Chapter 14 - Encrypting network traffic (Virtual Private Networks) with IPSec. By Kurt Seifried, kurt@seifried.org, Copyright Kurt Seifried With sensitive data moving across public networks some form of encryption is needed to protect the data, provide authentication, and prevent spoofing/etc. The emerging standard for this problem is IPSec (IP Security), which has broad industry support and a recognized set of RFC's laying down the rules. Unfortunately one of the major areas of IPSec is key management, and this is one area where many vendors have trouble interoperating, so if you are considering a hetrogenous network do plenty of testing beforehand.
The good news is most vendors support IPSec, many "out of the box", and there are numerous free to cheap clients for Windows 95/98/NT (2000 has built in support). The first decision needed when implementing IPSec is to decide what traffic you want to encrypt. . [ Back | TOC | Forwards] Public key infrastructure. Diagram of a public key infrastructure A public key infrastructure (PKI) is a set of hardware, software, people, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates.[1] In cryptography, a PKI is an arrangement that binds public keys with respective user identities by means of a certificate authority (CA). The user identity must be unique within each CA domain. The third-party validation authority (VA) can provide this information on behalf of CA. The binding is established through the registration and issuance process, which, depending on the assurance level of the binding, may be carried out by software at a CA or under human supervision.
The PKI role that assures this binding is called the registration authority (RA), which ensures that the public key is bound to the individual to which it is assigned in a way that ensures non-repudiation. Design[edit] A PKI consists of:[4][6][7] Methods of certification[edit] Web of trust[edit] Man-in-the-middle attack. In cryptography and computer security, a man-in-the-middle attack (often abbreviated to MITM, MitM, MIM, MiM or MITMA) is an attack where the attacker secretly relays and possibly alters the communication between two parties who believe they are directly communicating with each other.
One example is active eavesdropping, in which the attacker makes independent connections with the victims and relays messages between them to make them believe they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker. The attacker must be able to intercept all relevant messages passing between the two victims and inject new ones. This is straightforward in many circumstances; for example, an attacker within reception range of an unencrypted Wi-Fi wireless access point, can insert himself as a man-in-the-middle.[1] Example of an attack[edit] Illustration of man-in-the-middle attack.
Suppose Alice wishes to communicate with Bob. 1. SSH File Transfer Protocol. In computing, the SSH File Transfer Protocol (also Secure File Transfer Protocol, or SFTP) is a network protocol that provides file access, file transfer, and file management functionalities over any reliable data stream. It was designed by the Internet Engineering Task Force (IETF) as an extension of the Secure Shell protocol (SSH) version 2.0 to provide secure file transfer capability, but is also intended to be usable with other protocols.
The IETF Internet Draft states that even though this protocol is described in the context of the SSH-2 protocol, it could be used in a number of different applications, such as secure file transfer over Transport Layer Security (TLS) and transfer of management information in VPN applications. This protocol assumes that it is run over a secure channel, such as SSH, that the server has already authenticated the client, and that the identity of the client user is available to the protocol. Capabilities[edit] History and development[edit] Version 3[edit] SSH in Chrome. SOCKS. SOCKS performs at Layer 5 of the OSI model (the session layer, an intermediate layer between the presentation layer and the transport layer).
History[edit] The protocol was originally developed/designed by David Koblas, a system administrator of MIPS Computer Systems. After MIPS was taken over by Silicon Graphics in 1992, Koblas presented a paper on SOCKS at that year's Usenix Security Symposium, making SOCKS publicly available.[1] The protocol was extended to version 4 by Ying-Da Lee of NEC. The SOCKS reference architecture and client are owned by Permeo Technologies,[2] a spin-off from NEC. (Blue Coat Systems bought out Permeo Technologies.)[3][4] Usage[edit] SOCKS is a de facto standard for circuit-level gateways. Another use of SOCKS is as a circumvention tool, allowing traffic to bypass Internet filtering to access content otherwise blocked, e.g., by governments, workplaces, schools, and country-specific web services.[7] Comparison to HTTP proxying[edit] SOCKET[edit] HTTP[edit] SOCKS4[edit] Secure Shell.
Secure Shell (SSH) is a cryptographic network protocol for secure data communication, remote command-line login, remote command execution, and other secure network services between two networked computers. It connects, via a secure channel over an insecure network, a server and a client running SSH server and SSH client programs, respectively.[1] The protocol specification distinguishes between two major versions that are referred to as SSH-1 and SSH-2. The best-known application of the protocol is for access to shell accounts on Unix-like operating systems, but it can also be used in a similar fashion for accounts on Windows. Definition[edit] SSH uses public-key cryptography to authenticate the remote computer and allow it to authenticate the user, if necessary.[1] There are several ways to use SSH; one is to use automatically generated public-private key pairs to simply encrypt a network connection, and then use password authentication to log on.
Key management[edit] Usage[edit]