What is TLS and How to Ensure a Secure Implementation
Transport Layer Security (TLS) is an encryption protocol that enhances the security of communication and the transfer of data over computer networks and the internet. It is widely used to encrypt all types of online communication, including web traffic carried over the secure transfer protocol HTTPS.
Most people come into contact with TLS when browsing online and their browser performs a “TLS handshake,” in which the client and server initiate contact and decide the parameters of the session. This establishes a secure connection with the server that’s hosting the website they want to view. TLS is not only used by web browsers, however. It also provides data security across internet messaging, voice communication (VoIP) and email.
How TLS Came About
The first incarnation of TLS was the Secure Sockets Layer (SSL) protocol, which was first released in 1995 by browser pioneer Netscape. It was one of a variety of secure protocols used in the early days of the internet. SSL was found to be particularly flexible and secure, and in 1996 was adopted by the Internet Engineering Task Force (IETF) to become the globally standardized security protocol. The name was changed from SSL to TLS to differentiate it from the Netscape-only protocol.
What Does TLS Do?
TLS enables network communications security by addressing three major elements that define a secure connection, namely:
Privacy: Every secure connection through TLS starts with a TLS handshake, where the client and server involved in the communication establish the secure keys that they’re going to use. These keys are then used to encrypt and decrypt the data transferred during that session. In theory, this guarantees that only the parties which have the secure keys can understand what’s being communicated, thus avoiding ‘man-in-the-middle’ attacks and message tampering.
Authentication: For many communications through TLS, such as that between a web application and server, authentication is only required on the part of the server. This means that during the TLS handshake, a secure certificate is supplied from the server-side, which authenticates its identity. Basically, it tells the client that the server is who it says it is.
Integrity: A major mode of attack by cybercriminals is to tamper with communications between two parties to inject malicious data or code into devices. To prevent this, a secure TLS implementation seeks to authenticate the data that has been transferred through a Message Authentication Code (MAC). This verifies the integrity of the message and that it has not been altered during the process of communication.
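The integrity check described above, as an added example that is not part of the original article: it computes the record MAC the way TLS 1.2 does for its non-AEAD cipher suites (HMAC over sequence number, content type, version, length and payload) and shows the receiver rejecting an altered or replayed record. The key and payload are constructed sample values; TLS 1.3 and AEAD suites fold this check into the cipher itself.

```python
import hashlib
import hmac
import struct

# Constructed sample values (not from the article): a MAC key as both sides
# would derive it during the handshake, and one application-data record.
MAC_KEY = bytes(range(32))
APPLICATION_DATA = 23   # TLS record content type for application data
TLS_1_2 = (3, 3)        # protocol version bytes for TLS 1.2


def record_mac(key, seq_num, content_type, version, fragment):
    """HMAC-SHA256 over seq_num || type || version || length || fragment."""
    header = struct.pack("!QBBBH", seq_num, content_type,
                         version[0], version[1], len(fragment))
    return hmac.new(key, header + fragment, hashlib.sha256).digest()


def verify_record(key, expected_seq, content_type, version, fragment, mac):
    """Receiver side: recompute the MAC using its own sequence counter."""
    expected = record_mac(key, expected_seq, content_type, version, fragment)
    return hmac.compare_digest(expected, mac)  # constant-time comparison


def demo():
    fragment = b"amount=100&to=alice"
    mac = record_mac(MAC_KEY, 0, APPLICATION_DATA, TLS_1_2, fragment)
    check = lambda key, seq, data: verify_record(
        key, seq, APPLICATION_DATA, TLS_1_2, data, mac)
    return {
        "intact": check(MAC_KEY, 0, fragment),
        "altered": check(MAC_KEY, 0, b"amount=900&to=alice"),
        # Same bytes delivered a second time: the receiver's counter is now 1.
        "replayed": check(MAC_KEY, 1, fragment),
        "wrong_key": check(bytes(32), 0, fragment),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:10s} accepted={accepted}")
```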
The Advantages of TLS
Online communication is vulnerable to a wide variety of bad actors looking to steal sensitive information, criminals looking to harness devices for use in botnets, and even state-sponsored threat groups conducting espionage and using cyberattacks to harm other countries. With trillions of interactions occurring daily, methods for securing communications and data transfers are essential to the functioning of the internet.
In this respect, TLS delivers a relatively safe and effective method for encrypting data and assuring the identities of the two communicating parties. The use of a standardized security protocol means that all web servers and clients that communicate through it are on the same page. All communication goes through a single designated secure channel, port 443, while the TLS protocol also specifies the exact certificate that is required for authentication.
For this reason, virtually all web browsers use TLS, speeding up the process of necessary TLS handshakes and the transfer of data. For example, Google, through both its Chrome browser and the algorithm it uses for search results, has pushed websites to adopt https as standard, using TLS to create a more secure environment for all online. The question becomes how to establish the most secure TLS implementation.
Vulnerabilities and How to Ensure a Secure TLS Implementation
Because it is so widely used, TLS gets a lot of attention from bad actors trying to find and exploit vulnerabilities in the protocol, such as in its encryption algorithm, in poorly configured servers, or in older TLS versions which have not yet been updated.
However, one of the most critical issues facing a secure TLS implementation lies at the very foundation of the protocol: its cryptographic keys. If a bad actor gains access to one of the sets of keys that form the connection between the two parties, it can have disastrous consequences for data integrity and the security of both client and server.
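One way to check for the configuration weaknesses mentioned above, as an added example using Python's standard `ssl` module (not code from the article or from any product it describes). The helper names `audit_context`, `weak_client_context` and `hardened_client_context` are hypothetical; the audit flags a client context that skips certificate verification, skips hostname checking, or permits protocol versions older than TLS 1.2.

```python
import ssl


def audit_context(ctx):
    """Return a list of findings for a client-side ssl.SSLContext."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not verified")
    if not ctx.check_hostname:
        findings.append("certificate hostname is not checked")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol versions older than TLS 1.2 are allowed")
    return findings


def weak_client_context():
    """The kind of configuration the audit should flag (constructed)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be disabled before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE     # accepts any certificate
    # No lower bound: whatever old versions the TLS library still offers.
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def hardened_client_context():
    """Library defaults plus an explicit TLS 1.2 floor."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and hostname checking
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    for name, ctx in (("weak", weak_client_context()),
                      ("hardened", hardened_client_context())):
        findings = audit_context(ctx)
        print(name, "->", findings if findings else "no findings")
```

The same version floor applies to server-side contexts, which is where outdated protocol versions most often stay enabled.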
With just one set of the supposedly secure keys, hackers can pretend to be an authenticated user, using this position to gain access to otherwise secure locations and sensitive data. They could also decrypt data being transferred, no matter how strong the encryption algorithm, as well as alter it by injecting malicious code. In essence, TLS is only safe if you know that the keys of both parties are secure.
Servers often use Hardware Security Modules (HSMs), which are specialized physical computing devices designed to manage cryptographic keys and perform cryptographic operations safely. They ensure that the server’s keys are kept fully protected. However, HSMs are expensive, custom pieces of equipment and it is important to remember that they only protect the server keys—they cannot authenticate the client.
Secure Key Box for TLS
To prevent eavesdropping and message manipulation, and for the server to be assured that the client is the one it claims to be, the encryption keys used by both ends of the connection in the TLS protocol need to be absolutely secured from falling into the wrong hands. This can be achieved by storing the keys in an HSM on the server, and in a secure key box (SKB) on the client, which keeps them safe both while they’re being used and when they’re not.
whiteCryption Secure Key Box for TLS acts like a software HSM. It is the culmination of Intertrust’s efforts to deliver the most secure TLS implementation, made possible by creating a cryptographically protected library that ensures cryptographic keys never appear in the clear. It works to protect both the keys that guarantee the session’s security and integrity at the outset of each session and the cryptographic keys used to encrypt and decrypt all data that’s transferred.
To find out how our whitebox cryptographic library ensures a secure TLS implementation for end-to-end data safety and integrity, get in touch with our team.
About Paul Butterworth
Paul Butterworth is an experienced payment and security professional, having spent almost 30 years in the card, payments and IT security industries. Paul is responsible for global product marketing for the Intertrust Secure Systems’ market leading application shielding and device identity solutions.