Monday, August 5, 2019
Features of Transport Layer Security (TLS)
Features of Transport Layer Security (TLS) à TRANSPORT LAYER SECURITY TLS is a successor to Secure Sockets Layer protocol. TLS provides secure communications on the Internet for such things as e-mail, Internet faxing, and other data transfers. There are slight differences between SSL 3.0 and TLS 1.0, but the protocol remains significantly the same. It is good idea to keep in mind that TLS resides on the Application Layer of the OSI model. This will save you a lot of frustrations while debugging and troubleshooting encryption troubles connected to TLS. à TLS Features TLS is a generic application layer security protocol that runs over reliable transport. It provides a secure channel to application protocol clients. This channel has three primary security features: Authentication of the server. Confidentiality of the communication channel. Message integrity of the communication channel. Optionally TLS can also provide authentication of the client. In general, TLS authentication uses public key based digital signatures backed by certificates. Thus, the server authenticates either by decrypting a secret encrypted under his public key or by signing an ephemeral public key. The client authenticates by signing a random challenge. Server certificates typically contain the servers domain name. Client certificates can contain arbitrary identities. à The Handshake Protocols The TLS Handshake Protocol allows the server and client to authenticate each other and to negotiate an encryption algorithm and cryptographic keys before data is exchanged. In a typical scenario, only the server is authenticated and its identity is ensured while the client remains unauthenticated. The mutual authentication of the servers requires public key deployment to clients. Provide security parameters to the record layer. A Client sends a ClientHello message specifying the highest TLS protocol version it supports, a random number, a list of suggested cipher suites and compression methods. The Server responds with a ServerHello, containing the chosen protocol version, a random number, cipher, and compression method from the choices offered by the client. The Server sends its Certificate (depending on the selected cipher, this may be omitted by the Server). The server may request a certificate from the client, so that the connection can be mutually authenticated, using a Certificate Request. The Server sends a ServerHelloDone message, indicating it is done with handshake negotiation. The Client responds with a ClientKeyExchange which may contain a PreMasterSecret, public key, or nothing. (Again, this depends on the selected cipher). The Handshake protocol provides a number of security functions. Such as Authentication, Encryption, Hash Algorithms à · Authentication A certificate is a digital form of identification that is usually issued by a certification authority (CA) and contains identification information, a validity period, a public key, a serial number, and the digital signature of the issuer. For authentication purposes, the Handshake Protocol uses an X.509 certificate to provide strong evidence to a second party that helps prove the identity of the party that holds the certificate and the corresponding private key. à · Encryption There are two main types of encryption: symmetric key (also known as Private Key) and asymmetric key (also known as public key. TLS/SSL uses symmetric key for bulk encryption and public key for authentication and key exchange. à · Hash Algorithms A hash is a one-way mapping of values to a smaller set of representative values, so that the size of the resulting hash is smaller than the original message and the hash is unique to the original data. A hash is similar to a fingerprint: a fingerprint is unique to the individual and is much smaller than the original person. Hashing is used to establish data integrity during transport. Two common hash algorithms are Message Digest5 (MD5) produce 128-bit hash value and Standard Hash Algorithm1 (SHA-1) produce 160-bit value. à The Change Cipher Spec The Change Cipher Spec Protocol signals a transition of the cipher suite to be used on the connection between the client and server. This protocol is composed of a single message which is encrypted and compressed with the current cipher suite. This message consists of a single byte with the value1. Message after this will be encrypted and compressed using the new cipher suite. à The Alert The Alert Protocol includes event-driven alert messages that can be sent from either party. the session is either ended or the recipient is given the choice of whether or not to end the session. Schannel SSP will only generate these alert messages at the request of the application. à The Record Layer/Protocol The TLS record protocol is a simple framing layer with record format as shown below: struct { ContentType type; ProtocolVersion version; uint16 length; opaque payload[length]; } TLSRecord; As with TLS, data is carried in records. In both protocols, records can only be processed when the entire record is available. The Record Layer might have four functions: It fragments the data coming from the application into manageable blocks (and reassemble incoming data to pass up to the application). Schannel SSP does not support fragmentation at the Record Layer. It compresses the data and decompresses incoming data. Schannel SSP does not support compression at the Record Layer. It applies a Message Authentication Code (MAC), or hash/digest, to the data and uses the MAC to verify incoming data. It encrypts the hashed data and decrypts incoming data. à Application Protocol TLS runs on application protocol such as HTTP, FTP, SMTP, NNTP, and XMPP and above a reliable transport protocol, TCP for example. While it can add security to any protocol that uses reliable connections (such as TCP), it is most commonly used with HTTP to form HTTPS. HTTPS is used to secure World Wide Web pages for applications such as electronic commerce and asset management. These applications use public key certificates to verify the identity of endpoints. à TSL/ SSL Security The client may use the CAs public key to validate the CAs digital signature on the server certificate. If the digital signature can be verified, the client accepts the server certificate as a valid certificate issued by a trusted CA. The client verifies that the issuing Certificate Authority (CA) is on its list of trusted Cas. The client checks the servers certificate validity period. The authentication process stops if the current date and time fall outside of the validity period. à IPSec IPSec acts at the network layer, protecting and authenticating IP packets between participating IPSec devices (peers), such as PIX Firewalls, Cisco routers, Cisco VPN 3000 Concentrators, Cisco VPN Clients, and other IPSec-compliant products. IPSec is not bound to any specific encryption or authentication algorithms, keying technology, or security algorithms. IPSec is a framework of open standards. Because it isnt bound to specific algorithms, IPSec allows newer and better algorithms to be implemented without patching the existing IPSec standards. IPSec provides data confidentiality, data integrity, and data origin authentication between participating peers at the IP layer. IPSec is used to secure a path between a pair of gateways, a pair of hosts, or a gateway and a host. Some of the standard algorithms are as follows: Data Encryption Standard (DES) algorithmââ¬âUsed to encrypt and decrypt packet data. 3DES algorithmââ¬âeffectively doubles encryption strength over 56-bit DES. Advanced Encryption Standard (AES)ââ¬âa newer cipher algorithm designed to replace DES. Has a variable key length between 128 and 256 bits. Cisco is the first industry vendor to implement AES on all its VPN-capable platforms. Message Digest 5 (MD5) algorithmââ¬âUsed to authenticate packet data. Secure Hash Algorithm 1 (SHA-1)ââ¬âUsed to authenticate packet data. Diffie-Hellman (DH)ââ¬âa public-key cryptography protocol that allows two parties to establish a shared secret key used by encryption and hash algorithms (for example, DES and MD5) over an insecure communications channel. IPSec security services provide four critical functions: Confidentiality (encryption)ââ¬âthe sender can encrypt the packets before transmitting them across a network. By doing so, no one can eavesdrop on the communication. If intercepted, the communications cannot be read. Data integrityââ¬âthe receiver can verify that the data was transmitted through the Internet without being changed or altered in any way. Origin authenticationââ¬âthe receiver can authenticate the packets source, guaranteeing and certifying the source of the information. Anti-replay protectionââ¬âAnti-replay protection verifies that each packet is unique, not duplicated. IPSec packets are protected by comparing the sequence number of the received packets and a sliding window on the destination host, or security gateway. Late and duplicate packets are dropped. v How IPSec works The goal of IPSec is to protect the desired data with the needed security services. IPSecs operation can be broken into five primary steps: Define interesting trafficââ¬âTraffic is deemed interesting when the VPN device recognizes that the traffic you want to send needs to be protected. IKE Phase 1ââ¬âThis basic set of security services protects all subsequent communications between the peers. IKE Phase 1 sets up a secure communications channel between peers. IKE Phase 2ââ¬âIKE negotiates IPSec security association (SA) parameters and sets up matching IPSec SAs in the peers. These security parameters are used to protect data and messages exchanged between endpoints. Data transferââ¬âData is transferred between IPSec peers based on the IPSec parameters and keys stored in the SA database. IPSec tunnel terminationââ¬âIPSec SAs terminate through deletion or by timing out. TASK 1(b) IPSecs advantage over TLS: It has more plasticity on choosing the Authentication mechanisms (like the Pre Shared Key), and therefore makes it hard for the attacker to do man in the middle.TLS is based only on Public key and with tools, its possible to do man in the Middle breaking TLS. Going one step down the OSI stack, IP Security (IPSec) guarantees the data privacy and integrity of IP packets, regardless of how the application used the sockets. This means any application, as long as it uses IP to send data, will benefit from the underlying secure IP network. Nothing has to be rewritten or modified; it even is possible that users wont be aware their data is being processed through encrypting devices. This solution is the most transparent one for end users and the one most likely to be adopted in the future in the widest range of situations. The main drawback of IPSsec lies in its intrinsic infrastructural complexity, which demands several components to work properly. IPSec deployment must be planned and carri ed out by network administrators, and it is less likely to be adopted directly by end users. TLSs advantage over IPSec: The advantage of TLS over generic application-level security mechanisms is the application no longer has the burden of encrypting user data. Using a special socket and API, the communication is secured. The problem with TLS is an application wishing to exploit its functionality must be written explicitly in order to do so (see Resources). Existing applications, which constitute the majority of data producers on the Internet, cannot take advantage of the encryption facilities provided by TLS without being rewritten. Think of the common applications we use everyday: mail clients, web browsers on sites without HTTPS, IRC channels, peer-to-peer file sharing systems and so on. Also, most network services (such as mail relays, DNS servers, routing protocols) currently run over plain sockets, exchanging vital information as clear text and only seldomly adopting application-level counter-measures (mostly integrity checks, such as MD5 sums). à IGMP IGMP is a protocol used by IP hosts, and adjacent multicast network devices to identify their memberships. If they are part of the same multicast group they communicate with each other. ICMP communicates 1 to 1.IGMP communicates 1 to many. à Establish Multicast group We describe a distributed architecture for managing multicast addresses in the global Internet. A multicast address space partitioning scheme is proposed, based on the Unicast host address and a per-host address management entity. By noting that port numbers are an integral part of end-to-end multicast addressing we present a single, unified solution to the two problems of dynamic multicast address management and port resolution. We then present a framework for the evaluation of multicast address management schemes, and use it to compare our design with three approaches, as well as a random allocation strategy. The criteria used for the evaluation are blocking probability and consistency, address acquisition delay, the load on address management entities, robustness against failures, and processing and communications overhead. With the distributed scheme the probability of blocking for address acquisition is reduced by several orders of magnitude, to insignificant levels, while consi stency is maintained. At the same time, the address acquisition delay is reduced to a minimum by serving the request within the host itself. It is also shown that the scheme generates much less control traffic, is more robust against failures, and puts much less load on address management entities as compared with the other three schemes. The random allocation strategy is shown to be attractive primarily due to its simplicity, although it does have several drawbacks stemming from its lack of consistency (addresses may be allocated more than once) The Routing and Remote Access administrative tool is used to enable routing on a Windows 2000 server that is multihomed (has more than one network card). Windows 2000 professional cannot be a router. The Routing and Remote Access administrative tool or the route command line utility can be used to con a static router and add a routing table. A routing table is required for static routing. Dynamic routing does not require a routing table since the table is built by software. Dynamic routing does require additional protocols to be installed on the computer. When using the Routing and Remote Access tool, the following information is entered: Interface Specify the network card that the route applies to which is where the packets will come from. Destination Specify the network address that the packets are going to such as 192.168.1.0. Network Mask The subnet mask of the destination network. Gateway The IP address of the network card on the network that is cond to forward the packets such as 192.168.1.1. Metric The number of routers that packets must pass through to reach the intended network. If there are more than 1, the Gateway address will not match the network address of the destination network. à Dynamic Routing Windows 2000 Server supports Network Address Translation (NAT) and DHCP relay agent. Three Windows 2000 supported Dynamic routing protocols are: Routing Information Protocol (RIP) version 2 for IP Open Shortest Path First (OSPF) Internet Group Management Protocol (IGMP) version 2 with router or proxy support. The Routing and Remote Access tool is used to install, con, and monitor these protocols and routing functions. After any of these dynamic routing protocols are installed, they must be cond to use one or more routing interfaces. à Protocol Independent Multicast (PIM): This document describes an architecture for efficiently routing to multicast groups that may span wide-area (and inter-domain) internets. We refer to the approach as Protocol Independent Multicast (PIM) because it is not dependent on any particular unicast routing protocol. The most significant innovation in this architecture is the efficient support of sparse, wide area groups. This sparse mode (SM) of operation complements the traditional { dense-mode} approach to multicast routing for campus networks, as developed by Deering [2][3] and implemented previously in MOSPF and DVMRP [4][5]. These traditional dense mode multicast schemes were intended for use within regions where a group is widely represented or bandwidth is universally plentiful. However, when group members, and senders to those group members, are distributed sparsely across a wide area, these schemes are not efficient; data packets (in the case of DVMRP) or membership report information (in the case of MOSPF) are occasionally sent over many links that do not lead to receivers or senders, respectively. The purpose of this work is to develop a multicast routing architecture that efficiently establishes distribution trees even when some or all members are sparsely distributed. Efficiency is evaluated in terms of the state, control message, and data packet overhead required across the entire network in order to deliver data packets to the members of the group. à The Protocol Independent Multicast (PIM) architecture: maintains the traditional IP multicast service model of receiver-initiated membership; can be cond to adapt to different multicast group and network characteristics; is not dependent on a specific unicast routing protocol; uses soft-state mechanisms to adapt to underlying network conditions and group dynamics. The robustness, flexibility, and scaling properties of this architecture make it well suited to large heterogeneous inter-networks. This document describes an architecture for efficiently routing to multicast groups that may span wide-area (and inter-domain) internets. We refer to the approach as Protocol Independent Multicast (PIM) because it is not dependent on any particular unicast routing protocol. The most significant innovation in this architecture is the efficient support of sparse, wide area groups. This sparse mode (SM) of operation complements the traditional { dense-mode} approach to multicast routing for campus networks, as developed by Deering [2][3] and implemented previously in MOSPF and DVMRP [4][5]. These traditional dense mode multicast schemes were intended for use within regions where a group is widely represented or bandwidth is universally plentiful. However, when group members, and senders to those group members, are distributed sparsely across a wide area, these schemes are not efficient; data packets (in the case of DVMRP) or membership report information (in the case of MOSPF) are occas ionally sent over many links that do not lead to receivers or senders, respectively. The purpose of this work is to develop a multicast routing architecture that efficiently establishes distribution trees even when some or all members are sparsely distributed. Efficiency is evaluated in terms of the state, control message, and data packet overhead required across the entire network in order to deliver data packets to the members of the group. A user of an internet- connected pc, Adam; send an email message to another internet connected pc user beryl. 1. Outlinethe function of four internet host that would normally be involved be involved in this task. . : 1. Adams Computer : :2. Server of Adams Internet Service Provider : : 3. Server of Beryls Internet Service Provider: :4. Beryls Computer : . This program allows you to build and deal with a large mailing list, and to create modified messages from predefined templates while sending. It lets you define multiple independent SMTP server connections and will utilize the latest in multithreading technology, to send emails to you as fast as it is possible. You can use all the standard message formats like plain text, HTML or even create a rich content message in the Microsoft Outlook Express and export it into the program. The interface of the program is very simple and easy to learn nearly all functions can be performed using hotkeys on the keyboard. E-mail is a growing source of an enterprises records and needs to be treated as any written memo, letter or report has been treated. The information in e-mail has the potential to add to the enterprises knowledge assets, from interactions with the users or customers in the enterprise to interactions with colleagues overseas. 2. List the internet protocol which would be used in this task. Internet Protocol (IP) is packet-based protocol that allows dissimilar hosts to connect to each other for the purpose of delivering data across the resulting networks. Applications combine IP with a higher- level protocol called Transport Control Protocol (TCP), which establishes a virtual connection between a destination and a source. IP by itself is something like the postal system. It allows you to address a package and drop it in the system, but theres no direct link between you and the recipient. . : 1. HTTP : :2. IMAP(Version 4): : 3.SMTP : :4.POP (Version 3) : . à HTTP (Hyper-Text Transfer Protocol) is the underlying protocol used by the World Wide Web. HTTP defines how messages are formatted and transmitted, and what actions Web servers and browsers should take in response to various commands. HTTP/1.0, as defined by RFC 1945 [6], improved the protocol by allowing messages to be in the format of MIME-like messages, containing meta information about the data transferred and modifiers on the request/response semantics. à IMAP4 (Internet Message Access Protocol) A mail protocol that provides management of received messages on a remote server. The user can review headers, create or delete folders/mailboxes and messages, and search contents remotely without downloading. It includes more functions than the similar POP protocol. à POP3 (Post Office Protocol 3) is the most recent version of a standard protocol for receiving e-mail. POP3 is a client/server protocol in which e-mail is received and held for you by your Internet server. Periodically, you (or your client e-mail receiver) check your mail-box on the server and download any mail, probably using POP3. This standard protocol is built into most popular e-mail products, such as Eudora and Outlook Express. Its also built into the Netscape and Microsoft Internet Explorer browsers. POP3 is designed to delete mail on the server as soon as the user has downloaded it. However, some implementations allow users or an administrator to specify that mail be saved for some period of time. POP can be thought of as a store-and-forward service. à SMTP (Simple Mail Transfer Protocol) is a TCP/IP protocol used in sending and receiving e-mail. However, since it is limited in its ability to queue messages at the receiving end, it is usually used with one of two other protocols, POP3 or IMAP, that let the user save messages in a server mailbox and download them periodically from the server. In other words, users typically use a program that uses SMTP for sending e-mail and either POP3 or IMAP for receiving e-mail. On Unix-based systems, send mail is the most widely-used SMTP server for e-mail. A commercial package, Send mail, includes a POP3 server. Microsoft Exchange includes an SMTP server and can also be set up to include POP3 support. SMTP usually is implemented to operate over Internet port 25. An alternative to SMTP that is widely used in Europe is X.400. Many mail servers now support Extended Simple Mail Transfer Protocol (ESMTP), which allows multimedia files to be delivered as e-mail. 3. Taking the case that the message include the text please find attached abstract and 1. as well as in MS-Word format and an attachment in jpeg, list format of the send mail messages. .. : 1. MIME : .. à MIME (Multi-Purpose Internet Mail Extensions) is an extension of the original Internet e-mail protocol that lets people use the protocol to exchange different kinds of data files on the Internet: audio, video, images, application programs, and other kinds, as well as the ASCII text handled in the original protocol, the Simple Mail Transport Protocol (SMTP). In 1991, Nathan Borenstein of Bellcore proposed to the IETF that SMTP be extended so that Internet (but mainly Web) clients and servers could recognize and handle other kinds of data than ASCII text. As a result, new file types were added to mail as a supported Internet Protocol file type. Servers insert the MIME header at the beginning of any Web transmission. Clients use this header to select an appropriate player application for the type of data the header indicates. Some of these players are built into the Web client or browser (for example, all browsers come with GIF and JPEG image players as well as the ability to handle HTML files). 4. How would received message differ the sent messages? The email address that receives messages sent from users who click à ¿Ã ½replyà ¿Ã ½ in their email clients. Can differ from the à ¿Ã ½fromà ¿Ã ½address which can be an automated or unmonitored email address used only to send messages to a distribution list. à ¿Ã ½Reply-toà ¿Ã ½ should always be a monitored address. à IPv4: Internet Protocol (Version 4) The Internet Protocol (IP) is a network-layer (Layer 3) protocol in the OSI model that contains addressing information and some control information to enable packets being routed in network. IP is the primary network-layer protocol in the TCP/IP protocol suite. Along with the Transmission Control Protocol (TCP), IP represents the heart of the Internet protocols. IP is equally well suited for both LAN and WAN communications. IP (Internet Protocol) has two primary responsibilities: providing connectionless, best-effort delivery of datagrams through a network; and providing fragmentation and reassembly of datagrams to support data links with different maximum-transmission unit (MTU) sizes. The IP addressing scheme is integral to the process of routing IP datagrams through an internetwork. Each IP address has specific components and follows a basic format. These IP addresses can be subdivided and used to create addresses for sub networks. Each computer (known as host) on a TCP/IP network is assigned a unique logical address (32-bit in IPv4) that is divided into two main parts: the network number and the host number. The network number identifies a network and must be assigned by the Internet Network Information Center (InterNIC) if the network is to be part of the Internet. An Internet Service Provider (ISP) can obtain blocks of network addresses from the InterNIC and can itself assign address space as nece ssary. The host number identifies a host on a network and is assigned by the local network administrator. à IPv6 (IPng): Internet Protocol version 6 IPv6 is the new version of Internet Protocol (IP) based on IPv4, a network-layer (Layer 3) protocol that contains addressing information and some control information enabling packets to be routed in the network. There are two basic IP versions: IPv4 and IPv6. IPv6 is also called next generation IP or IPng. IPv4 and IPv6 are de-multiplexed at the media layer. For example, IPv6 packets are carried over Ethernet with the content type 86DD (hexadecimal) instead of IPv4s 0800. The IPv4 is described in separate documents. IPv6 increases the IP address size from 32 bits to 128 bits, to support more levels of addressing hierarchy, a much greater number of addressable nodes, and simpler auto-configuration of addresses. IPv6 addresses are expressed in hexadecimal format (base 16) which allows not only numerals (0-9) but a few characters as well (a-f). A sample ipv6 address looks like: 3ffe: ffff: 100:f101:210:a4ff:fee3:9566. Scalability of multicast addresses is introduced. A new type of address called an any cast address is also defined, to send a packet to any one of a group of nodes. Two major improvements in IPv6 vs. v4: * Improved support for extensions and options IPv6 options are placed in separate headers that are located between the IPv6 header and the transport layer header. Changes in the way IP header options are encoded to allow more efficient forwarding, less stringent limits on the length of options, and greater flexibility for introducing new options in the future. à · Flow labeling capability A new capability has been added to enable the labeling of packets belonging to particular traffic flows for which the sender requests special handling, such as non-default Quality of Service or real-time service. à Comparison between IPv6 with IPv4 Data structure of IPv6 has modified as follows: Header length field found in IPv4 is removed in IPv6. Type of Service field found in IPv4 has been replaced with Priority field in IPv6. Time to live field found in IPv4 has been replaced with Hop Limit in IPv6. Total Length field has been replaced with Payload Length field Protocol field has been replaced with Next Header field Source Address and Destination Address has been increased from 32-bits to 128-bits. à Major Similarities IPv6 with IPv4 Both protocols provide loopback addresses. IPv6 multicast achieves the same purpose that IPv4 broadcast does. Both allow the user to determine datagram size, and the maximum number of hops before termination. Both provide connectionless delivery service (datagrams routed independently). Both are best effort datagram delivery services. à Major Differences between IPv6 with IPv4 IPv6 host to IPv6 host routing via IPv4 network: Here, IPv6 over IPv4 tunneling is required to send a datagram. IPv6 packets are encapsulated within IPv4 packets, allowing travel over IPv4 routing infrastructures to reach an IPv6 host on the other side of the .IPv6 over IPv4 tunnel. The two different types of tunneling are automatic and cond. For a cond tunnel, the IPv6 to IPv4 mappings, at tunnel endpoints, have to be manually specified. Automatic tunneling eases tunneling, but nullifies the advantages of using the 128-bit address space. IPv6 host to IPv4 host and vice versa: The device that converts IPv6 packets to IPv4 packets (a dual IP stack/ dual stack router) allows a host to access both IPv4 and IPv6 resources for communication. A dual IP stack routes as well as converts between IPv4 and IPv6 datagrams ICMP: IPv6 enhances ICMP with ICMPv6. The messages are grouped as informational and error. An ICMPv6 message can contain much more information. The rules for message handling are stricter. ICMPv6 uses the Neighbor Discovery Protocol. New messages have been added also. Absence of ARP RARP: Features of Transport Layer Security (TLS) Features of Transport Layer Security (TLS) à TRANSPORT LAYER SECURITY TLS is a successor to Secure Sockets Layer protocol. TLS provides secure communications on the Internet for such things as e-mail, Internet faxing, and other data transfers. There are slight differences between SSL 3.0 and TLS 1.0, but the protocol remains significantly the same. It is good idea to keep in mind that TLS resides on the Application Layer of the OSI model. This will save you a lot of frustrations while debugging and troubleshooting encryption troubles connected to TLS. à TLS Features TLS is a generic application layer security protocol that runs over reliable transport. It provides a secure channel to application protocol clients. This channel has three primary security features: Authentication of the server. Confidentiality of the communication channel. Message integrity of the communication channel. Optionally TLS can also provide authentication of the client. In general, TLS authentication uses public key based digital signatures backed by certificates. Thus, the server authenticates either by decrypting a secret encrypted under his public key or by signing an ephemeral public key. The client authenticates by signing a random challenge. Server certificates typically contain the servers domain name. Client certificates can contain arbitrary identities. à The Handshake Protocols The TLS Handshake Protocol allows the server and client to authenticate each other and to negotiate an encryption algorithm and cryptographic keys before data is exchanged. In a typical scenario, only the server is authenticated and its identity is ensured while the client remains unauthenticated. The mutual authentication of the servers requires public key deployment to clients. Provide security parameters to the record layer. A Client sends a ClientHello message specifying the highest TLS protocol version it supports, a random number, a list of suggested cipher suites and compression methods. The Server responds with a ServerHello, containing the chosen protocol version, a random number, cipher, and compression method from the choices offered by the client. The Server sends its Certificate (depending on the selected cipher, this may be omitted by the Server). The server may request a certificate from the client, so that the connection can be mutually authenticated, using a Certificate Request. The Server sends a ServerHelloDone message, indicating it is done with handshake negotiation. The Client responds with a ClientKeyExchange which may contain a PreMasterSecret, public key, or nothing. (Again, this depends on the selected cipher). The Handshake protocol provides a number of security functions. Such as Authentication, Encryption, Hash Algorithms à · Authentication A certificate is a digital form of identification that is usually issued by a certification authority (CA) and contains identification information, a validity period, a public key, a serial number, and the digital signature of the issuer. For authentication purposes, the Handshake Protocol uses an X.509 certificate to provide strong evidence to a second party that helps prove the identity of the party that holds the certificate and the corresponding private key. à · Encryption There are two main types of encryption: symmetric key (also known as Private Key) and asymmetric key (also known as public key. TLS/SSL uses symmetric key for bulk encryption and public key for authentication and key exchange. à · Hash Algorithms A hash is a one-way mapping of values to a smaller set of representative values, so that the size of the resulting hash is smaller than the original message and the hash is unique to the original data. A hash is similar to a fingerprint: a fingerprint is unique to the individual and is much smaller than the original person. Hashing is used to establish data integrity during transport. Two common hash algorithms are Message Digest5 (MD5) produce 128-bit hash value and Standard Hash Algorithm1 (SHA-1) produce 160-bit value. à The Change Cipher Spec The Change Cipher Spec Protocol signals a transition of the cipher suite to be used on the connection between the client and server. This protocol is composed of a single message which is encrypted and compressed with the current cipher suite. This message consists of a single byte with the value1. Message after this will be encrypted and compressed using the new cipher suite. à The Alert The Alert Protocol includes event-driven alert messages that can be sent from either party. the session is either ended or the recipient is given the choice of whether or not to end the session. Schannel SSP will only generate these alert messages at the request of the application. à The Record Layer/Protocol The TLS record protocol is a simple framing layer with record format as shown below: struct { ContentType type; ProtocolVersion version; uint16 length; opaque payload[length]; } TLSRecord; As with TLS, data is carried in records. In both protocols, records can only be processed when the entire record is available. The Record Layer might have four functions: It fragments the data coming from the application into manageable blocks (and reassemble incoming data to pass up to the application). Schannel SSP does not support fragmentation at the Record Layer. It compresses the data and decompresses incoming data. Schannel SSP does not support compression at the Record Layer. It applies a Message Authentication Code (MAC), or hash/digest, to the data and uses the MAC to verify incoming data. It encrypts the hashed data and decrypts incoming data. à Application Protocol TLS runs on application protocol such as HTTP, FTP, SMTP, NNTP, and XMPP and above a reliable transport protocol, TCP for example. While it can add security to any protocol that uses reliable connections (such as TCP), it is most commonly used with HTTP to form HTTPS. HTTPS is used to secure World Wide Web pages for applications such as electronic commerce and asset management. These applications use public key certificates to verify the identity of endpoints. à TSL/ SSL Security The client may use the CAs public key to validate the CAs digital signature on the server certificate. If the digital signature can be verified, the client accepts the server certificate as a valid certificate issued by a trusted CA. The client verifies that the issuing Certificate Authority (CA) is on its list of trusted Cas. The client checks the servers certificate validity period. The authentication process stops if the current date and time fall outside of the validity period. à IPSec IPSec acts at the network layer, protecting and authenticating IP packets between participating IPSec devices (peers), such as PIX Firewalls, Cisco routers, Cisco VPN 3000 Concentrators, Cisco VPN Clients, and other IPSec-compliant products. IPSec is not bound to any specific encryption or authentication algorithms, keying technology, or security algorithms. IPSec is a framework of open standards. Because it isnt bound to specific algorithms, IPSec allows newer and better algorithms to be implemented without patching the existing IPSec standards. IPSec provides data confidentiality, data integrity, and data origin authentication between participating peers at the IP layer. IPSec is used to secure a path between a pair of gateways, a pair of hosts, or a gateway and a host. Some of the standard algorithms are as follows: Data Encryption Standard (DES) algorithmââ¬âUsed to encrypt and decrypt packet data. 3DES algorithmââ¬âeffectively doubles encryption strength over 56-bit DES. Advanced Encryption Standard (AES)ââ¬âa newer cipher algorithm designed to replace DES. Has a variable key length between 128 and 256 bits. Cisco is the first industry vendor to implement AES on all its VPN-capable platforms. Message Digest 5 (MD5) algorithmââ¬âUsed to authenticate packet data. Secure Hash Algorithm 1 (SHA-1)ââ¬âUsed to authenticate packet data. Diffie-Hellman (DH)ââ¬âa public-key cryptography protocol that allows two parties to establish a shared secret key used by encryption and hash algorithms (for example, DES and MD5) over an insecure communications channel. IPSec security services provide four critical functions: Confidentiality (encryption)ââ¬âthe sender can encrypt the packets before transmitting them across a network. By doing so, no one can eavesdrop on the communication. If intercepted, the communications cannot be read. Data integrityââ¬âthe receiver can verify that the data was transmitted through the Internet without being changed or altered in any way. Origin authenticationââ¬âthe receiver can authenticate the packets source, guaranteeing and certifying the source of the information. Anti-replay protectionââ¬âAnti-replay protection verifies that each packet is unique, not duplicated. IPSec packets are protected by comparing the sequence number of the received packets and a sliding window on the destination host, or security gateway. Late and duplicate packets are dropped. v How IPSec works The goal of IPSec is to protect the desired data with the needed security services. IPSecs operation can be broken into five primary steps: Define interesting trafficââ¬âTraffic is deemed interesting when the VPN device recognizes that the traffic you want to send needs to be protected. IKE Phase 1ââ¬âThis basic set of security services protects all subsequent communications between the peers. IKE Phase 1 sets up a secure communications channel between peers. IKE Phase 2ââ¬âIKE negotiates IPSec security association (SA) parameters and sets up matching IPSec SAs in the peers. These security parameters are used to protect data and messages exchanged between endpoints. Data transferââ¬âData is transferred between IPSec peers based on the IPSec parameters and keys stored in the SA database. IPSec tunnel terminationââ¬âIPSec SAs terminate through deletion or by timing out. TASK 1(b) IPSecs advantage over TLS: It has more plasticity on choosing the Authentication mechanisms (like the Pre Shared Key), and therefore makes it hard for the attacker to do man in the middle.TLS is based only on Public key and with tools, its possible to do man in the Middle breaking TLS. Going one step down the OSI stack, IP Security (IPSec) guarantees the data privacy and integrity of IP packets, regardless of how the application used the sockets. This means any application, as long as it uses IP to send data, will benefit from the underlying secure IP network. Nothing has to be rewritten or modified; it even is possible that users wont be aware their data is being processed through encrypting devices. This solution is the most transparent one for end users and the one most likely to be adopted in the future in the widest range of situations. The main drawback of IPSsec lies in its intrinsic infrastructural complexity, which demands several components to work properly. IPSec deployment must be planned and carri ed out by network administrators, and it is less likely to be adopted directly by end users. TLSs advantage over IPSec: The advantage of TLS over generic application-level security mechanisms is the application no longer has the burden of encrypting user data. Using a special socket and API, the communication is secured. The problem with TLS is an application wishing to exploit its functionality must be written explicitly in order to do so (see Resources). Existing applications, which constitute the majority of data producers on the Internet, cannot take advantage of the encryption facilities provided by TLS without being rewritten. Think of the common applications we use everyday: mail clients, web browsers on sites without HTTPS, IRC channels, peer-to-peer file sharing systems and so on. Also, most network services (such as mail relays, DNS servers, routing protocols) currently run over plain sockets, exchanging vital information as clear text and only seldomly adopting application-level counter-measures (mostly integrity checks, such as MD5 sums). à IGMP IGMP is a protocol used by IP hosts, and adjacent multicast network devices to identify their memberships. If they are part of the same multicast group they communicate with each other. ICMP communicates 1 to 1.IGMP communicates 1 to many. à Establish Multicast group We describe a distributed architecture for managing multicast addresses in the global Internet. A multicast address space partitioning scheme is proposed, based on the Unicast host address and a per-host address management entity. By noting that port numbers are an integral part of end-to-end multicast addressing we present a single, unified solution to the two problems of dynamic multicast address management and port resolution. We then present a framework for the evaluation of multicast address management schemes, and use it to compare our design with three approaches, as well as a random allocation strategy. The criteria used for the evaluation are blocking probability and consistency, address acquisition delay, the load on address management entities, robustness against failures, and processing and communications overhead. With the distributed scheme the probability of blocking for address acquisition is reduced by several orders of magnitude, to insignificant levels, while consi stency is maintained. At the same time, the address acquisition delay is reduced to a minimum by serving the request within the host itself. It is also shown that the scheme generates much less control traffic, is more robust against failures, and puts much less load on address management entities as compared with the other three schemes. The random allocation strategy is shown to be attractive primarily due to its simplicity, although it does have several drawbacks stemming from its lack of consistency (addresses may be allocated more than once) The Routing and Remote Access administrative tool is used to enable routing on a Windows 2000 server that is multihomed (has more than one network card). Windows 2000 professional cannot be a router. The Routing and Remote Access administrative tool or the route command line utility can be used to con a static router and add a routing table. A routing table is required for static routing. Dynamic routing does not require a routing table since the table is built by software. Dynamic routing does require additional protocols to be installed on the computer. When using the Routing and Remote Access tool, the following information is entered: Interface Specify the network card that the route applies to which is where the packets will come from. Destination Specify the network address that the packets are going to such as 192.168.1.0. Network Mask The subnet mask of the destination network. Gateway The IP address of the network card on the network that is cond to forward the packets such as 192.168.1.1. Metric The number of routers that packets must pass through to reach the intended network. If there are more than 1, the Gateway address will not match the network address of the destination network. à Dynamic Routing Windows 2000 Server supports Network Address Translation (NAT) and DHCP relay agent. Three Windows 2000 supported Dynamic routing protocols are: Routing Information Protocol (RIP) version 2 for IP Open Shortest Path First (OSPF) Internet Group Management Protocol (IGMP) version 2 with router or proxy support. The Routing and Remote Access tool is used to install, con, and monitor these protocols and routing functions. After any of these dynamic routing protocols are installed, they must be cond to use one or more routing interfaces. à Protocol Independent Multicast (PIM): This document describes an architecture for efficiently routing to multicast groups that may span wide-area (and inter-domain) internets. We refer to the approach as Protocol Independent Multicast (PIM) because it is not dependent on any particular unicast routing protocol. The most significant innovation in this architecture is the efficient support of sparse, wide area groups. This sparse mode (SM) of operation complements the traditional { dense-mode} approach to multicast routing for campus networks, as developed by Deering [2][3] and implemented previously in MOSPF and DVMRP [4][5]. These traditional dense mode multicast schemes were intended for use within regions where a group is widely represented or bandwidth is universally plentiful. However, when group members, and senders to those group members, are distributed sparsely across a wide area, these schemes are not efficient; data packets (in the case of DVMRP) or membership report information (in the case of MOSPF) are occasionally sent over many links that do not lead to receivers or senders, respectively. The purpose of this work is to develop a multicast routing architecture that efficiently establishes distribution trees even when some or all members are sparsely distributed. Efficiency is evaluated in terms of the state, control message, and data packet overhead required across the entire network in order to deliver data packets to the members of the group. à The Protocol Independent Multicast (PIM) architecture: maintains the traditional IP multicast service model of receiver-initiated membership; can be cond to adapt to different multicast group and network characteristics; is not dependent on a specific unicast routing protocol; uses soft-state mechanisms to adapt to underlying network conditions and group dynamics. The robustness, flexibility, and scaling properties of this architecture make it well suited to large heterogeneous inter-networks. This document describes an architecture for efficiently routing to multicast groups that may span wide-area (and inter-domain) internets. We refer to the approach as Protocol Independent Multicast (PIM) because it is not dependent on any particular unicast routing protocol. The most significant innovation in this architecture is the efficient support of sparse, wide area groups. This sparse mode (SM) of operation complements the traditional { dense-mode} approach to multicast routing for campus networks, as developed by Deering [2][3] and implemented previously in MOSPF and DVMRP [4][5]. These traditional dense mode multicast schemes were intended for use within regions where a group is widely represented or bandwidth is universally plentiful. However, when group members, and senders to those group members, are distributed sparsely across a wide area, these schemes are not efficient; data packets (in the case of DVMRP) or membership report information (in the case of MOSPF) are occas ionally sent over many links that do not lead to receivers or senders, respectively. The purpose of this work is to develop a multicast routing architecture that efficiently establishes distribution trees even when some or all members are sparsely distributed. Efficiency is evaluated in terms of the state, control message, and data packet overhead required across the entire network in order to deliver data packets to the members of the group. A user of an internet- connected pc, Adam; send an email message to another internet connected pc user beryl. 1. Outlinethe function of four internet host that would normally be involved be involved in this task. . : 1. Adams Computer : :2. Server of Adams Internet Service Provider : : 3. Server of Beryls Internet Service Provider: :4. Beryls Computer : . This program allows you to build and deal with a large mailing list, and to create modified messages from predefined templates while sending. It lets you define multiple independent SMTP server connections and will utilize the latest in multithreading technology, to send emails to you as fast as it is possible. You can use all the standard message formats like plain text, HTML or even create a rich content message in the Microsoft Outlook Express and export it into the program. The interface of the program is very simple and easy to learn nearly all functions can be performed using hotkeys on the keyboard. E-mail is a growing source of an enterprises records and needs to be treated as any written memo, letter or report has been treated. The information in e-mail has the potential to add to the enterprises knowledge assets, from interactions with the users or customers in the enterprise to interactions with colleagues overseas. 2. List the internet protocol which would be used in this task. Internet Protocol (IP) is packet-based protocol that allows dissimilar hosts to connect to each other for the purpose of delivering data across the resulting networks. Applications combine IP with a higher- level protocol called Transport Control Protocol (TCP), which establishes a virtual connection between a destination and a source. IP by itself is something like the postal system. It allows you to address a package and drop it in the system, but theres no direct link between you and the recipient. . : 1. HTTP : :2. IMAP(Version 4): : 3.SMTP : :4.POP (Version 3) : . à HTTP (Hyper-Text Transfer Protocol) is the underlying protocol used by the World Wide Web. HTTP defines how messages are formatted and transmitted, and what actions Web servers and browsers should take in response to various commands. HTTP/1.0, as defined by RFC 1945 [6], improved the protocol by allowing messages to be in the format of MIME-like messages, containing meta information about the data transferred and modifiers on the request/response semantics. à IMAP4 (Internet Message Access Protocol) A mail protocol that provides management of received messages on a remote server. The user can review headers, create or delete folders/mailboxes and messages, and search contents remotely without downloading. It includes more functions than the similar POP protocol. à POP3 (Post Office Protocol 3) is the most recent version of a standard protocol for receiving e-mail. POP3 is a client/server protocol in which e-mail is received and held for you by your Internet server. Periodically, you (or your client e-mail receiver) check your mail-box on the server and download any mail, probably using POP3. This standard protocol is built into most popular e-mail products, such as Eudora and Outlook Express. Its also built into the Netscape and Microsoft Internet Explorer browsers. POP3 is designed to delete mail on the server as soon as the user has downloaded it. However, some implementations allow users or an administrator to specify that mail be saved for some period of time. POP can be thought of as a store-and-forward service. à SMTP (Simple Mail Transfer Protocol) is a TCP/IP protocol used in sending and receiving e-mail. However, since it is limited in its ability to queue messages at the receiving end, it is usually used with one of two other protocols, POP3 or IMAP, that let the user save messages in a server mailbox and download them periodically from the server. In other words, users typically use a program that uses SMTP for sending e-mail and either POP3 or IMAP for receiving e-mail. On Unix-based systems, send mail is the most widely-used SMTP server for e-mail. A commercial package, Send mail, includes a POP3 server. Microsoft Exchange includes an SMTP server and can also be set up to include POP3 support. SMTP usually is implemented to operate over Internet port 25. An alternative to SMTP that is widely used in Europe is X.400. Many mail servers now support Extended Simple Mail Transfer Protocol (ESMTP), which allows multimedia files to be delivered as e-mail. 3. Taking the case that the message include the text please find attached abstract and 1. as well as in MS-Word format and an attachment in jpeg, list format of the send mail messages. .. : 1. MIME : .. à MIME (Multi-Purpose Internet Mail Extensions) is an extension of the original Internet e-mail protocol that lets people use the protocol to exchange different kinds of data files on the Internet: audio, video, images, application programs, and other kinds, as well as the ASCII text handled in the original protocol, the Simple Mail Transport Protocol (SMTP). In 1991, Nathan Borenstein of Bellcore proposed to the IETF that SMTP be extended so that Internet (but mainly Web) clients and servers could recognize and handle other kinds of data than ASCII text. As a result, new file types were added to mail as a supported Internet Protocol file type. Servers insert the MIME header at the beginning of any Web transmission. Clients use this header to select an appropriate player application for the type of data the header indicates. Some of these players are built into the Web client or browser (for example, all browsers come with GIF and JPEG image players as well as the ability to handle HTML files). 4. How would received message differ the sent messages? The email address that receives messages sent from users who click à ¿Ã ½replyà ¿Ã ½ in their email clients. Can differ from the à ¿Ã ½fromà ¿Ã ½address which can be an automated or unmonitored email address used only to send messages to a distribution list. à ¿Ã ½Reply-toà ¿Ã ½ should always be a monitored address. à IPv4: Internet Protocol (Version 4) The Internet Protocol (IP) is a network-layer (Layer 3) protocol in the OSI model that contains addressing information and some control information to enable packets being routed in network. IP is the primary network-layer protocol in the TCP/IP protocol suite. Along with the Transmission Control Protocol (TCP), IP represents the heart of the Internet protocols. IP is equally well suited for both LAN and WAN communications. IP (Internet Protocol) has two primary responsibilities: providing connectionless, best-effort delivery of datagrams through a network; and providing fragmentation and reassembly of datagrams to support data links with different maximum-transmission unit (MTU) sizes. The IP addressing scheme is integral to the process of routing IP datagrams through an internetwork. Each IP address has specific components and follows a basic format. These IP addresses can be subdivided and used to create addresses for sub networks. Each computer (known as host) on a TCP/IP network is assigned a unique logical address (32-bit in IPv4) that is divided into two main parts: the network number and the host number. The network number identifies a network and must be assigned by the Internet Network Information Center (InterNIC) if the network is to be part of the Internet. An Internet Service Provider (ISP) can obtain blocks of network addresses from the InterNIC and can itself assign address space as nece ssary. The host number identifies a host on a network and is assigned by the local network administrator. à IPv6 (IPng): Internet Protocol version 6 IPv6 is the new version of Internet Protocol (IP) based on IPv4, a network-layer (Layer 3) protocol that contains addressing information and some control information enabling packets to be routed in the network. There are two basic IP versions: IPv4 and IPv6. IPv6 is also called next generation IP or IPng. IPv4 and IPv6 are de-multiplexed at the media layer. For example, IPv6 packets are carried over Ethernet with the content type 86DD (hexadecimal) instead of IPv4s 0800. The IPv4 is described in separate documents. IPv6 increases the IP address size from 32 bits to 128 bits, to support more levels of addressing hierarchy, a much greater number of addressable nodes, and simpler auto-configuration of addresses. IPv6 addresses are expressed in hexadecimal format (base 16) which allows not only numerals (0-9) but a few characters as well (a-f). A sample ipv6 address looks like: 3ffe: ffff: 100:f101:210:a4ff:fee3:9566. Scalability of multicast addresses is introduced. A new type of address called an any cast address is also defined, to send a packet to any one of a group of nodes. Two major improvements in IPv6 vs. v4: * Improved support for extensions and options IPv6 options are placed in separate headers that are located between the IPv6 header and the transport layer header. Changes in the way IP header options are encoded to allow more efficient forwarding, less stringent limits on the length of options, and greater flexibility for introducing new options in the future. à · Flow labeling capability A new capability has been added to enable the labeling of packets belonging to particular traffic flows for which the sender requests special handling, such as non-default Quality of Service or real-time service. à Comparison between IPv6 with IPv4 Data structure of IPv6 has modified as follows: Header length field found in IPv4 is removed in IPv6. Type of Service field found in IPv4 has been replaced with Priority field in IPv6. Time to live field found in IPv4 has been replaced with Hop Limit in IPv6. Total Length field has been replaced with Payload Length field Protocol field has been replaced with Next Header field Source Address and Destination Address has been increased from 32-bits to 128-bits. à Major Similarities IPv6 with IPv4 Both protocols provide loopback addresses. IPv6 multicast achieves the same purpose that IPv4 broadcast does. Both allow the user to determine datagram size, and the maximum number of hops before termination. Both provide connectionless delivery service (datagrams routed independently). Both are best effort datagram delivery services. à Major Differences between IPv6 with IPv4 IPv6 host to IPv6 host routing via IPv4 network: Here, IPv6 over IPv4 tunneling is required to send a datagram. IPv6 packets are encapsulated within IPv4 packets, allowing travel over IPv4 routing infrastructures to reach an IPv6 host on the other side of the .IPv6 over IPv4 tunnel. The two different types of tunneling are automatic and cond. For a cond tunnel, the IPv6 to IPv4 mappings, at tunnel endpoints, have to be manually specified. Automatic tunneling eases tunneling, but nullifies the advantages of using the 128-bit address space. IPv6 host to IPv4 host and vice versa: The device that converts IPv6 packets to IPv4 packets (a dual IP stack/ dual stack router) allows a host to access both IPv4 and IPv6 resources for communication. A dual IP stack routes as well as converts between IPv4 and IPv6 datagrams ICMP: IPv6 enhances ICMP with ICMPv6. The messages are grouped as informational and error. An ICMPv6 message can contain much more information. The rules for message handling are stricter. ICMPv6 uses the Neighbor Discovery Protocol. New messages have been added also. Absence of ARP RARP:
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment
Note: Only a member of this blog may post a comment.