Email, IP and Web

Security
- Dr. G.S. Rawat
E-mail Security

electronic mail is the most heavily used network-based application

explosively growing reliance on email
demand for authentication and confidentiality
Email Security Enhancements

confidentiality
protection from disclosure
authentication
of sender of message
message integrity
protection from modification
non-repudiation of origin
protection from denial by sender
E-mail Architecture
E-mail Architecture
E-mail Security
• Pretty Good Privacy (PGP)

• Secure/Multipurpose Internet Mail Extension (S/MIME)

PGP
• Phil Zimmermann - provide e-mail with privacy, integrity, and authentication
• Pretty Good Privacy (PGP)
• PGP can be used to create a secure e-mail message
• store a file securely for future retrieval
• widely used de facto secure email
• selects best available crypto algs to use
• integrated into a single program
• on Unix, PC, Macintosh and other systems
• originally free, now also have commercial versions available
PGP : Scenarios

A plaintext message
PGP : Scenarios

Message Integrity
PGP : Scenarios

Compression
PGP : Scenarios

Confidentiality with One-Time Session Key

PGP : Scenarios
• Code Conversion (Email compatibility)
Radix-64 conversion

• Segmentation
uniform size units
PGP : Key Rings
PGP : Key Rings …
Alice needs to send a message to another person in the community

• She uses her private key to sign the digest

• She uses the receiver’s public key to encrypt a newly created session
key.
• She encrypts the message and signed digest with the session key
created
PGP : Key Rings …
Alice receives a message from another person in the community

She uses her private key to decrypt the session key.

She uses the session key to decrypt the message and digest
She uses her public key to verify the digest
PGP: Public Key Algorithms
PGP : Symmetric Key Algo
PGP: Hash Algo
PGP: Compression Algo
PGP: Summary
S/MIME
Secure/Multipurpose Internet Mail Extension (S/MIME)
enhancement of the Multipurpose Internet Mail Extension (MIME)
protocol
(MIME) is a supplementary protocol that allows non-ASCII data to be
sent through e-mail
MIME
S/MIME: Functional Flow
Sender’s End
S/MIME: Functional Flow …
Receiver's End
S/MIME: Cryptographic
Algorithms
S/MIME : Summary
IP Security
• many applications, such as routing protocols, directly use the service of
IP
• need security services at the IP layer
• IP Security (IPSec) is a collection of protocols designed by the Internet
Engineering Task Force (IETF)
• network layer in the Internet is often referred to as the Internet Protocol
or IP layer
IPSec
IPSec: Applications

• Secure branch office connectivity over the Internet

• Secure remote access over the Internet
• Establishing extranet and intranet connectivity with partners
• Enhancing electronic commerce security
IPSec: Two modes

• Transport Mode
• Tunnel mode
IPSec: Transport Mode

IPSec in transport mode does not protect the IP header; it only protects the
information coming from the transport layer.
IPSec: Transport Mode
IPSec: Tunnel Mode

IPSec in tunnel mode protects the original IP header.

IPSec:Tunnel Mode
IPSec: Comparison
IPSec : Protocols
provide authentication and/or encryption for packets at the IP level

• Authentication Header (AH)

• Encapsulating Security Payload (ESP)
IPSec: Authentication Header
• authenticate the source host
• ensure the integrity of the payload carried in the IP packet
• uses a hash function and a symmetric key to create a message digest
• the digest is inserted in authentication header

AH protocol provides source authentication and data integrity, but not

privacy
IPSec: Authentication Header Protocol
IPSec: Encapsulating Security
Payload (ESP)
• provides source authentication, integrity, and privacy
IPSec: Services
IPSec: SECURITY ASSOCIATION

• IPSec requires a logical relationship, called a Security Association (SA),

between two hosts
• A Security Association is a contract between two parties; it creates a
secure channel between them
• set of SAs that can be collected into a database (Security Association
Database (SAD)
IPSec: SECURITY POLICY
• defines the type of security applied to a packet when it is to be sent or
when it has arrived
• a host must determine the predefined policy for the packet before using
SAD
• Each host that is using the IPSec protocol needs to keep a Security Policy
Database (SPD)
IPSec: INTERNET KEY EXCHANGE
(IKE)
• protocol designed to create both inbound and outbound Security
Associations
IPSec : IKE Phases
IPSec : IKE Modes
Web Security Considerations

• Web is filled with examples of new and upgraded systems, properly

installed, that are vulnerable to a variety of security attacks

• Web server can be exploited as a launching pad into the corporation’s or

agency’s entire computer complex

• Casual and untrained (in security matters) users are common clients for
Web based services.
Web Security Threats
Web Security Threats
Security Facilities in TCP/IP
Security at Transport Layer
• Secure Sockets Layer (SSL) Protocol
• Transport Layer Security (TLS) Protocol

Transport layer security provides end-to-end security services for

applications that use a reliable transport layer protocol such as TCP
Security at Transport Layer
Secure Socket Layer (SSL)

• SSL is designed to provide security and compression services to data

generated from the application layer
• SSL can receive data from any application layer protocol, but usually the
protocol is HTTP
• The data received from the application is compressed (optional), signed,
and encrypted
SSL: Services
• Fragmentation
• Compression
• Message Integrity
• Confidentiality
• Framing
SSL: Services

SSL
SSL : Key Exchange Methods
SSL: Encryption/decryption
algorithms
SSL: Hash Algorithms
SSL: Compression Algorithms
• compression is optional in SSLv3
• No specific compression algorithm is defined for SSLv3
• default compression method is NULL
• a system can use whatever compression algorithm it desires
SSL: Connection and Session
• In a session, one party has the role of a client and the other the role of a
server
• In a connection, both parties have equal roles, they are peers
SSL : Protocols
Transport Layer Security (TLS)

• TLS is an Internet standard that evolved from a commercial protocol

known as Secure Sockets Layer (SSL).
• TLS is a general-purpose service implemented as a set of protocols that
rely on TCP.

• For example, most browsers come equipped with TLS, and most Web
servers have implemented the protocol.
TLS: Protocol Stack
TLS: Session and Connection
Session
• A TLS session is an association between a client and a server.
• Created by the Handshake Protocol
• Sessions define a set of cryptographic security parameters

Connection
• Connections are peer-to-peer relationships
• Connections are transient
• Every connection is associated with one session
TLS: Protocol

• Handshake Protocol

• Record Protocol
TLS: Record Protocol

• Confidentiality
The Handshake Protocol defines a shared secret key that is used for
conventional encryption of TLS payloads.

• Message Integrity
The Handshake Protocol also defines a shared secret key that is used to
form a message authentication code (MAC)
TLS: Record Protocol Operation
TLS: Other Protocols
TLS: Handshake Protocol
TLS: Handshake Protocol…
TLS: Handshake Protocol …
TLS: Handshake Protocol …
TLS: Handshake Protocol …
TLS: Heartbeat Protocol

Runs on top of the TLS Record Protocol and consists of two message
types: heartbeat_request and heartbeat_response

assures the sender that the recipient is still alive, even though there may
not have been any activity over the underlying TCP connection for a while

generates activity across the connection during idle periods, which avoids
closure by a firewall that does not tolerate idle connections.
HTTPS
• HTTP and SSL to implement secure communication between a Web browser and a Web
server

A normal HTTP connection uses port 80

If HTTPS is specified, port 443 is used, which invokes SSL

URL of the requested document

Contents of the document
Contents of browser forms (filled in by browser user)
Cookies sent from browser to server and from server to browser
Contents of HTTP header
Secure Shell (SSH)
• secure network communications
• simple and inexpensive to implement
• Use - file transfer and email
• method of choice for remote login and X tunneling
SSH : Protocol Stack
Secure Electronic Transaction (SET)

• SET is an open encryption and security specification designed to protect

credit card transactions on the Internet
• SET is not a payment system
• SET is a set of security protocols and formats that enables users to
employ the existing credit card payment infrastructure on an open
network securely
SET: Services
• Provides a secure communications channel among all parties involved in
a transaction
• Provides trust by the use of X.509v3 digital certificates
• Ensures privacy because the information is only available to parties in a
transaction when and where necessary
SET: Features
• Confidentiality of information
• Integrity of data
• Cardholder account authentication
• Merchant authentication
SET: Participants

• Cardholder
• Merchant
• Issuer
• Acquirer
• Payment gateway
• Certification authority (CA)
SET: Components