Transport Layer Security Tls Network Security Protocol Computer Science Essay

Published: Last Edited:

This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.

TLS is industry standard network security protocol that is designed to provide data privacy and data integrity between two communicating applications. TLS was derived from earlier Secure Socket Layer (SSL) developed by Netscape in early 1990s. TLS is defined in IETF RFC 2246. TLS/SSL can be used to create a secure environment for emailing, web browsing or other client-server applications. TLS requires the use of a digital certificate which contains identity information about the owner as well as a public key to encrypting communications. Normally the certificates are installed on a server, if a web server intention to create a secure web environment, the certificates can install on mail or other servers for encrypting other client-server communications. (Tipton & Krause, 2003)

TLS protocol is made up of two layers. TLS record protocol provides an encapsulation layer for TLS data and provides functions similar to those performed by UDP and TCP. The record protocol accepts message from higher layer protocols and packages those messages for secure transmission. The record protocol breaks up message into manageable chunks and then may apply one or more types of compression, data integrity or encryption to the data before passing it along to the transport layer protocol. While, TLS handshake protocol allows authentication between the server and client and the negotiation of an encryption algorithm and cryptographic keys before the application protocol transmits or receives any data. (Loshin, 2003)

TLS operation where the client contacts the server requesting a TLS session be established and includes in that request the version(s) of TLS and SSL that can be used, ciphers supported by the client, session ID, and other required parameters. Then, the server responds with the version of TLS/SSL that will be used, the cipher algorithm to be used, and some random data that is used to generate a session key. The server then sends the client its Certificate (which contains a public key) and an indication that client authentication is to be performed. After that, client attempts to authenticate the server Certificate, indicates success or failure to the server, and if successful, indicates that all further communication will be encrypted. The client also forwards its certificate to the server. The server authenticates the client Certificate and acknowledges that all further communication will be encrypted. The client generates a session key using the random data previously provided by the server, encrypts it to the server's public key, and sends it to the server. The server decrypts the session key using its private key and acknowledges receipt of the session key. (Joshi, 2008)

1.2 IPSEC (Internet Protocol Security)

IPSEC is a network layer security protocol that is designed to support secure TCP/IP environment over the Internet considering flexibility, scalability, and interoperability. IPSEC primarily supports security among hosts rather than users unlike the other security protocols. Recently, IPSEC is emphasized as one of the important security infrastructures in the NGI (Next Generation Internet). It also has suitable features to implement VPN (Virtual Private Network) efficiently and its application areas are expected to grow rapidly. (Sheila Frankel, 2001)

IPsec has two modes of operation, transport mode and tunnel mode. When operating in transport mode, the source and destination hosts must directly perform all cryptographic operations. Encrypted data is sent through a single tunnel that is created with L2TP (Layer 2 Tunnelling Protocol). Data (cipher text) is created by the source host and retrieved by the destination host. This mode of operation establishes end-to-end security. (Dooley & Brown, 2003)

When operating in tunnel mode, special gateways perform cryptographic processing in addition to the source and destination hosts. Here, many tunnels are created in series between gateways, establishing gateway-to-gateway security (Shinder, 2003) When using either of these modes, it's important to provide all gateways with the ability to verify that a packet is real and to authenticate the packet at both ends. Any invalid packets must be dropped. (C.L.WU,2003)

Two types of data packet encodings (DPE) are required in IPsec. These are the authentication header (AH) and the encapsulating security payload (ESP) DPEs. These encodings offer network-level security for the data. The AH provides authenticity and integrity of the packet. The authentication is made available through keyed hash functions, also known as MACs (message authentication codes). This header also prohibits illegal modification and has the option of providing ant replay security. The AH can establish security between multiple hosts, multiple gateways, or multiple hosts and gateways, all implementing AH (Kent, 1998) ESP header provides encryption, data encapsulation and data confidentiality. Data confidentiality is made available through symmetric key encryption (Perlman, 2001)

During its journey through the various tunnels and gateways, additional headers are added to the packet. On each pass through a gateway, a datagram is wrapped in a new header. Included in this header is the security parameter index (SPI). The SPI specifies the algorithms and keys that were used by the last system to view the packet. The payload is also protected in this system because any change or error in the data will be detected, causing the receiving party to drop the packet. The headers are applied at the beginning of each tunnel and then verified and removed at the end of each tunnel. This method prevents the build up of unnecessary overhead (Guttman, Herzog & Thayer, 2000)

1.3 Advantages IPSEC and TLS

Although IPsec and TLS provide strong encryption and authentication in similar way but there have few key philosophical differences in the design. The major advantage of TLS over IPsec is wide availability, very easy configuration of the client and no OS-level modifications required. Additional configuration can be pushed to the client. Solutions are available for windows 2000/XP, mac OS-X and Linux. TLS are available against no additional cost. There is no licensing structured for TLS. While IP sec requires specific software and the software will cost client. Besides that, TLS operates in ring 3 of the secure OS ring architecture, there is no interwining with OS kernel like IPsec, but IPsec operates in ring 0 when IPSEC software becomes unstable the whole OS can become instable.

IPsec over TLS is that IPSec also protects against attacks TCP, IPsec over TCP wouldn't have that protection for the outer TCP session. Besides that IP sec can encrypt any protocol and encrypts the entire packet including IP header, but TLS can't provide that.

2.1 IGMP basic architecture

Internet Group Management Protocol (IGMP) is the protocol used in multicast implementations between the end hosts and the local router. ICMP defined in RFC 1112 as the standard for IP multicasting in the Internet. It's used to establish host memberships in particular multicast groups on a single network. The mechanism of the protocol allow a host to inform its local router by using Host Membership Reports, that it wants to receive messages addressed to a specific multicast group. All hosts conforming to level 2 of the IP multicasting specification require IGMP. Only IPv4 networks needed IGMP, multicast is handled differently in IPV6 networks. (Webopedia, 2010)

Base on the diagram above, multicast it according. When a host joins a new multicast group, it sends an IGMP message to the group multicast address declaring its membership. Local multicast routers receive the message and establish necessary routing by propagating the group membership information to other multicast routers through the internet. Because membership is dynamic, local multicast routers periodically poll hosts on the local network to determine whether any hosts still remain member of each group. If any host responds for a given group, the router keeps the groups active. If no host reports membership in a group after several polls, the multicast router assumes that none of the hosts on the network remain in the group and stop advertising group membership to other multicast routers. (Corner, 2000)

2.2 Initial exchange for Multicast group

This figure illustrates the process whereby a client receives a video multicast from the server. Firstly, the receiver sends an IGMP join message to its designated multicast router. The destination MAC address maps to the Class D address of group being joined rather are being the MAC address of the router. The body of the IGMP datagram also includes the Class D group address. (Minoli, 2008)

Then, the router logs the join message and uses PIM or another multicast routing protocol to add this segment to the multicast distribution tree. Later, IP multicast traffic transmitted from the server is now distributed via the designated router to the client's subnet. The destination MAC address corresponds to the Class D address of group. The switch receives the multicast packet and examines its forwarding table. If no entry exists for the MAC address, the packet will be flooded to all ports within the broadcast domain. If an entry does exist in the switch table, the packet will be forwarded only to the designated ports. (Minoli, 2008)

With IGMP V1, the client remains a member of the group until it fails to send a join message in response to a query from the router. Multicast routers also periodically send an IGMP query to the "all multicast hosts" group or to a specific multicast group on the subnet to determine which groups are still active within the subnet. Each host delays its response to a query by a small random period and will then respond only if no other host in the group has already reported. This mechanism prevents many hosts from congesting the network with simultaneous reports. (Minoli, 2008)

2.3 PIM dense mode and Sparse mode

Protocol Independent Multicast (PIM) is responsible for the accurate and timely delivery of multicast data to various receivers throughout a network. The PIM architecture is actually split into two different revisions: PIM sparse mode (PIM-SM), detailed in RFC 2362, and PIM dense mode outlined in RFC 3973. PIM is not dependant on any particular routing protocol, which allows it to be implemented across various network architectures using a range of different routing protocols. PIM uses the unicast forwarding table to build the multicast forwarding table. This is a key feature which allows PIM to scale better than most dependent protocols like MOSPF.

PIM dense mode requires only a multicast source and series of multicast-enabled routers running PIM dense mode to allow receivers to obtain multicast content. Dense mode makes sure that everything gets everywhere by periodically flooding the network with multicast traffic, and relies on prune messages to make sure that subnets where all receivers are uninterested in that particular multicast group stop receiving packets.

PIM dense mode is less sophisticated than PIM sparse mode. PIM dense mode is useful for multicast LAN applications, the main environment for all dense mode protocols. PIM dense mode implements the same flood-and-prune mechanism that DVMRP and other dense mode routing protocols employ. The main difference between DVMRP and PIM dense mode is that PIM dense mode introduces the concept of protocol independence. PIM dense mode can use the routing table populated by any underlying unicast routing protocol to perform reverse-path-forwarding (RPF) checks. ISP typically appreciate the ability to use any underlying unicast routing protocol with PIM dense mode because they need not introduce and manage a separate routing protocol just for RPF checks. Unicast routing protocols extended as multiprotocol Border Gateway Protocol (MBGP) and multitopology routing for Intermediate System-to-Intermediate System (M-ISIS) were later employed to build special tables to perform RPF checks, but PIM dense mode does not require them. PIM dense mode can use the unicast routing table populated by Open Shortest Path First (OSPF), IS-IS, BGP, and so on, or PIM dense mode can be configured to use a special multicast RPF table populated by MBGP or M-ISIS when performing RPF checks.

PIM-SM is quite different from PIM-DM. Rather than allowing traffic to be sent everywhere and then pruned back where it not needed, PIM-SM uses a configured Rendezvous Point (RP) provides a registration service for a multicast group. PIM-SM relies on IGMP which lets a host join a group by sending a membership report message and detach from a group by sending a leave message. A designated router for a network segment track membership report and leave message on its segment and periodically send join and prune PIM message to the RP. The join and prune message are processed by all router between the designated router and RP, The result is a distribution tree reaches all group members and is centered at the RP. The distribution tree for a multicast group is initially used for any source .Each source registers with the RP and it initially forwards the multicast data to the receivers throughout the network. PIM-SM uses a combination of either a shared or source based trees as shown in the figure below (Unidirectional). (Oppenheimer, 1999)

As shown in the figure the registering process begins when a DR creates a new (S, G) state. The DR encapsulates all the data packets that match the (S, G) state into PIM register messages and unicasts those register messages to the RP. If an RP has downstream receivers that want to receive register messages from a new source, the RP can either continue to receive the register messages through the DR or join the shortest path leading toward the source. By default, the RP will join the shortest path, because delivery of native multicast traffic provides the highest throughput. Upon receipt of the first packet that arrives natively through the shortest path, the RP will send a register-stop message back to the DR. When the DR receives this register-stop message, it will stop sending register messages to the RP.

If an RP has no downstream receivers that want to receive register messages from a new source, the RP will not join the shortest path. Instead, the RP will immediately send a register-stop message back to the DR. When the DR receives this register-stop message, it will stop sending register messages to the RP.

3.1 Internet hosts function

The internet host is refer to machine or application where connect to internet that has internet protocol address. The four of internet host are sender, sender server, receiver server and receiver. Below is the diagram show the internet host connected.

Sender is users using mail software to compose a document possibly including attachments such as voice, tables, photographs or video recording. Then sender sever will divides the message into packets and adds information about how each packet should be handled-for instance, in what order packets were transmitted from the sender. At that time, packets are sent to a mail submission server which internal network of company or Internet service provider to converts the domain name of the recipient's mail address into a numeric IP address. It does this by querying domain name servers interspersed throughout the Internet. (Gralla, 2003)

When reach to destination server, it will places the packets in their original order according to the instructions contained in each packet, and stores the message in the recipient's mailbox. Then recipient's client software can then display the message. Message receiver needs an account on a mail server, then use mail software to retrieve the mail. (Gralla, 2003)

3.2 Internet Protocol for email

Basically, a protocol is set of rules for the order in which messages of particular types are exchanges. In order to deal with email, the user must use a mail client to access a mail server. Using a variety of protocols, the mail client and mail server can exchange information with each other. For this connection, the user will need to use SMTP, HTTP, IMAP, POP3 and LDAP. (Sharp, 1995)

IMAP (Internet Message Access Protocol) is application layer protocols used for email across the internet.IMAP in that an email message is held on server and then download to an email client application. POP (Post Office Protocol 3) protocol is a simple, standardized way for users to retrieve mail from server and download messages to their computers. SMTP (Simple Mail Transfer Protocol) protocol is the application layer protocol used for transmitting email messages. SMTP is capable of receiving email messages but it's limited in its capabilities. HTTP protocol is not a protocol dedicated for email communications, but it can be used for accessing mailbox. It also called web based email where used to compose or retrieve emails from the account, example hotmail. LDAP (Lightweight Directory Access Protocol) is an Internet protocol that email and other programs use to look up information from a server. (Cormer, 2008)

3.3 Format of the sent message with attachment

The format would use sent message with attachment is MIME, which is a standard for encoding interpreting binary files, images, video and non- ASCII character sets within an email message. (Dean, 2010) Furthermore, BinHex is used mainly Apple Mac machines but not widely used on other operating systems. BinHex encoding converts a file into 7-bit format similar to other encoding techniques but in case also preservers file attributes as well as Macintosh resources forks. In addition, Uuencoding was method binary-to-text encoding and was first developed for BSD UNIX 4.0 to encoding binary data for transmission over the mail system. (Miller, 2009)

3.4 Difference received message and sent message

Differ between received messages and sent message where the received message has include extra mandatory header. The header must be included in order for the message to pass through the mail system, it possesses sufficient information to enter mail system and transit it to a destination.

4. Introduction

Internet Protocol is a set of technical rules that defines how computers communicate over a network. Currently IP version has are IP version 4 (IPv4) and IP version 6 (IPv6). IPv4 was the first version of Internet Protocol to be widely used, and accounts for most of today's Internet traffic. There are just over 4 billion IPv4 addresses. While that is a lot of IP addresses, it is not enough to last forever. IPv6 is a newer numbering system that provides a much larger address pool than IPv4, amongst other features. It was deployed in 1999 and should meet the world's IP addressing needs well into the future.

4.1. Quick primer of the IPv6 protocol

The IPv6 header has a new format that is designed to minimize header overhead. The IPv6 header is only twice the size of the IPv4 header, even though the number of bits in IPv6 addresses is four times larger than IPv4 addresses. This is achieved by moving both nonessential and optional fields to extension headers that are placed after the IPv6 header. Therefore streamlined IPv6 header more efficiently processed at intermediate router. Differences between IPv4 and IPv6 protocol headers are illustrated in Figure 4.1.

4.2 Addressing

The main point of IPv6 addressing is the 128 bits addresses, which give a wide addressing space (more than 1038 addresses). In this case, the addresses are assigned to interfaces, and it is possible that one interface has multiple addresses.

Figure 4.2: structure of IPv6 address

In the figure 4.2 is shown the main structure of an IPv6 address, where there is a network prefix, that depends on the topology of the network, and that identifies the network in which the device with that address is connected, and the interface prefix, that identifies a node of that network.

The IPv6 address space supports three types of address; Unicast, Multicast and Anycast. Unicast is identifies a single interface. A packet with an address of this type in the destiny is delivered only to that interface. While multicast is identifies a set of interfaces. A packet with this address as destiny is delivered to all the interfaces of the set. Anycast identifies also a set of interfaces, but in this case, a packet with this kind of address as destiny, is delivered only to one interface of the set. Usually the next interface is according to the routing protocol.

The main differences between IPv4 and IPv6 addresses are the appearance of the IPv6 anycast addresses, and the disappearance of IPv4 broadcast addresses, that are replaced by the IPv6 multicast addresses.

The auto configuration is a very important feature of IPv6, as it provides that a node can configured its address by itself. This characteristic is what allows saying that IPv6 is "plug & play". There are 2 different ways of auto configuration in IPv6, the stateless address auto configuration, and the stateful auto configuration.

In the case of the stateless address auto configuration, the host does not require any kind of manual configuration, and the routers need only a minimal configuration, or sometimes nothing. The router can create its own address by a combination of information from the routers, and information available locally. The information provided by the routers is the prefixes of the network where the host is connected, and the local information of the router is an interface identifier that, usually, is the MAC address of the interface card. Combining these 2 elements, the IP address is obtained.

With the stateful auto configuration, the host obtains the IP addresses of its interfaces from a DHCPv6 server, which has a database with all the addresses that have been assigned to all the interfaces. This kind of auto configuration would be like the DHCP protocol of IPv4, but with some improved features.

4.3. Security mechanisms built into the IPv6 protocol

IPv6 as the follow up protocol to IPv4 has addressed several missing points of the IPv4 protocol. One of them is the security aspect of the protocol. Security features which are developed for IPv6 are known under the name of IPsec. IPsec is today most commonly used in IPv4 where it is optional, while it is mandatory to use it in the IPv6 protocol. IPsec is, if properly used, certainly changing security paradigm of IP (v4 and v6) communications and is very well known and interoperable in multiple vendor implementations. IPsec consists of enhancements to original IP protocol which provide authenticity, integrity, confidentiality and access control to each IP packet through usage of the two new headers: AH (authentication header) and ESP (Encapsulations Security Payload) as it is illustrated on the Figure 4.3:

4.4 Neighbour discovery and router solicitation

Neighbour discovery and stateless address auto configuration are yet two other powerful flexibilities in the world of IPv6 protocol. However flexibility and security are just the opposite requirements. The neighbour discovery as well as the router solicitation in the IP network (v4 or v6) is using the Internet Control Messaging Protocol (ICMP). While the ICMPv4 is a separate protocol on a side of IPv4, the ICMPv6 is the protocol which runs directly on the top of the IPv6 protocol, which might cause a security problem. (Majstor, 2003)

Exchanging the ICMPv6 messages on the top of the IPv6 protocol for the vital "network health" messages and environment solicitations are crucial for IPv6 communication. However it could also be abused with sending the fake, crafted response messages for the purpose of the denial of service, traffic re-routing or any other malicious purpose. For security reasons, the IPv6 protocol definition recommends that all ICMP messages use the IPsec AH (Authentication Header) and its functionality of integrity, authentication and anti-replay. Unfortunately in practice and early commercial implementations we do face that very few IPv6 implementations support IPsec or support itin very limited fashion, which opens the ICMPv6 messages to potential security attacks. (Majstor, 2003)

4.5 Header extensions

IPv6 header is simpler compared to IPv4 header as we have seen briefly in the IPv6 primer at the beginning. Simplicity is achieved due to additional header chaining which allows routing devices to process only IPv6 header while the other headers are processed only by the end nodes. Examples of chained extension headers are illustrated in Figure 4.

Routing header in IPv6 is comparable to IPv4 source-route option. Source route in the header of the IPv4 packet defines the hop-by-hop path from the source of the packet to the destination of the packet throughout the whole network. Source-routing is from the security perspective very unwelcome feature in IPv4 networks, as it could be abused for spoofing attack and hence has to be used with care or disabled on the portions of the network where it is not needed. In the IPv6 world there is no source-routing option in the IP header. This functionality is instead achieved with a routing header, with the same security consequence, however it couldn't be always easily turned off or filtered. If there is a need for using mobile IP (MIP) functionality within the IPv6 network, than the routing header must be used. While some more detailed description of the MIP is following later, it is important to mention here that MIP is natively build into IPv6 protocol stack and it requires routing header to work.

4.6 Dual stacks

IPv4 headers and IPv6 headers are not interoperable. IPv6 is not a superset of functionality that is backward compatible with IPv4 but rather a new protocol with its own specific requirements for filtering at the perimeter of the network. This opens the whole new area of the statefull perimeter security for the native IPv6 communication. In the transition towards the complete native IPv6 networks there will be a period where devices on the network will need to run both IPv4 and IPv6 protocols and process or recognize both header formats. This mixed environment would certainly be just another area where devices would be exposed to bother IPv4 as well as IPv6 protocol security issues.

4.7. Conclusion

It is obvious and easy to say that two decades younger protocol, IPv6 is bringing security enhancements into a modern IP network. It brings a lot of flexibility which also opens the security problems. IPv6 mandates usage of the IPsec protocol and also has flexible extension header options. In practice that could help, however does not solve all the security problems for the all requirements. As security is a journey and not a destination, it is also yet to be seen what the additional security exposures could have in the IPv6 based network environment.