All of these algorithms work together to make up the protocol of TLS (and previously
SSL). To accomplish effective encryption that is protected against compromise, all of
these algorithms are necessary. We need to be able to derive a session key. We need to
be able to authenticate the parties and share information using encryption before we
have generated our session key. We need to have a session key and an algorithm to
encrypt and then decrypt our session data. Finally, we need to make sure that nothing
has been tampered with. What you see in the example is a collection of strong
encryption suites.
If you were to see something like 3DES in the output, you would have an example of
a server that was susceptible to attacks against the session key. This could result in the
key being compromised, which would result in the ciphertext being decrypted into
plain text in the hands of someone for whom it was not meant. Additionally, though
it was breezed over earlier, a tool like
sslscan
can verify that the protocols used are not
vulnerable to attack using known exploits.
You may on rare occasions see NULL in the place where we have seen AES256. This
means that the request is that no encryption is used. There are reasons for this. You
may not care so much about protecting the contents of the transmissions, but you
may care very much that you know who you are talking to and that the data hasn’t
been modified in transit. So, you ask for no encryption so as not to incur any over‐
head from the encryption, but you get the benefit of the other parts of the cipher suite
selected.
The war over encryption never ends. Even now research is being done to identify vul‐
nerabilities that can be exploited in the encryption algorithms and protocols in use.
You will see differences in the suites listed in your testing output over time as stron‐
ger keys begin to be used and new algorithms are developed.
Packet Captures
As you are performing network testing, you will find it useful to be able to see what is
being transmitted over the network. To see what is sent, we need to use a program
that captures packets. In fairness, though, what we are doing is capturing frames. The
reason I say that is each layer of the network stack has a different term for the bundle
of data that includes that layer. Keep in mind that headers are tacked on as we move
down the network stack, so the last set of headers added is the layer 2 headers. The
protocol data unit (PDU) at that layer is the frame. When we get up to layer 3, we are
talking about a packet. Layer 4 has datagrams or segments, depending on the proto‐
col used there.
Years ago, capturing packets was an expensive proposition, because it required a spe‐
cial network interface that could be put into promiscuous mode. The reason it’s called
that is because by default, network interfaces look at the MAC address. The network
