
VPNs: IETF IPsec security standards. IP security at the internet layer protects all messages at the transport and application layers.

Dec 18, 2015

Transcript
Page 1: VPNs

IETF IPsec security standards
• IP security
• At the internet layer
• Protects all messages at the transport and application layers (TCP, UDP; e-mail, WWW, database, etc.), and does so without any change to those applications

[Diagram: protocol stack with IPsec below TCP and UDP, which sit below E-Mail, WWW, Database, etc.]

Page 2: VPNs

IPsec Transport Mode
• End-to-end security for hosts
• Each host runs IPsec itself; only the payload (TCP/UDP header and data) is encrypted and authenticated, so the original IP header, and with it the two hosts' addresses, stays visible on the Internet

[Diagram: host on Local Network -- Internet -- host on Local Network, with Secure Communication end to end between the hosts]

Page 3: VPNs

IPsec Tunnel Mode
• IPsec server (security gateway) at each site
• Secure communication between sites
• The gateway wraps the whole original packet, header included, inside a new IP packet addressed gateway to gateway; hosts inside each site need no IPsec, and observers on the Internet see only the gateway addresses

[Diagram: Local Network -- IPsec Server -- Internet -- IPsec Server -- Local Network, with Secure Communication between the two IPsec servers]

Page 4: VPNs

IPsec Modes Can be Combined
• End-to-end transport mode connection
• Within a site-to-site tunnel connection
• The transport-mode packet between the two hosts is itself carried inside the gateways' tunnel, so traffic is protected twice between the gateways and once inside each site

[Diagram: Tunnel Mode between the two sites' gateways, Transport Mode between the end hosts inside it]
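The three mode slides above describe what each mode hides. The following is an added example, not part of the original slides, that builds one constructed TCP segment into an ESP packet first in transport mode and then in tunnel mode and shows what an observer on the Internet can read in each case. The IPv4 and ESP layouts follow RFC 791 and RFC 4303 and the ICV follows RFC 4868 (HMAC-SHA-256 truncated to 128 bits); the host and gateway addresses, the TCP segment and the keys are constructed, and the keystream used for confidentiality is a labelled stand-in for the AES transforms real IPsec uses.

```python
"""Added example (not from the slides): one TCP segment protected by IPsec ESP in transport
mode and in tunnel mode, and what an on-path observer can read in each case. Layouts follow
RFC 791 (IPv4) and RFC 4303 (ESP); the ICV is HMAC-SHA-256 truncated to 128 bits (RFC 4868).
Confidentiality uses a labelled standard-library STAND-IN keystream, not a real IPsec cipher."""
import hashlib, hmac, ipaddress, struct

IPPROTO_IPIP, IPPROTO_TCP, IPPROTO_ESP, ICV_LEN = 4, 6, 50, 16

def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """20-byte IPv4 header with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    s = sum(struct.unpack("!10H", hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return hdr[:10] + struct.pack("!H", ~s & 0xFFFF) + hdr[12:]

def parse_ipv4(pkt):
    v, _, total, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "proto": proto, "payload": pkt[(v & 0x0F) * 4:total]}

def keystream_xor(key, spi, seq, data):
    """STAND-IN cipher: HMAC-SHA256 in counter mode keyed per SPI and sequence number.
    Here only so the example runs on the standard library; real IPsec uses AES-GCM or AES-CBC."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hmac.new(key, struct.pack("!IIQ", spi, seq, off), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)

def esp_encapsulate(enc_key, auth_key, spi, seq, inner, next_header):
    """ESP packet: SPI | seq | Encrypt(payload | padding | pad_len | next_header) | ICV."""
    pad_len = (-(len(inner) + 2)) % 4
    plaintext = inner + bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    esp_hdr = struct.pack("!II", spi, seq)
    ct = keystream_xor(enc_key, spi, seq, plaintext)
    return esp_hdr + ct + hmac.new(auth_key, esp_hdr + ct, hashlib.sha256).digest()[:ICV_LEN]

def esp_decapsulate(enc_key, auth_key, esp):
    spi, seq = struct.unpack("!II", esp[:8])
    body, icv = esp[8:-ICV_LEN], esp[-ICV_LEN:]
    expect = hmac.new(auth_key, esp[:8] + body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expect):
        raise ValueError("ESP ICV mismatch")        # integrity is checked before decryption
    pt = keystream_xor(enc_key, spi, seq, body)
    pad_len, next_header = pt[-2], pt[-1]
    return next_header, pt[:len(pt) - 2 - pad_len]

# Constructed sample traffic: host A at site A sends a TCP segment to host B at site B.
HOST_A, HOST_B, GW_A, GW_B = "10.1.0.5", "10.2.0.7", "198.51.100.1", "203.0.113.1"
TCP_SEGMENT = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 0x50, 0x02, 65535, 0, 0) + b"GET / HTTP/1.1\r\n"
ENC_KEY, AUTH_KEY = b"k" * 32, b"a" * 32            # constructed keys

def transport_mode(spi=0x1001, seq=1):
    """Host A applies ESP itself: the TCP segment is hidden, A's and B's addresses are not."""
    esp = esp_encapsulate(ENC_KEY, AUTH_KEY, spi, seq, TCP_SEGMENT, IPPROTO_TCP)
    return ipv4_header(HOST_A, HOST_B, IPPROTO_ESP, len(esp)) + esp

def tunnel_mode(spi=0x2002, seq=1):
    """Gateway A wraps the whole original packet, header included, in a gateway-to-gateway packet."""
    inner = ipv4_header(HOST_A, HOST_B, IPPROTO_TCP, len(TCP_SEGMENT)) + TCP_SEGMENT
    esp = esp_encapsulate(ENC_KEY, AUTH_KEY, spi, seq, inner, IPPROTO_IPIP)
    return ipv4_header(GW_A, GW_B, IPPROTO_ESP, len(esp)) + esp

def observer_view(pkt):
    """Everything an observer on the Internet path can read without the keys."""
    outer = parse_ipv4(pkt)
    spi, seq = struct.unpack("!II", outer["payload"][:8])
    return {"src": outer["src"], "dst": outer["dst"], "proto": outer["proto"], "spi": spi, "seq": seq}

def receiver_view(pkt):
    """What the key holder recovers; next_header 4 (IP-in-IP) marks tunnel mode."""
    nh, data = esp_decapsulate(ENC_KEY, AUTH_KEY, parse_ipv4(pkt)["payload"])
    if nh == IPPROTO_IPIP:
        inner = parse_ipv4(data)
        return {"next_header": nh, "inner_src": inner["src"], "inner_dst": inner["dst"], "tcp": inner["payload"]}
    return {"next_header": nh, "tcp": data}

def tamper_detected(pkt):
    """Flip one ciphertext bit in transit; the receiver must drop the packet without decrypting it."""
    bad = bytearray(pkt)
    bad[-1 - ICV_LEN] ^= 0x01
    try:
        receiver_view(bytes(bad))
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    for name, pkt in (("transport", transport_mode()), ("tunnel", tunnel_mode())):
        print(name, "observer:", observer_view(pkt))
        print(name, "receiver:", receiver_view(pkt), "tamper detected:", tamper_detected(pkt))
```

In transport mode the observer still learns which two hosts are talking (10.1.0.5 to 10.2.0.7) and that they are using ESP; in tunnel mode only the gateway pair is visible and the inner header travels encrypted, which is why the tunnel packet is exactly one IP header (20 bytes) larger. In both modes the receiver checks the ICV before decrypting, so a packet modified in transit is discarded unread.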

Page 5: VPNs

Another security system for VPNs is the Point-to-Point Tunneling Protocol (PPTP)
• For dial-up connections, based on PPP
• Connects a user securely to a remote access server at a site
• PPTP is now obsolete: its MS-CHAPv2 authentication is broken, and the MPPE session keys are derived from it, so it should not be used for new deployments; IPsec- or TLS-based remote access is used instead

[Diagram: remote user -- Dial-Up Connection -- Internet -- Remote Access Server -- Local Network, with the PPTP Connection running from the user to the server]

Page 6: PKIs

To use public key methods, an organization must establish a comprehensive Public Key Infrastructure (PKI)
• A PKI automates most aspects of using public key encryption and authentication
• Uses a PKI Server (the certificate authority, CA, together with its registration and revocation services)

[Diagram: PKI Server]

Page 7: PKIs

PKI Server Creates Public Key-Private Key Pairs
• Distributes private keys to applicants securely
• Often, private keys are embedded in delivered software
• This is central key generation, appropriate where the organization must be able to recover (escrow) encryption keys. For signing and authentication keys the usual practice is the reverse: the applicant generates the key pair locally, sends only the public key to the PKI server in a certificate signing request (CSR), and the private key never leaves the applicant

[Diagram: PKI Server delivers a Private Key to the applicant]

Page 8: PKIs

PKI Server Provides CRL Checks
• Distributes digital certificates to verifiers
• Checks the certificate revocation list before sending digital certificates

[Diagram: PKI Server sends a Digital Certificate to the verifier]

Page 9: PKIs

CRL (Certificate Revocation List) Checks
• If an applicant gives a verifier a digital certificate,
• the verifier must check the certificate revocation list
• The CRL is a list of revoked certificate serial numbers, signed by the issuing CA and published with a validity window (thisUpdate / nextUpdate). The verifier must check the CRL's signature and issuer and reject a stale or missing list rather than treat "no answer" as "not revoked". The Online Certificate Status Protocol (OCSP) is the per-certificate alternative to downloading the whole list

[Diagram: verifier asks the PKI Server "OK?"; the PKI Server consults the CRL and answers OK or Revoked]
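As an added example that is not part of the original slides, here is the verifier's side of the CRL check described on pages 8 and 9. The certificate and CRL are constructed Python records standing in for the X.509 structures of RFC 5280; the issuer name, serial numbers and dates are constructed, and the CA's signature over the list is modelled with HMAC under a constructed key so that the step of authenticating the list before trusting it is not skipped. It goes one step beyond the slide: a missing, foreign, tampered or stale CRL is reported as its own failure rather than as "OK", because a verifier that treats "no answer" as "not revoked" can be defeated simply by blocking the CRL download.

```python
"""Added example (not from the slides): the verifier's side of a CRL check.
The certificate and CRL are constructed Python records standing in for the X.509
structures of RFC 5280; the CA's signature over the CRL is modelled with HMAC under
a constructed CA key so that the 'authenticate the list before trusting it' step is
not skipped. Every outcome other than 'good' is a failure for the verifier."""
import hashlib, hmac, json
from datetime import datetime, timedelta, timezone

ISSUER = "CN=Example Corp PKI Server"                # constructed issuer name
CA_KEY = b"constructed-ca-signing-key"               # STAND-IN for the CA's private key

def crl_signature(crl):
    """Stand-in for the CA's digital signature over everything in the CRL but the signature."""
    body = json.dumps({k: v for k, v in crl.items() if k != "signature"}, sort_keys=True)
    return hmac.new(CA_KEY, body.encode(), hashlib.sha256).hexdigest()

def issue_crl(this_update, lifetime_hours, revoked):
    """PKI server publishes the list with a validity window (thisUpdate / nextUpdate)."""
    crl = {"issuer": ISSUER, "this_update": this_update.isoformat(),
           "next_update": (this_update + timedelta(hours=lifetime_hours)).isoformat(),
           "revoked": revoked}
    crl["signature"] = crl_signature(crl)
    return crl

def certificate_status(cert, crl, now):
    """Returns 'good', 'revoked', 'expired', 'not_yet_valid', 'crl_untrusted' or 'crl_stale'."""
    if now < datetime.fromisoformat(cert["not_before"]):
        return "not_yet_valid"
    if now > datetime.fromisoformat(cert["not_after"]):
        return "expired"
    # 1. The CRL must exist, come from the certificate's own issuer and carry a valid signature.
    #    Otherwise whoever controls the CRL fetch could 'un-revoke' a compromised key.
    if (crl is None or crl["issuer"] != cert["issuer"]
            or not hmac.compare_digest(crl["signature"], crl_signature(crl))):
        return "crl_untrusted"
    # 2. A list past its next_update may be missing recent revocations: fail closed, never assume 'good'.
    if now > datetime.fromisoformat(crl["next_update"]):
        return "crl_stale"
    # 3. Only now is the serial-number lookup meaningful.
    if any(entry["serial"] == cert["serial"] for entry in crl["revoked"]):
        return "revoked"
    return "good"

# Constructed sample data: two certificates from the same issuer, one of them revoked.
T0 = datetime(2015, 12, 18, 9, 0, tzinfo=timezone.utc)

def make_cert(serial):
    return {"issuer": ISSUER, "serial": serial,
            "not_before": (T0 - timedelta(days=30)).isoformat(),
            "not_after": (T0 + timedelta(days=335)).isoformat()}

GOOD_CERT, REVOKED_CERT = make_cert("1A2B"), make_cert("3C4D")
CRL = issue_crl(T0, 24, [{"serial": "3C4D", "date": T0.isoformat(), "reason": "keyCompromise"}])

def demo():
    """Each case is what the verifier must conclude; only the first one may proceed."""
    h1, d3, d400 = T0 + timedelta(hours=1), T0 + timedelta(days=3), T0 + timedelta(days=400)
    return {
        "good cert, fresh CRL": certificate_status(GOOD_CERT, CRL, h1),
        "revoked cert": certificate_status(REVOKED_CERT, CRL, h1),
        "good cert, stale CRL": certificate_status(GOOD_CERT, CRL, d3),
        "no CRL available": certificate_status(GOOD_CERT, None, h1),
        "tampered CRL (entry removed)": certificate_status(REVOKED_CERT, dict(CRL, revoked=[]), h1),
        "expired cert": certificate_status(GOOD_CERT, CRL, d400),
    }

if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{case:30s} -> {status}")
```

The order of the checks matters: the serial-number lookup is done last, only once the list has been shown to be the right issuer's, unmodified and current. Removing the revoked entry from the list ("tampered CRL") therefore does not turn the certificate back into a good one; it makes the whole list untrusted.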

Page 10: Integrated Security System

When two parties communicate ...
• Their software usually handles the details
• First, negotiate security methods
• Then, authenticate one another
• Then, exchange a symmetric session key
• Then they can communicate securely, using the symmetric session key and message-by-message authentication

Page 11: SSL Integrated Security System

SSL
• Secure Sockets Layer
• Developed by Netscape

TLS (now)
• Netscape gave IETF control over SSL
• IETF renamed it TLS (Transport Layer Security); TLS 1.0 was published as RFC 2246 in 1999
• Often still called SSL informally, although SSL 2.0 and SSL 3.0 themselves have since been prohibited (RFC 6176 and RFC 7568) and only TLS should be enabled

Page 12: Location of SSL

Below the Application Layer
• IETF views it at the transport layer
• Protects all application exchanges
• Not limited to any single application: WWW transactions, e-mail, etc.
• Unlike IPsec, however, it is not transparent to the application: each application must be written or configured to open its connections through SSL/TLS

[Diagram: E-Mail and WWW running over SSL]

Page 13: SSL Operation

Browser & webserver software implement SSL
• User can be unaware

Page 14: SSL Operation

SSL ISS Process
• Two sides negotiate security parameters (protocol version and cipher suite)
• Webserver authenticates itself, by presenting its digital certificate and proving possession of the matching private key
• Browser may authenticate itself with a client certificate, but rarely does
• Browser generates a random secret, encrypts it with the webserver's public key and sends it; both sides derive the symmetric session keys from it (this RSA key transport was used through TLS 1.2; TLS 1.3 derives the keys from an ephemeral Diffie-Hellman exchange instead, so a later compromise of the server's private key cannot expose recorded sessions)
• Every message is then encrypted with a symmetric session key and carries a message authentication code (MAC) computed with a second session key; SSL does not add a digital signature to each message

Page 15: Importance of SSL

Supported by almost all browsers
• De facto standard for Internet application security

Problems
• Relatively limited security: it protects only the data in transit between browser and webserver
• Does not involve security on the merchant server
• Does not validate credit card numbers
• Viewed as an available but temporary approach to consumer security

Page 16: Other ISSs

SSL is merely an example integrated security system

Many other ISSs exist
• IPsec
• PPP and PPTP
• Etc.

Page 17: Other ISSs

All ISSs have the same general steps
• Negotiate security parameters
• Authenticate the partners
• Exchange a session key
• Communicate with message-by-message privacy, authentication, and message integrity
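Pages 10, 14 and 17 describe the same four steps. As an added example that is not part of the original slides, the Python below carries the exchange through as the two sides' messages: negotiation of a security method, authentication, session key derivation, and message-by-message authentication with replay protection. Because the standard library has no X.509 or RSA support, authentication uses a pre-shared key in the manner of TLS-PSK (RFC 4279), each side proving knowledge of the key by a MAC over the whole handshake transcript, in place of the certificate-based server authentication of page 14; key derivation uses HKDF (RFC 5869). The suite names, the pre-shared key and the application message are constructed. Per-record encryption is left out so that the example stays within the standard library; a real ISS also encrypts each record.

```python
"""Added example (not from the slides): the four ISS steps as the two sides' messages.
Negotiation picks a suite; authentication is TLS-PSK style (RFC 4279): each side proves
knowledge of the pre-shared key with a MAC over the handshake transcript; session keys
come from HKDF (RFC 5869); every record carries a sequence number and an HMAC.
Per-record encryption is omitted here; a real ISS also encrypts each record."""
import hashlib, hmac, secrets, struct

SERVER_PREFERENCE = ["hmac-sha512", "hmac-sha256"]   # strongest first; no legacy suites at all
HASHES = {"hmac-sha512": hashlib.sha512, "hmac-sha256": hashlib.sha256}

def hkdf(salt, ikm, info, length):
    """RFC 5869 extract-then-expand with SHA-256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, t, i = b"", b"", 1
    while len(okm) < length:
        t = hmac.new(prk, t + info + bytes([i]), hashlib.sha256).digest()
        okm, i = okm + t, i + 1
    return okm[:length]

def negotiate(client_offer):
    """Step 1: the server's most preferred suite that the client also offered."""
    common = [s for s in SERVER_PREFERENCE if s in client_offer]
    if not common:
        raise ValueError("no mutually supported security method")
    return common[0]

def authenticator(psk, role, ch, sh):
    """Step 2: proof of the PSK bound to the whole transcript (offer, nonces, chosen suite)."""
    transcript = b"|".join([",".join(ch["offer"]).encode(), ch["nonce"], sh["suite"].encode(), sh["nonce"]])
    return hmac.new(psk, role + b" finished|" + transcript, hashlib.sha256).digest()

def derive_keys(psk, ch, sh):
    """Step 3: one 32-byte key per direction from the PSK and both nonces."""
    okm = hkdf(ch["nonce"] + sh["nonce"], psk, sh["suite"].encode(), 64)
    return {"c2s": okm[:32], "s2c": okm[32:]}

def client_hello(offer):
    return {"offer": offer, "nonce": secrets.token_bytes(32)}

def server_hello(server_psk, ch):
    sh = {"suite": negotiate(ch["offer"]), "nonce": secrets.token_bytes(32)}
    sh["auth"] = authenticator(server_psk, b"server", ch, sh)
    return sh

def client_finish(client_psk, ch, sh):
    if not hmac.compare_digest(sh["auth"], authenticator(client_psk, b"server", ch, sh)):
        raise ValueError("server authentication failed")
    return derive_keys(client_psk, ch, sh), authenticator(client_psk, b"client", ch, sh)

def server_finish(server_psk, ch, sh, client_auth):
    if not hmac.compare_digest(client_auth, authenticator(server_psk, b"client", ch, sh)):
        raise ValueError("client authentication failed")
    return derive_keys(server_psk, ch, sh)

class ProtectedChannel:
    """Step 4: message-by-message authentication; the sequence number defeats replay and reordering."""
    def __init__(self, suite, send_key, recv_key):
        self.h, self.send_key, self.recv_key, self.send_seq, self.recv_seq = HASHES[suite], send_key, recv_key, 0, 0
    def protect(self, payload):
        hdr, self.send_seq = struct.pack("!Q", self.send_seq), self.send_seq + 1
        return hdr + payload + hmac.new(self.send_key, hdr + payload, self.h).digest()
    def unprotect(self, record):
        n = self.h().digest_size
        hdr, payload, tag = record[:8], record[8:-n], record[-n:]
        if not hmac.compare_digest(tag, hmac.new(self.recv_key, hdr + payload, self.h).digest()):
            raise ValueError("message authentication failed")
        if struct.unpack("!Q", hdr)[0] != self.recv_seq:
            raise ValueError("replayed or out-of-order record")
        self.recv_seq += 1
        return payload

def run_session(client_psk, server_psk, offer=("hmac-sha256", "hmac-md5")):
    """Full exchange; returns what the server received and whether a replayed record was refused."""
    ch = client_hello(list(offer))                            # client -> server
    sh = server_hello(server_psk, ch)                         # server -> client
    c_keys, client_auth = client_finish(client_psk, ch, sh)   # client -> server
    s_keys = server_finish(server_psk, ch, sh, client_auth)
    client = ProtectedChannel(sh["suite"], c_keys["c2s"], c_keys["s2c"])
    server = ProtectedChannel(sh["suite"], s_keys["s2c"], s_keys["c2s"])
    record = client.protect(b"GET /account HTTP/1.1")
    received = server.unprotect(record)
    try:
        server.unprotect(record)                              # attacker replays the same record
        replay_rejected = False
    except ValueError:
        replay_rejected = True
    return {"suite": sh["suite"], "received": received, "replay_rejected": replay_rejected}

def rejected(fn):
    try:
        fn()
    except ValueError:
        return True
    return False

def downgrade_attempt():
    """Attacker deletes the strongest suite from the offer in transit; the transcript MAC exposes it."""
    psk, ch = b"shared secret", client_hello(["hmac-sha512", "hmac-sha256"])
    client_finish(psk, ch, server_hello(psk, dict(ch, offer=["hmac-sha256"])))
```

Run `run_session(b"shared secret", b"shared secret")` for the normal case: the server picks hmac-sha256 (the weak hmac-md5 the client also offered is never chosen), the record arrives intact, and the replayed copy is refused. `rejected(lambda: run_session(b"shared secret", b"wrong"))` shows the authentication step failing when the two sides' keys differ, and `rejected(downgrade_attempt)` shows why the authenticators cover the client's original offer: an attacker who strips the strongest suite in transit changes the transcript, and the server's proof no longer verifies at the client.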