"Our tailored course provided a well rounded introduction and also covered some intermediate level topics that we needed to know. Clive gave us some best practice ideas and tips to take away. Fast paced but the instructor never lost any of the delegates"
Brian Leek, Data Analyst, May 2022
This introductory chapter will discuss our motivation to use cryptography and introduce the basic concepts. Light exercises will be used to demonstrate certain features. The end of this module will discuss real-world security and the Internet threat model.
1. Motivation: why do we need cryptography?
a. Confidentiality, integrity, authentication
2. Building blocks of modern cryptography
a. Sidebar: Alice and Bob
b. Symmetric encryption
c. Asymmetric encryption
d. Hashing
i. Exercise: produce SHA1 and SHA256 hashes of a file. Notice size differences. Change one byte of contents and observe the hash changing.
e. Message Authentication Codes
f. Digital signatures
g. Random number generation
i. Exercise: generate some random numbers using OpenSSL, /dev/random and /dev/urandom. Measure the speed.
h. Protocols
i. Authentication
ii. Key agreement
iii. Authenticated encryption
3. Attacking cryptography
a. Understanding strength
i. Security bits and computational security
ii. Symmetric, asymmetric, and hashing bits
b. Types of attack
i. Primitives
ii. Schemes and protocols
iii. Key management
iv. Application issues
v. Implementation attacks
c. Passive and active network attacks
i. Sidebar: Eve and Mallory
ii. Exercise: use Wireshark to examine plaintext HTTP traffic. See how easy it is to hijack HTTP sessions. Now connect to a HTTPS web site; can you find the data?
d. Understanding real-life threats
i. Internet Threat Model
ii. Cryptography typically not the weakest link; bypassed, not broken
Key management is the foundation on which internet encryption is built. This module will discuss our current trust model and its weaknesses. Exercises will be used to demonstrate the key concepts.
1. Purpose of PKI
a. Sidebar: What is trust?
2. Certificate lifecycle overview
a. Request for issuance
b. Validation
c. Issuance
d. Deployment: validation and revocation checking
e. Revocation or expiration
3. What’s in a certificate?
a. Exercise: Connect to a web site and retrieve certificate
b. Exercise: Examine the site’s certificate (in detail)
c. Exercise: Examine the ASN.1 makeup of a certificate
4. Certificate chains
a. Exercise: Observe the certificate chain in OpenSSL; retrieve all certificates
b. Exercise: Use a browser certificate viewer
c. Exercise: Use the SSL Labs report to observe chain
d. Exercise: Use AIA information to reconstruct a broken chain
e. Exercise: Examine CA certificates (in detail)
5. Certification authorities
6. Root stores
a. Exercise: Examine root certificates in browser or system store
7. Ecosystem weaknesses
a. Lack of technical controls for certificate issuance
b. Weak validation
c. Lack of trust agility
d. Revocation failures
e. Certificate warnings
f. Weak root keys
This module is a practical introduction to the SSL and TLS protocols. We will discuss the key functionality and components, and how they impact security.
1. Brief history
a. IETF TLS Working Group
b. Current activities and path to TLS 1.3
2. Where TLS fits in the OSI architecture
3. Session handshake models
a. Full handshake
b. Resumed handshake
c. Exercise: Use Wireshark to observe a full handshake.
d. Exercise: Use Wireshark to observe a resumed handshake.
e. Client authentication
4. Encryption
a. Stream, block, and authenticated encryption
5. Protocol elements
a. Key algorithms: RSA, DSA, ECDSA
b. Key exchange algorithms: RSA, DHE, ECDHE
c. Ciphers: AES, 3DES, RC4
6. Understanding cipher suites
7. Elements of SSL/TLS and TLS security: protocol, key, server configuration, suites
This final module brings all other training modules together. We discuss all decisions involved in the design of a secure and performant configuration that works for the intended user base.
1. Key
a. Algorithm
b. Size
c. Key management
2. Certificate
a. Validation type
b. Hostnames
c. Dangers of certificate sharing
d. Signature algorithm
3. Protocol configuration
4. Cipher suite configuration
a. Security versus interoperability
5. Special topics
a. Certificate chain correctness
b. Session management
JB International 020 8446 7555 www.jbinternational.co.uk
i. Exercise: Test session caching (with and without tickets)
c. Forward secrecy
d. Interoperability
e. Dual-key deployment
6. HTTP
a. Consistent use of transport encryption
b. Cookie security
c. Mixed content
d. HTTP Strict Transport Security
e. Content Security Policy
7. Advanced topics
a. Pinning
b. Session state sharing
8. Overview of the current threats: renegotiation, BEAST, CRIME, Lucky 13, RC4, TIME and BREACH, Triple Handshake Attack, Heartbleed, Virtual host confusion.
Discuss the performance challenges and overhead of encryption and how to get the best possible performance.
1. TCP/IP topics
a. Latency and connection management
b. Connection persistence
c. SPDY and HTTP/2
2. Session caching
3. Key exchange performance
4. Cipher suite performance
5. Overheads
a. Certificate chain size
b. TLS record overhead
c. Encryption overhead
d. Revocation checking
6. Denial of Service attacks
Discuss new standards that are designed to address the weaknesses in how SSL/TLS and Internet PKI are deployed and consumed today.
1. HTTP Strict Transport Security
2. Content Security Policy
3. Public Key Pinning
a. Mobile application pinning
b. Chrome and Firefox
c. Public Key
"Our tailored course provided a well rounded introduction and also covered some intermediate level topics that we needed to know. Clive gave us some best practice ideas and tips to take away. Fast paced but the instructor never lost any of the delegates"
Brian Leek, Data Analyst, May 2022
“JBI did a great job of customizing their syllabus to suit our business needs and also bringing our team up to speed on the current best practices. Our teams varied widely in terms of experience and the Instructor handled this particularly well - very impressive”
Brian F, Team Lead, RBS, Data Analysis Course, 20 April 2022
Sign up for the JBI Training newsletter to stay updated with world-class technology training opportunities, including Analytics, AI, ML, DevOps, Web, Backend and Security. Our Power BI Training Course is especially popular. Gain new skills, useful tips, and validate your expertise with an industry-leading organisation, all tailored to your schedule and learning preferences.
Our SSL/TLS training course is led by an expert instructor who will guide you through Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), both of which are cryptographic protocols designed to provide communication security over a computer network. Additionally public key infrastructure (PKI) will be covered in detail to help you create, manage, distribute, use, store, and revoke digital certificates.
CONTACT
+44 (0)20 8446 7555
Copyright © 2023 JBI Training. All Rights Reserved.
JB International Training Ltd - Company Registration Number: 08458005
Registered Address: Wohl Enterprise Hub, 2B Redbourne Avenue, London, N3 2BS
Modern Slavery Statement & Corporate Policies | Terms & Conditions | Contact Us
