TLS 1.3

  • SalesServiceGuy

    TLS 1.3

    I have recently been receiving increased requests for TLS 1.3 Encryption for scan to email vs TLS 1.2 that we have been using for many years.

    I suspect this has something to do with increased demands from Managed Service providers increasing client email security.

    I do not think TLS 1.3 vs TLS 1.2 protects the client any more against ransomware or phishing attacks.

    I suspect this uses more copier resources to accommodate the increased encryption demands.
  • copier tech

    #2
    Re: TLS 1.3

    Originally posted by SalesServiceGuy
    I have recently been receiving increased requests for TLS 1.3 Encryption for scan to email vs TLS 1.2 that we have been using for many years.

    I suspect this has something to do with increased demands from Managed Service providers increasing client email security.

    I do not think TLS 1.3 vs TLS 1.2 protects the client any more against ransomware or phishing attacks.

    I suspect this must use more copier resources to accommodate the increased encryption demands.
    It is always good practice to have the highest level of security whenever possible.

    You most likely heard about the SMB v1.0 vulnerability & WannaCry.

    For most models no older than 3 years, all that is required is a firmware update.

    Let us eat, drink, and be merry, because tomorrow we may die!

    For all your firmware & service manual needs please visit us at:

    www.copierfirmware.co.uk - www.printerfirmware.co.uk


    • SalesServiceGuy

      #3
      Re: TLS 1.3

      Originally posted by copier tech
      It is always good practice to have the highest level of security whenever possible.

      You most likely heard about the SMB v1.0 vulnerability & WannaCry.

      For most models no older than 3 years, all that is required is a firmware update.

      Is not SMB 1.0 more about scan to network folder? TLS 1.3 seems to be about everyday email security.

      WannaCry was more about a Windows operating system vulnerability exploited by an unwitting employee clicking on a specific dangerous email.

      I find that Managed Service Providers often demand the highest form of security without first checking if a customer's devices can support it.

      This can be good/bad because it does force some customers to upgrade their equipment at unexpected expense or change copier vendors to one that can support the MSP's demands.

      I am curious which copier/printer vendors can support TLS 1.3?


      • BillyCarpenter

        #4
        Re: TLS 1.3

        Originally posted by SalesServiceGuy
        Is not SMB 1.0 more about scan to network folder? TLS 1.3 seems to be about email security.
        That's correct, but I think he was making a general point about how it's best practice to use the latest security protocol, no matter what that is.
        Adversity temporarily visits a strong man but stays with the weak for a lifetime.


        • rthonpm

          #5
          Re: TLS 1.3

          The main differences between TLS 1.3 and 1.2 are the usable ciphers and the handshake method for connections. Generally with TLS, you'll see at least two supported versions at one time, especially since not all operating systems will support the latest and greatest version. Even TLS 1.0 and 1.1 didn't start to see a move towards deprecation until about three or four years ago.

          From a cipher standpoint, TLS 1.2 is still strong enough to be used in a production environment. Even many in-lifecycle operating systems don't offer complete support for TLS 1.3 from a hosting perspective (IIS, Apache, Databases, etc), though it's now the standard with any new OS.

          TLS isn't going to protect a client from any kind of malware: all it's going to do is increase the security of data in transit. The desire for its use by clients is likely coming from either audits or other requirements that they are bound to. Confirming which MFPs will support the protocol may be a little tricky, since most manufacturers will stick with a platform even after it's long outlived its utility: look at the number of machines that were still being released only with SMB1 support even after SMB2 and 3 had been released.


          • PrintWhisperer

            #6
            Re: TLS 1.3

            Originally posted by SalesServiceGuy
            .....

            I do not think TLS 1.3 vs TLS 1.2 ptotects the clent any more against ransomware or phising attacks.

            I suspect this uses more copier resources to accomodate the increased encryption demands.
            TLS 1.3 is purported to be more efficient by reducing the number of turns required to establish the session, along with other performance improvements resulting in reduced latency.

            As others have stated, it's about session integrity against MITM and hijacking session keys, particularly in session resumption along with payload encryption.


            Kyocera '4' Series is released with TLS 1.3 support, and all prior versions are still available (including deprecated ciphers). SHA hash length limit was NOT increased from 384 to 512 though.
            "Being ignorant is not so much a shame, as being unwilling to learn" - Benjamin Franklin


            • SalesServiceGuy

              #7
              Re: TLS 1.3

              Originally posted by PrintWhisperer
              TLS 1.3 is purported to be more efficient by reducing the number of turns required to establish the session, along with other performance improvements resulting in reduced latency.

              As others have stated, it's about session integrity against MITM and hijacking session keys, particularly in session resumption along with payload encryption.


              Kyocera '4' Series is released with TLS 1.3 support, and all prior versions are still available (including deprecated ciphers). SHA hash length limit was NOT increased from 384 to 512 though.
              " it's about session integrity against MITM and hijacking session keys, particularly in session resumption along with payload encryption."

              ... I have to try and break this statement down into English so that I can explain it:

              ... "it is about session integrity against Man in the Middle attacks"

              ... A man-in-the-middle attack is a type of eavesdropping attack, where attackers interrupt an existing conversation or data transfer. After inserting themselves in the "middle" of the transfer, the attackers pretend to be both legitimate participants.

              ... "hijacking session keys"

              ... gain unauthorized access to information or services in a computer system.

              ... "particularly in session resumption"

              ... This is done so that when a client reconnects to a server with a session ID, the server can quickly look up the session keys and resume the encrypted communication.

              ... "along with payload resumption"

              ... that is a ton of geek speak in one sentence that 99% of my SMB customers would look back at me with a blank stare.

              I find a successful copier sales or service guy has to deal more and more with highly educated and specialized Managed Service Providers who have been sub-contracted to protect their customer's network. Every network can be hacked, look at Ikea's recent experience. All a good MSP can do is detect the intrusion as early as possible and react with a good mitigation plan.


              • BillyCarpenter

                #8
                Re: TLS 1.3

                Originally posted by SalesServiceGuy

                ... that is a ton of geek speak in one sentence that 99% of my SMB customers would look back at me with a blank stare.
                Both rthonpm and Print Whisperer are very advanced in IT. They've learned it over years and years, I would imagine.
                Adversity temporarily visits a strong man but stays with the weak for a lifetime.


                • BillyCarpenter

                  #9
                  Re: TLS 1.3

                  Just for the hell of it, I studied up on TLS 1.3. Much of this has been said already, but what you really need to know is that there are 2 big advantages to using 1.3 vs. 1.2.


                  a.) performance

                  TLS 1.2 has been around for a long time and the "handshake" is considered to be a bit "clunky" and time consuming, if you will. This especially comes into play when we're on our cell phone and they have to perform all these complex calculations to exchange security keys.

                  TLS 1.3 uses a shorter and less complex handshake that puts less of a drain on resources.



                  And then there's Zero Round Trip Time, which is getting a little deep, but it basically means that after the 1st session has ended, if you want to go back to the website (server), the 2nd session will be established faster due to using some of the old information (handshake is shortened even more?) from the 1st session.


                  It should be noted that, theoretically, Zero Round Trip Time is susceptible to a Man-In-The-Middle Attack.




                  b.) security

                  - Old ciphers have been removed. Anything that was considered a risk is now gone. New ciphers are now used that are stronger and less susceptible to attack. Only AEAD ciphers are used in TLS 1.3.

                  - All data is encrypted after the "server hello" message. What that means is that data that is included in the "handshake" is now encrypted where it wasn't in TLS 1.2.

                  - Version negotiation has been removed. You used to be able to negotiate which version of TLS you wanted to use between client and server. This was a security risk because an attacker could step in and force the server to downgrade to the lowest version. I won't go any further because I think it's clear why that is a bad thing?

                  - The last thing you need to know is PFS - Perfect Forward Secrecy. This is a bit complicated. Basically it has to do with a static security key that's on the server. The server used to be able to share out the security key with trusted clients. This is no longer allowed with Perfect Forward Secrecy.



                  That's 30 minutes of my life that I'll never get back.

                  PS - Most of the protocols aren't overly complicated. We'll never be able to understand everything about them. It simply isn't possible.
                  Last edited by BillyCarpenter; 11-30-2021, 06:48 AM.
                  Adversity temporarily visits a strong man but stays with the weak for a lifetime.


                  • BillyCarpenter

                    #10
                    Re: TLS 1.3

                    Once I dig into one of these protocols I find it difficult to let it go. I wasn't clear on the new AEAD ciphers. Of course, I had to study up on it a bit.


                    Here's what I gather.

                    There are 2 parts to the AEAD cipher. There's the AE part. Then there's the AD part.


                    The AE part has to do with the actual encryption of the data to ensure privacy, but it also includes the "integrity" ....which means that it makes sure that, whoever sent the data, it hasn't been changed. So that's the AE portion which covers encryption and authentication. Hence: AE = "Authentication Encryption."


                    The AD is the Associated Data part of it. This is starting to get overly complicated. lol. Basically the AD part of it has to do with the header that precedes the data packet. The data packet is encrypted but the header is in plain text.


                    Unless you plan on using Wireshark....well...you get the picture.
                    Adversity temporarily visits a strong man but stays with the weak for a lifetime.
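                    An added example, not BillyCarpenter's or any vendor's code, of the AE and AD halves described above, using Go's standard-library AES-GCM: the record header is passed as associated data, so it stays readable on the wire but is covered by the authentication tag, and flipping one header byte makes decryption fail. The key, header bytes and payload are constructed test values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// sealRecord encrypts payload with AES-256-GCM and binds the plaintext header
// to it as associated data. The header stays readable on the wire, but any
// change to it (or to the ciphertext) makes decryption fail.
func sealRecord(key, header, payload []byte) (nonce, ciphertext []byte, err error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil { // a nonce must never repeat under one key
		return nil, nil, err
	}
	return nonce, aead.Seal(nil, nonce, payload, header), nil
}

// openRecord reverses sealRecord; it returns an error if either the header
// (associated data) or the ciphertext was modified in transit.
func openRecord(key, header, nonce, ciphertext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, ciphertext, header)
}

// demo seals one constructed record, then shows that tampering with the
// plaintext header is caught. Returns (payload round-trips, tampered header rejected).
func demo() (bool, bool) {
	key := bytes.Repeat([]byte{0x42}, 32)            // constructed test key, not for real use
	header := []byte{0x17, 0x03, 0x03, 0x00, 0x22}  // TLS-style record header: type, legacy version, length (18-byte body + 16-byte tag)
	payload := []byte("scan-to-email body")          // constructed 18-byte payload
	nonce, ct, err := sealRecord(key, header, payload)
	if err != nil {
		return false, false
	}
	pt, err := openRecord(key, header, nonce, ct)
	ok := err == nil && bytes.Equal(pt, payload)
	bad := append([]byte(nil), header...)
	bad[0] = 0x16 // an on-path change to the visible record-type byte
	_, err = openRecord(key, bad, nonce, ct)
	return ok, err != nil
}

func main() {
	ok, rejected := demo()
	fmt.Println("payload round-trips:", ok, "| tampered header rejected:", rejected)
}
```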


                    • copier tech

                      #11
                      Re: TLS 1.3

                      Originally posted by SalesServiceGuy
                      Is not SMB 1.0 more about scan to network folder? TLS 1.3 seems to be about everyday email security.

                      WannaCry was more about a Windows operating system vulnerability exploited by an unwitting employee clicking on a specific dangerous email.

                      I find that Managed Service Providers often demand the highest form of security without first checking if a customer's devices can support it.

                      This can be good/bad because it does force some customers to upgrade their equipment at unexpected expense or change copier vendors to one that can support the MSP's demands.

                      I am curious which copier/printer vendors can support TLS 1.3?
                      Yes, SMB is the scan-to-folder protocol; I used this as a security example.
                      Let us eat, drink, and be merry, because tomorrow we may die!

                      For all your firmware & service manual needs please visit us at:

                      www.copierfirmware.co.uk - www.printerfirmware.co.uk


                      • tsbservice

                        #12
                        Re: TLS 1.3

                        Originally posted by SalesServiceGuy
                        Is not SMB 1.0 more about scan to network folder? TLS 1.3 seems to be about everyday email security.

                        WannaCry was more about a Windows operating system vulnerability exploited by an unwitting employee clicking on a specific dangerous email.

                        I find that Managed Service Providers often demand the highest form of security without first checking if a customer's devices can support it.

                        This can be good/bad because it does force some customers to upgrade their equipment at unexpected expense or change copier vendors to one that can support the MSP's demands.

                        I am curious which copier/printer vendors can support TLS 1.3?
                        Bizhub C250i and such support TLS 1.3.
                        A tree is known by its fruit, a man by his deeds. A good deed is never lost, he who sows courtesy, reaps friendship, and he who plants kindness gathers love.
                        Blessed are they who can laugh at themselves, for they shall never cease to be amused.


                        • PrintWhisperer

                          #13
                          Re: TLS 1.3

                          Originally posted by SalesServiceGuy
                          " it's about session integrity against MITM and hijacking session keys, particularly in session resumption along with payload encryption."

                          ... I have to try and break this statement down into English so that I can explain it:
                          ...
                          A thoughtful analysis and yes, I do go on a bit. However when I am in that same sales meeting I am facing off with the customer's IT who is doing a brain scan to see if I know WTF I am talking about.

                          A salesperson once told me 'No one but you guys understood a thing you were talking about'. We won the deal because their IT knew our business had the knowledge to actually engage in the work.


                          As for being paranoid about security, maybe I spend too much time on sites like this:
                          AMT healthcare data breach impacts nearly 50,000 patients | The Daily Swig

                          After recently scanning a medical facility and seeing UDP ping attacks, TLS session spamming (100s of connection attempts per MINUTE), XML SOAP queries, and DHCP spoofs trying to reset DNS addresses, I tend to get worried. All this on a site using a 10BaseT hub for its MFP and camera sub-net.

                          Oh, and then there are the broken MFP protocol stacks which lack updated extensions.

                          Whether it's the manufacturer engineers or the customers with arm's-length IT, nobody really wants to understand this (I've had the dead-eyed conversations)... but the hackers.

                          Latest hacking news | The Daily Swig
                          "Being ignorant is not so much a shame, as being unwilling to learn" - Benjamin Franklin


                          • tsbservice

                            #14
                            Re: TLS 1.3

                            Originally posted by PrintWhisperer
                            A thoughtful analysis and yes, I do go on a bit. However when I am in that same sales meeting I am facing off with the customer's IT who is doing a brain scan to see if I know WTF I am talking about.

                            A salesperson once told me 'No one but you guys understood a thing you were talking about'. We won the deal because their IT knew our business had the knowledge to actually engage in the work.


                            As for being paranoid about security, maybe I spend too much time on sites like this:
                            AMT healthcare data breach impacts nearly 50,000 patients | The Daily Swig

                            After recently scanning a medical facility and seeing UDP ping attacks, TLS session spamming (100s of connection attempts per MINUTE), XML SOAP queries, and DHCP spoofs trying to reset DNS addresses, I tend to get worried. All this on a site using a 10BaseT hub for its MFP and camera sub-net.

                            Oh, and then there are the broken MFP protocol stacks which lack updated extensions.

                            Whether it's the manufacturer engineers or the customers with arm's-length IT, nobody really wants to understand this (I've had the dead-eyed conversations)... but the hackers.

                            Latest hacking news | The Daily Swig
                            Thanks to your link I learned about a new (for me 😊) printer vulnerability - cross-site printing:
                            HP printer vulnerabilities left enterprise networks open to abuse via ‘cross-site printing’ attack | The Daily Swig
                            A tree is known by its fruit, a man by his deeds. A good deed is never lost, he who sows courtesy, reaps friendship, and he who plants kindness gathers love.
                            Blessed are they who can laugh at themselves, for they shall never cease to be amused.


                            • SalesServiceGuy

                              #15
                              Re: TLS 1.3

                              Toshiba plans to introduce TLS 1.3 in the next release of copiers in likely April 2022 and then make the firmware backwards compatible to the last two generations of copiers.

                              Until very recently there has been almost no demand for TLS 1.3.
