Sccs 420 Ch 32 (internet Security)

  • November 2019
  • PDF




Internet Security

LECTURE x

1. IPSecurity (IPSec), VPN
2. SSL/TLS
3. PGP
4. Firewalls
5. HTTPS

Chapter 32 Security in the Internet: IPSec, SSL/TLS, PGP, VPN, and Firewalls (Forouzan, Data Communications and Networking, 4th Edition)


Security in the Internet

Figure 32.1 Common structure of three security protocols

• We will look at the application of security to the Network, Transport, and Application layers
  — All are based on a Message Authentication Code (MAC) and encryption

32-1 IPSecurity (IPSec)

IPSecurity (IPSec) is a collection of protocols designed by the Internet Engineering Task Force (IETF) to provide security for a packet at the network level.

Topics discussed in this section:
Two Modes
Two Security Protocols
Security Association
Internet Key Exchange (IKE)
Virtual Private Network

Figure 32.2 TCP/IP protocol suite and IPSec

Figure 32.3 Transport mode and tunnel modes of IPSec protocol

• Transport mode: protects the payload coming from the transport layer (suitable for end-to-end)
• Tunnel mode: protects the payload at the network layer (suitable for router-to-router)

Figure 32.4 Transport mode in action

IPSec in the transport mode does not protect the IP header; it only protects the information coming from the transport layer.

Figure 32.5 Tunnel mode in action

IPSec in tunnel mode protects the original IP header.


Authentication Header

Figure 32.6 Authentication Header (AH) Protocol in transport mode

The AH Protocol provides source authentication and data integrity, but not privacy.

• IP's protocol field = 51 (AH)
• Next header = original payload type (TCP, UDP, etc.)
• Payload length: length of the AH in 4-byte units
  — Excludes the first 8 bytes
• Security parameter index: virtual circuit identifier
  — Same for all packets sent during the session (security association)
• Uses a hash and a symmetric key
• Sequence number prevents playback
  — Of the total packet
  — Not repeated with retransmission
  — Does not wrap around; a new connection must be created
• Authentication data is calculated over the entire packet
  — Except fields that change from hop to hop (TTL)
  — Calculated assuming the digest field = 0's
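The AH rules above (digest over the whole packet with the hop-to-hop fields and the digest field zeroed, a sequence number that never repeats and must not wrap) as an added, runnable illustration; this is not code from the slides or the textbook. It uses a constructed key, SPI and addresses, and HMAC-SHA256 truncated to 96 bits as the keyed hash; a real IPSec stack also handles a replay window rather than a single "last sequence number".

```python
import hmac
import hashlib
import struct

AH_PROTO = 51                  # IP protocol number for AH (from the slides)
KEY = b"constructed-demo-key"  # constructed sample key, not a real one
ICV_LEN = 12                   # 96-bit truncated HMAC, the usual AH ICV size
SPI = 0x1001                   # constructed SPI; same for every packet of the SA

def ipv4_header(proto, ttl, src, dst, total_len):
    # Minimal 20-byte IPv4 header; the checksum is left 0 (it is mutable anyway)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0,
                       ttl, proto, 0, src, dst)

def ah_header(next_hdr, seq, icv=b"\x00" * ICV_LEN):
    # Payload length = AH length in 4-byte units, excluding the first 8 bytes
    payload_len = (12 + len(icv)) // 4 - 2
    return struct.pack("!BBHII", next_hdr, payload_len, 0, SPI, seq) + icv

def ah_icv(ip_hdr, ah_hdr, payload, key=KEY):
    # Digest over the entire packet, with the hop-to-hop mutable fields (TTL,
    # header checksum) and the authentication data field itself set to zeros
    ip_z = ip_hdr[:8] + b"\x00" + ip_hdr[9:10] + b"\x00\x00" + ip_hdr[12:]
    ah_z = ah_hdr[:12] + b"\x00" * (len(ah_hdr) - 12)
    return hmac.new(key, ip_z + ah_z + payload, hashlib.sha256).digest()[:ICV_LEN]

def build_ah_packet(seq, payload, ttl=64):
    # Sender side: the sequence number never repeats and must not wrap around
    if not 1 <= seq <= 0xFFFFFFFF:
        raise ValueError("sequence number exhausted: a new SA is required")
    src, dst = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])  # constructed addresses
    ip = ipv4_header(AH_PROTO, ttl, src, dst, 20 + 12 + ICV_LEN + len(payload))
    ah = ah_header(6, seq)                    # next header 6 = TCP
    return ip + ah_header(6, seq, ah_icv(ip, ah, payload)) + payload

class AhReceiver:
    """Checks the ICV and rejects replayed (non-increasing) sequence numbers."""
    def __init__(self, key=KEY):
        self.key, self.last_seq = key, 0

    def accept(self, pkt):
        ah_end = 20 + 12 + ICV_LEN
        ip, ah, payload = pkt[:20], pkt[20:ah_end], pkt[ah_end:]
        seq = struct.unpack("!I", ah[8:12])[0]
        if seq <= self.last_seq:              # playback of an old packet
            return False
        if not hmac.compare_digest(ah[12:], ah_icv(ip, ah, payload, self.key)):
            return False                      # modified in transit or wrong key
        self.last_seq = seq
        return True
```

A packet whose TTL was decremented by a router still verifies, while a replayed packet or one with a flipped payload byte is rejected.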


Figure 32.7 Encapsulating Security Payload (ESP) Protocol in transport mode

Table 32.1 IPSec services

ESP provides source authentication, data integrity, and privacy.

• IP's protocol field = 50 (ESP)
• Pad length = length of padding
  — Depends on the encryption algorithm and key size
• Entity authentication via keyed-hash digest
• AH and ESP are part of the IPv6 extension headers
  — The IPv4 version is a new protocol type (50 & 51)


Figure 32.8 Simple inbound and outbound security associations

Security Association Database (SADB)
Security Parameter Index (SPI)

• Security Association
  — Establishment of security parameters (at the first message to a receiver)
• Authentication = SHA-1 with key = x

Figure 32.9 IKE components

IKE creates security associations for IPSec.

• Oakley: key creation protocol
• SKEME: key exchange protocol
• ISAKMP: implementation that defines packets, protocols, and parameters

Virtual Private Network (VPN)

Figure 32.10 Private network

• Intranet: private network inside an organization
  — Can use a set of private IP addresses
• Consists of a private LAN + private WAN
• Extranet: an intranet that allows access from a specific group of outsiders

Figure 32.11 Hybrid network

• Allows both intra-organization and inter-organization communications
• Still uses global IP addresses

Figure 32.12 Virtual private network

• Uses the global Internet for both private and public communications
  — Private communication is encrypted using IPsec tunneling
• Most common

Figure 32.13 Addressing in a VPN

• Stations on the Internet cannot even see the source and destination addresses

32-2 SSL/TLS

Two protocols are dominant today for providing security at the transport layer: the Secure Sockets Layer (SSL) Protocol and the Transport Layer Security (TLS) Protocol. The latter is actually an IETF version of the former.

Topics discussed in this section:
SSL Services
Security Parameters
Sessions and Connections
Four Protocols
Transport Layer Security

Figure 32.14 Location of SSL and TLS in the Internet model

• Transport layer security provides end-to-end security to TCP applications
• SSL provides compression, authentication, and encryption
  — Authentication is based on a keyed hash (MAC)
  — Encryption is based on a symmetric key

Table 32.3 SSL cipher suite list
Table 32.3 SSL cipher suite list (continued)

• A cipher suite is a combination of three algorithms
• SSL relies on a cipher suite and a cryptographic secret
  — Instead of a security association

Figure 32.15 Creation of cryptographic secrets in SSL

• An IV is needed for block encryption

The client and the server have six different cryptographic secrets (4 keys and 2 initialization vectors).
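Figure 32.15 shows the SSL derivation of these six secrets. As an added example (not from the slides or the textbook), here is the TLS 1.2 form of the same idea as specified in RFC 5246: the pre-master secret becomes a 48-byte master secret, which a PRF expands into a key block that is cut into the two MAC keys, two encryption keys and two IVs. The handshake values are constructed, and the sizes assume AES-128-CBC with HMAC-SHA1.

```python
import hmac
import hashlib

def p_sha256(secret, seed, length):
    # P_SHA256 from RFC 5246 section 5: A(0) = seed, A(i) = HMAC(secret, A(i-1)),
    # output = HMAC(secret, A(1) + seed) || HMAC(secret, A(2) + seed) || ...
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]

def prf(secret, label, seed, length):
    # TLS 1.2 PRF: the ASCII label is prepended to the seed
    return p_sha256(secret, label + seed, length)

def master_secret(pre_master, client_random, server_random):
    # 48-byte master secret, seed = client random || server random
    return prf(pre_master, b"master secret", client_random + server_random, 48)

SECRET_NAMES = ["client_write_MAC_key", "server_write_MAC_key",
                "client_write_key", "server_write_key",
                "client_write_IV", "server_write_IV"]

def key_block(master, client_random, server_random, mac_len, key_len, iv_len):
    # Key expansion uses server random || client random (note the reversed order);
    # the block is then cut into the six secrets in the order of SECRET_NAMES
    sizes = [mac_len, mac_len, key_len, key_len, iv_len, iv_len]
    block = prf(master, b"key expansion", server_random + client_random, sum(sizes))
    secrets, pos = {}, 0
    for name, size in zip(SECRET_NAMES, sizes):
        secrets[name] = block[pos:pos + size]
        pos += size
    return secrets

def derive_demo_secrets():
    # Constructed handshake values: a 48-byte pre-master secret and two 32-byte
    # randoms. Sizes are for AES-128-CBC with HMAC-SHA1 (20-byte MAC key, 16-byte
    # key, 16-byte IV); a real handshake takes them from the negotiated cipher suite.
    pre_master = b"\x03\x03" + bytes(range(46))
    client_random, server_random = bytes(range(32)), bytes(range(32, 64))
    master = master_secret(pre_master, client_random, server_random)
    return key_block(master, client_random, server_random, 20, 16, 16)
```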

Figure 32.16 Four SSL protocols

• Record protocol: fragmentation and compression
• Handshake protocol: sets up the cipher suite and the cryptographic secrets
• Alert protocol: reports errors

Figure 32.17 Handshake Protocol

Figure 32.18 Processing done by the Record Protocol

32-3 PGP

One of the protocols to provide security at the application layer is Pretty Good Privacy (PGP). PGP is designed to create authenticated and confidential e-mails.

Topics discussed in this section:
Security Parameters
Services
A Scenario
PGP Algorithms
Key Rings
PGP Certificates

Figure 32.19 Position of PGP in the TCP/IP protocol suite

• E-mail requires uni-directional security
  — No negotiation, no session setup
• PGP provides services for plaintext, authentication, compression, confidentiality with a one-time session key, code conversion, and segmentation

Figure 32.20 A scenario in which an e-mail message is authenticated and encrypted

• Assuming that public keys are known

In PGP, the sender of the message needs to include the identifiers of the algorithms used in the message as well as the values of the keys.

Table 32.4 PGP Algorithms

Figure 32.21 Rings

• PGP also supports multiple keys per person and multiple recipients per message

PGP Certificates

• Public keys can come from CA certificates or PGP's own certificate system
• Distributed architecture
  — Bob introduces Alice to the web of trust
  — Everyone determines the trust level of each member

In PGP, there can be multiple paths from fully or partially trusted authorities to any subject.

32-4 FIREWALLS

All previous security measures cannot prevent Eve from sending a harmful message to a system. To control access to a system, we need firewalls. A firewall is a device installed between the internal network of an organization and the rest of the Internet. It is designed to forward some packets and filter (not forward) others.

Topics discussed in this section:
Packet-Filter Firewall
Proxy Firewall

Figure 32.22 Firewall

Figure 32.23 Packet-filter firewall

• Packets meeting these rules are blocked
• A firewall can deny access to a specific host or a specific service in the organization (e.g., TELNET)
  — Rule annotations in the figure: (internal server), (no web browsing on port 80 allowed)

A packet-filter firewall filters at the network or transport layer.
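An added example, not from the slides or the textbook, of how a rule table like the one in Figure 32.23 is evaluated: each rule names a direction, source and destination network, protocol and destination port, and a packet that meets any rule is blocked while everything else is forwarded. The networks and the internal server address are constructed documentation-range values.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:
    """One row of a packet-filter table; '*' means 'any'."""
    direction: str          # "in" (from the Internet) or "out" (to the Internet)
    src: str = "*"          # source network in CIDR notation, or "*"
    dst: str = "*"          # destination network in CIDR notation, or "*"
    proto: str = "*"        # "tcp", "udp" or "*"
    dport: object = "*"     # destination port number, or "*"
    note: str = ""

    def matches(self, pkt):
        def in_net(spec, addr):
            return spec == "*" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)
        return (self.direction == pkt["direction"]
                and in_net(self.src, pkt["src"]) and in_net(self.dst, pkt["dst"])
                and self.proto in ("*", pkt["proto"])
                and self.dport in ("*", pkt["dport"]))

# Constructed rule table in the spirit of Figure 32.23 (documentation-range addresses)
RULES = [
    Rule("in", src="192.0.2.0/24", note="block all traffic from this network"),
    Rule("in", dst="198.51.100.8/32", note="internal server, not reachable from outside"),
    Rule("in", proto="tcp", dport=23, note="no inbound TELNET"),
    Rule("out", proto="tcp", dport=80, note="no web browsing (port 80) allowed"),
]

def filter_packet(pkt, rules=RULES):
    """Packets meeting any rule are blocked; everything else is forwarded."""
    for rule in rules:
        if rule.matches(pkt):
            return ("block", rule.note)
    return ("forward", "no rule matched")

def packet(direction, src, dst, proto, dport):
    # Only the header fields a packet filter looks at (network and transport layer)
    return {"direction": direction, "src": src, "dst": dst, "proto": proto, "dport": dport}
```

The filter never sees the application data, which is why blocking one website or one user (the proxy-firewall cases below) cannot be expressed in this table.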

Figure 32.24 Proxy firewall

• Used when the filtering decision must be made at the application layer
  — E.g., based on message or request type
  — Block web browsing to a specific website
  — Allow access from a certain user

A proxy firewall filters at the application layer.
