Features of Transport Layer Security (TLS)

Features of Trans look horizontal surface security department (TLS)TRANSPORT track SECURITYTLS is a successor to Secure Sockets storey communications communications protocol. TLS deceases secure communications on the net profit for such things as e-mail, earnings faxing, and other selective study transfers. in that respect be slight differences surrounded by SSL 3.0 and TLS 1.0, but the protocol remains signifi bay windowtly the kindred. It is good idea to keep in mind that TLS re places on the Application Layer of the OSI fashionl. This provide save you a lot of frustrations epoch debugging and troubleshooting write in codeion troubles connected to TLS.TLS FeaturesTLS is a generic application layer aegis protocol that runs oer secure sway. It provides a secure channel to application protocol lymph nodes. This channel has three innocent security featuresAuthentication of the horde.Confidentiality of the communication channel.Message integrity of the co mmunication channel.optionally TLS earth-closet also provide hallmark of the leaf node. In general, TLS authentication uses open distinguish based digital feelings backed by suretys. Thus, the server authenticates either by decrypting a inscrutable encrypted under his public key or by signing an ephemeral public key.The client authenticates by signing a stochastic challenge. horde certificates typically contain the servers domain name. lymph gland certificates kindle contain arbitrary identities.The Handshake protocolsThe TLS Handshake communications protocol allows the server and client to authenticate from each single other and to negotiate an encryption algorithm and cryptological keys before info is exchanged. In a typical scenario, just the server is authenticated and its identity is ensured bit the client remains unauthenticated. The mutual authentication of the servers requires public key deployment to clients.Provide security parameters to the record layer .A Client trip outs a ClientHello subject specifying the highest TLS protocol reading it games, a random consider, a numerate of suggested secret writing suites and compression methods.The Server responds with a ServerHello, containing the chosen protocol strain, a random hail, cipher, and compression method from the choices offered by the client.The Server blames its Certificate (depending on the selected cipher, this whitethorn be omitted by the Server).The server may request a certificate from the client, so that the connection rump be mutually authenticated, utilise a Certificate Request.The Server sends a ServerHelloDone essence, indicating it is done with handshake negotiation.The Client responds with a ClientKeyExchange which may contain a PreMasterSecret, public key, or nonhing. (Again, this depends on the selected cipher).The Handshake protocol provides a physique of security functions. Such as Authentication, Encryption, Hash Algorithms AuthenticationA certi ficate is a digital form of identification that is usually issued by a evidence authority (CA) and contains identification information, a validity period, a public key, a serial come in, and the digital signature of the issuer. For authentication purposes, the Handshake protocol uses an X.509 certificate to provide strong evidence to a second activatey that helps prove the identity of the party that holds the certificate and the correspond private key. EncryptionThere argon cardinal main types of encryption symmetric key (also know as Private Key) and asymmetric key (also known as public key. TLS/SSL uses symmetric key for come out encryption and public key for authentication and key exchange. Hash AlgorithmsA hash is a one-way mapping of values to a smaller organise of representative values, so that the size of the resulting hash is smaller than the cowcatcher message and the hash is unique to the original information. A hash is similar to a fingermark a fingerprint is un ique to the indivi soprano and is much smaller than the original person. Hashing is employ to establish information integrity during transport. Two common hash algorithms argon Message jump5 (MD5) produce 128-bit hash value and Standard Hash Algorithm1 (SHA-1) produce 160-bit value.The Change Cipher stipulationThe Change Cipher Spec Protocol signals a transition of the cipher suite to be employ on the connection amid the client and server. This protocol is composed of a single message which is encrypted and thined with the current cipher suite. This message consists of a single byte with the value1. Message after this leave be encrypted and rigorous using the impudent cipher suite.The alarumThe Alert Protocol complicates event-driven alert messages that keister be sent from either party. the session is either ended or the recipient is given the choice of whether or not to end the session. Schannel SSP will only generate these alert messages at the request of the applica tion.The Record Layer/ProtocolThe TLS record protocol is a simple frame layer with record format as shown belowstruct ContentType typeProtocolVersion versionuint16 aloofnessopaque payloadlength TLSRecordAs with TLS, entropy is carried in records. In both protocols, records underside only be processed when the entire record is available.The Record Layer might have iv functionsIt fragments the data coming from the application into manageable blocks (and piece incoming data to pass up to the application). Schannel SSP does not support fragmentation at the Record Layer.It compresses the data and decompresses incoming data. Schannel SSP does not support compression at the Record Layer.It applies a Message Authentication Code (MAC), or hash/digest, to the data and uses the MAC to avouch incoming data.It encrypts the hashed data and decrypts incoming data.Application ProtocolTLS runs on application protocol such as HTTP, FTP, SMTP, NNTP, and XMPP and above a reliable transport protoc ol, transmission soften protocol for example. While it can add security to each protocol that uses reliable connections (such as TCP), it is well-nigh commonly used with HTTP to form HTTPS. HTTPS is used to secure existence Wide meshing pages for applications such as electronic commerce and asset management. These applications use public key certificates to verify the identity of endpoints.TSL/ SSL SecurityThe client may use the CAs public key to validate the CAs digital signature on the server certificate. If the digital signature can be verified, the client accepts the server certificate as a valid certificate issued by a trusted CA.The client verifies that the issuing Certificate Authority (CA) is on its list of trusted Cas.The client checks the servers certificate validity period. The authentication process stop if the current date and time fall outside of the validity period.IPSecIPSec acts at the net tame layer, cherishing and authenticating IP sh ars between alive(p) IPSec devices (peers), such as pix Firewalls, Cisco routers, Cisco VPN 3000 Concentrators, Cisco VPN Clients, and other IPSec-compliant products. IPSec is not bound to any finicky encryption or authentication algorithms, keying technology, or security algorithms. IPSec is a good example of open standards. Because it isnt bound to specific algorithms, IPSec allows newer and better algorithms to be implement without patching the existing IPSec standards. IPSec provides data confidentiality, data integrity, and data origin authentication between participating peers at the IP layer. IPSec is used to secure a path between a pair of gateways, a pair of emcees, or a gateway and a force. Some of the standard algorithms ar as follows entropy Encryption Standard (DES) algorithmUsed to encrypt and decrypt megabucks data.3DES algorithmeffectively manifold encryption strength over 56-bit DES.Advanced Encryption Standard (AES)a newer cipher algorithm knowing to replace DES. Has a varia ble key length between 128 and 256 bits. Cisco is the first industry vendor to implement AES on all its VPN-capable platforms.Message Digest 5 (MD5) algorithmUsed to authenticate packet data.Secure Hash Algorithm 1 (SHA-1)Used to authenticate packet data.Diffie-Hellman (DH)a public-key cryptography protocol that allows two parties to establish a sh ard secret key used by encryption and hash algorithms (for example, DES and MD5) over an insecure communications channel.IPSec security services provide four critical functionsConfidentiality (encryption)the vector can encrypt the packets before transmitting them across a entanglement. By doing so, no one can eavesdrop on the communication. If intercepted, the communications cannot be read. information integritythe receiver can verify that the data was transmitted through the Internet without being changed or altered in any way.Origin authenticationthe receiver can authenticate the packets source, guaranteeing and certifying the source of the information.Anti-replay protectionAnti-replay protection verifies that each packet is unique, not paralleld. IPSec packets are protected by comparing the sequence number of the reliable packets and a sliding window on the terminal figure host, or security gateway. Late and duplicate packets are dropped.v How IPSec worksThe goal of IPSec is to protect the desired data with the needed security services. IPSecs operation can be broken into five primary stepsDefine interesting traffic business is deemed interesting when the VPN device recognizes that the traffic you want to send needs to be protected.IKE Phase 1This staple fiber set of security services protects all later(prenominal) communications between the peers. IKE Phase 1 sets up a secure communications channel between peers.IKE Phase 2IKE negotiates IPSec security association (SA) parameters and sets up matching IPSec SAs in the peers. These security parameters are used to protect data and messages exchanged between endpoints.Data transferData is transferred between IPSec peers based on the IPSec parameters and keys stored in the SA database.IPSec tunnel terminationIPSec SAs terminate through de allowion or by timing out. undertaking 1(b)IPSecs favor over TLSIt has to a greater extent plasticity on choosing the Authentication mechanisms ( identical the Pre Shared Key), and therefore makes it hard for the attacker to do man in the middle.TLS is based only on Public key and with joyrides, its possible to do man in the Middle breaking TLS. Going one step down the OSI stack, IP Security (IPSec) guarantees the data privacy and integrity of IP packets, disregarding of how the application used the sockets. This means any application, as long as it uses IP to send data, will benefit from the underlying secure IP entanglement. cryptograph has to be rewritten or modified it even is possible that substance abusers wont be aware their data is being processed through encrypting devices. This solution i s the to the highest degree ethereal one for end users and the one most likely to be adopted in the future in the widest range of situations. The main drawback of IPSsec lies in its intrinsic infrastructural complexity, which demands some(prenominal) components to work properly. IPSec deployment must be planned and carried out by entanglement administrators, and it is slight likely to be adopted directly by end users.TLSs advantage over IPSecThe advantage of TLS over generic application- train security mechanisms is the application no longer has the burden of encrypting user data. Using a special socket and API, the communication is secured. The task with TLS is an application wishing to exploit its functionality must be written explicitly in order to do so (see Resources). Existing applications, which constitute the majority of data producers on the Internet, cannot take advantage of the encryption facilities provided by TLS without being rewritten. Think of the common applic ations we use general mail clients, web browsers on sites without HTTPS, IRC channels, peer-to-peer file sacramental manduction systems and so on. Also, most engagement services (such as mail relays, DNS servers, routing protocols) currently run over seemingly sockets, exchanging vital information as clear schoolbook and only seldomly adopting application-level counter-measures (mostly integrity checks, such as MD5 sums).IGMPIGMP is a protocol used by IP hosts, and contiguous multicast network devices to identify their social statuss. If they are part of the same multicast pigeonholinging they communicate with each other. ICMP communicates 1 to 1.IGMP communicates 1 to many.Establish Multicast groupWe describe a distributed architecture for managing multicast book of factses in the global Internet. A multicast head stead partitioning turning away is proposed, based on the Unicast host insure and a per-host regale management entity. By noting that port numbers are an integral part of end-to-end multicast prognosticateing we present a single, unified solution to the two problems of dynamic multicast verbalise management and port resolution. We then present a framework for the rating of multicast compensate management schemes, and use it to compare our design with three approaches, as well as a random allocation strategy. The criteria used for the evaluation are blocking probability and consistency, address acquisition delay, the load on address management entities, robustness against failures, and impact and communications overhead. With the distributed scheme the probability of blocking for address acquisition is reduced by several(prenominal) orders of magnitude, to insignificant levels, while consistency is maintained. At the same time, the address acquisition delay is reduced to a tokenish by serving the request at heart the host itself. It is also shown that the scheme generates much less accommodate traffic, is more robust against f ailures, and puts much less load on address management entities as compared with the other three schemes. The random allocation strategy is shown to be attractive primarily due to its simplicity, although it does have several drawbacks stemming from its lack of consistency (addresses may be allocated more than once)The Routing and Remote opening administrative tool is used to enable routing on a Windows 2000 server that is multihomed (has more than one network card). Windows 2000 professional cannot be a router. The Routing and Remote Access administrative tool or the route command line utility can be used to con a static router and add a routing table. A routing table is call for for static routing. high-octane routing does not require a routing table since the table is built by software. Dynamic routing does require additional protocols to be installed on the computer. When using the Routing and Remote Access tool, the following information is enteredport Specify the network c ard that the route applies to which is where the packets will come from.Destination Specify the network address that the packets are going to such as 192.168.1.0. mesh topology Mask The subnet mask of the destination network.Gateway The IP address of the network card on the network that is cond to forward the packets such as 192.168.1.1.Metric The number of routers that packets must pass through to reach the intended network. If there are more than 1, the Gateway address will not match the network address of the destination network.Dynamic RoutingWindows 2000 Server supports Network Address Translation (NAT) and DHCP relay agent. Three Windows 2000 support Dynamic routing protocols areRouting Information Protocol (RIP) version 2 for IPOpen Shortest Path First (OSPF)Internet Group Management Protocol (IGMP) version 2 with router or proxy support.The Routing and Remote Access tool is used to install, con, and monitor these protocols and routing functions. After any of these dynami c routing protocols are installed, they must be cond to use one or more routing interfaces.Protocol Independent Multicast (PIM)This instrument describes an architecture for efficiently routing to multicast groups that may span wide-area (and inter-domain) internets. We refer to the approach as Protocol Independent Multicast (PIM) because it is not dependent on any particular unicast routing protocol.The most significant designing in this architecture is the efficient support of sparse, wide area groups. This sparse mode (SM) of operation complements the conventionalistic dense-mode approach to multicast routing for campus networks, as essential by Deering 23 and implemented previously in MOSPF and DVMRP 45. Thesetraditional dense mode multicast schemes were intended for use within regions where a group is widely represented or bandwidth is universally plentiful. However, when group members, and senders to those group members, are distributed sparsely across a wide area, these schemes are not efficient data packets (in the oddball of DVMRP) or membership report information (in the case of MOSPF) are occasionally sent over many links that do not lead to receivers or senders, respectively. The purpose of this work is to develop a multicast routing architecture that efficiently establishes dissemination trees even when some or all members are sparsely distributed. efficiency is evaluated in terms of the state, control message, and data packet overhead required across the entire network in order to mouth data packets to the members of the group.The Protocol Independent Multicast (PIM) architecturemaintains the traditional IP multicast service model of receiver-initiated membershipcan be cond to adapt to different multicast group and network characteristicsis not dependent on a specific unicast routing protocoluses soft-state mechanisms to adapt to underlying network conditions and group dynamics.The robustness, flexibleness, and scaling properties of thi s architecture make it well suit to large heterogeneous inter-networks.This document describes an architecture for efficiently routing to multicast groups that may span wide-area (and inter-domain) internets. We refer to the approach as Protocol Independent Multicast (PIM) because it is not dependent on any particular unicast routing protocol. The most significant innovation in this architecture is the efficient support of sparse, wide area groups. This sparse mode (SM) of operation complements the traditional dense-mode approach to multicast routing for campus networks, as developed by Deering 23 and implemented previously in MOSPF and DVMRP 45. These traditional dense mode multicast schemes were intended for use within regions where a group is widely represented or bandwidth is universally plentiful. However, when group members, and senders to those group members, are distributed sparsely across a wide area, these schemes are not efficient data packets (in the case of DVMRP) or membership report information (in the case of MOSPF) are occasionally sent over many links that do not lead to receivers or senders, respectively. The purpose of this work is to develop a multicast routing architecture that efficiently establishes distribution trees even when some or all members are sparsely distributed. Efficiency is evaluated in terms of the state, control message, and data packet overhead required across the entire network in order to deliver data packets to the members of the group.A user of an internet- connected pc, Adam send an telecommunicate message to another internet connected pc user beryl.1. Outlinethe function of four internet host that would normally be compound be involved in this task.. 1. Adams Computer 2. Server of Adams Internet Service provider 3. Server of Beryls Internet Service Provider4. Beryls Computer .This program allows you to build and deal with a large mailing list, and to draw modified messages from pre delineate templates while move. It lets you define multiple independent SMTP server connections and will utilize the latest in multithreading technology, to send emails to you as fast as it is possible. You can use all the standard message formats like plain text, hypertext mark-up language or even create a affluent content message in the Microsoft Outlook Express and export it into the program. The interface of the program is very simple and easy to learn nearly all functions can be performed using hotkeys on the keyboard.E-mail is a growing source of an openings records and needs to be hardened as any written memo, letter or report has been treated. The information in e-mail has the potential to add to the enterprises knowledge assets, from interactions with the users or customers in the enterprise to interactions with colleagues overseas.2. List the internet protocol which would be used in this task.Internet Protocol (IP) is packet-based protocol that allows dissimilar hosts to connect to each other for the purpose of delivering data across the resulting networks. Applications combine IP with a higher- level protocol calledTransport Control Protocol (TCP), which establishes a virtual connection between a destination and a source. IP by itself is something like the postal system. It allows you to address a package and drop it in the system, but theres no direct link between you and the recipient.. 1. HTTP 2. IMAP(Version 4) 3.SMTP 4. obliterate (Version 3) .HTTP(Hyper-Text Transfer Protocol) is the underlying protocol used by the World Wide Web. HTTP defines how messages are formatted and transmitted, and what actions Web servers and browsers should take in response to various commands. HTTP/1.0, as defined by RFC 1945 6, improved the protocol by allowing messages to be in the format of pantomimer-like messages, containing meta information about the data transferred and modifiers on the request/response semantics.IMAP4(Internet Message Access Protocol) A mail protocol that pro vides management of authoritative messages on a remote server. The user can review headers, create or delete folders/mailboxes and messages, and await contents remotely without downloading. It includes more functions than the similar POP protocol.POP3(Post Office Protocol 3) is the most recent version of a standard protocol for receiving e-mail. POP3 is a client/server protocol in which e-mail is received and held for you by your Internet server. Periodically, you (or your client e-mail receiver) check your mail-box on the server and download any mail, probably using POP3. This standard protocol is built into mostpopular e-mail products, such as Eudora and Outlook Express. Its also built into the Netscape and Microsoft Internet Explorer browsers. POP3 is intentional to delete mail on the server as soon as the user has downloaded it. However, some implementations allow users or an administrator to specify that mail be saved for some period of time. POP can be thought of as a stor e-and-forward service.SMTP(Simple send Transfer Protocol) is a TCP/IP protocol used in sending and receiving e-mail. However, since it is limited in its ability to queue messages at the receiving end, it is usually used with one of two other protocols, POP3 or IMAP, that let the user save messages in a server mailbox and download them periodically from the server. In other words, users typically use a program that uses SMTP for sending e-mail and either POP3 or IMAP for receiving e-mail. On Unix-based systems, send mail is the most widely-used SMTP server for e-mail. A commercial package, Send mail, includes a POP3 server. Microsoft Exchange includes an SMTP server and can also be set up to include POP3 support. SMTP usually is implemented to operate over Internet port 25. An alternative to SMTP that is widely used in Europe is X.400. Many mail servers now support Extended Simple Mail Transfer Protocol (ESMTP), which allows multimedia files to be delivered as e-mail.3. Taking the c ase that the message include the text please get a line attached abstract and 1. as well as in MS-Word format and an attachment in jpeg, list format of the send mail messages... 1. MIME ..MIME(Multi-Purpose Internet Mail Extensions) is an extension of the original Internet e-mail protocol that lets people use the protocol to exchangedifferent kinds of data files on the Internet audio, video, images, application programs, and other kinds, as well as the ASCII text handled in the original protocol, the Simple Mail Transport Protocol (SMTP). In 1991, Nathan Borenstein of Bellcore proposed to the IETF that SMTP be extended so that Internet (but mainly Web) clients and servers could recognize and handle other kinds of data than ASCII text. As a result, new file types were added to mail as a supported Internet Protocol file type.Servers insert the MIME header at the beginning of any Web transmission. Clients use this header to select an appropriate musician application for the type of data the header indicates. Some of these players are built into the Web client or browser (for example, all browsers come with GIF and JPEG image players as well as the ability to handle HTML files).4. How would received message differ the sent messages?The email address that receives messages sent from users who click reply in their email clients. Can differ from the fromaddress which can be an automated or unmonitored email address used only to send messages to a distribution list. Reply-to should always be a monitored address.IPv4 Internet Protocol (Version 4)The Internet Protocol (IP) is a network-layer (Layer 3) protocol in the OSI model that contains addressing information and some control information to enable packets being routed in network. IP is the primary network-layer protocol in the TCP/IP protocol suite. Along with the Transmission Control Protocol (TCP), IP represents the heart of the Internet protocols. IP is equally well suited for both LAN and WAN communications.I P (Internet Protocol) has two primary responsibilities providing connectionless, outdo-effort delivery of datagrams through a network and providing fragmentation and reassembly of datagrams to support data links with different maximum-transmission unit (MTU) sizes. The IP addressing scheme is integral to the process of routing IP datagrams through an internetwork. severally IP address has specific components and follows a basic format. These IP addresses can be subdivided and used to create addresses for sub networks. Each computer (known as host) on a TCP/IP network is delimitateed a unique logical address (32-bit in IPv4) that is divided into two main parts the network number and the host number. The network number identifies a network and must be assigned by the Internet Network Information Center (InterNIC) if the network is to be part of the Internet. An Internet Service Provider (ISP) can obtain blocks of network addresses from the InterNIC and can itself assign address sp ace as necessary. The host number identifies a host on a network and is assigned by the local network administrator.IPv6 (IPng) Internet Protocol version 6IPv6 is the new version of Internet Protocol (IP) based on IPv4, a network-layer (Layer 3) protocol that contains addressing information and some control information enabling packets to be routed in the network. There are two basic IP versions IPv4 and IPv6. IPv6 is also called next generation IP or IPng. IPv4 and IPv6 are de-multiplexed at the media layer. For example, IPv6 packets are carried over Ethernet with the content type 86DD (hexadecimal) alternatively of IPv4s 0800. The IPv4 is described in rive documents.IPv6 increases the IP address size from 32 bits to 128 bits, to support more levels of addressing hierarchy, a much greater number of addressable nodes, and simpler auto-configuration of addresses. IPv6 addresses are expressed in hexadecimal format (base 16) which allows not only numerals (0-9) but a few characters as well (a-f). A sample ipv6 address looks like 3ffe ffff 100f101210a4fffee39566. Scalability of multicast addresses is introduced. A new type of address called an any cast address is also defined, to send a packet to any one of a group of nodes. Two major improvements in IPv6 vs. v4* Improved support for extensions and options IPv6 options are placed in separate headers that are located between the IPv6 header and the transport layer header. Changes in the way IP header options are encoded to allow more efficient forwarding, less stringent limits on the length of options, and greater flexibility for introducing new options in the future. Flow labeling capability A new capability has been added to enable the labeling of packets belonging to particular traffic flows for which the sender requests special handling, such as non-default Quality of Service or real-time service.Comparison between IPv6 with IPv4Data structure of IPv6 has modified as followsHeader length field found in IPv4 is removed in IPv6.Type of Service field found in IPv4 has been replaced with Priority field in IPv6.Time to live field found in IPv4 has been replaced with Hop Limit in IPv6.Total Length field has been replaced with Payload Length fieldProtocol field has been replaced with Next Header field antecedent Address and Destination Address has been increased from 32-bits to 128-bits.Major Similarities IPv6 with IPv4Both protocols provide loopback addresses. IPv6 multicast achieves the same purpose that IPv4 open does. Both allow the user to determine datagram size, and the maximum number of hops before termination. Both provide connectionless delivery service (datagrams routed independently). Both are best effort datagram delivery services.Major Differences between IPv6 with IPv4IPv6 host to IPv6 host routing via IPv4 network Here, IPv6 over IPv4 tunneling is required to send a datagram. IPv6 packets are encapsulated within IPv4 packets, allowing travel over IPv4 routing infrastructures to reach an IPv6 host on the other side of the .IPv6 over IPv4 tunnel. The two different types of tunneling are automatic and cond. For a cond tunnel, the IPv6 to IPv4 mappings, at tunnel endpoints, have to be manually specified. Automatic tunneling eases tunneling, but nullifies the advantages of using the 128-bit address space.IPv6 host to IPv4 host and vice versa The device that converts IPv6 packets to IPv4 packets (a dual IP stack/ dual stack router) allows a host to access both IPv4 and IPv6 resources for communication. A dual IP stack routes as well as converts between IPv4 and IPv6 datagramsICMP IPv6 enhances ICMP with ICMPv6. The messages are grouped as informational and error. An ICMPv6 message can contain much more information. The rules for message handling are stricter. ICMPv6 uses the Neighbor Discovery Protocol. New messages have been added also.Absence of ARP RARPFeatures of Transport Layer Security (TLS)Features of Transport Layer Security (TLS)TRANSPORT LAYER SECU RITYTLS is a successor to Secure Sockets Layer protocol. TLS provides secure communications on the Internet for such things as e-mail, Internet faxing, and other data transfers. There are slight differences between SSL 3.0 and TLS 1.0, but the protocol remains significantly the same. It is good idea to keep in mind that TLS resides on the Application Layer of the OSI model. This will save you a lot of frustrations while debugging and troubleshooting encryption troubles connected to TLS.TLS FeaturesTLS is a generic application layer security protocol that runs over reliable transport. It provides a secure channel to application protocol clients. This channel has three primary security featuresAuthentication of the server.Confidentiality of the communication channel.Message integrity of the communication channel.Optionally TLS can also provide authentication of the client. In general, TLS authentication uses public key based digital signatures backed by certificates. Thus, the server authenticates either by decrypting a secret encrypted under his public key or by signing an ephemeral public key.The client authenticates by signing a random challenge. Server certificates typically contain the servers domain name. Client certificates can contain arbitrary identities.The Handshake ProtocolsThe TLS Handshake Protocol allows the server and client to authenticate each other and to negotiate an encryption algorithm and cryptographic keys before data is exchanged. In a typical scenario, only the server is authenticated and its identity is ensured while the client remains unauthenticated. The mutual authentication of the servers requires public key deployment to clients.Provide security parameters to the record layer.A Client sends a ClientHello message specifying the highest TLS protocol version it supports, a random number, a list of suggested cipher suites and compression methods.The Server responds with a ServerHello, containing the chosen protocol version, a random n umber, cipher, and compression method from the choices offered by the client.The Server sends its Certificate (depending on the selected cipher, this may be omitted by the Server).The server may request a certificate from the client, so that the connection can be mutually authenticated, using a Certificate Request.The Server sends a ServerHelloDone message, indicating it is done with handshake negotiation.The Client responds with a ClientKeyExchange which may contain a PreMasterSecret, public key, or nothing. (Again, this depends on the selected cipher).The Handshake protocol provides a number of security functions. Such as Authentication, Encryption, Hash Algorithms AuthenticationA certificate is a digital form of identification that is usually issued by a certification authority (CA) and contains identification information, a validity period, a public key, a serial number, and the digital signature of the issuer. For authentication purposes, the Handshake Protocol uses an X.509 ce rtificate to provide strong evidence to a second party that helps prove the identity of the party that holds the certificate and the corresponding private key. EncryptionThere are two main types of encryption symmetric key (also known as Private Key) and asymmetric key (also known as public key. TLS/SSL uses symmetric key for bulk encryption and public key for authentication and key exchange. Hash AlgorithmsA hash is a one-way mapping of values to a smaller set of representative values, so that the size of the resulting hash is smaller than the original message and the hash is unique to the original data. A hash is similar to a fingerprint a fingerprint is unique to the individual and is much smaller than the original person. Hashing is used to establish data integrity during transport. Two common hash algorithms are Message Digest5 (MD5) produce 128-bit hash value and Standard Hash Algorithm1 (SHA-1) produce 160-bit value.The Change Cipher SpecThe Change Cipher Spec Protocol signal s a transition of the cipher suite to be used on the connection between the client and server. This protocol is composed of a single message which is encrypted and compressed with the current cipher suite. This message consists of a single byte with the value1. Message after this will be encrypted and compressed using the new cipher suite.The AlertThe Alert Protocol includes event-driven alert messages that can be sent from either party. the session is either ended or the recipient is given the choice of whether or not to end the session. Schannel SSP will only generate these alert messages at the request of the application.The Record Layer/ProtocolThe TLS record protocol is a simple framing layer with record format as shown belowstruct ContentType typeProtocolVersion versionuint16 lengthopaque payloadlength TLSRecordAs with TLS, data is carried in records. In both protocols, records can only be processed when the entire record is available.The Record Layer might have four functions It fragments the data coming from the application into manageable blocks (and reassemble incoming data to pass up to the application). Schannel SSP does not support fragmentation at the Record Layer.It compresses the data and decompresses incoming data. Schannel SSP does not support compression at the Record Layer.It applies a Message Authentication Code (MAC), or hash/digest, to the data and uses the MAC to verify incoming data.It encrypts the hashed data and decrypts incoming data.Application ProtocolTLS runs on application protocol such as HTTP, FTP, SMTP, NNTP, and XMPP and above a reliable transport protocol, TCP for example. While it can add security to any protocol that uses reliable connections (such as TCP), it is most commonly used with HTTP to form HTTPS. HTTPS is used to secure World Wide Web pages for applications such as electronic commerce and asset management. These applications use public key certificates to verify the identity of endpoints.TSL/ SSL SecurityThe clie nt may use the CAs public key to validate the CAs digital signature on the server certificate. If the digital signature can be verified, the client accepts the server certificate as a valid certificate issued by a trusted CA.The client verifies that the issuing Certificate Authority (CA) is on its list of trusted Cas.The client checks the servers certificate validity period. The authentication process stops if the current date and time fall outside of the validity period.IPSecIPSec acts at the network layer, protecting and authenticating IP packets between participating IPSec devices (peers), such as PIX Firewalls, Cisco routers, Cisco VPN 3000 Concentrators, Cisco VPN Clients, and other IPSec-compliant products. IPSec is not bound to any specific encryption or authentication algorithms, keying technology, or security algorithms. IPSec is a framework of open standards. Because it isnt bound to specific algorithms, IPSec allows newer and better algorithms to be implemented without pa tching the existing IPSec standards. IPSec provides data confidentiality, data integrity, and data origin authentication between participating peers at the IP layer. IPSec is used to secure a path between a pair of gateways, a pair of hosts, or a gateway and a host. Some of the standard algorithms are as followsData Encryption Standard (DES) algorithmUsed to encrypt and decrypt packet data.3DES algorithmeffectively doubles encryption strength over 56-bit DES.Advanced Encryption Standard (AES)a newer cipher algorithm designed to replace DES. Has a variable key length between 128 and 256 bits. Cisco is the first industry vendor to implement AES on all its VPN-capable platforms.Message Digest 5 (MD5) algorithmUsed to authenticate packet data.Secure Hash Algorithm 1 (SHA-1)Used to authenticate packet data.Diffie-Hellman (DH)a public-key cryptography protocol that allows two parties to establish a shared secret key used by encryption and hash algorithms (for example, DES and MD5) over an insecure communications channel.IPSec security services provide four critical functionsConfidentiality (encryption)the sender can encrypt the packets before transmitting them across a network. By doing so, no one can eavesdrop on the communication. If intercepted, the communications cannot be read.Data integritythe receiver can verify that the data was transmitted through the Internet without being changed or altered in any way.Origin authenticationthe receiver can authenticate the packets source, guaranteeing and certifying the source of the information.Anti-replay protectionAnti-replay protection verifies that each packet is unique, not duplicated. IPSec packets are protected by comparing the sequence number of the received packets and a sliding window on the destination host, or security gateway. Late and duplicate packets are dropped.v How IPSec worksThe goal of IPSec is to protect the desired data with the needed security services. IPSecs operation can be broken into five prim ary stepsDefine interesting trafficTraffic is deemed interesting when the VPN device recognizes that the traffic you want to send needs to be protected.IKE Phase 1This basic set of security services protects all subsequent communications between the peers. IKE Phase 1 sets up a secure communications channel between peers.IKE Phase 2IKE negotiates IPSec security association (SA) parameters and sets up matching IPSec SAs in the peers. These security parameters are used to protect data and messages exchanged between endpoints.Data transferData is transferred between IPSec peers based on the IPSec parameters and keys stored in the SA database.IPSec tunnel terminationIPSec SAs terminate through deletion or by timing out.TASK 1(b)IPSecs advantage over TLSIt has more plasticity on choosing the Authentication mechanisms (like the Pre Shared Key), and therefore makes it hard for the attacker to do man in the middle.TLS is based only on Public key and with tools, its possible to do man in the Middle breaking TLS. Going one step down the OSI stack, IP Security (IPSec) guarantees the data privacy and integrity of IP packets, regardless of how the application used the sockets. This means any application, as long as it uses IP to send data, will benefit from the underlying secure IP network. Nothing has to be rewritten or modified it even is possible that users wont be aware their data is being processed through encrypting devices. This solution is the most transparent one for end users and the one most likely to be adopted in the future in the widest range of situations. The main drawback of IPSsec lies in its intrinsic infrastructural complexity, which demands several components to work properly. IPSec deployment must be planned and carried out by network administrators, and it is less likely to be adopted directly by end users.TLSs advantage over IPSecThe advantage of TLS over generic application-level security mechanisms is the application no longer has the burden of en crypting user data. Using a special socket and API, the communication is secured. The problem with TLS is an application wishing to exploit its functionality must be written explicitly in order to do so (see Resources). Existing applications, which constitute the majority of data producers on the Internet, cannot take advantage of the encryption facilities provided by TLS without being rewritten. Think of the common applications we use everyday mail clients, web browsers on sites without HTTPS, IRC channels, peer-to-peer file sharing systems and so on. Also, most network services (such as mail relays, DNS servers, routing protocols) currently run over plain sockets, exchanging vital information as clear text and only seldomly adopting application-level counter-measures (mostly integrity checks, such as MD5 sums).IGMPIGMP is a protocol used by IP hosts, and adjacent multicast network devices to identify their memberships. If they are part of the same multicast group they communicate with each other. ICMP communicates 1 to 1.IGMP communicates 1 to many.Establish Multicast groupWe describe a distributed architecture for managing multicast addresses in the global Internet. A multicast address space partitioning scheme is proposed, based on the Unicast host address and a per-host address management entity. By noting that port numbers are an integral part of end-to-end multicast addressing we present a single, unified solution to the two problems of dynamic multicast address management and port resolution. We then present a framework for the evaluation of multicast address management schemes, and use it to compare our design with three approaches, as well as a random allocation strategy. The criteria used for the evaluation are blocking probability and consistency, address acquisition delay, the load on address management entities, robustness against failures, and processing and communications overhead. With the distributed scheme the probability of blocking for add ress acquisition is reduced by several orders of magnitude, to insignificant levels, while consistency is maintained. At the same time, the address acquisition delay is reduced to a minimum by serving the request within the host itself. It is also shown that the scheme generates much less control traffic, is more robust against failures, and puts much less load on address management entities as compared with the other three schemes. The random allocation strategy is shown to be attractive primarily due to its simplicity, although it does have several drawbacks stemming from its lack of consistency (addresses may be allocated more than once)The Routing and Remote Access administrative tool is used to enable routing on a Windows 2000 server that is multihomed (has more than one network card). Windows 2000 professional cannot be a router. The Routing and Remote Access administrative tool or the route command line utility can be used to con a static router and add a routing table. A rou ting table is required for static routing. Dynamic routing does not require a routing table since the table is built by software. Dynamic routing does require additional protocols to be installed on the computer. When using the Routing and Remote Access tool, the following information is enteredInterface Specify the network card that the route applies to which is where the packets will come from.Destination Specify the network address that the packets are going to such as 192.168.1.0.Network Mask The subnet mask of the destination network.Gateway The IP address of the network card on the network that is cond to forward the packets such as 192.168.1.1.Metric The number of routers that packets must pass through to reach the intended network. If there are more than 1, the Gateway address will not match the network address of the destination network.Dynamic RoutingWindows 2000 Server supports Network Address Translation (NAT) and DHCP relay agent. Three Windows 2000 supported Dynam ic routing protocols areRouting Information Protocol (RIP) version 2 for IPOpen Shortest Path First (OSPF)Internet Group Management Protocol (IGMP) version 2 with router or proxy support.The Routing and Remote Access tool is used to install, con, and monitor these protocols and routing functions. After any of these dynamic routing protocols are installed, they must be cond to use one or more routing interfaces.Protocol Independent Multicast (PIM)This document describes an architecture for efficiently routing to multicast groups that may span wide-area (and inter-domain) internets. We refer to the approach as Protocol Independent Multicast (PIM) because it is not dependent on any particular unicast routing protocol.The most significant innovation in this architecture is the efficient support of sparse, wide area groups. This sparse mode (SM) of operation complements the traditional dense-mode approach to multicast routing for campus networks, as developed by Deering 23 and implement ed previously in MOSPF and DVMRP 45. Thesetraditional dense mode multicast schemes were intended for use within regions where a group is widely represented or bandwidth is universally plentiful. However, when group members, and senders to those group members, are distributed sparsely across a wide area, these schemes are not efficient data packets (in the case of DVMRP) or membership report information (in the case of MOSPF) are occasionally sent over many links that do not lead to receivers or senders, respectively. The purpose of this work is to develop a multicast routing architecture that efficiently establishes distribution trees even when some or all members are sparsely distributed. Efficiency is evaluated in terms of the state, control message, and data packet overhead required across the entire network in order to deliver data packets to the members of the group.The Protocol Independent Multicast (PIM) architecturemaintains the traditional IP multicast service model of rece iver-initiated membershipcan be cond to adapt to different multicast group and network characteristicsis not dependent on a specific unicast routing protocoluses soft-state mechanisms to adapt to underlying network conditions and group dynamics.The robustness, flexibility, and scaling properties of this architecture make it well suited to large heterogeneous inter-networks.This document describes an architecture for efficiently routing to multicast groups that may span wide-area (and inter-domain) internets. We refer to the approach as Protocol Independent Multicast (PIM) because it is not dependent on any particular unicast routing protocol. The most significant innovation in this architecture is the efficient support of sparse, wide area groups. This sparse mode (SM) of operation complements the traditional dense-mode approach to multicast routing for campus networks, as developed by Deering 23 and implemented previously in MOSPF and DVMRP 45. These traditional dense mode multica st schemes were intended for use within regions where a group is widely represented or bandwidth is universally plentiful. However, when group members, and senders to those group members, are distributed sparsely across a wide area, these schemes are not efficient data packets (in the case of DVMRP) or membership report information (in the case of MOSPF) are occasionally sent over many links that do not lead to receivers or senders, respectively. The purpose of this work is to develop a multicast routing architecture that efficiently establishes distribution trees even when some or all members are sparsely distributed. Efficiency is evaluated in terms of the state, control message, and data packet overhead required across the entire network in order to deliver data packets to the members of the group.A user of an internet- connected pc, Adam send an email message to another internet connected pc user beryl.1. Outlinethe function of four internet host that would normally be involved be involved in this task.. 1. Adams Computer 2. Server of Adams Internet Service Provider 3. Server of Beryls Internet Service Provider4. Beryls Computer .This program allows you to build and deal with a large mailing list, and to create modified messages from predefined templates while sending. It lets you define multiple independent SMTP server connections and will utilize the latest in multithreading technology, to send emails to you as fast as it is possible. You can use all the standard message formats like plain text, HTML or even create a rich content message in the Microsoft Outlook Express and export it into the program. The interface of the program is very simple and easy to learn nearly all functions can be performed using hotkeys on the keyboard.E-mail is a growing source of an enterprises records and needs to be treated as any written memo, letter or report has been treated. The information in e-mail has the potential to add to the enterprises knowledge assets, from i nteractions with the users or customers in the enterprise to interactions with colleagues overseas.2. List the internet protocol which would be used in this task.Internet Protocol (IP) is packet-based protocol that allows dissimilar hosts to connect to each other for the purpose of delivering data across the resulting networks. Applications combine IP with a higher- level protocol calledTransport Control Protocol (TCP), which establishes a virtual connection between a destination and a source. IP by itself is something like the postal system. It allows you to address a package and drop it in the system, but theres no direct link between you and the recipient.. 1. HTTP 2. IMAP(Version 4) 3.SMTP 4.POP (Version 3) .HTTP(Hyper-Text Transfer Protocol) is the underlying protocol used by the World Wide Web. HTTP defines how messages are formatted and transmitted, and what actions Web servers and browsers should take in response to various commands. HTTP/1.0, as defined by RFC 1945 6, impro ved the protocol by allowing messages to be in the format of MIME-like messages, containing meta information about the data transferred and modifiers on the request/response semantics.IMAP4(Internet Message Access Protocol) A mail protocol that provides management of received messages on a remote server. The user can review headers, create or delete folders/mailboxes and messages, and search contents remotely without downloading. It includes more functions than the similar POP protocol.POP3(Post Office Protocol 3) is the most recent version of a standard protocol for receiving e-mail. POP3 is a client/server protocol in which e-mail is received and held for you by your Internet server. Periodically, you (or your client e-mail receiver) check your mail-box on the server and download any mail, probably using POP3. This standard protocol is built into mostpopular e-mail products, such as Eudora and Outlook Express. Its also built into the Netscape and Microsoft Internet Explorer browse rs. POP3 is designed to delete mail on the server as soon as the user has downloaded it. However, some implementations allow users or an administrator to specify that mail be saved for some period of time. POP can be thought of as a store-and-forward service.SMTP(Simple Mail Transfer Protocol) is a TCP/IP protocol used in sending and receiving e-mail. However, since it is limited in its ability to queue messages at the receiving end, it is usually used with one of two other protocols, POP3 or IMAP, that let the user save messages in a server mailbox and download them periodically from the server. In other words, users typically use a program that uses SMTP for sending e-mail and either POP3 or IMAP for receiving e-mail. On Unix-based systems, send mail is the most widely-used SMTP server for e-mail. A commercial package, Send mail, includes a POP3 server. Microsoft Exchange includes an SMTP server and can also be set up to include POP3 support. SMTP usually is implemented to operate over Internet port 25. An alternative to SMTP that is widely used in Europe is X.400. Many mail servers now support Extended Simple Mail Transfer Protocol (ESMTP), which allows multimedia files to be delivered as e-mail.3. Taking the case that the message include the text please find attached abstract and 1. as well as in MS-Word format and an attachment in jpeg, list format of the send mail messages... 1. MIME ..MIME(Multi-Purpose Internet Mail Extensions) is an extension of the original Internet e-mail protocol that lets people use the protocol to exchangedifferent kinds of data files on the Internet audio, video, images, application programs, and other kinds, as well as the ASCII text handled in the original protocol, the Simple Mail Transport Protocol (SMTP). In 1991, Nathan Borenstein of Bellcore proposed to the IETF that SMTP be extended so that Internet (but mainly Web) clients and servers could recognize and handle other kinds of data than ASCII text. As a result, new file types were added to mail as a supported Internet Protocol file type.Servers insert the MIME header at the beginning of any Web transmission. Clients use this header to select an appropriate player application for the type of data the header indicates. Some of these players are built into the Web client or browser (for example, all browsers come with GIF and JPEG image players as well as the ability to handle HTML files).4. How would received message differ the sent messages?The email address that receives messages sent from users who click reply in their email clients. Can differ from the fromaddress which can be an automated or unmonitored email address used only to send messages to a distribution list. Reply-to should always be a monitored address.IPv4 Internet Protocol (Version 4)The Internet Protocol (IP) is a network-layer (Layer 3) protocol in the OSI model that contains addressing information and some control information to enable packets being routed in network. IP is the pr imary network-layer protocol in the TCP/IP protocol suite. Along with the Transmission Control Protocol (TCP), IP represents the heart of the Internet protocols. IP is equally well suited for both LAN and WAN communications.IP (Internet Protocol) has two primary responsibilities providing connectionless, best-effort delivery of datagrams through a network and providing fragmentation and reassembly of datagrams to support data links with different maximum-transmission unit (MTU) sizes. The IP addressing scheme is integral to the process of routing IP datagrams through an internetwork. Each IP address has specific components and follows a basic format. These IP addresses can be subdivided and used to create addresses for sub networks. Each computer (known as host) on a TCP/IP network is assigned a unique logical address (32-bit in IPv4) that is divided into two main parts the network number and the host number. The network number identifies a network and must be assigned by the Intern et Network Information Center (InterNIC) if the network is to be part of the Internet. An Internet Service Provider (ISP) can obtain blocks of network addresses from the InterNIC and can itself assign address space as necessary. The host number identifies a host on a network and is assigned by the local network administrator.IPv6 (IPng) Internet Protocol version 6IPv6 is the new version of Internet Protocol (IP) based on IPv4, a network-layer (Layer 3) protocol that contains addressing information and some control information enabling packets to be routed in the network. There are two basic IP versions IPv4 and IPv6. IPv6 is also called next generation IP or IPng. IPv4 and IPv6 are de-multiplexed at the media layer. For example, IPv6 packets are carried over Ethernet with the content type 86DD (hexadecimal) instead of IPv4s 0800. The IPv4 is described in separate documents.IPv6 increases the IP address size from 32 bits to 128 bits, to support more levels of addressing hierarchy, a much greater number of addressable nodes, and simpler auto-configuration of addresses. IPv6 addresses are expressed in hexadecimal format (base 16) which allows not only numerals (0-9) but a few characters as well (a-f). A sample ipv6 address looks like 3ffe ffff 100f101210a4fffee39566. Scalability of multicast addresses is introduced. A new type of address called an any cast address is also defined, to send a packet to any one of a group of nodes. Two major improvements in IPv6 vs. v4* Improved support for extensions and options IPv6 options are placed in separate headers that are located between the IPv6 header and the transport layer header. Changes in the way IP header options are encoded to allow more efficient forwarding, less stringent limits on the length of options, and greater flexibility for introducing new options in the future. Flow labeling capability A new capability has been added to enable the labeling of packets belonging to particular traffic flows for which the sender requests special handling, such as non-default Quality of Service or real-time service.Comparison between IPv6 with IPv4Data structure of IPv6 has modified as followsHeader length field found in IPv4 is removed in IPv6.Type of Service field found in IPv4 has been replaced with Priority field in IPv6.Time to live field found in IPv4 has been replaced with Hop Limit in IPv6.Total Length field has been replaced with Payload Length fieldProtocol field has been replaced with Next Header fieldSource Address and Destination Address has been increased from 32-bits to 128-bits.Major Similarities IPv6 with IPv4Both protocols provide loopback addresses. IPv6 multicast achieves the same purpose that IPv4 broadcast does. Both allow the user to determine datagram size, and the maximum number of hops before termination. Both provide connectionless delivery service (datagrams routed independently). Both are best effort datagram delivery services.Major Differences between IPv6 with IPv4IPv6 host to IPv6 host routing via IPv4 network Here, IPv6 over IPv4 tunneling is required to send a datagram. IPv6 packets are encapsulated within IPv4 packets, allowing travel over IPv4 routing infrastructures to reach an IPv6 host on the other side of the .IPv6 over IPv4 tunnel. The two different types of tunneling are automatic and cond. For a cond tunnel, the IPv6 to IPv4 mappings, at tunnel endpoints, have to be manually specified. Automatic tunneling eases tunneling, but nullifies the advantages of using the 128-bit address space.IPv6 host to IPv4 host and vice versa The device that converts IPv6 packets to IPv4 packets (a dual IP stack/ dual stack router) allows a host to access both IPv4 and IPv6 resources for communication. A dual IP stack routes as well as converts between IPv4 and IPv6 datagramsICMP IPv6 enhances ICMP with ICMPv6. The messages are grouped as informational and error. An ICMPv6 message can contain much more information. The rules for message handling are strict er. ICMPv6 uses the Neighbor Discovery Protocol. New messages have been added also.Absence of ARP RARP