// Wireshark pcap // davidbombal.wiki/tlsedpcap // Ed's TLS course // davidbombal.wiki/edtls49 Use coupon code: "BombalTLS" to get for $49 // MENU // 00:00 ▶ Introduction 02:11 ▶ How SSL/TLS is shown in a browser 02:40 ▶ Pre-Requisites 05:15 ▶ Data Integrity/Hashing 06:27 ▶ Potential Problems with Hashing/man in-the-middle attack 07:32 ▶ Message Authentication Code 10:09 ▶ Prerequisites continued 11:51 ▶ Symmetric Encryption 12:45 ▶ Asymmetric Encryption 17:00 ▶ Private and Public Keys 20:05 ▶ Signatures 21:55 ▶ Protocols 22:50 ▶ SSL/TLS Handshake, Client Hello and Server Hello 28:35 ▶ Client Hello and Server Hello in Wireshark 34:09 ▶ Certificate 35:12 ▶ Server Done 35:35 ▶ Server Hello, Certificate, Server Hello Done in Wireshark 36:51 ▶ Client Key Exchange 50:26 ▶ Client Key Exchange in Wireshark 51:39 ▶ Client Change Cipher Spec and Finished/Encrypted Verification 54:08 ▶ Server Change Cipher Spec and Finished/Encrypted 56:10 ▶ SSL/TLS Handshake in Wireshark 57:44 ▶ Decrypting a PreMaster Key with a Private Key in Wireshark 1:03:15 ▶ Where to get in contact with Ed to learn more // David's SOCIAL // Discord: discord.com/invite/usKSyzb Twitter: twitter.com/davidbombal Instagram: instagram.com/davidbombal LinkedIn: www.linkedin.com/in/davidbombal Facebook: facebook.com/davidbombal.co TikTok: tiktok.com/@davidbombal TH-cam: th-cam.com/users/davidbombal // Ed's SOCIAL // Twitter: twitter.com/ed_pracnet TH-cam: th-cam.com/channels/KmU-GKiukM8LYjkJFb8oBQ.html // Ed's TLS course // davidbombal.wiki/edtls49 Use coupon code: "BombalTLS" to get for $49 // More detail on Ed's TH-cam channel and website // Asymmetric Encryption explained from a Practical Perspective: www.practicalnetworking.net/practical-tls/rsa-diffie-hellman-dsa-asymmetric-cryptography-explained/ RSA Algorithm: th-cam.com/video/Pq8gNbvfaoM/w-d-xo.html DH Algorithm: th-cam.com/video/KXq065YrpiU/w-d-xo.html Practical TLS - Crypto & SSL/TLS foundation: th-cam.com/play/PLIFyRwBY_4bTwRX__Zn4-letrtpSj1mzY.html // MY STUFF // www.amazon.com/shop/davidbombal // SPONSORS // Interested in sponsoring my videos? Reach out to my team here: sponsors@davidbombal.com Please note that links listed may be affiliate links and provide me with a small percentage/kickback should you use them to purchase any of the items listed or recommended. Thank you for supporting me and this channel!
David! It was a ton of fun doing this video with you! Thanks for the opportunity! I love sharing some of the wonders of the SSL and TLS protocols =). Cheers!
CIA triad is about confidentiality integrity and availablity. Not authentication @ some where around in video at 3 to 4 min u mentioned it incorrectly..
@@dhirajverma8600 Some people put "authentication" in "Integrity". Some people list it as it's own service (as I did). This was intentional because achieving all three requires separate processes, which I use to frame the rest of my course picking apart TLS/SSL (that is in fact where these slides are from, is my TLS course).
Awesome to see Ed on your channel, he is without any doubt one of the best networking teachers I came accross. Especially him and Jeremy helped me a lot in passing my CCNA - actually just today!
Great video David and Ed! I would like to dig deeper on: 1. The client key exchange (the inner aspects of it) 2. Certificates Thanks for the video! Keep on posting more content.
Amazing , I dont think so anyone can explain TLS with this much detail and in such a simple and crisp way. Love your work David and Ed. I never comment of videos but this one has made me to to comment and follow both of you!!!
Two masters of the game right here. Ed's channel is absolutely superb. TLS, OSPF, NAT etc can be quite complicated but he makes it so easy to absorb without leaving any stone unturned. Can't reccomend it enough. Been waiting for this collab. Cheers both 👍
Crystal crisp explanations, just like Chris Greer. Really enjoying this videos of yours David!!! To continue further with Ed, perhaps DH overview and what are common issues with ssl where things might get wrong...Cheers!!!
Hey David. please call Ed for an ipsec deep dive ... There are lots stuff available but nothing comes close to what you guys (DAVID, CHRIS, ED) deliver. Thanks for sharing your amazing knowledge Ed.
Thank you so much for taking up this and making it so simple. I know it is not that straightforward but the concept explained is the best way possible. Not sure if anyone could have explained it better than you did..
Excellent topic and very very detailed explained I will also need to watch this whole video in sections there is so much good information on it that Ed needed to explain quickly I imagine because of the time constraints. We definitely need to have him back with a series of videos instead. Thank you again, Ed is in my opinion one of the smartest ones I have seen on your list of guests and you have had very brilliant engineers on your channel Neil and John Hammond, WireShark Chris, and now Ed for TLS and other network topics explained the right way.
This is practical networking. I subscribed his channel. Coz his explanations & teaching methods are such an amazing. Sorry david, your skills are best but this guy is even better.
When I teach this live I explain the messages sent by Pam and Jim as actually messages from the show. Tends to amuse the students.... and the instructor ;)
This is awesome. I would love a deeper dive into this, as deep as it can get. I will check out his channel to find more but please consider another video with him, thanks 🖤
Great video. I would be interested in a follow up where you could cover a pfs (perfect forwarding secret) configuration. In the example above, you can decrypt everything if you manage to get hold of the private key later on. With a pfs (TLS 1.3) configuration this should not be possible. Would be great to see an ephemeral key exchange in detail.
I'm a year late but thanks!! I managed to solve an issue with our office printer. Captured the packets and noticed the printer was opting to use TLS 1.0 when attempting to log into its web interface which is no longer supported by most browsers.
Thank you so much all of you two, i really enjoy the course here. I just don't know yet if i join the course and pay for the each course and complete them, will i get certificate or what? Because the no need to be in endless loans and credits for colleges or universities
Great information from Ed on the TLS handshake! Sub'd. I ran wireshark and connected to a few websites. I'm not sure why but my wireshark does not show the certficate information in the Server Hello. The Server Hello also has Change Cipher Spec and sometimes Application Data as well. Any ideas why I don't see the Certificate information?
David this type of content is amazing. I am loving these deep dives you are doing with other SMEs. This content is extremely helpful and I greatly appreciate you working out offer code deals to get content from the SMEs at a discount. Just purchased Ed’s TLS course and Chris’ wireshark course. Super excited to go through both of them! Keep these deep dives coming, the real world examples and the heavy usage of wireshark packet captures to demonstrate what is actually happening is VERY helpful. There are lots of resources online and offline with all the basics, I appreciate you diving into how things really work so we can get a better foundation to design and troubleshoot from. Keep this up, I’m looking forward to more protocols and more deep dives!
Great to see this collaboration with Ed, been following his channel for a while now. He has a very good, natural, delivery style and hits all the detail without cluttering it up with unnecessary info. Fair play David for throwing some exposure his way.👏👏
I I’m an IT tec programmer and already know this , however I watched it whole it’s informative and simplified with real world examples , I do use my own encryption tho! “You can’t make the whole world be helpful like these guys !” most of us are lazy. I searched topics and found him XD
Hello. Great video and great way of explaining this concept. I have question, am i right if i say that https request for web page is sent after client and server establish session keys?
Wow... I'm simply blown away with this content---between this and Chris Greer, I am learning so much about how networking works---beyond what I've learned in my career in the support trenches. I'm going to have to watch this one again--equipped with a notebook, and then go hit the site and buy the full course to expand that knownledge. Thanks for doing this, both yourself and Ed Harmoush!
David and Ed are both gold mines of knowledge. Absolutely awesome knowledge sharing on this video, will be rewatching again for deeper knowledge. Loved it
Observation. C-I-A, commonly referred to as “A-I-C” instead (so as not to be confused with the US 3 letter agency), stands for Confidentiality-Integrity-“Availability”-not “Authentication”. That is according to CompTIA, but what do I care? I think the IT world has gotten pretty superfluous with their catchy chaining of terms and abundant security-centric phrases to describe stuff.
so for the two communication to happen, server also need to have the clients public key correct, so when is that exchange happens if the client dont send any certificate from its side ?
How does a client generate a list of *Cipher Suites* that it supports? I'm assuming client PCs have a specific list of cipher suites pre-installed on them. Is that right? Also, when creating a CSR for a server, one of the options for CSR is selection of *hash algorithm* (SHA256, POLY1305, etc.) and *key algorithm* (RSA, DSA, ECDH_P256, etc.). Does our selection of hash algorithm and key algorithm for a CSR *has anything to do with server's selection of a cipher suite*? or does a server also have its own preinstalled cipher suites that it can use that has nothing to do with a CSR?
Yes! Not the CSR, since that isn't sent between Client and Server. But if the Server certificate is signed using RSA keys, then RSA must be the selected authentication protocol in the cipher suite negotiated between Client & Server.
I actually having problem with this using Windows Server 2012 R2. The client server requires strong cipher suites with latest protocols like TLSv1.2 and TLSv1.3 GCMs not CBC. I did all the things i need to do to isolate the problem like forcing my application to use TLSv1.2 and TLSv1.2. But before that I don't have any idea whats going on behind the request of my application to the clients API. Then a friend of mine send me this link, he told me that maybe this will help me in my problem. After watching this I finally understand how TLS handshake works. exchanging information of client and server specially wireshark. I was able to check what list of cipher suites my server is offering to the client server. And by then I was able to identify my problem that Windows Server 2012 R2 does not support the Cipher Suites Required by the client server. Thank you for this wonderful or superb session! :) BTW I'm a software engineer trying hard to be a devops/sysad haha
Thanks for providing a detailed end2end packet exchange that happens for establishing secure sessions over tls. Just googled a little and found that, chain of ca certs already maintained at browser. Why do server need to send chain of certificates if client (browser) has chain. Just Google's public certificate would be enough in response to client hello. I will dig deep and get back.
Browsers are meant to only have the "Root" certificates (top of the chain). Some go the extra step and have the next level down Certificates. Which means a site that only sends a Certificate (and not the full chain) will work on _those_ browsers... but not on other browsers or devices that don't do the same. Therefore, it's generally recommended that every site sends the full chain, regardless of what software the client is using.
Would I be correct in understanding that integrity and authenticity are two sides of the same coin: the former protects against tampering by an *unintelligent* adversary (bit flip, lightning strike, script kiddie ignorant of hashing, etc.) while the latter protects against tampering by an *intelligent* adversary?
So... while I agree with you bit flipping is much easier than spoofing authentication, I don't know necessarily if I can consider them two aspects of the same coin. You can attain Integrity without Authentication. I'd recommend this video (the 2nd part in particular), it will help clarify: th-cam.com/video/aCDgFH1i2B0/w-d-xo.html
@38:00 anyone can send me google certificate and pretend to be Google then how I will verify that? that certificate must have issued by some CA and i trust that CA and when i will get that certificate and when i will verify that by running hash and decryption and if the value matches then I'm connected to a rouge google server.
Every time you visit Google, Google gives you their certificate. But once you have their certificate, you can then give it to someone else and claim to be the real Google. BUT, there is something the browser does to verify that whoever sent a Certificate is the true owner of the Certificate. That is one of the functions of the "Client Key Exchange" message. It effectively comes down to making sure whoever gives you the Certificate also has the Private Key correlating to the Public Key in the cert. Hope this helps! Check out the full course for more details.
Great Video Ed. Thanks David and Ed. With your example of alphabet encryption using 5 and 21, I guess one of these should be public and another one is private. You are correct that its a magic to decrypt the word (encrypted using 5) using 21. But the point to note here is the encrypted word can be decrypted using both 5 and 21. if we assume 5 as a public key and 21 as private key, when server sends 5 (public key) to the client, the hacker can get this 5. Later when the client encrypt the word using 5, the server will use 21 to decrypt (the magic thing) it while the hacker can still encrypt the same word using 5 which he got it previously. can you please explain this logic in a simple way. I guess something is missed here.May be the alphabet example is not well suit for explaining the private and public key. Or I might have understood it in a wrong way. On the other hand, the reminder example is good like when we divide the number 12 by 5, the reminder is 2. And we can take 5,2 as public key and 12 as private key. When the hacker gets the pair 5,2, it will be difficult for getting the number 12 because we have bunch of numbers like 7, 17, 22,...etc will leave the reminder 2 when divided by 5. But the question is how the client can encrypt anything using 5,2 in such a way that it can only be decrypted by the number 12. Can you explain it with any simple example?
Hi Chris. It's in the Public Certificate. More details about what is inside a Certificate and how to View the contents of a certificate here: th-cam.com/video/om9-9BCZr5M/w-d-xo.html
Hey bro can you help me to decrypt my handshake plz I have tried almost all the thing like aircrack all kali linux wordlist, guthub, crackstation, hashcat, hashcat rules and also brutforce attack a entire weak on Google cloud
Now it's the about the 7th or more round to watch this and I think I have really decrypted the idea on this !!! Many thanks David and Ed. Keep the deep dive coming.
I had a job interview the other day and they I asked me about this SSL/TLS and I couldn't answer properly, this is very helpfull to know and very important info for any network engineer nowdays that security is very important.
Mrs Richards: "I paid for a room with a view!" Basil: (pointing to the lovely view) "That is Torquay, Madam." Mrs Richards: "It's not good enough!" Basil: "May I ask what you were expecting to see out of a Torquay hotel bedroom window? Sydney Opera House, perhaps? the Hanging Gardens of Babylon? Herds of wildebeest sweeping majestically past?..." Mrs Richards: "Don't be silly! I expect to be able to see the sea!" Basil: "You can see the sea, it's over there between the land and the sky." Mrs Richards: "I'm not satisfied. But I shall stay. But I expect a reduction." Basil: "Why?! Because Krakatoa's not erupting at the momentt ?
Thank you for the video. BTW the CIA Security triad is Confidentiality Integrity and AVAILABILITY. It has in recent year been augmented with Non-repudiability and Authentication.
First of all: thank you! I'm dealing with encryption subject since a week and your work is far better so far. Congrats :) time 53:23 - how does the client perform the hash? time 53:57 - I'd understand using server's public key Question: public key could be used by any bad guy in between. Therefore I have twp notes: 1- the proper keys here are the 'Client session keys' 2- the only verification that matters is the answer from server at time 55:15 where the server summarises all seuqence using its private key Does it make sense to you?
Oh yes! We pick apart AES / CBC / GCM, all the good stuff. The RSA video is free on youtube, if you want to sample that one. See the link in the Description "RSA Algorithm"
Great vodeo! may i ask you one question tho: why the client and server keys are different if they use the same material which is master secret, key expension, CR, SR?
The PRF calculates "N" amount of bits. If we need two, symmetric 128 bit keys, we tell the PRF to calculate 256 bits, the first 128 are the Client's Encryption Key, and the 2nd 128 are the Server's Encryption key. Hence, same initial values (MS / Key Expansion / Cr / SR) creates multiple keys, but identical on both sides. HTH.
Greate video for me, but I would like to clarify about TLS extension. Is the extension on TLS handshake importance and how it involde in handshake? and if that extension suspicious is it harm for our connection?
Hi, what is the point of decrypting our own data using wireshark. It will be helpful if you show how to decrypt data of some other server. Game Hacker are far more ahead i guess than you guys. Salty 😅
thx mr bombal this guy also has great video he last series about ospf were great tell me thx ; the nexxt guy a wanna see if u want is jeremy it lab with it would be so great thx any way
This is a Gold mine!! I have been trying to find this explanation for quite sometime. Awesomely explained and i love the passion Ed. So the first thing i do support Ed by subscribing to his course and ensuring the knowledge stays with me in my repo. Thank you both of you!! Keep up the good work Ed and David. God Bless
Can we have a video on certificate chain as i want to understand why is there a need of intermediate ca cert when we have the rest which is enough as per my understanding, i know i am wrong thus need to understand the actual use of all cert in the chain.
Error at 3:43: The core CIA principles commonly referenced in cyber security stand for: 'Confidentiality', 'Integrity', and 'Availability'. Note. A is not for 'Authentication' That been said, 'authentication' is often referred to as an extended principle along with 'non-repudiation'.
There are multiple schools of thoughts on this. I chose to use CIA as Authentication because it's possible to do Integrity without truly having Authentication. Besides, the three terms (C. I. Authentication) are each provided differently in Cryptography and by TLS/SSL, and I use those three services to frame the rest of the course as we go deeper and deeper into TLS/SSL. Either way, it's just semantics in the end. =)
My app is a server and had shared public key with the client, but even though client did not import the crt file in their trustore, connection is working...although using openssl the client can see the correct CN name of my renewed cert(client has the main root certificate)
// Wireshark pcap //
davidbombal.wiki/tlsedpcap
// Ed's TLS course //
davidbombal.wiki/edtls49
Use coupon code: "BombalTLS" to get for $49
// MENU //
00:00 ▶ Introduction
02:11 ▶ How SSL/TLS is shown in a browser
02:40 ▶ Pre-Requisites
05:15 ▶ Data Integrity/Hashing
06:27 ▶ Potential Problems with Hashing/man in-the-middle attack
07:32 ▶ Message Authentication Code
10:09 ▶ Prerequisites continued
11:51 ▶ Symmetric Encryption
12:45 ▶ Asymmetric Encryption
17:00 ▶ Private and Public Keys
20:05 ▶ Signatures
21:55 ▶ Protocols
22:50 ▶ SSL/TLS Handshake, Client Hello and Server Hello
28:35 ▶ Client Hello and Server Hello in Wireshark
34:09 ▶ Certificate
35:12 ▶ Server Done
35:35 ▶ Server Hello, Certificate, Server Hello Done in Wireshark
36:51 ▶ Client Key Exchange
50:26 ▶ Client Key Exchange in Wireshark
51:39 ▶ Client Change Cipher Spec and Finished/Encrypted Verification
54:08 ▶ Server Change Cipher Spec and Finished/Encrypted
56:10 ▶ SSL/TLS Handshake in Wireshark
57:44 ▶ Decrypting a PreMaster Key with a Private Key in Wireshark
1:03:15 ▶ Where to get in contact with Ed to learn more
// David's SOCIAL //
Discord: discord.com/invite/usKSyzb
Twitter: twitter.com/davidbombal
Instagram: instagram.com/davidbombal
LinkedIn: www.linkedin.com/in/davidbombal
Facebook: facebook.com/davidbombal.co
TikTok: tiktok.com/@davidbombal
TH-cam: th-cam.com/users/davidbombal
// Ed's SOCIAL //
Twitter: twitter.com/ed_pracnet
TH-cam: th-cam.com/channels/KmU-GKiukM8LYjkJFb8oBQ.html
// Ed's TLS course //
davidbombal.wiki/edtls49
Use coupon code: "BombalTLS" to get for $49
// More detail on Ed's TH-cam channel and website //
Asymmetric Encryption explained from a Practical Perspective:
www.practicalnetworking.net/practical-tls/rsa-diffie-hellman-dsa-asymmetric-cryptography-explained/
RSA Algorithm:
th-cam.com/video/Pq8gNbvfaoM/w-d-xo.html
DH Algorithm:
th-cam.com/video/KXq065YrpiU/w-d-xo.html
Practical TLS - Crypto & SSL/TLS foundation:
th-cam.com/play/PLIFyRwBY_4bTwRX__Zn4-letrtpSj1mzY.html
// MY STUFF //
www.amazon.com/shop/davidbombal
// SPONSORS //
Interested in sponsoring my videos? Reach out to my team here: sponsors@davidbombal.com
Please note that links listed may be affiliate links and provide me with a small percentage/kickback should you use them to purchase any of the items listed or recommended. Thank you for supporting me and this channel!
OMG! After 25 years I finally got my head around how those handshakes work and how security is done. Thank you very much, gentlemen!
David! It was a ton of fun doing this video with you! Thanks for the opportunity! I love sharing some of the wonders of the SSL and TLS protocols =). Cheers!
CIA triad is about confidentiality integrity and availablity.
Not authentication
@ some where around in video at 3 to 4 min u mentioned it incorrectly..
@@dhirajverma8600 Some people put "authentication" in "Integrity". Some people list it as it's own service (as I did). This was intentional because achieving all three requires separate processes, which I use to frame the rest of my course picking apart TLS/SSL (that is in fact where these slides are from, is my TLS course).
Thank you so much for sharing your knowledge with all of us Ed!
Heading over to your channel 😀
@@israel-ie4vp
Awesome to see Ed on your channel, he is without any doubt one of the best networking teachers I came accross. Especially him and Jeremy helped me a lot in passing my CCNA - actually just today!
Great video David and Ed! I would like to dig deeper on:
1. The client key exchange (the inner aspects of it)
2. Certificates
Thanks for the video! Keep on posting more content.
Certificates would be fun to pick apart =)
Amazing , I dont think so anyone can explain TLS with this much detail and in such a simple and crisp way. Love your work David and Ed. I never comment of videos but this one has made me to to comment and follow both of you!!!
Glad you enjoyed this, Kamal. Cheers !
Two masters of the game right here. Ed's channel is absolutely superb. TLS, OSPF, NAT etc can be
quite complicated but he makes it so easy to absorb without leaving any stone unturned. Can't reccomend it enough. Been waiting for this collab. Cheers both 👍
By far the best video on TLS ive ever seen. Amazing.
The best explanation I have ever come across about TLS. Thank you
I'm only 31 minutes in but this is the one video that finally made me feel comfortable with what's going on with certs!
Crystal crisp explanations, just like Chris Greer. Really enjoying this videos of yours David!!! To continue further with Ed, perhaps DH overview and what are common issues with ssl where things might get wrong...Cheers!!!
Spectacular video. I will probably sign up for Ed's online SSL/TLS course.
Thank you both.
Hey David. please call Ed for an ipsec deep dive ... There are lots stuff available but nothing comes close to what you guys (DAVID, CHRIS, ED) deliver. Thanks for sharing your amazing knowledge Ed.
Once again Mr David thanks so much. congratulations for hitting 900k followers. you have helped a lot of people. we really appreciate
Thank you so much for taking up this and making it so simple. I know it is not that straightforward but the concept explained is the best way possible. Not sure if anyone could have explained it better than you did..
Thank you for the kind words, Roshan. Glad you enjoyed it.
Awesome stuff, enjoyed lot, looking forward to see how Pre-Master secret shared with DH, Thank you both!!
Excellent topic and very very detailed explained I will also need to watch this whole video in sections there is so much good information on it that Ed needed to explain quickly I imagine because of the time constraints. We definitely need to have him back with a series of videos instead. Thank you again, Ed is in my opinion one of the smartest ones I have seen on your list of guests and you have had very brilliant engineers on your channel Neil and John Hammond, WireShark Chris, and now Ed for TLS and other network topics explained the right way.
THIS PRESENTATION IS LEGENDARY MATE
This is practical networking. I subscribed his channel. Coz his explanations & teaching methods are such an amazing. Sorry david, your skills are best but this guy is even better.
Love the Office references and the cartoon representation of Pam and Jim!
Bye-bye Bob and Alice
When I teach this live I explain the messages sent by Pam and Jim as actually messages from the show. Tends to amuse the students.... and the instructor ;)
I am a subscriber of Ed paid course on tls ...He is just awesome trainer ! i am a big fan of jeremy it lab as well
This is awesome. I would love a deeper dive into this, as deep as it can get. I will check out his channel to find more but please consider another video with him, thanks 🖤
We're doing a video soon on Certificates =)
Hi David sir ! Nice to meet you again with a good video #bombal
Great video. I would be interested in a follow up where you could cover a pfs (perfect forwarding secret) configuration. In the example above, you can decrypt everything if you manage to get hold of the private key later on. With a pfs (TLS 1.3) configuration this should not be possible. Would be great to see an ephemeral key exchange in detail.
You're asking great questions! All of that is covered in the full course. Consider checking it out =)
Many thanks for this demo ❣
Do more videos with Ed😅😅This was informative😊
Simple and clear, really Nice again
Glad you enjoyed it, Edouard!
@@PracticalNetworking I buy your course, and start it yesterday night :)
@@edouardmalot51 Welcome to the party =).
Every time I listen to Ed, (almost daily), I mostly just feel dumber. Dude is tooo smart.
Exceptional. Any chance you could do a follow up on TLS 1.3?
Brilliant material
Mind blowing that this all happens withn a second! 🤯
This is great. Loving this
God dam bro you always found great peaople to your show
Ed is awesome!!
I'm a year late but thanks!! I managed to solve an issue with our office printer. Captured the packets and noticed the printer was opting to use TLS 1.0 when attempting to log into its web interface which is no longer supported by most browsers.
Gold. Although the climax was inceptive. 😁
Thank you so much all of you two, i really enjoy the course here.
I just don't know yet if i join the course and pay for the each course and complete them, will i get certificate or what? Because the no need to be in endless loans and credits for colleges or universities
great video
More on CBC please
awesome and pretty cool
Great information from Ed on the TLS handshake! Sub'd. I ran wireshark and connected to a few websites. I'm not sure why but my wireshark does not show the certficate information in the Server Hello. The Server Hello also has Change Cipher Spec and sometimes Application Data as well. Any ideas why I don't see the Certificate information?
This is gold
U r the best!!!
Thank you Mohamed!
good video!
Thanks you so😅😅
❤ You are amazing dud
Thank you
David this type of content is amazing. I am loving these deep dives you are doing with other SMEs. This content is extremely helpful and I greatly appreciate you working out offer code deals to get content from the SMEs at a discount. Just purchased Ed’s TLS course and Chris’ wireshark course. Super excited to go through both of them! Keep these deep dives coming, the real world examples and the heavy usage of wireshark packet captures to demonstrate what is actually happening is VERY helpful. There are lots of resources online and offline with all the basics, I appreciate you diving into how things really work so we can get a better foundation to design and troubleshoot from. Keep this up, I’m looking forward to more protocols and more deep dives!
Cheers, Kyle. Happy to do more of these =)
Great to see this collaboration with Ed, been following his channel for a while now. He has a very good, natural, delivery style and hits all the detail without cluttering it up with unnecessary info. Fair play David for throwing some exposure his way.👏👏
Hi Frack =). Thanks for the kind words. It was loads of fun to do the collab with David !
@@PracticalNetworking Great explanation
Nicely done, David and Ed! I wish I can force most IT pros to review this video... very useful explainer!
Thank you Wesley! Much appreciated!
Agreed =). Glad you enjoyed it, Wesley!
I I’m an IT tec programmer and already know this , however I watched it whole it’s informative and simplified with real world examples , I do use my own encryption tho!
“You can’t make the whole world be helpful like these guys !”
most of us are lazy.
I searched topics and found him XD
thank you so much for the quality I've never missed these long version video
Thank you!
Hello. Great video and great way of explaining this concept. I have question, am i right if i say that https request for web page is sent after client and server establish session keys?
Wow... I'm simply blown away with this content---between this and Chris Greer, I am learning so much about how networking works---beyond what I've learned in my career in the support trenches.
I'm going to have to watch this one again--equipped with a notebook, and then go hit the site and buy the full course to expand that knownledge. Thanks for doing this, both yourself and Ed Harmoush!
You're welcome Dwayne!
David and Ed are both gold mines of knowledge. Absolutely awesome knowledge sharing on this video, will be rewatching again for deeper knowledge. Loved it
Glad you enjoyed the video Sourav!
Cheers, Sourav!
Disagree, they are decrypting their own data using private key. 😂 . If they can tell how to get private key of another server then I agree wid you.
Observation. C-I-A, commonly referred to as “A-I-C” instead (so as not to be confused with the US 3 letter agency), stands for Confidentiality-Integrity-“Availability”-not “Authentication”.
That is according to CompTIA, but what do I care? I think the IT world has gotten pretty superfluous with their catchy chaining of terms and abundant security-centric phrases to describe stuff.
so for the two communication to happen, server also need to have the clients public key correct, so when is that exchange happens if the client dont send any certificate from its side ?
How does a client generate a list of *Cipher Suites* that it supports? I'm assuming client PCs have a specific list of cipher suites pre-installed on them. Is that right?
Also, when creating a CSR for a server, one of the options for CSR is selection of *hash algorithm* (SHA256, POLY1305, etc.) and *key algorithm* (RSA, DSA, ECDH_P256, etc.). Does our selection of hash algorithm and key algorithm for a CSR *has anything to do with server's selection of a cipher suite*? or does a server also have its own preinstalled cipher suites that it can use that has nothing to do with a CSR?
Yes! Not the CSR, since that isn't sent between Client and Server. But if the Server certificate is signed using RSA keys, then RSA must be the selected authentication protocol in the cipher suite negotiated between Client & Server.
I actually having problem with this using Windows Server 2012 R2.
The client server requires strong cipher suites with latest protocols like TLSv1.2 and TLSv1.3 GCMs not CBC.
I did all the things i need to do to isolate the problem like forcing my application to use TLSv1.2 and TLSv1.2.
But before that I don't have any idea whats going on behind the request of my application to the clients API.
Then a friend of mine send me this link, he told me that maybe this will help me in my problem.
After watching this I finally understand how TLS handshake works. exchanging information of client and server specially wireshark. I was able to check what list of cipher suites my server is offering to the client server.
And by then I was able to identify my problem that Windows Server 2012 R2 does not support the Cipher Suites Required by the client server.
Thank you for this wonderful or superb session! :)
BTW I'm a software engineer trying hard to be a devops/sysad haha
Glad you enjoyed it and it helped you solve a problem you were experiencing =)
this is brilliant! learnt a lot today!
Thanks for providing a detailed end2end packet exchange that happens for establishing secure sessions over tls.
Just googled a little and found that, chain of ca certs already maintained at browser. Why do server need to send chain of certificates if client (browser) has chain. Just Google's public certificate would be enough in response to client hello. I will dig deep and get back.
Browsers are meant to only have the "Root" certificates (top of the chain). Some go the extra step and have the next level down Certificates. Which means a site that only sends a Certificate (and not the full chain) will work on _those_ browsers... but not on other browsers or devices that don't do the same. Therefore, it's generally recommended that every site sends the full chain, regardless of what software the client is using.
Thank's for this david,nice video 🔥🔥,keep going
Would I be correct in understanding that integrity and authenticity are two sides of the same coin: the former protects against tampering by an *unintelligent* adversary (bit flip, lightning strike, script kiddie ignorant of hashing, etc.) while the latter protects against tampering by an *intelligent* adversary?
So... while I agree with you bit flipping is much easier than spoofing authentication, I don't know necessarily if I can consider them two aspects of the same coin. You can attain Integrity without Authentication. I'd recommend this video (the 2nd part in particular), it will help clarify:
th-cam.com/video/aCDgFH1i2B0/w-d-xo.html
@38:00 anyone can send me google certificate and pretend to be Google then how I will verify that? that certificate must have issued by some CA and i trust that CA and when i will get that certificate and when i will verify that by running hash and decryption and if the value matches then I'm connected to a rouge google server.
Every time you visit Google, Google gives you their certificate. But once you have their certificate, you can then give it to someone else and claim to be the real Google. BUT, there is something the browser does to verify that whoever sent a Certificate is the true owner of the Certificate. That is one of the functions of the "Client Key Exchange" message. It effectively comes down to making sure whoever gives you the Certificate also has the Private Key correlating to the Public Key in the cert. Hope this helps! Check out the full course for more details.
A gift from Network Gurus !, Amazing.
Ed has so much of knowledge, that i can see , from all that i can say that
dialog
If I know even half of what you know, my little mind will explode
Great Video Ed. Thanks David and Ed. With your example of alphabet encryption using 5 and 21, I guess one of these should be public and another one is private. You are correct that its a magic to decrypt the word (encrypted using 5) using 21. But the point to note here is the encrypted word can be decrypted using both 5 and 21. if we assume 5 as a public key and 21 as private key, when server sends 5 (public key) to the client, the hacker can get this 5. Later when the client encrypt the word using 5, the server will use 21 to decrypt (the magic thing) it while the hacker can still encrypt the same word using 5 which he got it previously. can you please explain this logic in a simple way. I guess something is missed here.May be the alphabet example is not well suit for explaining the private and public key. Or I might have understood it in a wrong way. On the other hand, the reminder example is good like when we divide the number 12 by 5, the reminder is 2. And we can take 5,2 as public key and 12 as private key. When the hacker gets the pair 5,2, it will be difficult for getting the number 12 because we have bunch of numbers like 7, 17, 22,...etc will leave the reminder 2 when divided by 5. But the question is how the client can encrypt anything using 5,2 in such a way that it can only be decrypted by the number 12. Can you explain it with any simple example?
This is great content, but can we also see the DH key exchange used for perfect forward secrecy?
That's done in the full course =). Maybe it could be a subject of another Collaboration w/ David though. Who knows.
That's my TLS teacher! 😂 Go Ed !
I keep hearing everyone has the public key… How? How did they get it? Where is it stored?
Hi Chris. It's in the Public Certificate. More details about what is inside a Certificate and how to View the contents of a certificate here: th-cam.com/video/om9-9BCZr5M/w-d-xo.html
Looks deep enough on my end. Happy to see the references to the individual Request for Comments (RFCs) in Ed's slides.
Thank you Raymond!
=) This was only scratching the surface! ;)
Thank you for this enjoyable.
This was absolutely awesome, I was not able to understand a lot of it, but what I did, was awesome.
Hey bro can you help me to decrypt my handshake plz I have tried almost all the thing like aircrack all kali linux wordlist, guthub, crackstation, hashcat, hashcat rules and also brutforce attack a entire weak on Google cloud
Now it's the about the 7th or more round to watch this and I think I have really decrypted the idea on this !!! Many thanks David and Ed. Keep the deep dive coming.
Nice video 🔥🔥 btw I am following you from a long time and your videos are very informative . Keep going 🔥☺️
If you followed him a long time, you should have seen the videos he interviewed quite a few speakers on how to start Cyber Security. Dig it in
Thank you
@@tristix3721 Oki bro
I had a job interview the other day and they I asked me about this SSL/TLS and I couldn't answer properly, this is very helpfull to know and very important info for any network engineer nowdays that security is very important.
Mrs Richards: "I paid for a room with a view!"
Basil: (pointing to the lovely view) "That is Torquay, Madam."
Mrs Richards: "It's not good enough!"
Basil: "May I ask what you were expecting to see out of a Torquay hotel bedroom window? Sydney Opera House, perhaps? the Hanging Gardens of Babylon? Herds of wildebeest sweeping majestically past?..."
Mrs Richards: "Don't be silly! I expect to be able to see the sea!"
Basil: "You can see the sea, it's over there between the land and the sky."
Mrs Richards: "I'm not satisfied. But I shall stay. But I expect a reduction."
Basil: "Why?! Because Krakatoa's not erupting at the momentt ?
what to do if your client hello and server hello messages are encrypted?
How are they encrypted?
Thank you for the video. BTW the CIA Security triad is Confidentiality Integrity and AVAILABILITY. It has in recent year been augmented with Non-repudiability and Authentication.
The content is so good! I learned so much!! Absolutely appreciate the efforts made to come up with this Technical Deep Dive video
First of all: thank you! I'm dealing with encryption subject since a week and your work is far better so far. Congrats :)
time 53:23 - how does the client perform the hash?
time 53:57 - I'd understand using server's public key
Question: public key could be used by any bad guy in between. Therefore I have twp notes:
1- the proper keys here are the 'Client session keys'
2- the only verification that matters is the answer from server at time 55:15 where the server summarises all seuqence using its private key
Does it make sense to you?
Commendable efforts. Greatly elucidated. Excellent work. Excellent dissemination. Bow down to the knowledge and to the ability to express effectively.
HI thanks for this perfect video. Could you please upload the WIRESHARK PCAP file again? it is no longer available . thanks!
of course we will be glad if you provide details about cbc, rsa and aes
Oh yes! We pick apart AES / CBC / GCM, all the good stuff. The RSA video is free on youtube, if you want to sample that one. See the link in the Description "RSA Algorithm"
That was the best tutorial on SSL I've seen. Ed is a fantastic layman's terms teacher. I'll definitely be taking up the coupon and doing the course.
I feel slightly bad, cause you're giving us such EPIC information and education here!
Thanks alot for those deep dive
it's nice how informative this video is and with minimum amount of advertisement. this is what any video hosting should look like)).
I can't make It because of diffie-hellman! How can i decrypt having server's private Key and diffie-hellman instead of RSA?
Great vodeo! may i ask you one question tho: why the client and server keys are different if they use the same material which is master secret, key expension, CR, SR?
The PRF calculates "N" amount of bits. If we need two, symmetric 128 bit keys, we tell the PRF to calculate 256 bits, the first 128 are the Client's Encryption Key, and the 2nd 128 are the Server's Encryption key. Hence, same initial values (MS / Key Expansion / Cr / SR) creates multiple keys, but identical on both sides. HTH.
@@PracticalNetworking thank you very much! interesting!
@@MrTheAlexy You're welcome =)
Greate video for me, but I would like to clarify about TLS extension. Is the extension on TLS handshake importance and how it involde in handshake? and if that extension suspicious is it harm for our connection?
Hi, what is the point of decrypting our own data using wireshark. It will be helpful if you show how to decrypt data of some other server. Game Hacker are far more ahead i guess than you guys. Salty 😅
thx mr bombal this guy also has great video he last series about ospf were great tell me thx ; the nexxt guy a wanna see if u want is jeremy it lab with it would be so great thx any way
Great suggestion Majid!
Glad you enjoyed the OSPF content too =)
This is a Gold mine!! I have been trying to find this explanation for quite sometime. Awesomely explained and i love the passion Ed. So the first thing i do support Ed by subscribing to his course and ensuring the knowledge stays with me in my repo. Thank you both of you!! Keep up the good work Ed and David. God Bless
Cheers Avinash. Kind of you to say! Glad you enjoyed the course.
Can we have a video on certificate chain as i want to understand why is there a need of intermediate ca cert when we have the rest which is enough as per my understanding, i know i am wrong thus need to understand the actual use of all cert in the chain.
That is covered in the full course =). Consider checking it out.
@@PracticalNetworking can we get a direct link to it ?
It is great to meet ed, It has been always to complicated topics when I was in school. Loved it !!
Thank You Very Much Sir... This is the Best Video with full tutorial...❤️❤️❤️
Error at 3:43: The core CIA principles commonly referenced in cyber security stand for: 'Confidentiality', 'Integrity', and 'Availability'.
Note. A is not for 'Authentication'
That been said, 'authentication' is often referred to as an extended principle along with 'non-repudiation'.
There are multiple schools of thoughts on this. I chose to use CIA as Authentication because it's possible to do Integrity without truly having Authentication.
Besides, the three terms (C. I. Authentication) are each provided differently in Cryptography and by TLS/SSL, and I use those three services to frame the rest of the course as we go deeper and deeper into TLS/SSL.
Either way, it's just semantics in the end. =)
@@PracticalNetworking I appreciate the video however as much as it gets disregarded, I feel as if it should be the AIC triangle "A" for Availability
@@richardwarren2556 Glad you enjoyed the video, Richard. If this is the only critique in an hour long video, I'm still happy with the result =).
I used Ed's Subnetting and ACL videos when I was prepping for my CCNA. They were excellent and would highly recommend.
Thanks Jamie. Glad they helped you =)
Loved this TLS Handshake. I've been learning about https and tls for a while.
My app is a server and had shared public key with the client, but even though client did not import the crt file in their trustore, connection is working...although using openssl the client can see the correct CN name of my renewed cert(client has the main root certificate)
Awesome! Awesome! Awesome! Content!!! One of the best and easy to follow explanations of this subject I’ve seen! Thanks David and Ed!
You're welcome, Chris! Glad you enjoyed it!