4-1: Cryptographic System
Copyright Pearson Prentice-Hall 2010
Cryptographic System Standards
Transmission across untrusted networks: Internet, wireless LANs, etc.
Companies will (should) apply cryptographic systems.
Virtual Private Network (VPN)
SSL/TLS (Secure Socket Layer/Transport Layer Security)
  Non-transparent: does not automatically protect application messages.
  Only messages from applications that are SSL/TLS aware are protected (web browsers/web servers; many email programs).
  But there's a problem.
IPsec
  Operates on the Internet layer.
  Everything in the IP packet's data field is protected.
  Transparent protection: applications and the transport layer are protected without changes (see Module A).
Hybrid TCP/IP-OSI layers (figure): Application; Transport (TCP, UDP); Internet (IP); Single Network (Data Link, Physical)
Remote Access VPNs
Connects a single client to a network.
Connection is to a VPN gateway, used for authentication and access control.
Depending on access authorization, the connection can be to multiple computers on the network.
Uses SSL/TLS between the browser and the gateway; the gateway is a web server as far as SSL/TLS is concerned.
SSL/TLS protects messages between the client and the gateway.
The gateway authenticates itself to the client via public key authentication.
Types of Remote Access Connections
Web server
Database server: the gateway translates browser requests into queries to the database and translates database responses into web pages ("webifies" them).
Router: connection to a subnet of the network.
4-5: SSL/TLS and Remote Access VPN Using a Gateway (figure)
4-4: SSL/TLS Handshaking Phase
Step 1, Client, Client Hello: Client requests a secure connection. Client lists the cipher suites it supports.
Step 2, Server, Server Hello: Server indicates willingness to proceed. Selects a cipher suite to use in the session.
Step 3, Server, Certificate: Server sends its digital certificate containing its public key. (Client should check the certificate's validity.)
Step 4, Server, ServerHelloDone: Server indicates that its part in the initial introduction is finished.
Step 5, Client, ClientKeyExchange: Client generates a random symmetric session key and encrypts it with the server's public key. It sends this encrypted key to the server. Only the server can decrypt the key, using the server's own private key. The server decrypts the session key. Both sides now have the session key.
Step 6, Client, ChangeCipherSpec*: Client changes the selected cipher suite from pending to active.
Step 7, Client, Finish: Client indicates that its part in the initial introduction is finished.
Step 8, Server, ChangeCipherSpec*: Server changes the selected cipher suite from pending to active.
Step 9, Server, Finish: Server indicates that its role in selecting options is finished.
Step 10: Ongoing communication stage begins.
*Not cipher suite.
Stage 1: steps 1-4. Stages 2 & 3: steps 5-9 (key exchange using public key encryption for confidentiality).
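The ten handshake steps above, played out as a small simulation. This is an added example, not code from the Pearson slides or from any TLS library: the cipher-suite names, the certificate fields, the trusted-CA set and the session-key values are constructed, and a textbook-sized RSA key pair (n = 3233) stands in for the server's real key so that step 5 (encrypt the session key with the server's public key, decrypt with the private key) can be shown with plain integer arithmetic. It also shows the check the slide says the client "should" do in step 3: an expired or untrusted certificate aborts the handshake before any key is sent.

```python
"""Toy walk-through of the SSL/TLS RSA-key-exchange handshake (steps 1-10).

Added example, not from the slides. The RSA numbers are textbook values and
the 'cipher suites' are just labels; a real client uses a TLS library.
"""
import secrets

# Constructed data: what the client offers and what the server prefers.
CLIENT_SUITES = ["TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_3DES_EDE_CBC_SHA"]
SERVER_PREFERENCE = ["TLS_RSA_WITH_AES_256_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA"]

# Toy RSA key pair: p=61, q=53 -> n=3233, phi=3120, e=17, d=2753 (17*2753 = 15*3120 + 1).
SERVER_PUBLIC = (3233, 17)
SERVER_PRIVATE = (3233, 2753)

# Constructed certificate (validity expressed as years for simplicity).
SERVER_CERT = {"subject": "vpn-gateway.example", "issuer": "Example Root CA",
               "public_key": SERVER_PUBLIC, "not_before": 2010, "not_after": 2012}
TRUSTED_CAS = {"Example Root CA"}


def server_hello(client_suites, server_preference=SERVER_PREFERENCE):
    """Step 2: pick the first suite in the server's preference order the client offered."""
    for suite in server_preference:
        if suite in client_suites:
            return suite
    raise ValueError("no common cipher suite")


def check_certificate(cert, now, trusted=TRUSTED_CAS):
    """Step 3, client side: issuer must be trusted and 'now' must lie in the validity window."""
    if cert["issuer"] not in trusted:
        return False
    return cert["not_before"] <= now <= cert["not_after"]


def client_key_exchange(public_key):
    """Step 5: random session key, sent encrypted under the server's public key."""
    n, e = public_key
    session_key = secrets.randbelow(n - 2) + 2   # 2 .. n-1, a valid message for the toy modulus
    return session_key, pow(session_key, e, n)


def server_decrypt_key(private_key, ciphertext):
    """Step 5, server side: only the private key recovers the session key."""
    n, d = private_key
    return pow(ciphertext, d, n)


def run_handshake(now=2011, client_suites=CLIENT_SUITES):
    """Run steps 1-9 and return the transcript plus both sides' view of the session key."""
    transcript = [("Client", "ClientHello", list(client_suites))]
    suite = server_hello(client_suites)
    transcript += [("Server", "ServerHello", suite),
                   ("Server", "Certificate", SERVER_CERT["subject"]),
                   ("Server", "ServerHelloDone", None)]
    if not check_certificate(SERVER_CERT, now):
        raise ValueError("certificate rejected; handshake aborted before key exchange")
    client_key, encrypted = client_key_exchange(SERVER_CERT["public_key"])
    transcript.append(("Client", "ClientKeyExchange", encrypted))
    # Steps 6-7: the client moves the negotiated suite from pending to active.
    client_state = {"pending": suite, "active": None}
    client_state["active"], client_state["pending"] = client_state["pending"], None
    transcript += [("Client", "ChangeCipherSpec", None), ("Client", "Finished", None)]
    # Steps 8-9: the server decrypts the key and does the same.
    server_key = server_decrypt_key(SERVER_PRIVATE, encrypted)
    server_state = {"pending": None, "active": suite}
    transcript += [("Server", "ChangeCipherSpec", None), ("Server", "Finished", None)]
    return {"suite": suite, "client_key": client_key, "server_key": server_key,
            "client_active": client_state["active"], "server_active": server_state["active"],
            "transcript": transcript}


if __name__ == "__main__":
    for sender, name, body in run_handshake()["transcript"]:
        print(f"{sender:6s} {name:18s} {body if body is not None else ''}")
```

Note that the wire value in the ClientKeyExchange message differs from both sides' session key, which is the point of step 5: an eavesdropper on the untrusted network sees only the ciphertext, while the server ends up with the same key the client generated.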
Site-to-Site VPNs
Protects all traffic between two sites.
VPN gateway on both ends of the transmission; the VPN gateways encrypt/decrypt messages.
IPsec Modes
Transport (Host-to-Host)
  Protects messages from host to host, over the site networks and the Internet.
  Requires installing IPsec on each client/server (not built into the browser): costly.
  Eliminates the firewall's ability to filter content, because the content is encrypted.
Tunnel (Site-to-Site)
  Protects messages between VPN gateways over the Internet.
  Less costly than transport mode.
  The firewall can filter content.
IPsec Operation: Transport Mode (figure)
1. End-to-end security (good)
2. Security in the site network (good)
3. Setup cost on each host (costly)
IPsec Operation: Tunnel Mode (figure)
2. No security in the site network (bad)
3. No setup cost on each host (good)
4-8: Comparing IPsec Transport and Tunnel Modes
Uses an IPsec VPN gateway?
  Transport mode: No.
  Tunnel mode: Yes.
Cryptographic protection
  Transport mode: All the way from the source host to the destination host, including the Internet and the two site networks.
  Tunnel mode: Only over the Internet between the IPsec gateways. Not within the two site networks.
Setup costs
  Transport mode: High. Setup requires the creation of a digital certificate for each client and significant configuration work.
  Tunnel mode: Low. Only the IPsec gateways must implement IPsec, so only they need digital certificates and need to be configured.
Firewall friendliness
  Transport mode: Bad. A firewall at the border of a site cannot filter packets because the content is encrypted.
  Tunnel mode: Good. Each packet is decrypted by the IPsec gateway. A border firewall after the IPsec gateway can filter the decrypted packet.
The "bottom line"
  Transport mode: End-to-end security at high cost.
  Tunnel mode: Low cost, and protects the packet over the most dangerous part of its journey.
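The "cryptographic protection" and "firewall friendliness" rows are easiest to see at the byte level. The following added example (not from the slides, and not a real IPsec implementation) builds the same TCP segment in the two modes: transport mode keeps the hosts' own IP header and encrypts only the segment, while tunnel mode encrypts the whole original packet and wraps it in a new IP header addressed between the two gateways. The IPv4 and ESP header layouts are the real ones (20-byte IPv4 header; ESP starts with a 32-bit SPI and sequence number), but the cipher is a toy XOR keystream, ESP padding and the integrity check value are omitted, and all addresses, SPIs and the key are constructed. A `firewall_view` function then shows what a border firewall can filter on in each case.

```python
"""ESP transport vs tunnel mode, sketched at the byte level. Added example.

Real IPsec uses AES (or similar) plus an ICV; the XOR keystream here only
makes the 'encrypted' bytes unreadable so the structure can be compared.
"""
import hashlib
import ipaddress
import struct

PROTO_IPIP, PROTO_TCP, PROTO_ESP = 4, 6, 50
IPV4_FMT = "!BBHHHBBH4s4s"   # version/IHL, TOS, total length, ID, flags/frag, TTL, proto, csum, src, dst


def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header (checksum left zero; this never hits a wire)."""
    return struct.pack(IPV4_FMT, 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def parse_ipv4(pkt):
    f = struct.unpack(IPV4_FMT, pkt[:20])
    return {"src": str(ipaddress.IPv4Address(f[8])), "dst": str(ipaddress.IPv4Address(f[9])),
            "proto": f[6], "payload": pkt[20:f[2]]}


def toy_xor(key, data):
    """Toy keystream cipher (SHA-256 counter mode); symmetric, so it also decrypts."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def esp_wrap(key, spi, seq, inner, next_header):
    """ESP header (SPI, sequence) in the clear, then the encrypted payload.
    The trailer's Next Header byte is kept as the last encrypted byte; padding/ICV omitted."""
    return struct.pack("!II", spi, seq) + toy_xor(key, inner + bytes([next_header]))


def esp_unwrap(key, esp):
    plain = toy_xor(key, esp[8:])
    return plain[:-1], plain[-1]


def tcp_segment(sport, dport, payload):
    """Only the two port fields matter for the firewall comparison, so that is all we model."""
    return struct.pack("!HH", sport, dport) + payload


def transport_mode(key, src_host, dst_host, segment):
    """Host-to-host: original IP addresses stay, ESP sits between IP header and TCP segment."""
    esp = esp_wrap(key, 0x1001, 1, segment, PROTO_TCP)
    return ipv4_header(src_host, dst_host, PROTO_ESP, len(esp)) + esp


def tunnel_mode(key, gateway_a, gateway_b, original_packet):
    """Site-to-site: the entire original packet is encrypted and gets a new gateway-to-gateway header."""
    esp = esp_wrap(key, 0x2002, 1, original_packet, PROTO_IPIP)
    return ipv4_header(gateway_a, gateway_b, PROTO_ESP, len(esp)) + esp


def firewall_view(pkt):
    """What a packet-filtering firewall can read: ports for plaintext TCP, only SPI for ESP."""
    hdr = parse_ipv4(pkt)
    view = {"src": hdr["src"], "dst": hdr["dst"], "proto": hdr["proto"]}
    if hdr["proto"] == PROTO_TCP:
        view["sport"], view["dport"] = struct.unpack("!HH", hdr["payload"][:4])
    elif hdr["proto"] == PROTO_ESP:
        view["spi"] = struct.unpack("!I", hdr["payload"][:4])[0]
    return view


def gateway_decapsulate(key, pkt):
    """The receiving IPsec gateway strips the outer header and ESP, yielding the original packet."""
    inner, next_header = esp_unwrap(key, parse_ipv4(pkt)["payload"])
    if next_header != PROTO_IPIP:
        raise ValueError("not a tunnel-mode packet")
    return inner


def demo():
    key = b"constructed-sa-key"                      # constructed; a real SA key comes from IKE
    seg = tcp_segment(51000, 443, b"GET / HTTP/1.1")
    plain = ipv4_header("10.1.0.5", "10.2.0.9", PROTO_TCP, len(seg)) + seg
    transport = transport_mode(key, "10.1.0.5", "10.2.0.9", seg)
    tunnel = tunnel_mode(key, "203.0.113.1", "198.51.100.1", plain)
    return {"transport_at_border": firewall_view(transport),        # encrypted end to end: no ports
            "tunnel_on_internet": firewall_view(tunnel),            # only gateway addresses visible
            "tunnel_after_gateway": firewall_view(gateway_decapsulate(key, tunnel))}


if __name__ == "__main__":
    for where, view in demo().items():
        print(where, view)
```

In the transport-mode packet the border firewall sees protocol 50 and an SPI but no ports, which is the "Bad" in the firewall row; in tunnel mode the packet crossing the Internet exposes only the two gateway addresses, and once the gateway has decapsulated it the firewall behind the gateway sees the original 10.1.0.5 to 10.2.0.9 packet with its TCP ports and can filter it normally.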
4-6: IP Security (IPsec) versus SSL/TLS
Cryptographic security standard: SSL/TLS Yes; IPsec Yes.
Cryptographic security protections: SSL/TLS Good; IPsec Gold standard.
Supports central management: SSL/TLS No; IPsec Yes.
Complexity and expense: SSL/TLS Lower; IPsec Higher.
Layer of operation: SSL/TLS Transport; IPsec Internet.
Transparently protects all higher-layer traffic: SSL/TLS No; IPsec Yes.
Works with IPv4 and IPv6: SSL/TLS NA; IPsec Yes.
Modes of operation: SSL/TLS NA; IPsec Transport, Tunnel.
4-9: IPsec Security Associations
Kind of like a cipher suite.