Transport encryption methods encrypt data in transit to ensure transmitted data remains confidential. If you’re planning on taking the Security+ exam, you should have a basic understanding of transport encryption.
For example, can you answer this question?
Q. A heavily used application accesses a financial database on a server within your network. Due to recent data breaches, management wants to ensure transport encryption protects this data. Which of the following algorithms is the BEST choice to meet this goal?
A. SSL
B. SHA
C. TLS
D. CRL
More importantly, do you know why the correct answer is correct and the incorrect answers are incorrect? The answer and explanation are at the end of this post.
Transport Encryption Protocols
Transport encryption includes data transmitted over the Internet and on internal networks. Here are several transport encryption protocols:
- SSH. Secure Shell (SSH) encrypts a wide assortment of traffic. It carries SSH File Transfer Protocol (SFTP) and Secure Copy (SCP) transfers, and it replaces Telnet for remote command-line access, which Telnet sends in cleartext. SSH uses TCP port 22.
- HTTPS. HTTP Secure (HTTPS) uses TLS (originally SSL) to encrypt web traffic over TCP port 443.
The primary transport encryption methods are IPsec, SSL, and TLS.
IPsec
IPsec can encrypt data in Tunnel mode, which protects traffic between two gateways or between a remote client and a gateway, as in an L2TP/IPsec virtual private network (VPN). It can also encrypt data in Transport mode, which protects the payload of traffic between two hosts end to end.
IPsec uses an Authentication Header (AH) to provide authentication and integrity. Request for Comments 4835 (RFC 4835) mandated HMAC (HMAC-SHA1-96) for AH; its successors, RFC 7321 and RFC 8221, still require an HMAC, now HMAC-SHA2-256 truncated to 128 bits. Routers and firewalls identify AH traffic by IP protocol number 51. Because the AH integrity check covers the source and destination addresses, AH breaks when a NAT device rewrites them, which is one reason ESP is far more common in practice.
It can also use Encapsulating Security Payload (ESP) to provide confidentiality, along with authentication and integrity of its own, so AH is not needed alongside it. RFC 4835 mandated AES or 3DES as the symmetric encryption algorithm; RFC 8221 now requires AES (AES-CBC or AES-GCM) and classifies 3DES as SHOULD NOT. Routers and firewalls identify ESP traffic by IP protocol number 50. Note that when NAT traversal is in use, ESP is encapsulated in UDP on port 4500 (RFC 3948), and the IKE negotiation that sets up the security association runs over UDP port 500, so a firewall rule that matches only protocol 50 does not cover every IPsec deployment.
When IPsec uses ESP in Tunnel mode, it encrypts the entire original IP packet, including its IP header, and adds a new outer IP header. The original packet's transport-layer (TCP or UDP) header includes information such as destination ports, which can give clues to what type of data is in the payload. By encrypting the original headers and creating a new outer one, ESP in Tunnel mode leaves an attacker able to see only that the packet is IPsec ESP between the two tunnel endpoints. In Transport mode, ESP encrypts only the payload (the transport header and data), and the original IP header stays in the clear.
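To make the AH and ESP distinction concrete, here is an added example written for this post (it is not code from the original page or from any IPsec implementation). It builds a constructed AH packet whose integrity check value is an HMAC-SHA1-96 over the immutable IP header fields, the AH header and the payload, as RFC 4302 specifies, and a constructed ESP packet, then classifies both the way a firewall would, by IP protocol number. The key, addresses, SPI values and payload are made up for the demonstration, and the `build_*` and `classify` helpers are this example's own. It assumes IPv4 without options and no extended sequence numbers, and it leaves the IP header checksum at zero because AH zeroes that field before computing the ICV anyway.

```python
import hmac
import hashlib
import struct

PROTO_ESP = 50   # IP protocol number for Encapsulating Security Payload
PROTO_AH = 51    # IP protocol number for Authentication Header
ICV_LEN = 12     # HMAC-SHA1-96 truncates the HMAC output to 96 bits

# Constructed demo key; a real security association uses a key negotiated by IKE.
DEMO_KEY = b"constructed-demo-key-not-for-real-use"


def ipv4_header(src, dst, proto, total_len, ttl=64):
    """Minimal IPv4 header without options. The checksum is left at zero here;
    AH treats it as a mutable field and zeroes it before computing the ICV."""
    return struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, total_len, 0x1234, 0x4000, ttl, proto, 0,
        bytes(int(o) for o in src.split(".")),
        bytes(int(o) for o in dst.split(".")),
    )


def zero_mutable_fields(ip_hdr):
    """RFC 4302 Appendix A: DSCP/ECN, flags + fragment offset, TTL and the header
    checksum may change in transit, so AH zeroes them when computing the ICV."""
    b = bytearray(ip_hdr)
    b[1] = 0
    b[6:8] = b"\x00\x00"
    b[8] = 0
    b[10:12] = b"\x00\x00"
    return bytes(b)


def ah_icv(key, ip_hdr, ah_fixed, payload):
    """ICV over (IP header with mutable fields zeroed) + AH header with its own
    ICV field zeroed + everything after the AH header."""
    covered = zero_mutable_fields(ip_hdr) + ah_fixed + bytes(ICV_LEN) + payload
    return hmac.new(key, covered, hashlib.sha1).digest()[:ICV_LEN]


def build_ah_packet(key, src, dst, next_header, spi, seq, payload):
    """AH header: next header, payload length (AH length in 32-bit words minus 2),
    reserved, SPI, sequence number, then the ICV. 24 bytes total here."""
    ah_words = (12 + ICV_LEN) // 4            # 6 words
    total_len = 20 + ah_words * 4 + len(payload)
    ip_hdr = ipv4_header(src, dst, PROTO_AH, total_len)
    ah_fixed = struct.pack("!BBHII", next_header, ah_words - 2, 0, spi, seq)
    return ip_hdr + ah_fixed + ah_icv(key, ip_hdr, ah_fixed, payload) + payload


def build_esp_packet(src, dst, spi, seq, encrypted_body):
    """ESP: only the SPI and sequence number are in the clear; the body (payload,
    padding, next-header byte and ICV) is opaque to anyone without the SA."""
    total_len = 20 + 8 + len(encrypted_body)
    return ipv4_header(src, dst, PROTO_ESP, total_len) + struct.pack("!II", spi, seq) + encrypted_body


def classify(packet, key=None):
    """What a router or firewall can learn from the packet. Given the AH key,
    it also verifies the ICV the way the receiving IPsec peer would."""
    ihl = (packet[0] & 0x0F) * 4
    ip_hdr, rest = packet[:ihl], packet[ihl:]
    proto = ip_hdr[9]
    if proto == PROTO_AH:
        next_hdr, plen, _reserved, spi, seq = struct.unpack("!BBHII", rest[:12])
        ah_len = (plen + 2) * 4
        icv, payload = rest[12:ah_len], rest[ah_len:]
        info = {"proto": "AH", "spi": spi, "seq": seq,
                "next_header": next_hdr, "payload_visible": True}
        if key is not None:
            info["icv_valid"] = hmac.compare_digest(icv, ah_icv(key, ip_hdr, rest[:12], payload))
        return info
    if proto == PROTO_ESP:
        spi, seq = struct.unpack("!II", rest[:8])
        return {"proto": "ESP", "spi": spi, "seq": seq, "payload_visible": False}
    return {"proto": proto, "payload_visible": True}


if __name__ == "__main__":
    # next_header 6 = TCP, i.e. AH in Transport mode; 4 would mean IP-in-IP (Tunnel mode)
    ah = build_ah_packet(DEMO_KEY, "10.0.0.1", "10.0.0.2", 6, 0x100, 1, b"GET / HTTP/1.0\r\n")
    print(classify(ah, DEMO_KEY))
    esp = build_esp_packet("10.0.0.1", "10.0.0.2", 0x200, 1, bytes(32))
    print(classify(esp))
```

Two things are worth trying with it. Decrementing the TTL byte of the AH packet, as every router on the path does, leaves the ICV valid because TTL is a mutable field that AH excludes; flipping a single payload byte makes `icv_valid` false. For the ESP packet, `classify` can report only the SPI and sequence number, which is exactly the point of the paragraph above: with AH the next-header value and the whole payload are readable by anyone on the path, with ESP they are not.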
Remember this
Transport encryption methods such as SSH, IPsec, HTTPS, SSL, and TLS protect the confidentiality of data transmitted over a network. IPsec uses HMAC for authentication and integrity. ESP encrypts with AES (3DES in older deployments). When IPsec uses ESP in Tunnel mode, it encrypts the entire packet, including the original IP header, and creates an additional IP header.
SSL
Secure Sockets Layer (SSL) is an encryption protocol previously used to encrypt Internet traffic. For example, HTTPS used SSL in secure web browser sessions. SSL can also encrypt other transmissions. For example, File Transfer Protocol Secure (FTPS) used SSL (and now TLS) to encrypt FTP transmissions.
SSL provides certificate-based authentication and encrypts data with a combination of symmetric and asymmetric encryption during a session. It uses asymmetric encryption to share a session key privately (for example, the client encrypts a pre-master secret with the RSA public key in the server's certificate), and symmetric encryption with the resulting key to encrypt the application data transmitted during the session.
Netscape created SSL for its web browser and updated it through version SSL 3.0. Netscape maintained the protocol itself rather than handing it to a standards body such as the Internet Engineering Task Force (IETF). As Netscape's success waned, there was no standardization process to update SSL, even though all web browsers were using it. The IETF created TLS to standardize improvements to SSL.
TLS
Transport Layer Security (TLS) is the replacement for SSL and is widely used in many different applications. The IETF has updated and published several TLS documents specifying the standard. TLS 1.0 (RFC 2246) is based on SSL 3.0 and carries version number 3.1 on the wire, so it is sometimes referred to as SSL 3.1. Each later update keeps this numbering: TLS 1.1 (RFC 4346) is 3.2, TLS 1.2 (RFC 5246) is 3.3, and TLS 1.3 (RFC 8446) is 3.4. TLS 1.0 and TLS 1.1 have since been deprecated (RFC 8996), so current deployments should negotiate TLS 1.2 or 1.3.
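Those version numbers are what actually goes on the wire, and they are how a tool tells which protocol a server really negotiated. The following added example (written for this post, not code from the page, from Netscape or from the IETF) parses a TLS ServerHello record in Python and maps the wire version to its name. The ServerHello messages are constructed inline rather than captured, with the random and session ID fields set to zeros, which a real server would never send; `build_server_hello`, `parse_server_hello` and `describe` are this example's own helpers. It also handles the TLS 1.3 case, where the ServerHello's legacy_version field says 3.3 and the real selection, 3.4, travels in the supported_versions extension, and it flags anything below TLS 1.2 as not acceptable.

```python
import struct

# Wire version (major, minor) to protocol name
VERSION_NAMES = {
    (2, 0): "SSL 2.0", (3, 0): "SSL 3.0", (3, 1): "TLS 1.0",
    (3, 2): "TLS 1.1", (3, 3): "TLS 1.2", (3, 4): "TLS 1.3",
}
# SSL 2.0/3.0 are prohibited (RFC 6176, RFC 7568); TLS 1.0/1.1 are deprecated (RFC 8996).
ACCEPTABLE = {(3, 3), (3, 4)}

HANDSHAKE = 0x16                 # TLS record content type
SERVER_HELLO = 0x02              # handshake message type
EXT_SUPPORTED_VERSIONS = 0x002B  # carries the real selection in TLS 1.3


def parse_server_hello(record):
    """Return (negotiated_version, cipher_suite) from one TLS record that holds a
    ServerHello. Raises ValueError if the record is something else."""
    if record[0] != HANDSHAKE:
        raise ValueError("not a handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if body[0] != SERVER_HELLO:
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    version = (hello[0], hello[1])     # server_version, or legacy_version in TLS 1.3
    pos = 2 + 32                       # skip the 32-byte random
    sid_len = hello[pos]
    pos += 1 + sid_len                 # skip session_id
    cipher_suite = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    pos += 1                           # compression method (always null in TLS 1.3)
    if pos < len(hello):               # extensions block is present
        ext_len = struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
            pos += 4
            edata = hello[pos:pos + elen]
            pos += elen
            if etype == EXT_SUPPORTED_VERSIONS and elen == 2:
                version = (edata[0], edata[1])   # TLS 1.3: this overrides legacy_version
    return version, cipher_suite


def describe(record):
    """Human-readable summary plus a verdict a scanner or monitor could act on."""
    version, suite = parse_server_hello(record)
    return {
        "version": version,
        "name": VERSION_NAMES.get(version, "unknown %r" % (version,)),
        "acceptable": version in ACCEPTABLE,
        "cipher_suite": suite,
    }


def build_server_hello(legacy_version, cipher_suite, selected_version=None):
    """Constructed ServerHello for demonstration: random and session_id are all
    zeros and compression is null. If selected_version is given it is sent in a
    supported_versions extension, as a TLS 1.3 server does."""
    extensions = b""
    if selected_version is not None:
        ext = struct.pack("!HH", EXT_SUPPORTED_VERSIONS, 2) + bytes(selected_version)
        extensions = struct.pack("!H", len(ext)) + ext
    hello = (bytes(legacy_version) + bytes(32) + b"\x00"
             + struct.pack("!H", cipher_suite) + b"\x00" + extensions)
    handshake = bytes([SERVER_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return (bytes([HANDSHAKE]) + bytes(legacy_version)
            + struct.pack("!H", len(handshake)) + handshake)


if __name__ == "__main__":
    # 0x002F TLS_RSA_WITH_AES_128_CBC_SHA, 0xC02F TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
    # 0x1301 TLS_AES_128_GCM_SHA256 (TLS 1.3 only)
    for rec in (build_server_hello((3, 1), 0x002F),
                build_server_hello((3, 3), 0xC02F),
                build_server_hello((3, 3), 0x1301, selected_version=(3, 4))):
        print(describe(rec))
```

The TLS 1.3 case is the one people get wrong: reading only the two version bytes at the start of the ServerHello reports "TLS 1.2" for a TLS 1.3 connection, because those bytes are frozen at 3.3 for middlebox compatibility. Any detection or compliance check that classifies TLS versions has to look at the supported_versions extension, as `parse_server_hello` does.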
Just like SSL, TLS provides certificate-based authentication and uses both asymmetric and symmetric encryption. It uses asymmetric cryptography to establish a shared symmetric key privately (in TLS 1.3 always by ephemeral Diffie-Hellman key agreement, which gives forward secrecy, rather than by encrypting a key with the server's public key) and uses symmetric encryption with that key to encrypt the data in the session.
Many other applications use TLS. For example, the Extensible Authentication Protocol (EAP) uses it to strengthen wireless security when authentication is handled by an 802.1X server. Protected EAP (PEAP) and EAP-Tunneled TLS (EAP-TTLS) require the 802.1X authentication server to have a certificate, and they build a TLS tunnel around the client's authentication. EAP-TLS is the most secure method because it requires both servers and clients to have certificates. TLS can also encrypt other traffic such as FTP (FTPS) and SMTP (STARTTLS), just as SSL did.
It's important to remember that TLS and SSL require certificates, at least for the server. Certificate authorities (CAs) issue and manage certificates, so a CA is required to support TLS and SSL. These CAs can be internal (for servers that only your own, suitably configured clients need to trust) or external third-party CAs whose root certificates browsers and operating systems already trust.
Note that SSL is rarely used any more; SSL 2.0 and SSL 3.0 are formally prohibited (RFC 6176 and RFC 7568), and modern browsers refuse to negotiate them. However, even when TLS is used, many people still refer to it as SSL.
Remember this
TLS is the replacement for SSL. Both TLS and SSL require certificates issued by certificate authorities (CAs). For example, PEAP uses TLS to encrypt the authentication process and requires the authentication server to have a certificate issued by a CA.
Q. A heavily used application accesses a financial database on a server within your network. Due to recent data breaches, management wants to ensure transport encryption protects this data. Which of the following algorithms is the BEST choice to meet this goal?
A. SSL
B. SHA
C. TLS
D. CRL
The answer is C. Transport Layer Security (TLS) is a transport encryption protocol that can protect the data while it is in transit.
Secure Sockets Layer (SSL) is also a transport encryption protocol, but it is obsolete and TLS is recommended instead.
Secure Hash Algorithm (SHA) is a hashing algorithm, not an encryption protocol.
Both SSL and TLS use certificates, and revoked certificates are published in a certificate revocation list (CRL), but a CRL is not a transport encryption protocol.