
Can anyone tell me the key differences between Transport layer encryption and Application layer encryption and outline example use cases where each are most appropriate?

The research I have done so far is that the Application layer encrypts everything down, as the Application is at the highest level in the OSI model. In comparison, Transport layer encryption means that Application, Presentation and Session layers are all in plain text?

I did have a look at this post before. The answers in the post pretty much said it depends on what you are trying to protect; as I'm not designing anything in particular, it didn't really help my understanding of it. I'm really looking for the pros and cons of both and perhaps an analogy, or at least some context as to where each would/should be used?


    1 Answer


    This is a question about scope and application interaction. So where one is better than the other depends on the scope of access of the data.

    With application layer encryption the data is only viewable in your application's memory space. If this is what you need then application level encryption is the way to go. However, when sent to another application, that information is encrypted and they can't view it. This is useful in JSON Web Tokens, where the server encrypts and decrypts the information for checks and balances while preventing other layers of the OSI model from modifying it.

    Transportation layer encryption, though, is akin to TLS/SSL/SSH and such. It's where you encrypt it in transport so people can't listen in unless they are accessing the shared memory on the machine that would release the information. This is useful for sending user input to a server that doesn't need to be encrypted, but still having it viewable in a web page.

    To condense those explanations down a little further:

    • Application layer encryption should be used when NOTHING else should have access to the data even on the same machine.

    • Transport layer encryption should be used when you don't want people listening into the data when it is in transport and no longer on the machine it was created on.


    Now I mentioned a website example earlier and that's the perfect way to think about it since all OSI models apply to that on the server side.

    Websites are data, and in transport, if they contain user-specific information, they need to be encrypted, but they should still be viewable to the user when the page displays again on the application layer on their end. This is where the transport layer encryption happens.

    However, to protect against attacks when a user is sending information back, they often include a check in the form of a JSON web token or CSRF cookie/field that is not viewable by the client, and is encrypted in the application layer so that no one else can view it or modify it. Then, if it's the same when it comes back and the information inside of it checks out, they know it's still valid and can honor it on the server side.
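The answer's last two paragraphs describe a server handing the client a token that travels over TLS but is itself encrypted at the application layer, so the client can carry it but neither read nor change it. The following Go program is an added example of that pattern; it is not code from the original question or answer. It uses only the Go standard library (AES-256-GCM via `crypto/cipher`). The `SessionClaims` fields, the function names `SealToken`, `OpenToken` and `Tamper`, and the sample values in `main` are all assumptions made for this example. The TLS hop itself is not shown; in Go that would be `http.ListenAndServeTLS`, and it would deliver the token bytes to the client exactly as sealed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"time"
)

// SessionClaims is a constructed, hypothetical piece of server state that the
// server hands to the client (e.g. in a cookie) but must not let the client
// read or alter. The field names are assumptions for this example.
type SessionClaims struct {
	UserID    string `json:"uid"`
	CSRFNonce string `json:"csrf"`
	ExpiresAt int64  `json:"exp"` // Unix seconds
}

// SealToken is the application-layer step: the claims are encrypted and
// authenticated with AES-256-GCM under a key that exists only on the server.
// Token layout is base64url(nonce || ciphertext || tag).
func SealToken(key []byte, claims SessionClaims) (string, error) {
	plaintext, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	aead, err := newAEAD(key)
	if err != nil {
		return "", err
	}
	// Fresh random nonce per token; reusing a nonce with GCM breaks it.
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	sealed := aead.Seal(nonce, nonce, plaintext, nil) // appends ct||tag to nonce
	return base64.RawURLEncoding.EncodeToString(sealed), nil
}

// OpenToken reverses SealToken. Any change to nonce, ciphertext or tag (by the
// client, a proxy, or anything else on the path) fails the GCM check, so the
// claims may be trusted only when the returned error is nil.
func OpenToken(key []byte, token string, now time.Time) (SessionClaims, error) {
	var claims SessionClaims
	sealed, err := base64.RawURLEncoding.DecodeString(token)
	if err != nil {
		return claims, err
	}
	aead, err := newAEAD(key)
	if err != nil {
		return claims, err
	}
	if len(sealed) < aead.NonceSize()+aead.Overhead() {
		return claims, errors.New("token too short")
	}
	nonce, ct := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	plaintext, err := aead.Open(nil, nonce, ct, nil)
	if err != nil {
		return claims, errors.New("token failed authentication")
	}
	if err := json.Unmarshal(plaintext, &claims); err != nil {
		return claims, err
	}
	if !now.Before(time.Unix(claims.ExpiresAt, 0)) {
		return claims, errors.New("token expired")
	}
	return claims, nil
}

// Tamper simulates a client or middlebox editing the token: it flips one bit
// of the authentication tag and re-encodes it. OpenToken must reject the result.
func Tamper(token string) string {
	raw, err := base64.RawURLEncoding.DecodeString(token)
	if err != nil || len(raw) == 0 {
		return token
	}
	raw[len(raw)-1] ^= 0x01
	return base64.RawURLEncoding.EncodeToString(raw)
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	key := make([]byte, 32)
	io.ReadFull(rand.Reader, key) // demo key; a real server loads it from a secret store
	claims := SessionClaims{UserID: "u-42", CSRFNonce: "9f1c", ExpiresAt: time.Now().Add(10 * time.Minute).Unix()}
	tok, _ := SealToken(key, claims)
	// The token rides inside TLS (transport layer); TLS hands these same bytes
	// to the client unchanged, and only the server key can open them.
	fmt.Println("opaque token:", tok)
	got, err := OpenToken(key, tok, time.Now())
	fmt.Println("server reads back:", got, err)
	_, err = OpenToken(key, Tamper(tok), time.Now())
	fmt.Println("tampered token:", err)
}
```

The two layers do different jobs here: TLS stops a third party on the wire from reading or altering the request, while the GCM seal stops the *recipient* (the browser, or anyone who copies the cookie) from reading or altering the claims. A tampered or wrong-key token fails inside `aead.Open` before any field is parsed, which is the "if it's the same when it comes back and the information inside of it checks out" step from the answer.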
