Download presentation
Presentation is loading. Please wait.
Published byAnne Douglas Modified over 9 years ago
1
1 Security Protocols in the Internet Source: Chapter 31 Data Communications & Networking Forouzan Third Edition
2
2 IP Level Security - IPSec IP Security (IPSec) is a collection of protocols designed by the IETF to provide security for a packet at the IP level. Provides a framework and a mechanism. Leaves the selection of the encryption, authentication, and hashing methods to the user.
3
3 IPSec – Security Association IPSec requires a logical connection between two hosts using a signaling protocol, called Security Association (SA). Needs the connectionless IP protocol changed to a connection-oriented protocol. An SA connection is a simplex (unidirectional) connection between a source and destination. Two SA connections are required for a duplex connection.
4
4 IPSec – Security Association An SA connection is defined by: A 32-bit security parameter index (SPI), which acts as a virtual circuit identifier in connection- oriented protocols such as Frame Relay or ATM. Alternative security protocols: AH and ESP. Source IP address.
5
5 IPSec – Two modes Transport mode and tunnel mode: defines where the IPSec header is added to the IP packet. Transport mode
6
6 IPSec – Two modes Tunnel mode
7
7 IPSec – Two modes Example VPN technology uses IPSec in the tunnel mode.
8
8 Two security protocols Authentication Header (AH) protocol: Designed to authenticate the source host and to ensure the integrity of the payload. Calculates a message digest, using a hashing function and a symmetric key, and inserts the digest in the authentication header. AH is put in the appropriate location based on the mode. Provide source authentication and data integrity, but not privacy.
9
9 Two security protocols Authentication header in transport mode: Protocol field: http://www.networksorcery.com/enp/protocol/ip.htm#Protocol http://www.networksorcery.com/enp/protocol/ip.htm#Protocol
10
10 Two security protocols Next header – Defines the type of payload carried by the IP datagram. (e.g. TCP/UDP/ICMP, …) Payload length – Defines the length of the authentication header. Security parameter index – Plays the role of a virtual circuit identifier and is the same for all packets sent during a SA connection. Sequence number – Provides ordering information for a sequence of datagrams, and prevent playback. Authentication data – The result of applying a hash function to the entire IP datagram.
11
11 Two security protocols Encapsulating Security Payload (ESP) Provide source authentication, integrity, and privacy. Adds a header and trailer. Authentication data – In AH, part of the IP header is included in the calculation of the authentication data; in ESP, it is not.
12
12 Two security protocols ESP (Transport mode)
13
13 AH versus ESP ESP protocol was designed after AH protocol was already in use. ESP does whatever AH does with additional functionality (privacy). AH will remain part of the Internet until the products are phased out. Ref: http://www.microsoft.com/technet/itsolutions/network /security/ipsecarc.mspx http://www.microsoft.com/technet/itsolutions/network /security/ipsecarc.mspx
14
14 Secure Sockets Layer (SSL) Commonly used protocols for managing the security of a message transmission across the “insecure” Internet. Developed by Netscape for transmitting private documents via the Internet. Uses a public key to encrypt data that is transferred over the SSL connection. URLs that require an SSL connection start with “https:” instead of “http:”.
15
15 Secure Sockets Layer (SSL) Runs on top of the TCP, not over UDP or directly over IP. Uses TCP/IP on behalf of higher-level protocols Allows SSL-enabled server to authenticate itself to SSL-enabled client Allows client to authenticate itself to server Allows both machines to establish an encrypted connection.
16
16 Secure Sockets Layer (SSL) - Examples HTTP over SSL Securing the web was the main initial drive for designing SSL, and HTTP is the first application-layer protocol secured by SSL. HTTPS operates on TCP port 443, while HTTP operates on TCP port 80 by default. Standardized in RFC 2818.
17
17 Secure Sockets Layer (SSL) - Examples Email over SSL Similar to HTTP over SSL, e-mail protocols such as SMTP, Post Office Protocol 3 (POP3), and Internet Message Access Protocol (IMAP) can be supported by SSL.
18
18 Secure Sockets Layer (SSL) Uses ciphers to enable encryption of data between two parties. Uses digital certificates to enable authentication of the parties involved in a secure transaction. Asymmetric encryption (public key encryption). Symmetric encryption (secret key encryption).
19
19 Secure Sockets Layer (SSL) - Digital Certificates Components Certificate user’s name Entity for whom certificate is being issued Public key of the subject Time stamp Typically issued by a CA that acts as a trusted third party Public certificate authorities Private certificate authorities
20
20 Transport Layer Security - TLS Derived from a security protocol called Secure Socket Layer (SSL). TLS is a nonproprietary version of SSL designed by IETF. Lies between the application layer and the transport layer.
21
21 Transport Layer Security - TLS For transactions on the Internet, a browser needs the following: The server must be authenticated. The integrity of the message must be preserved. There is a need for privacy. TLS is actually two protocols: Handshake protocol Data exchange protocol
22
22 TLS – Handshake protocol Responsible for negotiating security, authenticating the server to the browser, and (optionally) defining other communication parameters.
23
23 TLS – Handshake protocol The browser sends a hello message that includes the TLS version and some preferences. The server sends a certificate message that includes the public key of the server. The public key is certified by some certification authority, which means the public key is encrypted by a CA private key. The browser has a list of CAs and their public keys. It uses the corresponding key to decrypt the certificate and finds the server public key. This also authenticates the server. The browser generates a secret key, encrypts it with the server public key, and sends it to the server. The browser sends a message, encrypted by the secret key, to inform the server that handshaking is terminating from the browser side. The server decrypts the secret key using its private key and decrypts the message using the secret key. It then sends a message, encrypted by the secret key, to inform the browser that handshaking is terminating from the server side.
24
24 TLS – Data exchange protocol The data exchange (record) protocol uses the secret key to encrypt the data for secrecy and to encrypt the message digest for integrity.message digest The details and specification of algorithms agreed upon during the handshake phase.
25
25 SSL VPN Emerging remote access technology that provides secure connectivity to the internal corporate resources through a web browser or a dedicated client. The greatest strength of SSL VPN comes from the fact that SSL is a mature protocol and is readily available in virtually all web browsers. Using SSL VPN, you can securely navigate your internal web server, or even check your e-mails, from a kiosk or Internet cafe.
26
26 SSL VPN SSL VPN offers the advantage that it is platform independent. Using any browser that supports SSL, you can access resources without worrying about the underlying operating system. Secondly, you do not have to troubleshoot a third-party VPN client, should the connection not work as expected. Additionally, SSL VPN solves the network traversal problem, as many organizations restrict most forms of VPN traffic, such as IPsec and PPTP, to pass through their networks.
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.