SSL was first used by Netscape.
– To ensure security of data sent through HTTP,
LDAP or POP3.
• Uses TCP to provide reliable end-to-end
secure service.
• In general, SSL can be used for secure data
transfer for any network service running over
TCP/IP.
The main objectives of SSL are:
– Authenticate the client and server to each other.
– Ensure data integrity.
– Ensure data privacy.
• Required for both the protocol data and also
the application data.
SSL Architecture
SSL consists of two layers of protocols:
– SSL Record Protocol
• Ensures data security and integrity.
– Protocols required to establish SSL connection.
• Three protocols used in this layer:
SSL Handshake Protocol
SSL ChangeCipherSpec Protocol
SSL Alert Protocol
SSL Record Protocol
Mainly responsible for data encryption and
integrity.
• Basic function:
– Take an application message to be sent.
– Fragment the application message data.
• 16 Kbytes or smaller.
– Encapsulate it with appropriate headers and
create an object called a record.
– Encrypt the record and forward it to TCP.
The Higher Layer Protocols
SSL Alert Protocol
– Used to send session messages associated with
data exchange and functioning of the protocol.
– Each message consists of two bytes:
• First byte is either 1 (warning) or 2 (fatal). If “fatal”, the
SSL session is terminated.
• Second byte contains one of the defined error codes.
SSL ChangeCipherSpec Protocol
Consists of a single message that carries the
value of 1.
– Purpose of this message is to cause the pending
session state to be established as a fixed state.
• Define the set of protocols to be used.
• Must be sent from client to server, and vice versa.
SSL Handshake Protocol
Used to initiate a session between the server and
the client.
– Within the application data, algorithms and keys
used for data encryption can be negotiated.
– Provides mutual authentication.
– Process of negotiation divided into four phases.
Client sends to the server
• SSL version
• Random (used to protect key exchange)
• Session ID
• CipherSuite
– Server sends back
• SSL version
• Random (a different number is generated)
• Session ID
• CipherSuite
Transport Layer Security (TLS)
Extension of SSL.
• Aim is to provide security and data integrity
features at the transport layer between two
web applications.
• Supported my most web servers and
browsers today.
Secure Shell (SSH)
Originally developed in 1995.
– As a secure replacement for telnet, rlogin, rcp,
etc.
– Allows port forwarding (tunneling over SSH)
– Built-in support for proxies/firewalls.
• Widely used nowadays.
In SSHv1 protocol, the server uses two keys:
– Long-term server identification key.
• Binds the connection to the server.
• 1024 bit RSA.
– Short-term encryption key, changed every hour.
• Makes later recovery impossible.
• Short-term keys are regenerated as a background task.
• 768 bit RSA.
Multiple authentication mechanisms
– Straight passwords (protected by SSH
encryption).
– RSA based authentication.
• Client decrypts a challenge from the server; returns the
hash to the server.
– Plug-in mechanisms (biometrics, smartcard, etc.).
IP Security (IPSec)
Security built into the IP layer.
– Provides host-to-host (or firewall-to-firewall)
encryption and authentication.
– Required for IPv6, but optional for IPv4.
• Consists of two parts:
– IPSec proper (for encryption and authentication).
– IPSec key management.
IPSec
Provides two modes of protection
– Tunnel Mode
– Transport Mode
• Authentication and Integrity
• Confidentiality
• Replay Protection
No comments:
Post a Comment