Chat with us, powered by LiveChat Analyze asymmetric and symmetric encryption. Evaluate the differences between the two of them and which one that you would determine is the most secure.?The writing assignment require - Writingforyou

Analyze asymmetric and symmetric encryption. Evaluate the differences between the two of them and which one that you would determine is the most secure.?The writing assignment require

Analyze asymmetric and symmetric encryption. Evaluate the differences between the two of them and which one that you would determine is the most secure. The writing assignment requires a minimum of two written pages to evaluate the history. You must use a minimum of three scholarly articles to complete the assignment. The assignment must be properly APA formatted with a separate title and reference page.  

Cryptography and Network Security:

Principles and Practice Eighth Edition

Chapter 17

Transport-Level Security

Copyright © 2020 Pearson Education, Inc. All Rights Reserved.

Copyright © 2020 Pearson Education, Inc. All Rights Reserved.

Web Security Considerations (1 of 2)

• The World Wide Web is fundamentally a client/server

application running over the Internet and TCP/IP intranets

• The following characteristics of Web usage suggest the

need for tailored security tools:

– Web servers are relatively easy to configure and

manage

– Web content is increasingly easy to develop

– The underlying software is extraordinarily complex

▪ May hide many potential security flaws

Copyright © 2020 Pearson Education, Inc. All Rights Reserved.

Web Security Considerations (2 of 2)

– A Web server can be exploited as a launching pad into

the corporation’s or agency’s entire computer complex

– Casual and untrained (in security matters) users are

common clients for Web-based services

▪ Such users are not necessarily aware of the security

risks that exist and do not have the tools or

knowledge to take effective countermeasures

Copyright © 2020 Pearson Education, Inc. All Rights Reserved.

Table 17.1 A Comparison of Threats

on the Web

Blank Threats Consequences Countermeasures

Integrity • Modification of user data

• Trojan horse browser

• Modification of memory

• Modification of message

traffic in transit

• Loss of information

• Compromise of machine

• Vulnerability to all other

threats

Cryptographic

checksums

Confidentiality • Eavesdropping on the net

• Theft of info from server

• Theft of data from client

• Info about network

configuration

• Info about which client talks

to server

• Loss of information

• Loss of privacy

Encryption, Web

proxies

Denial of

Service

• Killing of user threads

• Flooding machine with bogus

requests

• Filling up disk or memory

• Isolating machine by DNS

attacks

• Disruptive

• Annoying

• Prevent user from getting

work done

Difficult to prevent

Authentication • Impersonation of legitimate

users

• Data forgery

• Misrepresentation of user

• Belief that false information

is valid

Cryptographic

techniques

Copyright © 2020 Pearson Education, Inc. All Rights Reserved.

Figure 17.1 Relative Location of

Security Facilities in the TCP/IP

Protocol Stack

Copyright © 2020 Pearson Education, Inc. All Rights Reserved.

Transport Layer Security (TLS)

• One of the most widely used security services

• Defined in RFC 5246

• Is an Internet standard that evolved from a commercial protocol known

as Secure Sockets Layer (SSL)

• Is a general purpose service implemented as a set of protocols that

rely on TCP

• Could be provided as part of the underlying protocol suite and

therefore be transparent to applications

• Can be embedded in specific packages

• Most browsers come equipped with TLS, and most Web servers have

implemented the protocol

Copyright © 2020 Pearson Education, Inc. All Rights Reserved.

Figure 17.2 TLS Protocol Stack

Copyright © 2020 Pearson Education, Inc. All Rights Reserved.

TLS Architecture

• Two important TLS concepts are:

• TLS connection

– A transport that provides a suitable type of service

– For TLS such connections are peer-to-peer relationships

– Connections are transient

– Every connection is associated with one session

• TLS session

– An association between a client and a server

– Created by the Handshake Protocol

– Define a set of cryptographic security parameters which can be

shared among multiple connections

– Are used to avoid the expensive negotiation of new security

parameters for each connection

Copyright © 2020 Pearson Education, Inc. All Rights Reserved.

A session state is defined by the following

parameters:

• Session identifier

– An arbitrary byte sequence chosen by the server to identify an active or

resumable session state

• Peer certificate

– An X509.v3 certificate of the peer; this element of the state may be null

• Compression method

– The algorithm used to compress data prior to encryption

• Cipher spec

– Specifies the bulk data encryption algorithm and a hash algorithm used

for MAC calculation; also defines cryptographic attributes such as the

hash_size • Master secret

– 48-byte secret shared between the client and the server • Is resumable

– A flag indicating whether the session can be used to initiate new connections

Copyright © 2020 Pearson Education, Inc. All Rights Reserved.

A connection state is defined by the

following parameters: (1 of 2)

• Server and client random

– Byte sequences that are chosen by the server and client for each

connection

• Server write MAC secret

– The secret key used in MAC operations on data sent by the server

• Client write MAC secret

– The secret key used in MAC operations on data sent by the client

• Server write key

– The secret encryption key for data encrypted by the server and

decrypted by the client

• Client write key

– The symmetric encryption key for data encrypted by the client and

decrypted by the server

Copyright © 2020 Pearson Education, Inc. All Rights Reserved.

A connection state is defined by the

following parameters: (2 of 2)

• Initialization vectors

– When a block cipher in CBC mode is used, an initialization vector

(IV) is maintained for each key

– This field is first initialized by the TLS Handshake Protocol

– The final ciphertext block from each record is preserved for use as

the IV with the following record

• Sequence numbers

– Each party maintains separate sequence numbers for transmitted

and received messages for each connection

– When a party sends or receives a change cipher spec message,

the appropriate sequence number is set to zero

– Sequence numbers may not exceed 264 – 1

Copyright © 2020 Pearson Education, Inc. All Rights Reserved.

TLS Record Protocol

• The TLS Record Protocol provides two services for TLS

connections

– Confidentiality

▪ The Handshake Protocol defines a shared secret

key that is used for conventional encryption of TLS

payloads

– Message Integrity

▪ The Handshake Protocol also defines a shared

secret key that is used to form a message

authentication code (MAC)

Copyright © 2020 Pearson Education, Inc. All Rights Reserved.

Figure 17.3 TLS Record Protocol

Operation

Copyright © 2020 Pearson Education, Inc. All Rights Reserved.

Figure 17.4 TLS Record Format

Copyright © 2020 Pearson Education, Inc. All Rights Reserved.

Figure 17.5 TLS Record Protocol

Payload

Copyright © 2020 Pearson Education, Inc. All Rights Reserved.

Table 17.2 TLS Handshake Protocol

Message Types

Message Type Parameters

hello_request null

client_hello version, random, session id, cipher suite,

compression method

server_hello version, random, session id, cipher suite,

compression method

certificate chain of X.509v3 certificates

server_key_exchange parameters, signature

certificate_request type, authorities

server_done null

certificate_verify signature

client_key_exchange parameters, signature

finished hash value

Copyright © 2020 Pearson Education, Inc. All Rights Reserved.

Figure 17.6 Handshake Protocol Action

Copyright © 2020 Pearson Education, Inc. All Rights Reserved.

Cryptographic Computations

• Two further items are of interest:

– The creation of a shared master secret by means of the

key exchange

▪ The shared master secret is a one-time 48-byte

value generated for this session by means of secure

key exchange

▪ The creation is in two stages

– First, a pre_master_secret is exchanged

– Second, the master_secret is calculated by both

parties

– The generation of cryptographic parameters from the

master secret

Copyright © 2020 Pearson Education, Inc. All Rights Reserved.

Generation of Cryptographic Parameters

• CipherSpecs require:

– A client write MAC secret

– A server write MAC secret

– A client write key

– A server write key

– A client write IV

– A server write IV

——Which are generated from the master secret in that

order

• These parameters are generated from the master secret

by hashing the master secret into a sequence of secure

bytes of sufficient length for all needed parameters

Copyright © 2020 Pearson Education, Inc. All Rights Reserved.

Figure 17.7 TLS Function P_hash (secret,

seed)

Copyright © 2020 Pearson Education, Inc. All Rights Reserved.

SSL/TLS Attacks

• The attacks can be grouped into four general categories:

– Attacks on the handshake protocol

– Attacks on the record and application data protocols

– Attacks on the PKI

– Other attacks

• The constant back-and-forth between threats and

countermeasures determines the evolution of Internet-

based protocols

Copyright © 2020 Pearson Education, Inc. All Rights Reserved.

TLSv1.3

• Primary aim is to improve the security of TLS

• Significant changes from version 1.2 are:

– TLSv1.3 removes support for a number of options and functions

▪ Deleted items include:

– Compression

– Ciphers that do not offer authenticated encryption

– Static RSA and DH key exchange

– 32-bit timestamp as part of the Random parameter in the

client_hello message

– Renegotiation

– Change Cipher Spec Protocol

– RC4

– Use of MD5 and SHA-224 hashes with signatures

– TLSv1.3 uses Diffie-Hellman or Elleptic Curve Diffie-Hellman for key

exchange and does not permit RSA

– TLSv1.3 allows for a “1 round trip time” handshake by changing the order

of message sent with establishing a secure connection

Copyright © 2020 Pearson Education, Inc. All Rights Reserved.

Hyper Text Transfer Protocol Secure

(HTTPS)

• The secure version of HTTP

• HTTPS encrypts all communications between the browser

and the website

• Data sent using HTTPS provides three important areas of

protection:

– Encryption

– Data integrity

– Authentication

Copyright © 2020 Pearson Education, Inc. All Rights Reserved.

Connection Initiation (1 of 2)

• For HTTPS, the agent acting as the HTTP client also acts

as the TLS client

– The client initiates a connection to the server on the

appropriate port and then sends the TLS ClientHello to

begin the TLS handshake

– When the TLS handshake has finished, the client may

then initiate the first HTTP request

– All HTTP data is to be sent as TLS application data

Copyright © 2020 Pearson Education, Inc. All Rights Reserved.

Connection Initiation (2 of 2)

• There are three levels of awareness of a connection in HTTPS:

– At the HTTP level, an HTTP client requests a connection to

an HTTP server by sending a connection request to the next

lowest layer

▪ Typically the next lowest layer is TCP, but is may also be

TLS/SSL

– At the level of TLS, a session is established between a TLS

client and a TLS server

▪ This session can support one or more connections at

any time

– A TLS request to establish a connection begins with the

establishment of a TCP connection between the TCP entity

on the client side and the TCP entity on the server side

Copyright © 2020 Pearson Education, Inc. All Rights Reserved.

Connection Closure

• An HTTP client or server can indicate the closing of a connection by

including the line Connection: close in an HTTP record

• The closure of an HTTPS connection requires that TLS close the

connection with the peer TLS entity on the remote side, which will

involve closing the underlying TCP connection

• TLS implementations must initiate an exchange of closure alerts

before closing a connection

– A TLS implementation may, after sending a closure alert, close the

connection without waiting for the peer to send its closure alert,

generating an “incomplete close”

• An unannounced TCP closure could be evidence of some sort of

attack so the HTTPS client should issue some sort of security warning

when this occurs

Copyright © 2020 Pearson Education, Inc. All Rights Reserved.

Secure Shell (SSH)

• A protocol for secure network communications designed to be

relatively simple and inexpensive to implement

• The initial version, SSH1 was focused on providing a secure remote

logon facility to replace TELNET and other remote logon schemes that

provided no security

• SSH also provides a more general client/server capability and can be

used for such network functions as file transfer and e-mail

• SSH2 fixes a number of security flaws in the original scheme and is

documented as a proposed standard in IETF RFCs 4250 through 4256

• SSH client and server applications are widely available for most

operating systems

– Has become the method of choice for remote login and X

tunneling

– Is rapidly becoming one of the most pervasive applications for

encryption technology outside of embedded systems

Copyright © 2020 Pearson Education, Inc. All Rights Reserved.

Figure 17.8 SSH Protocol Stack

Copyright © 2020 Pearson Education, Inc. All Rights Reserved.

Transport Layer Protocol

• Server authentication occurs at the transport layer, based on the

server possessing a public/private key pair

• A server may have multiple host keys using multiple different

asymmetric encryption algorithms

• Multiple hosts may share the same host key

• The server host key is used during key exchange to authenticate the

identity of the host

• RFC 4251 dictates two alternative trust models:

– The client has a local database that associates each host name

with the corresponding public host key

– The host name-to-key association is certified by a trusted

certification authority (CA); the client only knows the CA root key

and can verify the validity of all host keys certified by accepted

CAs

Copyright © 2020 Pearson Education, Inc. All Rights Reserved.

Figure 17.9 SSH Transport Layer

Protocol Packet Exchanges

Copyright © 2020 Pearson Education, Inc. All Rights Reserved.

Figure 17.10 SSH Transport Layer

Protocol Packet Formation

Copyright © 2020 Pearson Education, Inc. All Rights Reserved.

Table 17.3 SSH Transport Layer

Cryptographic Algorithms

Copyright © 2020 Pearson Education, Inc. All Rights Reserved.

Key Generation

• The keys used for encryption and MAC (and any needed

IVs) are generated from the shared secret key K, the hash

value from the key exchange H, and the session identifier,

which is equal to H unless there has been a subsequent

key exchange after the initial key exchange

Copyright © 2020 Pearson Education, Inc. All Rights Reserved.

User Authentication Protocol

• The User Authentication Protocol provides the means by

which the client is authenticated to the server

• Three types of messages are always used in the User

Authentication Protocol

• User name is the authorization identity the client is

claiming, service name is the facility to which the client is

requesting access, and method name is the authentication

method being used in this request

Copyright © 2020 Pearson Education, Inc. All Rights Reserved.

Message Exchange (1 of 2)

• The message exchange involves the following steps.

▪ The client sends a

SSH_MSG_USERAUTH_REQUEST with a

requested method of none

▪ The server checks to determine if the user name is

valid. If not, the server returns

SSH_MSG_USERAUTH_FAILURE with the partial

success value of false. If the user name is valid, the

server proceeds to step 3

▪ The server returns

SSH_MSG_USERAUTH_FAILURE with a list of one

or more authentication methods to be used

Copyright © 2020 Pearson Education, Inc. All Rights Reserved.

Message Exchange (2 of 2)

▪ The client selects one of the acceptable authentication

methods and sends a

SSH_MSG_USERAUTH_REQUEST with that method

name and the required method-specific fields. At this

point, there may be a sequence of exchanges to perform

the method

▪ If the authentication succeeds and more authentication

methods are required, the server proceeds to step 3,

using a partial success value of true. If the authentication

fails, the server proceeds to step 3, using a partial

success value of false

▪ When all required authentication methods succeed, the

server sends a SSH_MSG_USERAUTH_SUCCESS

message, and the Authentication Protocol is over

Copyright © 2020 Pearson Education, Inc. All Rights Reserved.

Authentication Methods

• Publickey

– The client sends a message to the server that contains the client’s public

key, with the message signed by the client’s private key

– When the server receives this message, it checks whether the supplied

key is acceptable for authentication and, if so, it checks whether the signature is correct

• Password

– The client sends a message containing a plaintext password, which is

protected by encryption by the Transport Layer Protocol

• Hostbased

– Authentication is performed on the client’s host rather than the client itself

– This method works by having the client send a signature created with the

private key of the client host

– Rather than directly verifying the user’s identity, the SSH server verifies

the identity of the client host

Copyright © 2020 Pearson Education, Inc. All Rights Reserved.

Connection Protocol

• The SSH Connection Protocol runs on top of the SSH Transport Layer

Protocol and assumes that a secure authentication connection is in

use

– The secure authentication connection, referred to as a tunnel, is

used by the Connection Protocol to multiplex a number of logical

channels

• Channel mechanism

– All types of communication using SSH are supported using

separate channels

– Either side may open a channel

– For each channel, each side associates a unique channel number

– Channels are flow controlled using a window mechanism

– No data may be sent to a channel until a message is received to

indicate that window space is available

– The life of a channel progresses through three stages: opening a

channel, data transfer, and closing a channel

Copyright © 2020 Pearson Education, Inc. All Rights Reserved.

Figure 17.11 Example of SSH

Connection Protocol Message

Exchange

Copyright © 2020 Pearson Education, Inc. All Rights Reserved.

Channel Types

Four channel types are recognized in the SSH Connection Protocol specification

• Session

– The remote execution of a program

– The program may be a shell, an application such as file transfer or e-mail,

a system command, or some built-in subsystem

– Once a session channel is opened, subsequent requests are used to start the remote program

• X11

– Refers to the X Window System, a computer software system and

network protocol that provides a graphical user interface (GUI) for networked computers

– X allows applications to run on a network server but to be displayed on a

desktop machine

• Forwarded-tcpip

– Remote port forwarding

• Direct-tcpip

– Local port forwarding

Copyright © 2020 Pearson Education, Inc. All Rights Reserved.

Port Forwarding

• One of the most useful features of SSH

• Provides the ability to convert any insecure TCP

connection into a secure SSH connection (also referred to

as SSH tunneling)

&#x202