This chapter covers secure network protocols that protect data in transit: HTTPS, SFTP, and SRTP. These protocols are essential for ensuring confidentiality, integrity, and authentication in network communications. For the SY0-701 exam, this maps to Objective 1.4 (General Security Concepts) and is often tested through scenario-based questions where you must choose the correct protocol for a given situation. Understanding the differences between these protocols and their underlying mechanisms is critical for passing the exam and for real-world network security.
Jump to a section
Imagine you are a spy sending a secret message to your handler. You write the message, place it in an envelope, and seal it with wax. However, anyone who intercepts the envelope can break the wax, read the message, and reseal it with a fake wax stamp. To prevent this, you use a tamper-evident seal: a special wax that shows clear signs of breaking. But even that doesn't protect the message's contents from being read. Now consider a more sophisticated method: you place the message inside a locked box, and you send the key separately in another locked box. This is similar to how HTTPS works: the message (HTTP data) is encrypted inside a TLS tunnel. The courier (network) can't read it. SFTP works like a sealed envelope that is also locked: it uses SSH to encrypt both commands and data. SRTP is like a voice scrambler: it encrypts the audio stream in real-time, but also ensures the stream hasn't been tampered with (using authentication). The key difference is that HTTPS protects web traffic, SFTP protects file transfers, and SRTP protects real-time communications. All three use encryption but with different protocols and purposes.
What Are Secure Network Protocols?
Secure network protocols are communication protocols that incorporate encryption, authentication, and integrity checks to protect data transmitted over a network. The three protocols covered here—HTTPS, SFTP, and SRTP—are each designed for different types of data: web traffic, file transfers, and real-time multimedia streams.
HTTPS (Hypertext Transfer Protocol Secure)
What it is: HTTPS is HTTP over TLS (Transport Layer Security). It protects web browsing by encrypting the entire HTTP request and response, including URLs, headers, and body. HTTPS uses port 443 by default.
How it works: 1. Client (browser) connects to server on port 443. 2. Server presents its TLS certificate (X.509) containing its public key. 3. Client verifies the certificate against a trusted Certificate Authority (CA). 4. Client and server perform a key exchange (e.g., Diffie-Hellman) to derive a symmetric session key. 5. All subsequent HTTP data is encrypted with that session key (e.g., AES-256-GCM). 6. Integrity is ensured via message authentication codes (MACs) like HMAC-SHA256.
Key components: - TLS 1.3 (RFC 8446) is the current standard; TLS 1.2 is still common. - Cipher suites: e.g., TLS_AES_256_GCM_SHA384. - Certificate validation: chain of trust, revocation checks (CRL, OCSP).
Attack vectors: - Man-in-the-middle (MITM) via rogue certificates or CA compromise. - SSL stripping (downgrading HTTPS to HTTP). - POODLE attack (CVE-2014-3566) against SSL 3.0.
Defense: - Use HSTS (HTTP Strict Transport Security) header to enforce HTTPS. - Pin certificates or use Certificate Transparency. - Disable old protocols (SSL, TLS 1.0/1.1).
Real command example:
# Test TLS configuration
openssl s_client -connect example.com:443 -tls1_3SFTP (SSH File Transfer Protocol)
What it is: SFTP is a secure file transfer protocol that runs over SSH (Secure Shell). It is not related to FTP; it is a separate protocol that provides file access, transfer, and management over a secure channel. SFTP uses port 22 by default (same as SSH).
How it works: 1. Client initiates an SSH connection to the server on port 22. 2. Server authenticates via password, public key, or other methods. 3. SSH establishes an encrypted tunnel using key exchange (e.g., Diffie-Hellman) and symmetric encryption (e.g., AES-256-CTR). 4. Within this tunnel, SFTP commands and data are exchanged. 5. SFTP supports resuming transfers, directory listings, and file permissions.
Key components: - SSH-2 protocol (RFC 4251). - Authentication methods: password, public key (RSA, ECDSA, Ed25519), keyboard-interactive. - File integrity via HMAC.
Attack vectors: - Brute-force SSH passwords. - Man-in-the-middle if host key verification is skipped. - Weak cipher suites (e.g., CBC mode).
Defense: - Disable password authentication; use key-based authentication. - Use strong algorithms (e.g., chacha20-poly1305@openssh.com). - Implement fail2ban or rate-limiting.
Real command example:
# Secure file transfer
sftp user@host
# Inside sftp:
get remote_file local_file
put local_file remote_fileSRTP (Secure Real-time Transport Protocol)
What it is: SRTP is a security profile for RTP (Real-time Transport Protocol) used for VoIP, video conferencing, and streaming media. It provides encryption, message authentication, and replay protection. SRTP is defined in RFC 3711.
How it works: 1. RTP packets are generated by the media application. 2. SRTP encrypts the RTP payload (media data) using a symmetric cipher (e.g., AES-128 in counter mode). 3. A message authentication code (e.g., HMAC-SHA1) is appended to each packet for integrity. 4. A sequence number is used to prevent replay attacks. 5. Key management is typically handled by a separate protocol like ZRTP or MIKEY.
Key components: - Encryption: AES-128 or AES-256 in Counter (CTR) or F8 mode. - Authentication: HMAC-SHA1 (80-bit or 32-bit tag). - Master key and session keys derived from a keying protocol.
Attack vectors: - Replay attacks if sequence numbers are not checked. - Key compromise via weak key exchange. - Denial of service via invalid packets.
Defense: - Use strong key management (e.g., ZRTP with Diffie-Hellman). - Always enable authentication (not just encryption). - Monitor for unusual sequence number gaps.
Real tool example:
# Using tshark to filter SRTP traffic
tshark -r capture.pcap -Y "srtp"Comparison of All Three
Purpose: HTTPS for web, SFTP for files, SRTP for real-time media.
Underlying protocol: HTTPS uses TLS over TCP; SFTP uses SSH over TCP; SRTP is an RTP extension over UDP.
Ports: HTTPS: 443; SFTP: 22; SRTP: no fixed port (uses RTP ports, often 5004).
Encryption: All use symmetric encryption; key exchange varies.
Authentication: HTTPS uses certificates; SFTP uses SSH keys/passwords; SRTP uses shared secrets or certificates.
Integrity: All provide integrity via MACs.
Exam-Relevant Standards
RFC 8446 (TLS 1.3)
RFC 4251 (SSH)
RFC 3711 (SRTP)
RFC 5246 (TLS 1.2)
Common Misconfigurations
HTTPS: Using self-signed certificates without proper CA validation.
SFTP: Allowing password authentication and weak ciphers.
SRTP: Enabling encryption without authentication (allows tampering).
Summary of Protection Mechanisms
Confidentiality: Encryption (AES, ChaCha20).
Integrity: MAC (HMAC, Poly1305).
Authentication: Certificates, keys, or shared secrets.
Replay protection: Sequence numbers, timestamps.
Tools for Verification
openssl s_client for TLS.
ssh -v for SSH/SFTP.
tshark or Wireshark for SRTP analysis.
HTTPS Handshake Process
1. Client sends a ClientHello message with supported TLS versions and cipher suites. 2. Server responds with ServerHello, choosing the highest common version and a cipher suite. 3. Server sends its certificate (X.509) and possibly a certificate chain. 4. Client verifies the certificate against trusted CAs, checks expiry, and revocation. 5. Client generates a random pre-master secret, encrypts it with the server's public key, and sends it. 6. Both derive the session keys from the pre-master secret. 7. Client sends a Finished message encrypted with the session key. 8. Server sends its Finished message. 9. Secure communication begins. This process is known as the TLS handshake. Tools like Wireshark show these steps as ClientHello, ServerHello, Certificate, ClientKeyExchange, etc.
SFTP Connection and Transfer
1. Client initiates an SSH connection to port 22. 2. Server sends its host key; client verifies it (first time prompts user). 3. Key exchange (e.g., Diffie-Hellman) establishes a shared secret. 4. Encrypted tunnel is set up using symmetric cipher. 5. Server authenticates the client (password or public key). 6. Client sends SFTP subsystem request (e.g., `sftp-server`). 7. Client sends commands like `OPEN`, `READ`, `WRITE` to transfer files. 8. Data is encrypted and integrity-checked. 9. Connection closes. Logs show SSH authentication events and SFTP commands.
SRTP Packet Encryption
1. RTP packet is generated with header (sequence number, timestamp, SSRC). 2. SRTP encrypts the RTP payload using a cipher like AES-CTR. 3. A MAC is computed over the encrypted payload and header (excluding some fields). 4. The MAC is appended to the packet. 5. The packet is sent over UDP. 6. Receiver checks the MAC, decrypts payload, and verifies sequence number for replay protection. 7. If valid, media is played. Tools like Wireshark can decrypt SRTP if keys are provided. Common mistake: enabling encryption without authentication allows undetected tampering.
TLS Certificate Validation
1. Client receives server's certificate. 2. Client checks that the certificate is not expired and covers the domain. 3. Client builds a chain from the server certificate to a trusted root CA. 4. Each intermediate certificate's signature is verified using the issuer's public key. 5. Client checks revocation via CRL or OCSP. 6. If all checks pass, the certificate is trusted. 7. The client then uses the public key from the certificate for key exchange. This process prevents MITM attacks. Common mistake: ignoring certificate warnings in development leads to security gaps.
Key Exchange in SSH/SFTP
1. Both sides agree on a key exchange algorithm (e.g., diffie-hellman-group14-sha256). 2. Server sends its host key and a temporary key (ephemeral). 3. Client generates a random secret and computes a shared secret using Diffie-Hellman. 4. Both derive session keys (encryption, MAC, IV) from the shared secret. 5. The exchange is authenticated by signing with the host key. 6. After key exchange, all subsequent packets are encrypted. This provides perfect forward secrecy (PFS) if ephemeral keys are used. Weak algorithms (e.g., diffie-hellman-group1-sha1) should be disabled.
Scenario 1: E-commerce Website HTTPS Misconfiguration
A SOC analyst notices that a company's e-commerce site is still using TLS 1.0. Using a tool like openssl s_client, they confirm the vulnerability. The analyst reports this as a critical finding because TLS 1.0 is deprecated and vulnerable to attacks like BEAST (CVE-2011-3389). The correct response is to disable TLS 1.0/1.1 and enable TLS 1.2/1.3 on the web server. A common mistake is to assume that simply having HTTPS is sufficient, ignoring protocol versions. The analyst should also check for HSTS headers and proper certificate chain.
Scenario 2: Secure File Transfer with SFTP
An IT engineer needs to transfer sensitive customer data to a partner. They choose SFTP over FTP. The engineer configures the SFTP server to only accept key-based authentication and disables password logins. They also restrict ciphers to aes256-ctr and hmac-sha2-256. However, they forget to verify the partner's host key, leading to a potential MITM. The correct procedure is to exchange host keys out-of-band and verify fingerprints. A common mistake is using FTP instead of SFTP for simplicity, leaving data in plaintext.
Scenario 3: VoIP Security with SRTP
A company deploys VoIP phones for internal calls. The network team enables SRTP for encryption but forgets to enable authentication (only encryption). An attacker can tamper with the audio stream without detection. The correct configuration is to use SRTP with both encryption and authentication (e.g., AES-128-CM + HMAC-SHA1). Tools like Wireshark can be used to verify that SRTP packets include an authentication tag. A common mistake is assuming encryption alone provides integrity.
What SY0-701 Tests: - Objective 1.4: Given a scenario, analyze potential indicators to determine the type of attack (but this chapter focuses on secure protocols). The exam expects you to know which protocol to use for different scenarios: HTTPS for web, SFTP for file transfer, SRTP for VoIP/video. Also, know the ports: HTTPS=443, SFTP=22, SRTP=no fixed port (uses RTP). Know that SFTP is not FTPS (which is FTP over SSL).
Common Wrong Answers: 1. Choosing FTPS instead of SFTP: FTPS uses port 990 and a different handshake. The exam often tests SFTP vs FTPS. 2. Confusing SRTP with HTTPS: Both encrypt, but SRTP is for real-time media, not web. 3. Thinking SFTP uses port 22 but forgetting it runs over SSH. 4. Assuming HTTPS uses port 80 (that's HTTP).
Specific Terms to Know: - TLS, SSL (deprecated) - X.509 certificate - Cipher suite - Perfect forward secrecy (PFS) - HMAC - AES-GCM, AES-CTR - ZRTP (for SRTP key exchange)
Trick Questions: - 'Which protocol should be used to securely transfer files?' Options: FTPS, SFTP, HTTPS, SCP. Answer: SFTP (or SCP, but SFTP is more common). FTPS is also secure but less common. - 'Which protocol provides encryption and authentication for VoIP?' Options: HTTPS, SFTP, SRTP, SSH. Answer: SRTP. - 'Which port does SFTP use?' Options: 22, 443, 990, 21. Answer: 22.
Decision Rule: When asked to choose a secure protocol for a given scenario, identify the type of data: web pages → HTTPS; files → SFTP or FTPS; real-time audio/video → SRTP. Also consider whether encryption, authentication, and integrity are required. If the scenario mentions 'streaming' or 'real-time', it's SRTP. If it mentions 'file transfer', it's SFTP. If it mentions 'web', it's HTTPS.
HTTPS uses port 443 and TLS; SFTP uses port 22 and SSH; SRTP is an RTP extension for secure real-time media.
SFTP is not FTPS; SFTP runs over SSH, FTPS runs over TLS.
SRTP provides encryption (e.g., AES-CTR) and optional authentication (HMAC-SHA1).
TLS 1.3 (RFC 8446) is the current standard; TLS 1.2 is still common but older versions are deprecated.
Certificate validation in HTTPS involves checking expiry, revocation (CRL/OCSP), and chain of trust.
Perfect forward secrecy (PFS) is achieved in TLS and SSH when ephemeral Diffie-Hellman is used.
Common exam ports: HTTPS=443, SFTP=22, FTPS=990, HTTP=80.
These come up on the exam all the time. Here's how to tell them apart.
HTTPS
Port 443
Uses TLS/SSL
For web traffic (HTTP)
Authentication via X.509 certificates
Key exchange: Diffie-Hellman or RSA
SFTP
Port 22
Uses SSH
For file transfer
Authentication via password or SSH keys
Key exchange: Diffie-Hellman (SSH)
Mistake
SFTP and FTPS are the same thing.
Correct
SFTP (SSH File Transfer Protocol) runs over SSH on port 22. FTPS (FTP over SSL) runs FTP over TLS/SSL on port 990. They are different protocols with different handshakes and authentication methods.
Mistake
HTTPS uses SSL/TLS on port 80.
Correct
HTTPS uses port 443. HTTP uses port 80. HTTPS is HTTP over TLS; the TLS handshake occurs before HTTP data is sent.
Mistake
SRTP only provides encryption, not authentication.
Correct
SRTP provides both encryption and optional authentication (via HMAC). Authentication must be enabled to ensure integrity and prevent tampering.
Mistake
TLS 1.3 is not backward compatible, so most servers still use TLS 1.2.
Correct
TLS 1.3 is backward compatible in the sense that clients and servers negotiate the highest version. Many servers now support TLS 1.3. The exam expects you to know that TLS 1.3 is the current standard.
Mistake
SFTP is just FTP over SSH.
Correct
SFTP is a separate protocol designed for file operations over SSH. It is not FTP tunneled through SSH. FTP over SSH is sometimes called 'FTP over SSH' but is different from SFTP.
SFTP (SSH File Transfer Protocol) runs over SSH on port 22 and uses SSH authentication methods (password, keys). FTPS (FTP over SSL) runs FTP over TLS/SSL on port 990 and uses FTP authentication plus certificates. SFTP is often preferred for its simplicity and firewall friendliness (single port). For the exam, know that both are secure, but they are different protocols.
Yes, HTTPS encrypts the entire HTTP request, including the URL path and query parameters. However, the domain name (hostname) may be visible in SNI (Server Name Indication) during the TLS handshake, and the IP address is always visible. So HTTPS protects the URL from eavesdropping on the network, but some metadata leaks.
SRTP does not have a fixed default port; it uses the same port as the underlying RTP stream, which is typically negotiated dynamically (often in the range 16384-32767). For SIP-based VoIP, ports are often 5004 or 5005. The exam does not require memorizing a specific SRTP port, but know that it is not a well-known port like 443.
Yes, SRTP allows encryption-only mode (no authentication), but this is insecure because an attacker can modify the ciphertext (bit-flipping) without detection. The exam expects you to know that both encryption and authentication should be enabled for proper security.
Certificate Authorities (CAs) issue digital certificates that bind a public key to an identity (domain). Browsers trust a list of root CAs. When a server presents a certificate, the client verifies that it was signed by a trusted CA. This prevents man-in-the-middle attacks by ensuring the server's identity.
PFS ensures that session keys are not compromised if the server's long-term private key is leaked. This is achieved by using ephemeral Diffie-Hellman key exchange, where the session key is derived from temporary keys that are destroyed after the session. TLS 1.3 mandates PFS; TLS 1.2 supports it via DHE or ECDHE cipher suites.
SRTP uses a sequence number in the RTP header. The receiver maintains a replay list and rejects packets with sequence numbers that have already been received or are too far out of order. This prevents an attacker from capturing and re-injecting valid packets.
You've just covered Secure Network Protocols (HTTPS, SFTP, SRTP) — now see how well it sticks with free SY0-701 practice questions. Full explanations included, no account needed.
Done with this chapter?