Application Layer Security Protocols - PowerPoint PPT Presentation




Application Layer Security Protocols

By: Mudassar Hayee

Jasbir Singh

“This report was prepared for Professor L. Orozco-Barbosa in partial fulfillment of the requirements for the course ELG/CEG 4183”

SITE

University of Ottawa



Topics That Will Be Discussed

  • Security over the internet

    • Introduction (chapter 7 of this course)

  • Firewalls

  • Authentication and key distribution systems

    • Kerberos

    • SESAME

  • Security enhanced application protocols

    • Electronic Mail

      • S/MIME

    • Remote Terminal Access

      • TELNET



Security Over the Internet (Introduction)

  • Why do we need security?

    • Packet sniffing

    • IP Spoofing

    • Denial of Service (DoS)

  • We desire security to address these main concerns:

    • Secrecy (encryption)

    • Authentication (confirm identity)

    • Message integrity



Security Over the Internet (Introduction)

  • Techniques used:

    • Network layer security

      • Cryptography

      • Public key encryption

      • Digital signatures

      • Trusted intermediaries

    • Application layer security

      • Firewalls

        • Top 3 myths about firewalls

      • Protocols

        • Electronic mail

          • PGP– discussed in class!

          • S/MIME

        • Remote communication

          • Telnet

        • WWW transactions (HTTP)

          • Discussed in class!



Application Layer Firewalls

  • A firewall is an intermediate system that can be placed between two networks to protect one from the other.

  • A firewall is a host running proxy servers, which control the network access.



Authentication and Key Distribution Systems

Authentication is a problem that can be tackled by requiring a password to access the resource. A key distribution system that authenticates a system (i.e. public key encryption) makes it very secure.



Kerberos

  • Is a protocol that provides authentication and authorization.

  • It uses a symmetric key which is based on the password the client entered.



How Kerberos Works:

  • Client (C) wants to connect to application server (V).

  • 1. The client sends its name and the name of the TGS server to the AS.

  • 2. The AS replies with a TGT that is encrypted with a key based on the client’s password. If the client types in the correct password, the client will be able to decipher the message and obtain the TGT.



How Kerberos Works(cont’d):

  • 3. The client sends the TGT to the TGS. The TGT contains identification and timestamp information encrypted with a key that is shared between the AS and the TGS.

  • 4. Once the AS has been verified by the TGS, the TGS gives access to the application server.



How Kerberos Works(cont’d):

  • 5. The client sends the message to the application server (V). The client encrypts the message with a public key.

  • 6. This is an optional message when the user requires authentication by the verifier.
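The six steps above, run end to end as an added Python example that is not part of the slides: the TGT is sealed under a key shared by the AS and the TGS, the client can only open the AS reply if its password-derived key is right, and V checks a timestamped authenticator against the ticket. The cipher (`seal`/`unseal`), the principal database, the long-term keys and the clock are constructed toy stand-ins, and session keys are symmetric throughout, as the Kerberos slide describes.

```python
import hashlib, hmac, json, os

def derive_key(password):                            # the client's key is "based on the password"
    return hashlib.pbkdf2_hmac("sha256", password.encode(), b"EXAMPLE.REALM", 10_000)

NOW = 1_000_000                                      # constructed clock, in seconds
K_AS_TGS = hashlib.sha256(b"constructed AS/TGS key").digest()   # long-term key shared by AS and TGS
K_TGS_V = hashlib.sha256(b"constructed TGS/V key").digest()     # long-term key shared by TGS and V
AS_DB = {"alice": derive_key("correct horse")}       # constructed AS principal database

def _stream(key, nonce, n):                          # HMAC-based keystream for the toy cipher
    return b"".join(hmac.new(key, nonce + bytes([i]), "sha256").digest() for i in range(n // 32 + 1))[:n]

def seal(key, obj):                                  # toy authenticated encryption, not a real cipher
    nonce, pt = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return (nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()).hex()

def unseal(key, blob_hex):                           # raises ValueError on a wrong key or tampering
    blob = bytes.fromhex(blob_hex)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

def as_reply(client):                                # steps 1-2: TGT under K_AS_TGS, wrapped under the client key
    sk = os.urandom(32).hex()                        # session key for talking to the TGS
    return seal(AS_DB[client], {"key": sk, "tgt": seal(K_AS_TGS, {"client": client, "key": sk, "expires": NOW + 600})})

def tgs_reply(tgt, authenticator):                   # steps 3-4: verify TGT and authenticator, issue a ticket for V
    t = unseal(K_AS_TGS, tgt)                        # only the TGS (and the AS) can open the TGT
    a = unseal(bytes.fromhex(t["key"]), authenticator)
    if t["expires"] < NOW or a["client"] != t["client"] or abs(a["time"] - NOW) > 300:
        raise ValueError("TGT expired or authenticator mismatch")
    sk = os.urandom(32).hex()                        # session key for talking to V
    return seal(bytes.fromhex(t["key"]), {"key": sk, "ticket": seal(K_TGS_V, {"client": t["client"], "key": sk})})

def server_accepts(ticket, authenticator):           # step 5: V opens the ticket with its own long-term key
    t = unseal(K_TGS_V, ticket)
    a = unseal(bytes.fromhex(t["key"]), authenticator)
    return a["client"] == t["client"] and abs(a["time"] - NOW) <= 300

def login(client, password):                         # whole flow; False if the password is wrong
    try:
        env = unseal(derive_key(password), as_reply(client))   # step 2 fails without the right key
    except ValueError:
        return False
    auth = lambda k: seal(bytes.fromhex(k), {"client": client, "time": NOW})   # timestamped authenticator
    env2 = unseal(bytes.fromhex(env["key"]), tgs_reply(env["tgt"], auth(env["key"])))
    return server_accepts(env2["ticket"], auth(env2["key"]))
```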



SESAME

  • Was developed because many companies were either not protecting themselves or buying an insurance policy.

  • Objective was to define and implement protocols for authentication, access control, data confidentiality, and data integrity.

  • An extension to Kerberos



SESAME on-line Authorities

  • AS: authenticates the user.

  • PAS: returns the appropriate certificate for the user.

  • KDS: is used to generate the keys to talk with the application.



How SESAME works:

  • The client sends an authenticator message to the AS. The AS uses the public key that was obtained from the PAS. Once the digital signature on the authenticator has been verified, the client has been authenticated to the system.

  • The AS now sends the client’s public key encrypted with a session key generated by the AS. The AS also sends an authenticator digitally signed with its private key.



How SESAME works(cont’d):

  • The client now verifies this authenticator with the AS’s public key, obtained from the AS’s certificate.

  • If it has been verified, the AS has been authenticated to the client.



Security Enhanced Application Protocols

  • At the application layer, security services must be defined, implemented and incorporated into each application individually.

    • i.e. the application developer needs to address the issue of security.



Electronic Mail

  • The US Postal service (USPS) recently announced their PosteCS service. In the future they promise full support for digital signatures and encryption through public/private key digital certificate technology.

  • Other approaches to electronic mail security include secure MIME (S/MIME), and SMTP-based security.

  • S/MIME = Secure/Multipurpose Internet Mail Extensions.



Why S/MIME?

  • It claims to provide the highest level of protection against intrusions, message-content tampering, spoofing, and unwanted viewing of message content.


How S/MIME Works

  • It uses public and private key pairs maintained for users involved in the secure communication.

  • A sender can add a digital signature (to assure the recipient that the message is authentic) or encrypt the message (to protect the content from unwanted viewing or tampering) using X.509v3 certificates.

  • Certificate validation steps occur when a client sends or opens a secure message: certificate revocation checking, timestamp checking, and digital signature validation.


How S/MIME Works (cont’d)

  • Outlook 2000 and Outlook Express 5.0 support certificate revocation list (CRL) distribution points (CDPs), which can provide automated certificate revocation checking. CDPs are defined by the ITU-T as part of the X.509 standard.

  • The certificate lifetime also needs to be validated by the client, because certificates have limited lifespans.

    • To check digital signatures, use a trusted CA certificate's public key to check for integrity and authenticity.

    • The certificate must be on a certificate trust list (CTL) that resides with the client.

    • If the certificate’s ID differs from the sender's SMTP address, an error message notifies the client. This protects the client against impersonation and "man-in-the-middle" attacks.
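The validation steps listed on the two S/MIME slides above (certificate lifetime, CRL revocation check, issuer signature, CTL membership, and the certificate-ID versus SMTP-address comparison), as an added Python example that is not part of the slides. The `Cert` and `CRL` classes and the sample data are constructed stand-ins for the X.509 fields involved; the issuer-signature check is represented by a precomputed flag.

```python
from dataclasses import dataclass
from email.utils import parseaddr

@dataclass
class Cert:                        # constructed stand-in for the X.509v3 fields the checks need
    serial: int
    email: str                     # the certificate's ID (subjectAltName rfc822Name) on the slide
    issuer: str
    not_before: int                # validity period as Unix timestamps
    not_after: int
    signature_valid: bool          # outcome of verifying the issuer CA's signature over the cert

@dataclass
class CRL:                         # what a fetch from the issuer's CRL distribution point yields
    revoked: frozenset             # revoked serial numbers
    this_update: int
    next_update: int               # after this the CRL is stale and must be refreshed

def validate_sender_cert(cert, from_header, now, crls, ctl):
    """Return the list of failed checks for a signing certificate; empty means accept."""
    failures = []
    if cert.issuer not in ctl:
        failures.append("issuer not on the client's certificate trust list")
    if not cert.signature_valid:
        failures.append("issuer signature does not verify")
    if not cert.not_before <= now <= cert.not_after:
        failures.append("certificate outside its lifetime")
    crl = crls.get(cert.issuer)
    if crl is None or not crl.this_update <= now <= crl.next_update:
        failures.append("no fresh CRL for issuer")   # a missing or stale CRL is a failure, not a pass
    elif cert.serial in crl.revoked:
        failures.append("certificate revoked")
    _, addr = parseaddr(from_header)   # compare the real addr-spec, never the display name
    if addr.lower() != cert.email.lower():
        failures.append(f"sender {addr!r} does not match certificate {cert.email!r}")
    return failures

NOW = 1_700_000_000                # constructed sample data below
CTL = {"Example CA"}
CRLS = {"Example CA": CRL(frozenset({0x1002}), NOW - 3600, NOW + 86400)}
ALICE = Cert(0x1001, "alice@example.com", "Example CA", NOW - 10**6, NOW + 10**6, True)
BOB = Cert(0x1002, "bob@example.com", "Example CA", NOW - 10**6, NOW + 10**6, True)

def demo():
    return {
        "good": validate_sender_cert(ALICE, "Alice <alice@example.com>", NOW, CRLS, CTL),
        "revoked": validate_sender_cert(BOB, "bob@example.com", NOW, CRLS, CTL),
        "display name mismatch": validate_sender_cert(ALICE, '"alice@example.com" <mallory@example.net>', NOW, CRLS, CTL),
        "expired": validate_sender_cert(ALICE, "alice@example.com", NOW + 2 * 10**6, CRLS, CTL),
    }
```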



Limitations

  • When somebody digitally signs a message, a copy of his/her public key is added to it, and somebody could extract the key from the message, posing a potential security threat.

  • To prevent this, encryption is also necessary to protect the key itself, but this is difficult to implement.



Remote Terminal Access - TELNET

  • Telnet has long been a standard Internet protocol; however, a standard way of ensuring the privacy and integrity of Telnet sessions has been lacking. Traditional Telnet servers operate without presentation of authorization credentials (for historical reasons). Currently, a TLS-based Telnet Security Internet-Draft (IETF) exists which addresses Telnet security and proposes a standard method for Telnet servers and clients to use the TLS security protocol. It describes how the participants decide whether or not to attempt TLS negotiation, and how to process authentication credentials as part of the TLS start-up.

  • The 5th version of this draft expires in April 2001.


TELNET: How It Works



Telnet Authentication and Authorization

  • Authentication of the server by the client:

    • PKI-based authentication via TLS handshake

    • Non-PKI based authentication via TLS handshake

    • Authentication by Telnet AUTH option (RFC 2941)

  • Authentication of the client by the server:

    • PKI-based authentication via TLS handshake

    • Non-PKI based authentication via TLS handshake

    • Authentication by Telnet AUTH option (RFC 2941)

    • Traditional Username and Password



Telnet Authentication and Authorization(cont’d)

  • For client-server authentication of anonymous connections

    • Both the client’s and the server’s TLS finished messages must be verified according to their content.

      Example: Authentication via Kerberos 4 after TLS negotiation


References

Angerbauer, Ralf. Internet Mail Security. Presentation for ECE575 – Data Security and Cryptography. Spring 1998. http://www.security.ece.orst.edu/koc/ece575/98Project/Angerbauer/sld001.htm

Ashley, Paul. SESAME. August 20, 1998. http://www.isrc.qut.edu.au/sesame/index.html

Boe, Michael and Altman, Jeffrey. TLS-based Telnet Security. IETF Internet-Draft. The Internet Society, October 24, 2000. http://www.ietf.org/internet-drafts/draft-ietf-tn3270e-telnet-tls-05.txt

Cochran, Jerry. Secure Messaging Solutions for Exchange. Exchange & Outlook Update: Windows 2000 Magazine. January 31, 2001. http://www.win2000mag.com/Articles/Index.cfm?ArticleID=19815&Key=Secure%20MIME%20%28S%2FMIME%29

Curtin, Matt and Ranum, Marcus J. Internet Firewalls: Frequently Asked Questions. December 1, 2000. http://www.interhack.net/pubs/fwfaq/

De Clercq, Jan. Certificate Validation. Windows 2000 Magazine. June 1, 2000. http://www.win2000mag.com/Articles/Index.cfm?ArticleID=8335&Key=Secure%20MIME%20%28S%2FMIME%29

Oppliger, Rolf. Securing the Internet. INET'99: The International Global Summit. McEnery Convention Centre, San Jose, California, United States. June 22-25, 1999. http://www.ifi.unizh.ch/~oppliger/Docs/PowerPoint/INET_99/sld001.htm

Vandenwauver, Mark, Govaerts, René and Vandewalle, Joos. Overview of Authentication Protocols. http://www.esat.kuleuven.ac.be/cosic/sesame/papers/carnahan.pdf

Vijayan, Jaikumar. Microsoft issues new security patch for Win2k telnet security hole. ComputerWorld, September 22, 2000. http://www.computerworld.com/cwi/story/0,1199,NAV47_STO51149,00.html

