Excellent break-down of the TLS handshake. John's explanations are clear and easy to understand. Thank you!
@kallikantzaros4 жыл бұрын
CLIENT: - Browser wants to establish connection to a server. - Client sends Hello’ message - TLS protocol number (1.2,1.3) - Cipher suite client supports SERVER: - Server sends ‘Hello’ message - Server sends certificate file - Includes server’s public key - Server sends ‘Hello done’ message CLIENT: - Client checks that certificate file - Checks if it has been revoked - Checks if it is still valid - Client generates ‘Pre-Master Secret Key’ (PMSK) - Client pulls some characters from server’s public key, encrypts that with server’s public key, and creates Pre-Master Secret Key - Based on PMSK, it will generate SYMMETRIC KEY from that PMSK that will be used for bulk encryption. - Client sends ‘Client finished’ message SERVER: - Server decrypts PMSK with his private key - Server creates SYMMETRIC KEY by decrypting PMSK. This symmetric key will be same as client’s symmetric key because it was encrypted with PMSK. - Server sends ‘Change Cipher Spec’ message. This tells client to change from asymmetric to symmetric key exchange - Server sends ‘Finished’ message END: Both of them have symmetric key used.
@MrReklez Жыл бұрын
Great summary . Thanks
@barnabyvonrudal12 ай бұрын
Is the server public key linked to the certificate? Or independent of it?
@mohdaadilfАй бұрын
@@barnabyvonrudal1The certificate will have the Public Key
@joshuaeuceda46353 жыл бұрын
The waterfall analogy was outstanding, provided an excellent framework for further study.
@devcentral3 жыл бұрын
Appreciate the note!
@JamesEtc34173 жыл бұрын
Wow this is great. It takes months to truly get your head around this but vids like this make it so easy to refresh my memory
@devcentral3 жыл бұрын
Glad you enjoyed it!
@pankajchaturvedi31763 жыл бұрын
The most thorough explanation of TLS Handshake. Thank you!
@devcentral3 жыл бұрын
Glad you enjoyed it!
@md.bidyuth64417 ай бұрын
Thanks Xians for making this concept so easy.
@ramkumark89013 жыл бұрын
after went through so many other videos. Finally got clear picture only from your explanation. Very good explanation, thanks !
@devcentral3 жыл бұрын
Great to hear!
@zajec115 жыл бұрын
Video is mirror image flipped, and the tshirt he's wearing has the text printed also mirror image flipped. That's how he's able on the glass so well. Now start learning some TLS!
@arduinoguru72334 жыл бұрын
first wait until I change from 240p to 1080p maybe he wroth it flipped ,
@thisiswill4 жыл бұрын
Thanks. Thought that was going on but I was so distracted considering what if he was just so good writing backwards, that I had to rewatch halfway to pay attention.
@PortuguesePirate994 жыл бұрын
See thats the first thing i was thinking and then scrolled through the comments to find out and you are top comment so thanks bro
@prat-man4 жыл бұрын
My mind is flipped. My eyes take in light flipped too. Double flip.
@zakb.71082 жыл бұрын
Perfect explanation. I thought every time we encrypt with server certificate public key the whole time but it's not.
@devcentral2 жыл бұрын
Thanks for the comment and glad you enjoyed the video!!
@mferreira12314 жыл бұрын
That was an amazing explanation, perfectly understood having the basics. Thank you
@devcentral4 жыл бұрын
glad you enjoyed it!
@imashish864 жыл бұрын
This is CooL. Better explanation than Google's IT certification video! Thanks a lot!!!
@devcentral4 жыл бұрын
glad you enjoyed it!
@mortalbm2 жыл бұрын
Best explain I'd ever seen.
@devcentral2 жыл бұрын
We appreciate the comment! Glad you liked it!!
@claudedjale38642 жыл бұрын
Wow, it is amazing to know what happens behind the scenes. I would like to meet the people who create/invent these things.
@liva236muzika6 жыл бұрын
Great video, simple explanations, not dumbed down, not too technical. Good learning experience.
@devcentral6 жыл бұрын
glad you liked it!
@devcentral6 жыл бұрын
hi liva236muzika~ was wondering if we could use your quote for a little promo?
@liva236muzika6 жыл бұрын
Yeah, no problem. Let me know when you put it on KZbin or wherever, I would love to see it.
@devcentral6 жыл бұрын
Actually added it to a tweet: twitter.com/devcentral/status/973325328314707970 RT if you have a handle! Thanks again!
@juliantoon45022 жыл бұрын
another good explanation need to watch a few times
@devcentral2 жыл бұрын
Glad you liked it and we appreciate the comment!
@ayanSaha132912 жыл бұрын
Nice explanation! Thank you.
@devcentral2 жыл бұрын
Glad you liked it and we really appreciate the comment!
@gursimrantiwana23193 жыл бұрын
what technology is he using to present? Is this a camera trick or a special screen?
@devcentral3 жыл бұрын
Behind the Scenes: kzbin.info/www/bejne/i2iokH9qrKiDisU
@usersn00003 жыл бұрын
Great explanation. Breaking something down that takes microseconds to complete into a 12min video.
@mrhex51877 жыл бұрын
So, the communication starts with asymmetric cryptography and finishes with symmetric cryptography, so we have a hybrid cryptography. Very very good!
@christorok19065 жыл бұрын
The asymmetric part is used for key distribution. The symmetric is used to reduce overhead and retain good performance.
@EJP286CRSKW4 жыл бұрын
Chris Torok The PKI part is used for authentication. Asymmetric encryption isn't used at all except in the now deprecated DH cipher suites.
@Zen-lz1hc2 жыл бұрын
That was entertaining to watch :) Thanks.
@devcentral2 жыл бұрын
Appreciate the comment!!
@terrancepinkney7774 жыл бұрын
Thank you for helping me better understand this. I'm studying for my cert and I kinda understood reading it but this makes more sense! Awesome video and explanation.
@devcentral4 жыл бұрын
Thanks Terrance...glad you enjoyed the video!
@emmanuelsolano68332 жыл бұрын
Very well explained, pretty useful.
@devcentral2 жыл бұрын
Glad it helped and thanks for the comment!
@puwanatth2 жыл бұрын
amazing and easy to understand
@devcentral2 жыл бұрын
We appreciate the comment and glad you enjoyed it!
@YouTubist6664 жыл бұрын
Excellent discussion. Thanks!!
@devcentral4 жыл бұрын
glad you enjoyed it!
@tushar8133a3 жыл бұрын
Superb!
@devcentral3 жыл бұрын
glad you enjoyed it!
@omkarsawant66023 жыл бұрын
Very Informative, thanks
@devcentral3 жыл бұрын
Glad you enjoyed it!
@mannylenis9312 Жыл бұрын
Great Video. One question, how often does that process kick off?
@amitshukla21654 жыл бұрын
Awsum teaching skills you have great for a fresher like me.................love from India
@devcentral4 жыл бұрын
glad you enjoyed it!
@rainfallen10643 жыл бұрын
Very good explanation!
@devcentral3 жыл бұрын
Thanks!
@viky7895 жыл бұрын
Just what i was looking for. Appreciated
@devcentral5 жыл бұрын
Glad you enjoyed it!
@Zohdiak3 жыл бұрын
Thank you for explaining things perfectly!
@devcentral3 жыл бұрын
And thank you for the comment!!
@sagarvyas37762 жыл бұрын
Its really amazing explanation on TLS handshake Thank you ... Just for my curiosity which application you used to record video with screen whiteboard option.
@devcentral2 жыл бұрын
Thanks for the comment! This is how we create these: kzbin.info/www/bejne/i2iokH9qrKiDisU
@srimalnishantha67002 жыл бұрын
Well explained. thanks a lot 👍
@devcentral2 жыл бұрын
Glad you liked it and we appreciate the comment!
@lukecaruana70622 жыл бұрын
super fkng awesome explaination
@devcentral2 жыл бұрын
Thank you so much and thanks for the comment!
@gagangupta12554 жыл бұрын
Awesome video
@devcentral4 жыл бұрын
glad you enjoyed it!
@zizifn91423 жыл бұрын
this guy know things...
@devcentral3 жыл бұрын
glad you enjoyed the video!
@isthereanyname4 жыл бұрын
Very good. Well done.
@devcentral4 жыл бұрын
glad you enjoyed it!
@satksd3 жыл бұрын
Thanks and that was great video. Have one question in the actual data transfer , the data is encrypted with symmetric encryption and the symmetric key is encrypted with asymmetric encryption for each session?
@devcentral2 жыл бұрын
Thanks for the comment satksd! The whole point of the asymmetric encryption is to share the encryption keys for the symmetric encryption. So, for a given session, the client and server will begin by using asymmetric encryption to share the keys that they will both use for the symmetric encryption. The symmetric encryption is used for encrypting all the data that is sent between the client and server during that session. So, once the symmetric encryption keys are exchanged (via the asymmetric encryption), then the asymmetric encryption is not needed any more until a new session is established and new keys need to be exchanged.
@neuroboost25852 жыл бұрын
I don't understand when Difie Hellaman is used here. And why is it actually needed? Why a signed certificate with public key is not enough?
@devcentral2 жыл бұрын
Thanks for the great question! In this particular example, the key exchange is RSA. So, you wouldn't see Diffie Hellman in this specific example. Here's a video of how Diffie Hellman would be used: kzbin.info/www/bejne/ppKXoKall5aLhc0
@neuroboost25852 жыл бұрын
@@devcentral Thanks man :)
@pankajh4u5 жыл бұрын
Brilliant way to explain the concept....loved it
@devcentral5 жыл бұрын
glad you enjoyed it!
@saileshb67583 жыл бұрын
Thanks! Pretty good explanation of how the TSL handshake works. Got a question around how the symmetric key is generated. So based on the video looks like, we create that pre-master secret from contents from the certificate that the server shared plus a key that client generates using some tools/security suite on the fly. Client then encrypts it using the public key that server shared in the certificate. Then client send it to the server. Server then decrypts it with the private key. The resultant decrypted content would then content the shared encryption key. Is my understanding right? Is there a security suite that needs to be present in the client to create such shared key? So shared encryption key generation is the responsibility of the client, correct?
@devcentral3 жыл бұрын
Hi Sailesh...great question! When the client initially contacts the server to initiate the secure connection (CLIENT HELLO for TLS), the client sends a list of cipher suites that are available for use on the client browser. In that cipher suite is a list of possible symmetric encryption algorithms that could be used (most of the time, the symmetric encryption type is AES). When the server gets the list of cipher suites from the client, the server checks to see if any of the cipher suites match what the server is willing to use (the server has a pre-loaded list of cipher suites that are configured for that specific server). The server picks the cipher suite that best matches its list of cipher suites (at least one has to match or else the connection gets terminated). Then, when the cipher suite is established, it tells the client and server exactly what kind of encryption methods will be used for that session. For example, Diffie Hellman could be used for key exchange while AES is used for symmetric encryption. So really, both the client and the server are involved in the creation of the symmetric encryption key, but the server is the one that gets to drive the choices (with picking the cipher suite and also sending its public key for initial encryption). I hope this helps!
@devcentral3 жыл бұрын
And, for more on cipher suites, you can watch this lightboard lesson. Thanks! kzbin.info/www/bejne/kH6WpYuehbtrrJI
@saileshb67583 жыл бұрын
@@devcentral I feel that things are lot clearer now about the symmetric key mechanism now that I have gone through few of the videos and the comment from you guys here. Agree that both server and clients are involved. But, someone still has to create the shared key that both the party agree to use. Are they generated on the fly? Am I missing something?
@saileshb67583 жыл бұрын
@@devcentral Thanks for sharing. I had already seen that video which gave much better understanding about shared encryption. But, even going through them things were not clear how shared encryption key gets generated.
@skitz2412 жыл бұрын
amazing vid thanks so much
@devcentral2 жыл бұрын
Glad you liked it and thanks for the comment!!
@Joallyson3 жыл бұрын
Amazing!
@devcentral3 жыл бұрын
glad you enjoyed it!
@godnonamesleft5 жыл бұрын
Very good. Thank you. I would like to learn how the symmetric key is first generated by the client.
@devcentral5 жыл бұрын
Great question! The math behind these calculations can get pretty tricky, but here's a link to some good info on the key generation topic: stackoverflow.com/questions/3936071/how-does-browser-generate-symmetric-key-during-ssl-handshake
@gauravchimanji69203 жыл бұрын
Great Video..!! One quick question.. How does the client verify that the (certificate and the public key) is coming from Big-IP not from an anonymous attacker?
@user-cd6vy2jg6f3 жыл бұрын
I believe this is what Cert authorities are for / root cert on the client. But would love a detailed answer
@devcentral3 жыл бұрын
Great question! The certificate is signed by the Certificate Authority (CA) so the client can use that signature as the validation that the certificate is from the proper sender. The server typically sends a Certificate Signing Request (CSR) to the CA to get a signed certificate for the server. Then, the server can send that signed certificate to the client so that the client knows it has been signed by the CA.
@GusRuss895 жыл бұрын
I'm left with one burning question. How did you learn to write backwards so well?
@madinakydyralieva31235 жыл бұрын
I wanted to ask the same question
@SaitoNakamura5 жыл бұрын
I'm pretty sure they've just flipped the video horizontally
@AamirSuhailDar5 жыл бұрын
They just flip while recording. He is not lefty by the way. Recording does the job here.
@rafaelveggi5 жыл бұрын
@@egregis21 I can read NEON on his pen at 7:09, looks like he is skillfully writing backwards.
@BalynOmavel5 жыл бұрын
@Narendra Solanki But title on his shirt???
@stenly3114 жыл бұрын
Would be great to know the reason why the client does not send the calculated primary key right away to the server instead of the pre-master secret/key? Only the server can decrypt that message anyway ...
@devcentral3 жыл бұрын
Great question! The main point of a pre-master secret is to provide greater consistency between TLS cipher suites. Here's a thread with a little more info: crypto.stackexchange.com/questions/24780/what-is-the-purpose-of-pre-master-secret-in-ssl-tls
@omparikh44264 жыл бұрын
Great Content! can you please discuss tls upgrade for smtp server?
@adam_hd2 жыл бұрын
Thank youuu
@olekristianrannekleiv7622 жыл бұрын
Very well explained, thank you.
@antonfernando84093 жыл бұрын
cool presentation. Questions: is the pre-master key actually exchanged, if so, what if man in the middle learned it, can it be used to create the eventual asymmetric key? Meaning during the TLS handshake is there vulnerability? 2nd question, is the final symmetric key ever exchanged? thanks.
@Flixus982 жыл бұрын
The pre master secret is shared but encrypted with the public key of the server (found in the server certificate). That way even if someone can tap into the message they cannot decrypt it unless they know the servers private key.
@adedejiemmanuel14 жыл бұрын
In what sequence will TCP handshake and TLS handshake happen? Which one happens first in a connection?
@devcentral4 жыл бұрын
Hi Azza...great question! The TCP handshake will happen first and then the TLS handshake. Thanks!
@ankurrajput75063 жыл бұрын
Awesome explanation. But I didn't get the difference between Pre-master secret and symmetric key. As per my understanding they are different names to the same key. Could someone please correct me?
@devcentral3 жыл бұрын
Great question! The pre-master secret and the symmetric key are two different things. The main point of a pre-master secret is to provide greater consistency between TLS cipher suites. Here's a thread with a little more info: crypto.stackexchange.com/questions/24780/what-is-the-purpose-of-pre-master-secret-in-ssl-tls
@ankurrajput75063 жыл бұрын
@@devcentral Thanks a lot 😀
@bobslave70635 жыл бұрын
Thanks! You guys as always Rock!!!
@devcentral5 жыл бұрын
glad you enjoyed it!
@thecandel54795 жыл бұрын
very, very, very nice. Thank you very much. Small question: what means by (bulk data)?
@devcentral5 жыл бұрын
glad you enjoyed it! bulk encryption (and thereby, bulk data) is the data transmitted between client and server after the key exchange takes place. This is, by far, the most data transmitted between client and server. The key exchange is simply there to exchange the keys that will be used in the symmetric (bulk) encryption.
@harmanpreetsingh69044 жыл бұрын
Well explained👍
@devcentral4 жыл бұрын
glad you enjoyed it!
@Varuntux5 жыл бұрын
very nice explanation, thank you very much.
@devcentral5 жыл бұрын
glad you enjoyed it!
@lightninginmyhands48785 жыл бұрын
Great vid! Now that you have a video about certificates it'd be helpful to have a link to that in this video's description. Thanks
@devcentral5 жыл бұрын
Great feedback! I just updated it. Thanks!
@sulekha37713 жыл бұрын
im a little confused... wouldn't it suffice if only one side generated a symmetric key? why is it necessary that even though it's the same symmetric key in a way another one would be generated by the web server?
@devcentral3 жыл бұрын
Great question! In order for the cryptography to work, one side must encrypt the data and then the other side must be able to decrypt the data so they can read it. The way symmetric cryptography works is that the same key (same value) does both the encrypting and decrypting. So, if only one side had the key, then they would be able to encrypt the data, but the other side wouldn't be able to decrypt it. So, both sides need to compute the exact same symmetric key so that they can each use that key to encrypt/decrypt. I hope this helps!
@sulekha37713 жыл бұрын
@@devcentral That makes sense!. This computing of the same symmetric key applies to all symmetric encryption right and not only in this case scenario?
@devcentral3 жыл бұрын
@@sulekha3771 yes, all symmetric encryption requires that the sender and receiver both have the same key.
@sulekha37713 жыл бұрын
@@devcentral I know but rather than both the sender and receiver having 1 key as I thought before they will both compute the same key (individually) to use to encrypt & decrypt data
@devcentral3 жыл бұрын
@@sulekha3771 yes...that's right!
@hnasr5 жыл бұрын
Thank you 😊 is this tls 1.2 or 1.3?
@devcentral5 жыл бұрын
This is TLS 1.2 and prior. I did a TLS 1.3 handshake video here: kzbin.info/www/bejne/r4HHe4msiN6Ap80
@theartist88354 жыл бұрын
you here Hussein ?
@christopherjholland3 жыл бұрын
Does symmetric key encryption used on top of the asymmetrical encryption, or do both nodes switch over to symmetric encryption? If so, why not asymmetrical to host and symmetric back to client?
@devcentral3 жыл бұрын
Hi Christopher...great questions! The asymmetric encryption is used at the beginning of the handshake and the primary purpose of this is to share/create the keys that will be used in the symmetric encryption. Both sides start with asymmetric and then (once the symmetric keys have been created and verified), they both move to symmetric encryption for the duration of the session. I hope this helps!
@christopherjholland3 жыл бұрын
@@devcentral I figured that had to happen somewhere. Thank you
@Mike-mp6cd5 жыл бұрын
whats the role of "client random number" and :"server random number" in generating the final symmetric key ?
@devcentral5 жыл бұрын
Great question, Mike! The random numbers are used to calculate the symmetric key used for the bulk encryption algorithm. I did a video on how the RSA algorithm works here: kzbin.info/www/bejne/qIe0oX5sg8iMf6c and I also did one on how the Diffie-Hellman algorithm works here: kzbin.info/www/bejne/ppKXoKall5aLhc0 I hope this helps!
@diegoramos274 жыл бұрын
very good video thanks for sharing, one question, what is the encryption algorithm used to exchange communication between client and server ? is it AES ? thanks
@devcentral4 жыл бұрын
Hi Diego...great question! The encryption algorithm used to exchange communication between client and server is negotiated in the initial part of the TLS handshake. That said, AES is almost always used in modern web applications today. I hope this helps!
@diegoramos274 жыл бұрын
@@devcentral Thanks for the reply ! another question... if you proceed to a site which is not using a valid certificate and then you get the warning and click on "proceed to unsafe" does the ssl handshake still happen ? if so, does encryption happen even if the certificate could not be validated ? Thanks
@devcentral4 жыл бұрын
@@diegoramos27 great question! yes, even if the certificate is not valid, the TLS handshake should still complete (although it's possible to configure to drop the connection if the certificate is invalid). In this case, the client and server would still have an encrypted connection, but the client just wouldn't know for sure that the web server is the correct one.
@houseofdiego4 жыл бұрын
How is the symmetric key generated, exactly? And how can the server generate it in a way that matches what the client generates?
@akashnautiyal82073 жыл бұрын
they use diffie hellman key exchange
@HughJass-3133 жыл бұрын
No, Akash... Diffie Hellam does NOT have to be used. Remember, the client sends over the *Pre-shared master key.* Okay... so what's that exactly? Well... its basically the *recipe* for the "symmetric key." However, the client does NOT send the "recipe" in *clear text.* Instead, the client ENCRYPTS the recipe using the Server's Public Key (aka, the certificate)... and THEN its sends it to the server. :]
@eoikiqwerty61487 жыл бұрын
nice videos. like your explanation on these topics. keep em coming. maybe next video about in depth certificate's?
@devcentral7 жыл бұрын
thanks!
@devcentral7 жыл бұрын
Also, here's another one I did on "what's in a digital certificate?" kzbin.info/www/bejne/jp6snaykoLdrgJo Enjoy!
@chillyvanilly63524 жыл бұрын
So the client does not have to provide it's own certificate? Or is that optional?
@devcentral4 жыл бұрын
Hi Chilly Vanilly...great question! The client is not required to provide its certificate unless the server is configured to require client authentication. Then, the client would need to present a valid certificate to prove who they are in order for the handshake to complete. Thanks!
@chillyvanilly63524 жыл бұрын
@@devcentral Ah, okay, thank you kindly for the quick reply! Great vid btw!
@HughJass-3133 жыл бұрын
@@chillyvanilly6352 Cliennt's usually provide a username/password to CONFIRM who they are. Thats the reason you are able to "LOG IN" in order to read your email. :]
@itihas99585 жыл бұрын
What's stopping a hacker from using the symmetric key on the client side to communicate with server after it's generated? Does that question even make sense?
@devcentral5 жыл бұрын
Great question!! If an attacker were to get the symmetric key from the client, he could definitely decrypt all communication between client and server. This is why it is so important to secure the symmetric key. This is also one of the reasons many clients and servers are moving to "Perfect Forward Secret" ciphers so that the symmetric key changes with every new session. Here's more info on Perfect Forward Secrecy in case you are interested: kzbin.info/www/bejne/f5ywZIVjgKmoapY Hope this helps!
@mahendranr42454 жыл бұрын
In registry of one machine, If we enable client tls 1.0 and server tls 1.2 enabled, rest all disabled. Will it still allow communication?
@devcentral4 жыл бұрын
Great question Mahendra! It all depends on how you configure, in this case, the server. If the client is using TLS 1.0 and the server is set to use TLS 1.2, then you can configure the server to abort the TLS handshake when it realizes the client can't use TLS 1.2. Or, you can configure the server to allow a downgrade to TLS 1.0 when it realizes that the client can only use TLS 1.0. So, it depends on how you configure the client cipher suite. I hope this helps!
@mahendranr42454 жыл бұрын
@@devcentral Thanks John for your reply. Glad to hear from you. Much appreciated, if you can explain along with sample client/server communication example.
@jasonb32004 жыл бұрын
beginner question here... why not just the client generate the symmetric key, encrypt it with the public key, send it to the server. The server decrypts the message with its private key to obtain the shared symmetric key?
@JakeGPictures4 жыл бұрын
Jason, the client needs to verify that the server is who they say they are before sending it’s own key, hence it first negotiates with the server to get the servers public certificate. Once the client has the certificate and public key it checks with a certificate authority (third party check which is briefly mentioned, but not drawn in the video) to verify the server is who the client expects it to be, only then will the client start negotiating symmetric keys.
@jasonb32004 жыл бұрын
@Jeggle Publishing Thank you for taking the time. I understand the initial authentication handshake but I appreciate you not making that assumption. My question pertains to what happens after, the necessity of the simultaneous calculation on both sides with the premaster as input to arrive at the symmetric encryption key. Could the client just have come up with this symmetric key, encrypt with the server's public key, send it. both sides acknowledge to use the symmetric key from then on?
@HughJass-3133 жыл бұрын
@@jasonb3200 LOL Honestly... what you proposed... is basically what happens anyway. LOL You're saying that, after the client CONFIRMS that the server is REALLY who it claims to be.... "WHy doesn't the client just SEND the symmetric key directly?" But.. it doesn't. instead, it sends the *Pre-shared master key.* Okay... so.... what exactly is that about? Well... its basically the *recipe* "for" the symmetric key. It's the equivalent to "ME" needing to send "YOU" my grandma *special* German Chocolate cake. i have the ingredients... i have the Oven... and i have the recipe.... so i could put in the *TIME & EFFORT* to "bake the cake" and then send it to you. Or, at the end of the day... i know that: You already have the Ingredients, You already have an Oven.... So... it's actually easier if i just *SEND you my grandma's RECIPE...* and then you can BAKE the cake yourself. At the end of the day.... think about it this way: which is EASIER to send to someone: a) a German Chocolate Cake, or b) the *recipe* for a German Chocolate cake. ? The key exchange probably follows the *same* reasoning. :]
@praiasteam7 жыл бұрын
Great video and explanation! Thank you very much!
@netsnower6 жыл бұрын
GREAT video, thanks!!
@devcentral6 жыл бұрын
glad you enjoyed it!
@angelic123ish5 жыл бұрын
So, we can get 1 symmetric key (ONLY) out of Pre Master Secret ? The reason I ask, if both server and client are able to generate 1 symmetric key out of 1 PMS, I would think the answer is 1.
@devcentral5 жыл бұрын
Hi...great question! The purpose of the Pre Master Secret is to ultimately create a shared symmetric key that the client and server can both use for the duration of that particular session. When the session is over (or renegotiated, etc), then the client and server will generate a new symmetric key for the new session. There would only need to be one pre master secret used to generate the shared symmetric key for a given session. But, like I mentioned, this entire process would happen again for any new sessions between the client and server (or a different client and the server). I hope this helps!
@angelic123ish5 жыл бұрын
@@devcentral Thank you for the explanation.
@EJP286CRSKW4 жыл бұрын
F5 DevCentral Wrong. The master secret can be used to generate any number of session keys within the session.
@ArjunSachdeva19087 жыл бұрын
Excellent explanation. Thank you.
@devcentral7 жыл бұрын
Glad you enjoyed it!!
@vaibhavsaxena07864 жыл бұрын
Thanks a lot , same I was looking for
@devcentral4 жыл бұрын
glad you enjoyed it!
@paritoshd97762 жыл бұрын
Does it protect TCP header and payload both? Or just the payload?
@buffaloofm71192 жыл бұрын
nice 🔥🔥
@devcentral2 жыл бұрын
Appreciate the comment!
@jemelsantiago5 жыл бұрын
thank you for this nice explanation!
@devcentral5 жыл бұрын
glad you enjoyed it!
@metalalive20065 жыл бұрын
Thanks & really appreciate your work . I have one question here : at 7:51, should Change Cipher Spec be sent before Client Key Exchange or after that ? I think Change Cipher Spec should be the last one sent in plaintext (accroding to RFC5246) , but not sure if we must encrypt Client Key Exchange before sending it out.
@kumaravelrajan4 жыл бұрын
Thanks for the video!
@ABDULKARIMHOMAIDI9 ай бұрын
THANKS MAN
@kanetla86923 жыл бұрын
As far as i know there's nonce in the handshake process. I know it's used to prevent some replay attack but I wonder if nonce is used to create pre master secret. Or Is pms only genereated from server's public key?
@simonlenz70574 жыл бұрын
why does the client send the Pre Master secret and not immediately the symmetric key?
@devcentral4 жыл бұрын
Great question! The main point of a pre-master secret is to provide greater consistency between TLS cipher suites. Here's a thread with a little more info: crypto.stackexchange.com/questions/24780/what-is-the-purpose-of-pre-master-secret-in-ssl-tls
@rheumaticharm95513 жыл бұрын
I got everything but I have a single doubt. Pre master secret is derived from public key. And then it is encrypted and shared with the server. And then server has the same pre master key. And now both client and server makes a symmetric key. How? What kinds of algo do they use? And how do they ensure that they make the same symmetric key?
@rheumaticharm95513 жыл бұрын
And where is this symmetric key stored in the server?
@rheumaticharm95513 жыл бұрын
And how are these public keys and private keys decided by the server before sending to client? During the deployed of the application? Do the developer provide public and private keys?
@shreddder9994 жыл бұрын
Is this allowed? Doesn't it have to be an elbow bump?
@HughJass-3133 жыл бұрын
lol i see what you did there...
@drob184 Жыл бұрын
@@HughJass-313
@subhamthemusicalguy88514 жыл бұрын
Awesome info
@siddharthmanumusic5 жыл бұрын
How does it complete the transaction and tell the other side not to use that private key anymore?
@devcentral5 жыл бұрын
Great question! The "change cipher spec" message essentially alerts the other side that it's time to move to symmetric encryption. Plus, all future messages after that are encrypted using the symmetric key instead of the public/private key pair. Thanks!
@siddharthmanumusic5 жыл бұрын
Thanks for the quick reply! How is the data transfer process terminated and the symmetric key discarded?
@devcentral5 жыл бұрын
@@siddharthmanumusic once the client and server establish the shared symmetric key, they use that key for encryption/decryption for the duration of that specific user session. Sessions typically last for as long as the client has the browser open to that specific page (or pages) or until there is no more client activity (like, when you visit a banking page and then don't take any action, they will sometimes ask if you are still there or want to extend the session). Thanks!
@siddharthmanumusic5 жыл бұрын
F5 DevCentral Thank you! So when the TCP session ends, at the protocol level...
@EJP286CRSKW4 жыл бұрын
Siddharth Manu The session key can be changed within the session, via an abbreviated handshake.
@benb24923 жыл бұрын
Man this is TECH NF
@bajobozic48696 жыл бұрын
Great stuff,thanks for sharing!!!
@devcentral6 жыл бұрын
glad you enjoyed it!
@harshitshrivastava7816 жыл бұрын
Thanks for the video. One question I have. You mentioned that when server sends its certificate to the client, it also sends its public key. In this case, any MITM attacker can replace this certificate with its self-generated certificate signed using his private key and send to the client with his public key. So, client will have no way to identify if the cert+public key it received is from the actual server or from the attacker. Is my understanding correct?
@devcentral6 жыл бұрын
Hi Harshit...great question! You are exactly right that a MITM could step in and send a self-generated certificate signed by his own private key. The issue, though, is that the MITM will have to get someone/something to sign the certificate. The easy answer is for the attacker to sign the certificate himself, but all modern browsers will notice that a certificate has been "self-signed" and will prompt a warning page to the user saying that the page you are attempting to view has a certificate that has been self-signed. The idea is that the Certificate Authority has to sign the certificate in order to avoid the browser warning page. And, a Certificate Authority is not going to issue/sign a certificate for a secure website that already has a valid certificate. The Certificate Authority is supposed to check these things before they ever issue a certificate and public/private key for a given website. Here's a quick article that I found that goes into a bit more detail: www.globalsign.com/en/ssl-information-center/dangers-self-signed-certificates/ I hope this helps!
@harshitshrivastava7816 жыл бұрын
@@devcentral Thanks for the detailed explanation. Now I got the answer.
@bonbonpony5 жыл бұрын
@@devcentral But this in turn requires the Certificate Authorities to exists, so we're back to square one, because this requires trusting the Authorities :P And they can be the biggest Men In The Middle here, because of the scale of their power and lack of suspicion from the clients :q Imagine someone hacks the CA and swaps the keys to their own (happened already). Why do we need CAs anyway? Can't we do a two-sided key exchange without them? :q I see this entire CA thing as another huge pyramid scheme to squeeze money from people for selling certificates to them :q
@EJP286CRSKW4 жыл бұрын
Bon Bon The answer is not correct. What he's omitted is that the CertificateVerify message which is sent after the Certificate message contains a digital signature signed by the private key, and that can be verified by its public key. So only the owner of that public key can create a valid CertificateVerify message.
@bala2k23 жыл бұрын
EJP is correct .. Every browsers have CA root bundles installed which has the public key of trusted CA's who able to verfiry the sigature in certifcate which signed using their(CA) own private key at the time of CSR.. So any MITM hacked and replaced the certificate ,signature cannot be verified by browser and I think you will see warning message or connection may be dropped..
@Vikash01254 жыл бұрын
As far as I can understand, the first 4 steps(until hello done from big ip) are not encrypted . Or the first hello from client also includes its public key. I am confused. Please explain.
@mikexue51044 жыл бұрын
client never send its public key to server, client only use server's public key to encrypt message, while server can decrypt the message coming from client with its private key. after decryption, server knows the suggested pre-master-secret from client, then use its private key to encrypt pre-master-secret to create a symmetric key, send it back to client, client can decrypt this symmetric key by servers public key, if client get the original pre-master-secret, then it proves client is talking to the intented server, because by now no 3rd party knows this newly created symmetric key, for later communications client can use this symmetric key to encrypt, and server can use the same symmetric key for decryption.
@errorboom88883 жыл бұрын
But what is the pre master secret? ;/
@devcentral3 жыл бұрын
Great question! The pre-master secret and the symmetric key are two different things. The main point of a pre-master secret is to provide greater consistency between TLS cipher suites. Here's a thread with a little more info: crypto.stackexchange.com/questions/24780/what-is-the-purpose-of-pre-master-secret-in-ssl-tls
@swayamraina45646 жыл бұрын
I have a doubt, Since you said Pre-master secret is generated from the public key that means the logic to derive the secret is embedded into the client which makes MITM possible at this very point. As per this post, security.stackexchange.com/questions/63971/how-is-the-premaster-secret-used-in-tls-generated it has no relation with the public key of the server. Also, is the Server HELLO, certificate sharing done in separate calls (as depicted by you) ? if yes, isn't this bandwidth wastage? could you please clear out these doubts?
@skannank925 жыл бұрын
Does the Master- Secret key keeps changing?
@devcentral5 жыл бұрын
Hi kannan, great question! The secret key for the bulk encryption (i.e. AES) can change with every new session between the client and server. But, it doesn't always have to do this. It depends on how the server is configured to handle the encryption. For newer versions of TLS (1.3), the secret key will be required to change with every session between client and server. But for older TLS versions (1.2 and older), the key doesn't have to change with every new session. Thanks!
@EJP286CRSKW4 жыл бұрын
F5 DevCentral That's not what he asked, and it isn't correct. The Master Secret doesn't change until the session is invalidated, and can be used to generate numerous session keys within that session.
@devcentral4 жыл бұрын
@@EJP286CRSKW, the point of the initial response was to say that the type of key exchange can affect the frequency of key changing. In RSA, the Pre-Master secret is computed in the browser. This Pre-Master secret is encrypted with the server's public key and shared with the server so that the client and server can later create the Master secret. In Diffie-Hellman, the client and server generate a new key pair for each session. The private keys of both client and server are deleted immediately once the Pre-Master secret is computed. Still, the Pre-Master secret is used later to create the Master secret. The point here is that, using Diffie-Hellman (or DHE), the keys can (and will) change with each new session. That said, it is also true that, when the Master secret is generated, there are a variety of "session" keys that are created. The RFC lists these as "client write MAC key, server write MAC key, client write encryption key, server write encryption key, client write initialization vector (IV), and server write IV. Not all of these will be used (the IV keys are not always needed) but it is true that more than one set of "session" keys will come out of a given Master secret. Thanks for contributing to the conversation on this.
@lathamanickavasagam55292 жыл бұрын
each client generates a unique symmetric key, how does the server stores all these symmetric keys ? if million unique users hit a website does that mean that the server stores million symmetric keys?
@atercat7 жыл бұрын
Why doesn't the client just send a symmetric key to the big IP? What is the reason of the additional step with a pre-master secret?
@devcentral7 жыл бұрын
Great question! The main point of a pre-master secret is to provide greater consistency between TLS cipher suites. Here's a thread with a little more info: crypto.stackexchange.com/questions/24780/what-is-the-purpose-of-pre-master-secret-in-ssl-tls
@atercat7 жыл бұрын
I see now. Thank you for your videos. You're doing a great job!
@johnparker20076 жыл бұрын
Bro, Symmetric is based on PMK which is generated via public key of server ,so we need to have these steps
@EJP286CRSKW4 жыл бұрын
F5 DevCentral Not really. The basic idea is never to transmit the session key, so it can never be intercepted.
@olliveraira6122 Жыл бұрын
What I dont understand is how this makes the data secure by any means, cant a cleverly designed software follow all this communication and end up with the same symmetric key at the end (assuming the attacker is able to sniff every single package sent back & forth)?
@perburr2 ай бұрын
After receiving the server's certificate, the client generates a Pre-Master-Secret. They then encrypt this with the server's public key (extracted from the server's certificate). The client then sends the encrypted Pre-Master-Secret to the server. This is the crucial bit: only the server will be able to decrypt the encrypted Pre-Master-Secret. This is because only they (the server) possess the private key required to decrypt anything that is encrypted with their own public key. So even if an attacker could sniff all the packets sent between client/server, they wouldn't be able to decrypt the encrypted Pre-Master-Secret (since they don't possess the server's private key).
@TheodorSirmanoff3 жыл бұрын
Thank you, but in my feeling is that it's not enough organized as presentation. Cuts, got back several times, to add this and that. BIG/IP or Server: chose one of them and keep it. Of course I'm speaking for myself, but I would prefer you to follow much more your paper you are looking at in your presentation. Anyway, thank you
@caroledecouto10324 жыл бұрын
what does TLS stand for?
@devcentral4 жыл бұрын
Transport Layer Security. It's the successor to Secure Sockets Layer (SSL). Here's more info on it: en.wikipedia.org/wiki/Transport_Layer_Security
@HughJass-3133 жыл бұрын
T.otally L.ame S.ecurity ;)
@magnus86647 жыл бұрын
Could you do an video what describe ChaCha20 and Poly1305 that Chrome/Google uses ?
@abhijithks74197 жыл бұрын
Hi john : great video, one question : If I am using the ssl client and server profile in which part Of the handshake that the certificates are validated for identity ? For both client and server side ?
@ryankaakaty45653 жыл бұрын
I believe this is done through the CA - or Certificate authority, at least validating the Servers identity.
@Flixus982 жыл бұрын
In this video the server does not request of the client to authenticate itself. Client authentication is optional but some connections require it