How does dtls factor into this? I briefly looked at the wikipedia entry, but haven’t dug into it yet.
On Sat, Nov 17, 2018 at 2:20 PM Dave Stoddard <lamp...@gmail.com> wrote: > >>> Just a note that TLS 1.2 cannot be implemented over UDP. To meet the TLS > 1.2 spec, you must use TCP as it requires a connection-oriented protocol. > UDP is connectionless - it provides no guarantee that the packet was > received at the other end, and there is no guarantee that the packet > received by the server originated with the sender IP address found in the > UDP packet. > > TCP requires a three-way handshake to ensure the connection is > established, that the two parties to the connection are genuine, and to > ensure that packets that are sent are received in the correct sequence. > Once the connection is established over TCP, the client requests a secure > connection with a list of supported ciphers and hashes. The server picks a > cipher and hash and returns the choice to the client. Then the server > provides a signed certificate to the client (usually signed by a third > party certificate authority), which contains the server's public key. The > client verifies the certificate and returns its public key to the server in > an encrypted connection using the server's public key to encrypt the > response (it is a little more complicated than that, but that is the gist > of it in a nutshell). Once the key exchange is completed, data can be > exchanged. TLS 1.2 is generally used to support encrypted data exchange > when you do not have control over both the client and the server (which is > typical for HTTPS or SMTPS). > > When UDP is used, it is more common to use symmetric keys for data > exchange, such as AES 256 with a pre-shared key (PSK). This is the way > encryption is implemented for UDP in OSSEC. AES 256 meets the requirements > for HIPAA, PDI DSS 3.2, and DFARS (NIST 800-171). Of course, you can use > symmetric key cryptography with TCP too. When public key cryptography is > used for encryption, as provided through TLS 1.2, the specification of TLS > 1.2 for HIPAA, PCI DSS, and other regulatory compliance is done to stop > people from using earlier (flawed) versions of PKI, such as SSL 2, SSL 3, > TLS 1.0, and TLS 1.1. > > While it is generally recommended not to "roll your own" cryptography, the > open source OpenSSL library provides a complete set of wrapper functions > through the EVP interface that make it easy to implement encryption for > almost any cipher using C/C++ (Google for "openssl evp functions" for more > info). Most mainstream programming languages provide libraries to support > encryption protocols, including Python, Perl, Go, and many others. Hope > this helps. Best, > > Dave Stoddard > Network Alarm Corporation > https://networkalarmcorp.com > https://redgravity.net > dgs at networkalarmcorp dot com > > -- > > --- > You received this message because you are subscribed to the Google Groups > "ossec-list" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to ossec-list+unsubscr...@googlegroups.com. > For more options, visit https://groups.google.com/d/optout. > -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
