We can use cryptosystems to ensure the CIA triad for an upper-layer service in two different models:
# First model: the cryptosystem is integrated with the service to form a new system; HTTP is the service, SSL is the cryptosystem, and HTTPS is the new system.
# Second model: service-independent cryptosystems; the service knows nothing about the cryptosystem that ensures the CIA triad for the service traffic. VPN is the model of service-independent cryptosystems.
So, a VPN is used to secure connections between a client and a service, and the service does not know anything about the new security features offered to the traffic it generates.
We can use IPsec to ensure integrity, or both integrity and confidentiality.
If we are using IPsec for integrity, we should operate in AH (Authentication Header) mode; to ensure both integrity and confidentiality, we should operate in ESP (Encapsulating Security Payload) mode.
So, we can operate IPsec in these four different modes:
1- AH transport mode.
2- AH tunnel mode.
3- ESP transport mode.
4- ESP tunnel mode.
Each of these four modes has its own header structure.
We need to trust an entity before we start communicating with it; this trust can be ensured by using either a pre-shared key or a certificate.
Since we can do encryption (ESP mode), the communicating parties must share a secret key; this key can be configured manually or generated automatically through a Diffie-Hellman negotiation.
IPsec uses a standalone protocol for implementing Diffie-Hellman, known as IKE (Internet Key Exchange). IKE provides more to IPsec than secret key exchange: it can also secure the negotiation of the algorithms used for encryption and hashing.
So, IKE is used for:
1- Secure negotiation of the encryption and hashing algorithms to be used.
2- Implementing the Diffie-Hellman algorithm for generating secret keys.
Phase 1: symmetric encryption and hashing algorithms are negotiated between the communicating parties for encrypting and digitally signing the phase 2 parameters. A secret key for symmetric encryption is generated using Diffie-Hellman.
Phase 2: the algorithms that will actually be applied to the clear data are negotiated securely (as a result of phase 1) during this phase. The secret key used with the symmetric encryption algorithms can be generated by another Diffie-Hellman process, or it can be the one generated previously (during phase 1). The parameters negotiated in phase 2 are saved in a temporary database known as the SA (Security Association).
SSL offers the full CIA triad for the data. It operates at the application layer, it is well known for binding to specific protocols, such as HTTP over SSL, which is HTTPS, and it is also used for establishing VPN connections.
SSL is a layered protocol composed of two layers:
1- SSL Handshake Protocol: a layer that handles connection establishment (authentication and configuration negotiation).
2- SSL Record Protocol: a layer that encrypts the data and generates the SSL header after the payload.
The SSL header is very simple:
1- HMAC portion: a hash of a key, the data, padding, and a sequence number.
2- Padding portion: used to ensure that the data is a multiple of the block size when a block cipher is used.
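As an added example (not from the original article), the sketch below builds and checks the MAC and padding portions described above, assuming the SSL 3.0 record layout of RFC 6101 with SHA-1. The function names, the 16-byte block size and the sample key and data are constructed for illustration, and the encryption step is left out so that it runs with the Python standard library alone.

```python
import hashlib
import hmac
import struct

BLOCK = 16      # block size of the cipher (assumed for this example)
MAC_LEN = 20    # SHA-1 digest size
PAD_REPS = 40   # RFC 6101: pad_1 / pad_2 are repeated 40 times for SHA-1


def ssl3_mac(secret: bytes, seq: int, ctype: int, data: bytes) -> bytes:
    """hash(secret + pad_2 + hash(secret + pad_1 + seq_num + type + length + data))"""
    header = struct.pack(">QBH", seq, ctype, len(data))
    inner = hashlib.sha1(secret + b"\x36" * PAD_REPS + header + data).digest()
    return hashlib.sha1(secret + b"\x5c" * PAD_REPS + inner).digest()


def seal(secret: bytes, seq: int, ctype: int, data: bytes) -> bytes:
    """Return data || MAC || padding || padding_length (input to the block cipher)."""
    body = data + ssl3_mac(secret, seq, ctype, data)
    pad = -(len(body) + 1) % BLOCK          # +1 for the padding_length byte
    return body + bytes(pad) + bytes([pad])


def unseal(secret: bytes, seq: int, ctype: int, body: bytes) -> bytes:
    """Strip the padding, then check the MAC with the receiver's own counter."""
    if len(body) % BLOCK or len(body) < MAC_LEN + 1:
        raise ValueError("bad record length")
    pad = body[-1]
    end = len(body) - 1 - pad               # offset where the MAC ends
    if pad >= BLOCK or end < MAC_LEN:
        raise ValueError("bad padding length")
    data, mac = body[:end - MAC_LEN], body[end - MAC_LEN:end]
    if not hmac.compare_digest(mac, ssl3_mac(secret, seq, ctype, data)):
        raise ValueError("bad record MAC")
    return data


if __name__ == "__main__":
    key = bytes(range(20))                  # constructed MAC secret
    msg = b"GET / HTTP/1.0\r\n\r\n"           # constructed application data
    rec = seal(key, 0, 23, msg)             # 23 = application_data content type
    print(len(rec), unseal(key, 0, 23, rec))
    try:
        unseal(key, 1, 23, rec)             # same bytes, wrong position in the stream
    except ValueError as exc:
        print("rejected:", exc)
```

Because the receiver feeds its own sequence counter into the check, a record that is replayed or delivered out of order fails verification even though its bytes are unmodified.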
The next figure shows the connection setup.