Scribd
Upload
10 views

Chapter 6 -4

Uploaded by

randalshalan
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
10 views

Chapter 6 -4

Uploaded by

randalshalan
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 23

Internet Security Protocols

and Standards

Copyright © 2024, 2018, 2015 Pearson Education, Inc. All Rights Reserved
Secure Sockets Layer (SSL) and
Transport Layer Security (TLS)
• One of the most widely used security services
• General-purpose service implemented as a set of
protocols that rely on TCP
• Subsequently became Internet standard RFC 8446:
Transport Layer Security (TLS)

Copyright © 2024, 2018, 2015 Pearson Education, Inc. All Rights Reserved
SSL/TLS Protocol Stack

Copyright © 2024, 2018, 2015 Pearson Education, Inc. All Rights Reserved
TLS Concepts
TLS Session T L S Connection
• An association between a • A transport (in the O S I
client and a server layering model definition)
• Created by the Handshake that provides a suitable
Protocol type of service
• Define a set of • Peer-to-peer relationships
cryptographic security • Transient
parameters • Every connection is
• Used to avoid the associated with one
expensive negotiation of session
new security parameters for
each connection

Copyright © 2024, 2018, 2015 Pearson Education, Inc. All Rights Reserved
Handshake Protocol
• Most complex part of TLS
• Is used before any application data are
transmitted
• Allows server and client to:
– Authenticate each other
– Negotiate encryption and M A C algorithms
– Negotiate cryptographic keys to be used
• Comprises a series of messages exchanged by client and
server
• Exchange has four phases

Copyright © 2024, 2018, 2015 Pearson Education, Inc. All Rights Reserved
Handshake Protocol Action

Copyright © 2024, 2018, 2015 Pearson Education, Inc. All Rights Reserved
Change Cipher Spec Protocol
• One of four TLS specific protocols that use the TLS
Record Protocol
• Is the simplest
• Consists of a single message which consists of a single
byte with the value 1
• Sole purpose of this message is to cause pending state to
be copied into the current state
• Hence updating the cipher suite in use

Copyright © 2024, 2018, 2015 Pearson Education, Inc. All Rights Reserved
Alert Protocol
• Conveys T L S-related alerts to peer entity
– Alert messages are compressed and encrypted
• Each message consists of two bytes:
– First byte takes the value warning (1) or fatal (2) to
convey the severity of the message
▪ If the level is fatal, T S L immediately terminates the
connection
▪ Other connections on the same session may
continue, but no new connections on this session
may be established
– Second byte contains a code that indicates the specific
alert

Copyright © 2024, 2018, 2015 Pearson Education, Inc. All Rights Reserved
Heartbeat Protocol
• A periodic signal generated by hardware or software to indicate
normal operation or to synchronize other parts of a system
• Typically used to monitor the availability of a protocol entity
• Defined in 2012 in RFC 6520
• Runs on top of the TLS Record Protocol
• Use is established during Phase 1 of the Handshake Protocol
• Each peer indicates whether it supports heartbeats
• Serves two purposes:
– Assures the sender that the recipient is still alive
– Generates activity across the connection during idle periods

Copyright © 2024, 2018, 2015 Pearson Education, Inc. All Rights Reserved
TLS Record Protocol Operation

Copyright © 2024, 2018, 2015 Pearson Education, Inc. All Rights Reserved
SSL/TLS Attacks
• Four general categories:
– Attacks on the Handshake Protocol
– Attacks on the record and application data protocols
– Attacks on the PKI
– Other attacks

Copyright © 2024, 2018, 2015 Pearson Education, Inc. All Rights Reserved
The Heartbleed Exploit

Source: BAE Systems


Copyright © 2024, 2018, 2015 Pearson Education, Inc. All Rights Reserved
HTTPS (HTTP over SSL)
• Combination of HTTP and SSL to implement secure
communication between a Web browser and a Web
server
• Built into all modern Web browsers
– URL addresses begin with https://
• Documented in RFC 2818, HTTP Over TLS
• Agent acting as the HTTP client also acts as the TLS
client
• Closure of an HTTPS connection requires that TLS close
the connection with the peer TLS entity on the remote
side, which will involve closing the underlying TCP
connection

Copyright © 2024, 2018, 2015 Pearson Education, Inc. All Rights Reserved
Copyright © 2024, 2018, 2015 Pearson Education, Inc. All Rights Reserved
TCP/IP protocol suite and IPSec
IP Security (IPsec)
• Various application security mechanisms
– S/MIME, Kerberos, SSL/HTTPS
• Security concerns cross protocol layers
• Would like security implemented by the network for all
applications
• Authentication and encryption security features included in
next-generation IPv6
• Also usable in existing IPv4

Copyright © 2024, 2018, 2015 Pearson Education, Inc. All Rights Reserved
Benefits of IPsec
• When implemented in a firewall or router, it provides
strong security to all traffic crossing the perimeter
• In a firewall it is resistant to bypass
• Below transport layer, hence transparent to applications
• Can be transparent to end users
• Can provide security for individual users
• Secures routing architecture

Copyright © 2024, 2018, 2015 Pearson Education, Inc. All Rights Reserved
The Scope of IPsec
• Provides two main functions:
– A combined authentication/encryption function
called Encapsulating Security Payload (ESP)
– Key exchange function
• Also an authentication-only function, implemented
using an Authentication Header (AH)
– Because message authentication is provided by ESP,
the use of AH is included in IP secv3 for backward
compatibility but should not be used in new
applications
• VPNs want both authentication and encryption
• Specification is quite complex
– Numerous RFC’s 4301/4302/ 4303/4306
Copyright © 2024, 2018, 2015 Pearson Education, Inc. All Rights Reserved
Security Associations
• A one-way relationship between sender and receiver that
affords security for traffic flow
– If a peer relationship is needed for two-way secure
exchange, then two security associations are required

• Is uniquely identified by the Destination Address in the I P v


4 or I P v 6 header and the SPI in the enclosed extension
header (AH or ESP)
• Defined by 3 parameters:
– Security Parameter Index (SPI)
– IP Destination Address
– Protocol Identifier

Copyright © 2024, 2018, 2015 Pearson Education, Inc. All Rights Reserved
IPsec ESP Format

Copyright © 2024, 2018, 2015 Pearson Education, Inc. All Rights Reserved
Transport and Tunnel Modes
Transport Mode
• Extends to the payload of an IP packet
• Typically used for end-to-end communication between two hosts
• ESP encrypts and optionally authenticates the IP payload but not the IP
header

Tunnel Mode
• Provides protection to the entire IP packet
• The entire original packet travels through a tunnel from one point of an IP
network to another
• Used when one or both ends of a security association are a security
gateway
• A number of hosts on networks behind firewalls may engage in secure
communications without implementing IPsec

Copyright © 2024, 2018, 2015 Pearson Education, Inc. All Rights Reserved
Summary
• SSL and TLS • HTTPS
– TLS architecture – Connection institution
– TLS protocols – Connection closure
– TLS attacks • IPv4 and IPv6 security
– SSL/TLS attacks – IP security overview
– The scope of IP sec
– Security associations
– Encapsulating security
payload
– Transport and tunnel modes

Copyright © 2024, 2018, 2015 Pearson Education, Inc. All Rights Reserved
Reference

,
Computer Security: Principles and Practice Fifth Edition, Chapter 22

Copyright © 2024, 2018, 2015 Pearson Education, Inc. All Rights Reserved

You might also like