Week 10
Outline
• 4. Network Security
  — 4.1. Internet Security Protocols and Standards
  — 4.2. Internet Authentication Applications
  — 4.3. Wireless Network Security
4.1 Internet Security Protocols and Standards
4.1. Outline
• Secure Email and S/MIME
• DomainKeys Identified Mail
• Secure Sockets Layer (SSL) and Transport Layer Security (TLS)
• HTTPS
• IPv4 and IPv6 Security
MIME and S/MIME

MIME
• Extension to the old RFC 822 specification of an Internet mail format
• RFC 822 defines a simple heading with To, From, Subject
• Assumes ASCII text format
• Provides a number of

S/MIME
• Secure/Multipurpose Internet Mail Extension
• Security enhancement to the MIME Internet e-mail format
• Based on technology from RSA Data Security
[Figure: S/MIME sign-then-encrypt flow. Sender side: sign Msg with the sender's private key (e.g., RSA/SHA-256) to produce Sig; encrypt Msg and Sig with a one-time secret key generated by the sender (e.g., AES-128/CBC); encrypt that secret key with the receiver's public key (e.g., RSA). Receiver side: decrypt the secret key with the receiver's private key (e.g., RSA); decrypt Msg and Sig (e.g., AES-128/CBC); verify Sig with the sender's public key (e.g., RSA/SHA-256).]
[Figure: Internet mail architecture. The message author's Message User Agent (MUA) submits via ESMTP (Submission) to the Message Submission Agent (MSA); Message Transfer Agents (MTAs) relay via SMTP (or locally); the Message Delivery Agent (MDA) delivers to the Message Store (MS); the message recipient's MUA retrieves via IMAP, POP or local access. DomainKeys Identified Mail adds a Signer on the sending side and a Verifier on the receiving side, with the Verifier consulting DNS.]
SSL Record Protocol (layered over TCP and IP)
• Fragment
• Compress
• Add MAC
• Encrypt
• Append SSL record header
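As an added illustration of the record-protocol pipeline above (example code, not part of the course material): a Python model of the fragment, MAC, encrypt and header steps, with the receiver reversing them and rejecting a modified or reordered record. Compression is the identity here, and HMAC-SHA256 in counter mode stands in for the negotiated cipher because the standard library has no AES; the keys and constants are constructed for the example.

```python
import hmac
import hashlib
import struct

MAX_FRAGMENT = 2 ** 14        # record layer fragments application data into <= 2^14-byte pieces
APPLICATION_DATA = 23         # content type carried in the record header
VERSION = b"\x03\x03"         # protocol version bytes in the record header (TLS 1.2 value)
TAG_LEN = 32                  # HMAC-SHA256 output length

def _keystream(enc_key, seq, length):
    """Stand-in for the negotiated cipher: HMAC-SHA256 in counter mode (constructed for illustration)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, struct.pack(">QI", seq, counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def _mac(mac_key, seq, content_type, fragment):
    """MAC covers the implicit sequence number, the header fields and the (compressed) fragment."""
    data = struct.pack(">QB", seq, content_type) + VERSION + struct.pack(">H", len(fragment)) + fragment
    return hmac.new(mac_key, data, hashlib.sha256).digest()

def protect(plaintext, mac_key, enc_key, seq=0):
    """Sender side: fragment -> compress (identity here) -> add MAC -> encrypt -> append record header."""
    records = []
    for i in range(0, len(plaintext), MAX_FRAGMENT):
        fragment = plaintext[i:i + MAX_FRAGMENT]
        body = fragment + _mac(mac_key, seq, APPLICATION_DATA, fragment)
        ciphertext = bytes(a ^ b for a, b in zip(body, _keystream(enc_key, seq, len(body))))
        header = struct.pack(">B", APPLICATION_DATA) + VERSION + struct.pack(">H", len(ciphertext))
        records.append(header + ciphertext)
        seq += 1   # per-record sequence number, kept by both sides and never sent on the wire
    return records

def unprotect(records, mac_key, enc_key, seq=0):
    """Receiver side: parse header -> decrypt -> verify MAC -> reassemble; raises ValueError on tampering."""
    plaintext = b""
    for record in records:
        content_type, _version, length = struct.unpack(">B2sH", record[:5])
        ciphertext = record[5:5 + length]
        body = bytes(a ^ b for a, b in zip(ciphertext, _keystream(enc_key, seq, len(ciphertext))))
        fragment, tag = body[:-TAG_LEN], body[-TAG_LEN:]
        if not hmac.compare_digest(tag, _mac(mac_key, seq, content_type, fragment)):
            raise ValueError("record %d failed MAC check (modified, reordered or replayed)" % seq)
        plaintext += fragment
        seq += 1
    return plaintext
```

Because the sequence number is bound into both the MAC and the keystream, a record delivered out of order fails verification even though its bytes are untouched.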
Handshake Protocol

Goals: negotiate cryptographic algorithms, authenticate each other, and negotiate the encryption and MAC keys to be used.

Phase 2 (server_certificate, server_key_exchange, certificate_request, server_hello_done): Server may send certificate, key exchange, and request certificate. Server signals end of hello message phase.

Phase 3 (certificate, client_key_exchange, certificate_verify): Client sends certificate if requested. Client sends key exchange. Client may send certificate verification.

Phase 4 (change_cipher_spec, finished, sent in both directions): Change cipher suite and finish handshake protocol.
IPv4 and IPv6 Security (IPsec)
• Four general categories:
• Also an authentication-only function, implemented using an Authentication Header (AH)
• Because message authentication is provided by ESP, the use of AH is included in IPsecv3 for backward compatibility but should not be used in new applications
• Specification is quite complex: numerous RFCs (2401/4302/4303/4306)
Security Associations
• A one-way relationship between sender and receiver that affords security for traffic flow
• If a peer relationship is needed for two-way secure exchange, then two security associations are required
• Is uniquely identified by the Destination Address in the IPv4 or IPv6 header and the SPI in the enclosed extension header (AH or ESP)

Defined by 3 parameters:
• Security Parameter Index (SPI)
• IP Destination Address
• Protocol Identifier
[Figure: packet format (bit positions 0, 16, 24, 31) showing the Sequence Number field and the spans of Authentication Coverage and Confidentiality Coverage.]