Lucknow Housewife Escorts by Sexy Bhabhi Service 8250092165
ssl-tls-ipsec-vpn.pptx
1. CIA TRAID
• Confidentiality – Data is only accessible by client and server -
Encryption
• Integrity- Data is not modified between client and server- Hashing
• Availability- Client/server are indeed who they say they are –PKI -
Public key infrastructure, Digital certificate.
3. What are SSL and TLS?
• SSL – Secure Socket Layer
• TLS – Transport Layer Security
• Both provide a secure transport connection between applications (e.g., a web server and
a browser)
• SSLv1 was developed by Netscape.
• SSlv2 in 1994, uses RC4 for encryption and MD5 for authentication
• SSL version 3.0 has been implemented in many web browsers (e.g., Netscape Navigator
and MS Internet Explorer) and web servers and widely used on the Internet, DSS for
authentication and DH for key agreement
• SSL v3.0 was specified in an Internet Draft (1996)
• It evolved into TLS specified in RFC 2246 by IETF
• TLS can be viewed as SSL v3.1 , DSS for authentication , DH for Key Exchange, 3DES for
encryption.
• Most recent TLS version 1.3 published in 2018
4. SSL
• Intermediate security layer between the transport layer and the
application layer
• Based on connection-oriented and reliable service (e.g., TCP)
• Able to provide security services for any TCP-based application
protocol, e.g., HTTP, FTP, TELNET, POP3, etc.
• Application independent
5. Figure :- Location of TLS /SSL in the Internet model
SSL ARCHITECTURE
SSL is designed to provide security and compression services to
data generated from the application layer.
6. SSL Architecture
IP
SSL Record Protocol
User Datagram P. Transport Control P.
Handshake Chng. Ciph. Alert Appl. data
…
IMAPS FTPS HTTPS TELNETS
Application Layer
Intermediate Security
Layer
Transport Layer
Internet Layer
8. Advantages of SSL
• The connection is private
– Encryption is used after initial handshake to define a secret key
– Encryption uses symmetric cryptography (DES or RC4)
• Peer’s identity can be authenticated using asymmetric cryptography
(RSA or DSS)
• The connection is reliable
– Message transport includes message integrity check using a keyed
MAC. Secure hash functions (SHA or MD5) are used for MAC
computation.
9.
10.
11. SSL components
• Four Protocols
• Handshake Protocol
• Change Cipher Spec Protocol
• Alert Protocol
• Record Protocol
16. HANDSHAKE PROTOCOL : Phase 1
• After Phase I, the client and server know the following:
❏ The version of SSL
❏ The algorithms for key exchange, message authentication, and encryption
❏ The compression method
❏ The two random numbers for key generation
18. HANDSHAKE PROTOCOL : Phase 2
• After Phase II,
❏ The server is authenticated to the client.
❏ The client knows the public key of the server if required.
20. HANDSHAKE PROTOCOL : Phase 3
• After Phase III,
❏ The client is authenticated for the server.
❏ Both the client and the server know the pre-master secret.
22. HANDSHAKE PROTOCOL : Phase 4
• After Phase IV,
• Client and server are ready to exchange data.
23. Alert protocol
• SSL Alert Protocol
• error messages (fatal alerts and warnings)
• SSL-related alerts to the peer entity.
• Each message in this protocol contains 2 bytes.
24. Alert protocol
• Warning (level = 1):
This Alert has no impact on the connection between sender and
receiver. Some of them are:
• Bad certificate: When the received certificate is corrupt.
• No certificate: When an appropriate certificate is not available.
• Certificate expired: When a certificate has expired.
• Certificate unknown: When some other unspecified issue
arose in processing the certificate, rendering it unacceptable.
• Close notify: It notifies that the sender will no longer send any
messages in the connection.
25. Alert protocol
• Fatal Error (level = 2):
• This Alert breaks the connection between sender and receiver. The
connection will be stopped, cannot be resumed but can be restarted.
Some of them are :
• Handshake failure: When the sender is unable to negotiate an acceptable
set of security parameters given the options available.
• Decompression failure: When the decompression function receives
improper input.
• Illegal parameters: When a field is out of range or inconsistent with other
fields.
• Bad record MAC: When an incorrect MAC was received.
• Unexpected message: When an inappropriate message is received.
• The second byte in the Alert protocol describes the error.
26. Change Cipher Spec Protocol
• SSL Change Cipher Spec Protocol
• A single message that indicates the end of the SSL handshake
27. Change Cipher Spec Protocol
• Change-cipher protocol consists of a single message which is 1
byte in length and can have only one value.
• This protocol’s purpose is to cause the pending state to be
copied into the current state.
28. Record Protocol
•SSL Record Protocol
• Fragmentation
•Compression
• Message Authentication And Integrity Protection
• Encryption
33. SSL TLS
SSL stands for Secure Socket Layer. TLS stands for Transport Layer Security.
SSL (Secure Socket Layer) supports
the Fortezza algorithm.
TLS (Transport Layer Security) does not support
the Fortezza algorithm.
SSL (Secure Socket Layer) is the 3.0 version. TLS (Transport Layer Security) is the 1.0 version.
In SSL( Secure Socket Layer), the Message digest is used
to create a master secret.
In TLS(Transport Layer Security), a Pseudo-random
function is used to create a master secret.
In SSL( Secure Socket Layer), the Message Authentication
Code protocol is used.
In TLS(Transport Layer Security), Hashed Message
Authentication Code protocol is used.
SSL (Secure Socket Layer) is more complex than
TLS(Transport Layer Security).
TLS (Transport Layer Security) is simple.
SSL (Secure Socket Layer) is less secured as compared to
TLS(Transport Layer Security).
TLS (Transport Layer Security) provides high security.
SSL is less reliable and slower.
TLS is highly reliable and upgraded. It provides less
latency.
SSL has been depreciated. TLS is still widely used.
SSL uses port to set up explicit connection. TLS uses protocol to set up implicit connection.
34.
35. NETWORK LAYER Security
1. IPSEC is a suite of protocols for securing network connections. It is rather a
complex mechanism, because instead of giving straightforward definition of a
specific encryption algorithm and authentication function,
• It provides a framework that allows an implementation of anything that both
communicating ends agree upon.
• Setting up an IPSEC connection involves all kinds of crypto choices.
• Authentication: Verifying identity of a network entity like user/device by means
of (PSK, RSA)
• Integrity : Received message is same message that was sent is built on top of a
cryptographic hash such as MD5 or SHA-1.
• Confidentiality: Encryption algorithms are DES, 3DES, Blowfish, and AES being
commonly used.
• Key management: IKE (Internet Key Exchange), to agree on key used for
authentication and other purpose
• (269) IPsec - IKE Phase 1 | IKE Phase 2 - YouTube
38. Internet Engineering Task Force Standardization
• IPv6 development requirements: Strong security features
• Security features algorithm-independent
• Must enforce wide variety of security policies
• Avoid adverse impact on Internet users who do not need security
• 1992: IPSEC WG (IETF)
• Define security architecture
• Standardize IP Security Protocol and Internet Key Management Protocol
• 1998: revised version of IP Security Architecture
• IPsec protocols (two sub-protocols AH and ESP)
• Internet Key Exchange (IKE)
42. IP SEC TRANSPORT MODE
• IPSec in the transport mode does not protect the IP header, does not protect the
whole IP packet; it only protects the information coming from the transport layer.
• In this mode, the IPSec header and trailer are added to the information coming
from the transport layer. The IP header is added later.
43. IP SEC TRANSPORT MODE
• Used when we need host-to-host (end-to-end) protection of data. The sending
host uses IPSec to authenticate and/or encrypt the payload delivered from the
transport layer.
• The receiving host uses IPSec to check the authentication and/or decrypt the IP
packet and deliver it to the transport layer.
44. IPSEC TUNNEL MODE
• IPSec protects the entire IP packet. It takes an IP packet, including the
header, applies IPSec security methods to the entire packet, and then
adds a new IP header.
45. IPSEC TUNNEL MODE
• The tunnel mode is normally used between two routers, between a
host and a router, or between a router and a host.
48. Authentication Header
• (AH) Protocol is designed to authenticate the source host
and to ensure the integrity of the payload carried in the IP
packet.
• It uses a hash function and a symmetric key to create a
message digest; the digest is inserted in the authentication
header.
• The AH is then placed in the appropriate location based on
the mode (transport or tunnel).
49. Authentication Header
• The AH Protocol provides source authentication ,data integrity,
but not privacy(confidentiality).
50. Encapsulation Security payload
• Security service: confidentiality, authentication (optional)
• Encryption algorithms: 3DES, RC5, IDEA, BLOWFISH,…….., CBC mode.
• ESP can be used to provide only encryption; encryption and integrity protection;
or only integrity protection.
• The ESP procedure follows these steps:
• an ESP trailer is added to the payload.
• the payload and the trailer are encrypted.
• the ESP header is added.
• the ESP header, payload, and ESP trailer are used to create the authentication
data.
• the authentication data are added to the end of the ESP trailer.
• the IP header is added after the protocol value is changed to 50.
• Transport mode: confidentiality of packet between two hosts.
• Tunnel mode: confidentiality of packet between two gateways or a host and a
gateway.
54. Security Association
• Associates security services and keys with the traffic to be protected
• Identified by Security Parameter Index (SPI)
• retrieve correct SA parameters from Security Association Database (SAD)
• IPsec protocol identifier
• Destination address (direction)
• Simplex connection
need to establish two SAs for secure bidirectional communication
55. Security Association
• Defines security services and mechanisms between two end points (or
IPsec modules):
• Hosts
• Network security gateways (e.g., routers, application gateways)
• Hosts and security gateways
• Security service, parameters, mode of operation, and initialization
vector
• e.g., Confidentiality using ESP with DES in CBC mode with IV initialization vector
56. Encryption
• Block ciphers in Cipher Block Chain (CBC) mode
• Need
• Padding at the end of data
• Initialization vector (IV) – contained in the packet
57. Encryption and Compression
• Interdependence between encryption and compression
• When encryption is applied at Internet layer prevents effective
compression by lower protocol layers
• IPsec: does not provide data compression
58. Key Management Protocols
• IP security architecture supports manual and automated SA and key
agreement
• Key management protocol: e.g., IKE
• Proposals for automated key management protocol
59. IPSec SSL
Internet protocol security (IPsec) is a set of
protocols that provide security for Internet
Protocol.
SSL is a secure protocol developed for sending
information securely over the Internet.
It Work in Internet Layer of the OSI model.
It Work in Between the transport layer and
application layer of the OSI model.
Configuration of IPsec is Complex Configuration of SSL is Comparatively Simple
IPsec is used to secure a Virtual Private
Network.
SSL is used to secure web transactions.
Installation process is Vendor Non-Specific Installation process is Vendor Specific
Changes are required to OS for implementation.
NO Changes are required to the application
No changes are required to OS for
implementation but Changes are required to
application
IPsec resides in the for operating the system
space
SSL resides in user space
IPsec has a pre-shared key. SSL does not have a pre-shared Key.