Internet Security Protocols

• Encryption (SSL and TLS)

• The Web (HTTP and HTTPS)
• Directory Services (DAP and LDAP)
• File Transfer (FTP and SFTP)
• Mail (MIME/SMIME)
• IPSec

1
 Encryption (SSL and TLS)
• Secure Sockets Layer (SSL) is a general-purpose protocol
developed by Netscape for managing the encryption of
information being transmitted over the Internet.
• Transport Layer Security (TLS) SSL and TLS are
essentially the same, although not interchangeable.
• Cryptographic methods are an ever-evolving field, and
because both parties must agree on an implementation
method, SSL/TLS has embraced an open, extensible, and
adaptable method to allow flexibility and strength.
Secure Sockets Layer (SSL) and
Transport Layer Security (TLS)
• One of the most widely
used security services
• General-purpose service
implemented as a set of
protocols that rely on
TCP
• Subsequently became
Internet standard
RFC4346: Transport
Layer Security (TLS)
 TLS Concepts
TLS Session TLS Connection
• An association between a • A transport (in the OSI
client and a server layering model definition)
• Created by the that provides a suitable
Handshake Protocol type of service
• Define a set of • Peer-to-peer relationships
cryptographic security
parameters • Transient

• Used to avoid the • Every connection is

expensive negotiation of associated with one
new security parameters session
for each connection
 Handshake Protocol
• Most complex part of TLS
• Is used before any application data are transmitted
• Allows server and client to:

• Comprises a series of messages exchanged by client and

server
• Exchange has four phases
 SSL/TLS Handshake

1. The client sends to the server the client’s SSL version number, cipher settings, and session-specific data.
2. The server sends to the client the server’s SSL version number, cipher settings, session-specific data, and its own
certificate. If the resource requested requires client authentication, the server requests the client’s certificate.
3. The client authenticates the server using the information it has received. If the server cannot be authenticated, the user is
warned of the problem and informed that an encrypted and authenticated connection cannot be established.
4. The client encrypts a seed value with the server’s public key (from certificate—step 2) and sends it to the server. If the
server requested client authentication, the client also sends the client certificate.
5. If the server requested client authentication, the server attempts to authenticate the client certificate. If the client
certificate cannot be authenticated, the session ends.
6. The server uses its private key to decrypt the secret, and then performs a series of steps (which the client also performs)
to generate a master secret. The required steps depend on the cryptographic method used for key exchange.
7. Both the client and the server use the master secret to generate the session key, which is a symmetric key used to
encrypt and decrypt information exchanged during the SSL session.
8. The client sends a message informing the server that future messages from the client will be encrypted with the session
key. It then sends a separate (encrypted) message indicating that the client portion of the handshake is finished.
9. The server sends a message informing the client that future messages from the server will be encrypted with the session
key. It then sends a separate (encrypted) message indicating that the server portion of the handshake is finished.
10.The SSL handshake is now complete and the session can begin.
 The Web (HTTP and HTTPS)
• HTTP is used for the transfer of hyperlinked data
over the Internet, from web servers to browsers.
• When a secure connection is needed, SSL/TLS is
used and appears in the address as https://.
 HTTPS
(HTTP over SSL)
• Combination of HTTP and SSL to implement secure
communication between a Web browser and a Web server
• Built into all modern Web browsers
• Search engines do not support HTTPS
• URL addresses begin with https://

• Documented in RFC 2818, HTTP Over TLS

• Agent acting as the HTTP client also acts as the TLS client
• Closure of an HTTPS connection requires that TLS close the
connection with the peer TLS entity on the remote side, which
will involve closing the underlying TCP connection
 Directory Services (DAP and LDAP)
• A directory is designed and optimized for reading data,
offering very fast search and retrieval operations.
• LDAP offers all of the functionality most directories need
and is easier and more economical to implement.
 SSL/TLS LDAP
• SSL/TLS provides several important functions to
LDAP services:
• Establish the identity of a data source through the use of
certificates.
• Provide for the integrity and confidentiality of the data
being presented.
 File Transfer (FTP and SFTP)
• FTP is a standard network protocol used to
exchange and manipulate files over a TCP/IP
based network.
• Secure FTP (SFTP) is used when confidential
transfer is required and combines both the Secure
Shell (SSH) protocol and FTP.
 MIME and S/MIME
MIME S/MIME
• Extension to the old RFC • Secure/Multipurpose
822 specification of an Internet Mail Extension
Internet mail format
• RFC 822 defines a simple
• Security enhancement to
heading with To, From, Subject the MIME Internet e-
• Assumes ASCII text format mail format
• Provides a number of • Based on technology from RSA
Data Security
new header fields that
define information • Provides the ability to
sign and/or encrypt
about the body of the
e-mail messages
message
S/MIME Functions
Signed and Clear-Signed Data
• The preferred algorithms used for signing S/MIME
messages use either an RSA or a DSA signature of a SHA-
256 message hash

• The process works as follows:

• Take the message you want to send and map it into a fixed-length code of 256
bits using SHA-256
• The 256-bit message digest is unique for this message making it virtually
impossible for someone to alter this message or substitute another message and
still come up with the same digest
• S/MIME encrypts the digest using RSA and the sender’s private RSA key
• The result is the digital signature, which is attached to the message
• Now, anyone who gets the message can recompute the message digest then
decrypt the signature using RSA and the sender’s public RSA key
• Since this operation only involves encrypting and decrypting a 256-bit block, it
takes up little time
 Enveloped Data
• Default algorithms used for encrypting S/MIME
messages are AES and RSA
• S/MIME generates a pseudorandom secret key that is used to encrypt
the message using AES or some other conventional encryption scheme
• A new pseudorandom key is generated for each new message
encryption
• This session key is bound to the message and transmitted with it
• The secret key is used as input to the public-key encryption algorithm,
RSA, which encrypts the key with the recipient’s public RSA key
• On the receiving end, S/MIME uses the receiver's private RSA key to
recover the secret key, then uses the secret key and AES to recover the
plaintext message
• If encryption is used alone, radix-64 is used to convert the ciphertext to
ASCII format
 IP Security (IPsec)
• Various application security mechanisms
• S/MIME, Kerberos, SSL/HTTPS
•Security concerns cross protocol layers
• Would like security implemented by the
network for all applications
• Authentication and encryption security
features included in next-generation IPv6
• Also usable in existing IPv4
 Benefits of IPsec
• When implemented in a firewall or router, it
provides strong security to all traffic crossing the
perimeter
• In a firewall it is resistant to bypass
• Below transport layer, hence transparent to
applications
• Can be transparent to end users
• Can provide security for individual users
• Secures routing architecture
The Scope of IPsec
Transport and Tunnel Modes
Transport Mode Tunnel Mode
• Provides protection to the entire
• Extends to the payload of an IP IP packet
packet
• The entire original packet travels
• Typically used for end-to-end through a tunnel from one point
communication between two of an IP network to another
hosts
• Used when one or both ends of a
• ESP encrypts and optionally security association are a
authenticates the IP payload security gateway
but not the IP header
• A number of hosts on networks
behind firewalls may engage in
secure communications without
implementing IPsec
 Summary
• Secure E-mail and
S/MIME • HTTPS
• MIME • Connection institution
• S/MIME • Connection closure

• DomainKeys • IPv4 and IPv6

identified mail security
• Internet mail architecture • IP security overview
• DKIM strategy • The scope of IPsec
• SSL and TLS • Security associations
• TLS architecture • Encapsulating security
• TLS protocols payload
• TLS attacks • Transport and tunnel
• SSL/TLS attacks modes