Features of Transport Layer Security (TLS)

Features of Trans expression class gage (TLS)TRANSPORT work SECURITYTLS is a successor to Secure Sockets horizontal surface communications communications communications communications communications communications protocol. TLS admits secure dialogue theory on the vane for lots(prenominal)(prenominal) things as e institutionalise, meshing faxing, and distinguishable selective education f bes. There ar slight differences betwixt SSL 3.0 and TLS 1.0, however the protocol system signifi nookietly the same. It is unplayful idea to keep in mind that TLS resides on the Application social class of the OSI model. This entrust save you a lot of frustrations mend debugging and troubleshooting codeion troubles committed to TLS.TLS FeaturesTLS is a generic natural c alone e genuinelyplaceing form warrantor protocol that runs all everyplace reliable rapture. It take into accounts a secure communication channel to application broadcast protocol nodes. Th is channel has three primary gage featuresAuthentication of the horde.Confidentiality of the communication channel. essence fairness of the communication channel.Optionally TLS advise too provide credential of the knob. In general, TLS authentication maps piece of music tell apart base digital tactual sensations backed by auspices measures. Thus, the server attests either(prenominal) by decrypting a indivi treble(a) encrypted under his familiar key or by signing an passing(a) public key.The guest authenticates by signing a haphazard challenge. emcee credentials typically stop everywhere the servers dobriny name. Client certificates butt joint brinytain capricious identities.The shingle communications protocolsThe TLS handclasp protocol takes the server and node to authenticate apiece contrastive(a) and to carry off an encryption algorithm and cryptographic keys in the beginning info is exchanged. In a typical scenario, only the server is aut henticated and its individualism is ensured while the client remains unauthenticated. The mutual authentication of the servers take ins public key deployment to clients.Provide security parameters to the platter layer.A Client channelizes a ClientHello content specifying the highest TLS protocol trans arrangeion it rewards, a random material body, a list of suggested zero entourages and compression method actings.The master of ceremonies responds with a emceeHello, containing the chosen protocol variation, a random crook, elaborate, and compression method from the choices offered by the client.The emcee calculates its pre displace (depending on the selected view, this whitethorn be omitted by the Server).The server may invite a certificate from the client, so that the friendship deal be mutually authenticated, development a Certificate Request.The Server sends a ServerHelloD mavin capacity, indicating it is d i with handshake negotiation.The Client responds wi th a ClientKeyExchange which may contain a PreMasterSecret, public key, or nonhing. (Again, this depends on the selected cipher).The handshake protocol provides a fig of security functions. Such as Authentication, Encryption, chop up Algorithms AuthenticationA certificate is a digital form of realization that is usually issued by a certification authority (CA) and contains identification instruction, a legality period, a public key, a serial bet, and the digital speck of the issuer. For authentication goals, the Handshake communications protocol uses an X.509 certificate to provide strong say to a uphold party that helps prove the identity of the party that holds the certificate and the corresponding reclusive key. EncryptionThere be devil main causas of encryption radiate key ( all overly cognise as Private Key) and unsymmetric key (also known as public key. TLS/SSL uses symmetric key for mint encryption and public key for authentication and key exchange. ha shish AlgorithmsA chopeesh is a superstar-way mapping of look upons to a smaller cut back of interpretive program values, so that the size of it of the resulting hash is smaller than the reliable message and the hash is unique to the overlord info. A hash is uniform to a fingermark a fingerprint is unique to the individual and is such(prenominal) smaller than the original person. Hashing is apply to establish entropy righteousness during head. dickens commonalty hash algorithms ar meaning Digest5 (MD5) produce 128-bit hash value and normal Hash Algorithm1 (SHA-1) produce 160-bit value.The channelize Cipher specThe Change Cipher Spec communications protocol signals a transition of the cipher suite to be use on the spliceion amidst the client and server. This protocol is composed of a single message which is encrypted and compressed with the current cipher suite. This message consists of a single byte with the value1. Message after this impart be encrypted a nd compressed utilise the refreshing(a) cipher suite.The AlertThe Alert protocol embroils flatt-driven alert messages that end be sent from either party. the session is either ended or the recipient is given the choice of whether or non to end the session. Schannel SSP will only generate these alert messages at the take of the application.The Record Layer/communications protocolThe TLS record protocol is a aboveboard framing layer with record coif as shown belowstruct ContentType oddball protocolVersion versionuint16 durationopaque payload continuance TLSRecordAs with TLS, entropy is carried in records. In both protocols, records toilette only be touch when the entire record is available.The Record Layer might have four functionsIt fragments the information culmination from the application into hu realizable blocks (and reassemble introduction data to pass up to the application). Schannel SSP does non donjon fragmentation at the Record Layer.It compresses the data and decompresses incoming data. Schannel SSP does non sup expression compression at the Record Layer.It applies a Message Authentication autograph (MAC), or hash/digest, to the data and uses the MAC to bank incoming data.It encrypts the hashed data and decrypts incoming data.Application ProtocolTLS runs on application protocol such as HTTP, FTP, SMTP, NNTP, and XMPP and above a reliable trans appearance protocol, transmission control protocol for example. bandage it house add security to any protocol that uses reliable connections (such as TCP), it is nigh commonly apply with HTTP to form HTTPS. HTTPS is utilise to secure orbit Wide Web pages for applications such as electronic commerce and addition cargon. These applications use public key certificates to verify the identity of endpoints.TSL/ SSL SecurityThe client may use the CAs public key to affirm the CAs digital signature on the server certificate. If the digital signature atomic number 50 be verified, the cli ent accepts the server certificate as a valid certificate issued by a trusted CA.The client verifies that the issuing Certificate Authority (CA) is on its list of trusted Cas.The client checks the servers certificate severeness period. The authentication parade stops if the current date and time pass off outside of the rigour period.IPSecIPSec acts at the ne cardinalrk layer, entertaining and authenticating IP softw atomic number 18 packages mingled with participating IPSec devices (peers), such as PIX Firewalls, lake herring routers, Cisco VPN 3000 Concentrators, Cisco VPN Clients, and other(a) IPSec-compliant products. IPSec is non choke to any unique(predicate) encryption or authentication algorithms, keying technology, or security algorithms. IPSec is a framework of open bills. Because it isnt bound to specific algorithms, IPSec allows rude(a)er and let out algorithms to be implemented without patching the existing IPSec standardizeds. IPSec provides data confide ntiality, data oneness, and data origin authentication between participating peers at the IP layer. IPSec is use to secure a path between a pair of gateways, a pair of arrays, or a gateway and a military. Some of the standard algorithms be as followsselective information Encryption pattern (DES) algorithmuse to encrypt and decrypt piece of land data.3DES algorithmin effect doubles encryption strength over 56-bit DES.Advanced Encryption Standard (AES)a newer cipher algorithm knowing to replace DES. Has a variable key continuance between 128 and 256 bits. Cisco is the first industry seller to implement AES on all its VPN-capable platforms.Message Digest 5 (MD5) algorithmUsed to authenticate packet data.Secure Hash Algorithm 1 (SHA-1)Used to authenticate packet data.Diffie-Hellman (DH)a public-key cryptography protocol that allows devil parties to establish a sh atomic number 18d secret key used by encryption and hash algorithms (for example, DES and MD5) over an insecure c ommunications channel.IPSec security operate provide four critical functionsConfidentiality (encryption)the sender can encrypt the packets before transfer them crosswise a mesh topology. By doing so, no oneness can listen in on the communication. If intercepted, the communications can non be read.Data integritythe receiver can verify that the data was transmitted done the earnings without cosmos changed or altered in any way.Origin authenticationthe receiver can authenticate the packets source, guaranteeing and certifying the source of the info.Anti-replay protectionAnti-replay protection verifies that all(prenominal) packet is unique, not duplicated. IPSec packets ar protected by comparing the while number of the authentic packets and a sliding window on the speech host, or security gateway. Late and duplicate packets argon useped.v How IPSec industrial plantThe goal of IPSec is to protect the desired data with the needed security services. IPSecs heroprogram can b e broken into five primary steps find interesting affairTraffic is deemed interesting when the VPN device recognizes that the traffic you indirect request to send inevitably to be protected.IKE stagecoach 1This basic set of security services protects all subsequent communications between the peers. IKE Phase 1 sets up a secure communications channel between peers.IKE Phase 2IKE negotiates IPSec security association (SA) parameters and sets up matching IPSec SAs in the peers. These security parameters are used to protect data and messages exchanged between endpoints.Data transferData is transferred between IPSec peers based on the IPSec parameters and keys stored in the SA database.IPSec delve releaseIPSec SAs terminate done deletion or by timing out.trade union movement 1(b)IPSecs advantage over TLSIt has more than plasticity on choosing the Authentication mechanisms ( akin the Pre dual-lane Key), and therefore makes it hard for the attacker to do man in the middle.TLS is based only on Public key and with apparatuss, its devolve-at-able to do man in the Middle breaking TLS. Going one step smoothen the OSI messiness, IP Security (IPSec) guarantees the data privacy and integrity of IP packets, disregardless of how the application used the sockets. This means any application, as long as it uses IP to send data, will benefit from the primal secure IP profit. Nothing has to be re pen or limited it even is possible that exploiters fashion be aware their data is cosmos subroutineed through encrypting devices. This radical is the to the highest degree transparent one for end drug users and the one most apparent to be espouse in the future in the dewy-eyedst range of situations. The main drawback of IPSsec lies in its intrinsic infrastructural complexity, which demands several components to work properly. IPSec deployment must(prenominal) be think and carried out by meshwork administrators, and it is less likely to be adopted directly b y end users.TLSs advantage over IPSecThe advantage of TLS over generic application-level security mechanisms is the application no eight-day has the burden of encrypting user data. Using a special(prenominal) socket and API, the communication is secured. The enigma with TLS is an application deprivation to exploit its functionality must be written explicitly in position to do so (see Resources). Existing applications, which constitute the mass of data producers on the internet, cannot take advantage of the encryption facilities provided by TLS without being rewritten. Think of the common applications we use everyday get by clients, web browsers on sites without HTTPS, IRC channels, peer-to-peer file share-out systems and so on. Also, most network services (such as carry relays, DNS servers, routing protocols) before long run over plain sockets, exchanging vital information as evanesce text and only seldomly adopting application-level counter-measures (mostly integrity ch ecks, such as MD5 sums).IGMPIGMP is a protocol used by IP hosts, and adjacent multicast network devices to identify their memberships. If they are part of the same multicast conclave they communicate with to each one other. ICMP communicates 1 to 1.IGMP communicates 1 to many.Establish Multicast meetingWe describe a distributed calculator computer computer computer architecture for managing multicast wordses in the orbicular net income. A multicast shout out space partitioning scheme is proposed, based on the Unicast host computer words and a per-host turn focussing entity. By noting that port numbers are an integral part of lengthwise multicast squalling we present a single, unified solution to the two problems of dynamic multicast address charge and port resolution. We then present a framework for the valuation of multicast address direction schemes, and use it to compare our design with three onslaughtes, as salubrious as a random allocation strategy. The cr iteria used for the military rank are blocking hazard and dead body, address acquisition clog, the load on address attention entities, robustness against failures, and processing and communications overhead. With the distributed scheme the prob might of blocking for address acquisition is reduced by several severalizes of magnitude, to peanut levels, while congruity is maintained. At the same time, the address acquisition delay is reduced to a minimum by serving the request within the host itself. It is also shown that the scheme generates untold less swear traffic, is more robust against failures, and puts much less load on address management entities as compared with the other three schemes. The random allocation strategy is shown to be attractive generally due to its simplicity, although it does have several drawbacks stemming from its lack of consistency (addresses may be allocated more than once)The Routing and Remote Access administrative cock is used to modify r outing on a Windows 2000 server that is multihomed (has more than one network card). Windows 2000 schoolmaster cannot be a router. The Routing and Remote Access administrative tool or the route command line utility can be used to con a static router and add a routing delay. A routing remand is lookd for static routing. high-octane routing does not require a routing table since the table is built by software. Dynamic routing does require additional protocols to be installed on the computer. When using the Routing and Remote Access tool, the followers information is entered porthole Specify the network card that the route applies to which is where the packets will come from.refinement Specify the network address that the packets are breathing out to such as 192.168.1.0. profit Mask The subnet mask of the cultivation network. admittance The IP address of the network card on the network that is cond to forth the packets such as 192.168.1.1.Metric The number of routers that packets must pass through to reach the intend network. If there are more than 1, the Gateway address will not match the network address of the destination network.Dynamic RoutingWindows 2000 Server supports Network Address Translation (NAT) and DHCP relay agent. Three Windows 2000 support Dynamic routing protocols areRouting Information Protocol (RIP) version 2 for IPOpen Shortest be active guidebook First (OSPF) net income Group Management Protocol (IGMP) version 2 with router or proxy support.The Routing and Remote Access tool is used to install, con, and superintend these protocols and routing functions. After any of these dynamic routing protocols are installed, they must be cond to use one or more routing user interfaces.Protocol supreme Multicast (PIM)This document describes an architecture for economically routing to multicast assorts that may span full-area (and inter-domain) meshs. We refer to the come on as Protocol Independent Multicast (PIM) because it is not dependent on any particular unicast routing protocol.The most significant innovation in this architecture is the streamlined support of sparse, wide area themes. This sparse mode (SM) of operation complements the handed-down duncical-mode approach to multicast routing for campus networks, as expanded by Deering 23 and implemented previously in MOSPF and DVMRP 45. These traditionalistic obtuse mode multicast schemes were intended for use within regions where a group is wide represented or bandwidth is universally plentiful. However, when group members, and senders to those group members, are distributed sparsely across a wide area, these schemes are not high-octane data packets (in the grimace of DVMRP) or membership report information (in the case of MOSPF) are occasionally sent over many cerebrate that do not lead to receivers or senders, respectively. The purpose of this work is to bob up a multicast routing architecture that efficiently establishes distribution trees e ven when good-nigh or all members are sparsely distributed. Efficiency is evaluated in terms of the state, curb message, and data packet overhead required across the entire network in enact to deliver data packets to the members of the group.The Protocol Independent Multicast (PIM) architecturemaintains the traditional IP multicast service model of receiver-initiated membershipcan be cond to adapt to different multicast group and network characteristicsis not dependent on a specific unicast routing protocoluses soft-state mechanisms to adapt to underlying network conditions and group dynamics.The robustness, flexibility, and scaling properties of this architecture make it well suitable to large disparate inter-networks.This document describes an architecture for efficiently routing to multicast groups that may span wide-area (and inter-domain) internets. We refer to the approach as Protocol Independent Multicast (PIM) because it is not dependent on any particular unicast routin g protocol. The most significant innovation in this architecture is the efficient support of sparse, wide area groups. This sparse mode (SM) of operation complements the traditional dense-mode approach to multicast routing for campus networks, as developed by Deering 23 and implemented previously in MOSPF and DVMRP 45. These traditional dense mode multicast schemes were intended for use within regions where a group is wide represented or bandwidth is universally plentiful. However, when group members, and senders to those group members, are distributed sparsely across a wide area, these schemes are not efficient data packets (in the case of DVMRP) or membership report information (in the case of MOSPF) are occasionally sent over many cogitate that do not lead to receivers or senders, respectively. The purpose of this work is to develop a multicast routing architecture that efficiently establishes distribution trees even when roughly or all members are sparsely distributed. Effici ency is evaluated in terms of the state, control message, and data packet overhead required across the entire network in order to deliver data packets to the members of the group.A user of an internet- attached pc, Adam send an netmail message to another internet connected pc user beryl.1. Outlinethe function of four internet host that would usually be touch on be involved in this task.. 1. Adams Computer 2. Server of Adams net income serving provider 3. Server of Beryls Internet military service Provider4. Beryls Computer .This program allows you to build and deal with a large mail list, and to create modified messages from pre delimit templates while sending. It lets you define multiple independent SMTP server connections and will give the latest in multithreading technology, to send electronic mails to you as disruptive as it is possible. You can use all the standard message formats like plain text, hypertext markup language or even create a full content message in t he Microsoft mental capacity Express and export it into the program. The interface of the program is very simple and easy to learn nearly all functions can be performed using hotkeys on the keyboard.E-mail is a suppuration source of an enterprises records and demand to be treated as any written memo, letter or report has been treated. The information in e-mail has the emf to add to the enterprises noesis assets, from interactions with the users or customers in the enterprise to interactions with colleagues overseas.2. List the internet protocol which would be used in this task.Internet Protocol (IP) is packet-based protocol that allows dissimilar hosts to connect to each other for the purpose of delivering data across the resulting networks. Applications combine IP with a higher- level protocol calledTransport carry Protocol (TCP), which establishes a virtual connection between a destination and a source. IP by itself is something like the postal system. It allows you to addr ess a package and drop it in the system, but theres no direct link up between you and the recipient.. 1. HTTP 2. IMAP(Version 4) 3.SMTP 4. surface (Version 3) .HTTP(Hyper-Text transport Protocol) is the underlying protocol used by the public Wide Web. HTTP defines how messages are formatted and transmitted, and what actions Web servers and browsers should take in response to different commands. HTTP/1.0, as defined by RFC 1945 6, improved the protocol by allowing messages to be in the format of mimer-like messages, containing meta information about the data transferred and modifiers on the request/response semantics.IMAP4(Internet Message Access Protocol) A mail protocol that provides management of received messages on a remote server. The user can revue heads, create or delete folders/ call boxes and messages, and search contents remotely without downloading. It includes more functions than the similar POP protocol.POP3(Post Office Protocol 3) is the most recent version of a standard protocol for receiving e-mail. POP3 is a client/server protocol in which e-mail is received and held for you by your Internet server. Periodically, you (or your client e-mail receiver) check your mail-box on the server and download any mail, probably using POP3. This standard protocol is built into mostpopular e-mail products, such as Eudora and Outlook Express. Its also built into the Netscape and Microsoft Internet Explorer browsers. POP3 is designed to delete mail on the server as soon as the user has downloaded it. However, some implementations allow users or an administrator to specify that mail be relieve for some period of time. POP can be thought of as a store-and-forward service.SMTP( impartial get out Transfer Protocol) is a TCP/IP protocol used in sending and receiving e-mail. However, since it is limited in its ability to get hold messages at the receiving end, it is usually used with one of two other protocols, POP3 or IMAP, that let the user save messages in a server mailbox and download them periodically from the server. In other words, users typically use a program that uses SMTP for sending e-mail and either POP3 or IMAP for receiving e-mail. On Unix-based systems, send mail is the most widely-used SMTP server for e-mail. A commercial-grade package, Send mail, includes a POP3 server. Microsoft Exchange includes an SMTP server and can also be set up to include POP3 support. SMTP usually is implemented to operate over Internet port 25. An alternative to SMTP that is widely used in europium is X.400. Many mail servers now support Extended Simple Mail Transfer Protocol (ESMTP), which allows multimedia files to be delivered as e-mail.3. Taking the case that the message include the text please find attached snarf and 1. as well as in MS-Word format and an attachment in jpeg, list format of the send mail messages... 1. MIME ..MIME(Multi-Purpose Internet Mail Extensions) is an continuation of the original Internet e-mail protocol that lets pile use the protocol to exchangedifferent kinds of data files on the Internet audio, video, images, application programs, and other kinds, as well as the ASCII text handled in the original protocol, the Simple Mail Transport Protocol (SMTP). In 1991, Nathan Borenstein of Bellcore proposed to the IETF that SMTP be extended so that Internet (but mainly Web) clients and servers could recognize and handle other kinds of data than ASCII text. As a result, new file geeks were added to mail as a support Internet Protocol file type.Servers insert the MIME read/write head at the beginning of any Web transmission. Clients use this header to select an give up player application for the type of data the header indicates. Some of these players are built into the Web client or browser (for example, all browsers come with GIF and JPEG image players as well as the ability to handle hypertext markup language files).4. How would received message differ the sent messages?The email address t hat receives messages sent from users who click reply in their email clients. raft differ from the fromaddress which can be an automated or unmonitored email address used only to send messages to a distribution list. Reply-to should unendingly be a monitored address.IPv4 Internet Protocol (Version 4)The Internet Protocol (IP) is a network-layer (Layer 3) protocol in the OSI model that contains addressing information and some control information to enable packets being routed in network. IP is the primary network-layer protocol in the TCP/IP protocol suite. Along with the Transmission Control Protocol (TCP), IP represents the core group of the Internet protocols. IP is equally well suited for both local area network and WAN communications.IP (Internet Protocol) has two primary responsibilities providing connectionless, topper-effort spoken language of datagrams through a network and providing fragmentation and reassembly of datagrams to support data links with different maximum-t ransmission unit (MTU) sizes. The IP addressing scheme is integral to the process of routing IP datagrams through an internetwork. Each IP address has specific components and follows a basic format. These IP addresses can be subdivided and used to create addresses for sub networks. Each computer (known as host) on a TCP/IP network is depute a unique logical address (32-bit in IPv4) that is divided into two main parts the network number and the host number. The network number identifies a network and must be designate by the Internet Network Information Center (InterNIC) if the network is to be part of the Internet. An Internet Service Provider (ISP) can obtain blocks of network addresses from the InterNIC and can itself qualify address space as necessary. The host number identifies a host on a network and is assigned by the local network administrator.IPv6 (IPng) Internet Protocol version 6IPv6 is the new version of Internet Protocol (IP) based on IPv4, a network-layer (Layer 3) protocol that contains addressing information and some control information enabling packets to be routed in the network. There are two basic IP versions IPv4 and IPv6. IPv6 is also called bordering generation IP or IPng. IPv4 and IPv6 are de-multiplexed at the media layer. For example, IPv6 packets are carried over Ethernet with the content type 86DD ( hex) instead of IPv4s 0800. The IPv4 is described in stop documents.IPv6 increases the IP address size from 32 bits to 128 bits, to support more levels of addressing hierarchy, a much great number of addressable nodes, and simpler auto-configuration of addresses. IPv6 addresses are expressed in hexadecimal format (base 16) which allows not only numerals (0-9) but a few characters as well (a-f). A sample ipv6 address looks like 3ffe ffff 100f101210a4fffee39566. Scalability of multicast addresses is introduced. A new type of address called an any cast address is also defined, to send a packet to any one of a group of nodes. Two majo r improvements in IPv6 vs. v4* Improved support for extensions and options IPv6 options are set(p) in separate headers that are located between the IPv6 header and the transport layer header. Changes in the way IP header options are encoded to allow more efficient forwarding, less stringent limits on the length of options, and greater flexibility for introducing new options in the future. Flow labeling capability A new capability has been added to enable the labeling of packets belonging to particular traffic flows for which the sender requests special handling, such as non-default Quality of Service or real-time service. affinity between IPv6 with IPv4Data structure of IPv6 has modified as followsHeader length palm rear in IPv4 is removed in IPv6.Type of Service field effectuate in IPv4 has been replaced with Priority field in IPv6. quantify to live field found in IPv4 has been replaced with Hop Limit in IPv6.Total duration field has been replaced with Payload Length fieldProt ocol field has been replaced with conterminous Header fieldSource Address and stopping point Address has been increase from 32-bits to 128-bits.Major Similarities IPv6 with IPv4 two protocols provide loopback addresses. IPv6 multicast achieves the same purpose that IPv4 broadcast does. both allow the user to determine datagram size, and the maximum number of hops before termination. Both provide connectionless delivery service (datagrams routed independently). Both are best effort datagram delivery services.Major Differences between IPv6 with IPv4IPv6 host to IPv6 host routing via IPv4 network Here, IPv6 over IPv4 tunneling is required to send a datagram. IPv6 packets are encapsulated within IPv4 packets, allowing travel over IPv4 routing infrastructures to reach an IPv6 host on the other side of the .IPv6 over IPv4 tunnel. The two different types of tunneling are automatic and cond. For a cond tunnel, the IPv6 to IPv4 mappings, at tunnel endpoints, have to be manually specified. Automatic tunneling eases tunneling, but nullifies the advantages of using the 128-bit address space.IPv6 host to IPv4 host and vice versa The device that converts IPv6 packets to IPv4 packets (a dual IP stack/ dual stack router) allows a host to glide path both IPv4 and IPv6 resources for communication. A dual IP stack routes as well as converts between IPv4 and IPv6 datagramsICMP IPv6 enhances ICMP with ICMPv6. The messages are grouped as informational and error. An ICMPv6 message can contain much more information. The rules for message handling are stricter. ICMPv6 uses the neighbour Discovery Protocol. new-made messages have been added also.Absence of ARP RARPFeatures of Transport Layer Security (TLS)Features of Transport Layer Security (TLS)TRANSPORT LAYER SECURITYTLS is a successor to Secure Sockets Layer protocol. TLS provides secure communications on the Internet for such things as e-mail, Internet faxing, and other data transfers. There are slight differences between SS L 3.0 and TLS 1.0, but the protocol remains significantly the same. It is good idea to keep in mind that TLS resides on the Application Layer of the OSI model. This will save you a lot of frustrations while debugging and troubleshooting encryption troubles connected to TLS.TLS FeaturesTLS is a generic application layer security protocol that runs over reliable transport. It provides a secure channel to application protocol clients. This channel has three primary security featuresAuthentication of the server.Confidentiality of the communication channel.Message integrity of the communication channel.Optionally TLS can also provide authentication of the client. In general, TLS authentication uses public key based digital signatures backed by certificates. Thus, the server authenticates either by decrypting a secret encrypted under his public key or by signing an ephemeral public key.The client authenticates by signing a random challenge. Server certificates typically contain the server s domain name. Client certificates can contain arbitrary identities.The Handshake ProtocolsThe TLS Handshake Protocol allows the server and client to authenticate each other and to negotiate an encryption algorithm and cryptographic keys before data is exchanged. In a typical scenario, only the server is authenticated and its identity is ensured while the client remains unauthenticated. The mutual authentication of the servers requires public key deployment to clients.Provide security parameters to the record layer.A Client sends a ClientHello message specifying the highest TLS protocol version it supports, a random number, a list of suggested cipher suites and compression methods.The Server responds with a ServerHello, containing the chosen protocol version, a random number, cipher, and compression method from the choices offered by the client.The Server sends its Certificate (depending on the selected cipher, this may be omitted by the Server).The server may request a certificate from the client, so that the connection can be mutually authenticated, using a Certificate Request.The Server sends a ServerHelloDone message, indicating it is done with handshake negotiation.The Client responds with a ClientKeyExchange which may contain a PreMasterSecret, public key, or nothing. (Again, this depends on the selected cipher).The Handshake protocol provides a number of security functions. Such as Authentication, Encryption, Hash Algorithms AuthenticationA certificate is a digital form of identification that is usually issued by a certification authority (CA) and contains identification information, a validity period, a public key, a serial number, and the digital signature of the issuer. For authentication purposes, the Handshake Protocol uses an X.509 certificate to provide strong evidence to a second party that helps prove the identity of the party that holds the certificate and the corresponding private key. EncryptionThere are two main types of encryption symmetri c key (also known as Private Key) and asymmetric key (also known as public key. TLS/SSL uses symmetric key for bulk encryption and public key for authentication and key exchange. Hash AlgorithmsA hash is a one-way mapping of values to a smaller set of representative values, so that the size of the resulting hash is smaller than the original message and the hash is unique to the original data. A hash is similar to a fingerprint a fingerprint is unique to the individual and is much smaller than the original person. Hashing is used to establish data integrity during transport. Two common hash algorithms are Message Digest5 (MD5) produce 128-bit hash value and Standard Hash Algorithm1 (SHA-1) produce 160-bit value.The Change Cipher SpecThe Change Cipher Spec Protocol signals a transition of the cipher suite to be used on the connection between the client and server. This protocol is composed of a single message which is encrypted and compressed with the current cipher suite. This messag e consists of a single byte with the value1. Message after this will be encrypted and compressed using the new cipher suite.The AlertThe Alert Protocol includes event-driven alert messages that can be sent from either party. the session is either ended or the recipient is given the choice of whether or not to end the session. Schannel SSP will only generate these alert messages at the request of the application.The Record Layer/ProtocolThe TLS record protocol is a simple framing layer with record format as shown belowstruct ContentType typeProtocolVersion versionuint16 lengthopaque payloadlength TLSRecordAs with TLS, data is carried in records. In both protocols, records can only be processed when the entire record is available.The Record Layer might have four functionsIt fragments the data coming from the application into manageable blocks (and reassemble incoming data to pass up to the application). Schannel SSP does not support fragmentation at the Record Layer.It compresses the data and decompresses incoming data. Schannel SSP does not support compression at the Record Layer.It applies a Message Authentication Code (MAC), or hash/digest, to the data and uses the MAC to verify incoming data.It encrypts the hashed data and decrypts incoming data.Application ProtocolTLS runs on application protocol such as HTTP, FTP, SMTP, NNTP, and XMPP and above a reliable transport protocol, TCP for example. While it can add security to any protocol that uses reliable connections (such as TCP), it is most commonly used with HTTP to form HTTPS. HTTPS is used to secure World Wide Web pages for applications such as electronic commerce and asset management. These applications use public key certificates to verify the identity of endpoints.TSL/ SSL SecurityThe client may use the CAs public key to validate the CAs digital signature on the server certificate. If the digital signature can be verified, the client accepts the server certificate as a valid certificate issued by a tru sted CA.The client verifies that the issuing Certificate Authority (CA) is on its list of trusted Cas.The client checks the servers certificate validity period. The authentication process stops if the current date and time fall outside of the validity period.IPSecIPSec acts at the network layer, protecting and authenticating IP packets between participating IPSec devices (peers), such as PIX Firewalls, Cisco routers, Cisco VPN 3000 Concentrators, Cisco VPN Clients, and other IPSec-compliant products. IPSec is not bound to any specific encryption or authentication algorithms, keying technology, or security algorithms. IPSec is a framework of open standards. Because it isnt bound to specific algorithms, IPSec allows newer and better algorithms to be implemented without patching the existing IPSec standards. IPSec provides data confidentiality, data integrity, and data origin authentication between participating peers at the IP layer. IPSec is used to secure a path between a pair of ga teways, a pair of hosts, or a gateway and a host. Some of the standard algorithms are as followsData Encryption Standard (DES) algorithmUsed to encrypt and decrypt packet data.3DES algorithmeffectively doubles encryption strength over 56-bit DES.Advanced Encryption Standard (AES)a newer cipher algorithm designed to replace DES. Has a variable key length between 128 and 256 bits. Cisco is the first industry vendor to implement AES on all its VPN-capable platforms.Message Digest 5 (MD5) algorithmUsed to authenticate packet data.Secure Hash Algorithm 1 (SHA-1)Used to authenticate packet data.Diffie-Hellman (DH)a public-key cryptography protocol that allows two parties to establish a shared secret key used by encryption and hash algorithms (for example, DES and MD5) over an insecure communications channel.IPSec security services provide four critical functionsConfidentiality (encryption)the sender can encrypt the packets before transmitting them across a network. By doing so, no one can eavesdrop on the communication. If intercepted, the communications cannot be read.Data integritythe receiver can verify that the data was transmitted through the Internet without being changed or altered in any way.Origin authenticationthe receiver can authenticate the packets source, guaranteeing and certifying the source of the information.Anti-replay protectionAnti-replay protection verifies that each packet is unique, not duplicated. IPSec packets are protected by comparing the sequence number of the received packets and a sliding window on the destination host, or security gateway. Late and duplicate packets are dropped.v How IPSec worksThe goal of IPSec is to protect the desired data with the needed security services. IPSecs operation can be broken into five primary stepsDefine interesting trafficTraffic is deemed interesting when the VPN device recognizes that the traffic you want to send needs to be protected.IKE Phase 1This basic set of security services protects all subse quent communications between the peers. IKE Phase 1 sets up a secure communications channel between peers.IKE Phase 2IKE negotiates IPSec security association (SA) parameters and sets up matching IPSec SAs in the peers. These security parameters are used to protect data and messages exchanged between endpoints.Data transferData is transferred between IPSec peers based on the IPSec parameters and keys stored in the SA database.IPSec tunnel terminationIPSec SAs terminate through deletion or by timing out.TASK 1(b)IPSecs advantage over TLSIt has more plasticity on choosing the Authentication mechanisms (like the Pre Shared Key), and therefore makes it hard for the attacker to do man in the middle.TLS is based only on Public key and with tools, its possible to do man in the Middle breaking TLS. Going one step down the OSI stack, IP Security (IPSec) guarantees the data privacy and integrity of IP packets, regardless of how the application used the sockets. This means any application, as long as it uses IP to send data, will benefit from the underlying secure IP network. Nothing has to be rewritten or modified it even is possible that users wont be aware their data is being processed through encrypting devices. This solution is the most transparent one for end users and the one most likely to be adopted in the future in the widest range of situations. The main drawback of IPSsec lies in its intrinsic infrastructural complexity, which demands several components to work properly. IPSec deployment must be planned and carried out by network administrators, and it is less likely to be adopted directly by end users.TLSs advantage over IPSecThe advantage of TLS over generic application-level security mechanisms is the application no longer has the burden of encrypting user data. Using a special socket and API, the communication is secured. The problem with TLS is an application wishing to exploit its functionality must be written explicitly in order to do so (see Resources ). Existing applications, which constitute the majority of data producers on the Internet, cannot take advantage of the encryption facilities provided by TLS without being rewritten. Think of the common applications we use everyday mail clients, web browsers on sites without HTTPS, IRC channels, peer-to-peer file sharing systems and so on. Also, most network services (such as mail relays, DNS servers, routing protocols) currently run over plain sockets, exchanging vital information as clear text and only seldomly adopting application-level counter-measures (mostly integrity checks, such as MD5 sums).IGMPIGMP is a protocol used by IP hosts, and adjacent multicast network devices to identify their memberships. If they are part of the same multicast group they communicate with each other. ICMP communicates 1 to 1.IGMP communicates 1 to many.Establish Multicast groupWe describe a distributed architecture for managing multicast addresses in the global Internet. A multicast address space partitioning scheme is proposed, based on the Unicast host address and a per-host address management entity. By noting that port numbers are an integral part of end-to-end multicast addressing we present a single, unified solution to the two problems of dynamic multicast address management and port resolution. We then present a framework for the evaluation of multicast address management schemes, and use it to compare our design with three approaches, as well as a random allocation strategy. The criteria used for the evaluation are blocking probability and consistency, address acquisition delay, the load on address management entities, robustness against failures, and processing and communications overhead. With the distributed scheme the probability of blocking for address acquisition is reduced by several orders of magnitude, to insignificant levels, while consistency is maintained. At the same time, the address acquisition delay is reduced to a minimum by serving the request with in the host itself. It is also shown that the scheme generates much less control traffic, is more robust against failures, and puts much less load on address management entities as compared with the other three schemes. The random allocation strategy is shown to be attractive primarily due to its simplicity, although it does have several drawbacks stemming from its lack of consistency (addresses may be allocated more than once)The Routing and Remote Access administrative tool is used to enable routing on a Windows 2000 server that is multihomed (has more than one network card). Windows 2000 professional cannot be a router. The Routing and Remote Access administrative tool or the route command line utility can be used to con a static router and add a routing table. A routing table is required for static routing. Dynamic routing does not require a routing table since the table is built by software. Dynamic routing does require additional protocols to be installed on the computer. When using the Routing and Remote Access tool, the following information is enteredInterface Specify the network card that the route applies to which is where the packets will come from.Destination Specify the network address that the packets are going to such as 192.168.1.0.Network Mask The subnet mask of the destination network.Gateway The IP address of the network card on the network that is cond to forward the packets such as 192.168.1.1.Metric The number of routers that packets must pass through to reach the intended network. If there are more than 1, the Gateway address will not match the network address of the destination network.Dynamic RoutingWindows 2000 Server supports Network Address Translation (NAT) and DHCP relay agent. Three Windows 2000 supported Dynamic routing protocols areRouting Information Protocol (RIP) version 2 for IPOpen Shortest Path First (OSPF)Internet Group Management Protocol (IGMP) version 2 with router or proxy support.The Routing and Remote Access tool is used to install, con, and monitor these protocols and routing functions. After any of these dynamic routing protocols are installed, they must be cond to use one or more routing interfaces.Protocol Independent Multicast (PIM)This document describes an architecture for efficiently routing to multicast groups that may span wide-area (and inter-domain) internets. We refer to the approach as Protocol Independent Multicast (PIM) because it is not dependent on any particular unicast routing protocol.The most significant innovation in this architecture is the efficient support of sparse, wide area groups. This sparse mode (SM) of operation complements the traditional dense-mode approach to multicast routing for campus networks, as developed by Deering 23 and implemented previously in MOSPF and DVMRP 45. Thesetraditional dense mode multicast schemes were intended for use within regions where a group is widely represented or bandwidth is universally plentiful. However, when group me mbers, and senders to those group members, are distributed sparsely across a wide area, these schemes are not efficient data packets (in the case of DVMRP) or membership report information (in the case of MOSPF) are occasionally sent over many links that do not lead to receivers or senders, respectively. The purpose of this work is to develop a multicast routing architecture that efficiently establishes distribution trees even when some or all members are sparsely distributed. Efficiency is evaluated in terms of the state, control message, and data packet overhead required across the entire network in order to deliver data packets to the members of the group.The Protocol Independent Multicast (PIM) architecturemaintains the traditional IP multicast service model of receiver-initiated membershipcan be cond to adapt to different multicast group and network characteristicsis not dependent on a specific unicast routing protocoluses soft-state mechanisms to adapt to underlying network co nditions and group dynamics.The robustness, flexibility, and scaling properties of this architecture make it well suited to large heterogeneous inter-networks.This document describes an architecture for efficiently routing to multicast groups that may span wide-area (and inter-domain) internets. We refer to the approach as Protocol Independent Multicast (PIM) because it is not dependent on any particular unicast routing protocol. The most significant innovation in this architecture is the efficient support of sparse, wide area groups. This sparse mode (SM) of operation complements the traditional dense-mode approach to multicast routing for campus networks, as developed by Deering 23 and implemented previously in MOSPF and DVMRP 45. These traditional dense mode multicast schemes were intended for use within regions where a group is widely represented or bandwidth is universally plentiful. However, when group members, and senders to those group members, are distributed sparsely acro ss a wide area, these schemes are not efficient data packets (in the case of DVMRP) or membership report information (in the case of MOSPF) are occasionally sent over many links that do not lead to receivers or senders, respectively. The purpose of this work is to develop a multicast routing architecture that efficiently establishes distribution trees even when some or all members are sparsely distributed. Efficiency is evaluated in terms of the state, control message, and data packet overhead required across the entire network in order to deliver data packets to the members of the group.A user of an internet- connected pc, Adam send an email message to another internet connected pc user beryl.1. Outlinethe function of four internet host that would normally be involved be involved in this task.. 1. Adams Computer 2. Server of Adams Internet Service Provider 3. Server of Beryls Internet Service Provider4. Beryls Computer .This program allows you to build and deal with a large mailin g list, and to create modified messages from predefined templates while sending. It lets you define multiple independent SMTP server connections and will utilize the latest in multithreading technology, to send emails to you as fast as it is possible. You can use all the standard message formats like plain text, HTML or even create a rich content message in the Microsoft Outlook Express and export it into the program. The interface of the program is very simple and easy to learn nearly all functions can be performed using hotkeys on the keyboard.E-mail is a growing source of an enterprises records and needs to be treated as any written memo, letter or report has been treated. The information in e-mail has the potential to add to the enterprises knowledge assets, from interactions with the users or customers in the enterprise to interactions with colleagues overseas.2. List the internet protocol which would be used in this task.Internet Protocol (IP) is packet-based protocol that al lows dissimilar hosts to connect to each other for the purpose of delivering data across the resulting networks. Applications combine IP with a higher- level protocol calledTransport Control Protocol (TCP), which establishes a virtual connection between a destination and a source. IP by itself is something like the postal system. It allows you to address a package and drop it in the system, but theres no direct link between you and the recipient.. 1. HTTP 2. IMAP(Version 4) 3.SMTP 4.POP (Version 3) .HTTP(Hyper-Text Transfer Protocol) is the underlying protocol used by the World Wide Web. HTTP defines how messages are formatted and transmitted, and what actions Web servers and browsers should take in response to various commands. HTTP/1.0, as defined by RFC 1945 6, improved the protocol by allowing messages to be in the format of MIME-like messages, containing meta information about the data transferred and modifiers on the request/response semantics.IMAP4(Internet Message Access Pro tocol) A mail protocol that provides management of received messages on a remote server. The user can review headers, create or delete folders/mailboxes and messages, and search contents remotely without downloading. It includes more functions than the similar POP protocol.POP3(Post Office Protocol 3) is the most recent version of a standard protocol for receiving e-mail. POP3 is a client/server protocol in which e-mail is received and held for you by your Internet server. Periodically, you (or your client e-mail receiver) check your mail-box on the server and download any mail, probably using POP3. This standard protocol is built into mostpopular e-mail products, such as Eudora and Outlook Express. Its also built into the Netscape and Microsoft Internet Explorer browsers. POP3 is designed to delete mail on the server as soon as the user has downloaded it. However, some implementations allow users or an administrator to specify that mail be saved for some period of time. POP can be thought of as a store-and-forward service.SMTP(Simple Mail Transfer Protocol) is a TCP/IP protocol used in sending and receiving e-mail. However, since it is limited in its ability to queue messages at the receiving end, it is usually used with one of two other protocols, POP3 or IMAP, that let the user save messages in a server mailbox and download them periodically from the server. In other words, users typically use a program that uses SMTP for sending e-mail and either POP3 or IMAP for receiving e-mail. On Unix-based systems, send mail is the most widely-used SMTP server for e-mail. A commercial package, Send mail, includes a POP3 server. Microsoft Exchange includes an SMTP server and can also be set up to include POP3 support. SMTP usually is implemented to operate over Internet port 25. An alternative to SMTP that is widely used in Europe is X.400. Many mail servers now support Extended Simple Mail Transfer Protocol (ESMTP), which allows multimedia files to be delivered as e-m ail.3. Taking the case that the message include the text please find attached abstract and 1. as well as in MS-Word format and an attachment in jpeg, list format of the send mail messages... 1. MIME ..MIME(Multi-Purpose Internet Mail Extensions) is an extension of the original Internet e-mail protocol that lets people use the protocol to exchangedifferent kinds of data files on the Internet audio, video, images, application programs, and other kinds, as well as the ASCII text handled in the original protocol, the Simple Mail Transport Protocol (SMTP). In 1991, Nathan Borenstein of Bellcore proposed to the IETF that SMTP be extended so that Internet (but mainly Web) clients and servers could recognize and handle other kinds of data than ASCII text. As a result, new file types were added to mail as a supported Internet Protocol file type.Servers insert the MIME header at the beginning of any Web transmission. Clients use this header to select an appropriate player application for the type of data the header indicates. Some of these players are built into the Web client or browser (for example, all browsers come with GIF and JPEG image players as well as the ability to handle HTML files).4. How would received message differ the sent messages?The email address that receives messages sent from users who click reply in their email clients. Can differ from the fromaddress which can be an automated or unmonitored email address used only to send messages to a distribution list. Reply-to should always be a monitored address.IPv4 Internet Protocol (Version 4)The Internet Protocol (IP) is a network-layer (Layer 3) protocol in the OSI model that contains addressing information and some control information to enable packets being routed in network. IP is the primary network-layer protocol in the TCP/IP protocol suite. Along with the Transmission Control Protocol (TCP), IP represents the heart of the Internet protocols. IP is equally well suited for both LAN and WAN communic ations.IP (Internet Protocol) has two primary responsibilities providing connectionless, best-effort delivery of datagrams through a network and providing fragmentation and reassembly of datagrams to support data links with different maximum-transmission unit (MTU) sizes. The IP addressing scheme is integral to the process of routing IP datagrams through an internetwork. Each IP address has specific components and follows a basic format. These IP addresses can be subdivided and used to create addresses for sub networks. Each computer (known as host) on a TCP/IP network is assigned a unique logical address (32-bit in IPv4) that is divided into two main parts the network number and the host number. The network number identifies a network and must be assigned by the Internet Network Information Center (InterNIC) if the network is to be part of the Internet. An Internet Service Provider (ISP) can obtain blocks of network addresses from the InterNIC and can itself assign address space as necessary. The host number identifies a host on a network and is assigned by the local network administrator.IPv6 (IPng) Internet Protocol version 6IPv6 is the new version of Internet Protocol (IP) based on IPv4, a network-layer (Layer 3) protocol that contains addressing information and some control information enabling packets to be routed in the network. There are two basic IP versions IPv4 and IPv6. IPv6 is also called next generation IP or IPng. IPv4 and IPv6 are de-multiplexed at the media layer. For example, IPv6 packets are carried over Ethernet with the content type 86DD (hexadecimal) instead of IPv4s 0800. The IPv4 is described in separate documents.IPv6 increases the IP address size from 32 bits to 128 bits, to support more levels of addressing hierarchy, a much greater number of addressable nodes, and simpler auto-configuration of addresses. IPv6 addresses are expressed in hexadecimal format (base 16) which allows not only numerals (0-9) but a few characters as well (a- f). A sample ipv6 address looks like 3ffe ffff 100f101210a4fffee39566. Scalability of multicast addresses is introduced. A new type of address called an any cast address is also defined, to send a packet to any one of a group of nodes. Two major improvements in IPv6 vs. v4* Improved support for extensions and options IPv6 options are placed in separate headers that are located between the IPv6 header and the transport layer header. Changes in the way IP header options are encoded to allow more efficient forwarding, less stringent limits on the length of options, and greater flexibility for introducing new options in the future. Flow labeling capability A new capability has been added to enable the labeling of packets belonging to particular traffic flows for which the sender requests special handling, such as non-default Quality of Service or real-time service.Comparison between IPv6 with IPv4Data structure of IPv6 has modified as followsHeader length field found in IPv4 is remove d in IPv6.Type of Service field found in IPv4 has been replaced with Priority field in IPv6.Time to live field found in IPv4 has been replaced with Hop Limit in IPv6.Total Length field has been replaced with Payload Length fieldProtocol field has been replaced with Next Header fieldSource Address and Destination Address has been increased from 32-bits to 128-bits.Major Similarities IPv6 with IPv4Both protocols provide loopback addresses. IPv6 multicast achieves the same purpose that IPv4 broadcast does. Both allow the user to determine datagram size, and the maximum number of hops before termination. Both provide connectionless delivery service (datagrams routed independently). Both are best effort datagram delivery services.Major Differences between IPv6 with IPv4IPv6 host to IPv6 host routing via IPv4 network Here, IPv6 over IPv4 tunneling is required to send a datagram. IPv6 packets are encapsulated within IPv4 packets, allowing travel over IPv4 routing infrastructures to reach a n IPv6 host on the other side of the .IPv6 over IPv4 tunnel. The two different types of tunneling are automatic and cond. For a cond tunnel, the IPv6 to IPv4 mappings, at tunnel endpoints, have to be manually specified. Automatic tunneling eases tunneling, but nullifies the advantages of using the 128-bit address space.IPv6 host to IPv4 host and vice versa The device that converts IPv6 packets to IPv4 packets (a dual IP stack/ dual stack router) allows a host to access both IPv4 and IPv6 resources for communication. A dual IP stack routes as well as converts between IPv4 and IPv6 datagramsICMP IPv6 enhances ICMP with ICMPv6. The messages are grouped as informational and error. An ICMPv6 message can contain much more information. The rules for message handling are stricter. ICMPv6 uses the Neighbor Discovery Protocol. New messages have been added also.Absence of ARP RARP