ELEX 4550 : Wide Area Networks2015 Winter SessionCommunications Security Protocolsis lecture describes some protocols that are used to secure communications.SSL and TLSis protocol, first known as SSL (Secure SocketsLayer), was defined in 1994 by Netscape for securingcommunication between web browsers and servers.e current version is called Transport Layer Security(TLS) and is probably the most common securityprotocol.TLS operates at the “session” layer because itencrypts a TCP connection (this corresponds to a“session” in OSI terminology). TLS provides secrecy,authentication and integrity. It is most oen usedfor securing access to web sites using the HTTP(Hypertext Transport Protocol), but can also be usedfor secure versions of other TCP-based protocols suchas FTP (file transfer) and SMTP (mail transport).A TLS session begins with a negotiation of com-patible ciphers (both public-key and symmetric) andhash algorithms. e server then sends it’s public keyin a certificate and the client checks it and verifies thatthe server knows the private key by asking the serverto decrypt a random value that is encrypted with theserver’s public key. is randomly-chosen value isthen used to derive session keys.Various public-key and symmetric encryptionalgorithms and hash functions can be used, includingRSA, AES and SHA-1 described previously.Since access to a web site may involve many con-nections over a short period of time, a session ID canbe used to recall previously-negotiated encryptionparameters.S/MIMES/MIME (secure multipurpose internet mail exten-sions) is an IETF protocol for securing e-mail. Itcan provide authentication, secrecy and also digitalsignatures.S/MIME is based on public-key encryption anduses a certificate format called PKCS7. For authenti-cation, a user can obtain a certificate signed by a CAthat has verified their identity.Once a user receives a public key from an initialsigned but un-encrypted message the public key canbe used to encrypt a reply. is typically includes thereplying party’s own certificate and from then on theexchange can happen securely.IPSecIPSec is another IETF security protocol similar toTLS whose purpose is to encrypt connections onIP networks. However, while the TLS protocol isimplemented in an application (e.g. a web browser),IPSec is typically used to set up secure connectionsthat are used by unmodified applications. IPSec canuse private (“pre-shared”) keys as well as public keys.e main application of IPSec today is VPNs.VPNsA VPN (Virtual Private Network) is a way to emulate aprivate connection between two endpoints, typicallytwo routers. A typical application is to connect aremote office to a corporate LAN. All IP traffic passedbetween the two routers is passed through a secure“tunnel” that ensures the endpoints are authenticatedand that traffic is encrypted. Since all IP traffic(including DHCP and DNS) can be passed over thetunnel, devices connected to the remote router appearto be connected to the central LAN.SSHSSH (Secure SHell) is a remote terminal applicationthat is primarily used to connect to a shell program(command interpreter) on a remote computer.However, SSH can also be used to transfer files (bypiping data between processes on the two ends) andalso allows a user to set up tunnels that connect TCPports on the two ends.lec20.tex 1SSH supports various authentication mechanismincluding public-key authentication and passwords.Various encryption algorithms can be negotiated.802.1x802.1x is an IEE standard for authenticating usersbefore they are allowed to use a LAN (or WLAN)link-layer interface (which is oen also an interfaceon a router). It requires the use of authenticationserver that stores credentials (oen passwords) forauthorized users.A client (e.g. a PC, called a “supplicant”) that wantto communicate through the interface exchangesmessages with the router (“authenticator”) which inturn verifies the supplicant’s with an authenticationserver. e most common protocol for this authen-tication is EAP (Extensible Authentication Protocol)which allows for many different authentication al-gorithms. Examples include EAP-PSK (a pre-sharedkey), PEAP (EAP protected by TLS) and EAP-TLSwhich uses the TLS authentication mechanismsincluding a client certificate.802.1x allows use of a centralized authenticationdatabase and so is used when there are many dif-ferent users connecting to many different devices.It avoids the need to have a single access passwordshared between all users and avoid having to embedauthentication information in each router.e authentication server provides what are called“AAA” services (Authentication, Authorization andAccounting) and usually use the RADIUS (RemoteAuthentication Dial In User Service) protocol.Authentication is performed using a sequence ofchallenges to verify the authenticity of the supplicant.Typically this involves having the supplicant respondwith a hash of the password, possibly combined witha