Internet Security Protocols and Standards: SSL, IPSec, S/MIME
- Secure Sockets Layer (SSL) / Transport Layer Security (TLS)
- IPv4 and IPv6 security (IPSec)
- S/MIME (Secure/Multipurpose Internet Mail Extensions)
CSCI 415 Computer and Network Security, Dr. Nazli Hardy

Secure Sockets Layer (SSL)
- One of the most widely used security services is the SSL transport-layer security service
- Originally developed by Netscape; version 3 was designed with public input
- Subsequently became the Internet standard RFC 2246, Transport Layer Security (TLS)
- Uses TCP to provide a reliable end-to-end service
- May be provided as part of the underlying protocol suite, transparent to applications, or embedded in specific packages (e.g. a browser)

SSL Protocol Stack
- SSL session: an association between a client and a server, created by the Handshake Protocol; it defines a set of cryptographic security parameters that can be shared among multiple connections
- SSL connection: a transient peer-to-peer transport; every connection is associated with one session

SSL Record Protocol Services
Defines two services for SSL connections:
- Message integrity: a shared secret key is used to form a message authentication code (MAC), similar to HMAC
- Confidentiality: a shared secret key is used for conventional encryption of SSL payloads
- The message is compressed first, then the MAC is appended, then the result is encrypted
- Ciphers supported: AES, IDEA, RC2-40, DES-40, DES, 3DES, Fortezza, RC4-40, RC4-128

SSL Record Protocol Operation
- Fragment the application data, compress (optionally), add the MAC, encrypt, and prepend the SSL record header (content type, major/minor version, length)

SSL Alert Protocol
- Conveys SSL-related alerts to the peer
- First byte indicates severity: warning (1) or fatal (2)
- A fatal alert terminates the connection; other connections on the same session may continue, but no new connections may be established on this session
- Second byte contains a code that indicates the specific alert
- Warning alerts: close_notify, no_certificate, bad_certificate, unsupported_certificate, certificate_revoked, certificate_expired, certificate_unknown
- Fatal alerts: unexpected_message, bad_record_mac, decompression_failure, handshake_failure
- Like all other content carried by SSL, alert messages are compressed and encrypted by the Record Protocol

SSL Handshake Protocol
- Allows server and client to authenticate each other
- Negotiates the encryption and MAC algorithms
- Negotiates the cryptographic keys to be used
- Comprises a series of messages in four phases:
  1. Establish security capabilities
  2. Server authentication and key exchange
  3. Client authentication and key exchange
  4. Finish

SSL Change Cipher Spec Protocol
- One of three SSL-specific protocols (with Alert and Handshake) that use the SSL Record Protocol
- Consists of a single message, which causes the pending state to become the current state, switching the connection to the newly negotiated cipher suite

IP Security
- Various application-level security mechanisms exist, e.g. S/MIME, PGP, SSL/HTTPS
- Security concerns cut across protocol layers, hence the wish to have security implemented by the network for all applications
- Authentication and encryption security features were included in next-generation IPv6 and are also usable in existing IPv4

IP Headers
IPv4 header (32-bit words):
- Version, Header Length, Type of Service, Datagram Length (bytes)
- 16-bit Identifier, Flags, 13-bit Fragmentation Offset
- Time To Live, Upper-layer Protocol, Header Checksum
- 32-bit Source IP address
- 32-bit Destination IP address
- Options (if any)
- Data
IPv6 header (32-bit words):
- Version, Traffic Class, Flow Label
- Payload Length, Next Header, Hop Limit
- 128-bit Source IP address
- 128-bit Destination IP address
- Data

IPSec
IP-level security encompasses three functional areas:
- Authentication: assures that a received packet was transmitted by the party identified as the source in the packet header and that the packet has not been altered in transit
- Confidentiality: enables communicating nodes to encrypt messages to prevent eavesdropping by third parties
- Key management: concerned with the secure exchange of keys
IPSec provides the capability to secure communications across a LAN, across private and public WANs, and across the Internet.

IPSec Uses
- The principal feature of IPSec that enables it to support varied applications is that it can encrypt and/or authenticate all traffic at the IP level
- Thus all distributed applications, including remote logon, client/server, e-mail, file transfer, Web access, and so on, can be secured

Benefits of IPSec
- In a firewall or router, provides strong security to all traffic crossing the perimeter
- In a firewall or router, is resistant to bypass (provided all traffic from outside must use IP and the firewall is the only entry point)
- Is below the transport layer, hence transparent to applications
- Can be transparent to end users
- Can provide security for individual users (e.g. off-site workers)
- Secures the routing architecture

S/MIME: Secure/Multipurpose Internet Mail Extensions
- Security enhancement to MIME e-mail
- Original Internet e-mail (RFC 822) was text only
- MIME provided support for varying content types: text, images, video, audio, application
- S/MIME adds security enhancements: the ability to sign and/or encrypt e-mail messages
- S/MIME is supported in many mail agents, e.g. MS Outlook, Mozilla Thunderbird, Mac Mail

S/MIME Functions
S/MIME content types support four new functions:
- Enveloped data: encrypted content of any type, plus the content-encryption key encrypted for one or more recipients
- Signed data: a digital signature is formed by taking the message digest of the content to be signed and encrypting it with the private key of the signer; the content plus signature are then encoded using base64. A signed-data message can only be viewed by a recipient with S/MIME capability
- Clear-signed data: as with signed data, a digital signature of the content is formed; however, only the digital signature is encoded using base64. As a result, recipients without S/MIME capability can view the message content, although they cannot verify the signature
- Signed and enveloped data: signed-only and encrypted-only entities may be nested, so that encrypted data may be signed, and signed data or clear-signed data may be encrypted

Typical S/MIME Process
(figure: typical S/MIME signing and enveloping process)
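The Record Protocol and Alert Protocol slides above describe a pipeline (fragment, compress, MAC, encrypt) and a two-byte alert format. The Python below is an added example, not part of the lecture, that implements a toy version of both so the pieces can be exercised end to end: a record is protected by one endpoint, unprotected by the other, a flipped ciphertext bit produces a fatal bad_record_mac alert, and that alert travels back through the same encrypted record layer. Assumptions made here: HMAC-SHA256 stands in for the SSLv3 MAC, an HMAC-based counter-mode keystream stands in for the ciphers listed on the slide (this is not a real cipher suite), compression is null, and the keys and the HTTP request are constructed for the demo. The content-type values (21 alert, 23 application data), the SSL 3.0 version bytes and the alert codes (close_notify = 0, bad_record_mac = 20) are the real SSLv3/TLS values.

```python
"""Toy SSL 3.0-style record layer plus Alert Protocol (added example, not from the slides).

Structure being demonstrated: the MAC is computed over seq_num || type || version ||
length || fragment, then fragment || MAC is encrypted and a 5-byte header is prepended.
HMAC-SHA256 and an HMAC counter-mode keystream are stand-ins for the real MAC and cipher.
"""
import hashlib
import hmac
import struct

CT_ALERT, CT_APPLICATION_DATA = 21, 23   # record-layer content types
VERSION = b"\x03\x00"                    # SSL 3.0 major/minor version bytes
LEVEL_WARNING, LEVEL_FATAL = 1, 2        # alert byte 1: severity
CLOSE_NOTIFY, BAD_RECORD_MAC = 0, 20     # alert byte 2: description codes
MAC_LEN = 32                             # HMAC-SHA256 tag length


def alert(level, description):
    # Two-byte Alert Protocol body, e.g. bytes([2, 20]) for a fatal bad_record_mac.
    return bytes([level, description])


def keystream(key, seq, n):
    """Stand-in stream cipher: HMAC-SHA256 in counter mode, bound to the sequence number
    so no keystream is ever reused within one direction of a connection."""
    out = b""
    for counter in range((n + MAC_LEN - 1) // MAC_LEN):
        out += hmac.new(key, struct.pack(">QI", seq, counter), hashlib.sha256).digest()
    return out[:n]


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def record_mac(mac_key, seq, ctype, fragment):
    """MAC input is seq_num || type || version || length || fragment, as in SSLv3/TLS,
    so a replayed or re-typed record fails verification even if its bytes are intact."""
    header = struct.pack(">QB", seq, ctype) + VERSION + struct.pack(">H", len(fragment))
    return hmac.new(mac_key, header + fragment, hashlib.sha256).digest()


class Endpoint:
    """One side of a connection: its own write keys/sequence and the peer's read keys/sequence."""

    def __init__(self, write_keys, read_keys):
        self.wmac, self.wenc = write_keys
        self.rmac, self.renc = read_keys
        self.wseq = 0
        self.rseq = 0
        self.closed = False

    def send(self, ctype, fragment):
        # fragment -> (null compression) -> append MAC -> encrypt -> prepend record header
        tag = record_mac(self.wmac, self.wseq, ctype, fragment)
        body = fragment + tag
        ciphertext = xor_bytes(body, keystream(self.wenc, self.wseq, len(body)))
        self.wseq += 1
        return bytes([ctype]) + VERSION + struct.pack(">H", len(ciphertext)) + ciphertext

    def recv(self, record):
        """Returns ((ctype, fragment), None) on success or (None, alert_body) on failure."""
        ctype = record[0]
        length = struct.unpack(">H", record[3:5])[0]
        ciphertext = record[5:5 + length]
        body = xor_bytes(ciphertext, keystream(self.renc, self.rseq, len(ciphertext)))
        seq, self.rseq = self.rseq, self.rseq + 1
        if len(body) < MAC_LEN:
            self.closed = True
            return None, alert(LEVEL_FATAL, BAD_RECORD_MAC)
        fragment, tag = body[:-MAC_LEN], body[-MAC_LEN:]
        expected = record_mac(self.rmac, seq, ctype, fragment)
        if not hmac.compare_digest(tag, expected):
            # Fatal alert: this connection ends; the session's parameters may outlive it.
            self.closed = True
            return None, alert(LEVEL_FATAL, BAD_RECORD_MAC)
        if ctype == CT_ALERT and len(fragment) == 2 and fragment[0] == LEVEL_FATAL:
            self.closed = True  # peer reported a fatal alert: terminate our side too
        return (ctype, fragment), None


def make_pair():
    # Constructed demo keys; real SSL derives separate client-write and server-write
    # MAC and encryption keys from the master secret during the handshake.
    c2s = (b"client write mac key", b"client write enc key")
    s2c = (b"server write mac key", b"server write enc key")
    return Endpoint(c2s, s2c), Endpoint(s2c, c2s)


def demo():
    client, server = make_pair()
    ok, _ = server.recv(client.send(CT_APPLICATION_DATA, b"GET / HTTP/1.0\r\n\r\n"))

    # Flip one ciphertext bit in the next record: the server's MAC check fails ...
    tampered = bytearray(client.send(CT_APPLICATION_DATA, b"second record"))
    tampered[5] ^= 0x01
    result, alert_body = server.recv(bytes(tampered))

    # ... and the resulting alert is itself sent back through the record layer, encrypted.
    received_alert, _ = client.recv(server.send(CT_ALERT, alert_body))
    return ok, result, alert_body, received_alert, client.closed


if __name__ == "__main__":
    print(demo())
```

Two checks worth keeping in mind: the receiver must verify the MAC before acting on the fragment, and the sequence number has to be part of the MAC input or a captured record could simply be delivered again (try `s.recv(rec)` twice with the same record and the second attempt yields the same fatal alert).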
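The IP Headers slide lists the fields of the IPv4 and IPv6 headers and the IPSec slides say that authentication must assure the packet "has not been altered in transit". The Python below is an added example, not from the lecture, that builds and parses both headers field by field (using the slide's field names) and verifies the IPv4 header checksum, so the difference between a checksum and an integrity service can be seen concretely. The addresses, payloads and field values in the demo are constructed; 50 and 51 are the IANA protocol numbers for IPSec ESP and AH.

```python
"""Build and parse IPv4/IPv6 headers (added example, not from the slides).

IPv4 field order: Version/IHL, Type of Service, Datagram Length, Identifier,
Flags/Fragment Offset, TTL, Upper-layer Protocol, Header Checksum, Source, Destination.
IPv6 field order: Version/Traffic Class/Flow Label, Payload Length, Next Header,
Hop Limit, Source, Destination. IPv6 has no header checksum at all.
"""
import socket
import struct

PROTO_ESP, PROTO_AH = 50, 51   # IANA protocol / next-header numbers for IPSec ESP and AH

IPV4_FMT = ">BBHHHBBH4s4s"     # 20-byte fixed part of the IPv4 header
IPV6_FMT = ">IHBB16s16s"       # 40-byte IPv6 header


def ones_complement_sum(data):
    """RFC 791 header checksum: 16-bit one's-complement sum, then complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(">%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold end-around carries
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, proto, payload, ttl=64, ident=0x1234, flags=0b010, frag_off=0, options=b""):
    """Constructed IPv4 datagram; options must already be padded to 32-bit words."""
    ihl = 5 + len(options) // 4
    total_len = ihl * 4 + len(payload)
    header = struct.pack(IPV4_FMT, (4 << 4) | ihl, 0, total_len, ident,
                         (flags << 13) | frag_off, ttl, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst)) + options
    cksum = ones_complement_sum(header)     # computed with the checksum field zeroed
    return header[:10] + struct.pack(">H", cksum) + header[12:] + payload


def parse_ipv4(pkt):
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    v_ihl, tos, total_len, ident, flags_frag, ttl, proto, cksum, src, dst = struct.unpack(IPV4_FMT, pkt[:20])
    version, ihl = v_ihl >> 4, v_ihl & 0x0F
    if version != 4 or ihl < 5 or len(pkt) < ihl * 4:
        raise ValueError("not a well-formed IPv4 header")
    header = pkt[:ihl * 4]
    return {
        "version": version,
        "header_length": ihl * 4,
        "type_of_service": tos,
        "datagram_length": total_len,
        "identifier": ident,
        "flags": flags_frag >> 13,
        "fragment_offset": flags_frag & 0x1FFF,
        "ttl": ttl,
        "upper_layer_protocol": proto,
        "header_checksum": cksum,
        # Summing the header with the stored checksum included gives 0 only if it is intact.
        "checksum_ok": ones_complement_sum(header) == 0,
        "source": socket.inet_ntoa(src),
        "destination": socket.inet_ntoa(dst),
        "options": header[20:],
        "payload": pkt[ihl * 4:total_len],
    }


def build_ipv6(src, dst, next_header, payload, hop_limit=64, traffic_class=0, flow_label=0):
    first_word = (6 << 28) | (traffic_class << 20) | flow_label
    return struct.pack(IPV6_FMT, first_word, len(payload), next_header, hop_limit,
                       socket.inet_pton(socket.AF_INET6, src),
                       socket.inet_pton(socket.AF_INET6, dst)) + payload


def parse_ipv6(pkt):
    if len(pkt) < 40:
        raise ValueError("truncated IPv6 header")
    first_word, payload_len, next_header, hop_limit, src, dst = struct.unpack(IPV6_FMT, pkt[:40])
    if first_word >> 28 != 6:
        raise ValueError("not an IPv6 header")
    return {
        "version": 6,
        "traffic_class": (first_word >> 20) & 0xFF,
        "flow_label": first_word & 0xFFFFF,
        "payload_length": payload_len,
        "next_header": next_header,
        "hop_limit": hop_limit,
        "source": socket.inet_ntop(socket.AF_INET6, src),
        "destination": socket.inet_ntop(socket.AF_INET6, dst),
        "payload": pkt[40:40 + payload_len],
    }


def parse_ip(pkt):
    """Dispatch on the version nibble shared by both header formats."""
    version = pkt[0] >> 4
    if version == 4:
        return parse_ipv4(pkt)
    if version == 6:
        return parse_ipv6(pkt)
    raise ValueError("unknown IP version %d" % version)


if __name__ == "__main__":
    print(parse_ip(build_ipv4("192.0.2.1", "198.51.100.7", PROTO_ESP, b"esp payload")))
    print(parse_ip(build_ipv6("2001:db8::1", "2001:db8::2", PROTO_AH, b"ah")))
```

The checksum result is the caveat a practitioner should take from this: it catches a TTL that was decremented without recomputation (a corruption), but an attacker who rewrites the source address simply recomputes the 16-bit value, and IPv6 dropped the field entirely. Assurance that the packet "was transmitted by the party identified as the source" and "has not been altered in transit" is exactly what the IPSec authentication service (AH, next header 51) adds on top of either header.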