WEBVTT

00:00.720 --> 00:07.200
Back when the Internet was new, it was realized fairly early on that Web sites in particular were going

00:07.200 --> 00:08.570
to need security.

00:08.580 --> 00:12.180
The original HTTP protocol had no security built into it.

00:12.300 --> 00:13.780
So we had to do something.

00:13.920 --> 00:21.390
So back in the early 90s, back when Netscape was king, they developed a series of security protocols which

00:21.390 --> 00:25.810
are collectively known as SSL, or Secure Sockets Layer.

00:25.830 --> 00:30.780
Now this has been around for a long time; in fact it's pretty much been usurped, at least in terms of

00:30.780 --> 00:34.460
Web sites, with Transport Layer Security, or TLS.

00:34.620 --> 00:40.680
But whether you're using the term SSL or TLS, they are protocols that are designed to make secure

00:40.680 --> 00:42.600
connections between two points.

00:42.600 --> 00:46.630
These were originally invented for Web sites under HTTP.

00:46.800 --> 00:53.300
However, SSL and TLS find new life in other protocols that take advantage of this.

00:53.310 --> 00:58.770
So basically, on the Internet, if you want to make a secure connection between some kind of server and

00:58.770 --> 01:03.190
some kind of client, SSL or its big brother TLS are the way to go.

01:03.250 --> 01:10.890
Now what's important here is that SSL is the older protocol, TLS is the newer protocol; however, in

01:10.890 --> 01:14.190
terms of functions they do basically the exact same thing.

01:14.190 --> 01:18.360
It's just that TLS does it a lot better, with a little extra security built in.

01:18.360 --> 01:23.580
So the first thing I want to do is talk about what I need to do if I want to make a secure connection

01:23.580 --> 01:24.490
between two points.

01:24.500 --> 01:25.260
Well, all right.

01:25.260 --> 01:27.560
Number one, I'm going to want encryption; that's a given.

01:27.760 --> 01:34.230
I want to use encryption, but more importantly I want to use symmetric encryption. Symmetric encryption

01:34.410 --> 01:36.990
is really, really, really fast compared to asymmetric.

01:37.020 --> 01:41.480
So I'm going to have to make sure that each point gets a key.

01:41.580 --> 01:47.370
So I need encryption for sure, but I also need to determine how I'm going to go about a key exchange

01:47.550 --> 01:49.590
between these two points.

01:49.590 --> 01:52.050
Number three, I'm going to want to do authentication.

01:52.050 --> 01:57.000
I'm not going to be passing out my key to anybody, so I want to go through some authentication process

01:57.210 --> 01:58.550
with SSL and TLS.

01:58.680 --> 02:01.190
We pretty much use RSA certificates.

02:01.320 --> 02:04.690
They could do other stuff, but I'm going to keep it simple in this episode.

02:04.890 --> 02:12.190
And then the fourth thing you're going to want to do is some kind of HMAC. So the cool part about SSL

02:12.190 --> 02:19.210
slash TLS is that they are the protocols which establish the connection, and the establishment

02:19.270 --> 02:24.430
of these four really really important aspects that make a secure connection.

02:24.460 --> 02:29.770
So the first thing I want to do to show you TLS in action is I'm going to fire up Wireshark here.

02:29.890 --> 02:35.340
We're going to go to a secure Web site and grab that TLS conversation taking place.

02:35.340 --> 02:38.770
So if you take a look here what I've got is good old Wireshark.

02:38.920 --> 02:43.510
So I'm just going to go ahead and start my capture and let that go for a minute.

02:43.580 --> 02:47.740
And what I'm going to do is open up a web browser, and I've got Chrome here; it works as good as any.

02:47.930 --> 02:54.560
And what I have is one of my quick links on my bookmarks to a webmail site, and you'll see it says

02:54.550 --> 02:57.270
webmail7.bluegenesys.com.

02:57.350 --> 02:59.440
So you'll see that this is HTTPS.

02:59.750 --> 03:02.030
And now it's prompting for my username and password.

03:02.030 --> 03:07.760
Now I'm not going to give you my username and password, but the cool part is we have now created a

03:07.760 --> 03:10.330
complete capture in Wireshark.

03:10.460 --> 03:14.460
So the first thing I want to do here is I'm going to have a whole lot of data.

03:14.510 --> 03:16.030
So let's take a look now.

03:16.040 --> 03:23.460
If you look over here, the first thing I want to do is I'm going to do a ping,

03:31.850 --> 03:35.680
so I'm pinging this and I see I've got an IP address right here.

03:35.810 --> 03:40.280
I need that IP address because I have so much data in Wireshark.

03:40.280 --> 03:43.790
I'm going to have to do a little bit of filtering, so let's go ahead and filter right now.

03:43.880 --> 03:49.580
So I've got this huge capture, and this is always the problem when you're using Wireshark; I mean it's

03:49.580 --> 03:54.270
capturing everything, not just this one connection to this web server. I've got all kinds of other stuff

03:54.270 --> 03:57.160
from running Windows 10 phoning home and DNS.

03:57.180 --> 04:03.310
You take a look on the screen, you see I've got a Dropbox protocol and all this, so what I've got to do

04:03.310 --> 04:07.600
is I've got to filter this out, so I'm going to make this a little bit of a Wireshark class and use a

04:07.600 --> 04:08.460
filter here.

04:08.620 --> 04:15.060
Now if you take a look over here, what I've done is I did a ping on that particular URL, so webmail

04:15.100 --> 04:20.590
7.bluegenesys.com, and you can see I've got an IP address there, so I can actually use that as

04:20.590 --> 04:21.980
a filtering tool.

04:22.000 --> 04:23.970
I've already done it once so it should still be there.

04:23.970 --> 04:25.600
Fantastic.

04:25.600 --> 04:31.450
So I'm going to use this as a little filter, and now I've got it down to anything with a source or a

04:31.450 --> 04:37.110
destination IP address of that particular web server, so that's fantastic.

04:37.180 --> 04:43.770
But you have to be careful with Wireshark, because Wireshark records everything whenever it sees it,

04:43.780 --> 04:51.160
so bad packets or weird stuff; if one computer doesn't respond back fast enough, another computer

04:51.160 --> 04:52.770
might send another request.

04:52.780 --> 04:58.420
So if you're thinking you're going to use Wireshark and get this perfect step, step, step, step, step thing,

04:58.480 --> 05:00.940
you're not going to; it can be a little frustrating.

05:01.090 --> 05:04.780
But what is important is we can do a little work here to make it a little bit cleaner.

05:04.930 --> 05:06.940
So I do know it all starts with a client

05:06.940 --> 05:07.600
hello.

05:07.600 --> 05:13.580
All of these up here are just the initial TCP connection trying to get to the guy.

05:13.830 --> 05:16.440
And then right here is the client hello that starts everything.

05:16.440 --> 05:21.090
So what I'm going to do is take advantage of another little power of Wireshark, and I'm going to click

05:21.090 --> 05:22.960
on Follow TCP Stream.

05:22.980 --> 05:29.460
Now it basically shows me the connection in clear text, and even down here at the bottom it shows all

05:29.460 --> 05:30.970
of the encrypted data.

05:30.990 --> 05:36.220
I don't really need to see that; what's more important is that it changes the sort order for me.

05:36.240 --> 05:38.450
So it's only looking at that one connection.

05:38.520 --> 05:39.900
So it cleans things up a little bit.

05:39.900 --> 05:46.560
So if we start right at the top, you can see here's my computer doing a SYN, SYN-ACK, ACK; it's a standard

05:46.560 --> 05:47.940
TCP connection.

05:47.940 --> 05:54.570
And once it has that, here it goes: here's the client hello right here, and this is the first step in making

05:54.570 --> 05:56.060
a TLS handshake.

05:56.340 --> 06:03.180
So what I'm going to do is, I've got this clicked; what I want to do is, if we look actually in that request,

06:03.570 --> 06:06.480
what you're going to see is right here, it's called cipher suites.

06:06.540 --> 06:09.850
Remember we have four things that we have to get set up.

06:09.990 --> 06:16.470
The symmetric encryption, the key exchange, the authentication methodology, and then some type of hashing

06:16.470 --> 06:17.670
for a MAC.

06:17.760 --> 06:20.190
And this is how it starts, all this in the client

06:20.190 --> 06:20.960
hello.

06:21.210 --> 06:27.960
So what you're looking at right here is a list of all the different ways that this web browser is able

06:27.960 --> 06:30.040
to go ahead and do these four things.

06:30.120 --> 06:33.180
So it submits to the server this big long list.

06:33.240 --> 06:38.670
Here's all the different ways I can do it, in preferential order, so the stuff it wants to do first is

06:38.670 --> 06:41.720
at the top and the stuff it wants to do the least is at the bottom.

06:41.780 --> 06:45.420
Now no one's going to test you on what exactly all this means.

06:45.420 --> 06:49.470
But I would like to give you an example, so let's pick the second one right here.

06:49.530 --> 06:52.810
So as we look at this, it says they all start with TLS.

06:53.010 --> 06:54.540
The first thing is the key exchange.

06:54.540 --> 06:57.740
So what we're seeing here is elliptic curve Diffie-Hellman.

06:57.780 --> 07:03.870
So it says I'd like to do an elliptic curve Diffie-Hellman; next is the authentication, and what's that, good

07:03.870 --> 07:06.930
ole RSA certificates, pretty common.

07:06.930 --> 07:09.210
Third is the symmetric encryption.

07:09.210 --> 07:09.960
It wants to do

07:09.990 --> 07:12.210
AES 128 GCM.

07:12.510 --> 07:18.630
And then fourth, it wants SHA-256 for all the MACs, so it gives this big list.

07:18.630 --> 07:22.710
It actually gives a lot of other stuff too. Let me show you something else that might be interesting: we

07:22.710 --> 07:23.360
know it does.

07:23.370 --> 07:24.760
It wants to do elliptic curve.

07:24.870 --> 07:30.150
So it's also going to have to provide elliptic curves in here, so you look way down here at the bottom.

07:30.420 --> 07:37.800
So you'll see that this guy has three built-in types of elliptic curves, so it's going to say if you

07:37.800 --> 07:40.230
do an elliptic curve, it has to be one of these three.

07:40.230 --> 07:40.800
Cool.

07:40.800 --> 07:45.760
All right, so now that we've got all this, let's close this back up.

07:45.960 --> 07:47.750
So that's the client hello.

07:47.910 --> 07:53.220
So the server now gets all this information, and the server is going to pick from that list whatever

07:53.490 --> 07:58.470
from the top, whatever he can do, and he's going to respond back, and that's what the server hello is all

07:58.470 --> 07:59.060
about.

07:59.220 --> 08:00.390
So let's take a look at the server

08:00.390 --> 08:01.090
hello.

08:01.540 --> 08:06.030
And the server hello provides certain things; like, for example, here's a session ID, which defines this

08:06.090 --> 08:07.950
individual connection.

08:07.950 --> 08:10.920
It says here's the cipher suite that it wants to use.

08:10.950 --> 08:20.270
So it's going to use elliptic curve Diffie-Hellman, RSA, AES 256 GCM and SHA-384,

08:20.280 --> 08:26.430
so it's pretty much ready to rock and roll on this, and the server says, great, that's how we're going

08:26.430 --> 08:27.250
to do it.

08:27.270 --> 08:31.070
So the next step is then we have what's called the key exchange.

08:31.080 --> 08:33.890
Now I want you to be very careful when you look at this.

08:33.960 --> 08:38.970
You'll see right up here in Wireshark it says Certificate, Server Key Exchange, comma, Server

08:38.970 --> 08:40.510
Hello Done.

08:40.530 --> 08:47.280
One of the powers of TLS is that it can combine a lot of commands into individual packets.

08:47.280 --> 08:52.110
So what we're actually seeing here is two very separate commands that look like just one line in Wireshark,

08:52.320 --> 08:54.040
but there's actually two.

08:54.060 --> 08:58.770
So the certificate key exchange comes along, and he's basically going to go,

08:58.830 --> 09:00.110
OK, here we go.

09:00.120 --> 09:05.520
Now there's going to be some important information in here; for example, in the key exchange one of the

09:05.520 --> 09:08.200
things you're going to get is, well, the certificate.

09:08.250 --> 09:14.970
So if you take a look right here, this is actually the certificate for my webmail.

09:15.000 --> 09:21.380
And it also provides either the root certificate or an intermediate certificate as well.

09:21.390 --> 09:24.040
Now you'd say to yourself, then, wait a minute.

09:24.240 --> 09:30.450
The whole idea of the server providing me a certificate is that, as a web browser, I have all the certificates

09:30.480 --> 09:31.770
built into me.

09:31.800 --> 09:39.180
So what I can do is I can check that certificate against whoever his root certificate is, and it should

09:39.180 --> 09:40.300
be confirmed, right?

09:40.380 --> 09:43.370
So why is he sending me another root certificate or intermediate?

09:43.530 --> 09:47.220
Well, it's actually just another layer of checks.

09:47.400 --> 09:51.180
Blue Genesys knows that I have a copy of their root certificate.

09:51.180 --> 09:53.070
However, they just send another copy.

09:53.070 --> 09:57.360
And any good web browser, just to add another layer of checks, is going to compare the two

09:57.510 --> 10:00.630
and make sure that they're the same ones, so it's just an extra layer of checks.

10:00.630 --> 10:01.130
All right.

10:02.220 --> 10:04.010
So we get our certificates in here.

10:04.020 --> 10:09.270
Now the key exchange takes place, and they're pretty much ready to go once the key exchange takes place.

10:09.270 --> 10:11.760
We've got the encryption set, we've got the key exchange set.

10:11.760 --> 10:13.120
We've got the authentication.

10:13.270 --> 10:14.920
Well, pretty much done.

10:15.000 --> 10:17.750
And the MAC will be ready to go when it needs it.

10:17.760 --> 10:21.900
So then we come down; oh, and then the server says his hello is done.

10:21.900 --> 10:24.940
So basically the server now says, you got what you need.

10:25.140 --> 10:27.170
Let's get started and do this right.

10:27.180 --> 10:29.440
So that's where you see right here.

10:29.520 --> 10:31.600
Now there's a client key exchange.

10:31.990 --> 10:35.460
TLS is actually capable of having client certificates.

10:35.460 --> 10:37.300
But usually we don't have that.

10:37.410 --> 10:41.340
So the client key exchange is really an optional feature.

10:41.340 --> 10:43.710
What's more interesting is right here.

10:43.860 --> 10:51.080
So here it says change cipher spec. Change cipher spec is the statement that says you're ready.

10:51.180 --> 10:52.280
Let's do this.

10:52.290 --> 10:58.950
Once the change cipher spec has been sent by both parties, it automatically starts going into application

10:58.950 --> 10:59.510
data.

10:59.580 --> 11:03.690
So you can see here, here's the change cipher spec coming from my client.

11:04.020 --> 11:07.170
Here's the change cipher spec coming from the server right here.

11:07.350 --> 11:11.480
And there's a messed-up packet, but from there on in you see it says application data.

11:11.580 --> 11:13.530
We are encrypted.

11:13.650 --> 11:19.730
So we have to have all of these steps combined to make SSL/TLS work.

11:19.770 --> 11:21.540
It's a magical tool.

11:21.540 --> 11:23.240
It's actually a lot more complicated than this.

11:23.250 --> 11:25.350
But this will get you through the exam.

11:25.350 --> 11:28.640
The other thing I want you to remember about SSL and TLS is this.

11:28.650 --> 11:34.590
Even though this was originally invented for Web sites, you see this all over the place; you can see it

11:34.830 --> 11:40.640
in email servers, you can see it in VPNs, you can see SSL and TLS.

11:40.770 --> 11:57.770
Originally invented for Web sites, used all over the Internet.
