Scribd
Upload
12 views

503049-Chapter 11.1 Internet Security Protocols and Standards

Uploaded by

fecotran
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
12 views

503049-Chapter 11.1 Internet Security Protocols and Standards

Uploaded by

fecotran
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 39

Chapter 11.

1
Internet Security Protocols and
Standards

Book Reading: Computer Security Principles and Practice (3ed),


2015, p.693-708

Introduction to computer security


1
503049 - Network Security
S/MIME (Secure/Multipurpose
Internet Mail Extensions)

• Security enhancement to MIME email


– Original Internet RFC822 email was text only
– MIME provided support for varying content types
and multi-part messages
– With encoding of binary data to textual form
– S/MIME added security enhancements
• Have S/MIME support (e.g., signed or
encryption) in many mail agents
– MS Outlook, Mozilla, Mac Mail etc
Introduction to computer security
2
503049 - Network Security
MIME
Types

Introduction to computer security


3
503049 - Network Security
S/MIME Types

Introduction to computer security


4
503049 - Network Security
S/MIME Functions
• Enveloped data
– encrypted content and associated keys
• Signed data
– digital signature (hash code of msg encrypted with sender’s private
key)
– encrypted msg (random sym key later encrypted)
– can be view by recipient with S/MIME
• Clear-signed data
– cleartext message + encoded signed digest
• Signed & enveloped data
– nesting of signed & encrypted entities

Introduction to computer security


5
503049 - Network Security
S/MIME Functions (Summary)

Introduction to computer security


6
503049 - Network Security
S/MIME Process

Introduction to computer security


7
503049 - Network Security
S/MIME Cryptographic Algorithms

• Digital signatures: DSS & RSA


• Hash functions: SHA-1 & MD5
• Session key encryption: ElGamal & RSA
• Message encryption: AES, 3DES, etc
• MAC: HMAC with SHA-1
• Must map binary values to printable ASCII
– use radix-64 or base64 mapping

Introduction to computer security


8
503049 - Network Security
S/MIME Public Key Certificates

• S/MIME has effective encryption and


signature services
• But also need to manage public-keys
• S/MIME uses X.509 v3 certificates
• Each client has a list of trusted CA’s certs
• And own public/private key pairs & certs
• Certificates must be signed by trusted CA’s

Introduction to computer security


9
503049 - Network Security
DomainKeys Identified Mail
(DKIM)

• Specification of cryptographically signing e-


mail messages permitting a signing domain to
claim responsibility for a message in the mail
stream
• Proposed Internet Standard: DomainKeys
Identified Mail (DKIM) Signatures
• Widely adopted by a range of e-mail providers

Introduction to computer security


10
503049 - Network Security
Internet E-Mail Architecture

Introduction to computer security


11
503049 - Network Security
DKIM Purpose

• Email authentication between hosts


• Transparent to the user
• Each email is signed by the private key of the
administrative domain
• To authenticate that the message comes from
the claimed administrative domain
• Mail delivery agent (MDA) does the
verification
Introduction to computer security
12
503049 - Network Security
Domain Keys Identified Mail (DKIM)
Deployment

Introduction to computer security


13
503049 - Network Security
DKIM vs S/MIME
• S/MIME depends on both sender and receiver
users using S/MIME (many users however
don’t user it)
• S/MIME only signs the contents; email header
may be compromised
• DKIM is not implemented in client programs
(MUAs) – transparent to the users
• DKIM applies to all emails
• DKIM allows good senders to prove they sent
a particular message
Introduction to computer security
14
503049 - Network Security
Internet Security Protocols and
Standards

• Secure Sockets Layer (SSL) and the follow-up


Transport Layer Security (TLS)
– SSL: a general-purpose set of protocols; relies on
TCP
– Full generality as part of the a protocol suite
(transparent to apps)
– Embedded in a specific app (e.g., IE)
• IPv4 and IPv6 (IP level security)
• HTTPS
Introduction to computer security
15
503049 - Network Security
Secure Sockets Layer (SSL)

• Transport layer security service


– originally developed by Netscape
– version 3 designed with public input
• Subsequently became Internet standard Transport Layer
Security (TLS)
• Use TCP to provide a reliable end-to-end service
• May be provided in underlying protocol suite transparent to
apps)
• Or embedded in specific packages (WWW browsers)

Introduction to computer security


16
503049 - Network Security
SSL Protocol Stack

SSL Rec Protocol provides


Basic sec services to the above
Protocols (eg, HTTP):

• HTTP provides xfer svc for Web


client/server interactions

• Other three protocols are used


in management of SSL

Introduction to computer security


17
503049 - Network Security
Two Important SSL
Concepts
• SSL session: an association
between a client and a server
created by the Handshake
protocol

• SSL connection: a transport


layer, peer-to-peer, short-live
connection
– Every connection is associated
with one session

Introduction to computer security


18
503049 - Network Security
SSL Record Protocol Services

• Confidentiality
– The Handshake Protocol defines a shared secret
key for symmetric encryption of SSL payloads
– AES, IDEA, RC2-40, DES-40, DES, 3DES, Fortezza,
RC4-40, RC4-128
– Message is compressed before encryption
• Message integrity
– the Handshake Protocol also defines a shared
secret key to form a msg authentication code
(MAC)
Introduction to computer security
19
503049 - Network Security
SSL Record Protocol Operation

Steps:
1. Fragment the message
2. Compress (optional)
3. Compute and add MAC
4. Encrypt msg and MAC
5. Append SSL header

Introduction to computer security


20
503049 - Network Security
SSL Record Protocol Operation

Introduction to computer security


21
503049 - Network Security
SSL Record Protocol Operation

Introduction to computer security


22
503049 - Network Security
SSL Change Cipher Spec Protocol

• One of 3 SSL specific protocols which use the


SSL Record protocol
• A single message (a single byte with value 1)
• Causes pending state to become current (last
stage of a handshake)
• Hence updating the cipher suite in use
(collection of cryptographic algorithms
supported by both parties)
Introduction to computer security
23
503049 - Network Security
SSL Alert Protocol

• Conveys SSL-related alerts to peer entity


• Severity: warning or fatal
• Specific alert
• fatal: unexpected message, bad record mac,
decompression failure, handshake failure, illegal
parameter
• warning: close notify, no certificate, bad certificate,
unsupported certificate, certificate revoked, certificate
expired, certificate unknown
• Compressed & encrypted like all SSL data
Introduction to computer security
24
503049 - Network Security
SSL Handshake Protocol

• Allows server & client to:


– authenticate each other
– to negotiate encryption & MAC algorithms
– to negotiate cryptographic keys to be used
• Comprises a series of messages in phases
1. Establish Security Capabilities
2. Server Authentication and Key Exchange
3. Client Authentication and Key Exchange
4. Finish
Introduction to computer security
25
503049 - Network Security
SSL Handshake Protocol

Introduction to computer security


26
503049 - Network Security
SSL Handshake Protocol

Introduction to computer security


27
503049 - Network Security
SSL Handshake Protocol

Introduction to computer security


28
503049 - Network Security
IP Security (IPSec)

• various application security mechanisms


– eg. S/MIME, PGP, Kerberos, SSL/HTTPS
• security concerns cross protocol layers
• hence would like security implemented by the
network for all applications
• authentication & encryption security features
included in next-generation IPv6
• also usable in existing IPv4
Introduction to computer security
29
503049 - Network Security
IPSec

• general IP Security mechanisms


• provides
– authentication
– confidentiality
– key management
• applicable to use over LANs, across public &
private WANs, & for the Internet

Introduction to computer security


30
503049 - Network Security
IPSec Uses

Introduction to computer security


31
503049 - Network Security
Benefits of IPSec

• when implemented in a firewall/router, it


provides strong security to all traffic crossing
the perimeter
– no overhead of security-related processing
• is below transport layer, hence transparent to
applications
• can be transparent to end users; no need to
train users on sec mechanisms such as keys
• secures routing architecture
Introduction to computer security
32
503049 - Network Security
IP Security Architecture

• mandatory in IPv6, optional in IPv4


• have three main functions:
– Authentication Header (AH): auth only
– Encapsulating Security Payload (ESP): auth & encryption
– Key Exchange function: manual/auto exchange of
keys
• Example: VPNs want both auth and encryption
– hence usually use ESP
• specification is quite complex
– numerous RFC’s 2401/2402/2406/2408
Introduction to computer security
33
503049 - Network Security
Security Associations (SA)

• a one-way relationship between sender &


receiver that affords security for traffic flow
• defined by 3 parameters:
– Security Parameters Index (SPI): and index in AH
and ESP; tells receiver which SA to select
– IP Destination Address: destination endpoint of a
SA
– Security Protocol Identifier
• has a number of other parameters
– seq no, AH & EH info, lifetime etc
Introduction to computer security
34
503049 - Network Security
Authentication Header (AH)

• provides support for data integrity &


authentication of IP packets
– end system/router can authenticate user/app
– prevents address spoofing attacks by tracking
sequence numbers
• based on use of a MAC
– HMAC-MD5-96 or HMAC-SHA-1-96
• parties must share a secret key

Introduction to computer security


35
503049 - Network Security
Authentication Header

Type of the header following this header; size of the AH; for future use;
SA; increasing seq counter; authentication data, e.g., MAC or
integrity check value

Introduction to computer security


36
503049 - Network Security
Encapsulating Security Payload
(ESP)

Introduction to computer security


37
503049 - Network Security
Key Management

• handles key generation & distribution


• typically need 2 pairs of keys
– 2 per direction for AH & ESP
• manual key management
– sysadmin manually configures every system
• automated key management
– automated system for on demand creation of keys
for SA’s in large systems
– has Oakley & ISAKMP elements
Introduction to computer security
38
503049 - Network Security
Summary

• Secure Sockets Layer (SSL) / Transport Layer


Security (TLS)
• IPv4 and IPv6 Security
• S/MIME (Secure/Multipurpose Internet Mail
Extension)

Introduction to computer security


39
503049 - Network Security

You might also like