International Workshop on Security Protocols - Report Example

College Security protocols The term security protocols refers to a sequence of operations that make sure data is protected. They ensure secure delivery of data between two parties when used with communication protocols. They are a package of components that work together. There are various types of security protocols which include SSL (secure sockets layer) and TLS (transport layer security). The following can be identified as the main components of security protocols: 1. Access Control. This is the component that authenticates the identity of the user. 2. Encryption Algorithm This is the component of the security protocol that contains a cryptography cipher together with the other various methods used to encrypt and decrypt the text. 3. Message Integrity This is the component of security protocols that ensures that the integrity of the information being transmitted does not get tampered with. 4. Key management This component creates, distributes the keys. Security sockets layer This is a standard technology for establishing a link between a server and a client. This could be typically a browser and a client or a mail client and a mail server. It is used for managing the transfer of data over the internet. It is commonly used in conjunction with the transfer layer protocol. It uses a layer located between the hypertext transfer protocol and the transfer control protocol. It is integrated in most browsers and has been used in most of the web server products. It allows sensitive information to be propagated securely. Data sent between web servers and browsers is normally sent in plain text, leaving the sender vulnerable to eavesdropping. This means that an attacker can be able to track the information being transmitted and use it for their own good. Protocols provide a description of how algorithms should be used. Being a security protocol, SSL determines the variables of the encryption to be used for both the link and the data being transmitted. This is a crucial protocol which secures over a billion of transactions every day to protect customers online especially when transmitting confidential information. Internet users associate their online security with the lock icon that often comes with a website secured using SSL or the green address bar that is found on the extended validation website secured using SSL. (CHRISTIANSON, 2011) One of best ways to determine the SSL secured sites is via the web address. SSL secured sites begin with https rather than http. All web browsers have the ability to be used to interact with SSL secured web servers. A SSL certificate is however needed for the server and the browser to be able to establish secure connectivity. SSL certificates exist in pairs and have two keys; a public and a private key. These keys work in tandem to ensure an encrypted connection. The certificate also contains the subject which is the identity of the website owner. One must make a certificate signing request on their server to be able to get a certificate. This request creates a private key and a data file that one sends to the SSL certificate giver. The certificate authority then uses the data file to make a public key to match the private key without having to compromise the key itself. This means that the certificate authority does not see the key. The public key is installed on the server that is hosting the website including the intermediary certificates establishing the credibility of the certificate by tying it to the root certificate of the certificate authority. The installation instructions depend on the server OS being used. How the SSL certificate creates a secure connection. The web server and the browser create a SSL connection whenever a browser attempts to access a website. This is established using a process called a SSL handshake. This process is invisible to the user and happens rapidly. The three keys are then used to establish the SSL connection i.e. private, public and the session keys. All data encrypted using the private key can be decrypted with the use of a private key. Encrypting and decrypting processes take a lot of processing power hence they are only used during the handshake to make the symmetric session key. The session is normally used to encrypt transmitted data after the connection is deemed secure. How SSL secures VPN The SSL creates a secure VPN by performing two tasks: 1. Only authorized users can establish a connection. Therefore some authentication is required from the user. An error is produced in case the authentication fails and the user is warned that a connection cannot be made lest proper authentication is provided. 2. All the data transmitted through the channel to the user and back is encrypted by the SSL. This is achieved through the use of encryption protocols. Advantages of SSL 1. It creates a trusted environment when conducted online business, the customers feel confident when buying. The customers can be able to identify a secure browser by using visual cues like the lock icon and bar. 2. SSL certificate keeps the users information confidential and cannot be seen by anyone even those using the same wireless. 3. The information is encrypted first before being sent over the internet. 4. It offers a private communication channel. Disadvantages of SSL 1. It makes the communication slower due the extra work done exchanging handshakes while encrypting and decrypting the messages. 2. It also increases network traffic three times the normal speed due to the disadvantage above. 3. The speed of the response time between the runtime server and agent requests is reduced largely depending on the agent platform. Proposal to curb disadvantages of SSL 1. One is to reduce the connections that a browser makes hence reduce the session handshakes that are made by using technologies like rocket loader. 2. One can also increase the OCR and OCSP speeds 3. OCSP stapling can also be rolled out so as the question whether the certificate is invalid to be sent from the server without making any more requests to the certificate authority infrastructure. 4. One needs to examine the type of data that you are sending and also look at the security strategies put in place in order to determine whether this level of security is needed. (Evans, 2001) Transport Layer Security. (TLS) These are set of rules for exchanging information over the internet for two computer users and is key to achieving confidentiality. It ensures that neither eavesdropping nor message alteration or interception takes place during the transmission of the message. The secure sockets layer is known to be the predecessor of the TLS. Two layers make up the TLS protocol, that is the handshake and the record protocol. A secure connection using the record protocol is ensured by using encryption mechanisms such as information encryption standard. Without encrypting, the record protocol is thus implemented. A transport protocol seen to be as reliable as TCP is layered beneath the TLS.By using the symmetric mechanism of data encryption, the connection is highly privatized. The handshake protocol enables both the server and the client to ensure the data is genuine and to also design the encryption algorithm along with cryptographic keys before the message is transmitted.(Christianson, 2009). Most protocols can operate either with or without the TLS presence, it is therefore necessary to indicate whether a connection is being made by the client or not. This is accomplished through the server. This is achieved by either using a separate digit for the connection or making use of the regular port number and having the server to switch the connection to TLS. The client does this using a special protocol mechanism. (International workshop on security protocols, 2004). Once the decision to use TLS has been reached, a statefull connection is made by the handshaking protocol. During this stage, the sender and the receiver agree on how they will ensure a secure connection during the period when they exchange information. use case representation of the TLS (Evans, 2001) Below is a series of steps necessary for the establishment of the connection: a) The client is required to send the receiver every prior data needed for communication to happen with the server. b) The server on the other hand is needed to send every data needed for communication to happen using the layer of sockets security. The server sends its own certificate also. c) Using the information received, the server is able to be authenticated by the client. If there is a failure in the authentication, then the client is alarmed that a proper connection can neither be encrypted nor authenticated. (Thomas, 2000) d) The client thereafter designs a premaster for that session and then encrypts the premaster with the server’s public key. The encrypted premaster key is transmitted to the server. e) Should the server opt for client authentication, a piece of data unique to the handshake protocol confirmed by the client and server is signed by the client. f) In the case that client authentication is unsuccessful, the session is halted hence using the private key the server is forced to decrypt the pre-master secret. The server thereafter performs a series of steps so as to generate a master secret. g) The client and the server use the master keys to generate the session keys. The session keys are symmetric and are used to decrypt and encrypt information being transmitted in the SSL session. h) The server receives a message from the client informing it that in future message encryption from the client will be performed using the session key. Thereafter a separate message to indicate the completion of the client handshake is sent. (Frahim and huang, 2008) Since the handshakes have been finalized, the session begins. The client and the server both use the session keys to encrypt and decrypt data exchanged between them and for the confirmation of its integrity. (Frankel, 2008) This needs to be done for a secure channel’s normal operation. The process can recur in the presence of external and or internal causes which renegotiate the connection by either sides. The handshake protocol is concluded and there starts a secure connection that uses the key mechanism to encrypt and decrypt information throughout the session. (Bella, 2007) Upon failure of these series of steps, the TLS handshake protocol is unsuccessful and hence the connection does not happen. How VPN is secured by TLS. Virtual Private Network is secured by TLS by: 1. Preventing the downgrading of the designed protocol to a prior less secure form. 2. Having the adjacent application files sequentially numbered and using the digits at the data Authenticating code. 3. Making use of the key enhanced message digest. 4. The message concluding the handshake has to send a hash of each and every message interchanged and viewed by the two parties. 5. Data input is symmetrically split by a pseudorandom function and both are processed using separate hashing algorithm. (Oppliger, 2009) TLS advantages The three main advantages are: 1. Authenticity of the peers’ identity can be done using asymmetric, cryptography or public keys. This makes sure that encrypted data is transmitted securely in conjunction with a naming certificate that allows validation of the consistency between the DNS and the IP address records. The content is protected from interception when en route between clients by the negotiation exchange hence the content cannot be altered in transit. Either party can easily detect violation if so arises. 2. TLS deployment is relatively simple and well understood. 3. TLS applies to both the a message and its attachments (Rescorla, 2001) Disadvantages of TLS 1. The protocol is normally tightly coupled with the transport layer procedure. 2. To implementation of secure connections, the security shows an all to nothing approach. This indicates that it is completely oblivious of the information sent and hence not able to apply security to portions of the message as you can with message layer security. 3. Message protection is normally transient that is, it’s only secured when in transit hence when the message reaches the recipient, protection is withdrawn. 4. It is not and an end to end solution simply a point to point. 5. It can’t quickly adapt to scalability more so for specific transactions where the arrangement of the session is highly important. 6. A particular hardware is needed to handle a vast number of connections since it is an issue to have transmission through TSL in a short time period. 7. The whole process is required to last only for a short period and is therefore uneconomical for smaller transactions 8. Protection is required to be implemented at the same period as the content is being delivered. (Davies, 2011) Suggestion to the above disadvantages 1. During situations where connections are abound, handle them using a special hardware. 2. Use zix-corp addresses which completely remove major loopholes of the TLS. 3. When the disadvantages outnumber the benefits, SSL should be preferably used. This could be achieved by establishing an analysis of the requirements and needs of the network before coming to a close on the best problem solution at that time References INTERNATIONAL WORKSHOP ON SECURITY PROTOCOLS, & CHRISTIANSON, B. (2011). Security protocols. Berlin, Springer. BRUCE CHRISTIANSON. (2009). Security Protocols. S .l, Springer Berlin / Heidelberg INTERNATIONAL WORKSHOP ON SECURITY PROTOCOLS. (2004). Security protocols 10th international workshop, Cambridge, UK, April 17-19, 2002 : revised papers. Berlin, Springer. THOMAS, S. A. (2000). SSL & TLS essentials: securing the Web. New York, Wiley. FRAHIM, J., & HUANG, Q. (2008). SSL and Remote Access VPNs: an introduction to designing and configuring SSL virtual private networks. Indianapolis, IN, Cisco Systems. FRANKEL, S. (2008). Guide to SSL VPNs recommendations of the National Institute of Standards and Technology. Gaithersburg, MD, U.S. Dept. of Commerce, National Institute of Standards and Technology. http://purl.access.gpo.gov/GPO/LPS96637. DAVIES, J. D. (2011). Implementing SSL. Indianapolis, Ind, Wiley Pub., Inc. OPPLIGER, R. (2009). SSL and TLS theory and practice. Boston, Artech House. http://search.ebscohost.com/login.aspx?direct=true&scope=site&db=nlebk&db=nlabk&AN=305447. RESCORLA, E. (2001). SSL and TLS: designing and building secure systems. Boston, Addison-Wesley. BELLA, G. (2007). Formal correctness of security protocols. Berlin, Springer. http://dx.doi.org/10.1007/978-3-540-68136-6. Read More