1Security ProtocolsECE 646 - Lecture 14Algorithms(e.g., DES, AES, RSA)Security mechanisms(e.g., digital signatures)Security protocols(e.g., S-MIME, SSL, IPSec)Secure Communication Systems(e.g., DMS)CryptographiccomponentNon-cryptographiccomponent(communications,administration,OS security,database security,etc.)100%2Cost of cryptography in the layer model of the Internet Application layerhttp, ftp, e-mailTransport layertcp, udpInternet protocol layeripNetwork access layerethernet, atmPhysical layerS/MIME, PGPSSLIPsecCost of adding cryptographyS/MIME: Secure Electronic E-mail• work on the corresponding Internet standard started by IETF, 1997• multiple products using S/MIME(e.g., Netscape Communicator, Microsoft Outlook, etc.)• enables secure communication between e-mail programsfrom various companiesCompetition: PGP (in the past also PEM, MOSS)Cryptographic algorithms:Triple DES, RC2-40 / RSA, D-H, DSA / SHA-1, MD5• protocol developed by RSA Data Security, Inc. in cooperationwith consortium of several big companies in 19953SSL: Secure WWW• protocol developed by Netscape in 1994• the most widely deployed security protocolSecure browsers, e.g., Netscape, MS ExplorerSecure servers, e.g., Netscape, MicrosoftCompetition: Practically none, in the past S-HTTP, PCT• SSL v. 3.0 in use since 1996, SSL v.2.0 withdrawnSecure Sockets Layer• since 1996 work on the equivalent Internet standard IETFTLS - Transport Layer Security, TLS 1.0 = SSL 3.1Multiple libraries: SSL Ref (Netscape), OpenSSL (open source), SSL Plus (Consensus Development), SSLeay, SSLJava, etc.SSL: Secure WWWCryptographic algorithms:Confidentiality: none, RC4-40, RC2-40, DES-40RC4-128, RC2-128, DES, IDEA, Triple DESDigital signatures: RSA, DSSHash functions: SHA-1, MD5Key agreement: RSA, D-H, Fortezzaclientbrowserserver WWW1. Parameter negotiation2. Server authentication3. Client authentication (only on request)4. Key Exchange5. Confidential and authenticated message exchangeserver4IPsec: Virtual Private Networks (VPN)Local networkSecuritygatewayInternet• local networks may belong to the same or different organizations• security gateways may come from different vendorsRemote userLocal networkLocal networkSecuritygatewaySecuritygatewayVPN = Economic alternative to networks based on leased linesIPsec: Virtual Private Networks (VPN)• S/WAN (Secure Wide Area Network) interoperability test for productsdeveloped by various vendors, 1995• development by IETF (Internet Engineering Task Force) started in 1994, first IPSec version, RFC 1825-29, published in 1995• IPsec required in IPv6, optional w IPv4Algorithms:confidentiality: DES, Triple DES, AES, and othersauthentication: HMAC-MD5, HMAC-SHA-1key agreement: IKECompetition: PPTP
View Full Document