
Thread: TLS 1.3

  #1 SalesServiceGuy (Service Manager 5,000+ Posts; Nova Scotia; joined Dec 2009)

    TLS 1.3

    I have recently been receiving increased requests for TLS 1.3 encryption for scan to email vs TLS 1.2, which we have been using for many years.

    I suspect this has something to do with increased demands from Managed Service Providers increasing client email security.

    I do not think TLS 1.3 vs TLS 1.2 protects the client any more against ransomware or phishing attacks.

    I suspect this uses more copier resources to accommodate the increased encryption demands.

  #2 copier tech (Service Manager 5,000+ Posts; London; joined Jan 2014)

    Re: TLS 1.3

    Quote Originally Posted by SalesServiceGuy:
        I have recently been receiving increased requests for TLS 1.3 encryption for scan to email vs TLS 1.2, which we have been using for many years.

        I suspect this has something to do with increased demands from Managed Service Providers increasing client email security.

        I do not think TLS 1.3 vs TLS 1.2 protects the client any more against ransomware or phishing attacks.

        I suspect this must use more copier resources to accommodate the increased encryption demands.

    It is always good practice to have the highest level of security whenever possible.

    You have most likely heard about the SMB v1.0 vulnerability and WannaCry.

    For most models no older than 3 years, all that is required is a firmware update.

    Let us eat, drink, and be merry, because tomorrow we may die!

    For all your firmware & service manual needs please visit us at:

    www.copierfirmware.co.uk - www.printerfirmware.co.uk

  #3 SalesServiceGuy (Service Manager 5,000+ Posts; Nova Scotia; joined Dec 2009)

    Re: TLS 1.3

    Quote Originally Posted by copier tech:
        It is always good practice to have the highest level of security whenever possible.

        You have most likely heard about the SMB v1.0 vulnerability and WannaCry.

        For most models no older than 3 years, all that is required is a firmware update.

    Is not SMB 1.0 more about scan to network folder? TLS 1.3 seems to be about everyday email security.

    WannaCry was more about a Windows operating system vulnerability exploited by an unwitting employee clicking on a specific dangerous email.

    I find that Managed Service Providers often demand the highest form of security without first checking if a customer's devices can support it.

    This can be good/bad because it does force some customers to upgrade their equipment at unexpected expense or change copier vendors to one that can support the MSP's demands.

    I am curious which copier/printer vendors can support TLS 1.3?

  #4 BillyCarpenter (Service Manager 5,000+ Posts; Long Beach, Mississippi; joined Aug 2020)

    Re: TLS 1.3

    Quote Originally Posted by SalesServiceGuy:
        Is not SMB 1.0 more about scan to network folder? TLS 1.3 seems to be about email security.

    That's correct, but I think he was making a general point that it's best practice to use the latest security protocol, no matter what that is.
    Embrace the process, not the outcome.

  #5 rthonpm (Service Manager 1,000+ Posts; Pennsyltucky; joined Aug 2007)

    Re: TLS 1.3

    The main differences between TLS 1.3 and 1.2 are the usable ciphers and the handshake method for connections. Generally with TLS, you'll see at least two supported versions at one time, especially since not all operating systems will support the latest and greatest version. Even TLS 1.0 and 1.1 didn't start to see a move towards deprecation until about three or four years ago.

    From a cipher standpoint, TLS 1.2 is still strong enough to be used in a production environment. Even many in-lifecycle operating systems don't offer complete support for TLS 1.3 from a hosting perspective (IIS, Apache, databases, etc.), though it's now the standard with any new OS.

    TLS isn't going to protect a client from any kind of malware: all it's going to do is increase the security of data in transit. The desire for its use by clients is likely coming from either audits or other requirements that they are bound to. Confirming which MFPs will support the protocol may be a little tricky, since most manufacturers will stick with a platform even after it's long outlived its utility: look at the number of machines that were still being released with only SMB1 support even after SMB2 and 3 had been released.

  #6 PrintWhisperer (Senior Tech 100+ Posts; Wild West; joined Feb 2018)

    Re: TLS 1.3

    Quote Originally Posted by SalesServiceGuy:
        .....

        I do not think TLS 1.3 vs TLS 1.2 protects the client any more against ransomware or phishing attacks.

        I suspect this uses more copier resources to accommodate the increased encryption demands.
    TLS 1.3 is purported to be more efficient by reducing the number of turns required to establish the session, along with other performance improvements resulting in reduced latency.

    As others have stated, it's about session integrity against MITM and hijacking session keys, particularly in session resumption along with payload encryption.

    Kyocera '4' Series is released with TLS 1.3 support, and all prior versions are still available (including deprecated ciphers). The SHA hash length limit was NOT increased from 384 to 512, though.
    "Being ignorant is not so much a shame, as being unwilling to learn" - Benjamin Franklin

  #7 SalesServiceGuy (Service Manager 5,000+ Posts; Nova Scotia; joined Dec 2009)

    Re: TLS 1.3

    Quote Originally Posted by PrintWhisperer:
        TLS 1.3 is purported to be more efficient by reducing the number of turns required to establish the session, along with other performance improvements resulting in reduced latency.

        As others have stated, it's about session integrity against MITM and hijacking session keys, particularly in session resumption along with payload encryption.

        Kyocera '4' Series is released with TLS 1.3 support, and all prior versions are still available (including deprecated ciphers). The SHA hash length limit was NOT increased from 384 to 512, though.

    " it's about session integrity against MITM and hijacking session keys, particularly in session resumption along with payload encryption."

    ... I have to try and break this statement down into English so that I can explain it:

    ... "it is about session integrity against Man in the Middle attacks"

    ... A man-in-the-middle attack is a type of eavesdropping attack, where attackers interrupt an existing conversation or data transfer. After inserting themselves in the "middle" of the transfer, the attackers pretend to be both legitimate participants.

    ... "hijacking session keys"

    ... In computer science, session hijacking, sometimes also known as cookie hijacking is the exploitation of a valid computer session—sometimes also called a session key—to gain unauthorized access to information or services in a computer system.

    ... "particularly in session resumption"

    ... This is done so that when a client reconnects to a server with a session ID, the server can quickly look up the session keys and resume the encrypted communication.

    ... "along with payload resumption"

    ... that is a ton of geek speak in one sentence; 99% of my SMB customers would look back at me with a blank stare.

    I find a successful copier sales or service guy has to deal more and more with highly educated and specialized Managed Service Providers who have been sub-contracted to protect their customers' networks. Every network can be hacked; look at Ikea's recent experience. All a good MSP can do is detect the intrusion as early as possible and react with a good mitigation plan.

  #8 BillyCarpenter (Service Manager 5,000+ Posts; Long Beach, Mississippi; joined Aug 2020)

    Re: TLS 1.3

    Quote Originally Posted by SalesServiceGuy:
        ... that is a ton of geek speak in one sentence; 99% of my SMB customers would look back at me with a blank stare.

    Both rthonpm and PrintWhisperer are very advanced in IT. They've learned it over years and years, I would imagine.
    Embrace the process, not the outcome.

  #9 BillyCarpenter (Service Manager 5,000+ Posts; Long Beach, Mississippi; joined Aug 2020)

    Re: TLS 1.3

    Just for the hell of it, I studied up on TLS 1.3. Much of this has been said already, but what you really need to know is that there are 2 big advantages to using 1.3 vs. 1.2:

    a.) performance

    TLS 1.2 has been around for a long time and the "handshake" is considered to be a bit "clunky" and time consuming, if you will. This especially comes into play when we're on our cell phone and they have to perform all these complex calculations to exchange security keys.

    TLS 1.3 uses a shorter and less complex handshake that puts less of a drain on resources.

    And then there's Zero Round Trip Time, which is getting a little deep, but it basically means that after the 1st session has ended, if you want to go back to the website (server), the 2nd session will be established faster due to using some of the old information (handshake is shortened even more?) from the 1st session.

    It should be noted that, theoretically, Zero Round Trip Time is susceptible to a Man-In-The-Middle attack.

    b.) security

    - Old ciphers have been removed. Anything that was considered a risk is now gone. New ciphers are now used that are stronger and less susceptible to attack. Only AEAD ciphers are used in TLS 1.3.

    - All data is encrypted after the "server hello" message. What that means is that data that is included in the "handshake" is now encrypted where it wasn't in TLS 1.2.

    - Version negotiation has been removed. You used to be able to negotiate which version of TLS you wanted to use between client and server. This was a security risk because an attacker could step in and force the server to downgrade to the lowest version. I won't go any further because I think it's clear why that is a bad thing?

    - The last thing you need to know is PFS - Perfect Forward Secrecy. This is a bit complicated. Basically it has to do with a static security key that's on the server. The server used to be able to share out the security key with trusted clients. This is no longer allowed with Perfect Forward Secrecy.

    That's 30 minutes of my life that I'll never get back.

    PS - Most of the protocols aren't overly complicated. We'll never be able to understand everything about them. It simply isn't possible.
    Last edited by BillyCarpenter; 11-30-2021 at 06:48 AM.
    Embrace the process, not the outcome.
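  Added example (editor's addition, not from any poster in this thread): the version and cipher negotiation that rthonpm (#5), PrintWhisperer (#6) and BillyCarpenter (#9) describe, run as a self-contained Go program. It mints a throwaway certificate for a made-up mail host (smtp.example.test, an assumption) and performs real handshakes in memory between a server standing in for the customer's mail server and a client standing in for the copier's scan-to-email SMTP client, with different version floors and ceilings on each side. No real host is contacted.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

const serverName = "smtp.example.test" // constructed host name for the throwaway certificate; no real host is contacted

// check aborts the demo on errors that cannot occur with the fixed inputs used here.
func check(err error) {
	if err != nil {
		panic(err)
	}
}

// selfSignedCert mints a one-hour ECDSA P-256 certificate for serverName and a pool that trusts it.
func selfSignedCert() (tls.Certificate, *x509.CertPool) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: serverName},
		DNSNames:              []string{serverName},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	check(err)
	leaf, err := x509.ParseCertificate(der)
	check(err)
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool
}

// bufferedPipe joins two in-memory conns through relay goroutines: a bare net.Pipe is fully synchronous,
// so a handshake flight longer than the peer's next read would stall; io.Copy's 32 KiB buffers absorb it.
func bufferedPipe() (net.Conn, net.Conn) {
	a, aRelay := net.Pipe()
	b, bRelay := net.Pipe()
	go func() { io.Copy(bRelay, aRelay); bRelay.Close() }()
	go func() { io.Copy(aRelay, bRelay); aRelay.Close() }()
	return a, b
}

// negotiate runs one handshake between a server limited to [srvMin, srvMax] (the mail server's policy) and a
// client limited to [cliMin, cliMax] (what the MFP firmware offers as SMTP client); it returns the client's view.
func negotiate(cert tls.Certificate, pool *x509.CertPool, srvMin, srvMax, cliMin, cliMax uint16) (uint16, string, error) {
	clientSide, serverSide := bufferedPipe()
	serverDone := make(chan struct{})
	go func() {
		defer func() { serverSide.Close(); close(serverDone) }()
		srv := tls.Server(serverSide, &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: srvMin, MaxVersion: srvMax})
		srv.Handshake() // the outcome is judged from the client side
	}()
	cli := tls.Client(clientSide, &tls.Config{RootCAs: pool, ServerName: serverName, MinVersion: cliMin, MaxVersion: cliMax})
	err := cli.Handshake()
	clientSide.Close() // raw close; no close_notify exchange is needed for this demonstration
	<-serverDone
	if err != nil {
		return 0, "", err
	}
	state := cli.ConnectionState()
	return state.Version, tls.CipherSuiteName(state.CipherSuite), nil
}

func main() {
	cert, pool := selfSignedCert()
	names := map[uint16]string{tls.VersionTLS12: "TLS 1.2", tls.VersionTLS13: "TLS 1.3"}
	cases := []struct {
		name                           string
		srvMin, srvMax, cliMin, cliMax uint16
	}{
		{"mail server 1.2-1.3, current MFP firmware 1.2-1.3", tls.VersionTLS12, tls.VersionTLS13, tls.VersionTLS12, tls.VersionTLS13},
		{"mail server 1.2-1.3, older MFP capped at 1.2", tls.VersionTLS12, tls.VersionTLS13, tls.VersionTLS12, tls.VersionTLS12},
		{"MSP policy: mail server 1.3 only, older MFP at 1.2", tls.VersionTLS13, tls.VersionTLS13, tls.VersionTLS12, tls.VersionTLS12},
	}
	for _, c := range cases {
		v, suite, err := negotiate(cert, pool, c.srvMin, c.srvMax, c.cliMin, c.cliMax)
		if err != nil {
			fmt.Printf("%-52s handshake failed: %v\n", c.name, err)
		} else {
			fmt.Printf("%-52s %s with %s\n", c.name, names[v], suite)
		}
	}
}
```

  Running it prints one line per pairing. The first always lands on TLS 1.3 with one of its three suites (TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384 or TLS_CHACHA20_POLY1305_SHA256), all of them AEAD; the second falls back to a TLS 1.2 ECDHE suite, which is the "two supported versions at one time" rthonpm mentions and is still a sound choice; the third fails with a protocol-version error, which is exactly what a "TLS 1.3 only" mail-server policy does to a copier whose firmware stops at 1.2. Before agreeing to such a policy, the field check is to confirm what the mail server accepts (for example `openssl s_client -starttls smtp -tls1_3 -connect mailhost:587`) and what the copier's firmware release notes say it can offer as a client.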

  #10 BillyCarpenter (Service Manager 5,000+ Posts; Long Beach, Mississippi; joined Aug 2020)

    Re: TLS 1.3

    Once I dig into one of these protocols I find it difficult to let it go. I wasn't clear on the new AEAD ciphers. Of course, I had to study up on it a bit.

    Here's what I gather.

    There are 2 parts to the AEAD cipher. There's the AE part. Then there's the AD part.

    The AE part has to do with the actual encryption of the data to ensure privacy, but it also includes "integrity", which means that it makes sure that, whoever sent the data, it hasn't been changed. So that's the AE portion, which covers encryption and authentication. Hence: AE = "Authentication Encryption."

    The AD is the Associated Data part of it. This is starting to get overly complicated. lol. Basically the AD part of it has to do with the header that precedes the data packet. The data packet is encrypted but the header is in plain text.

    Unless you plan on using Wireshark... well... you get the picture.
    Embrace the process, not the outcome.
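  Added example (editor's addition, not from BillyCarpenter or anyone else in this thread): the AE and AD halves in working Go, using AES-GCM, the AEAD behind the TLS_AES_128_GCM_SHA256 and TLS_AES_256_GCM_SHA384 suites. The Record layout, the header and body text, and the key are constructed for the demonstration; they are not the TLS record format.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Record is a constructed stand-in for the shape described above: a cleartext header that the tag
// covers but does not hide, and a body that is both encrypted and tagged. It is not the TLS record format.
type Record struct {
	Header []byte // associated data: sent in the clear, authenticated
	Nonce  []byte // 96-bit GCM nonce; must never repeat under the same key
	Body   []byte // ciphertext with the 16-byte authentication tag appended
}

// newGCM wraps a 16-, 24- or 32-byte AES key in AES-GCM, the AEAD behind the TLS_AES_*_GCM_* suites.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts payload under key with a fresh random nonce and binds header to it through the tag.
func seal(key, header, payload []byte) (Record, error) {
	aead, err := newGCM(key)
	if err != nil {
		return Record{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Record{}, err
	}
	body := aead.Seal(nil, nonce, payload, header)
	return Record{Header: append([]byte(nil), header...), Nonce: nonce, Body: body}, nil
}

// open returns the payload only if header, nonce and body are exactly what was sealed; a single
// flipped bit anywhere makes Open fail and yields no plaintext at all.
func open(key []byte, r Record) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, r.Nonce, r.Body, r.Header)
}

// flipBit returns a copy of b with the low bit of byte i inverted, modelling an on-path edit.
func flipBit(b []byte, i int) []byte {
	out := append([]byte(nil), b...)
	out[i] ^= 0x01
	return out
}

// nonceReuseLeak shows why a nonce must never repeat under one key: GCM runs AES in counter mode, so
// two ciphertexts sealed under the same (key, nonce) XOR to the XOR of their plaintexts, tags aside.
// TLS 1.3 sidesteps this by deriving every record's nonce from a per-direction sequence number.
func nonceReuseLeak(key, nonce, p1, p2 []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	c1 := aead.Seal(nil, nonce, p1, nil)
	c2 := aead.Seal(nil, nonce, p2, nil)
	n := len(p1)
	if len(p2) < n {
		n = len(p2)
	}
	out := make([]byte, n)
	for i := range out {
		out[i] = c1[i] ^ c2[i]
	}
	return out, nil
}

func main() {
	key := make([]byte, 32) // constructed: a random 256-bit session key for this run only
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	header := []byte("type=scan-to-email seq=1")                   // constructed cleartext header
	payload := []byte("From: mfp@example.test\r\nSubject: Scan") // constructed body
	rec, err := seal(key, header, payload)
	if err != nil {
		panic(err)
	}
	pt, err := open(key, rec)
	fmt.Printf("untouched record: %q, err=%v\n", pt, err)
	_, err = open(key, Record{Header: flipBit(rec.Header, 0), Nonce: rec.Nonce, Body: rec.Body})
	fmt.Println("header edited in transit:", err)
	_, err = open(key, Record{Header: rec.Header, Nonce: rec.Nonce, Body: flipBit(rec.Body, 0)})
	fmt.Println("ciphertext edited in transit:", err)
	leak, _ := nonceReuseLeak(key, rec.Nonce, []byte("attack at dawn"), []byte("attack at dusk"))
	fmt.Printf("same nonce twice: c1 xor c2 = %q (equals p1 xor p2)\n", leak)
}
```

  Running it shows the genuine record opening, then editing either the cleartext header or the ciphertext making Open return an error rather than a mangled plaintext: that is the "integrity" half, and it covers the header even though the header is never encrypted. The last line is the caveat a practitioner wants with GCM: sealing two messages under the same nonce hands an observer the XOR of the plaintexts, which is why TLS 1.3 builds each record's nonce from a sequence number instead of trusting a random one.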
