15. Internet Security Protocols and Standards
Read Chapter 22
S/MIME (Secure/Multipurpose Internet Mail Extensions)
• MIME extends the old RFC 822 specification of Internet mail format
– RFC 822 defines a simple heading with To, From, Subject, and other fields
– Assumes ASCII text format
TLS Connection
• Connection is a transport (in the OSI layering model definition) that provides a suitable type of service
• For TLS, connections are peer-to-peer relationships
• Connections are transient
• Every connection is associated with one session
TLS/SSL Record Protocol Operation
• Record Protocol provides two services for SSL connections:
– Confidentiality: Handshake Protocol defines a shared secret key that is used for symmetric encryption of SSL payloads.
– Message integrity: Handshake Protocol also defines a shared secret key that is used to form a message authentication code (MAC)
Steps:
1. Fragment the message into blocks of 2^14 bytes or less
2. Compress (optional)
3. Compute and add MAC
4. Encrypt msg and MAC using symmetric encryption
5. Prepend SSL header which includes version and length fields
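The five record-layer steps above, carried through as an added Python example (not code from the slides or from any TLS implementation). Assumptions: the HMAC-SHA256 counter keystream stands in for the negotiated symmetric cipher, the MAC input follows the TLS 1.x layout (sequence number, type, version, length, fragment), and the optional compression step is skipped.

```python
import hmac, hashlib, struct

MAX_FRAGMENT = 2 ** 14          # record-layer fragment limit from step 1 (2^14 bytes)
CT_APPLICATION_DATA = 23        # content type for application data
VERSION = b"\x03\x03"           # version bytes carried in the record header (TLS 1.2)

def _keystream(enc_key: bytes, seq: int, n: int) -> bytes:
    # Assumption: stand-in for the negotiated cipher, NOT a real TLS cipher suite.
    # HMAC-SHA256 in counter mode, keyed per record by the sequence number.
    out, block = b"", 0
    while len(out) < n:
        out += hmac.new(enc_key, struct.pack("!QQ", seq, block), hashlib.sha256).digest()
        block += 1
    return out[:n]

def _mac(mac_key: bytes, seq: int, ctype: int, fragment: bytes) -> bytes:
    # TLS 1.x MAC input: seq_num || type || version || length || fragment
    hdr = struct.pack("!QB", seq, ctype) + VERSION + struct.pack("!H", len(fragment))
    return hmac.new(mac_key, hdr + fragment, hashlib.sha256).digest()

def protect(msg: bytes, mac_key: bytes, enc_key: bytes, seq0: int = 0,
            ctype: int = CT_APPLICATION_DATA) -> list:
    """Sender side: fragment (1), MAC (3), encrypt fragment+MAC (4), prepend header (5)."""
    records = []
    for i in range(0, len(msg), MAX_FRAGMENT):                  # step 1
        frag = msg[i:i + MAX_FRAGMENT]
        seq = seq0 + len(records)
        plain = frag + _mac(mac_key, seq, ctype, frag)          # step 3 (MAC-then-encrypt)
        ks = _keystream(enc_key, seq, len(plain))
        cipher = bytes(a ^ b for a, b in zip(plain, ks))        # step 4
        hdr = struct.pack("!B", ctype) + VERSION + struct.pack("!H", len(cipher))
        records.append(hdr + cipher)                            # step 5: 5-byte header
    return records

def unprotect(records: list, mac_key: bytes, enc_key: bytes, seq0: int = 0) -> bytes:
    """Receiver side: parse header, decrypt, verify MAC in constant time, reassemble."""
    out = b""
    for seq, rec in enumerate(records, seq0):
        ctype, ver, length = struct.unpack("!B2sH", rec[:5])
        if ver != VERSION or len(rec) != 5 + length:
            raise ValueError("bad record header")
        ks = _keystream(enc_key, seq, length)
        plain = bytes(a ^ b for a, b in zip(rec[5:], ks))
        frag, tag = plain[:-32], plain[-32:]
        if not hmac.compare_digest(tag, _mac(mac_key, seq, ctype, frag)):
            raise ValueError("MAC check failed")     # tampered, reordered or replayed record
        out += frag
    return out
```

Because the implicit sequence number is part of the MAC input, a record that is reordered or replayed fails the integrity check even though its bytes are untouched.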
TLS/SSL Record Protocol Operation: content types
• However, users have some security concerns that cut across protocol layers
– Example: enterprise wants to run a secure, private TCP/IP network by disallowing links to untrusted sites, encrypting leaving packets, and authenticating incoming packets.
• Applicable to use over LANs, across public & private WANs, & for the Internet
Benefits of IPSec
• When IPsec is implemented in a firewall/router, it provides strong security to all traffic crossing the perimeter
– Traffic within a company does not incur overhead of security-related processing
• SA is defined by 3 parameters:
– Security Parameters Index (SPI): bit string assigned to this SA; has local significance only; carried in the ESP header; tells the receiver which SA to select for processing the received packet.
– IP Destination Address: destination endpoint of an SA (may be an end-user system or a network system such as a firewall or router).
– Security Protocol Identifier: field in the outer IP header indicating whether the SA is AH or ESP
• Tunnel Mode
– Provides protection to the entire IP packet
• after the ESP fields are added to the IP packet, the entire packet plus security fields are treated as the payload of a new outer IP packet with a new outer IP header.
– The entire original inner packet travels through a tunnel from one point of an IP network to another
• no routers along the way are able to examine the inner IP header
– Used when one or both ends of a security association are a security gateway
– A number of hosts on networks behind firewalls may engage in secure communications without implementing IPsec
Summary
• Secure E-mail and S/MIME
– MIME, S/MIME
• DomainKeys identified mail
– Internet mail architecture, DKIM strategy
• SSL and TLS
– TLS architecture, TLS protocols, TLS attacks, SSL/TLS attacks
• HTTPS
– Connection initiation
– Connection closure
• IPv4 and IPv6 security
– IP security overview
– The scope of IPsec
– Security associations
– Encapsulating security payload
– Transport and tunnel modes