Information Security Notes 5 - IPSec, TLS, VPN, HTTPS

Security Goal

  1. End-to-end Encryption: the data is readable only by the sender and the receiver
  2. Tunneling: the traffic pattern is hidden from everyone except the very last endpoint
  3. Authentication: packets are verified to be authentic
  4. Fast
  5. Free

OSI model in Security

A VPN works at the Network Layer (IP); a proxy works at the Transport Layer (TCP/UDP).

  • Application Layer
  • Physical/Data Link: hop-to-hop security
  • IP Layer: IPSec
  • Transport Layer: TLS/SSL
  • Upper Layer: HTTPS

IPSec

IPSec (IP Security) provides security services for IP; VPNs are solutions that arise from the way this security is achieved. IPSec is a framework architecture consisting of two specific protocols.

AH - Authentication Header

  • Provides authentication
  • Uses a hash (MD5, SHA1)
  • Less used than ESP

ESP - Encapsulated Security Payload

  • Encapsulates and encrypts the payload

Why is AH less used? Because AH provides no encryption. Also, AH cannot pass through NAT, because its authentication covers the IP header, which NAT modifies.
Of course, IPSec can use both AH and ESP together to achieve the most complete set of security features in extreme cases, but such solutions are extremely rare.

Transport Mode

  • The IP header remains unchanged; mainly used in End-to-End application scenarios
  • Protects primarily the upper-layer protocols (TCP/UDP)

Tunnel Mode

  • Tunnel mode adds an outer IP header after AH/ESP processing; mainly used in Site-to-Site application scenarios
  • Protects the entire original IP packet
  • Although tunnel mode can be applied to any scenario, it requires the overhead of an additional header
  • For PC-to-PC scenarios, transport mode is recommended

IPSec Traffic Processing

  • IPSec is executed on a packet-by-packet basis
  • IPSec searches the Security Policy Database (SPD) for a matching policy
  • DISCARD if there is no match
  • Policy says BYPASS: send the packet right away
  • Policy says PROTECT: look up the key (SA) to encrypt with
    • Run IKE if no key is found

Security Association (SA)

  • Can be understood as the chosen set of parameters for one direction of protected traffic
  • SPI (Security Parameters Index): a local identifier that enables the receiving system to select the SA
  • IP Destination: the unicast receiver address
  • Security Protocol: indicates whether it is an AH or an ESP association

SSL

  • Protocols that provide secure communication on the Internet
  • Encrypts the network connection at the Transport Layer
    • On top of TCP; under HTTP/FTP
    • TLS (Transport Layer Security) is the successor of SSL
  • Designed to prevent eavesdropping, tampering and message forgery
  • End-to-End service over TCP

  • Encrypted communication over the Internet
  • Ensures that the information is sent unchanged, and only to the server you intended
  • Asymmetric encryption for authentication and key exchange
  • Symmetric encryption to encrypt the data

SSL connection and SSL session

Different types of Handshaking

  • One-way Authentication
  • Two-way Authentication
  • Abbreviated Handshake
    • important and tedious.

Lower Layer stack of SSL

  • SSL Record Protocol
    • Provides support for the upper-layer protocols
      • Message integrity
      • Confidentiality
    • Fragmentation: cuts the data into fragments of at most 2^14 bytes
    • Compression: optional, but must be lossless
    • Add MAC: computes a message authentication code over each fragment
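Added example, not from the original notes: a toy model in Python of the record-layer steps listed above (fragment, optional lossless compression, add MAC) together with the receiver-side check that rejects a modified record. It assumes HMAC-SHA256 as the MAC and a TLS 1.2-style MAC input (sequence number, type, version, length, fragment); encryption is left out to keep the focus on fragmentation and integrity.

```python
import hmac
import hashlib
import struct
import zlib

MAX_FRAGMENT = 2 ** 14      # record-layer fragment limit: 2^14 bytes
APPLICATION_DATA = 23       # TLS record content type for application data
VERSION = b"\x03\x03"       # TLS 1.2 version bytes
TAG_LEN = 32                # HMAC-SHA256 output length

def fragment(data: bytes) -> list[bytes]:
    """Step 1: cut the data into fragments of at most 2^14 bytes."""
    return [data[i:i + MAX_FRAGMENT] for i in range(0, len(data), MAX_FRAGMENT)] or [b""]

def mac_input(seq: int, ctype: int, payload: bytes) -> bytes:
    # The MAC covers the sequence number, type, version and length, not only
    # the payload, so reordering, replaying or retyping a record is detected.
    return struct.pack("!QB", seq, ctype) + VERSION + struct.pack("!H", len(payload)) + payload

def protect(data: bytes, mac_key: bytes, compress: bool = False) -> list[bytes]:
    """Sender side: fragment -> optional lossless compression -> append MAC."""
    records = []
    for seq, frag in enumerate(fragment(data)):
        payload = zlib.compress(frag) if compress else frag   # zlib is lossless
        tag = hmac.new(mac_key, mac_input(seq, APPLICATION_DATA, payload), hashlib.sha256).digest()
        records.append(payload + tag)
    return records

def unprotect(records: list[bytes], mac_key: bytes, compress: bool = False) -> bytes:
    """Receiver side: verify each MAC in constant time, decompress, reassemble."""
    out = bytearray()
    for seq, rec in enumerate(records):
        payload, tag = rec[:-TAG_LEN], rec[-TAG_LEN:]
        expected = hmac.new(mac_key, mac_input(seq, APPLICATION_DATA, payload), hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError(f"MAC check failed on record {seq}")
        out += zlib.decompress(payload) if compress else payload
    return bytes(out)

def tamper_detected(records: list[bytes], mac_key: bytes) -> bool:
    """True if the receiver rejects the record stream (integrity failure)."""
    try:
        unprotect(records, mac_key)
        return False
    except ValueError:
        return True
```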

Upper Layer stack of SSL

  • SSL Handshake Protocol
  • SSL Change Cipher Spec Protocol
  • SSL Alert Protocol
  • Application Protocol

HSTS

  • HTTP Strict Transport Security
  • A web security policy mechanism
  • Header:
    Strict-Transport-Security: max-age=31536000
  • The browser turns any http:// request to the site into https://
  • The browser aborts the connection if a secure connection cannot be ensured

https://blog.kwunlam.com/Information-Security-Notes-5-IPSec-TLS-VPN-HTTPS/

Author

Elliot

Posted on

2021-02-28

Updated on

2023-05-07
