
Pappu Sai Lakshman

GNS Assignment-2    20BAIAOSM2; CSE-D

1. Describe the transport layer protocols SSL and TLS.


Secure Socket Layer (SSL):
SSL provides security to the data that is transferred between a web browser and a server. SSL encrypts the link between a web server and a browser, which ensures that all data passed between them remains private and free from attack.

SSL Protocols:
* SSL record protocol
* Handshake protocol
* Change-cipher spec protocol
* Alert protocol

SSL protocol stack:

    Handshake | Change cipher | Alert    | HTTP
    protocol  | spec protocol | protocol |
    ---------------------------------------------
                  SSL Record Protocol
    ---------------------------------------------
                         TCP

SSL Record Protocol:

The SSL record protocol provides two services to an SSL connection:
* Confidentiality
* Message integrity
In the SSL record protocol, application data is divided into fragments. Each fragment is compressed, and then a MAC (Message Authentication Code), generated by algorithms like SHA (Secure Hash Algorithm) and MD5 (Message Digest), is appended. After that the data is encrypted, and finally the SSL header is appended to the data.

Record protocol operation:

    Fragment -> Compression (optional) -> MAC appended -> Encryption -> SSL Header appended

Handshake Protocol:
The handshake protocol is used to establish sessions. This protocol allows the client and server to authenticate each other by sending a series of messages to each other. The handshake protocol uses four phases to complete its cycle.
Phase 1: In phase 1, both client and server send hello packets to each other. In this IP session, the cipher suite and protocol version are exchanged for security purposes.
Phase 2: The server sends its certificate and server-key-exchange. The server ends phase 2 by sending the server-hello-end packet.
Phase 3: In this phase the client replies to the server by sending its certificate and client-key-exchange.
Phase 4: In phase 4, change-cipher spec occurs, and after this the handshake protocol ends.

SSL handshake protocol phases, diagrammatic representation:

    CLIENT                                              SERVER
    Phase 1   Client Hello  ------------------------>   Establish
              <------------------------  Server Hello   connection
    Phase 2   <---  Server sends certificate,           Server
                    requests client certificate,        authentication
                    Server key exchange
    Phase 3   Client sends certificate,  --------->     Client
              Client key exchange                       authentication
    Phase 4   Change cipher spec,                       Handshake
              Handshake finished                        ends

Change-cipher spec protocol:

This protocol uses the SSL record protocol. Until the handshake protocol is completed, the SSL record output will be in a pending state. After the handshake protocol, the pending state is converted into the current state.
The change-cipher spec protocol consists of a single message which is 1 byte in length and can have only one value. This protocol's purpose is to cause the pending state to be copied into the current state.

    | 1 byte |
Alert protocol:
This protocol is used to convey SSL-related alerts to the peer entity. Each message in this protocol contains 2 bytes:

    | Level (1 byte) | Alert (1 byte) |

The level is further classified into two parts:
Warning (level = 1): This alert has no impact on the connection between sender and receiver. Some of them are:
* Bad certificate
* No certificate
* Certificate expired
* Certificate unknown
* Close notify
* Unsupported certificate
* Certificate revoked
Fatal error (level = 2): This alert breaks the connection between sender and receiver. The connection will be stopped; it cannot be resumed but can be restarted. Some of them are:
* Handshake failure
* Decompression failure
* Illegal parameters
* Bad record MAC
* Unexpected message
The second byte in the alert protocol describes the error.
Salient features of SSL:
* The advantage of this approach is that the service can be tailored to the specific needs of the given application.
* Secure Socket Layer was originated by Netscape.
* This is a two-layered protocol.

Characteristics of SSL:
The SSL certificate has several important characteristics that make it a reliable solution for securing online transactions:

(2) Authentication
(3) Integrity
(4) Non-repudiation
(5) Public-key cryptography
(6) Session management
(7) Certificates issued by trusted CAs.

TLS (Transport Layer Security):
TLS was designed to provide security at the transport layer. TLS was derived from a security protocol called Secure Socket Layer (SSL). TLS ensures that no third party may eavesdrop on or tamper with any message.
There are several benefits of TLS:
Encryption: TLS/SSL can help to secure transmitted data using encryption.
Interoperability: TLS/SSL works with most web browsers, including Microsoft Internet Explorer, and on most operating systems and web servers.
Algorithm flexibility: TLS/SSL provides options for the authentication mechanism, encryption algorithm and hashing algorithm that are used during the secure session.
Ease of deployment: Many applications use TLS/SSL transparently on the Windows Server 2003 operating system.
Ease of use: Because we implement TLS/SSL beneath the application layer, most of its operations are completely invisible to the client.

Working of TLS:
* The client connects to the server (using TCP); the client can be anything. The client sends a number of specifications:
  (1) Version of SSL/TLS
  (2) Which cipher suites and compression method it wants to use.
* The server then checks what the highest SSL/TLS version is that is supported by them both, picks a cipher suite from one of the client's options (if any) and optionally picks a compression method.
* After this the basic setup is done, and the server provides its certificate. This certificate must be trusted either by the client itself or by a party that the client trusts.
* Having verified the certificate and being certain this server really is who he claims to be, a key is exchanged.
* This can be a public key, a PreMasterSecret or simply nothing, depending upon the cipher suite.

3. Explain the importance of system security through Firewalls.

Firewall: A firewall is a network security device, either hardware- or software-based, which monitors all incoming and outgoing traffic and, based on a predefined set of security rules, either accepts, rejects or drops that specific traffic.
All data packets entering or leaving the internal network must pass through the firewall. The firewall examines each packet and blocks those that do not meet the specified security criteria.
* Firewalls establish a barrier between the Local Area Network (LAN) and the untrusted Internet.
* It allows keeping private resources confidential and minimizes the security risks.
* It controls network traffic in both directions (i.e. incoming packets to the LAN and outgoing packets from the LAN).
* Firewalls form a single choke point where security and audit can be imposed.
Need of Firewalls:
* Connectivity to the Internet is no longer optional for organizations.
* Accessing the Internet provides benefits to the organization and individuals.
* Connectivity to the Internet also enables the outside world users (both trusted and untrusted) to interact with the internal network of the organization.
* Some untrusted users may intentionally create damage to our data in the LAN, and some trusted users may unintentionally create damage to our data in the LAN.
* Connectivity to the Internet is compulsory, and so it also creates a threat to the organization.
* In order to secure the internal network from unauthorized traffic we need a firewall.

    Public Internet        +----------+        Administered network (LAN)
    untrusted, "bad"  <--->| Firewall |<--->   trusted, "good"
                           +----------+

All the traffic from inside to outside, and outside to inside, must pass through the firewall; only authorized traffic will be allowed to pass.
The firewall itself is a trusted system with a secure operating system.
A firewall uses the following controls to provide security:
Service control: Determines the types of Internet services that can be accessed, inbound or outbound.
Direction control: Determines the direction in which particular service requests are allowed to flow.
User control: Controls access to a service according to which user is attempting to access it.
Behavior control: Controls how particular services are used.

Limitations of Firewalls:
(1) Cannot protect against attacks that bypass the firewall.
    Ex: PCs with dial-out capability to an ISP, or dial-in modem pool use.
(2) Do not protect against internal threats.
    Ex: an irritated employee, or one who co-operates with an attacker.
(3) Cannot protect against the transfer of virus-infected programs or files.

Types of Firewalls:
Firewalls are generally classified as three types:
* Packet filtering router
* Application-level gateway
* Circuit-level gateway
