When many protocols were created, they were designed with little or no security controls. An unsecured protocol is one that does not provide authentication or encryption, or that passes authentication credentials or data in plaintext. Security services (authentication and encryption) are often added to new or existing protocols using one of the following secure protocols:
Secure Sockets Layer (SSL)
Secure Sockets Layer (SSL) secures messages being transmitted on the Internet. SSL:
- Requires the server to have a certificate issued by a CA and uses asymmetric encryption.
- Uses RSA or the Key Exchange Protocol (KEA) to exchange encryption keys securely.
- Requires two types of keys for a server and workstation to communicate:
  - A public key is used to secure the communication.
  - A session key is used between the client and the server for the duration of the SSL session.
- Uses the SSL Handshake Protocol to establish the secure channel.
- Operates at the Session layer (layer 5) of the OSI model.
- Uses port 443 for encrypted traffic. Most firewalls allow port 443 traffic even when other traffic is blocked. For this reason, technologies that can use SSL are more likely to be allowed through firewalls than technologies that require other ports to be opened.
- Provides an end-to-end encrypted tunnel that is impossible to monitor, scan, or sniff.
- The advantage is that it increases security.
- The disadvantages are that:
  - Security software cannot detect embedded attacks in transit.
  - Internal users can use SSL to bypass proxy servers or Internet content filtering systems that have been set up by organizations to control Internet usage and content.
  - SSL inspection can be used by organizations to decrypt the SSL session, scan the content, and repackage the SSL session without end users knowing. This is similar to a man-in-the-middle attack, but for positive use.
- Has different versions, with the later versions being more secure. Secure Sockets Layer (SSL) 3.0 was the last SSL version.
- Employs session keys in 40-bit, 56-bit, 128-bit, and 256-bit lengths.
Transport Layer Security (TLS)
Transport Layer Security (TLS) is the successor to SSL 3.0.
- TLS and SSL are similar but not interoperable, although most applications can use both SSL and TLS.
- Applications that can use both SSL and TLS negotiate which protocol to use during the handshake process.
- Many secure connections that are described as using SSL might actually be using TLS instead.
- TLS uses Diffie-Hellman or RSA to exchange session keys.
- TLS is implemented through two protocols:
  - TLS Record provides connection security with encryption (with DES, for example).
  - TLS Handshake provides mutual authentication and choice of encryption method.
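The SSL and TLS version negotiation described above happens in the first handshake message the client sends, the ClientHello, which travels inside a TLS Record. The following is an added example, not code from the original page: it builds a minimal ClientHello (constructed test input, not captured traffic), parses the record header, the handshake header and the fields that carry the version offer, and reports whether the client is offering SSL 3.0, TLS 1.0 or TLS 1.1, which a defender reviewing captured handshakes would want to flag. The `build_client_hello` helper, the `LEGACY_VERSIONS` set and the field layout follow RFC 5246/8446; everything else is an assumption of this example.

```python
import struct

# Version codes as they appear on the wire (RFC 5246 / RFC 8446 values).
TLS_VERSIONS = {
    0x0300: "SSL 3.0",
    0x0301: "TLS 1.0",
    0x0302: "TLS 1.1",
    0x0303: "TLS 1.2",
    0x0304: "TLS 1.3",
}
# Versions a defender would flag when a client offers them (assumption of this example).
LEGACY_VERSIONS = {0x0300, 0x0301, 0x0302}
SUPPORTED_VERSIONS_EXT = 0x002B  # extension type from RFC 8446


def build_client_hello(client_version, cipher_suites, supported_versions=None):
    """Build a minimal ClientHello record: constructed test input for the parser below."""
    body = struct.pack("!H", client_version)
    body += b"\x11" * 32                                   # client random (fixed for reproducibility)
    body += b"\x00"                                        # empty session id
    body += struct.pack("!H", 2 * len(cipher_suites))
    body += b"".join(struct.pack("!H", cs) for cs in cipher_suites)
    body += b"\x01\x00"                                    # one compression method: null
    if supported_versions:                                 # TLS 1.3 style version list
        vers = b"".join(struct.pack("!H", v) for v in supported_versions)
        ext_data = struct.pack("!B", len(vers)) + vers
        ext = struct.pack("!HH", SUPPORTED_VERSIONS_EXT, len(ext_data)) + ext_data
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big")     # handshake type 1 = ClientHello
    return b"\x16" + struct.pack("!HH", 0x0301, len(handshake) + len(body)) + handshake + body


def parse_client_hello(data):
    """Parse the record header, handshake header and the ClientHello version/cipher fields."""
    content_type, record_version, record_len = struct.unpack("!BHH", data[:5])
    if content_type != 0x16:
        raise ValueError("not a handshake record")
    hs = data[5:5 + record_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 0
    client_version = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2 + 32                                          # skip client_version and random
    pos += 1 + body[pos]                                   # skip session id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                                   # skip compression methods
    # Without a supported_versions extension the client_version field is the offer.
    offered = {client_version}
    if pos < len(body):
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos < end:
            ext_type, ext_data_len = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            ext_data = body[pos:pos + ext_data_len]
            pos += ext_data_len
            if ext_type == SUPPORTED_VERSIONS_EXT:
                n = ext_data[0]
                offered = {struct.unpack("!H", ext_data[i:i + 2])[0] for i in range(1, 1 + n, 2)}
    return {
        "record_version": record_version,
        "client_version": client_version,
        "cipher_suites": suites,
        "offered_versions": sorted(offered),
    }


def legacy_versions_offered(parsed):
    """Return the legacy SSL/TLS versions a parsed ClientHello offers, by name."""
    return [TLS_VERSIONS[v] for v in parsed["offered_versions"] if v in LEGACY_VERSIONS]


if __name__ == "__main__":
    # TLS 1.3-capable client: suites 0x1301/0x1302 (AES-GCM) and 0xC02F (ECDHE-RSA-AES128-GCM).
    modern = build_client_hello(0x0303, [0x1301, 0x1302, 0xC02F], [0x0304, 0x0303])
    # Old client: TLS 1.0 with RC4 suites 0x0004/0x0005 and no extensions.
    old = build_client_hello(0x0301, [0x0004, 0x0005])
    for hello in (modern, old):
        p = parse_client_hello(hello)
        print([TLS_VERSIONS[v] for v in p["offered_versions"]], "legacy:", legacy_versions_offered(p))
```

The record header's version field is fixed at 0x0301 for compatibility and says nothing about what the client will accept; the ClientHello body (and, for TLS 1.3, its supported_versions extension) is where the offer actually lives, which is why a monitoring rule should look there and not at the record header.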
Secure Shell (SSH)
SSH allows for secure interactive control of remote systems.
- SSH uses RSA public key cryptography for both connection and authentication.
- SSH uses the IDEA algorithm for encryption by default, but is able to use Blowfish and DES.
- SSH is a secure and acceptable alternative to Telnet.
- SSH is used by unsecured protocols to establish a secure channel. For example, SFTP and SCP are secure file copy protocols that use SSH.
A common unsecured protocol is the Hypertext Transfer Protocol (HTTP). HTTP is used for exchanging Web content, but passes data in clear text. HTTP uses TCP port 80 and is stateless, which means that by default it doesn't keep track of clients. To solve this problem, cookies can be used to keep track of the client's behavior. To secure HTTP, use one of the following protocols:
Hypertext Transfer Protocol Secure (HTTPS) is a secure form of HTTP that uses either SSL or TLS to encrypt sensitive data before it is transmitted. HTTPS:
- Is stateful, which means that it keeps track of the client. To do this, the client must communicate with the same HTTPS server for the duration of the session. Load balancing is not possible during the connection, and is only available to initially determine which server will handle the client's session.
- Requires TCP port 443 inbound on the Web server to be allowed.
- Can be identified by verifying that the URL starts with https://, or by looking for a lock symbol in the browser.
Secure Hypertext Transfer Protocol (S-HTTP) is an alternate protocol that is not widely used because it is not as secure as HTTPS. S-HTTP:
- Is connectionless, unlike SSL which is connection-oriented.
- Provides only message security, unlike HTTPS which provides a full secure channel for all messages.
- Does not use port 443.
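The HTTP paragraph above notes that HTTP is stateless and that cookies are used to keep track of a client, and that HTTP passes data in clear text while HTTPS encrypts it. The following is an added example, not code from the original page, showing how a server tracks a client across stateless requests with a session cookie, and how the cookie is marked so that the session identifier is only sent over HTTPS. The in-memory `SESSIONS` store, the `SESSIONID` cookie name and the `over_https` parameter are assumptions of this example; the cookie attributes come from Python's standard `http.cookies` module.

```python
import secrets
from http.cookies import SimpleCookie

# Server-side session store (assumption: in memory for this example).
# The client only ever holds the random identifier, not the state itself.
SESSIONS = {}
COOKIE_NAME = "SESSIONID"


def start_session(client_state, over_https):
    """Create a session and return (session id, Set-Cookie header value) for the response.

    HttpOnly keeps scripts in the page from reading the id; Secure tells the
    browser to send the cookie only over HTTPS, so the id is never exposed in
    clear-text HTTP traffic. A site served only over HTTP cannot set Secure
    without losing the cookie, which is the practical cost of the clear-text protocol.
    """
    sid = secrets.token_urlsafe(32)          # 256 bits of randomness from the OS CSPRNG
    SESSIONS[sid] = dict(client_state)
    cookie = SimpleCookie()
    cookie[COOKIE_NAME] = sid
    cookie[COOKIE_NAME]["httponly"] = True
    cookie[COOKIE_NAME]["samesite"] = "Lax"
    if over_https:
        cookie[COOKIE_NAME]["secure"] = True
    return sid, cookie.output(header="").strip()


def lookup_session(cookie_header):
    """Recover the client's stored state from the Cookie request header, or None."""
    cookie = SimpleCookie()
    cookie.load(cookie_header or "")
    morsel = cookie.get(COOKIE_NAME)
    if morsel is None:
        return None
    return SESSIONS.get(morsel.value)        # unknown or expired ids map to None


if __name__ == "__main__":
    sid, set_cookie = start_session({"user": "alice", "cart": []}, over_https=True)
    print("Set-Cookie:", set_cookie)
    # A later, otherwise stateless request carries the cookie back:
    print(lookup_session(f"{COOKIE_NAME}={sid}"))
    print(lookup_session(f"{COOKIE_NAME}=not-a-real-id"))
```

Each request is independent at the HTTP layer; only the identifier the browser returns in the Cookie header links it to state the server kept. Because that identifier is all an intercepting party needs to act as the client, the Secure attribute and HTTPS are what keep the "keep track of the client" mechanism from becoming the weak point.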