ADITYA ENGINEERING COLLEGE (A)

Cryptography & Network Security

By

K. Govindaraju
Assistant Professor
Dept of Computer Science & Engineering
Aditya Engineering College(A)
Surampalem.
 Aditya Engineering College (A)

Unit-V Outcomes

At the end of this unit, Student will be able to:

CO5: Utilize the services provided by the PGP, S/MIME & SSL, TLS.

Cryptography & Network

K. Govindaraju Tuesday, April 8, 2025
Security
 Aditya Engineering College (A)

Web Security Considerations

The World Wide Web is fundamentally a client/server application
running over the Internet and TCP/IP intranets
The following characteristics of Web usage suggest the need for tailored
security tools:
Web servers are relatively easy to configure and manage Web content is
increasingly easy to develop .
Casual and untrained (in security matters) users are common clients for
Web-based services.
Such users are not necessarily aware of the security risks that exist and
do not have the tools or knowledge to take effective countermeasures
Cryptography & Network
K. Govindaraju Tuesday, April 8, 2025
Security
 Aditya Engineering College (A)

Web Security Threats

Cryptography & Network

K. Govindaraju Tuesday, April 8, 2025
Security
 Aditya Engineering College (A)

Web Traffic Security Approaches

A number of approaches to providing Web security are possible.
One way to provide Web security is to use IP security (IPsec)
(Figure(a)). The advantage of using IPsec is that it is transparent to
end users and applications and provides a general-purpose solution.

Cryptography & Network

K. Govindaraju Tuesday, April 8, 2025
Security
 Aditya Engineering College (A)

Web Traffic Security Approaches

Another relatively general-purpose solution is to implement security
just above TCP (Figure (b)).
The foremost example of this approach is the Secure Sockets Layer
(SSL) and the follow-on Internet standard known as Transport Layer
Security (TLS).
At this level, there are two implementation choices. For full
generality, SSL (or TLS) could be provided as part of the underlying
protocol suite and therefore be transparent to applications.
Alternatively, SSL can be embedded in specific packages. For example,
Netscape and Microsoft Explorer browsers come equipped with SSL,
and most Web servers have implemented the protocol.
Cryptography & Network
K. Govindaraju Tuesday, April 8, 2025
Security
 Aditya Engineering College (A)

Web Traffic Security Approaches

Cryptography & Network

K. Govindaraju Tuesday, April 8, 2025
Security
 Aditya Engineering College (A)

Web Traffic Security Approaches

Application-specific security services are embedded within the
particular application.
Figure (c) shows examples of this architecture.
The advantage of this approach is that the service can be tailored to
the specific needs of a given application.

Cryptography & Network

K. Govindaraju Tuesday, April 8, 2025
Security
 Aditya Engineering College (A)

Secure Socket Layer (SSL)

SSL probably most widelyProtocol
used Web security mechanism, and it is
implemented at the Transport layer.
SSL is designed to make use of TCP to provide a reliable end-to-end
secure service.
Netscape originated SSL.
Version 3 of the protocol was designed with public review and input
from industry and was published as an Internet draft document.
Subsequently, became Internet standard known as TLS (Transport
Layer Security)

Cryptography & Network

K. Govindaraju Tuesday, April 8, 2025
Security
 Aditya Engineering College (A)

SSL Architecture
SSL is designed to make use of TCP to provide a reliable end-to-end secure
service.
SSL is not a single protocol but rather two layers of protocols.
Two important SSL concepts are the SSL session and the SSL connection,
which are defined in the specification as follows.
1. Connection: A connection is a transport that provides a suitable type of
service. For SSL, such connections are peer-to-peer relationships. Every
connection is associated with one session.
2. Session: An SSL session is an association between a client and a server.
Sessions are created by the Handshake Protocol. Sessions define a set of
cryptographic security parameters which can be shared among multiple
connections.
Cryptography & Network
K. Govindaraju Tuesday, April 8, 2025
Security
 Aditya Engineering College (A)

SSL Protocol Stack

Cryptography & Network

K. Govindaraju Tuesday, April 8, 2025
Security
 Aditya Engineering College (A)

SSL Record Protocol

SSL Record Protocol defines two services for SSL connections:
1. Confidentiality: The Handshake Protocol defines a shared secret key
that is used for conventional encryption of SSL payloads. The message
is compressed before being concatenated with the MAC and encrypted,
with a range of ciphers being supported as shown.
2. Message Integrity: The Handshake Protocol also defines a shared
secret key that is used to form a message authentication code (MAC).

Cryptography & Network

K. Govindaraju Tuesday, April 8, 2025
Security
 Aditya Engineering College (A)

SSL Record Protocol

 Figure shows the overall operation of the SSL Record Protocol.
 The Record Protocol takes an application message to be
transmitted, fragments the data into manageable blocks, optionally
compresses the data, applies a MAC, encrypts, adds a header, and
transmits the resulting unit in a TCP segment.
 Received data are decrypted, verified, decompressed, and
reassembled before being delivered to higher-level users.

Cryptography & Network

K. Govindaraju Tuesday, April 8, 2025
Security
 Aditya Engineering College (A)

SSL Record Protocol

Cryptography & Network

K. Govindaraju Tuesday, April 8, 2025
Security
 Aditya Engineering College (A)

SSL Record Format

Cryptography & Network

K. Govindaraju Tuesday, April 8, 2025
Security
 Aditya Engineering College (A)

SSL Record Format

The final step of SSL Record Protocol processing is to prepare a
header consisting of the following fields:
1. Content Type (8 bits): The higher-layer protocol used to process the
enclosed fragment.
2. Major Version (8 bits): Indicates major version of SSL in use.
3. Minor Version (8 bits): Indicates minor version in use.
4. Compressed Length (16 bits): The length in bytes of the plaintext
fragment (or compressed fragment if compression is used). The
maximum value is 214 + 2048.

Cryptography & Network

K. Govindaraju Tuesday, April 8, 2025
Security
 Aditya Engineering College (A)

Change Cipher Spec Protocol

 The Change Cipher Spec Protocol is one of the three SSL-specific
protocols that use the SSL Record Protocol.
 It is the simplest, consisting of a single message, which consists of
a single byte with the value 1.
 The sole purpose of this message is to cause the pending state to
be copied into the current state, which updates the cipher suite to
be used on this connection.

Cryptography & Network

K. Govindaraju Tuesday, April 8, 2025
Security
 Aditya Engineering College (A)

SSL Alert Protocol

The Alert Protocol is used to convey SSL-related alerts to the peer
entity.
As with other applications that use SSL, alert messages are
compressed and encrypted, as specified by the current state.
Each message in this protocol consists of two bytes, the first takes the
value warning (1) or fatal to convey the severity of the message.
The second byte contains a code that indicates the specific alert.

Cryptography & Network

K. Govindaraju Tuesday, April 8, 2025
Security
 Aditya Engineering College (A)

SSL Handshake Protocol

• The most complex part of SSL is the Handshake Protocol.
• This protocol allows the server and client to authenticate each other
and to negotiate an encryption and MAC algorithm and cryptographic
keys to be used to protect data sent in an SSL record.
• The Handshake Protocol is used before any application data is
transmitted.
• The Handshake Protocol consists of a series of messages exchanged
by client and server.

Cryptography & Network

K. Govindaraju Tuesday, April 8, 2025
Security
 Aditya Engineering College (A)

SSL Handshake Protocol Phases

The exchange can be viewed in 4 phases:
Phase 1. Establish Security Capabilities - this phase is used by the client
to initiate a logical connection and to establish the security capabilities
that will be associated with it
Phase 2. Server Authentication and Key Exchange - the server begins
this phase by sending its certificate if it needs to be authenticated.

Cryptography & Network

K. Govindaraju Tuesday, April 8, 2025
Security
 Aditya Engineering College (A)

SSL Handshake Protocol Phases

Phase 3. Client Authentication and Key Exchange - the client should
verify that the server provided a valid certificate .

Phase 4. Finish - this phase completes the setting up of a secure

connection. The client sends a change_cipher_spec message and copies
the pending CipherSpec into the current CipherSpec. At this point the
handshake is complete and the client and server may begin to exchange
application layer data.

Cryptography & Network

K. Govindaraju Tuesday, April 8, 2025
Security
 Aditya Engineering College (A)

SSL Handshake Protocol Phases

Cryptography & Network

K. Govindaraju Tuesday, April 8, 2025
Security
 Aditya Engineering College (A)

Summary
Unit-V Outcomes
Web Security Considerations
Web Security Threats
Web Traffic Security Approaches
Secure Socket Layer (SSL) Protocol
SSL Architecture
SSL Protocol Stack
SSL Record Protocol

Cryptography & Network

K. Govindaraju Tuesday, April 8, 2025
Security
 Aditya Engineering College (A)

Summary
SSL Record Format
ChangeCipherSpec Protocol
SSL Alert Protocol
SSL Handshake Protocol
SSL Handshake Protocol Phases

Cryptography & Network

K. Govindaraju Tuesday, April 8, 2025
Security