Transport Encryption
Encryption of data while it travels across networks, protecting communications from eavesdropping and tampering. Key protocols include TLS (Transport Layer Security), IPSec, and SSH.
Understanding Transport Encryption
Transport encryption protects data while it moves across networks—from your browser to a website, between offices, or across the internet. Without it, anyone who can intercept the traffic can read it.
Data in transit is vulnerable to:
- Eavesdropping (reading the data)
- Man-in-the-middle attacks (intercepting and modifying)
- Replay attacks (capturing and resending)
Transport encryption provides confidentiality (can't read it), integrity (can't modify it), and often authentication (verify who you're talking to).
The most common protocols are TLS (for web and applications), IPSec (for VPNs and network-level encryption), and SSH (for secure remote access).
Why This Matters for the Exam
Transport encryption is fundamental to network security and heavily tested on SY0-701. Questions cover which protocol to use, how TLS handshakes work, and the difference between TLS versions.
Understanding transport encryption helps with broader security concepts: VPN design, secure application development, compliance requirements, and attack prevention.
Nearly every "secure" version of a protocol uses transport encryption: HTTP→HTTPS (TLS), FTP→SFTP/FTPS, Telnet→SSH, SMTP→SMTPS. Knowing this pattern helps with protocol questions.
Deep Dive
TLS (Transport Layer Security)
The primary protocol for secure web communications. TLS 1.3 is current; TLS 1.2 is acceptable; earlier versions are deprecated.
What TLS Provides:
- Confidentiality (encryption)
- Integrity (message authentication)
- Authentication (certificates)
TLS Handshake (Simplified):
1. Client sends "Hello" with supported cipher suites
2. Server responds with chosen cipher suite and certificate
3. Client verifies certificate against trusted CAs
4. Key exchange establishes shared secret
5. Both sides derive session keys
6. Encrypted communication begins
TLS Versions:
| Version | Status | Notes |
|---|---|---|
| SSL 2.0/3.0 | Deprecated | Serious vulnerabilities |
| TLS 1.0/1.1 | Deprecated | Known weaknesses |
| TLS 1.2 | Acceptable | Still widely used |
| TLS 1.3 | Recommended | Faster, more secure |
TLS 1.3 Improvements:
- Faster handshake (1 round trip vs. 2)
- Removed weak cipher suites
- Perfect forward secrecy required
- Encrypts more of the handshake
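Added example, not from the study guide: a Python `ssl` client context that enforces the version table above (nothing below TLS 1.2, certificate and hostname checks on), a deliberately weak context for contrast, and an audit function that reports the differences.

```python
import ssl

def hardened_client_context():
    """Client context that refuses SSL 2.0/3.0 and TLS 1.0/1.1 and insists on
    server certificate verification with hostname checking."""
    ctx = ssl.create_default_context()           # CERT_REQUIRED and check_hostname on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # the floor from the table above
    return ctx

def weak_client_context():
    """Deliberately misconfigured for contrast: no certificate or hostname check,
    and the version floor lowered where the local OpenSSL build still allows it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before verify_mode can change
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = ssl.TLSVersion.TLSv1   # modern builds may refuse this
    except ValueError:
        pass
    return ctx

def minimum_version_name(ctx):
    """Name of the lowest protocol version the context will negotiate."""
    return ctx.minimum_version.name

def audit_context(ctx):
    """Findings a reviewer would raise against a client context, as strings."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum version below TLS 1.2: deprecated protocols allowed")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not required: no authentication of the peer")
    if not ctx.check_hostname:
        findings.append("hostname check disabled: certificate not tied to the peer name")
    return findings
```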
IPSec (Internet Protocol Security)
Network-layer encryption for VPNs and site-to-site connections.
IPSec Modes:
Transport Mode
- Encrypts only the payload (data)
- Original IP header preserved
- Used for end-to-end communication

Tunnel Mode
- Encrypts entire original packet
- New IP header added
- Used for VPNs (site-to-site, remote access)
IPSec Protocols:
AH (Authentication Header)
- Provides integrity and authentication
- Does NOT provide encryption
- Rarely used alone

ESP (Encapsulating Security Payload)
- Provides encryption, integrity, and authentication
- Most commonly used
- Can work in transport or tunnel mode

IKE (Internet Key Exchange)
- Negotiates security associations
- Establishes shared keys
- IKEv2 is current version
SSH (Secure Shell)
Encrypted remote access protocol replacing Telnet.
Uses:
- Remote command-line access
- Secure file transfer (SFTP, SCP)
- Port forwarding/tunneling

Features:
- Strong authentication (password, keys)
- Encrypted channel
- Integrity protection
Secure Protocol Replacements
| Insecure | Secure Replacement | Encryption |
|---|---|---|
| HTTP | HTTPS | TLS |
| FTP | SFTP or FTPS | SSH or TLS |
| Telnet | SSH | SSH |
| SMTP | SMTPS/STARTTLS | TLS |
| POP3 | POP3S | TLS |
| IMAP | IMAPS | TLS |
| LDAP | LDAPS | TLS |
Perfect Forward Secrecy (PFS)
Even if long-term keys are compromised later, past session keys cannot be recovered.
- Each session uses unique ephemeral keys
- Compromising one session doesn't compromise others
- Required in TLS 1.3
- Uses Diffie-Hellman ephemeral (DHE) or ECDHE
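Added example (not from the study guide) covering handshake steps 4 and 5 from the TLS section and the PFS property above: a simulated ephemeral Diffie-Hellman exchange in Python. The group parameters and the HMAC-based key schedule are toy stand-ins for real TLS values, assumed only for illustration.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group (assumption for illustration only): real TLS uses a
# 2048-bit+ finite-field group or an elliptic curve, never a modulus this small.
P = 2**127 - 1      # a Mersenne prime
G = 5

def dhe_keypair():
    """Fresh ephemeral key pair: private exponent x and public value G^x mod P."""
    x = secrets.randbelow(P - 2) + 2
    return x, pow(G, x, P)

def derive_session_keys(shared_secret, client_random, server_random):
    """Handshake step 5: expand the shared secret into per-direction keys.
    HMAC-SHA256 stands in for the real TLS key schedule (an assumption)."""
    prk = hmac.new(client_random + server_random,
                   shared_secret.to_bytes(16, "big"), hashlib.sha256).digest()
    return {
        "client_write_key": hmac.new(prk, b"client", hashlib.sha256).digest(),
        "server_write_key": hmac.new(prk, b"server", hashlib.sha256).digest(),
    }

def dhe_session():
    """Handshake step 4 for one session: both sides pick ephemeral keys, exchange
    only the public values, and independently reach the same shared secret.
    In real TLS the server's long-term certificate key only signs s_pub; it never
    encrypts or derives the session keys, which is what makes PFS possible."""
    client_random, server_random = secrets.token_bytes(32), secrets.token_bytes(32)
    c_priv, c_pub = dhe_keypair()
    s_priv, s_pub = dhe_keypair()
    client_keys = derive_session_keys(pow(s_pub, c_priv, P), client_random, server_random)
    server_keys = derive_session_keys(pow(c_pub, s_priv, P), client_random, server_random)
    # Ephemeral exponents are discarded once keys exist, so a later compromise of
    # any long-term key cannot reconstruct this session from the recorded traffic.
    del c_priv, s_priv
    wire = (c_pub, s_pub, client_random, server_random)   # all an eavesdropper sees
    return client_keys, server_keys, wire

def forward_secrecy_demo():
    """Two sessions: each agrees internally, and neither reveals the other's keys."""
    keys1, peer1, _ = dhe_session()
    keys2, peer2, _ = dhe_session()
    return keys1 == peer1 and keys2 == peer2 and keys1 != keys2
```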
How CompTIA Tests This
Example Analysis
Scenario: A company needs to securely connect two office locations over the internet so that all traffic between them is encrypted, including internal IP addresses.
Solution: IPSec VPN in Tunnel Mode
Why IPSec Tunnel Mode:
- Encrypts entire packets including IP headers
- Internal addressing hidden from internet
- Site-to-site VPN standard

Why NOT Transport Mode:
- Transport mode only encrypts payload
- Original IP headers visible
- Better for end-to-end host communication

Why NOT TLS:
- TLS is application-layer
- Would need each application configured
- IPSec encrypts ALL traffic transparently
Key insight: Tunnel mode creates an encrypted "tunnel" where the original packet becomes the payload of a new encrypted packet. Perfect for connecting networks over untrusted infrastructure.
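Added illustration of the scenario above, not part of the original guide: a toy ESP in Python that builds the same packet in transport mode and in tunnel mode and shows which addresses an eavesdropper can still read on the wire, plus the integrity check ESP performs before decrypting. The 12-byte header stand-in, the HMAC-based cipher and the hard-coded key are assumptions made purely for demonstration.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed demo values (assumptions): real ESP uses AES-GCM or similar rather
# than an HMAC keystream, and its keys come from IKE, not a literal in the code.
ESP_KEY = b"constructed-demo-key-not-for-real-use"
ESP, TCP = 50, 6                      # IP protocol numbers

def ip_header(src, dst, proto):
    """12-byte stand-in for an IPv4 header: source, destination, protocol."""
    return (ipaddress.IPv4Address(src).packed
            + ipaddress.IPv4Address(dst).packed + struct.pack("!I", proto))

def keystream(header, length):
    out = b""   # deterministic keystream bound to the SPI/sequence header (toy cipher)
    for ctr in range(0, length, 32):
        out += hmac.new(ESP_KEY, header + struct.pack("!I", ctr), hashlib.sha256).digest()
    return out[:length]

def esp_protect(spi, seq, plaintext):
    """Toy ESP: SPI and sequence number in the clear, encrypted payload, 12-byte tag."""
    header = struct.pack("!II", spi, seq)
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(header, len(plaintext))))
    tag = hmac.new(ESP_KEY, header + ct, hashlib.sha256).digest()[:12]
    return header + ct + tag

def esp_unprotect(esp):
    """Check the integrity tag first, then decrypt; None means tampering detected."""
    header, ct, tag = esp[:8], esp[8:-12], esp[-12:]
    expected = hmac.new(ESP_KEY, header + ct, hashlib.sha256).digest()[:12]
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, keystream(header, len(ct))))

def transport_mode(src, dst, payload, spi=1, seq=1):
    """Original IP header stays in the clear; only the payload is protected."""
    return ip_header(src, dst, ESP) + esp_protect(spi, seq, payload)

def tunnel_mode(gw_src, gw_dst, src, dst, payload, spi=1, seq=1):
    """Whole original packet is wrapped; the new outer header names only the gateways."""
    inner = ip_header(src, dst, TCP) + payload
    return ip_header(gw_src, gw_dst, ESP) + esp_protect(spi, seq, inner)

def address_visible(packet, address):
    """Could an eavesdropper read this address off the wire?"""
    return ipaddress.IPv4Address(address).packed in packet
```

The receiving gateway in tunnel mode strips the 12-byte outer header and calls `esp_unprotect` on the rest to recover the original packet, internal addresses included.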
Key Terms to Know
Common Mistakes to Avoid
Exam Tips
Memory Trick
"TLS = Top Layer Secure, IPSec = IP Security"
- TLS works at Top (application layer)
- IPSec works at IP (network layer)

IPSec Mode Memory:
- Transport = Tails only (payload encrypted)
- Tunnel = Total packet (everything encrypted)

Protocol Evolution: just add S for Secure:
- HTTP + S = HTTPS
- FTP + S = FTPS
- SMTP + S = SMTPS
- (Or use SSH variants: SFTP, SCP)

TLS Version Memory:
- 1.0, 1.1 = Dead
- 1.2 = Decent
- 1.3 = Desired

IPSec Protocols:
- AH = Authentication only
- ESP = Encrypts (and authenticates)
Test Your Knowledge
Q1. Which TLS version should be used for new deployments?
Q2. A company needs to create a VPN that encrypts all traffic between two sites, including hiding internal IP addresses. Which IPSec mode should be used?
Q3. What does Perfect Forward Secrecy (PFS) protect against?