secure connections. secure connections examples application layeremail – pretty good privacy...
TRANSCRIPT
Secure connections
Secure connections examplesApplication Layer Email – Pretty Good Privacy
Transport Layer Secure Socket Layer
Network Layer Ipsec (VPN)
DataLink Layer Wifi – WEP (not part of curriculum)
Physical Layer N/A
Secure Application layer email - PGP (Pretty Good Privacy)
• Alice wants to send confidential e-mail, m, to Bob
KS( ).
KB( ).+
+ -
KS(m )
KB(KS )+
m
KS
KS
KB+
Internet
KS( ).
KB( ).-
KB-
KS
mKS(m )
KB(KS )+
Secure Application layer email - PGP (Pretty Good Privacy)
• Alice wants to provide sender authentication message integrity
H( ). KA( ).-
+ -
H(m )KA(H(m))-
m
KA-
Internet
m
KA( ).+
KA+
KA(H(m))-
mH( ). H(m )
compare
PGP – Both confidential & Integrity
H( ). KA( ).-
+
KA(H(m))-
m
KA
-
m
KS( ).
KB( ).+
+
KB(KS )+
KS
KB+
Internet
KS
Secure Transport layerSecure Socket Layer (SSL)
• SSL support Confidential (HTTPS is based on SSL)• SSL can support Integrity
• Four keys (part of EMS – Encrypted Master Secret):
– Kc = encryption key for data sent from client to server
– Mc = MAC key for data sent from client to server
– Ks = encryption key for data sent from server to client
– Ms = MAC key for data sent from server to client
Secure Transport layer - Secure Socket Layer (SSL)
hello
certificate, nonce
KB+(MS) = EMS
type 0, seq 1, datatype 0, seq 2, data
type 0, seq 1, data
type 0, seq 3, data
type 1, seq 4, close
type 1, seq 2, close
enc
rypt
ed
bob.com
Normal TCP 3way Connection
Secure Network layer IPsec (Virtual Private Network - VPN)
• edge routers IPsec-aware (tunnel)
IPsec IPsecIPsec IPsec
hosts IPsec-aware
Secure Network layer IPsec (Virtual Private Network - VPN)
• Authentication Header (AH) protocol• provides source authentication & data
integrity but not confidentiality• Encapsulation Security Protocol (ESP)
• provides source authentication, data integrity, and confidentiality
• more widely used than AH
VPNSA – or VPN as tunnel - the most often used security at Network layer
193.68.2.23200.168.1.100
172.16.1/24172.16.2/24
security association
Internetheadquartersbranch office
R1R2
new IPheader
ESPhdr
originalIP hdr
Original IPdatagram payload
ESPtrl
ESPauth
encrypted
“enchilada” authenticated
paddingpad
lengthnext
headerSPI
Seq#
Secure DataLink layerWEP - Wired Equivalent Privacy
authentication request
nonce (128 bytes)
nonce encrypted shared key
success if decrypted value equals nonce
Not very secure ! – use WPA -- Wifi Protected Access
Secure DataLink layerEAP- Extensible Authentication Protocol
Network Security
EAP TLS
EAP
EAP over LAN (EAPoL)
IEEE 802.11
RADIUS
UDP/IP
wirednetwork