
Application Layer Security Protocols

By: Mudassar Hayee

Jasbir Singh

“This report was prepared for Professor L. Orozco-Barbosa in partial fulfillment of the requirements for the course ELG/CEG 4183”


University of Ottawa

Topics That Will Be Discussed

  • Security over the internet

    • Introduction (chapter 7 of this course)

  • Firewalls

  • Authentication and key distribution systems

    • Kerberos

    • SESAME

  • Security enhanced application protocols

    • Electronic Mail

      • S/MIME

    • Remote Terminal Access

      • TELNET

Security Over the Internet (Introduction)

  • Why do we need security?

    • Packet sniffing

    • IP Spoofing

    • Denial of Service (DoS)

  • We desire security to address these main concerns:

    • Secrecy (encryption)

    • Authentication (confirm identity)

    • Message integrity

Security Over the Internet (Introduction)

  • Techniques used:

    • Network layer security

      • Cryptography

      • Public key encryption

      • Digital signatures

      • Trusted intermediaries

    • Application layer security

      • Firewalls

        • Top 3 myths about firewalls

      • Protocols

        • Electronic mail

          • PGP – discussed in class!

          • S/MIME

        • Remote communication

          • Telnet

        • WWW transactions (HTTP)

          • Discussed in class!

Application Layer Firewalls

  • A firewall is an intermediate system that can be placed between two networks to protect one from the other.

  • A firewall is a host running proxy servers, which control the network access.

Authentication and Key Distribution Systems

Authentication is a problem that can be tackled by requiring a password to access the resource. A key distribution system that authenticates the parties (e.g. using public key encryption) makes this much more secure.

Kerberos

  • Is a protocol that provides authentication and authorization.

  • It uses a symmetric key which is based on the password the client entered.

How Kerberos Works:

  • The client (C) wants to connect to the application server (V).

  • 1. The client sends its name and the name of the TGS to the AS.

  • 2. The AS replies with a TGT encrypted with a key based on the client’s password. If the client types in the correct password, it is able to decipher the message and obtain the TGT.

How Kerberos Works(cont’d):

  • 3. The client sends the TGT to the TGS. The TGT contains identification and timestamp information encrypted under a key that is shared between the AS and the TGS.

  • 4. Once the TGT (and thus the AS that issued it) has been verified by the TGS, the TGS gives access to the application server.

How Kerberos Works(cont’d):

  • 5. The client sends the message to the application server (V). The client encrypts the message with a public key.

  • 6. This is an optional message, sent when the user requires authentication by the verifier.
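
The six-step exchange above, as an added worked example that is not part of the original presentation: a toy model of the Kerberos flow in Python using only the standard library. The realm name, lifetimes, principal names and all keys are constructed; the encrypt/decrypt pair is a stand-in built from an HMAC-SHA256 keystream plus an HMAC tag so the ticket structure is visible without a crypto library (real Kerberos uses AES-based encryption types). It shows the password-derived client key, the TGT sealed under the AS/TGS key, the authenticator checked by the TGS, the service ticket sealed under V's key, and two failure modes: a wrong password and an expired TGT.

```python
"""Toy model of the Kerberos exchange (AS -> TGT, TGS -> service ticket, client -> V).
Constructed example, standard library only. encrypt/decrypt are a TOY primitive
(HMAC-SHA256 keystream + HMAC tag), not a real cipher."""
import hashlib
import hmac
import json
import os
import time

REALM = "EXAMPLE.LOCAL"   # assumed realm name
TGT_LIFETIME = 8 * 3600   # seconds; assumed policy
CLOCK_SKEW = 300          # authenticator freshness window, seconds


def kdf(password: str) -> bytes:
    """Kerberos string-to-key: the client's long-term key is derived from its password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), REALM.encode(), 10_000)


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def encrypt(key: bytes, obj: dict) -> bytes:
    """Toy authenticated encryption of a JSON object: nonce || ciphertext || tag."""
    pt = json.dumps(obj).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def decrypt(key: bytes, blob: bytes) -> dict:
    """Raises ValueError if the key is wrong or the blob was modified."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or tampered ticket")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


# Long-term keys (all constructed): the KDC database holds password-derived client
# keys; K_TGS is shared by the AS and TGS; K_V by the TGS and application server V.
KDC_DB = {"alice": kdf("correct horse")}
K_TGS = os.urandom(32)
K_V = os.urandom(32)


def as_exchange(client: str, now: float):
    """Steps 1-2: the AS issues a TGT sealed under K_TGS and a reply sealed under the
    client's password-derived key carrying the client/TGS session key."""
    k_c_tgs = os.urandom(32).hex()
    tgt = encrypt(K_TGS, {"client": client, "key": k_c_tgs, "expires": now + TGT_LIFETIME})
    return tgt, encrypt(KDC_DB[client], {"key": k_c_tgs})


def tgs_exchange(tgt: bytes, authenticator: bytes, service: str, now: float):
    """Steps 3-4: the TGS opens the TGT with K_TGS, checks its lifetime, verifies the
    client's authenticator with the session key inside it, then issues a ticket for V."""
    t = decrypt(K_TGS, tgt)
    if now > t["expires"]:
        raise ValueError("TGT expired")
    a = decrypt(bytes.fromhex(t["key"]), authenticator)
    if a["client"] != t["client"] or abs(a["ts"] - now) > CLOCK_SKEW:
        raise ValueError("authenticator mismatch or stale")
    k_c_v = os.urandom(32).hex()
    ticket = encrypt(K_V, {"client": t["client"], "service": service,
                           "key": k_c_v, "expires": t["expires"]})
    return ticket, encrypt(bytes.fromhex(t["key"]), {"key": k_c_v})


def server_v(ticket: bytes, authenticator: bytes, now: float) -> str:
    """Step 5: V opens the ticket with K_V and checks the authenticator under the
    ticket's session key; returns the authenticated principal name."""
    t = decrypt(K_V, ticket)
    a = decrypt(bytes.fromhex(t["key"]), authenticator)
    if a["client"] != t["client"] or now > t["expires"]:
        raise ValueError("authenticator rejected by V")
    return t["client"]


def login(client: str, password: str, service: str = "V", now: float = None) -> str:
    """Client side of the whole exchange; raises ValueError on any failure."""
    now = time.time() if now is None else now
    tgt, reply = as_exchange(client, now)
    k_c_tgs = bytes.fromhex(decrypt(kdf(password), reply)["key"])  # wrong password -> ValueError
    ticket, reply2 = tgs_exchange(tgt, encrypt(k_c_tgs, {"client": client, "ts": now}), service, now)
    k_c_v = bytes.fromhex(decrypt(k_c_tgs, reply2)["key"])
    return server_v(ticket, encrypt(k_c_v, {"client": client, "ts": now}), now)


def login_ok(client: str, password: str) -> bool:
    try:
        return login(client, password) == client
    except ValueError:
        return False


def stale_tgt_rejected() -> bool:
    """A TGT obtained at t0 must be refused by the TGS once its lifetime has passed."""
    t0 = 1_000_000_000.0
    tgt, reply = as_exchange("alice", t0)
    k = bytes.fromhex(decrypt(kdf("correct horse"), reply)["key"])
    later = t0 + TGT_LIFETIME + 1
    try:
        tgs_exchange(tgt, encrypt(k, {"client": "alice", "ts": later}), "V", later)
        return False
    except ValueError:
        return True
```

Calling `login("alice", "correct horse")` returns the principal name V accepted; `login_ok("alice", "wrong")` is False because the AS reply cannot be opened with the key derived from the wrong password, and `stale_tgt_rejected()` is True because the TGS checks the expiry inside the TGT before issuing a service ticket.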

SESAME

  • Was developed because many companies were either not protecting themselves or buying an insurance policy.

  • Objective was to define and implement protocols for authentication, access control, data confidentiality, and data integrity.

  • An extension to Kerberos.

SESAME on-line Authorities

  • AS: authenticates the user.

  • PAS: returns the appropriate certificate for the user.

  • KDS: is used to generate the keys to talk with the application.

How SESAME works:

  • The client sends an authenticator message to the AS. The AS uses the public key that was obtained from the PAS. Once the digital signature on the authenticator has been verified, the client has been authenticated to the system.

  • The AS now sends the client’s public key encrypted by a session key generated by the AS. The AS will also send an authenticator digitally signed with its private key.

How SESAME works(cont’d):

  • The client will now verify this authenticator with the AS’s public key, obtained from the AS’s certificate.

  • If it has been verified, the AS has been authenticated to the client.

Security Enhanced Application Protocols

  • At the application layer, security services must be defined, implemented and incorporated into each application individually.

    • i.e. the application developer needs to address the issue of security.

Electronic Mail

  • The US Postal service (USPS) recently announced their PosteCS service. In the future they promise full support for digital signatures and encryption through public/private key digital certificate technology.

  • Other approaches to electronic mail security include secure MIME (S/MIME), and SMTP-based security.

  • S/MIME = Secure/Multipurpose Internet Mail Extensions.

Why S/MIME?

  • It claims to provide the highest level of protection against intrusions, message-content tampering, spoofing, and unwanted viewing of message content.

How S/MIME Works

  • It uses public and private key pairs maintained for users involved in the secure communication.

  • A sender can add a digital signature (to assure the recipient that the message is authentic) or encrypt the message (to protect the content from unwanted viewing or tampering) using X.509v3 certificates.

  • Certificate validation steps occur when a client sends or opens a secure message: certificate revocation checking, timestamp checking, and digital signature validation.

How S/MIME Works

  • Outlook 2000 and Outlook Express 5.0 support certificate revocation list (CRL) distribution points (CDPs), which can provide automated certificate revocation checking. CDPs are defined by the ITU-T as part of the X.509 standard.

  • Certificate lifetime needs to be validated by the client as well, because certificates have limited lifespans.

    • To check digital signatures, use a trusted CA certificate's public key to check for integrity and authenticity.

    • The certificate must be on a certificate trust list (CTL) that resides with the client.

    • If the certificate’s ID differs from the sender's SMTP address, an error message notifies the client. This protects the client against impersonation and "man-in-the-middle" attacks.
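
The validation steps listed above (revocation checking, lifetime checking, signature validation against a trusted CA, the client's CTL, and the identity-versus-SMTP-sender comparison), as an added worked example that is not part of the original presentation nor any mail client's code. It is standard-library Python with constructed certificates, a constructed CRL and CTL, and a fixed "now"; the CA "signature" is a toy HMAC under a CA secret standing in for the RSA/ECDSA signature a real client would verify with the CA certificate's public key. The checker reports every failed check rather than stopping at the first, which is what a practitioner wants when diagnosing why a message was flagged.

```python
"""Constructed S/MIME-style sender-certificate validation. Standard library only; the
issuer 'signature' is a toy HMAC stand-in for a real public-key signature."""
import hashlib
import hmac
import json
from datetime import datetime, timezone

CA_NAME = "CN=Example Root CA"          # assumed issuer name
CA_SECRET = b"constructed-ca-secret"    # toy stand-in for the CA private key


def _tbs(cert: dict) -> bytes:
    """Deterministic serialization of the to-be-signed certificate fields."""
    keys = ("serial", "issuer", "subject_email", "not_before", "not_after")
    return json.dumps({k: cert[k] for k in keys}, sort_keys=True).encode()


def ca_sign(cert: dict) -> dict:
    """Issue a certificate: attach the issuer's (toy) signature over the TBS fields."""
    sig = hmac.new(CA_SECRET, _tbs(cert), hashlib.sha256).hexdigest()
    return {**cert, "signature": sig}


def validate_sender_cert(cert: dict, *, crl: set, ctl: set, smtp_from: str, now: datetime) -> list:
    """Return the list of failed checks; an empty list means the certificate is acceptable."""
    problems = []
    if cert["serial"] in crl:                                   # revocation checking
        problems.append("revoked")
    not_before = datetime.fromisoformat(cert["not_before"])
    not_after = datetime.fromisoformat(cert["not_after"])
    if not not_before <= now <= not_after:                      # lifetime / timestamp checking
        problems.append("outside validity period")
    expected = hmac.new(CA_SECRET, _tbs(cert), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(cert.get("signature", ""), expected):  # issuer signature
        problems.append("issuer signature invalid")
    if cert["issuer"] not in ctl:                               # certificate trust list
        problems.append("issuer not on client trust list")
    if cert["subject_email"].lower() != smtp_from.lower():      # identity vs SMTP sender
        problems.append("certificate identity differs from SMTP sender")
    return problems


# Constructed client-side state and sample certificates
CTL = {CA_NAME}
CRL = {"0x0bad"}
NOW = datetime(2001, 3, 1, tzinfo=timezone.utc)
_BASE = {"issuer": CA_NAME,
         "not_before": "2000-06-01T00:00:00+00:00",
         "not_after": "2002-06-01T00:00:00+00:00"}
GOOD = ca_sign({**_BASE, "serial": "0x1001", "subject_email": "alice@example.test"})
REVOKED = ca_sign({**_BASE, "serial": "0x0bad", "subject_email": "bob@example.test"})
EXPIRED = ca_sign({**_BASE, "serial": "0x1002", "subject_email": "carol@example.test",
                   "not_after": "2001-01-01T00:00:00+00:00"})
TAMPERED = {**GOOD, "subject_email": "ceo@example.test"}   # field altered after signing


def check(cert: dict, smtp_from: str) -> list:
    """Run the validation against the constructed CRL, CTL and clock."""
    return validate_sender_cert(cert, crl=CRL, ctl=CTL, smtp_from=smtp_from, now=NOW)
```

`check(GOOD, "alice@example.test")` returns an empty list; the revoked, expired and tampered certificates each return the matching single failure, and a valid certificate presented from a different SMTP address fails only the identity check, which is the impersonation case the slide describes.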

Limitations

  • When somebody digitally signs a message, a copy of his/her public key is added to it, and somebody could extract the key from the message, posing a potential security threat.

  • To prevent this, encryption is also necessary to protect the key itself, but this is difficult to implement.

Remote Terminal Access - TELNET

  • Telnet has long been a standard Internet protocol; however, a standard way of ensuring privacy and integrity of Telnet sessions has been lacking. Traditional Telnet servers operate without presentation of authorization credentials (for historical reasons). Currently, a TLS-based Telnet Security Internet-Draft (IETF) exists which addresses Telnet security and proposes a standard method for Telnet servers and clients to use the TLS security protocol. It describes how the participants decide whether or not to attempt TLS negotiation, and how to process authentication credentials as part of the TLS start-up.

  • The fifth version of this draft expires in April 2001.

Telnet Authentication and Authorization

  • Authentication of the server by the client:

    • PKI-based authentication via TLS handshake

    • Non-PKI based authentication via TLS handshake

    • Authentication by Telnet AUTH option (RFC 2941)

  • Authentication of the client by the server:

    • PKI-based authentication via TLS handshake

    • Non-PKI based authentication via TLS handshake

    • Authentication by Telnet AUTH option (RFC 2941)

    • Traditional Username and Password

Telnet Authentication and Authorization(cont’d)

  • For client-server authentication of anonymous connections:

    • Both the client’s and the server’s TLS Finished messages must be verified according to their content.

      Example: Authentication via Kerberos 4 after TLS negotiation

References

Angerbauer, Ralf. Internet Mail Security. Presentation for ECE575 – Data Security and Cryptography. Spring 1998.

Ashley, Paul. SESAME. August 20, 1998.

Boe, Michael and Altman, Jeffrey. TLS-based Telnet Security. IETF Internet-Draft. The Internet Society, October 24th, 2000.

Chochran, Jerry. Secure Messaging Solutions for Exchange. Exchange & Outlook Update: Windows2000 Magazine. January 31st, 2001.

References (cont’d)

Clercq, Jan De. Certificate Validation. Windows2000 Magazine. June 1st, 2000.

Curtin, Matt and Ranum, Marcus J. Internet Firewalls: Frequently Asked Questions. December 1st, 2000.

Oppliger, Rolf. Securing the Internet. INET'99: The International Global Summit. McEnery Convention Centre, San Jose, California, United States. June 22-25, 1999.

Vijayan, Jaikumar. Microsoft issues new security patch for Win2k telnet security hole. ComputerWorld, September 22, 2000.,1199,NAV47_STO51149,00.html

References (cont’d)

Vanderwauver, Mark and Govaerts, Rene and Vanderwalle, Joos. Overview of Authentication Protocols.