Back when the internet was new, it was realized fairly early on that websites in particular were going to need security. The original HTTP protocol had no security built into it. So we had to do something. So back in the early 90s, back when Netscape was king, they developed a series of security protocols which are collectively known as SSL, or Secure Sockets Layer. Now SSL has been around for a long time. In fact, it's pretty much been superseded, at least in terms of websites, with Transport Layer Security, or TLS.
But whether you're using the term SSL or TLS, they are protocols that are designed to make secure connections between two points. These were originally invented for websites under HTTPS. However, SSL and TLS find new life in other protocols that take advantage of this. So basically, on the internet, if you want to make a secure connection between some kind of server and some kind of client, SSL, or its big brother TLS, is the way to go. Now, what's important here is that SSL is the older protocol. TLS is the newer protocol.
However, in terms of functions, they do basically the exact same thing. It's just that TLS does it a lot better with a little extra security built in. So the first thing I want to do is talk about what do I need to do if I want to make a secure connection between two points? Well, alright, number one, I'm going to want encryption, that's a given. But more importantly, I want to use symmetric encryption. Symmetric encryption is really, really, really fast compared to asymmetric.
So I'm going to have to make sure that each point gets a key. So I need encryption for sure. But I also need to determine how I'm going to go about a key exchange between these two points. Number three, I'm going to want to do authentication. I'm not going to be passing out my key to anybody. So I want to go through some authentication process with SSL and TLS.
We pretty much use RSA certificates; they could do other stuff, but I'm going to keep it simple in this episode. And then the fourth thing you're going to want to do is some kind of HMAC. So the cool part about SSL/TLS is that they are the protocols which establish the connection, and the establishment of these four really, really important aspects that make a secure connection. So the first thing I want to do to show you TLS in action is I'm going to fire up Wireshark here, we're going to go to a secure website and grab that TLS conversation taking place. So if you take a look here, what I've got is good old Wireshark.
So I'm just going to go ahead and start my capture. Let that go for a minute. And what I'm going to do is open up a web browser, I got Chrome here, that'll work as good as any. And what I have is one of my quick links on my bookmarks to a webmail site, and you'll see it says webmail seven dot Blue Genesis dot com. So you'll see that this is HTTPS and it's now prompting for my username and password. Now I'm not going to give you my username and password.
But the cool part is, we have now created a complete capture in Wireshark. So the first thing I want to do here is, I'm going to have a whole lot of data. So let's take a look. Now if you look over here, the first thing I want to do is I'm going to do a ping. So I'm pinging this, and I see I've got an IP address right here, I need that IP address. Because I have so much data in Wireshark.
I'm going to have to do a little bit of filtering. So let's go ahead and filter right now. So I've got this huge capture. And this is always the problem when you're using Wireshark. I mean, it's capturing everything, not just this one connection, this web server. I've got all kinds of other stuff.
I'm running Windows 10. It's phoning home and doing DNS. If you take a look on the screen, you see I've got Dropbox protocol and all this. So what I gotta do is I've got to filter this out. So I'm going to make this a little bit of a Wireshark class and use a filter here. Now if you take a look over here, what I've done is I did a ping on that particular URL.
So webmail seven dot Blue Genesis dot com. And you can see I've got an IP address there. So I can actually use that as a filtering tool. I've already done it once, so it should still be there. Fantastic. So I'm going to use this as a little filter.
And now I've got it down to anything where the source or the destination IP address is that particular web server. So that's fantastic. But you have to be careful with Wireshark, because Wireshark records everything whenever it sees it. So bad packets, or weird stuff where, if one computer doesn't respond back fast enough, another computer might send another request. So if you're thinking you're going to use Wireshark and get this perfect, step, step, step, step, step thing, you're not going to; it can be a little frustrating. But what is important is we can do a little work here to make it a little bit cleaner.
So I do know it all starts with a Client Hello. All of these up here are just the initial TCP connection trying to get to the guy. And then right here is the Client Hello, that starts everything. So what I'm going to do is take advantage of another little power of Wireshark. And I'm going to click on Follow TCP Stream. Now it basically shows me the connection in clear text.
And even down here at the bottom, it shows all of the encrypted data, I don't really need to see that. What's more important is it changes the sort order for me, so it's only looking at that one connection. So it cleans things up a little bit. So if we start right at the top, you can see here's my computer, doing a SYN, SYN-ACK, ACK. It's a standard TCP connection. And once it has that, here it goes.
Here's the Client Hello right here, and this is the first step in making a TLS handshake. So what I'm going to do is click on this. As we look, actually, in that request, what you're going to see is right here, it's called cipher suites. Remember, we have four things that we have to get set up: the symmetric encryption, the key exchange, the authentication methodology, and then some type of hashing for HMAC. And this is how TLS starts, all this is in the Client Hello. So what you're looking at right here is a list of all the different ways that this web browser is able to go ahead and do these four things.
So it submits to the server this big, long list: here's all the different ways I can do it, in preferential order. So the stuff it wants to do first is at the top and the stuff he wants to do the least is at the bottom. Now, no one's going to test you on what exactly all this means. But I would like to give you an example. So let's pick this second one right here. So as we look at this, it says they all start with TLS.
The first thing is the key exchange. So what we're seeing here is Elliptic Curve Diffie-Hellman. So it says, I'd like to do elliptic curve Diffie-Hellman. Next is the authentication, and it wants to do good old RSA certificates, pretty common. Third is the symmetric encryption, it wants to do AES 128 GCM. And then fourth, it wants to do SHA-256 for all the HMACs.
So it gives us this big list, it actually gives a lot of other stuff too. Let me show you something else that might be interesting. We know it wants to do elliptic curve. So it's also going to have to provide elliptic curves in here. So you look way down here at the bottom. So you'll see that this guy has three built-in types of elliptic curves.
So it's going to say, if you do elliptic curve, it has to be one of these three. Cool, alright, so let me get all this closed back up. So that's the Client Hello. So the server now gets all this information. And the server is going to pick from that list, whatever from the top, whatever he can do, and he's going to respond back. And that's what the Server Hello is all about.
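What Wireshark is dissecting in that Client Hello is just a length-prefixed byte layout, and the same thing can be walked by hand. This is an added example, not part of the video or its capture: it parses a constructed ClientHello record (three suites, three curves, fixed random) into the cipher suite list and the offered elliptic curves, and then reads one suite name as the four choices described above (key exchange, authentication, symmetric cipher, hash). The suite and curve name tables are the IANA names; the byte values are constructed for this example.

```python
CLIENT_HELLO = bytes.fromhex(
    "16 03 01 00 3f"    # record header: type 22 (handshake), legacy version, 63 body bytes
    "01 00 00 3b"       # handshake header: type 1 (ClientHello), 59 body bytes
    "03 03"             # client_version: TLS 1.2
    + "11" * 32 +       # 32-byte client random (constant here so the example is reproducible)
    "00"                # session_id length: 0
    "00 06 c0 2b c0 2f 00 9c"  # cipher_suites: 6 bytes, most preferred first
    "01 00"             # compression_methods: null only
    "00 0c"             # extensions: 12 bytes in total
    "00 0a 00 08 00 06 00 1d 00 17 00 18"  # supported_groups: x25519, secp256r1, secp384r1
)
CIPHER_SUITES = {0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
                 0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                 0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256"}
GROUPS = {0x001D: "x25519", 0x0017: "secp256r1", 0x0018: "secp384r1"}

def u16(b, i): return int.from_bytes(b[i:i + 2], "big")   # big-endian 16-bit field

def parse_client_hello(record):
    """Return (cipher suite names in client preference order, offered curve names)."""
    if record[0] != 22 or u16(record, 3) != len(record) - 5:
        raise ValueError("not a complete TLS handshake record")
    hs = record[5:]
    if hs[0] != 1:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                       # skip client_version and random
    pos += 1 + body[pos]               # skip session_id (1-byte length prefix)
    cs_len, pos = u16(body, pos), pos + 2
    suites = [u16(body, i) for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]               # skip compression_methods
    groups = []
    if pos < len(body):                # extensions block is optional
        end, pos = pos + 2 + u16(body, pos), pos + 2
        while pos < end:               # each extension: type, length, data
            etype, elen = u16(body, pos), u16(body, pos + 2)
            if etype == 10:            # supported_groups (formerly elliptic_curves)
                groups = [u16(body, i) for i in range(pos + 6, pos + 6 + u16(body, pos + 4), 2)]
            pos += 4 + elen
    return ([CIPHER_SUITES.get(s, f"0x{s:04x}") for s in suites],
            [GROUPS.get(g, f"0x{g:04x}") for g in groups])

def split_suite(name):
    """Read an IANA suite name as (key exchange, authentication, symmetric cipher, hash)."""
    kx_auth, cipher_hash = name[len("TLS_"):].split("_WITH_")
    cipher, digest = cipher_hash.rsplit("_", 1)
    parts = kx_auth.split("_")         # TLS_RSA_WITH_... uses RSA for both key exchange and auth
    return parts[0], parts[-1], cipher, digest
```

Unknown suite or group codes are returned as hex so a newer client's offers still show up rather than being dropped.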
So let's take a look at this Server Hello. And the Server Hello provides certain things like, for example, here's a session ID, which defines this individual connection. It says, here's the cipher suite that it wants to use. So it's going to use a quick elliptic curve Diffie-Hellman, RSA, AES 256 GCM and SHA-384. So it's pretty much ready to rock and roll on this.
And the Server Hello says, great. That's how we're going to do it. So the next step is then we have what's called the key exchange. Now I want you to be very careful when you look at this. You'll see right up here in Wireshark, it says, Certificate, Server Key Exchange, comma, Server Hello Done. One of the powers of TLS is that it can combine a lot of commands into individual packets.
So what we're actually seeing here is two very separate commands that look like just one line in Wireshark. But there's actually two. So the certificate key exchange comes along, and he's basically going to go, okay, here we go. Now there's going to be some important information in here. For example, in the key exchange, one of the things you're going to get is, well, the certificate. So if you take a look right here, this is actually the certificate for my webmail.
And it also provides either the root certificate or an intermediate certificate as well. Now, you'd say to yourself, wait a minute, the whole idea of the server providing me a certificate is that as a web browser, I have all these certificates built into me. So what I can do is I can check that certificate against whoever his root certificate is, and it should be confirmed, right? So why is he sending me another root certificate or intermediate? Well, it's actually just another layer of check. Yes, Blue Genesis knows that I have a copy of their root certificate, however, they just send another copy.
And any good web browser, just as another layer of check, is going to compare the two and make sure that they're the same one. So it's just an extra layer. Alright, so we get our certificates in here. Now the key exchange takes place. And they're pretty much ready to go once the key exchange takes place. We've got the encryption set, we got the key exchange set, we've got the authentication, well, pretty much done.
And the HMAC will be ready to go when it needs it. So then we come down, oh, and then the server says his Hello is done. So basically, the server now says, you got what you need. Let's get started and do this. Right. So that's where you see right here.
Now there's a Client Key Exchange. TLS is actually capable of having client certificates, but usually we don't have that. So the client key exchange is really an optional feature. What's more interesting is right here, see where it says Change Cipher Spec? Change Cipher Spec is the statement that says, you ready? Let's do this.
Once the Change Cipher Spec has been sent by both parties, it automatically starts going into application data. So you can see here. Here's the Change Cipher Spec coming from my client. Here's the Change Cipher Spec coming from the server right here. And there's a messed up packet. But from there on in, you see where it says application data.
We are encrypted. So we have to have all of these steps combined to make SSL/TLS work. It's a magical tool. It's actually a lot more complicated than this, but this will get you through the exam. The other thing I want you to remember about SSL and TLS is, even though this was originally invented for websites, you see this all over the place. You can see it in email servers, you can see it in VPNs, you can see SSL and TLS.
Originally invented for websites used all over the internet.