Network Security Application Layer - Network Security

What is Network Security Application Layer?

Various business services are now offered online through client-server applications. The most popular forms are web applications and e-mail. In both applications, the client communicates with the designated server and obtains services.

While using a service from any server application, the client and server exchange a lot of information over the underlying intranet or internet. We are aware of the fact that these data transactions are vulnerable to various attacks.

Network security entails securing data against attacks while it is in transit on a network. To achieve this goal, many real-time security protocols have been designed. Such a protocol needs to provide at least the following primary objectives −

  • The parties can negotiate interactively to authenticate each other.
  • Establish a secret session key before exchanging data on the network.
  • Exchange the data in encrypted form.

Interestingly, these protocols work at different layers of the networking model. For example, the S/MIME protocol works at the application layer, the SSL protocol is developed to work at the transport layer, and the IPsec protocol works at the network layer.

Network Security – Application Layer


In this chapter, we will discuss different methods for achieving security for e-mail communication and the associated security protocols. The method for securing DNS is covered subsequently. In the later chapters, the protocols to achieve web security will be described.

E-mail Security

Nowadays, e-mail has become a very widely used network application. Let's briefly discuss the e-mail infrastructure before proceeding to learn about e-mail security protocols.

E-mail Infrastructure

The simplest way of sending an e-mail would be sending a message directly from the sender's machine to the recipient's machine. In this case, it is essential for both machines to be running on the network simultaneously. However, this setup is impractical as users may only occasionally connect their machines to the network.

Hence, the concept of setting up e-mail servers arrived. In this setup, the mail is sent to a mail server which is permanently available on the network. When the recipient's machine connects to the network, it reads the mail from the mail server.

In general, the e-mail infrastructure consists of a mesh of mail servers, also termed Message Transfer Agents (MTAs), and client machines running an e-mail program comprising a User Agent (UA) and a local MTA.

Typically, an e-mail message gets forwarded from its UA, goes through the mesh of MTAs and finally reaches the UA at the recipient’s machine.


The protocols used for E-Mail are as follows −

  • Simple Mail Transfer Protocol (SMTP), used for forwarding E-Mail messages.
  • Post Office Protocol (POP) and Internet Message Access Protocol (IMAP), used by the recipient to retrieve the messages from the server.

MIME

The basic Internet E-Mail standard was written in 1982 and it describes the format of E-Mail messages exchanged on the Internet. It mainly supports E-Mail messages written as text in the basic Roman alphabet.

By 1992, the need was felt to improve the same. Hence, an additional standard, Multipurpose Internet Mail Extensions (MIME), was defined. It is a set of extensions to the basic Internet E-Mail standard. MIME provides the ability to send E-Mail using characters other than those of the basic Roman alphabet, such as the Cyrillic alphabet (used in Russian), the Greek alphabet, or even the ideographic characters of Chinese.

Another need fulfilled by MIME is to send non-text contents, such as images or video clips. Due to these features, the MIME standard became widely adopted with SMTP for E-Mail communication.

E-Mail Security Services

The growing use of E-Mail communication for important and crucial transactions requires the provision of certain fundamental security services, such as the following −

  • Confidentiality − The E-Mail message must not be read by anyone but the intended recipient.
  • Authentication − The E-Mail recipient can be sure of the identity of the sender.
  • Integrity − Assurance to the recipient that the E-Mail message has not been altered since it was transmitted by the sender.
  • Non-repudiation − The E-Mail recipient is able to prove to a third party that the sender really did send the message.
  • Proof of Submission − The E-Mail sender gets confirmation that the message has been handed to the mail delivery system.
  • Proof of Delivery − The sender gets confirmation that the recipient received the message.

Security services such as privacy, authentication, message integrity, and non-repudiation are usually provided by using public key cryptography.

Typically, there are three different scenarios of E-Mail communication. We will discuss the methods of achieving the above security services in these scenarios.

One-to-One E-Mail

In this scenario, the sender sends an E-Mail message to only one recipient. Usually, not more than two MTAs are involved in the communication.


Let's assume a sender wants to send a confidential E-Mail to a recipient. The provision of privacy in this case is achieved as follows −

  • The sender and receiver have their private-public key pairs as (SPVT, SPUB) and (RPVT, RPUB) respectively.
  • The sender generates a secret symmetric key, KS, for encryption. Though the sender could have used RPUB for encryption, a symmetric key is used to achieve faster encryption and decryption.
  • The sender encrypts the message with key KS and also encrypts KS with the public key of the recipient, RPUB.
  • The sender sends the encrypted message and encrypted KS to the recipient.
  • The recipient first obtains KS by decrypting the encrypted KS using his private key, RPVT.
  • The recipient then decrypts the message using the symmetric key, KS.


If message integrity, authentication, and non-repudiation services are also needed in this scenario, the following steps are added to the above process.

  • The sender produces a hash of the message and digitally signs this hash with his private key, SPVT.
  • The sender sends this signed hash to the recipient along with the other components.


  • The recipient uses the public key SPUB and extracts the hash received under the sender's signature.
  • The recipient then hashes the decrypted message and compares the two hash values. If they match, message integrity is considered to be achieved.
  • Also, the recipient is sure that the message was sent by the sender (authentication). And finally, the sender cannot deny having sent the message (non-repudiation).

One-to-Multiple Recipients E-Mail

In this scenario, the sender sends an E-Mail message to two or more recipients. The list is managed by the sender's E-Mail program (UA + local MTA). All recipients get the same message.


Let's assume the sender wants to send a confidential E-Mail to many recipients (say R1, R2, and R3). The provision of privacy in this case is achieved as follows −

  • The sender and all recipients have their own pair of private-public keys.
  • The sender generates a secret symmetric key, KS, and encrypts the message with this key.
  • The sender then encrypts KS multiple times with the public keys of R1, R2, and R3, getting R1PUB(KS), R2PUB(KS), and R3PUB(KS).
  • The sender sends the encrypted message and the corresponding encrypted KS to each recipient. For instance, recipient 1 (R1) receives the encrypted message and R1PUB(KS).
  • Each recipient first extracts key KS by decrypting the encrypted KS using his private key.
  • Each recipient then decrypts the message using the symmetric key, KS.

For providing message integrity, authentication, and non-repudiation, the steps to be followed are similar to the steps mentioned above in the one-to-one E-Mail scenario.

One-to-Distribution list E-Mail

In this scenario, the sender sends an E-Mail message to two or more recipients, but the list of recipients is not managed locally by the sender. Usually, an E-Mail server (MTA) maintains the mailing list.

The sender sends a mail to the MTA managing the mailing list, and then the mail is exploded by the MTA to all recipients in the list.


In this case, when the sender wants to send a confidential E-Mail to the recipients of the mailing list (say R1, R2, and R3), privacy is ensured as follows −

  • The sender and all recipients have their own pair of private-public keys. The Exploder Server has a pair of private-public keys for every mailing list (ListPUB, ListPVT) maintained by it.
  • The sender generates a secret symmetric key KS and then encrypts the message with this key.
  • The sender then encrypts KS with the public key associated with the list, obtaining ListPUB(KS).
  • The sender sends the encrypted message and ListPUB(KS). The exploder MTA decrypts ListPUB(KS) using ListPVT and obtains KS.
  • The exploder encrypts KS with as many public keys as there are members in the list.
  • The Exploder forwards the received encrypted message and the corresponding encrypted KS to all recipients in the list. For instance, the Exploder forwards the encrypted message and R1PUB(KS) to recipient 1, and so on.


For providing message integrity, authentication, and non-repudiation, the steps to be followed are similar to those given in the case of the one-to-one e-mail scenario.

Interestingly, an e-mail program using the above security method is expected to work for all the possible scenarios mentioned above. Most of the above security mechanisms for e-mail are provided by two popular schemes, Pretty Good Privacy (PGP) and S/MIME. We discuss both in the following sections.

PGP

Pretty Good Privacy (PGP) is an e-mail encryption scheme. It has become the de-facto standard for providing security services for e-mail communication.

As mentioned above, it uses public key cryptography, symmetric key cryptography, hash functions, and digital signatures. It provides −

  • Privacy
  • Sender Authentication
  • Message Integrity
  • Non-repudiation

Along with these security services, it also provides data compression and key management support. PGP uses existing cryptographic algorithms such as RSA, IDEA, MD5, etc., instead of inventing new ones.

Working of PGP


  • The hash of the message is calculated (MD5 algorithm).
  • The resultant 128-bit hash is signed using the private key of the sender (RSA algorithm).
  • The digital signature is concatenated to the message, and the result is compressed.
  • A 128-bit symmetric key, KS, is generated and used to encrypt the compressed message with IDEA.
  • KS is encrypted using the public key of the recipient with the RSA algorithm and the result is appended to the encrypted message.

The format of a PGP message is shown in the following diagram. The IDs indicate which key is used to encrypt KS and which key is to be used to verify the signature on the hash.


In the PGP scheme, a message is signed and encrypted, and then MIME-encoded before transmission.

PGP Certificate

A PGP key certificate is normally established through a chain of trust. For example, A's public key is signed by B, and B's public key is signed by C. As this process goes on, it establishes a web of trust.

In a PGP environment, any user can act as a certifying authority. Any PGP user can certify another PGP user's public key. However, such a certificate is only valid to another user if that user recognizes the certifier as a trusted introducer.

Several problems exist with this certification method. It may be difficult to find a chain leading from a known and trusted public key to the desired key. Also, there may be multiple chains which lead to different keys for the desired user.

PGP can also use the PKI infrastructure with a certification authority, and public keys can be certified by a CA (X.509 certificate).

S/MIME

S/MIME stands for Secure Multipurpose Internet Mail Extension. S/MIME is a secure e-mail standard. It is based on an earlier non-secure e-mailing standard called MIME.

Working of S/MIME

The S/MIME approach is similar to PGP. It also uses public key cryptography, symmetric key cryptography, hash functions, and digital signatures. It provides similar security services as PGP for e-mail communication.

The most common symmetric ciphers used in S/MIME are RC2 and TripleDES. The usual public key approach is RSA, and the hashing algorithm is SHA-1 or MD5.

S/MIME specifies additional MIME types, such as "application/pkcs7-mime", for data enveloping after encrypting. The whole MIME entity is encrypted and packed into an object. S/MIME has standardized cryptographic message formats (different from PGP). In fact, MIME is extended with some keywords to identify the encrypted and/or signed parts in the message.

S/MIME relies on X.509 certificates for public key distribution. It needs a top-down hierarchical PKI for certification support.

Employability of S/MIME

Due to the requirement of a certificate from a certification authority for implementation, not all users can take advantage of S/MIME, as some may wish to encrypt a message with a public/private key pair, for example, without the involvement or administrative overhead of certificates.

In practice, although most e-mailing applications implement S/MIME, the certificate enrollment process is complex. Instead, PGP support usually requires adding a plug-in, and that plug-in comes with all that is needed to manage keys. The Web of Trust is not really used. People exchange their public keys over another medium. Once obtained, they keep a copy of the public keys of those with whom e-mails are usually exchanged.

The implementation layer in the network architecture for the PGP and S/MIME schemes is shown in the following image. Both these schemes provide application-level security for e-mail communication.


One of the schemes, either PGP or S/MIME, is used depending on the environment. Secure e-mail communication in a captive network can be provided by adopting PGP. For e-mail security over the Internet, where mails are exchanged with new, unknown users very often, S/MIME is considered the better option.

DNS Security

In the first chapter, we mentioned that an attacker can use DNS Cache Poisoning to carry out an attack on the target user. Domain Name System Security Extensions (DNSSEC) is an Internet standard that can foil such attacks.

Vulnerability of standard DNS

In a standard DNS scheme, whenever the user wants to connect to any domain name, his computer contacts the DNS server and looks up the associated IP address for that domain name. Once the IP address is obtained, the computer then connects to that IP address.

In this scheme, there is no verification process involved at all. A computer asks its DNS server for the address associated with a website, the DNS server responds with an IP address, and your computer simply accepts it as a legitimate response and connects to that website.

A DNS lookup actually happens in several stages. For example, when a computer asks for "www.wisdomjobs.com", a DNS lookup is performed in several stages −

  • The computer first asks the local DNS server (ISP provided). If the ISP has this name in its cache, it responds; else it forwards the query to the "root zone directory" where it can find ".com.", and the root zone replies.
  • Based on the reply, the computer then asks the ".com" directory where it can find "wisdomjobs.com."
  • Based on the information received, the computer queries "wisdomjobs.com" where it can find www.wisdomjobs.com.


DNSSEC Defined

A DNS lookup, when done using DNSSEC, involves signing of replies by the responding entity. DNSSEC is based on public-key cryptography.

In the DNSSEC standard, every DNS zone has a public/private key pair. All data sent by a DNS server is signed with the originating zone's private key to ensure authenticity. DNS clients need to know the zone's public keys to check the signatures. Clients may be preconfigured with the public keys of all the top-level domains, or of the root DNS.

With DNSSEC, the lookup process goes as follows −

  • When your computer goes to ask the root zone where it can find .com, the reply is signed by the root zone server.
  • The computer checks the root zone's signing key and confirms that it is the legitimate root zone with true information.
  • In the reply, the root zone provides the information on the signing key of the .com zone server and its location, allowing the computer to contact the .com directory and ensure that it is legitimate.
  • The .com directory then provides the signing key and information for wisdomjobs.com, allowing the computer to contact wisdomjobs.com and verify that you are connected to the real wisdomjobs.com, as confirmed by the zones above it.
  • The information sent is in the form of Resource Record Sets (RRSets). An example of the RRSet for domain "wisdomjobs.com" in the top-level ".com" server is shown in the following table.

Domain Name          Time to live   Type   Value
wisdomjobs.com       86400          NS     dns.wisdomjobs.com
dns.wisdomjobs.com   86400          A      36.1.2.3
wisdomjobs.com       86400          KEY    3682793A7B73F731029CE2737D...
wisdomjobs.com       86400          SIG    86947503A8B848F5272E53930C...

  • The KEY record is the public key of "wisdomjobs.com".
  • The SIG record is the top-level .com server's signed hash of the NS, A, and KEY records, used to verify their authenticity. Its value is Kcom_pvt(H(NS, A, KEY)).

Therefore, it is expected that when DNSSEC is fully rolled out, the user's computer is able to verify that DNS responses are legitimate and true, and avoid DNS attacks launched through DNS cache poisoning.

Summary

The process of securing e-mails ensures the end-to-end security of the communication. It provides the security services of confidentiality, sender authentication, message integrity, and non-repudiation.

Two schemes have been developed for e-mail security: PGP and S/MIME. Both of these schemes use secret-key and public-key cryptography.

Standard DNS lookup is vulnerable to attacks such as DNS spoofing/cache poisoning. Securing DNS lookup is feasible by using DNSSEC, which employs public-key cryptography.

In this chapter, we discussed the mechanisms used at the application layer to provide network security for end-to-end communication.

All rights reserved © 2018 Wisdom IT Services India Pvt. Ltd