Integrated Security System Cryptographic Systems
When two parties communicate …
Their software usually handles the details
First, negotiate security methods
Then, authenticate one another
Then, exchange symmetric session key
Then can communicate securely using symmetric session key and message-by-message authentication
Cryptographic Systems
Initial hand-shaking phases:
Negotiation of parameters
Mutual authentication
Key exchange of symmetric session key
Ongoing communication: message-by-message confidentiality, authentication, and message integrity
Occur at several layers
Cryptographic System
Three Initial "Hand-Shaking" Phases (diagram: exchanges between Client PC and Server)
Phase 1: Initial Negotiation of Security Parameters
Phase 2: Mutual Authentication
Phase 3: Key Exchange or Key Agreement (key exchange: one side generates the session key and sends it encrypted; key agreement: both sides contribute to it, as in Diffie-Hellman)
Cryptographic System
Phase 4: Ongoing Communication with Message-by-Message Confidentiality, Authentication, and Message Integrity (diagram: Client PC and Server)
The Initial Hand-Shaking Stages Are Very Brief. Almost All Messages Are Sent During the Ongoing Exchange Phase.
Major Cryptographic Systems
Layer        Cryptographic System
Application  Kerberos
Transport    SSL/TLS
Internet     IPsec
Data Link    PPTP, L2TP (really only a tunneling system)
Physical     Not applicable. No messages are sent at this layer, only individual bits
Cryptographic System
SSL/TLS
SSL: Secure Sockets Layer
Developed by Netscape
TLS (now): Netscape gave the IETF control over SSL
IETF renamed it TLS (Transport Layer Security)
Usually still called SSL
SSL/TLS works at the transport layer (it sits between the application and TCP)
Protects SSL/TLS-aware applications, mostly HTTP
Widely used in e-commerce
It is also used for remote access: HTTP access, web applications (e-mail), or with a downloaded client program
Negotiation of security parameters
Server authenticates self to client using a digital certificate (usually not mutual authentication)
Client generates a random session key and sends it to the server encrypted with the server's public key (RSA key transport; TLS 1.3 removed this in favor of ephemeral Diffie-Hellman key agreement, so both sides derive the session key and it is never sent)
Note: SSL 2.0/3.0 and TLS 1.0/1.1 are deprecated; current deployments should require TLS 1.2 or 1.3
SSL/TLS Protocol Stack
ISO Open Systems Interconnect model
SSL runs beneath application layers, e.g. HTTP, FTP, SMTP, etc.
SSL runs above transport protocols such as TCP.
SSL/TLS Operation
Protects All Application Traffic That Is SSL/TLS-Aware
SSL/TLS Works at Transport Layer
(diagram: Applicant (Customer Client) and Verifier (Merchant Server))
1. Negotiation of Security Options (Brief)
2. Merchant Authenticates Self to Customer, Using a Digital Certificate. Customer Authentication is Optional and Uncommon
3. Client Generates Random Session Key; Client Sends Key to Server Encrypted with Public Key Encryption (RSA key transport; TLS 1.3 replaced this with ephemeral Diffie-Hellman key agreement)
4. Ongoing Communication with Confidentiality and Message-by-Message Authentication. Note: TLS protects each record with a keyed MAC or AEAD tag derived from the session key, not with the merchant's digital signature; the certificate's signature is used only during the handshake.
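The four steps above, together with the three hand-shaking phases and the ongoing phase on the earlier slides, as an added Go example that is not part of the original slides: it builds a self-signed certificate for the hypothetical merchant name merchant.example (standing in for a CA-issued one), runs a real TLS handshake over loopback TCP with Go's standard crypto/tls, sends one constructed request ("order #42") over the protected channel, and then repeats the handshake with a mismatched expected name to show phase 2 rejecting the server. The host name, the request text and the loopback setup are all assumptions made for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSignedCert builds a throwaway self-signed certificate for the hypothetical host
// name and a trust store holding only it; it stands in for the CA-issued certificate
// a real merchant server would present in phase 2.
func selfSignedCert(name string) (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		DNSNames:              []string{name}, // clients match ServerName against SANs
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true, // self-signed, so it is its own trust anchor
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, _ := x509.ParseCertificate(der)
	roots := x509.NewCertPool()
	roots.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, roots, nil
}

// runExchange runs the handshake (phases 1-3) and one protected request/reply (phase 4)
// over loopback TCP and returns the client's view of the session plus the reply. serverName
// is the name the customer expects; if it does not match the certificate, phase 2 fails.
func runExchange(cert tls.Certificate, roots *x509.CertPool, serverName string) (tls.ConnectionState, string, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return tls.ConnectionState{}, "", err
	}
	defer ln.Close()
	// ClientAuth stays tls.NoClientCert: the merchant never asks the customer for a certificate.
	serverCfg := &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS12}
	clientCfg := &tls.Config{RootCAs: roots, ServerName: serverName, MinVersion: tls.VersionTLS12}
	errCh := make(chan error, 1)
	go func() { // merchant side
		raw, err := ln.Accept()
		if err != nil {
			errCh <- err
			return
		}
		srv := tls.Server(raw, serverCfg)
		defer srv.Close()
		buf := make([]byte, 256)
		n, err := srv.Read(buf) // completes the handshake, then yields decrypted, integrity-checked data
		if err == nil {
			_, err = srv.Write([]byte("ACK: " + string(buf[:n])))
		}
		errCh <- err
	}()
	cli, err := tls.Dial("tcp", ln.Addr().String(), clientCfg) // phases 1-3 happen here
	if err != nil {
		return tls.ConnectionState{}, "", fmt.Errorf("handshake: %w", err)
	}
	defer cli.Close()
	if _, err := cli.Write([]byte("order #42")); err != nil { // phase 4: constructed request
		return tls.ConnectionState{}, "", err
	}
	buf := make([]byte, 256)
	n, err := cli.Read(buf)
	if err != nil {
		return tls.ConnectionState{}, "", err
	}
	if err := <-errCh; err != nil {
		return tls.ConnectionState{}, "", fmt.Errorf("server: %w", err)
	}
	return cli.ConnectionState(), string(buf[:n]), nil
}

func main() {
	cert, roots, err := selfSignedCert("merchant.example")
	if err != nil {
		panic(err)
	}
	st, reply, err := runExchange(cert, roots, "merchant.example")
	fmt.Printf("version=%#x suite=%s reply=%q err=%v\n", st.Version, tls.CipherSuiteName(st.CipherSuite), reply, err)
	_, _, err = runExchange(cert, roots, "other.example") // phase 2 failing: customer expected a different name
	fmt.Println("name mismatch:", err)
}
```

The negotiated version and cipher suite printed first are the phase 1 result; the verified certificate subject (available as st.PeerCertificates[0].Subject) is phase 2. The session key never appears in application code: crypto/tls derives it (by ephemeral Diffie-Hellman under TLS 1.3, not RSA key transport) and uses it for the record-layer AEAD that protects each message in phase 4. Because the server config leaves ClientAuth at tls.NoClientCert, the customer is never authenticated; set ClientAuth to tls.RequireAndVerifyClientCert and give the client its own certificate to make phase 2 mutual.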
Virtual Private Networks (see separate slides for more details)
Secure communication over the Internet
Site-to-Site VPNs: between security gateways at each site; must handle a large amount of intersite traffic
Remote Access VPNs: to connect an individual user to a site
Host-to-Host (not mentioned in the text)
SSL/TLS VPNs
Growing rapidly in popularity for remote access
Easy to implement: webservers already implement it, clients already have browsers
If only using HTTP, very easy; becoming popular
SSL/TLS gateways at sites allow more:
Single point of encryption for access to multiple webservers
Output from some applications, such as Outlook and Outlook Express, is "webified" so that it can be delivered to browsers
If the browser will accept a downloaded add-in program, can get access to even more applications