ITNE 3013 Advanced Network and Information Security

TUTORIALS WEEK – 2
Name: Rupesh Pandey
Student no. 40290

CONTENTS

Transport Layer Security

Transport Layer Security, or TLS, is a widely adopted security protocol designed to facilitate
privacy and data security for communications over the Internet. A primary use case of TLS is
encrypting the communication between web applications and servers, such as web browsers
loading a website. TLS can also be used to encrypt other communications such as email,
messaging, and voice over IP (VOIP)

1. What are the advantages of each of the three approaches shown in the figure below?

Advantage of IP/IPsec

1. Network layer security

2. Confidentiality
3. Zero dependability on Application

Advantage of SSL
1. SSL Protects Data
2. SSL Affirms Your Identity
3. Better Search Engine Ranking

2) What protocols comprise SSL?

a. SSL Handshake Protocol b. SSL change cipher spec Protocol c. SSL Alert Protocol d. SSL Record
Protocol e. TCP/IP Protocol

3) What is the difference between an SSL connection and an SSL session?

Connection: A connection is a transport (in the OSI layering model definition) that provides a suitable
type of service. For SSL, such connections are peer-topeer relationships. The connections are
transient. Every connection is associated with one session.

Session: An SSL session is an association between a client and a server. Sessions are created by the
Handshake Protocol. Sessions define a set of cryptographic security parameters, which can be
shared among multiple connections. Sessions are used to avoid the expensive negotiation of new
security parameters for each connection."
4) List and briefly define the parameters that define an SSL session state.

 Session Identifier: An arbitrary byte sequence chosen by the server to identify an active or
resumable session state
 Peer Certificate: An X509.v3 certificate of the peer; this element of the state may
 Compression method: The algorithm used to compress data prior to encryption
 Cipher spec: Specifies the bulk data encryption algorithm and a hash algorithm used for MAC
calculation; also defines cryptographic attributes such as the hash_size.
 Master Secret: 48-byte secret shared between the client and the server.
 Is resumable: A flag indicating whether the session can be used to initiate new connections.

5) List and briefly define the parameters that define an SSL session connection.

 Server and client random: Byte sequences that are chosen by the server and client for each
connection
 Server write MAC secret: The secret key used in MAC operations on data sent by the server
 Client write MAC secret: The secret key used in MAC operations on data sent by the client.
 Server write key: The secret encryption key for data encrypted by the server and decrypted
by the client.
 Client write key: The symmetric encryption key for data encrypted by the client and
decrypted by the server

6) What services are provided by the SSL Record Protocol?

The SSL Record Protocol provides two services for SSL connections:

1. Confidentiality: The Handshake Protocol defines a shared secret key that is used for
conventional encryption of SSL payloads
2. Message integrity: The Handshake Protocol also defines a shared secret key that is used to
form a message authentication code (MAC).

7) What steps are involved in the SSL Record Protocol transmission?

There are 4 steps for SSL record protocol transmission:

1. Fragmentation
2. Compression
3. Message authentication code
4. Preparing header

8) What is the purpose of HTTPS?

Hypertext transfer protocol secure (HTTPS) is the secure version of HTTP, which is the primary
protocol used to send data between a web browser and a website. HTTPS is encrypted in order to
increase security of data transfer

9) For what applications is SSH useful?

The initial version, SSH1 was focused on providing a secure

remote logon facility to replace TELNET and other remote logon
schemes that provided no security. SSH also provides a more general
client/server capability and can be used for such network functions as
file transfer and e-mail.
10) List and briefly define the SSH protocols.

1. SSH User Authentication Protocol: Authenticates the client-side user to the server.

2. SSH Transport Layer Protocol: Provides server authentication, confidentiality, and integrity. It may
optionally also provide compression.

3. SSH Connection Protocol: Multiplexes the encrypted tunnel into several logical channels.

4. TCP: Transmission control protocol provides reliable, connection-oriented end-to-end delivery.

5. IP: Internet protocol provides datagram delivery across multiple networks.

11. Consider the following threats to Web security and describe how each is countered by a
particular feature of SSL.

i) Brute-Force Cryptanalytic Attack: An exhaustive search of the key space for a conventional
encryption algorithm.

Given that both RC4 and RC2 ciphers have 128-bit encryption, they each have approximately 3.4 *
1038 possible keys, making them very difficult to crack. Assuming that a hacker could test 10,000
(104) keys every second, it could take up to one octillian (1.08 * 10 27) years to break the cipher. Only
when an octillian keys can be tested every second, is it possible that the cipher can be broken within
a year.

ii) Known Plaintext Dictionary Attack: Many messages will contain predictable plaintext, such as the
HTTP GET command. An attacker constructs a dictionary containing every possible encryption of the
known-plaintext message. When an encrypted message is intercepted, the attacker takes the
portion containing the encrypted known plaintext and looks up the ciphertext in the dictionary. The
ciphertext should match against an entry that was encrypted with the same secret key. If there are
several matches, each of these can be tried against the full ciphertext to determine the right one.
This attack is especially effective against small key

This attack is defeated the same way the earlier attack is addressed. Since there are so many
different sets of keys available, the size of the dictionary required would be too large to be created.
For small key sizes, it could be possible to hack into after a certain amount of time, resources and
money. However, for larger key sizes, specifically 128-bit, it could take a very long time

iii) Replay Attack: Earlier SSL handshake messages are replayed.

The replay attack is countered through the usage of a timestamp in the server authentication
process. The client will check to see if the server's certificate is valid and during that process, a
timestamp would be used to verify that the messages are not old.

iv) Man-in-the-Middle Attack: An attacker interposes during key exchange, acting as the client to the
server and as the server to the client.

The client application checks the server domain name specified in the server certificate is the same
as the actual domain name of the server. If they are not the same, the authentication fails.

v) Password Sniffing: Passwords in HTTP or other application traffic are eavesdropped.

With SSL, key-management is handled well because short-term session keys are generated using
random hash number generators. Each direction of communication generates independent keys for
the connection as well as for each instance of the connection.

vi) IP Spoofing: Uses forged IP addresses to fool a host into accepting bogus data.

If the server requests client authentication, the SSL protocol requires that the client create a digital
signature by creating a one-way hash from randomly generated data during the handshake and
known only to the client and server. The hash data is encrypted with the client's private key that
corresponds to the public key in the certificate received by the server.

vii) IP Hijacking: An active, authenticated connection between two hosts is disrupted and the
attacker takes the place of one of the hosts.

SSL uses HMAC, a simple, fast, hash-based construction with strong theoretical evidence for its
security. Authentication can be requested during the connection in order to protect the confidential
nature of data being passed.

viii) SYN Flooding: An attacker sends TCP SYN messages to request a connection but does not
respond to the final message to establish the connection fully. The attacked TCP module typically
leaves the “half-open connection” around for a few minutes. Repeated SYN messages can clog the
TCP module.

SYN flooding is also handled by SSL in that the source of the message has to be authenticated before
a response is generated. The messages that are continuously sent, can be removed if the source of
the requests are considered invalid.