Professional Documents
Culture Documents
UNIT 5
WEB SECURITY
E-mail Security: Security Services for E-mail-attacks possible through E-mail - establishing
keys privacy-authentication of the source-Message Integrity-Non-repudiation-Pretty Good
Privacy-S/MIME.
IPSecurity: Overview of IPSec - IP and IPv6-Authentication Header-Encapsulation Security
Payload (ESP)-Internet Key Exchange (Phases of IKE, ISAKMP/IKE Encoding).
Web Security: SSL/TLS Basic Protocol-computing the keys- client authentication-PKI as
deployed by SSLAttacks fixed in v3- Exportability-Encoding-Secure Electronic Transaction
(SET).
EMAIL SECURITY:
• E-mail is one of the most widely used and regarded network services
• Grows a demand for Authentication and confidentiality services.
• These two services are achieved by 2 approaches
– PGP
– S/MIME
PRETTY GOOD PRIVACY (PGP):
• Open source, freely available software package for secure e-mail security.
• de facto standard for secure email
• developed by Phil Zimmermann
• selected best available cryptographic algorithms to use
• Runs on a variety of platforms like Unix, PC, Macintosh and other systems
• originally free (now also have commercial versions available)
Operational Description:
• Consists of five services:
– Authentication
– Confidentiality
– E-mail compatibility
– segmentation
Authentication:
1. sender creates message
2. Generates a digital signature for the message
3. use SHA-1 to generate 160-bit hash of message
4. signed hash with RSA using sender's private key, and is attached to message
5. receiver uses RSA with sender's public key to decrypt and recover hash code
6. receiver verifies received message using hash of it and compares with decrypted hash
code
JEPPIAAR ENGINEERING COLLEGE
Confidentiality:
1. Sender generates a message and encrypts it.
2. Generates a128-bit random number as session key
3. Encrypts the message using CAST-128 / IDEA / 3DES in CBC mode with session key
4. session key encrypted using RSA with recipient's public key and attached to the msg
5. receiver uses RSA with private key to decrypt and recover session key
6. session key is used to decrypt message
Compression:
JEPPIAAR ENGINEERING COLLEGE
• PGP compresses messages to save space for e-mail transmission and storage
• by default PGP compresses message after signing but before encrypting
– so can store uncompressed message & signature for later verification
– Encryption after compression strengthens security (because compression has less
redundancy)
• uses ZIP compression algorithm
Email Compatibility:
• when using PGP will have binary data (8-bit octets) to send (encrypted message, etc)
• however email was designed only for text
• hence PGP must encode raw binary data into printable ASCII characters
• uses radix-64 algorithm
– maps 3 bytes to 4 printable chars
– also appends a CRC
• PGP also segments messages if too big
(maximum length 50,000 octets)
Encoding binary data in radix64 format:
Notations:
RNG – Random Number Generator
JEPPIAAR ENGINEERING COLLEGE
S/MIME:
• S/MIME(Secure/Multipurpose Internet Mail Extension)
– Security enhancement to the MIME
– Industry standard for commercial and organizational use, while PGP for personal
e-mail security
RFC 822
– The header and the body
– The header is separated from the body by a blank line
– A message is ASCII text
– Eg:
Date : Tue, 16 Jan 1998 10:37:17
From : “William Stallings” ws@shore.net
Subject: The Syntax in RFC 822
To: Smith@other-host.com
Cc: Jones@another-host.com
Hello. This section begins the actual message body, which is Delimited
from the message heading by a blank line
Limitations of the SMTP/822 scheme
– Cannot transmit executable files or other binary objects
– Cannot transmit text data that includes national language characters(8-bit codes),
822 is limited to 7-bit ASCII
– SMTP servers may reject mail message over a certain size etc.,
– MIME is intended to resolve these problems
– Five new message header fields are defined
– A number of content format are defined
– Transfer encodings are defined
MIME - Five header fields:
• MIME-Version - Must have the parameter value 1.0. This field indicates that the
message conforms to RFCs 2045 and 2046.
• Content-Type - Describes the data contained in the body with sufficient detail
JEPPIAAR ENGINEERING COLLEGE
•
Content-Transfer-Encoding - Indicates the type of transformation that has been
used to represent the body of the message in a way that is acceptable for mail
transport.
• Content-ID - Used to identify MIME entities uniquely in multiple contexts
• Content-Description - A text description of the object with the body; this is
useful when the object is not readable (e.g., audio data).
MIME Content Types:
– Provides standardized ways of dealing with a wide variety of information
representations in a multimedia environment
– Ex)
From : Nathaniel Borenstein <nsb@bellcore.com>
To: Smith@other-host.com
Subject: Sample message
MIME-Version: 1.0
Content-type: multipart/alternative;boundary=boundary42
--boundary42
Content-type: text/plain; charset=us-ascii
--boundary42
Canonical Form:
– Appropriate to the content type, that is standardized for use between systems
– Contrast to native form, which is a format that may be peculiar to a particular
system.
S/MIME Functionality:
• Enveloped data
• Signed data
• Clear-signed data
• Signed and enveloped data
Enveloped data
• Consists of encrypted content of any type and encrypted-content encryption
keys for one or more recipients.
JEPPIAAR ENGINEERING COLLEGE
Signed data
• A digital signature is formed by taking the message digest of the content to be
signed and then encrypting that with the private key of the signer
• The content plus signature are then encoded using base64 encoding
• A signed data message can only be viewed by a recipient with S/MIME capability
Clear-signed data
• Only the digital signature is encoded using base64
• Recipients without S/MIME capability can view the message content, although
they cannot verify the signature
Signed and enveloped data
• Signed-only and encrypted-only entities may be nested
• Encrypted data may be signed and signed data or clear-signed data may be
encrypted
S/MIME Message:
• Represented in BER(Basic Encoding Rules)
– ITU-T Recommendation X.209
– Arbitrary octet string
– Transfer encoded with base64 in the outer MIME message
IP SECURITY:
• The Architecture deals with the general concepts, definitions, mechanism etc.,
• IPSec Services
– Access control
– Data origin authentication
– Confidentiality( encryption) etc.,
SA( Security Associations)
– Key concept for IPSec
– One-way relationship between a sender and a receiver
– Identified by three Parameters
• Security parameters Index(SPI)
• IP Destination Address
JEPPIAAR ENGINEERING COLLEGE
• Next Header(8bits)
– Identifies the type of header immediately following this header
• Payload Length(8bits)
– Length of AH in 32-bit words minus 2
• Reserved(16bits)
• Security Parameters Index(32bits)
– Identifies a security association
• Sequence Number(32bits)
– A monotonically increasing counter value
• Authentication Data(variable)
– Contains ICV( Integrity Check value) or MAC
Transport mode and Tunnel mode:
JEPPIAAR ENGINEERING COLLEGE
Key Management:
• Determination and distribution of secret keys
– Manual
• Practical for small, relatively static environments
– Automated
• On-demand creation of keys in large distributed system
• ISAKMP(Internet Security Association and Key Management Protocol)
WEB SECURITY
Virtually all businesses, most governments agencies, and many individuals now have
Web sites, the number of sites expanding rapidly. As a result, businesses are setting up facilities
on the web for electronic commerce. This explosive growth of the Internet and the World Wide
Web has brought with it a need to securely protect sensitive communications sent over this open
network.
SSL / TLS
SSL (Secure Socket Layer):
• SSL provides security services between TCP and application that use TCP.
• The internet standard version is called transport layer service(TLS).
SSL Architecture:
• It is a layer of protocol use TCP to provide reliable end to end secure service.
3 layers of SSL
• Handshake protocol
• Change cipher spec protocol
• Alert protocol
SSL architecture:
Two important SSL concepts
• SSL connection
– a peer-to-peer, communications link
– associated with a session
JEPPIAAR ENGINEERING COLLEGE
• SSL session
– an association between client & server
– created by the Handshake Protocol
– define a set of cryptographic parameters
SSL Protocol stack:
Phase 3
• Client key exchange
JEPPIAAR ENGINEERING COLLEGE