Security in The Internet


Security In The Internet

Dr. Ahmad Salem AL safar

PhD Students: Mustafa Mohammed Hadi

12/17/2021
Security in The Internet

Chapter 32 Security in the Internet:

In this chapter, we want to show how certain security aspects, particularly privacy and message authentication, can be applied to the network, transport, and application layers of the Internet model. We briefly show how the IPSec protocol can add authentication and confidentiality to the IP protocol, how SSL (or TLS) can do the same for the TCP protocol, and how PGP can do it for the e-mail protocol.

Figure 32.1 Common structure of three security protocols

One common issue in all these protocols is security parameters. Even the simplified structure in Figure 32.1 suggests that Alice and Bob need to know several pieces of information, the security parameters, before they can send secured data to each other. In particular, they need to know which algorithms to use for authentication and encryption/decryption.


32-1 IP Security (IPSec)

❖ IP Security (IPSec) is a collection of protocols designed by the Internet Engineering Task Force (IETF) to provide security for a packet at the network level.
❖ IPSec helps to create authenticated and confidential packets for the IP layer, as shown in Figure 32.2.

Figure 32.2 TCP/IP protocol suite and IPSec

32-1 Introduction to IP Security (IPSec)

❖ Two modes of IPSec:
- transport mode
- tunnel mode
❖ Two security protocols:
- Authentication Header (AH) Protocol
- Encapsulating Security Payload (ESP) Protocol
❖ Then we talk about the Security Association.
❖ Finally, one application of IPSec: the Virtual Private Network (VPN).


IP Security (IPSec)

◼ IPSec operates in one of two different modes: the transport mode or the tunnel mode, as shown in Figure 32.3.

Figure 32.3 Transport mode and tunnel mode of the IPSec protocol

IP Security (IPSec): Transport Mode

❖ In the transport mode, IPSec protects what is delivered from the transport layer to the network layer. The transport mode protects the network layer payload, the payload to be encapsulated in the network layer.
❖ The transport mode does not protect the IP header. It does not protect the whole IP packet; it protects only the packet from the transport layer (the IP layer payload). In this mode, the IPSec header and trailer are added to the information coming from the transport layer. The IP header is added later.


Note: IPSec in the transport mode does not protect the IP header; it only protects the information coming from the transport layer.

❖ The transport mode is normally used when we need host-to-host (end-to-end) protection of data.

IP Security (IPSec): Tunnel Mode

❖ In the tunnel mode, IPSec protects the entire IP packet. It takes an IP packet, including the header, applies IPSec security methods to the entire packet, and then adds a new IP header.
❖ It is normally used between two routers, between a host and a router, or between a router and a host.
❖ IPSec tunnel mode is the default mode.

Figure 32.5 Tunnel mode in action

Two Security Protocols

IPSec defines two protocols, the Authentication Header (AH) Protocol and the Encapsulating Security Payload (ESP) Protocol, to provide authentication and/or encryption for packets at the IP level.

1. Authentication Header (AH)

❖ The Authentication Header (AH) Protocol is designed to authenticate the source host and to ensure the integrity of the payload carried in the IP packet.
❖ The protocol uses a hash function and a symmetric key to create a message digest; the digest is inserted in the authentication header.
❖ The AH is then placed in the appropriate location based on the mode (transport or tunnel).
❖ The authentication data are inserted in the authentication header.

1. Authentication Header (AH)

Figure 32.6 Authentication Header (AH) Protocol in transport mode


1. Authentication Header (AH)

A brief description of each field follows:

❑ Next header: The 8-bit next-header field defines the type of payload carried by the IP datagram (such as TCP, UDP, ICMP, or OSPF).
❑ Payload length: The name of this 8-bit field is misleading. It does not define the length of the payload; it defines the length of the authentication header in 4-byte multiples.
❑ Security parameter index: The 32-bit security parameter index (SPI) field plays the role of a virtual-circuit identifier and is the same for all packets sent during a connection called a security association.
❑ Sequence number: The 32-bit sequence number provides ordering information for a sequence of datagrams. The sequence numbers prevent a playback (replay) of captured packets. Note that the sequence number is not repeated even if a packet is retransmitted.
❑ Authentication data: Finally, the authentication data field is the result of applying a hash function to the entire IP datagram except for the fields that are changed during transit (such as TTL).

Note: The AH Protocol provides source authentication and data integrity, but not privacy.
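The field layout and the "hash everything except the mutable fields" rule above, as an added example that is not from the slides: it builds a transport-mode AH packet with HMAC-MD5-96 (the truncation RFC 2403 specifies; the payload-length value follows RFC 4302, which counts the AH in 32-bit words minus 2) and shows that a router decrementing TTL leaves the ICV valid while a payload change does not. The addresses, SPI and key are constructed values.

```python
import hashlib
import hmac
import struct

IPPROTO_TCP, IPPROTO_AH = 6, 51
KEY_Z = b"bob-ah-md5-key-z"   # constructed stand-in for key z of the chapter's example

def ipv4_header(src, dst, proto, total_len, ttl=64):
    """Minimal 20-byte IPv4 header (checksum left 0; it is mutable anyway)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0,
                       ttl, proto, 0, src, dst)

def zero_mutable(ip_hdr):
    """AH covers the IP header with the fields that change in transit
    (TOS, flags/fragment offset, TTL, header checksum) set to zero."""
    h = bytearray(ip_hdr)
    h[1] = 0
    h[6:8] = b"\0\0"
    h[8] = 0
    h[10:12] = b"\0\0"
    return bytes(h)

def ah_icv(key, ip_hdr, ah_fixed, payload):
    """HMAC-MD5-96 (RFC 2403): HMAC over immutable IP header + AH with the
    ICV field zeroed + payload, truncated to 96 bits."""
    covered = zero_mutable(ip_hdr) + ah_fixed + b"\0" * 12 + payload
    return hmac.new(key, covered, hashlib.md5).digest()[:12]

def build_ah_packet(key, src, dst, spi, seq, payload, ttl=64):
    """Transport-mode AH: IP header | AH (24 bytes) | transport payload."""
    # Payload length = AH length in 32-bit words minus 2 (RFC 4302): 6 - 2 = 4.
    ah_fixed = struct.pack("!BBHII", IPPROTO_TCP, 4, 0, spi, seq)
    ip = ipv4_header(src, dst, IPPROTO_AH, 20 + 24 + len(payload), ttl)
    return ip + ah_fixed + ah_icv(key, ip, ah_fixed, payload) + payload

def verify_ah_packet(key, packet):
    """Receiver: parse, recompute the ICV, return (ok, next_header, spi, seq, payload)."""
    ip, rest = packet[:20], packet[20:]
    nh, plen, _, spi, seq = struct.unpack("!BBHII", rest[:12])
    ah_total = (plen + 2) * 4
    icv, payload = rest[12:ah_total], rest[ah_total:]
    ok = hmac.compare_digest(icv, ah_icv(key, ip, rest[:12], payload))
    return ok, nh, spi, seq, payload

def demo():
    pkt = build_ah_packet(KEY_Z, b"\x0a\0\0\x01", b"\x0a\0\0\x02", 0x1001, 1, b"hello")
    hopped = bytearray(pkt); hopped[8] -= 1          # a router decremented TTL
    tampered = bytearray(pkt); tampered[-1] ^= 1     # payload altered in transit
    return verify_ah_packet(KEY_Z, bytes(hopped))[0], verify_ah_packet(KEY_Z, bytes(tampered))[0]
```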
2- Encapsulating Security Payload (ESP)

◦ The ESP Protocol provides source authentication, integrity, and privacy.

◦ The ESP procedure follows these steps:
❑ An ESP trailer is added to the payload.
❑ The payload and the trailer are encrypted.
❑ The ESP header is added.
❑ The ESP header, payload, and ESP trailer are used to create the authentication data.
❑ The authentication data are added to the end of the ESP trailer.
❑ The IP header is added after the protocol value is changed to 50; the next-header field inside the ESP trailer holds the original value.
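The six ESP steps carried out in code, as an added example (not from the slides), together with the receiver's reverse path, which checks the authentication data before decrypting anything. Because the standard library has no DES or AES, a constructed HMAC-SHA256 counter-mode keystream stands in for the negotiated cipher; keys, SPI and payload are constructed values.

```python
import hashlib
import hmac
import struct

IPPROTO_TCP, IPPROTO_ESP = 6, 50

def keystream(key, nonce, n):
    """Stand-in cipher: counter-mode keystream from HMAC-SHA256. NOT DES or AES;
    constructed only so the example runs with the standard library."""
    blocks = (hmac.new(key, nonce + struct.pack("!I", i), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def esp_encapsulate(enc_key, auth_key, spi, seq, payload, next_header=IPPROTO_TCP, block=4):
    # Step 1: ESP trailer = zero padding up to a block multiple, pad length, next header.
    pad_len = (-(len(payload) + 2)) % block
    trailer = bytes(pad_len) + bytes([pad_len, next_header])
    # Steps 2-3: ESP header (SPI, sequence number); encrypt payload + trailer,
    # using the header as the per-packet nonce of the stand-in cipher.
    header = struct.pack("!II", spi, seq)
    ciphertext = xor(payload + trailer, keystream(enc_key, header, len(payload) + len(trailer)))
    # Steps 4-5: authentication data (HMAC-SHA1-96) over header + ciphertext, appended.
    icv = hmac.new(auth_key, header + ciphertext, hashlib.sha1).digest()[:12]
    # Step 6: the outer IP header carries protocol 50; the real value sits in the trailer.
    return IPPROTO_ESP, header + ciphertext + icv

def esp_decapsulate(enc_key, auth_key, esp):
    """Receiver: verify the ICV first; return (next_header, payload) or None."""
    header, ciphertext, icv = esp[:8], esp[8:-12], esp[-12:]
    expected = hmac.new(auth_key, header + ciphertext, hashlib.sha1).digest()[:12]
    if not hmac.compare_digest(icv, expected):
        return None
    plaintext = xor(ciphertext, keystream(enc_key, header, len(ciphertext)))
    pad_len, next_header = plaintext[-2], plaintext[-1]
    return next_header, plaintext[:len(plaintext) - pad_len - 2]

def demo():
    proto, esp = esp_encapsulate(b"key-y", b"key-x", 0x1001, 1, b"GET / HTTP/1.0\r\n")
    damaged = esp[:-1] + bytes([esp[-1] ^ 1])      # authentication data corrupted in transit
    return proto, esp_decapsulate(b"key-y", b"key-x", esp), esp_decapsulate(b"key-y", b"key-x", damaged)
```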


2- Encapsulating Security Payload (ESP)

Figure 32.7 Encapsulating Security Payload (ESP) Protocol in transport mode

2- Encapsulating Security Payload (ESP)
The fields for the header and trailer are as follows:
❖ Security parameter index: The 32-bit security parameter index field is similar to that defined for the AH Protocol.
❖ Sequence number: The 32-bit sequence number field is similar to that defined for the AH Protocol.
❖ Padding: This variable-length field (0 to 255 bytes) of 0s serves as padding. The value is between 0 and 255; the maximum value is rare.
❖ Next header: The 8-bit next-header field is similar to that defined in the AH Protocol. It serves the same purpose as the protocol field in the IP header before encapsulation.
❖ Authentication data: The authentication data field is the result of applying an authentication scheme to parts of the datagram.

Note:
✓ The difference between the authentication data in AH and ESP: in AH, part of the IP header is included in the calculation of the authentication data; in ESP, it is not.
✓ IPSec supports both IPv4 and IPv6. In IPv6, AH and ESP are part of the extension header.

IPSec Services

The two protocols, AH and ESP, can provide several security services for packets at the network layer. The table shows the list of services available for each protocol.

Table 32.1 IPSec services

Security Association

Security association is a very important aspect of IPSec. Using security association, IPSec changes a connectionless protocol, IP, to a connection-oriented protocol.
For this type of communication, a security association is identified by a combination of three parameters:

❖ security parameter index (SPI)
❖ destination IP address
❖ security protocol ID (AH or ESP)


Security Association

A Simple Example
A security association is a very complex set of pieces of information. However, we can show the simplest case, in which Alice wants to have an association with Bob for use in a two-way communication. Alice can have an outbound association (for datagrams to Bob) and an inbound association (for datagrams from Bob). Bob can have the same. In this case, the security associations are reduced to two small tables for both Alice and Bob, as shown in Figure 32.8.

The figure shows that when Alice needs to send a datagram to Bob, she uses the ESP Protocol of IPSec. Authentication is done by using SHA-1 with key x. The encryption is done by using DES with key y. When Bob needs to send a datagram to Alice, he uses the AH Protocol of IPSec. Authentication is done by using MD5 with key z. Note that the inbound association for Bob is the same as the outbound association for Alice, and vice versa.

Figure 32.8 Simple inbound and outbound security associations
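Bob's two tables from the example, as an added illustration that is not part of the slides: a security association database keyed by the (SPI, destination IP, protocol) triple the text names, plus the anti-replay sliding window that gives the AH/ESP sequence number its "no playback" property (a RFC 4302/4303-style 64-entry window). The SPIs and IP addresses are constructed values; the keys are the placeholders x, y and z from the example.

```python
from dataclasses import dataclass

WINDOW_SIZE = 64   # anti-replay window width, in sequence numbers

@dataclass
class SecurityAssociation:
    protocol: str             # "AH" or "ESP"
    auth_alg: str             # "SHA-1" or "MD5" in the chapter's example
    auth_key: bytes
    enc_alg: str = None       # ESP only
    enc_key: bytes = None
    last_seq_in: int = 0      # highest sequence number accepted so far
    window: int = 0           # bit i set = sequence (last_seq_in - i) already seen

class SADB:
    """Security association database keyed by (SPI, destination IP, protocol)."""
    def __init__(self):
        self.table = {}
    def add(self, spi, dst_ip, sa):
        self.table[(spi, dst_ip, sa.protocol)] = sa
    def lookup(self, spi, dst_ip, protocol):
        return self.table.get((spi, dst_ip, protocol))

def accept_inbound_seq(sa, seq):
    """Sliding-window replay check: reject duplicates and packets older than the window."""
    if seq == 0:
        return False                                  # first valid number is 1
    if seq > sa.last_seq_in:                          # new high-water mark: slide window
        shift = seq - sa.last_seq_in
        sa.window = ((sa.window << shift) | 1) & ((1 << WINDOW_SIZE) - 1)
        sa.last_seq_in = seq
        return True
    diff = sa.last_seq_in - seq
    if diff >= WINDOW_SIZE or sa.window & (1 << diff):
        return False                                  # too old, or a replay
    sa.window |= 1 << diff
    return True

def bob_sadb(alice_ip="10.0.0.1", bob_ip="10.0.0.2"):
    # Bob's inbound SA equals Alice's outbound SA (ESP, SHA-1 key x, DES key y);
    # his outbound SA is AH with MD5 key z. SPIs/addresses are constructed.
    db = SADB()
    db.add(0x1001, bob_ip, SecurityAssociation("ESP", "SHA-1", b"x", "DES", b"y"))
    db.add(0x2002, alice_ip, SecurityAssociation("AH", "MD5", b"z"))
    return db

def replay_demo():
    sa = bob_sadb().lookup(0x1001, "10.0.0.2", "ESP")
    return [accept_inbound_seq(sa, s) for s in (1, 2, 3, 2, 5, 1, 4)]
```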


Virtual private network (VPN)

A virtual private network (VPN) extends a private network across a public network and enables users to send and receive data across shared or public networks as if their computing devices were directly connected to the private network. Applications running across a VPN may therefore benefit from the functionality, security, and management of the private network. Encryption is a common, although not an inherent, part of a VPN connection.
❖ It uses the IPSec Protocol to apply security.
❖ Internet users may secure their connections with a VPN to circumvent geo-blocking and censorship.
❖ Internal IP addresses from your on-premises networks are hidden from external users.
❖ The entire communication between the on-premises network and public networks is encrypted, significantly lowering the chances of information theft.
Virtual private network (VPN)

Note: VPN technology uses IPSec in the tunnel mode to provide authentication, integrity, and privacy.

A VPN is created by establishing a virtual point-to-point connection through the use of dedicated circuits or with tunneling protocols over existing networks. A VPN available from the public Internet can provide some of the benefits of a wide area network (WAN). From a user perspective, the resources available within the private network can be accessed remotely.

Figure 32.12 Virtual private network

Secure Socket Layer SSL/TLS

Two protocols are dominant today for providing security at the transport layer: the Secure Sockets Layer (SSL) Protocol and the Transport Layer Security (TLS) Protocol. The latter is actually an IETF version of the former.
❖ A transport layer security protocol provides end-to-end security services for applications that use a reliable transport layer protocol such as TCP. The idea is to provide security services for transactions on the Internet.

Figure 32.14 Location of SSL and TLS in the Internet model


Secure Socket Layer SSL/TLS

❖ It is designed to provide security and compression services to data generated from the application layer.
❖ SSL can receive data from any application layer protocol, but usually the protocol is HTTP.
❖ The data received from the application are compressed (optional), signed, and encrypted.
❖ The data are then passed to a reliable transport layer protocol such as TCP.

SSL Services

◦ Fragmentation
First, SSL divides the data into blocks of 2^14 bytes or less.
◦ Compression
Each fragment of data is compressed by using one of the lossless compression methods negotiated between the client and server. This service is optional.
◦ Message Integrity
To preserve the integrity of data, SSL uses a keyed-hash function to create a MAC.
◦ Confidentiality
To provide confidentiality, the original data and the MAC are encrypted using symmetric-key cryptography.
◦ Framing
A header is added to the encrypted payload. The payload is then passed to a reliable transport layer protocol.

Transport Layer Security TLS

It is the IETF standard version of SSL. The two are very similar, with slight differences. We highlight the differences below:
Version: The SSLv3.0 discussed in this section is compatible with TLSv1.0.
Cipher Suite: The TLS cipher suite does not support Fortezza.
Cryptography Secret: There are several differences in the generation of cryptographic secrets. TLS uses a pseudorandom function (PRF) to create the master key and the key materials.
Alert Protocol: TLS deletes some alert messages and adds some new ones.
Transport Layer Security TLS

Handshake Protocol: The details of some messages have been changed in TLS.
Record Protocol: Instead of using the SSL MAC, TLS uses HMAC.
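The PRF the "Cryptography Secret" point refers to, as an added example (not from the slides): the TLS 1.0 construction from RFC 2246, which is itself built from HMAC, deriving the 48-byte master secret from the pre-master secret and the key block from the master secret. The pre-master secret and hello randoms in demo() are constructed values.

```python
import hashlib
import hmac

def p_hash(hash_fn, secret, seed, length):
    """P_hash (RFC 2246, section 5): A(0) = seed, A(i) = HMAC(secret, A(i-1)),
    output = HMAC(secret, A(1) + seed) || HMAC(secret, A(2) + seed) || ..."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_fn).digest()
        out += hmac.new(secret, a + seed, hash_fn).digest()
    return out[:length]

def tls10_prf(secret, label, seed, length):
    """TLS 1.0 PRF: P_MD5 over the first half of the secret XOR P_SHA1 over the
    second half; an odd-length secret shares its middle byte between the halves."""
    half = (len(secret) + 1) // 2
    left = p_hash(hashlib.md5, secret[:half], label + seed, length)
    right = p_hash(hashlib.sha1, secret[-half:], label + seed, length)
    return bytes(x ^ y for x, y in zip(left, right))

def master_secret(pre_master_secret, client_random, server_random):
    """48-byte master secret from the pre-master secret and both hello randoms."""
    return tls10_prf(pre_master_secret, b"master secret", client_random + server_random, 48)

def key_block(master, client_random, server_random, length):
    """Key material (MAC keys, cipher keys, IVs); note that the randoms are
    concatenated in the opposite order from the master-secret derivation."""
    return tls10_prf(master, b"key expansion", server_random + client_random, length)

def demo(client_random=b"\x11" * 32, server_random=b"\x22" * 32):
    # Constructed 48-byte RSA-style pre-master secret: version bytes 3.1 then 46 bytes.
    pms = b"\x03\x01" + b"\x42" * 46
    ms = master_secret(pms, client_random, server_random)
    # Two 20-byte MAC keys, two 16-byte cipher keys, two 16-byte IVs = 104 bytes.
    return ms, key_block(ms, client_random, server_random, 104)
```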


32-3 Pretty Good Privacy (PGP)

One of the protocols to provide security at the application layer is Pretty Good Privacy (PGP). PGP is designed to create authenticated and confidential e-mails.

Figure 32.19 Position of PGP in the TCP/IP protocol suite

Note: In PGP, the sender of the message needs to include the identifiers of the algorithms used in the message as well as the values of the keys.

PGP Services

Plaintext: The simplest case is to send the e-mail message in plaintext.
Message Authentication: Probably the next improvement is to let the sender sign the message. The sender creates a digest of the message and signs it with her private key. When the receiver receives the message, he verifies the message by using the sender's public key.
Compression: A further improvement is to compress the message and digest to make the packet more compact.
Confidentiality with One-Time Session Key: Confidentiality in an e-mail system can be achieved by using conventional encryption with a one-time session key.

PGP Services

Code Conversion: Another service provided by PGP is code conversion. Most e-mail systems allow the message to consist of only ASCII characters. To translate other characters not in the ASCII set, PGP uses Radix-64 conversion.
Segmentation: PGP allows segmentation of the message after it has been converted to Radix-64 to make each transmitted unit the uniform size allowed by the underlying e-mail protocol.

❖ The security parameters need to be sent with the message.
❖ In PGP, the sender of the message needs to include the identifiers of the algorithms used in the message as well as the values of the keys.

32-4 FIREWALLS

Topics discussed in this section:
Packet-Filter Firewall
Proxy Firewall


Figure 32.22 Firewall

Figure 32.23 Packet-filter firewall
❖ A firewall can be used as a packet filter.
❖ It can forward or block packets based on the information in the network layer and transport layer headers: source and destination IP addresses, source and destination port addresses, and type of protocol (TCP or UDP).
❖ A packet-filter firewall is a router that uses a filtering table to decide which packets must be discarded (not forwarded).

Note: A packet-filter firewall filters at the network or transport layer.
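A filtering table of the kind the packet-filter bullets describe, as an added example that is not from the slides: rules match on source/destination address, protocol and destination port, the first matching rule decides, and anything unmatched is discarded. The internal network, server addresses and sample packets are constructed values.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    sport: int
    dport: int

@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    src: str = "0.0.0.0/0"      # CIDR; the default matches any address
    dst: str = "0.0.0.0/0"
    proto: str = "any"          # "tcp", "udp" or "any"
    dport: int = None           # None matches any destination port

    def matches(self, p):
        return (ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", p.proto)
                and (self.dport is None or self.dport == p.dport))

def filter_packet(table, packet):
    """Packet-filter decision: first matching rule wins; default is to discard."""
    for rule in table:
        if rule.matches(packet):
            return rule.action
    return "deny"

# Constructed table for packets arriving from the Internet at a site whose
# internal network is 10.0.0.0/8 (addresses and services are assumptions).
INBOUND_TABLE = [
    Rule("deny", src="10.0.0.0/8"),                            # outside packet claiming an inside source
    Rule("allow", dst="10.0.0.5/32", proto="tcp", dport=80),   # web server
    Rule("allow", dst="10.0.0.6/32", proto="tcp", dport=25),   # mail server
    Rule("allow", dst="10.0.0.7/32", proto="udp", dport=53),   # DNS server
]

def demo():
    packets = [
        Packet("203.0.113.9", "10.0.0.5", "tcp", 40001, 80),   # web request
        Packet("203.0.113.9", "10.0.0.5", "tcp", 40002, 23),   # telnet to the web server
        Packet("10.0.0.42", "10.0.0.6", "tcp", 40003, 25),     # spoofed internal source
        Packet("198.51.100.4", "10.0.0.7", "udp", 5353, 53),   # DNS query
    ]
    return [filter_packet(INBOUND_TABLE, p) for p in packets]
```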


Proxy firewall

❖ Sometimes we need to filter a message based on the information available in the message itself (at the application layer).
❖ Testing must be done at the application level (using URLs).

Figure 32.24 Proxy firewall
Proxy firewall

❖ When the user client process sends a message, the proxy firewall runs a
server process to receive the request.
❖ The server opens the packet at the application level and finds out if the
request is legitimate.
❖ If it is, the server acts as a client process and sends the message to the real
server in the corporation.
❖ If it is not, the message is dropped and an error message is sent to the
external user.
❖ In this way, the requests of the external users are filtered based on the
contents at the application layer.
Note: A proxy firewall filters at the application layer.
