Week 13: Internet Security Protocols and Standards
MIME
• Extension to the old RFC 822 specification of an Internet mail format (RFC 822 has since been superseded by RFC 5322)
  o RFC 822 defines a simple heading with To, From, Subject
  o Assumes ASCII text format
• Provides a number of new header fields that define information about the body of the message
S/MIME
• Secure/Multipurpose Internet Mail Extension
• Security enhancement to the MIME Internet e-mail format
  o Based on technology from RSA Data Security; the current specification is S/MIME 4.0 (RFC 8551)
• Provides the ability to sign and/or encrypt e-mail messages
Figure 22.1 Typical S/MIME Process for Creating an S/MIME Message
(figure: Bob's plaintext, "This is an S/MIME message from Bob to Alice. Bob will sign and encrypt the message before sending it to" (cut off in the figure), is transformed step by step into a Radix-64 block; the block of random-looking characters shown in the figure is illustrative only)
1. Plaintext message (unsigned)
2. Digital signature added (DSS/SHA), using Bob's private key
3. Message with signature encrypted with a one-time session key (Triple DES)
4. Encrypted copy of the session key added (ElGamal), using Alice's public key
5. Document converted to Radix-64 format
Signed and Clear-Signed Data
• Default algorithms used for signing messages are DSS and SHA-1
• RSA public-key encryption algorithm can be used with SHA-1 or the MD5 message digest algorithm for forming signatures
• Radix-64 or base64 mapping is used to map the signature and message into printable ASCII characters
• Caveat: these defaults are those of S/MIME v3. MD5 and SHA-1 are no longer acceptable for signatures; current S/MIME (RFC 8551) requires SHA-256
S/MIME Public Key Certificates
• Default algorithms used for encrypting S/MIME messages are 3DES and ElGamal
  o ElGamal is based on the Diffie-Hellman public-key exchange algorithm
  o Current S/MIME (RFC 8551) uses AES in place of 3DES, and RSA key transport or ECDH key agreement in place of ElGamal
• If encryption is used alone, radix-64 is used to convert the ciphertext to ASCII format
• Basic tool that permits widespread use of S/MIME is the public-key certificate
• S/MIME uses certificates that conform to the international standard X.509v3
S/MIME content types:
Content type                Description
Enveloped data              Encrypted content and associated keys
Signed data                 Encoded message + signed digest
Clear-signed data           Cleartext message + encoded signed digest
Signed and enveloped data   Nesting of signed and encrypted entities
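The sign-then-envelope pipeline of Figure 22.1, producing the "signed and enveloped data" content type of the table above, as an added example in Go; it is not part of the original slides and not S/MIME library code. It keeps the five steps of the figure but uses the algorithms current S/MIME (RFC 8551) prefers in place of the slide's defaults: RSA-PSS with SHA-256 where the figure shows DSS/SHA, AES-256-GCM where it shows Triple DES, and RSA-OAEP key transport where it shows ElGamal. The Envelope layout, the parties Bob, Alice and Eve, and the sample message are constructed for the example; real S/MIME carries the same pieces inside CMS (ASN.1) structures.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
)

// Envelope is the transfer form at the bottom of Figure 22.1: every field is
// Radix-64 (base64) so it survives 7-bit mail transport. The layout is invented
// for this example; real S/MIME wraps the same pieces in CMS/ASN.1 structures.
type Envelope struct {
	EncryptedKey string // one-time session key, encrypted under Alice's public key
	Nonce        string // AES-GCM nonce, sent in the clear
	Ciphertext   string // AES-GCM over (message || signature)
}

// aesGCM builds the symmetric cipher; keys are always 32 bytes here, so
// neither constructor can fail.
func aesGCM(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key)
	aead, _ := cipher.NewGCM(block)
	return aead
}

// signAndEnvelope is Bob's side of Figure 22.1: sign, encrypt the signed
// message under a fresh session key, then encrypt that key for Alice.
func signAndEnvelope(msg []byte, bobPriv *rsa.PrivateKey, alicePub *rsa.PublicKey) (*Envelope, error) {
	// Digital signature added: SHA-256 digest signed with Bob's private key
	// (RSA-PSS here, where the slide's default is DSS/SHA-1).
	digest := sha256.Sum256(msg)
	sig, err := rsa.SignPSS(rand.Reader, bobPriv, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, err
	}
	signed := append(append([]byte{}, msg...), sig...) // message || signature
	// One-time session key and nonce, fresh for every message.
	keyAndNonce := make([]byte, 32+12)
	if _, err := rand.Read(keyAndNonce); err != nil {
		return nil, err
	}
	sessionKey, nonce := keyAndNonce[:32], keyAndNonce[32:]
	// Message with signature encrypted under the session key (AES-256-GCM
	// here, where the slide shows Triple DES).
	ct := aesGCM(sessionKey).Seal(nil, nonce, signed, nil)
	// Encrypted copy of the session key added, under Alice's public key
	// (RSA-OAEP here, where the slide shows ElGamal).
	encKey, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, alicePub, sessionKey, nil)
	if err != nil {
		return nil, err
	}
	// Document converted to Radix-64.
	b64 := base64.StdEncoding.EncodeToString
	return &Envelope{EncryptedKey: b64(encKey), Nonce: b64(nonce), Ciphertext: b64(ct)}, nil
}

// openAndVerify is Alice's side: recover the session key with her private key,
// decrypt, split off the signature and check it against Bob's public key.
func openAndVerify(env *Envelope, alicePriv *rsa.PrivateKey, bobPub *rsa.PublicKey) ([]byte, error) {
	encKey, e1 := base64.StdEncoding.DecodeString(env.EncryptedKey)
	nonce, e2 := base64.StdEncoding.DecodeString(env.Nonce)
	ct, e3 := base64.StdEncoding.DecodeString(env.Ciphertext)
	if e1 != nil || e2 != nil || e3 != nil || len(nonce) != 12 {
		return nil, errors.New("malformed Radix-64 envelope")
	}
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, alicePriv, encKey, nil)
	if err != nil || len(sessionKey) != 32 {
		return nil, errors.New("session key was not encrypted for this recipient")
	}
	signed, err := aesGCM(sessionKey).Open(nil, nonce, ct, nil)
	if err != nil {
		return nil, errors.New("envelope modified in transit")
	}
	sigLen := bobPub.Size() // an RSA-PSS signature is exactly the modulus size
	if len(signed) < sigLen {
		return nil, errors.New("signed data truncated")
	}
	msg, sig := signed[:len(signed)-sigLen], signed[len(signed)-sigLen:]
	digest := sha256.Sum256(msg)
	if err := rsa.VerifyPSS(bobPub, crypto.SHA256, digest[:], sig, nil); err != nil {
		return nil, errors.New("signature invalid: not from Bob, or message altered")
	}
	return msg, nil
}

// runExample does the Bob-to-Alice round trip with fresh keys and shows that a
// third party (Eve) holding only her own key cannot open the envelope.
func runExample() (recovered string, eveRejected bool, err error) {
	bob, _ := rsa.GenerateKey(rand.Reader, 2048)
	alice, _ := rsa.GenerateKey(rand.Reader, 2048)
	eve, _ := rsa.GenerateKey(rand.Reader, 2048)
	msg := []byte("This is an S/MIME message from Bob to Alice.") // constructed sample
	env, err := signAndEnvelope(msg, bob, &alice.PublicKey)
	if err != nil {
		return "", false, err
	}
	out, err := openAndVerify(env, alice, &bob.PublicKey)
	if err != nil {
		return "", false, err
	}
	_, eveErr := openAndVerify(env, eve, &bob.PublicKey)
	return string(out), eveErr != nil, nil
}

func main() { fmt.Println(runExample()) }
```

Run it with go run; runExample returns the text Alice recovers and whether Eve was refused. Note the order of checks on the receiving side: a bit flipped anywhere in the envelope fails the AES-GCM integrity check before any signature is examined, and the signature is only checked once decryption has succeeded, so the recipient never acts on a signature over data that was not addressed to her.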
DomainKeys Identified Mail (DKIM)
• Specification for cryptographically signing e-mail messages, permitting a signing domain to claim responsibility for a message in the mail stream
• Proposed Internet Standard RFC 4871 (DomainKeys Identified Mail (DKIM) Signatures); since obsoleted by RFC 6376, now Internet Standard STD 76
• Has been widely adopted by a range of e-mail providers
• A valid signature says only that the signing domain (the d= tag) took responsibility for the message; it does not by itself tie that domain to the From address the user sees, which is what DMARC (RFC 7489) adds on top of DKIM and SPF
Figure 22.2 Function Modules and Standardized Protocols Used Between Them
(figure: message author → message user agent (MUA) → (SMTP, local) → mail submission agent (MSA) → SMTP → message transfer agent (MTA) → SMTP → MTA → SMTP → MTA → (SMTP, local) → mail delivery agent (MDA) → message store (MS) → (IMAP, POP, local) → MUA → message recipient; the MSA, the MTAs and the MDA together form the message handling system (MHS))
Figure 22.3 Simple Example of DKIM Deployment
(figure: in the mail origination network the MUA submits the message over SMTP to the MSA, whose MTA acts as the DKIM signer; the signed message crosses the Internet over SMTP to the MTA of the mail delivery network, which acts as the verifier and fetches the signer's public key with a DNS query/response; the MDA then delivers to the recipient's MUA over POP or IMAP. DNS = domain name system, MDA = mail delivery agent, MSA = mail submission agent, MTA = message transfer agent, MUA = message user agent)
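The signer and verifier roles of Figure 22.3, as an added example in Go (not part of the slides, not a DKIM library): the signing MTA computes the body hash, canonicalizes the covered headers, signs, and emits the DKIM-Signature field; the verifying MTA fetches the public key by selector from a map that stands in for the DNS TXT lookup of the figure and checks both the body hash and the header signature. The domain example.com, selector sel2024, addresses and message text are constructed. It implements RFC 6376's relaxed header and simple body canonicalization but omits header folding, the l= length tag and the bottom-up header selection rule (it takes the first instance of each field), so it is a teaching model, not a replacement for a conformant verifier.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Message is a constructed mail message: header fields in order, then the body.
type Message struct {
	Headers [][2]string
	Body    string
}

func (m *Message) get(name string) string {
	for _, h := range m.Headers {
		if strings.EqualFold(h[0], name) {
			return h[1]
		}
	}
	return ""
}

// signedHeaders is the h= tag: the fields the signature covers. A field left
// out of h= can be rewritten in transit without invalidating the signature.
var signedHeaders = []string{"From", "To", "Subject"}

// bodyHash is the bh= tag: SHA-256 of the body under "simple" body
// canonicalization (RFC 6376 3.4.3: the body ends with exactly one CRLF).
func bodyHash(body string) string {
	sum := sha256.Sum256([]byte(strings.TrimRight(body, "\r\n") + "\r\n"))
	return base64.StdEncoding.EncodeToString(sum[:])
}

// relaxed is "relaxed" header canonicalization (RFC 6376 3.4.2): lowercase
// field name, whitespace runs collapsed to one space, none around the colon.
func relaxed(name, value string) string {
	return strings.ToLower(name) + ":" + strings.Join(strings.Fields(value), " ") + "\r\n"
}

// signatureInput is the data the b= tag signs: the h= fields, then the
// DKIM-Signature field itself with an empty b= value and no trailing CRLF.
func signatureInput(m *Message, dkimValue string) []byte {
	var sb strings.Builder
	for _, name := range signedHeaders {
		sb.WriteString(relaxed(name, m.get(name)))
	}
	sb.WriteString(strings.TrimSuffix(relaxed("DKIM-Signature", dkimValue), "\r\n"))
	return []byte(sb.String())
}

// signDKIM is the signer of Figure 22.3. It returns the DKIM-Signature field
// value to prepend to the message.
func signDKIM(m *Message, domain, selector string, priv *rsa.PrivateKey) (string, error) {
	value := fmt.Sprintf("v=1; a=rsa-sha256; c=relaxed/simple; d=%s; s=%s; h=%s; bh=%s; b=",
		domain, selector, strings.Join(signedHeaders, ":"), bodyHash(m.Body))
	digest := sha256.Sum256(signatureInput(m, value))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return value + base64.StdEncoding.EncodeToString(sig), nil
}

func parseTags(s string) map[string]string {
	tags := map[string]string{}
	for _, part := range strings.Split(s, ";") {
		if k, v, ok := strings.Cut(strings.TrimSpace(part), "="); ok {
			tags[k] = strings.TrimSpace(v)
		}
	}
	return tags
}

// dnsTXT stands in for DNS: "selector._domainkey.domain" -> TXT record. A real
// verifier issues the DNS query of Figure 22.3, so the key is only as
// trustworthy as that lookup (DNSSEC or a validating resolver).
type dnsTXT map[string]string

// verifyDKIM is the verifier of Figure 22.3: check the body hash, fetch the
// signing domain's key for the selector, then check the header signature.
func verifyDKIM(m *Message, dns dnsTXT) error {
	value := m.get("DKIM-Signature")
	tags := parseTags(value)
	if tags["v"] != "1" || tags["a"] != "rsa-sha256" {
		return errors.New("missing or unsupported DKIM-Signature")
	}
	if tags["bh"] != bodyHash(m.Body) {
		return errors.New("body hash mismatch: body altered after signing")
	}
	rec, ok := dns[tags["s"]+"._domainkey."+tags["d"]]
	if !ok {
		return errors.New("no key published for this selector and domain")
	}
	der, _ := base64.StdEncoding.DecodeString(parseTags(rec)["p"])
	key, err := x509.ParsePKIXPublicKey(der)
	pub, isRSA := key.(*rsa.PublicKey)
	if err != nil || !isRSA {
		return errors.New("published key is not a usable RSA key")
	}
	sig, err := base64.StdEncoding.DecodeString(tags["b"])
	if err != nil {
		return err
	}
	digest := sha256.Sum256(signatureInput(m, strings.TrimSuffix(value, tags["b"])))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return errors.New("header signature invalid: signed headers altered or wrong key")
	}
	return nil
}

func buildMessage(subject, body string) *Message { // constructed sample message
	return &Message{Headers: [][2]string{{"From", "billing@example.com"}, {"To", "bob@example.net"}, {"Subject", subject}}, Body: body}
}

// dkimDemo signs a constructed message for example.com, publishes the key in
// the stand-in DNS, then verifies the original, a copy whose Subject was
// rewritten in transit, and a copy whose body was rewritten.
func dkimDemo() (original, subjectAltered, bodyAltered error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return err, err, err
	}
	orig := buildMessage("Invoice 42", "Please find invoice 42 attached.\r\n")
	value, err := signDKIM(orig, "example.com", "sel2024", priv)
	if err != nil {
		return err, err, err
	}
	spki, _ := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	dns := dnsTXT{"sel2024._domainkey.example.com": "v=DKIM1; k=rsa; p=" + base64.StdEncoding.EncodeToString(spki)}
	withSig := func(m *Message) *Message {
		m.Headers = append([][2]string{{"DKIM-Signature", value}}, m.Headers...)
		return m
	}
	return verifyDKIM(withSig(orig), dns),
		verifyDKIM(withSig(buildMessage("Invoice 42 - new bank details", orig.Body)), dns),
		verifyDKIM(withSig(buildMessage("Invoice 42", "Please pay invoice 42 to the account below.\r\n")), dns)
}

func main() { fmt.Println(dkimDemo()) }
```

The two failure modes are reported separately because they are detected at different points: a body change is caught by the bh= comparison before any public-key operation, while a change to a covered header only shows up when the RSA signature over the canonicalized headers is checked.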
Secure Sockets Layer (SSL) and Transport Layer Security (TLS)
• One of the most widely used security services
• General-purpose service implemented as a set of protocols that rely on TCP
• Subsequently became Internet standard RFC 4346: Transport Layer Security (TLS) 1.1; the current versions are TLS 1.2 (RFC 5246) and TLS 1.3 (RFC 8446), while SSL 3.0 and TLS 1.0/1.1 are deprecated (RFC 7568, RFC 8996) and should be disabled
• Two implementation choices:
  o Provided as part of the underlying protocol suite
  o Embedded in specific packages
Figure 22.4 SSL/TLS Protocol Stack
(figure: IP → TCP → TLS Record Protocol; on top of the Record Protocol sit the Handshake Protocol, Change Cipher Spec Protocol, Alert Protocol, Heartbeat Protocol and application protocols such as HTTP)
TLS Concepts
TLS Session
• An association between a client and a server
• Created by the Handshake Protocol
• Defines a set of cryptographic security parameters
• Used to avoid the expensive negotiation of new security parameters for each connection
TLS Connection
• A transport (in the OSI layering model definition) that provides a suitable type of service
• Peer-to-peer relationship
• Transient
• Every connection is associated with one session
Figure 22.5 TLS Record Protocol Operation
(figure: Application data → Fragment → Compress → Add MAC → Encrypt → Append TLS record header)
Caveat: the compress step should be treated as disabled; TLS compression enabled the CRIME attack (2012) and TLS 1.3 removed it entirely. TLS 1.3 also replaces the separate "add MAC" and "encrypt" steps with a single AEAD operation, removing the MAC-then-encrypt construction whose CBC padding handling produced padding-oracle attacks such as Lucky 13.
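The write and read pipelines of Figure 22.5 for application data, as an added example in Go that is not from the slides: fragment to at most 2^14 bytes, protect each fragment, prepend the 5-byte record header, and reverse the process on the other side. It models the TLS 1.2 AES-GCM record construction of RFC 5288 (explicit 8-byte nonce in the record, header and sequence number as additional authenticated data) rather than the MAC-then-encrypt CBC construction the figure's separate MAC and encrypt boxes date from; the compression step is left out. Key and salt are constructed constants here; a real implementation takes them from the handshake key schedule.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	typeApplicationData = 23
	versionTLS12        = 0x0303
	maxFragment         = 1 << 14 // 2^14 bytes: the record layer's fragment limit
	explicitNonceLen    = 8
)

// recordState is one direction of a connection after the handshake: the
// AES-GCM key and 4-byte salt derived from the session's master secret, and
// the 64-bit sequence number the record layer keeps for that direction.
type recordState struct {
	aead cipher.AEAD
	salt [4]byte
	seq  uint64
}

func newRecordState(key []byte, salt [4]byte) (*recordState, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &recordState{aead: aead, salt: salt}, nil
}

// aad is what AES-GCM authenticates alongside the fragment (RFC 5288):
// sequence number | type | version | plaintext length. A forged header or a
// replayed record therefore fails the integrity check.
func (s *recordState) aad(plaintextLen int) []byte {
	a := make([]byte, 13)
	binary.BigEndian.PutUint64(a, s.seq)
	a[8] = typeApplicationData
	binary.BigEndian.PutUint16(a[9:], versionTLS12)
	binary.BigEndian.PutUint16(a[11:], uint16(plaintextLen))
	return a
}

// protect is the write side of Figure 22.5 for one fragment. Compression is
// skipped (disabled in practice, removed in TLS 1.3) and "add MAC, encrypt"
// is a single AEAD step; the record is header | explicit nonce | ciphertext+tag.
func (s *recordState) protect(fragment []byte) []byte {
	nonce := make([]byte, 12)
	copy(nonce, s.salt[:])
	binary.BigEndian.PutUint64(nonce[4:], s.seq) // explicit part travels in the record
	body := s.aead.Seal(append([]byte{}, nonce[4:]...), nonce, fragment, s.aad(len(fragment)))
	s.seq++
	rec := []byte{typeApplicationData, versionTLS12 >> 8, versionTLS12 & 0xff, 0, 0}
	binary.BigEndian.PutUint16(rec[3:], uint16(len(body)))
	return append(rec, body...)
}

// writeRecords fragments application data into records of at most 2^14 bytes.
func (s *recordState) writeRecords(data []byte) [][]byte {
	var out [][]byte
	for len(data) > 0 {
		n := len(data)
		if n > maxFragment {
			n = maxFragment
		}
		out = append(out, s.protect(data[:n]))
		data = data[n:]
	}
	return out
}

// readRecord reverses protect. The receiver builds the additional data from
// its own sequence counter, never from anything the sender put on the wire.
func (s *recordState) readRecord(rec []byte) ([]byte, error) {
	if len(rec) < 5+explicitNonceLen+s.aead.Overhead() {
		return nil, errors.New("record too short")
	}
	if rec[0] != typeApplicationData || binary.BigEndian.Uint16(rec[1:3]) != versionTLS12 {
		return nil, errors.New("unexpected content type or version")
	}
	body := rec[5:]
	if int(binary.BigEndian.Uint16(rec[3:5])) != len(body) {
		return nil, errors.New("length field disagrees with record")
	}
	nonce := append(append([]byte{}, s.salt[:]...), body[:explicitNonceLen]...)
	ct := body[explicitNonceLen:]
	pt, err := s.aead.Open(nil, nonce, ct, s.aad(len(ct)-s.aead.Overhead()))
	if err != nil {
		return nil, errors.New("bad_record_mac: altered, replayed or out of order")
	}
	s.seq++
	return pt, nil
}

// recordDemo sends 2^14+100 bytes (so two records), reads them back, then
// replays the first record and delivers a record with one flipped bit.
func recordDemo() (records int, dataIntact, replayRejected, flipRejected bool, err error) {
	key, salt := bytes.Repeat([]byte{0x11}, 16), [4]byte{1, 2, 3, 4} // constructed; normally from the key schedule
	w, err := newRecordState(key, salt)
	if err != nil {
		return
	}
	r, _ := newRecordState(key, salt) // the peer's copy of the same keys
	data := bytes.Repeat([]byte("A"), maxFragment+100)
	recs := w.writeRecords(data)
	var got []byte
	for _, rec := range recs {
		pt, e := r.readRecord(rec)
		if e != nil {
			return 0, false, false, false, e
		}
		got = append(got, pt...)
	}
	_, replayErr := r.readRecord(recs[0])
	flipped := w.protect([]byte("ok"))
	flipped[len(flipped)-1] ^= 0x80 // one bit of the authentication tag
	_, flipErr := r.readRecord(flipped)
	return len(recs), bytes.Equal(got, data), replayErr != nil, flipErr != nil, nil
}

func main() { fmt.Println(recordDemo()) }
```

The replayed record fails even though its ciphertext and tag are untouched, because the receiver's sequence counter has moved on and the tag was computed over the old value; this is the whole anti-replay mechanism of the record layer, and it is why a record layer must never take the sequence number from the wire.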
Change Cipher Spec Protocol
• One of four TLS-specific protocols that use the TLS Record Protocol
• Is the simplest
• Consists of a single message, which consists of a single byte with the value 1
• Sole purpose of this message is to cause the pending state to be copied into the current state, hence updating the cipher suite in use
• In TLS 1.3 the message is retained only for middlebox compatibility and has no effect on the connection state
Alert Protocol
• Conveys TLS-related alerts to the peer entity
• Alert messages are compressed and encrypted like any other record, under the current connection state
• Each message consists of two bytes:
  o First byte takes the value warning (1) or fatal (2) to convey the severity of the message
  o Second byte contains a code that indicates the specific alert
• If the level is fatal, TLS immediately terminates the connection; other connections on the same session may continue, but no new connections on this session may be established
• In TLS 1.3 the level byte is ignored: every alert other than close_notify and user_canceled is treated as fatal
Handshake Protocol
• Most complex part of TLS
• Is used before any application data are transmitted
• Allows server and client to:
  o Authenticate each other
  o Negotiate encryption and MAC algorithms
  o Negotiate cryptographic keys to be used
• Comprises a series of messages exchanged by client and server
• Exchange has four phases (as described here for TLS 1.2 and earlier; TLS 1.3 completes the handshake in one round trip, carries the key shares in the hello messages and encrypts every handshake message after server_hello)
Figure 22.6 Handshake Protocol Action
(figure: messages between Client and Server, time running downward; messages marked * are shaded in the original, i.e. optional or situation-dependent and not always sent)
Phase 1: Establish security capabilities, including protocol version, session ID, cipher suite, compression method, and initial random numbers.
  Client → Server: client_hello
  Server → Client: server_hello
Phase 2: Server may send certificate, key exchange, and request certificate. Server signals end of hello message phase.
  Server → Client: certificate*, server_key_exchange*, certificate_request*, server_hello_done
Phase 3: Client sends certificate if requested. Client sends key exchange. Client may send certificate verification.
  Client → Server: certificate*, client_key_exchange, certificate_verify*
Phase 4: Change cipher suite and finish handshake protocol.
  Client → Server: change_cipher_spec, finished
  Server → Client: change_cipher_spec, finished
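The exchange of Figure 22.6 run end to end with Go's crypto/tls, as an added example that is not part of the slides. It generates a throwaway certificate for a server named server.example.test (a name invented here), runs client and server in the same process over an in-memory pipe, and reports the negotiated version and cipher suite. A second run gives the client an empty trust store, which is the "attack on the PKI" case of the next slide: the handshake must fail at the certificate message, because that is the only point at which a forged or mis-issued certificate can be caught. The asyncConn wrapper exists only because net.Pipe writes block until the peer reads, which would deadlock a handshake that aborts in the middle of the server's flight.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

const serverName = "server.example.test" // name invented for this example

// selfSignedCert makes a throwaway server certificate, valid for one day.
func selfSignedCert() (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: serverName},
		DNSNames:              []string{serverName},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, leaf, nil
}

// asyncConn wraps one end of a net.Pipe so that Write returns at once and a
// helper goroutine delivers the bytes in order. net.Pipe writes block until
// the peer reads, which would deadlock a handshake that aborts mid-flight.
type asyncConn struct {
	net.Conn
	out chan []byte
}

func newAsyncConn(c net.Conn) *asyncConn {
	a := &asyncConn{Conn: c, out: make(chan []byte, 64)}
	go func() {
		for b := range a.out {
			if _, err := c.Write(b); err != nil {
				return
			}
		}
	}()
	return a
}

func (a *asyncConn) Write(p []byte) (int, error) {
	a.out <- append([]byte(nil), p...)
	return len(p), nil
}

// handshake runs Figure 22.6 in-process: client_hello through both finished
// messages over an in-memory pipe. It returns the client's view of the result.
func handshake(cert tls.Certificate, clientCfg *tls.Config) (tls.ConnectionState, error) {
	c, s := net.Pipe()
	cConn, sConn := newAsyncConn(c), newAsyncConn(s)
	defer cConn.Close()
	defer sConn.Close()
	srv := tls.Server(sConn, &tls.Config{Certificates: []tls.Certificate{cert}})
	done := make(chan error, 1)
	go func() { done <- srv.Handshake() }()
	cli := tls.Client(cConn, clientCfg)
	err := cli.Handshake()
	<-done // the server sees a client-side failure as an incoming alert
	if err != nil {
		return tls.ConnectionState{}, err
	}
	return cli.ConnectionState(), nil
}

// Result is what the handshake negotiated, as seen by the client.
type Result struct {
	Version     uint16 // 0x0304 is TLS 1.3
	CipherSuite string
	PeerName    string
}

// handshakeDemo runs the handshake twice against the same server: once with
// the server's certificate in the client's trust store, once with an empty
// trust store. The second must fail at the certificate message.
func handshakeDemo() (trusted Result, untrustedErr error, err error) {
	cert, leaf, err := selfSignedCert()
	if err != nil {
		return Result{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	st, err := handshake(cert, &tls.Config{ServerName: serverName, RootCAs: pool})
	if err != nil {
		return Result{}, nil, err
	}
	trusted = Result{st.Version, tls.CipherSuiteName(st.CipherSuite), st.PeerCertificates[0].Subject.CommonName}
	_, untrustedErr = handshake(cert, &tls.Config{ServerName: serverName, RootCAs: x509.NewCertPool()})
	return trusted, untrustedErr, nil
}

func main() { fmt.Println(handshakeDemo()) }
```

With Go's defaults both sides pick TLS 1.3, so the four phases of the figure collapse into the client_hello and the server's single encrypted flight; the failing run reports a certificate verification error from the client and, on the server side, the corresponding alert. Never paper over that error with InsecureSkipVerify in production code: it turns the second run into a "successful" handshake with whoever answered.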
Heartbeat Protocol
• A periodic signal generated by hardware or software to indicate normal operation or to synchronize other parts of a system
• Typically used to monitor the availability of a protocol entity
• Defined in 2012 in RFC 6520 (Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS) Heartbeat Extension)
• Runs on top of the TLS Record Protocol
• Use is established during Phase 1 of the Handshake Protocol
  o Each peer indicates whether it supports heartbeats
• Serves two purposes:
  o Assures the sender that the recipient is still alive
  o Generates activity across the connection during idle periods
• Caveat: the best-known TLS implementation flaw, Heartbleed (CVE-2014-0160, OpenSSL, 2014), was a missing bounds check in this extension. The responder copied as many bytes as the request's payload_length field claimed rather than as many as the record actually held, and so leaked adjacent process memory. Heartbeats are rarely needed over TCP, and most deployments disable the extension
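A heartbeat message parser that applies RFC 6520's length rule, as an added example in Go that is not part of the slides, shown next to the unchecked copy that produced Heartbleed. Both operate on constructed byte strings; naiveResponse reads from a byte slice standing in for process memory, and the "session cookie" it exposes is a constructed string placed after the record.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	heartbeatRequest  = 1
	heartbeatResponse = 2
	minPadding        = 16 // RFC 6520: at least 16 bytes of random padding
)

// parseHeartbeat parses a HeartbeatMessage (type(1) | payload_length(2) |
// payload | padding) carried in a record body and enforces RFC 6520 section 4:
// a message whose declared payload_length does not fit inside the record,
// with room for the minimum padding, must be discarded silently.
func parseHeartbeat(body []byte) (msgType byte, payload []byte, err error) {
	if len(body) < 3+minPadding {
		return 0, nil, errors.New("heartbeat shorter than header plus minimum padding")
	}
	msgType = body[0]
	if msgType != heartbeatRequest && msgType != heartbeatResponse {
		return 0, nil, errors.New("unknown heartbeat type")
	}
	declared := int(binary.BigEndian.Uint16(body[1:3]))
	if 3+declared+minPadding > len(body) {
		return 0, nil, errors.New("payload_length exceeds record: discard silently")
	}
	return msgType, body[3 : 3+declared], nil
}

// buildResponse echoes a parsed payload back as a HeartbeatResponse. The length
// field is derived from the bytes actually copied, never from the peer's
// declared value, and the padding is the responder's own.
func buildResponse(payload, padding []byte) []byte {
	out := make([]byte, 3, 3+len(payload)+len(padding))
	out[0] = heartbeatResponse
	binary.BigEndian.PutUint16(out[1:3], uint16(len(payload)))
	return append(append(out, payload...), padding...)
}

// naiveResponse is the defect pattern behind CVE-2014-0160 (Heartbleed),
// reproduced over a constructed buffer rather than real process memory: it
// trusts the declared payload_length and copies that many bytes from the start
// of the payload, regardless of where the record ends. In C the copy runs past
// the record into whatever neighbours it in the heap; here it runs to the end
// of the buffer so the effect is visible without crashing.
func naiveResponse(mem []byte) []byte {
	declared := int(binary.BigEndian.Uint16(mem[1:3]))
	end := 3 + declared
	if end > len(mem) {
		end = len(mem) // stand-in for "whatever lies beyond the record"
	}
	return append([]byte{heartbeatResponse, mem[1], mem[2]}, mem[3:end]...)
}

// heartbeatDemo runs a well-formed request, then the same bytes with the
// length field raised to 0xFFFF, through both implementations.
func heartbeatDemo() (echoed string, rejected bool, naiveLeak string, err error) {
	padding := make([]byte, minPadding) // constructed; real padding is random
	good := append(append([]byte{heartbeatRequest, 0, 5}, "hello"...), padding...)
	_, payload, err := parseHeartbeat(good)
	if err != nil {
		return "", false, "", err
	}
	echoed = string(buildResponse(payload, padding)[3 : 3+len(payload)])

	bad := append([]byte{heartbeatRequest, 0xff, 0xff}, good[3:]...)
	_, _, badErr := parseHeartbeat(bad)
	rejected = badErr != nil
	// The malformed record followed by other data, as it might sit in memory.
	mem := append(append([]byte{}, bad...), "...session cookie: SECRET42..."...)
	naiveLeak = string(naiveResponse(mem)[3:])
	return echoed, rejected, naiveLeak, nil
}

func main() { fmt.Println(heartbeatDemo()) }
```

The checked parser never looks past the record it was given, so the second request is dropped before any copy happens; the naive path returns the five payload bytes, the padding, and then everything that followed the record in the buffer.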
SSL/TLS Attacks
Four general categories:
• Attacks on the Handshake Protocol
• Attacks on the record and application data protocols
• Attacks on the PKI
• Other attacks
HTTPS (HTTP over SSL)
• Combination of HTTP and SSL/TLS to implement secure communication between a Web browser and a Web server
• Built into all modern Web browsers
  o Search engines crawl and index HTTPS sites like any other
  o URL addresses begin with https://
• Documented in RFC 2818, HTTP Over TLS
• Agent acting as the HTTP client also acts as the TLS client
• Closure of an HTTPS connection requires that TLS close the connection with the peer TLS entity on the remote side, which will involve closing the underlying TCP connection
  o A TCP close that is not preceded by a close_notify alert is an incomplete close; RFC 2818 tells implementations to treat it as a possible truncation attack rather than as a normal end of data
IP Security (IPsec)
• Various application security mechanisms
o S/MIME, Kerberos, SSL/HTTPS
• Security concerns cross protocol layers
• Would like security implemented by the network
for all applications
• Authentication and encryption security features included in next-generation IPv6 (originally mandatory for IPv6 nodes; RFC 6434 relaxed this to a SHOULD)
• Also usable in existing IPv4
IPsec
Authentication
• Assures that a received packet was, in fact, transmitted by the party identified as the source in the packet header and that the packet has not been altered in transit
Confidentiality
• Enables communicating nodes to encrypt messages to prevent eavesdropping by third parties
Key management
• Concerned with the secure exchange of keys
• Provided by the Internet Key Exchange standard IKEv2 (RFC 7296)
Applications of IPsec
• Secure branch office connectivity over the Internet
• Secure remote access over the Internet
• Establishing extranet and intranet connectivity with partners
• Enhancing electronic commerce security
Benefits of IPsec
• When implemented in a firewall or router, it provides
strong security to all traffic crossing the perimeter
• In a firewall it is resistant to bypass
• Below transport layer, hence transparent to applications
• Can be transparent to end users
• Can provide security for individual users
• Secures routing architecture
The Scope of IPsec
• Provides two main functions:
  o A combined authentication/encryption function called Encapsulating Security Payload (ESP)
  o Key exchange function
• Also an authentication-only function, implemented using an Authentication Header (AH)
  o Because message authentication is provided by ESP, the use of AH is included in IPsecv3 for backward compatibility but should not be used in new applications
• VPNs want both authentication and encryption
• Specification is quite complex
  o Numerous RFCs: RFC 4301 (architecture, replacing RFC 2401), RFC 4302 (AH), RFC 4303 (ESP), RFC 4306 (IKEv2, since replaced by RFC 7296)
Security Associations (SA)
• A one-way relationship between sender and receiver that affords security for traffic flow
  o If a peer relationship is needed for two-way secure exchange then two security associations are required
• Is uniquely identified by the Destination Address in the IPv4 or IPv6 header and the SPI in the enclosed extension header (AH or ESP)
• Defined by 3 parameters:
  o Security Parameters Index (SPI)
  o IP Destination Address
  o Security Protocol Identifier (AH or ESP)
Figure 22.8 IPsec ESP Format
(figure: 32-bit words, with bit positions 0, 16, 24 and 31 marked across the top)
  Security Parameters Index (SPI)               32 bits
  Sequence Number                               32 bits
  Payload Data (variable)
  Padding (0 - 255 bytes)
  Pad Length (8 bits) | Next Header (8 bits)    last 16 bits of the trailer word
  Authentication Data (variable)
Confidentiality coverage: Payload Data, Padding, Pad Length and Next Header. Authentication coverage: everything from the SPI through Next Header; the Authentication Data (ICV) itself is not covered.
Transport and Tunnel Modes
Transport Mode
• Extends to the payload of an IP packet
• Typically used for end-to-end communication between two hosts
• ESP encrypts and optionally authenticates the IP payload but not the IP header
Tunnel Mode
• Provides protection to the entire IP packet
• The entire original packet travels through a tunnel from one point of an IP network to another
• Used when one or both ends of a security association are a security gateway
• A number of hosts on networks behind firewalls may engage in secure communications without implementing IPsec
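ESP encapsulation and decapsulation in the Figure 22.8 layout, in both transport and tunnel mode over one security association, as an added example in Go that is not part of the slides and not an IPsec implementation. It uses the AES-GCM ESP construction of RFC 4106 (8-byte IV after the sequence number, SPI and sequence number authenticated, 16-byte ICV), a constructed key, salt and SPI where IKEv2 would negotiate them, and a strictly increasing sequence check in place of the 64-packet anti-replay window of RFC 4303 Appendix A. The inner IPv4 header (10.1.1.5 to 10.2.2.9) is constructed with its checksum left zero; only its presence inside the encrypted payload matters here.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	protoIPIP = 4 // Next Header in tunnel mode: the payload is a whole IPv4 packet
	protoTCP  = 6 // Next Header in transport mode: the payload is a TCP segment
)

// espSA is one direction of a security association: the SPI that identifies
// it, the AES-GCM key and salt that IKEv2 would have negotiated, the sender's
// sequence counter and the receiver's record of the last sequence accepted.
type espSA struct {
	spi     uint32
	salt    [4]byte
	aead    cipher.AEAD
	seq     uint32 // sender side
	lastSeq uint32 // receiver side
}

func newESPSA(spi uint32, key []byte, salt [4]byte) (*espSA, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &espSA{spi: spi, salt: salt, aead: aead}, nil
}

// encapsulate builds the Figure 22.8 packet for AES-GCM ESP (RFC 4106):
// SPI | Sequence Number | IV | encrypted(payload | padding | pad length |
// next header) | ICV. SPI and sequence number travel in the clear but are
// covered by the ICV as additional authenticated data.
func (sa *espSA) encapsulate(nextHeader byte, payload []byte) ([]byte, error) {
	sa.seq++
	pad := (4 - (len(payload)+2)%4) % 4 // trailer must end on a 4-byte boundary
	pt := append([]byte{}, payload...)
	for i := 1; i <= pad; i++ {
		pt = append(pt, byte(i)) // default padding content 1, 2, 3, ...
	}
	pt = append(pt, byte(pad), nextHeader)
	hdr := make([]byte, 16)
	binary.BigEndian.PutUint32(hdr[0:4], sa.spi)
	binary.BigEndian.PutUint32(hdr[4:8], sa.seq)
	if _, err := rand.Read(hdr[8:16]); err != nil { // 8-byte IV, never repeated under one key
		return nil, err
	}
	nonce := append(append([]byte{}, sa.salt[:]...), hdr[8:16]...)
	return sa.aead.Seal(hdr, nonce, pt, hdr[:8]), nil
}

// decapsulate is the receiving end: match the SPI, verify the ICV, then apply
// anti-replay. RFC 4303 Appendix A keeps a 64-packet window so that reordered
// packets survive; "strictly increasing" is that window with size 1.
func (sa *espSA) decapsulate(pkt []byte) (nextHeader byte, payload []byte, err error) {
	if len(pkt) < 16+sa.aead.Overhead()+2 {
		return 0, nil, errors.New("ESP packet too short")
	}
	if binary.BigEndian.Uint32(pkt[0:4]) != sa.spi {
		return 0, nil, errors.New("unknown SPI: no matching SA")
	}
	nonce := append(append([]byte{}, sa.salt[:]...), pkt[8:16]...)
	pt, err := sa.aead.Open(nil, nonce, pkt[16:], pkt[:8])
	if err != nil {
		return 0, nil, errors.New("ICV check failed: packet altered or wrong key")
	}
	// Replay state is updated only after the ICV verified, so forged sequence
	// numbers cannot be used to make the receiver drop genuine packets.
	seq := binary.BigEndian.Uint32(pkt[4:8])
	if seq <= sa.lastSeq {
		return 0, nil, errors.New("replayed or stale sequence number")
	}
	sa.lastSeq = seq
	padLen := int(pt[len(pt)-2])
	if padLen+2 > len(pt) {
		return 0, nil, errors.New("bad pad length")
	}
	return pt[len(pt)-1], pt[:len(pt)-2-padLen], nil
}

// espDemo protects one TCP segment in transport mode and one whole IPv4 packet
// in tunnel mode over the same SA, then replays the tunnel packet. It returns
// the Next Header values the receiver finds and whether the tunnel payload
// still carries the end hosts' own IP header (which the outer header no longer does).
func espDemo() (transportNext, tunnelNext byte, hostsInsideTunnel, replayRejected bool, err error) {
	key, salt := bytes.Repeat([]byte{0x42}, 16), [4]byte{1, 2, 3, 4} // constructed; IKEv2 would derive these
	send, err := newESPSA(0x1000, key, salt)
	if err != nil {
		return
	}
	recv, _ := newESPSA(0x1000, key, salt) // receiver's copy of the same SA
	tcp := []byte("GET / HTTP/1.1")        // constructed TCP payload
	// Transport mode: only the segment is protected; the hosts' own IP header
	// (10.1.1.5 -> 10.2.2.9) would be sent in the clear around this ESP packet.
	esp, err := send.encapsulate(protoTCP, tcp)
	if err != nil {
		return
	}
	transportNext, _, err = recv.decapsulate(esp)
	if err != nil {
		return
	}
	// Tunnel mode: the entire original packet, header included, is the payload;
	// the gateways put their own addresses on the outer header.
	inner := append([]byte{0x45, 0, 0, byte(20 + len(tcp)), 0, 0, 0, 0, 64, protoTCP, 0, 0,
		10, 1, 1, 5, 10, 2, 2, 9}, tcp...) // constructed IPv4 header, checksum omitted
	esp, err = send.encapsulate(protoIPIP, inner)
	if err != nil {
		return
	}
	var got []byte
	tunnelNext, got, err = recv.decapsulate(esp)
	hostsInsideTunnel = err == nil && bytes.Equal(got, inner)
	_, _, replayErr := recv.decapsulate(esp) // same packet delivered twice
	return transportNext, tunnelNext, hostsInsideTunnel, replayErr != nil, err
}

func main() { fmt.Println(espDemo()) }
```

The Next Header byte at the end of the decrypted trailer is what tells the receiver how to interpret the payload: 6 means "hand this TCP segment to the local stack" (transport mode), 4 means "this is a complete IPv4 packet, route it onward" (tunnel mode). Because that byte is inside the encrypted, authenticated region, an observer cannot even tell which mode a given packet uses.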
Summary
• HTTPS
  o Connection initiation
  o Connection closure
• IPv4 and IPv6 security
  o IP security overview
  o The scope of IPsec
  o Security associations
  o Encapsulating security payload
  o Transport and tunnel modes
• Secure E-mail and S/MIME
  o MIME
  o S/MIME
• DomainKeys Identified Mail
  o Internet mail architecture
  o DKIM strategy
• SSL and TLS
  o TLS architecture
  o TLS protocols
  o SSL/TLS attacks
