Computer security

Questions on how we spend our money and our time - consumer goods and services, home and vehicle, leisure and recreational activities
User avatar
BolderBoy
Posts: 4547
Joined: Wed Apr 07, 2010 12:16 pm
Location: Colorado

Re: Computer security

Post by BolderBoy » Fri Mar 22, 2019 11:16 pm

BYUvol wrote:
Thu Mar 21, 2019 8:53 pm
... but I will say that TLS relies on asymmetric encryption which is fundamentally different than the symmetric encryption that performs the bulk of the tunneling encryption in VPNs...
I think this is misleading.

The objective of the entire TLS handshake is to ultimately agree on a single-use, disposable, symmetric key with which all the traffic that follows is encrypted.

It works like this (simplified): browser contacts https:// server and the server provides its signed certificate and the ciphers it is willing to support. This is all happening using the PKI and [hopefully] perfect forward secrecy (elliptic curves). The browser checks its certificate store to make sure the server's certificate was signed by a trusted root CA or intermediary and chooses one of the ciphers offered by the https:// server. At that point things are asymmetrical (hence the necessity for 2048 bit or stronger keys) but now they transition to using an agreed upon single-use, disposable, symmetric key (at least 128 bit and preferably 256 bit key strength) for the rest of the session.

Nothing magical about it. It is really quite elegant (and very fast) to watch the process in action.

If a VPN is involved, the process is like that above - the initial setup (VPN client -> VPN server) is done asymmetrically and quickly shifts to a single-use, disposable, symmetric key for the rest of the connection.

Another poster mentioned that password salting has been the industry standard for 20 years. The latest, "strong" suggestion is to use password salting, peppering, stretching & hashing. Using that technique with, for example, a 20+ character, complex password it is theorized that all the combined supercomputer power on earth couldn't break the pw during the lifetime of the universe. And rainbow tables are useless.

(I'm not an expert but I read a lot)
"Never underestimate one's capacity to overestimate one's abilities" - The Dunning-Kruger Effect

HawkeyePierce
Posts: 871
Joined: Tue Mar 05, 2019 10:29 pm
Location: Colorado

Re: Computer security

Post by HawkeyePierce » Sat Mar 23, 2019 12:07 am

1. Don’t reuse passwords

2. Use two factor authentication on your email account and financial accounts

3. Don’t click on links in emails

4. Install your software updates

That will get an average person 99% of the way to safe. Public WiFi really isn’t that dangerous: you can visit vanguard.com at Starbucks without worrying.

bryanm
Posts: 228
Joined: Mon Aug 13, 2018 3:48 pm

Re: Computer security

Post by bryanm » Sat Mar 23, 2019 9:54 am

BolderBoy wrote:
Fri Mar 22, 2019 11:16 pm
The objective of the entire TLS handshake is to ultimately agree on a single-use, disposable, symmetric key with which all the traffic that follows is encrypted.
...
If a VPN is involved, the process is [similar] - the initial setup (VPN client -> VPN server) is done asymmetrically and quickly shifts to a single-use, disposable, symmetric key for the rest of the connection.
You're correct, but I think there are those in this thread that we will never convince. I've decided there is no need to prolong the discussion as overwhelm the non-technical folks. (I will say that VPN's can be configured to use pre-shared keys, avoiding the need for an asymmetric handshake. So in that sense they avoid downgrade attacks and the like. But so long as your machine isn't already compromised, you visit a site directly, you look for "the lock", and you take heed of warnings your browser gives you (e.g., "proper use" of the internet), you'll be fine.)

Post Reply