Security Protocols: Vs Cryptographic Primitives

1. Cryptographic primitives include block ciphers, stream ciphers, hash functions, and public key encryption/decryption and signing/verification algorithms. Cryptographic protocols utilize these primitives in defined sequences and processes.
2. Network security protocols typically establish a shared secret between parties using asymmetric cryptography and then use that shared secret to encrypt and authenticate packets via symmetric cryptography.
3. Examples of network security protocols are SSL/TLS, which establishes secrets via handshake and encrypts via block ciphers, and IPSec, which establishes secrets via ISAKMP and encrypts via ESP/AH. WPA/WEP also establish secrets to encrypt wireless packets.
Security Protocols vs Cryptographic Primitives

Crypto Primitives
Block Ciphers
Stream Ciphers
Hash Functions
Public Key Encryption/Decryption
Public Key Signing/Verification
All primitives can be seen as an algorithm (or a function) with well-defined inputs and outputs.

Cryptographic Protocols
Utilize cryptographic primitives.
A sequence of steps where each step uses cryptographic functions.
For example, CBC defines a protocol for encrypting a file or a packet.
CBC involves repeated use of a simple function (a block cipher) in a specific manner.
Network Security Protocols
Most network security protocols can be seen as consisting of two broad components:
1. A strategy for establishment of a shared secret between two parties
2. A strategy for using the shared secret to encrypt/authenticate (by appending an HMAC) a packet
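As an added example (not from the slides), the second component in Python's standard library: a shared secret is split by HKDF into separate encryption and MAC keys, the packet is encrypted and an HMAC is appended, and the receiver verifies the HMAC in constant time before decrypting. The keystream built from HMAC-SHA256 over a nonce and counter is an assumed, illustrative stand-in for the block or stream cipher a real record protocol uses, not the construction of TLS, ESP or WPA.

```python
import hashlib
import hmac
import struct

def hkdf(secret: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """HKDF (RFC 5869) with HMAC-SHA256: extract a PRK, then expand it."""
    prk = hmac.new(salt or b"\x00" * 32, secret, hashlib.sha256).digest()
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]

def derive_keys(shared_secret: bytes) -> tuple:
    """Separate keys for the two record jobs: encryption and HMAC authentication."""
    return (hkdf(shared_secret, b"", b"record enc", 32),
            hkdf(shared_secret, b"", b"record mac", 32))

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Illustrative PRF keystream: HMAC-SHA256 over nonce||counter (stand-in for a cipher)."""
    out = b""
    for i in range((length + 31) // 32):
        out += hmac.new(key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
    return out[:length]

def protect(shared_secret: bytes, seq: int, payload: bytes) -> bytes:
    """Build a record: header(seq, len) || ciphertext || HMAC tag (encrypt-then-MAC)."""
    enc_key, mac_key = derive_keys(shared_secret)
    nonce = struct.pack(">Q", seq)  # the sequence number doubles as the nonce
    ct = bytes(p ^ k for p, k in zip(payload, keystream(enc_key, nonce, len(payload))))
    header = nonce + struct.pack(">H", len(ct))
    tag = hmac.new(mac_key, header + ct, hashlib.sha256).digest()
    return header + ct + tag

def unprotect(shared_secret: bytes, record: bytes):
    """Verify the HMAC first (constant-time compare), then decrypt; None on any failure."""
    enc_key, mac_key = derive_keys(shared_secret)
    if len(record) < 10 + 32:
        return None
    header, body, tag = record[:10], record[10:-32], record[-32:]
    nonce, length = header[:8], struct.unpack(">H", header[8:])[0]
    if length != len(body):
        return None
    if not hmac.compare_digest(tag, hmac.new(mac_key, header + body, hashlib.sha256).digest()):
        return None
    return bytes(c ^ k for c, k in zip(body, keystream(enc_key, nonce, len(body))))
```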
Key Establishment
1. Uses asymmetric primitives
2. Relies on a certificate authority (PKI) for authenticated establishment of a shared secret
3. Certification is necessary to prevent man-in-the-middle attacks

SSL/TLS
1. Handshake protocol for establishing a secret between client and server (plus server authentication) (asymmetric primitives + PKI)
2. SSL Record protocol for encrypting (using a block cipher in CBC mode) and/or authenticating (using a hash function for HMAC) the SSL payload

IPSec
1. ISAKMP for establishing a secret (security association or SA) between two hosts
2. IPSec ESP/AH for encrypting/authenticating the IPSec payload
   a. IPSec payload is a transport segment (for transport mode)
   b. or an entire IP packet (for tunnel mode)

WEP/WPA
1. Shared secret is established
   a. statically, for home networks
   b. using 802.1x for enterprise networks (after the client successfully authenticates itself to the RADIUS server)
   c. 802.1x may rely on PKI (if EAP-TLS or EAP-TTLS is used)
2. WPA/WEP uses the shared secret to encrypt/authenticate the MAC layer payload (typically an IP packet)
Figure: protocols layered on primitives. Shared secrets are used by the SSL Record Protocol, IPSec ESP/AH and WPA/WEP; they are established by the SSL Handshake, ISAKMP and 802.1x. Underlying primitives: stream cipher, PKI, block cipher, hash function, asymmetric primitives.
Network stack in a scenario where both IPSec and SSL are used. Tunnel mode (left), transport mode (right), listed top to bottom:
Tunnel mode:    DATA / H.S or HTTP / SSL Record / TCP / IP / IPSec / IP (tunnel) / DLL
Transport mode: DATA / H.S or HTTP / SSL Record / TCP / IPSec / IP / DLL
Packet nesting structure in a scenario where both IPSec (transport mode) and SSL are used:
DLH | IP | ESP/AH | TH | SSL RP | HS/HTTP | DATA | CRC
Data link header (DLH), IP header (IP), ESP/AH header, transport (TCP) header (TH), SSL record protocol header (SSL RP), SSL handshake (during key exchange) or HTTP header (HS/HTTP), application data, data link footer (CRC).

If WEP/WPA is used, all fields from the IP header to the CRC are encrypted using the RC4 stream cipher.