The internet is a vast landscape with millions of entities interacting with each other on a daily basis, making security essential when conducting online communications or commerce.
Transport Layer Security (TLS) is a widely-utilized security protocol that facilitates secure communication between a client and server over the internet, such as a web page and web browser. TLS encrypts the data in-transit and verifies both parties in the transaction to ensure only the intended recipient can access the data.
Why is it called “TLS/SSL Encryption?”
Secure Sockets Layer (SSL) is the predecessor of TLS, and people who have been in the industry for years are used to it, which is why the terms SSL and TLS are so frequently used interchangeably. SSL was developed by Netscape back in the mid-1990s, but has since been deprecated in favor of TLS, which was introduced in 1999. SSL saw three different versions, but each ultimately suffered from vulnerabilities that led to the creation of TLS.
TLS has also experienced a few updates, with TLS 1.3 being the most recent update and TLS 1.2 being the new standard for WPA2-Enterprise and 802.1X authentication.
TLS 1.0 and 1.1 have been phased out by major browsers, including Microsoft, which disabled them in late 2020. Both the original TLS version and its first update have been around long enough for people to find vulnerabilities in them, and it is not recommended to use either of these versions.
TLS 1.2 is the accepted standard for now, with 1.3 set to take over in time. The vast majority of the internet nowadays uses TLS 1.2 because all major browsers have standardized on 1.2; however, a report by RiskRecon showed that some organizations have not fully deployed 1.2. Check out SecureW2’s solutions that allow organizations of any size and vendor to fully implement TLS 1.2.
TLS 1.3 is an improvement on TLS 1.2 rolled out in early 2018, and provides increased security and performance. 1.3 fixes a lot of the issues one would experience with 1.2, including RC4 cipher exploits. While 1.3 is a definite upgrade over 1.2, many organizations are satisfied with 1.2 and will have to confer with their IT team about upgrading to 1.3 if they so choose.
How TLS Encryption Works
TLS can be used for both symmetric and asymmetric encryption, though we recommend asymmetric encryption because it offers far better security standards. It can be harder to configure and implement, unless you use a turnkey Public Key Infrastructure (PKI) solution like SecureW2’s Managed PKI.
Symmetric encryption involves only one cryptographic key that performs both encryption and decryption. The convenience of one key also means it is less secure, as it is easier to steal one key than multiple keys.
Asymmetric encryption is a deliberately more involved process, designed to provide better security. The process involves a pair of cryptographic keys that are mathematically linked and designated as the “public” key and the “private” key.
The public key is available to everyone, meaning anyone (within the domain) can use it to encrypt data meant specifically for the owner of that public key. The owner can then decrypt the data with their private key. This process ensures the identity of the data recipient, who is the only one able to decrypt and view the message.
The encryption, whichever method you choose, occurs during the TLS handshake, a series of steps that encapsulates the communication, negotiation, and data exchange between the client and server. Both parties must agree on the TLS protocol version and cipher suite and verify any digital certificates. The TLS handshake differs between TLS versions, with TLS 1.2 being more involved than 1.3.
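As an added illustration of the version policy and the handshake negotiation described above (example code written for this page, not SecureW2’s), the Python ssl module can be configured so that a client refuses TLS 1.0 and 1.1, requires a verified server certificate, and reports the protocol version and cipher suite the handshake settled on. The target host and port are assumed to be supplied by the caller.

```python
import socket
import ssl


def hardened_client_context() -> ssl.SSLContext:
    """Client context enforcing the policy described above: TLS 1.0/1.1
    are refused, TLS 1.2 is the floor, and TLS 1.3 is negotiated
    automatically when the server offers it. Certificate verification
    against the system trust store and hostname checking stay enabled."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_3
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


def version_allowed(ctx: ssl.SSLContext, name: str) -> bool:
    """True if a peer that only speaks the named version (as spelled in
    ssl.TLSVersion, e.g. 'TLSv1_1') could complete a handshake under ctx."""
    version = ssl.TLSVersion[name]
    return ctx.minimum_version <= version <= ctx.maximum_version


def describe_policy(ctx: ssl.SSLContext) -> dict:
    """Plain summary of the negotiable range, for a reviewer to confirm."""
    return {
        "min_version": ctx.minimum_version.name,
        "max_version": ctx.maximum_version.name,
        "verify_cert": ctx.verify_mode == ssl.CERT_REQUIRED,
        "check_hostname": ctx.check_hostname,
    }


def probe(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Complete a handshake with a live server and report what was
    negotiated. Needs network access, so the offline checks skip it."""
    ctx = hardened_client_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cipher_name, _proto, key_bits = tls.cipher()
            cert = tls.getpeercert()  # already verified by the handshake
            return {
                "protocol": tls.version(),  # e.g. 'TLSv1.3'
                "cipher_suite": cipher_name,
                "key_bits": key_bits,
                "subject": dict(rdn[0] for rdn in cert["subject"]),
                "issuer": dict(rdn[0] for rdn in cert["issuer"]),
            }
```

Run `probe("example.com")` (assumed host) against a server of your own to see the negotiated values; a server limited to TLS 1.0 or 1.1 fails the handshake instead of silently downgrading.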
3 Purposes of TLS Encryption
TLS was designed to fulfill three specific functions with regard to internet security. While it is not necessary to implement all three, it is highly recommended to leverage all three features:
- Encryption – Protects the data from anyone who’s not the intended recipient
- Authentication – Verifies the identity of the intended recipient
- Data Integrity – Prevents data tampering and ensures the data arrives at the intended recipient unchanged.
TLS fulfills all three functions by scrambling the data to hide it from the public and verifying the identity of the intended recipient AND the sender, giving assurance to both parties in the process.
TLS Encryption Use Cases
TLS Encryption is crucial for organizations and their clients because it protects them from data breaches and additional cyber attacks, like the infamous man-in-the-middle attack. HTTPS is an implementation of the TLS protocol and is used by all websites. HTTPS shows that the website is protected by a TLS/SSL certificate. Conducting business online is a standard in today’s environment, meaning things like passwords, social security numbers, and debit/credit card information are all online and at risk of being stolen. TLS ensures your data will stay safe from outside threats and reach its intended destination.
Organizations can configure the TLS protocol with digital certificates and enable EAP-TLS, the most secure IEEE 802.1X protocol, which leverages certificates and the TLS protocol. EAP-TLS combines the TLS protocol with the Extensible Authentication Protocol (EAP), virtually eliminating over-the-air credential theft. Network administrators can configure the highest level of network security with WPA2-Enterprise. WPA2-Enterprise can work with other 802.1X authentication protocols, but EAP-TLS is the only one that leverages the full capabilities of digital certificates.
Is TLS Secure?
Of course! As stated before, most people today use online resources to conduct business, meaning sensitive information is transmitted through the internet every second. Hundreds of thousands of people and businesses use TLS encryption to authenticate and secure their endpoints, email clients, Wi-Fi, VPNs, web applications, IoT devices, and much more.
Implementing TLS with a PKI
Network administrators can use EAP-TLS authentication with a private managed PKI solution, such as SecureW2. EAP-TLS is the only certificate-based authentication protocol, and SecureW2’s PKI allows admins to easily create and provision EAP-TLS certificates to every network user, device, and server. With SecureW2, a user will connect to the secure network and EAP-TLS confirms the identity of both the user and server in an EAP tunnel that prevents outsiders from infiltrating the connection.
Our PKI also comes with CloudRADIUS, an improved, dynamic version of the RADIUS protocol. RADIUS is imperative for 802.1X authentication, as it can be configured as the server that authenticates clients and authorizes them for network access. Network admins can configure CloudRADIUS with their organization’s user policies and permissions. When a user is authenticated, CloudRADIUS is the only certificate-based solution that can directly reference the organization’s directory, look up the policies and permissions ascribed to that user, and determine access levels at the moment of authentication.
Implementing a PKI for your environment can be a difficult and expensive process, unless you choose a turnkey Managed PKI solution that integrates with all major vendors and can be set up in a matter of hours instead of weeks. Plus, our PKI comes at a much more affordable price than most PKI solutions.
*** This is a Security Bloggers Network syndicated blog from SecureW2 authored by Sam Metzler. Read the original post at: https://www.securew2.com/blog/what-is-tls-encryption