WEBVTT

1
00:00:00.000 --> 00:00:01.120
In this lesson,

2
00:00:01.120 --> 00:00:04.474
we will learn about Cryptographic Issues.

3
00:00:04.474 --> 00:00:08.156
Cryptographic issues are problems related

4
00:00:08.156 --> 00:00:09.323
to the implementation

5
00:00:09.323 --> 00:00:13.442
and functioning of encryption protocols that secure data.

6
00:00:13.442 --> 00:00:15.750
Cryptographic issues include

7
00:00:15.750 --> 00:00:18.480
transport layer security errors,

8
00:00:18.480 --> 00:00:20.070
cipher mismatches

9
00:00:20.070 --> 00:00:23.460
and issues with cryptographic implementation.

10
00:00:23.460 --> 00:00:27.150
Transport Layer Security or TLS errors

11
00:00:27.150 --> 00:00:30.420
occur when there are problems with the negotiation

12
00:00:30.420 --> 00:00:33.720
or establishment of a secure connection.

13
00:00:33.720 --> 00:00:36.360
Next, cipher mismatch occurs

14
00:00:36.360 --> 00:00:40.560
when the client and server cannot agree on a cipher suite

15
00:00:40.560 --> 00:00:43.320
during the TLS handshake,

16
00:00:43.320 --> 00:00:46.920
leading to a failed or insecure connection.

17
00:00:46.920 --> 00:00:51.690
Finally, issues with cryptographic implementations are flaws

18
00:00:51.690 --> 00:00:55.860
or vulnerabilities in the way cryptographic algorithms

19
00:00:55.860 --> 00:00:59.610
are applied and include weak encryption methods

20
00:00:59.610 --> 00:01:02.130
or improper key management.

21
00:01:02.130 --> 00:01:06.780
Let's learn more about TLS errors, cipher mismatch,

22
00:01:06.780 --> 00:01:10.500
and issues with cryptographic implementations.

23
00:01:10.500 --> 00:01:15.500
First, we have transport layer security or TLS errors.

24
00:01:15.960 --> 00:01:17.640
TLS errors occur

25
00:01:17.640 --> 00:01:20.670
when there are problems during the negotiation

26
00:01:20.670 --> 00:01:23.640
or establishment of a secure connection

27
00:01:23.640 --> 00:01:26.400
between a client and a server.

28
00:01:26.400 --> 00:01:29.340
One common cause of these errors

29
00:01:29.340 --> 00:01:34.140
is the use of incompatible or outdated protocol versions.

30
00:01:34.140 --> 00:01:35.490
For example,

31
00:01:35.490 --> 00:01:40.490
if a server only supports newer protocols like TLS 1.2

32
00:01:41.070 --> 00:01:43.500
or TLS 1.3,

33
00:01:43.500 --> 00:01:47.340
but the client attempts to connect using an older protocol,

34
00:01:47.340 --> 00:01:52.340
such as TLS 1.0, the handshake process may fail.

35
00:01:52.950 --> 00:01:56.640
This failure prevents the secure communication channel

36
00:01:56.640 --> 00:01:58.380
from being established,

37
00:01:58.380 --> 00:02:01.230
leaving the client unable to connect

38
00:02:01.230 --> 00:02:04.530
or forcing the server to reject the connection

39
00:02:04.530 --> 00:02:08.790
or potentially to downgrade to a less secure protocol,

40
00:02:08.790 --> 00:02:13.790
like SSL 3.0, which increases the risk of data exposure.

41
00:02:15.150 --> 00:02:19.470
TLS errors can also arise from certificate issues

42
00:02:19.470 --> 00:02:21.270
during the handshake.

43
00:02:21.270 --> 00:02:24.810
When a client and a server exchange certificates,

44
00:02:24.810 --> 00:02:28.020
problems such as expired certificates,

45
00:02:28.020 --> 00:02:32.430
invalid domain names or broken certificate trust chains

46
00:02:32.430 --> 00:02:35.070
can cause the handshake to fail.

47
00:02:35.070 --> 00:02:40.070
For example, if a server's digital certificate has expired,

48
00:02:40.170 --> 00:02:42.990
the client will not trust the connection

49
00:02:42.990 --> 00:02:45.210
and the handshake will fail.

50
00:02:45.210 --> 00:02:49.560
This type of TLS error directly affects the ability

51
00:02:49.560 --> 00:02:52.560
to establish secure communication,

52
00:02:52.560 --> 00:02:55.440
making it important to regularly update

53
00:02:55.440 --> 00:02:58.080
and monitor certificate validity

54
00:02:58.080 --> 00:03:00.960
and the overall certificate chain.

55
00:03:00.960 --> 00:03:04.410
Additionally, misconfigured certificates,

56
00:03:04.410 --> 00:03:06.870
such as when the server certificate

57
00:03:06.870 --> 00:03:10.530
does not match the domain it's being used for,

58
00:03:10.530 --> 00:03:15.530
can trigger TLS errors, disrupting secure connections.

59
00:03:15.540 --> 00:03:19.350
So, from a security professional's perspective,

60
00:03:19.350 --> 00:03:22.830
identifying and interpreting TLS errors

61
00:03:22.830 --> 00:03:27.270
is a key step in maintaining secure network operations.

62
00:03:27.270 --> 00:03:29.970
Tools like vulnerability scanners

63
00:03:29.970 --> 00:03:32.872
can help identify instances where weak

64
00:03:32.872 --> 00:03:35.888
or outdated protocols like SSL

65
00:03:35.888 --> 00:03:39.720
or TLS 1.0 are still in use,

66
00:03:39.720 --> 00:03:42.210
flagging them for remediation.

67
00:03:42.210 --> 00:03:43.680
In these cases,

68
00:03:43.680 --> 00:03:48.680
updating the protocol to a modern version such as TLS 1.2

69
00:03:48.950 --> 00:03:53.640
or TLS 1.3 can prevent handshake failures

70
00:03:53.640 --> 00:03:56.520
and ensure secure communication.

71
00:03:56.520 --> 00:04:00.900
Also, regularly reviewing and managing certificates,

72
00:04:00.900 --> 00:04:04.440
as well as ensuring protocol compatibility

73
00:04:04.440 --> 00:04:08.850
between clients and servers can prevent TLS errors

74
00:04:08.850 --> 00:04:13.850
and ensure encrypted data moves securely across the network.

75
00:04:14.040 --> 00:04:17.460
Second, we have cipher mismatch.

76
00:04:17.460 --> 00:04:20.460
A cipher mismatch specifically refers

77
00:04:20.460 --> 00:04:23.790
to the inability of the client and server

78
00:04:23.790 --> 00:04:26.400
to agree on which encryption algorithms

79
00:04:26.400 --> 00:04:29.130
or cipher suite to use.

80
00:04:29.130 --> 00:04:33.180
A cipher suite consists of multiple components,

81
00:04:33.180 --> 00:04:36.030
including the key exchange method,

82
00:04:36.030 --> 00:04:40.470
digital signature algorithm, bulk encryption algorithm

83
00:04:40.470 --> 00:04:42.180
and hashing algorithm.

84
00:04:42.180 --> 00:04:45.780
If there is no overlap in the cipher suites supported

85
00:04:45.780 --> 00:04:47.310
by both parties,

86
00:04:47.310 --> 00:04:51.780
the handshake fails and the connection cannot be secured.

87
00:04:51.780 --> 00:04:55.080
This is different from a TLS version error

88
00:04:55.080 --> 00:04:57.480
where the client and server may disagree

89
00:04:57.480 --> 00:04:59.613
on the protocol version such as

90
00:04:59.613 --> 00:05:03.540
TLS 1.2 versus TLS 1.0.

91
00:05:03.540 --> 00:05:05.910
In the case of a cipher mismatch,

92
00:05:05.910 --> 00:05:08.520
the protocol may be agreed upon,

93
00:05:08.520 --> 00:05:12.300
but the actual algorithms for securing the connection

94
00:05:12.300 --> 00:05:14.130
are incompatible.

95
00:05:14.130 --> 00:05:15.360
For example,

96
00:05:15.360 --> 00:05:18.480
if a server supports strong cipher suites,

97
00:05:18.480 --> 00:05:23.133
like ECDHE-RSA-AES128-GCM-SHA256,

98
00:05:27.060 --> 00:05:30.480
but the client only supports weaker options,

99
00:05:30.480 --> 00:05:34.470
such as DES-CBC3-SHA,

100
00:05:34.470 --> 00:05:39.180
the two will not be able to establish a secure connection.

101
00:05:39.180 --> 00:05:42.270
This mismatch can result in an error message,

102
00:05:42.270 --> 00:05:46.350
such as SSL version or cipher mismatch,

103
00:05:46.350 --> 00:05:49.890
forcing the server to deny the connection

104
00:05:49.890 --> 00:05:53.850
or, worse, fall back to an insecure protocol

105
00:05:53.850 --> 00:05:55.470
or weak cipher.

106
00:05:55.470 --> 00:06:00.060
Cipher mismatch errors can also occur if an outdated browser

107
00:06:00.060 --> 00:06:02.250
or server is not updated

108
00:06:02.250 --> 00:06:05.130
to support secure encryption methods.

109
00:06:05.130 --> 00:06:06.750
To avoid this,

110
00:06:06.750 --> 00:06:10.800
servers should be configured to reject obsolete ciphers,

111
00:06:10.800 --> 00:06:15.330
like the triple data encryption standard or 3DES

112
00:06:15.330 --> 00:06:18.810
and Rivest Cipher Four or RC4,

113
00:06:18.810 --> 00:06:23.810
ensuring that only newer, more secure cipher suites are used.

114
00:06:23.970 --> 00:06:27.870
So, security teams must regularly review

115
00:06:27.870 --> 00:06:31.050
the cipher suites supported by their systems

116
00:06:31.050 --> 00:06:34.830
to ensure they remain up to date and secure.

117
00:06:34.830 --> 00:06:37.320
This includes configuring servers

118
00:06:37.320 --> 00:06:41.190
to prioritize the use of strong encryption methods,

119
00:06:41.190 --> 00:06:44.970
like AES with the Galois Counter Mode,

120
00:06:44.970 --> 00:06:48.660
and disabling the use of outdated ciphers.

121
00:06:48.660 --> 00:06:52.830
By doing this, security teams can minimize the risk

122
00:06:52.830 --> 00:06:54.690
of cipher mismatches

123
00:06:54.690 --> 00:06:57.420
and maintain a high level of security

124
00:06:57.420 --> 00:07:00.000
during encrypted communications.

125
00:07:00.000 --> 00:07:03.810
Additionally, implementing regular updates and scanning

126
00:07:03.810 --> 00:07:07.681
for weak ciphers helps identify potential risks

127
00:07:07.681 --> 00:07:10.020
and reduce vulnerabilities

128
00:07:10.020 --> 00:07:13.650
from outdated cryptographic configurations.

129
00:07:13.650 --> 00:07:15.510
Third and last,

130
00:07:15.510 --> 00:07:19.575
we have issues with cryptographic implementations.

131
00:07:19.575 --> 00:07:23.610
Issues with cryptographic implementations arise

132
00:07:23.610 --> 00:07:25.500
when encryption algorithms,

133
00:07:25.500 --> 00:07:30.330
even if they are strong in theory, are applied incorrectly.

134
00:07:30.330 --> 00:07:34.530
These implementation errors can lead to vulnerabilities

135
00:07:34.530 --> 00:07:38.250
that compromise the security of a system.

136
00:07:38.250 --> 00:07:42.300
One common problem in cryptographic implementation

137
00:07:42.300 --> 00:07:46.830
is the use of weak or improper key management practices.

138
00:07:46.830 --> 00:07:48.090
For example,

139
00:07:48.090 --> 00:07:51.270
if a server uses the advanced encryption standard

140
00:07:51.270 --> 00:07:53.310
or AES algorithm

141
00:07:53.310 --> 00:07:57.300
but relies on static encryption keys that never change,

142
00:07:57.300 --> 00:08:01.920
it becomes easier for attackers to guess or crack that key.

143
00:08:01.920 --> 00:08:03.990
So, proper key rotation

144
00:08:03.990 --> 00:08:07.320
and generation of strong random keys

145
00:08:07.320 --> 00:08:10.080
helps maintain encryption strength.

146
00:08:10.080 --> 00:08:13.260
Another cryptographic implementation issue

147
00:08:13.260 --> 00:08:17.280
involves the incorrect use of cryptographic libraries

148
00:08:17.280 --> 00:08:18.870
or protocols.

149
00:08:18.870 --> 00:08:22.230
Even if a secure cipher suite is chosen,

150
00:08:22.230 --> 00:08:26.897
such as ECDHE-RSA-AES256-GCM-SHA384,

151
00:08:31.470 --> 00:08:35.820
improper configuration of the ephemeral key exchange

152
00:08:35.820 --> 00:08:38.220
can leave the system vulnerable.

153
00:08:38.220 --> 00:08:40.890
The ephemeral key exchange ensures that

154
00:08:40.890 --> 00:08:44.850
each symmetric session key is unique and short-lived,

155
00:08:44.850 --> 00:08:48.510
providing forward secrecy by preventing attackers

156
00:08:48.510 --> 00:08:50.880
from decrypting past sessions,

157
00:08:50.880 --> 00:08:54.660
even if they compromise misconfiguring this process

158
00:08:54.660 --> 00:08:58.650
by failing to generate fresh keys for each session

159
00:08:58.650 --> 00:09:01.830
can allow attackers to exploit this weakness

160
00:09:01.830 --> 00:09:04.080
and break the encryption.

161
00:09:04.080 --> 00:09:05.220
Additionally,

162
00:09:05.220 --> 00:09:10.220
the use of outdated or deprecated algorithms like MD5

163
00:09:10.320 --> 00:09:14.790
for hashing exposes systems to collision attacks,

164
00:09:14.790 --> 00:09:18.420
where attackers can generate two different inputs

165
00:09:18.420 --> 00:09:20.550
with the same hash value,

166
00:09:20.550 --> 00:09:24.180
enabling them to manipulate data undetected.

167
00:09:24.180 --> 00:09:28.590
So, to prevent cryptographic implementation issues,

168
00:09:28.590 --> 00:09:31.800
security teams should conduct regular audits

169
00:09:31.800 --> 00:09:36.420
of their encryption practices and system configurations.

170
00:09:36.420 --> 00:09:40.680
This includes verifying that strong encryption algorithms,

171
00:09:40.680 --> 00:09:44.100
like AES and strong hashing functions,

172
00:09:44.100 --> 00:09:47.850
like SHA256, are properly implemented,

173
00:09:47.850 --> 00:09:51.300
and that deprecated algorithms like MD5

174
00:09:51.300 --> 00:09:53.460
are removed from use.

175
00:09:53.460 --> 00:09:56.610
Additionally, proper key management techniques

176
00:09:56.610 --> 00:10:00.600
should be used, such as generating unique session keys

177
00:10:00.600 --> 00:10:02.070
for each connection,

178
00:10:02.070 --> 00:10:06.510
securely storing keys and regularly rotating them.

179
00:10:06.510 --> 00:10:09.120
Addressing these technical details

180
00:10:09.120 --> 00:10:12.960
helps ensure that encryption functions as intended,

181
00:10:12.960 --> 00:10:16.950
protecting sensitive data from unauthorized access

182
00:10:16.950 --> 00:10:20.370
and maintaining the integrity of communications.

183
00:10:20.370 --> 00:10:25.370
So remember, cryptographic issues refer to vulnerabilities

184
00:10:26.100 --> 00:10:29.910
in the way encryption is applied to secure data

185
00:10:29.910 --> 00:10:31.830
and communications.

186
00:10:31.830 --> 00:10:36.830
These issues include transport layer security or TLS errors,

187
00:10:37.230 --> 00:10:38.910
cipher mismatches

188
00:10:38.910 --> 00:10:42.540
and problems with cryptographic implementations.

189
00:10:42.540 --> 00:10:46.890
TLS errors occur when there is a failure to negotiate

190
00:10:46.890 --> 00:10:49.680
or establish a secure connection,

191
00:10:49.680 --> 00:10:52.830
often due to outdated protocol versions

192
00:10:52.830 --> 00:10:54.960
or certificate issues.

193
00:10:54.960 --> 00:10:59.100
Next, cipher mismatches happen when a client and server

194
00:10:59.100 --> 00:11:03.090
cannot agree on a common encryption method

195
00:11:03.090 --> 00:11:06.690
during the TLS handshake, leading to failed

196
00:11:06.690 --> 00:11:09.120
or insecure connections.

197
00:11:09.120 --> 00:11:13.500
Finally, cryptographic implementation issues arise

198
00:11:13.500 --> 00:11:16.530
from misapplied encryption techniques,

199
00:11:16.530 --> 00:11:18.870
such as weak key management

200
00:11:18.870 --> 00:11:21.750
or the use of deprecated algorithms,

201
00:11:21.750 --> 00:11:25.560
which can lead to significant security vulnerabilities,

202
00:11:25.560 --> 00:11:27.540
such as data breaches,

203
00:11:27.540 --> 00:11:31.503
unauthorized access or on-path attacks.

