IP Security

IPsec
• The IPsec authentication header in transport
mode for IPv4.
 IPsec (2)
Encapsulating Security Payload (ESP)

• (a) ESP in transport mode. (b) ESP in tunnel

mode.

Encapsulating Security Payload (ESP) provides confidentiality, in addition to

authentication, integrity, and anti-replay. ESP can be used alone, or in combination with
AH.
WEB Security

SSL
DNSSEC
 What is SSL?

• A protocol developed by Netscape.

• It is a whole new layer of protocol which
operates above the Internet TCP protocol and
below high-level application protocols.
 What Can SSL Do?
• SSL uses TCP/IP on behalf of the higher-level
protocols.
• Allows an SSL-enabled server to authenticate
itself to an SSL-enabled client;
• Allows the client to authenticate itself to the
server;
• Allows both machines to establish an
encrypted connection.
 What Does SSL Concern?

• SSL server authentication.

• SSL client authentication. (optional)
• An encrypted SSL connection or
Confidentiality. This protects against electronic
eavesdropper.
• Integrity. This protects against hackers.
• The exchange of messages facilitates the
following actions:
Authenticate the server to the client; Allows
the client and server to select a cipher that
they both support; Optionally authenticate
the client to the server; Use public-key
encryption techniques to generate share
secrets; Establish an encrypted SSL conn.
 How does SSL Work?
• How a client and a server create a secure
connection?
• The SSL protocol uses RSA public key
cryptography for Internet Security.
• Public key encryption uses a pair of
asymmetric keys for encryption and
decryption.
 How does SSL Work?
• Each pair of keys consists of a public key and a
private key. The public key is made public by
distributing it widely; the private key is always
kept secret.
• Data encrypted with the public key can be
decrypted only with the private key, and vice
versa.
 SSL architecture
SSL SSL Change SSL
applications
Handshake Cipher Spec Alert
(e.g., HTTP)
Protocol Protocol Protocol

SSL Record Protocol

TCP

IP

11
 SSL components
• SSL Handshake Protocol
– negotiation of security algorithms and parameters
– key exchange
– server authentication and optionally client authentication
• SSL Record Protocol
– fragmentation
– compression
– message authentication and integrity protection
– encryption
• SSL Alert Protocol
– error messages (fatal alerts and warnings)
• SSL Change Cipher Spec Protocol
– a single message that indicates the end of the SSL handshake

12
SSL Record Protocol Operation

13
SSL Handshake

14
SSL Handshake Protocol – overview
client server
client_hello Phase 1: Negotiation of the session ID, key exchange
server_hello algorithm, MAC algorithm, encryption algorithm, and
exchange of initial random numbers

certificate
Phase 2: Server may send its certificate and key
server_key_exchange
exchange message, and it may request the client
certificate_request to send a certificate. Server signals end of hello
phase.
server_hello_done

certificate
Phase 3: Client sends certificate if requested and may
client_key_exchange send an explicit certificate verification message.
certificate_verify Client always sends its key exchange message.

change_cipher_spec

finished
Phase 4: Change cipher spec and finish handshake
change_cipher_spec

finished
15
• SSL includes two sub-protocols: the SSL
Record Protocol and the SSL Handshake
Protocol.
• Record Protocol -- defines the format used to
transmit data.
• Handshake Protocol -- using the Record
protocol to exchange messages b/t an SSL-
enable server and an SSL-enable client.
 SSL—The Secure Sockets Layer
• Layers (and protocols) for a home user
browsing with SSL.
DNSSEC (DNS Security Extensions)
 DNSSEC Mechanisms

• New Resource Records

• Setting Up a Secure Zone
• Delegating Signing Authority
 Data flow through the DNS
Where are the vulnerable
Registrars
points?
& Registrants

Server vulnarability

Secondary
Man in the Middle DNS

primary
DNS

Registry spoofing
&
Secondary Man in the Middle
DNS
 DNSSEC protects all these end-
to-end
• As an aside:
There is a protection mechanism against the man
in the middle: TSIG(Transaction Signature)
– Provides hob-by-hop security
– TSIG is operationally deployed today
– Based on shared secret: not scalable
 What does DNSSEC provide
• provides message authentication and integrity verification through
cryptographic signatures
– You know who provided the signature
– No modifications between signing and validation
• It does not provide authorization
• It does not provide confidentiality
• It does not provide protection against DDOS
Metaphor

OK
 Metaphor
• Envelope sealed when
data is published in the
DNS system
• Does not provide OK
confidentially
• The seal protects the
delivery process
• No assertion about the
message
OK
 Data flow through the DNS
End to end security
Registrars
& Registrants
O
O K
K Secondary
DNS

primary
DNS

Registry

Secondary
DNS
Trust and DNS system

Confidence

Registry system
• DNSSEC enables confidence in the DNS
• It does not change the trust we put in the
Registry/Registrar procedures
– Although introduction of DNSSEC may
improve some of the procedures
 The mechanism used
• Using public key cryptographic algorithms
signatures are applied over the DNS data
• By comparing the signatures with public keys
the integrity and authenticity of the data can
be established.
 Public key cryptography
in a nutshell
• Two large numbers and an encryption and
decryption algorithm
• If one of the numbers (the private key) and a
message are used for encryption
• The other number (public key) and the
decryption algorithm can be used to retrieve
the original message