Integrated Security System

Cryptographic Systems

When two parties communicate …

Their software usually handles the details

First, negotiate security methods

Then, authenticate one another

Then, exchange symmetric session key

Then can communicate securely using symmetric session key and message-by-message authentication

Cryptographic Systems

Initial Hand-Shaking Phases

Negotiation of parameters

Mutual authentication

Key exchange of symmetric session key

Ongoing Communication

Message-by-message confidentiality, authentication, and message integrity

Occur at several layers

Cryptographic System

Three Initial “Hand-Shaking” Phases (between Client PC and Server)

Phase 1: Initial Negotiation of Security Parameters

Phase 2: Mutual Authentication

Phase 3: Key Exchange or Key Agreement

Cryptographic System

Phase 4: Ongoing Communication with Message-by-Message Confidentiality, Authentication, and Message Integrity (between Client PC and Server)

The Initial Hand-Shaking Stages are Very Brief

Almost All Messages are Sent During the Ongoing Exchange Phase

Major Cryptographic Systems (by layer)

Application: Kerberos

Transport: SSL/TLS

Internet: IPsec

Data Link: PPTP, L2TP (really only a tunneling system)

Physical: Not applicable. No messages are sent at this layer—only individual bits

Cryptographic System

SSL/TLS

SSL (Secure Sockets Layer): developed by Netscape

TLS (now): Netscape gave IETF control over SSL

IETF renamed it TLS (Transport Layer Security)

Usually still called SSL

SSL/TLS works at the transport layer

Protects SSL/TLS-aware applications, mostly HTTP

Widely used in e-commerce

It is also used for remote access: HTTP access to web applications (e-mail), or with a downloaded client program

Negotiation of security parameters

Server authenticates self to client using digital certificate (usually not mutual authentication)

Client generates random session key and sends it to the server encrypted with the server's public key

SSL/TLS Protocol Stack

ISO Open Systems Interconnect model

SSL runs beneath application layers, e.g. HTTP, FTP, SMTP, etc.

SSL runs above transport protocols such as TCP.

SSL Operation

Browser & Webserver Software Implement SSL

User can be unaware

SSL/TLS Operation

Protects All Application Traffic That is SSL/TLS-Aware

SSL/TLS Works at Transport Layer

Applicant (Customer Client) and Verifier (Merchant Server)

1. Negotiation of Security Options (Brief)

2. Merchant Authenticates Self to Customer; Uses a Digital Certificate

Customer Authentication is Optional and Uncommon

3. Client Generates Random Session Key; Client Sends Key to Server Encrypted with Public Key Encryption

4. Ongoing Communication with Confidentiality and Merchant Digital Signatures
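Steps 1 through 4 above, run end to end as an added example (not from the original slides): Go's standard crypto/tls library carries out the handshake between an in-memory client and server, using an assumed merchant name merchant.example and a self-signed certificate created on the fly. Because it negotiates TLS 1.3, step 3 is the "key agreement" variant named earlier (ephemeral Diffie-Hellman) rather than the client encrypting a session key under the server's public key, which TLS 1.3 no longer supports.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"io"
	"math/big"
	"net"
	"time"
)
// RunSession drives a TLS client and server through the handshake and one protected round
// trip over an in-memory pipe (no network needed), with a throwaway self-signed certificate
// for "merchant.example" as the server's; expectName is the name the client insists on.
func RunSession(expectName, msg string) (tls.ConnectionState, string, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return tls.ConnectionState{}, "", err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{"merchant.example"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return tls.ConnectionState{}, "", err
	}
	leaf, _ := x509.ParseCertificate(der) // cannot fail: we just built it
	roots := x509.NewCertPool()
	roots.AddCert(leaf) // the client trusts exactly this certificate and nothing else
	cRaw, sRaw := net.Pipe()
	server := tls.Server(sRaw, &tls.Config{SessionTicketsDisabled: true, // tickets would block the unbuffered pipe
		Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: priv}}})
	client := tls.Client(cRaw, &tls.Config{ServerName: expectName, RootCAs: roots, MinVersion: tls.VersionTLS13})
	go func() { defer sRaw.Close(); io.Copy(server, server) }() // server: handshake inside first Read, then echo
	defer cRaw.Close()
	// Phases 1-3: negotiate parameters, verify the server's certificate (signature and name) against roots, derive keys.
	if err := client.Handshake(); err != nil {
		return tls.ConnectionState{}, "", err
	}
	// Phase 4: application data travels in records that are encrypted and integrity-protected.
	if _, err := client.Write([]byte(msg)); err != nil {
		return tls.ConnectionState{}, "", err
	}
	buf := make([]byte, 256)
	n, err := client.Read(buf)
	if err != nil {
		return tls.ConnectionState{}, "", err
	}
	return client.ConnectionState(), string(buf[:n]), nil
}
```

Passing any name other than merchant.example as expectName makes the handshake fail at step 2, which is the check that prevents one server from passing itself off as another.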

Virtual Private Networks (see separate slides for more details)

Secure communication over the Internet

Site-to-Site VPNs: between security gateways at each site; must handle a large amount of intersite traffic

Remote Access VPNs: to connect an individual user to a site

Host-to-Host (not mentioned in the text)

SSL/TLS VPNs

Growing rapidly in popularity for remote access

Easy to implement: webservers already implement it, and clients already have browsers

If only using HTTP, very easy

Becoming popular

SSL/TLS gateways at sites allow more

Single point of encryption for access to multiple webservers

Output from some applications, such as Outlook and Outlook Express, is “webified” so that it can be delivered to browsers

If browser will accept a downloaded add-in program, can get access to even more applications