Subject Name: Computer Networks Unit No: 06 Unit Name: Application Layer Faculty Name : Mrs. Puja Padiya


Index
Lecture 1: DNS
Lecture 2: HTTP
Lecture 3: E-mail, SMTP
Lecture 4: Telnet
Lecture 5: FTP
Lecture 6: Security (SSH, PGP)

Lecture 1: DNS

OBJECTIVES (TCP/IP Protocol Suite, Chapter 19):
- To describe the purpose of DNS.
- To define the concept of domains and domain name space.
- To describe the distribution of name spaces and define zones.
- To discuss the use of DNS in the Internet and describe three categories of domains: generic, country, and reverse.
- To discuss name-address resolution and show the two resolution methods: recursive and iterative.
- To show the format of DNS messages and how they can be compressed.
- To discuss DDNS and DNSSEC.

Chapter Outline
19.1 Need for DNS
19.2 Name Spaces
19.3 DNS in the Internet
19.4 Resolution
DNS Messages
Types of Records
Compression
Encapsulation
Registrars
Security of DNS
DDNS

NEED FOR DNS
To identify an entity, TCP/IP protocols use the IP address, which uniquely identifies the connection of a host to the Internet. However, people prefer to use names instead of numeric addresses. Therefore, we need a system that can map a name to an address or an address to a name.

[Figure 19.1: Purpose of DNS]

NAME SPACE
To be unambiguous, the names assigned to machines must be carefully selected from a name space with complete control over the binding between the names and IP addresses. In other words, the names must be unique because the addresses are unique. A name space that maps each address to a unique name can be organized in two ways: flat or hierarchical.
Topics Discussed in the Section
- Flat Name Space
- Hierarchical Name Space
- Domain Name Space
- Domain
- Distribution of Name Space

[Figure 19.2: Domain name space]
[Figure 19.3: Domain names and labels]
[Figure 19.4: FQDN and PQDN]
[Figure 19.5: Domains]
[Figure 19.6: Hierarchy of name servers]
[Figure 19.7: Zones and domains]

Note: A primary server loads all information from the disk file; the secondary server loads all information from the primary server. When the secondary downloads information from the primary, it is called a zone transfer.

DNS IN THE INTERNET
DNS is a protocol that can be used on different platforms. In the Internet, the domain name space (tree) is divided into three different sections: generic domains, country domains, and the inverse domain (see Figure 19.8).

Topics Discussed in the Section
- Generic Domains
- Country Domains
- Inverse Domain
- Registrar

[Figure 19.8: DNS used in the Internet]
[Figure 19.9: Generic domains]
[Figure: Country domains]
[Figure: Inverse domain]

RESOLUTION
Mapping a name to an address or an address to a name is called name-address resolution.

Topics Discussed in the Section
- Resolver
- Mapping Names to Addresses
- Mapping Addresses to Names
- Recursive Resolution
- Iterative Resolution
- Caching

[Figure: Recursive resolution]
[Figure: Iterative resolution]

DNS MESSAGES
DNS has two types of messages: query and response. Both types have the same format.
The query message consists of a header and question records; the response message consists of a header, question records, answer records, authoritative records, and additional records (see Figure 19.14).

Topics Discussed in the Section
- Header

[Figure: Query and response messages]
[Figure: Header format]

ENCAPSULATION
DNS can use either UDP or TCP. In both cases the well-known port used by the server is port 53. UDP is used when the size of the response message is less than 512 bytes because most UDP packages have a 512-byte packet size limit. If the size of the response message is more than 512 bytes, a TCP connection is used. In that case, one of two scenarios can occur:

REGISTRARS
How are new domains added to DNS? This is done through a registrar, a commercial entity accredited by ICANN. A registrar first verifies that the requested domain name is unique and then enters it into the DNS database. A fee is charged.

DDNS
When DNS was designed, no one predicted that there would be so many address changes. In DNS, when there is a change, such as adding a new host, removing a host, or changing an IP address, the change must be made to the DNS master file. The DNS master file must be updated dynamically. The Dynamic Domain Name System (DDNS) was therefore devised to respond to this need.

SECURITY OF DNS
DNS is one of the most important systems in the Internet infrastructure; it provides crucial services to Internet users. Applications such as Web access or e-mail are heavily dependent on the proper operation of DNS. DNS can be attacked in several ways. To protect DNS, the IETF has devised a technology named DNS Security (DNSSEC) that provides message origin authentication and message integrity using a security service called digital signature (see Chapter 29).
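The message format described in this lecture, as an added example that is not part of the original slides: it builds a query (header plus question record) and parses a response whose answer record uses a compression pointer back to the question name. Standard library only; the sample messages are constructed here, and the bounds and backward-pointer checks are what keep a malformed or hostile response from crashing the parser.

```python
"""Added example (not from the lecture): build a DNS query and parse a DNS
response, following the name-compression pointers the slides mention.
Standard library only; the sample messages are constructed for this example."""
import struct

QTYPE_A = 1
QCLASS_IN = 1


def encode_name(name: str) -> bytes:
    """'www.example.com' -> length-prefixed labels terminated by a 0 byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label length must be 1..63")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(txid: int, name: str, qtype: int = QTYPE_A) -> bytes:
    """12-byte header + one question. Flags 0x0100 = recursion desired."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def _need(msg: bytes, off: int, n: int) -> None:
    """Bounds check: a short or truncated message must not raise IndexError."""
    if off + n > len(msg):
        raise ValueError("message truncated at offset %d" % off)


def decode_name(msg: bytes, off: int):
    """Return (name, offset after the name). A label byte with the top two bits
    set is a 2-byte pointer to an earlier occurrence of the name; requiring it
    to point backwards is what stops a crafted response from looping the parser."""
    labels, resume = [], None
    while True:
        _need(msg, off, 1)
        length = msg[off]
        if length & 0xC0 == 0xC0:
            _need(msg, off, 2)
            pointer = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if pointer >= off:
                raise ValueError("compression pointer does not point backwards")
            if resume is None:
                resume = off + 2      # the caller continues after the pointer
            off = pointer
            continue
        off += 1
        if length == 0:
            break
        _need(msg, off, length)
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (resume if resume is not None else off)


def parse_message(msg: bytes) -> dict:
    """Parse the header, the question section and the answer records."""
    _need(msg, 0, 12)
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    out = {"id": txid, "qr": bool(flags & 0x8000), "rcode": flags & 0xF,
           "questions": [], "answers": []}
    off = 12
    for _ in range(qd):
        name, off = decode_name(msg, off)
        _need(msg, off, 4)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        out["questions"].append((name, qtype, qclass))
    for _ in range(an):
        name, off = decode_name(msg, off)
        _need(msg, off, 10)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        _need(msg, off, rdlen)
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_A and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)   # render IPv4 address
        out["answers"].append((name, rtype, ttl, rdata))
    return out


# Constructed sample response to "www.example.com A": the answer's owner name is
# the pointer 0xC00C (offset 12 = the question name), as real servers send it.
# 192.0.2.10 is a documentation address, not a real host.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + encode_name("www.example.com") + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    + b"\xC0\x0C" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 300, 4)
    + bytes([192, 0, 2, 10])
)
# Constructed malformed response: the question name is a pointer to itself.
LOOPING_RESPONSE = struct.pack("!HHHHHH", 1, 0x8180, 1, 0, 0, 0) + b"\xC0\x0C"

if __name__ == "__main__":
    print(parse_message(SAMPLE_RESPONSE))
```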
Lecture 2: HTTP

HyperText Transfer Protocol (HTTP)
- HTTP is the protocol that supports communication between web browsers and web servers.
- A Web Server is an HTTP server.
- Most clients/servers today speak version 1.1, but 1.0 is also in use.
- RFC 1945 (HTTP 1.0), RFC 2616 (HTTP 1.1)

From the RFC
HTTP is an application-level protocol with the lightness and speed necessary for distributed, hypermedia information systems.

Transport Independence
The HTTP protocol generally takes place over a TCP connection, but the protocol itself is not dependent on a specific transport layer.

Request - Response
- HTTP has a simple structure: the client sends a request; the server returns a reply.
- HTTP can support multiple request-reply exchanges over a single TCP connection.
- The well-known TCP port for HTTP servers is port 80. Other ports can be used as well.

HTTP 1.0+ Request
- Lines of text (ASCII). Lines end with CRLF (\r\n).
- The first line is called the Request-Line.
- Layout: Request-Line, Headers..., blank line, Content...

Request Line
    Method URI HTTP-Version\r\n
- The request line contains 3 tokens (words); space characters separate the tokens.
- A bare newline (\n) seems to work, but the protocol requires CRLF.

Request Method
- The Request Method can be: GET, HEAD, DELETE, PUT, POST, TRACE, OPTIONS. Future expansion is supported.
- GET, HEAD and POST are supported everywhere (including Lab 2!).
- HTTP 1.1 servers often support PUT, DELETE, OPTIONS & TRACE.

Methods
- GET: retrieve information identified by the URI. Typically used to retrieve an HTML document.
- HEAD: retrieve meta-information about the URI. Used to find out if a document has changed.
- POST: send information to a URI and retrieve the result. Used to submit a form.

More Methods
- PUT: store information in the location named by the URI.
- DELETE: remove the entity identified by the URI.
- TRACE: used to trace HTTP forwarding through proxies, tunnels, etc.
- OPTIONS: used to determine the capabilities of the server, or the characteristics of a named resource.

URI: Universal Resource Identifier
- URIs are defined in an RFC.
- Absolute URI: scheme://hostname[:port]/path
- Relative URI: /path, for example /blah/foo (no server mentioned)

URI Usage
- When dealing with an HTTP 1.1 server, only a path is used (no scheme or hostname).
- HTTP 1.1 servers are required to be capable of handling an absolute URI, but there are still some out there that won't.
- When dealing with a proxy HTTP server, an absolute URI is used: the client has to tell the proxy where to get the document! More on proxy servers in a bit.

HTTP Version Number
- HTTP/1.0 or HTTP/1.1
- Starting with HTTP 1.0 the version number is part of every request. The client tells the server what version it can talk (what options are supported, etc.).
- HTTP 0.9 did not include a version number in the request line. If a server gets a request line with no HTTP version number, it assumes 0.9. HTTP 0.9 was used for many years.

The Header Lines
- Request headers provide information to the server about the client: what kind of client, what kind of content will be accepted, who is making the request.
- Each header line contains an attribute name, followed by a ":", followed by a space and the attribute value.
- There can be 0 headers (HTTP 1.0). HTTP 1.1 requires a Host: header.

Example HTTP Headers
    Accept: text/html
    Host:
    From:
    User-Agent: Mozilla/4.0
    Referer:

End of the Headers
- Each header ends with a CRLF (\r\n).
- The end of the header section is marked with a blank line: just CRLF.
- For GET and HEAD requests, the end of the headers is the end of the request!

POST
- A POST request includes some content (some data) after the headers (after the blank line).
- There is no format for the data (just raw bytes).
- A POST request must include a Content-Length line in the headers, for example: Content-Length: 267

Example POST Request
    POST /~mgunes/cpe401/grades.cgi HTTP/1.1
    Accept: */*
    Host:
    User-Agent: SecretAgent V2.3
    Content-Length: 35
    Referer:

    stuid= &item=test1&grade=99

Example GET Request
    GET /~mgunes/cpe401/lab1.htm HTTP/1.1
    Accept: */*
    Host:
    User-Agent: Internet Explorer
    From:
    Referer:
    (There is a blank line here!)

HTTP Response
- ASCII Status Line
- Headers Section
- Content: can be anything (not just text), typically an HTML document or some kind of image.
- Layout: Status-Line, Headers..., blank line, Content...

Response Status Line
    HTTP-Version Status-Code Message
- Status Code is a 3-digit number (for computers):
  1xx Informational
  2xx Success
  3xx Redirection
  4xx Client Error
  5xx Server Error
- Message is text (for humans).

Example Status Lines
    HTTP/1.0 200 OK
    HTTP/1.1 301 Moved Permanently
    HTTP/1.0 400 Bad Request
    HTTP/1.0 500 Internal Server Error

Response Headers
- Provide the client with information about the returned entity (document): what kind of document, how big the document is, how the document is encoded, when the document was last modified.
- Response headers end with a blank line.

Response Header Examples
    Date: Wed, 30 Jan :48:17 EST
    Server: Apache/1.17
    Content-Type: text/html
    Content-Length: 1756
    Content-Encoding: gzip

Content
- Content can be anything (a sequence of raw bytes).
- The Content-Length header is required for any response that includes content.
- The Content-Type header is also required.

Single Request/Reply
- The client sends a complete request.
- The server sends back the entire reply.
- The server closes its socket.
- If the client needs another document it must open a new connection.
- This was the default for HTTP 1.0.

Persistent Connections
- HTTP 1.1 supports persistent connections (this is the default).
- Multiple requests can be handled over a single TCP connection.
- The Connection: header is used to exchange information about persistence (HTTP/1.1).
- 1.0 clients used a Keep-alive: header.

Try it with telnet
    > telnet <host> 80
    GET / HTTP/1.0              <- request line, followed by a blank line (end of headers)

    HTTP/1.0 200 OK             <- response
    Server: Apache...

Try it with telnet (persistent)
    > telnet <host> 80
    GET / HTTP/1.1
    Host: <host>                <- required!

    HTTP/1.1 200 OK
    Server: Apache...

HTTP Proxy Server
[Figure: Browser, Proxy, HTTP Server]

Network Lab #2: HTTP Proxy
- You need to write a proxy server.
- It must be able to handle GET, HEAD and POST requests.
- Filtering: your proxy will be given a list of domain names on the command line; you should refuse to forward requests to any server whose name is within a specified domain. Send back the status line: 403 Forbidden.

Lab #2: The code you need
- The proxy is both a client and a server.
- Parsing the HTTP request is needed: you need to understand HTTP.
- You will need to parse headers: look at Content-Length, Connection, etc.

Lab #2: Testing
- Tell your browser to use a proxy (edit preferences/options).
- Test it with a browser: interrupt a long transfer (press stop); fill out a form (probably uses POST).
- Test it with telnet.
- Write an abusive client and a rude server!

Lab #2: What is expected
- We should be able to surf through your proxy!
- The proxy should print some info about each request (print the request line).
- No memory leaks!
- Check every system call for errors!
- We should not be able to kill your proxy by sending a bad request, or by using a server that sends bad replies. No crashes, no matter what kind of nonsense we send your proxy.

Lab #2: HTTP V1.1 Details
- The RFC is 114 pages! We don't expect you to read it all or to support every nitty-gritty detail.
- Work on creating a working proxy (one you can use through a browser).
- Performance is not a big deal (but it shouldn't be horribly worse than without your proxy).
- Don't worry about persistence, pipelining, chunking, etc. You need to turn off persistence if you don't want to handle it.
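The request handling the Lab #2 proxy needs, as an added example that is not from the lecture or the lab handout: it parses the request line and headers, finds the origin server from the absolute URI a browser sends to a proxy (or the Host: header), refuses blocked domains with 403 Forbidden, reads the POST body by Content-Length, forces Connection: close, and answers 400 instead of crashing on malformed input. It is written over bytes rather than sockets so it can be tested offline; the blocked-domain list and sample requests are constructed for this example.

```python
"""Added example (not from the lecture or the Lab #2 handout): the request
parsing and filtering core of the HTTP proxy described above, written as pure
functions over bytes so it runs without sockets. The blocked-domain list and
the sample requests below are constructed for this example."""
from urllib.parse import urlsplit

CRLF = b"\r\n"
FORBIDDEN = (b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/plain\r\n"
             b"Content-Length: 10\r\nConnection: close\r\n\r\nForbidden\n")


class BadRequest(Exception):
    """Anything malformed: the proxy answers 400 and carries on, never crashes."""


def parse_request(raw: bytes):
    """Return (method, uri, version, headers, body); header names lower-cased
    (they are case-insensitive), body = bytes after the blank line so far."""
    head, sep, body = raw.partition(CRLF + CRLF)
    if not sep:
        raise BadRequest("no blank line ending the headers")
    try:
        lines = head.decode("ascii").split("\r\n")
    except UnicodeDecodeError:
        raise BadRequest("non-ASCII bytes in request head") from None
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise BadRequest("malformed request line")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not name.strip():
            raise BadRequest("malformed header line")
        headers[name.strip().lower()] = value.strip()
    return parts[0], parts[1], parts[2], headers, body


def target_host(uri: str, headers: dict):
    """A browser gives a proxy an absolute URI; otherwise fall back to the
    Host: header that HTTP/1.1 requires. Returns (host, port, origin-form path)."""
    if uri.lower().startswith("http://"):
        u = urlsplit(uri)
        try:
            host, port = u.hostname, u.port or 80   # u.port raises on garbage
        except ValueError:
            raise BadRequest("bad port in URI") from None
        if not host:
            raise BadRequest("absolute URI without a host")
        return host, port, (u.path or "/") + ("?" + u.query if u.query else "")
    host = headers.get("host")
    if not host:
        raise BadRequest("no Host header")
    name, _, port = host.partition(":")
    return name.lower(), (int(port) if port.isdigit() else 80), uri


def is_blocked(host: str, blocked_domains) -> bool:
    """Exact name or any subdomain; a bare suffix test would also block
    'notexample.com' for the rule 'example.com'."""
    host = host.rstrip(".").lower()
    return any(host == d or host.endswith("." + d)
               for d in (x.rstrip(".").lower() for x in blocked_domains))


def content_length(headers: dict, method: str) -> int:
    """POST must say how many body bytes follow; reject non-numeric values."""
    value = headers.get("content-length")
    if value is None:
        if method == "POST":
            raise BadRequest("POST without Content-Length")
        return 0
    if not value.isdigit():
        raise BadRequest("non-numeric Content-Length")
    return int(value)


def handle(raw: bytes, blocked_domains):
    """One proxy decision for the bytes read so far: ('reply', bytes) when the
    proxy answers itself (400/403); ('need_more', n) when n body bytes are
    still missing; ('forward', host, port, bytes) with the request rewritten
    (origin-form path, Proxy-Connection dropped, Connection: close forced)."""
    try:
        method, uri, version, headers, body = parse_request(raw)
        host, port, path = target_host(uri, headers)
        length = content_length(headers, method)
    except BadRequest as exc:
        text = str(exc).encode("ascii")
        return ("reply", b"HTTP/1.1 400 Bad Request\r\nContent-Length: %d\r\n"
                b"Connection: close\r\n\r\n" % len(text) + text)
    if is_blocked(host, blocked_domains):
        return ("reply", FORBIDDEN)
    if len(body) < length:
        return ("need_more", length - len(body))
    headers.pop("proxy-connection", None)
    headers["connection"] = "close"           # no persistence to manage
    headers.setdefault("host", host if port == 80 else f"{host}:{port}")
    head = f"{method} {path} {version}\r\n" + "".join(
        f"{k}: {v}\r\n" for k, v in headers.items())
    return ("forward", host, port, head.encode("ascii") + CRLF + body[:length])


# Constructed sample requests, as a browser configured to use a proxy sends them.
SAMPLE_GET = (b"GET http://www.example.com/~mgunes/cpe401/lab1.htm HTTP/1.1\r\n"
              b"Host: www.example.com\r\nProxy-Connection: keep-alive\r\n\r\n")
SAMPLE_POST = (b"POST http://www.example.com/grades.cgi HTTP/1.1\r\n"
               b"Host: www.example.com\r\nContent-Length: 20\r\n\r\n"
               b"item=test1&grade=99")          # 19 of 20 body bytes so far
```

The forwarded header names come out lower-cased, which HTTP permits since header names are case-insensitive.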
Lab #2: HTTP Headers
- You will need to look at the Content-Length header in a POST: you need to know how many bytes to read after the end of the headers.
- You will need to either look at the Connection (Proxy-Connection) headers or, at a minimum, force Connection: close as a request header.

Lecture 3: E-mail, SMTP

OBJECTIVES (TCP/IP Protocol Suite, Chapter 23):
- To explain the architecture of electronic mail using four scenarios.
- To explain the user agent (UA), the services provided by it, and two types of user agents.
- To explain the mechanism of sending and receiving e-mails.
- To introduce the role of a message transfer agent and Simple Mail Transfer Protocol (SMTP) as the formal protocol that handles MTA.
- To explain e-mail transfer phases.
- To discuss two message access agents (MAAs): POP and IMAP.
- To discuss MIME as a set of software functions that transforms non-ASCII data to ASCII data and vice versa.
- To discuss the id​ea of Web-based e-mail.
- To explain the security of the e-mail system.

Chapter Outline
23.1 Architecture
23.2 User Agent
23.3 Message Transfer Agent
23.4 Message Access Agent
23.5 MIME
23.6 Web-Based Mail
23.7 Electronic Mail Security

ARCHITECTURE
To explain the architecture of e-mail, we give four scenarios. We begin with the simplest situation and add complexity as we proceed. The fourth scenario is the most common in the exchange of e-mail.

Topics Discussed in the Section
- First Scenario
- Second Scenario
- Third Scenario
- Fourth Scenario

[Figure 23.1: First scenario]
Note: When the sender and the receiver of an e-mail are on the same mail server, we need only two user agents.

[Figure 23.2: Second scenario]
Note: When the sender and the receiver of an e-mail are on different mail servers, we need two UAs and a pair of MTAs (client and server).
[Figure 23.3: Third scenario]
Note: When the sender is connected to the mail server via a LAN or a WAN, we need two UAs and two pairs of MTAs (client and server).

[Figure 23.4: Fourth scenario]
Note: When both sender and receiver are connected to the mail server via a LAN or a WAN, we need two UAs, two pairs of MTAs (client and server), and a pair of MAAs (client and server). This is the most common situation today.

[Figure 23.5: Push versus pull]

USER AGENT
The first component of an electronic mail system is the user agent (UA). It provides service to the user to make the process of sending and receiving a message easier.

Topics Discussed in the Section
- Services Provided by a User Agent
- User Agent Types
- Sending Mail
- Receiving Mail
- Addresses
- Mailing List or Group List

Note: Some examples of command-driven user agents are mail, pine, and elm.
Note: Some examples of GUI-based user agents are Eudora, Outlook, and Netscape.

[Figure 23.6: Format of an e-mail]
[Figure: E-mail address]

MESSAGE TRANSFER AGENT
The actual mail transfer is done through message transfer agents (MTAs). To send mail, a system must have the client MTA, and to receive mail, a system must have a server MTA. The formal protocol that defines the MTA client and server in the Internet is called Simple Mail Transfer Protocol (SMTP). As we said before, two pairs of MTA client-server programs are used in the most common situation (fourth scenario). Figure 23.8 shows the range of the SMTP protocol in this scenario.
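The SMTP commands, responses and transfer phases that this section goes on to describe (connection establishment, message transfer, connection termination), as an added example that is not part of the slides: a toy server-side state machine driven by a client routine, with no sockets involved. Host names and addresses are constructed; reply codes are the standard ones from RFC 5321, and the 503 replies show why the command order matters.

```python
"""Added example (not from the slides): a toy SMTP server state machine plus
a client routine that walks the three phases shown in the figures above
(connection establishment, message transfer, connection termination). No
sockets: the exchange is returned as (command, reply) pairs. Host names and
addresses are constructed for this example; reply codes follow RFC 5321."""


class SmtpSession:
    """Server side of one connection; enforces the required command order."""
    def __init__(self, hostname="mail.example.test"):
        self.hostname = hostname
        self.state = "CONNECT"      # CONNECT -> HELO -> MAIL -> RCPT -> DATA
        self.sender, self.recipients, self.lines = None, [], []
        self.delivered = []         # (sender, recipients, message text)

    def greeting(self):
        return f"220 {self.hostname} Simple Mail Transfer Service Ready"

    def handle(self, line):
        """Reply to one command line (no CRLF); empty reply while in DATA."""
        if self.state == "DATA":
            return self._data_line(line)
        verb, _, arg = line.partition(" ")
        verb, arg = verb.upper(), arg.strip()
        if verb == "QUIT":
            self.state = "CLOSED"
            return f"221 {self.hostname} Service closing transmission channel"
        if verb in ("HELO", "EHLO"):
            if not arg:
                return "501 Syntax error in parameters or arguments"
            self.state, self.sender, self.recipients = "HELO", None, []
            return f"250 {self.hostname}"
        if self.state == "CONNECT":
            return "503 Bad sequence of commands"      # greet first
        if verb == "MAIL":
            addr = self._address(arg, "FROM:")
            if addr is None:
                return "501 Syntax error in parameters or arguments"
            self.state, self.sender, self.recipients = "MAIL", addr, []
            return "250 OK"
        if verb == "RCPT":
            if self.state not in ("MAIL", "RCPT"):
                return "503 Bad sequence of commands"  # MAIL FROM first
            addr = self._address(arg, "TO:")
            if addr is None:
                return "501 Syntax error in parameters or arguments"
            self.recipients.append(addr)
            self.state = "RCPT"
            return "250 OK"
        if verb == "DATA":
            if self.state != "RCPT":
                return "503 Bad sequence of commands"  # need a recipient
            self.state, self.lines = "DATA", []
            return "354 Start mail input; end with <CRLF>.<CRLF>"
        return "500 Syntax error, command unrecognized"

    @staticmethod
    def _address(arg, prefix):
        """'FROM:<user@host>' -> 'user@host', or None if malformed."""
        if not arg.upper().startswith(prefix):
            return None
        addr = arg[len(prefix):].strip()
        if addr.startswith("<") and addr.endswith(">"):
            addr = addr[1:-1]
        return addr if "@" in addr else None

    def _data_line(self, line):
        if line == ".":                                 # end of message
            self.delivered.append((self.sender, list(self.recipients),
                                   "\n".join(self.lines)))
            self.state = "HELO"
            return "250 OK: message accepted for delivery"
        # undo dot-stuffing: a line starting with '.' arrives as '..'
        self.lines.append(line[1:] if line.startswith(".") else line)
        return ""


def send_mail(server, sender, recipients, message_lines, client_host="pc.example.test"):
    """Client side: returns the dialogue as [(sent, reply), ...]; raises
    RuntimeError (after sending QUIT) if a reply code is not the expected one."""
    log = [("", server.greeting())]

    def cmd(text, expect):
        reply = server.handle(text)
        log.append((text, reply))
        if not reply.startswith(expect):
            raise RuntimeError(f"unexpected reply to {text!r}: {reply}")

    try:
        cmd(f"HELO {client_host}", "250")            # connection establishment
        cmd(f"MAIL FROM:<{sender}>", "250")          # message transfer
        for rcpt in recipients:
            cmd(f"RCPT TO:<{rcpt}>", "250")
        cmd("DATA", "354")
        for line in message_lines:                   # dot-stuff body lines
            server.handle("." + line if line.startswith(".") else line)
        cmd(".", "250")
    finally:
        cmd("QUIT", "221")                           # connection termination
    return log
```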
Topics Discussed in the Section
- Commands and Responses
- Mail Transfer Phases

[Figure 23.8: SMTP range]
[Figure 23.9: Commands and responses]
[Figure: Connection establishment]
[Figure: Message transfer]
[Figure: Connection termination]

Example 23.1
Let us see how we can directly use SMTP to send an e-mail and simulate the commands and responses we described in this section. We use TELNET to log into port 25 (the well-known port for SMTP). We then use the commands directly to send an e-mail. In this example, a user is sending an e-mail to himself. The first few lines show TELNET trying to connect to the adelphia mail server. After connection, we can type the SMTP commands and then receive the responses as shown below. We have shown the commands in black and the responses in color. Note that we have added some comment lines for clarification, designated by the = sign. These lines are not part of the e-mail procedure.

Example 23.1 (continued)

MESSAGE ACCESS AGENT
The first and the second stages of mail delivery use SMTP. However, SMTP is not involved in the third stage because SMTP is a push protocol; it pushes the message from the client to the server. In other words, the direction of the bulk data (messages) is from the client to the server. On the other hand, the third stage needs a pull protocol; the client must pull messages from the server. The direction of the bulk data is from the server to the client. The third stage uses a message access agent.

WEB-BASED MAIL
E-mail is such a common application that some websites today provide this service to anyone who accesses the site. Three common sites are Hotmail, Yahoo, and Google. The idea is very simple.
Let us go through two cases:

Topics Discussed in the Section
- Case I
- Case II

[Figure: Web-based e-mail, case 1]
[Figure: Web-based e-mail, case 2]

E-MAIL SECURITY
The protocol discussed in this chapter does not provide any security provisions per se. However, e-mail exchanges can be secured using two application-layer security protocols designed in particular for e-mail systems. Two of these protocols, Pretty Good Privacy (PGP) and Secure MIME (S/MIME), are discussed in Chapter 30 after we have discussed basic network security.

Lecture 4: Telnet

TELNET vs. telnet
- TELNET is a protocol that provides a general, bi-directional, eight-bit byte oriented communications facility.
- telnet is a program that supports the TELNET protocol over TCP.
- Many application protocols are built upon the TELNET protocol.

The TELNET Protocol
- Reference: RFC 854
- TCP connection: data and control over the same connection.
- Network Virtual Terminal: an intermediate representation of a generic terminal; it provides a standard language for communication of terminal control functions.

Network Virtual Terminal
[Figure: Network Virtual Terminal (NVT, server process, TCP)]

Negotiated Options
- All NVTs support a minimal set of capabilities.
- Some terminals have more capabilities than the minimal set.
- The set of options is not part of the TELNET protocol, so that new terminal features can be incorporated without changing the TELNET protocol.
- The two endpoints negotiate a set of mutually acceptable options: line mode vs. character mode, echo modes, character set (EBCDIC vs. ASCII).

Control Functions
- TELNET includes support for a series of control functions commonly supported by servers.
- This provides a uniform mechanism for communication of (the supported) control functions.

Control Functions
- Interrupt Process (IP): suspend/abort the process.
- Abort Output (AO): send no more output to the user's terminal.
- Are You There (AYT): check to see if the system is still running.
- Erase Character (EC): delete the last character sent.
- Erase Line (EL): delete all input in the current line.

Command Structure
- All TELNET commands and data flow through the same TCP connection.
- Commands start with a special character called the Interpret As Command (IAC) escape character. The IAC code is 255.
- If a 255 is sent as data, it must be followed by another 255.
- If IAC is found and the next byte is IAC, a single byte (255) is presented to the application/terminal.
- If IAC is followed by any other code, the TELNET layer interprets this as a command.

Playing with TELNET
- You can use the telnet program to play with the TELNET protocol.
- telnet is a generic TCP client: it sends whatever you type to the TCP socket and prints whatever comes back through the TCP socket.
- Useful for testing TCP servers (ASCII-based protocols).
- Many Unix systems have these servers running (by default): echo (port 7), discard (port 9), daytime (port 13), chargen (port 19).

telnet hostname port
    > telnet amele-2.cse.unr.edu 7
    Trying ...
    Connected to amele-2.cse.unr.edu (...).
    Escape character is '^]'.
    Hi mehmet
    stop it
    ^]
    telnet> quit
    Connection closed.

telnet vs. TCP
- Not all TCP servers talk TELNET (most don't).
- You can use the telnet program to play with these servers, but the fancy commands won't do anything.
- Type ^], then "help" for a list of fancy TELNET stuff you can do in telnet.

Lecture 5: FTP

FTP
File Transfer Protocol (FTP) is the standard mechanism provided by TCP/IP for copying a file from one host to another. Although transferring files from one system to another seems simple and straightforward, some problems must be dealt with first. For example, two systems may use different file name conventions. Two systems may have different ways to represent text and data. Two systems may have different directory structures.
All of these problems have been solved by FTP in a very simple and elegant approach.

Topics Discussed in the Section
- Connections
- Communication
- Command Processing
- File Transfer
- Anonymous FTP
- Security for FTP
- The sftp Program

Note: FTP uses the services of TCP. It needs two TCP connections. The well-known port 21 is used for the control connection and the well-known port 20 for the data connection.

[Figure 21.1: FTP]
[Figure 21.2: Opening the control connection]
[Figure 21.3: Creating the data connection]
[Figure 21.4: Using the control connection]
[Figure 21.5: Using the data connection]
[Figure 21.6: Command processing]
[Figure 21.7: File transfer]

Example 21.1
Figure 21.8 shows an example of using FTP for retrieving a list of items in a directory.
[Figure 21.8: Example 21.1]

Example 21.2
The following shows an actual FTP session that parallels Example 21.1. The colored lines show the responses from the server control connection; the black lines show the commands sent by the client. The lines in white with black background show data transfer.

Example 21.3
Figure 21.9 shows an example of how an image (binary) file is stored.
[Figure 21.9: Example 21.3]

Example 21.4
We show an example of anonymous FTP. We assume that some public data are available at internic.net.

Lecture 6: Security (SSH, PGP)

Outline
- Introduction
- Brief History
- What is Secure Shell?
- Features of Secure Shell
- Security Mechanism of Secure Shell
- SSH1 vs. SSH2
- Conclusion

Introduction
- Widely used utilities to log in through a network in a Unix environment are telnet and rlogin.
- Problem: the user's login name and password are transmitted as clear text.
- Data transmission after login is also in clear text!
- SSH, the Secure Shell, is a powerful, software-based approach to network security that provides a secure channel for data transmission through a network.

History
- Developed by Tatu Ylonen, Helsinki University of Technology, Finland, in 1995 to prevent network attacks against the University network.
- Published the protocol SSH-1 as an IETF (Internet Engineering Task Force) draft.
- Founded SSH Communications Security Ltd. in late 1995 (http://www.ssh.com).
- Later released SSH-2.

What is Secure Shell?
- A powerful, convenient approach to protecting communications on a computer network.
- Provides a secure channel for data transmission.
- Not a command interpreter: it provides a secure pipe to open up a command interpreter.

What is Secure Shell? (Contd.)
- Supports secure remote logins, secure remote command execution, and secure file transfers.
- Has a client-server architecture: an SSH server program and a client program.
Features
- Privacy: via strong end-to-end encryption (DES, IDEA, Blowfish).
- Integrity: via a 32-bit Cyclic Redundancy Check (CRC-32).
- Authentication: the server via the server's host key; the client usually via password or public key.
- Authorization: controlled at a server-wide level or on a per-account basis.
- Forwarding: encapsulating another TCP-based service, such as Telnet, within an SSH session.

Security Mechanism: Establishing the Secure Connection
- The client initiates the connection by sending a request to the TCP port of the SSH server.
- The server reveals its SSH protocol version to the client.
- If the client and server decide their versions are compatible, the connection proceeds.
- The SSH server sends the following to the client: the host key, the server key, a list of supported encryption, compression and authentication methods, and a sequence of eight random bytes.
- The client checks the identity of the server by checking the host key against its known-hosts database.
- The client generates a session key and double-encrypts it using the host key and the server key.
- The client sends the encrypted session key along with the check bytes and the acceptable algorithm.

Establishing the Secure Connection (Contd.)
- The server then decrypts the encrypted session key it received.
- The server sends a confirmation encrypted with this session key.
- The client receives the confirmation, which confirms server authentication.

Authentication
- Client authentication is usually by either Password Authentication or Public Key Authentication.
- The server confirms client authorization.
- The server generates a 256-bit random challenge, encrypts it with the client's public key, and sends it to the client.
- The client decrypts the challenge, generates a hash value with a session identifier (a commonly generated random string at the beginning of the session), and sends it to the server.
- The server generates the hash; if both match, the session is authenticated.
SSH2 vs. SSH1
- SSH2 has separate transport, authentication, and connection protocols; SSH1 has one monolithic protocol.
- SSH2 has a strong cryptographic integrity check using a MAC; SSH1 has weak checking using CRC-32.
- SSH2 supports any number of session channels per connection (including none); SSH1 supports exactly one.
- Servers running SSH-2 can also run SSH-1 to take care of clients running SSH-1.
- SSH2 allows more than one form of authentication per session; SSH1 allows only one.

Conclusion
- SSH provides a secure channel for data transmission.
- It provides a secure pipe to open up a command interpreter.
- Latest version of SSH: SSH3.

Threats to E-mail
- Loss of confidentiality: e-mails are sent in clear over open networks; e-mails are stored on potentially insecure clients and mail servers.
- Loss of integrity: no integrity protection on e-mails; they can be altered in transit or on the mail server.
- Lack of data origin authentication: is this e-mail really from the person named in the From: field?
- Lack of non-repudiation: can I rely and act on the content? (integrity) If so, can the sender later deny having sent it? Who is liable if I have acted?
- Lack of notification of receipt: has the intended recipient received my e-mail and acted on it? A message locally marked as sent may not have been delivered.

What are the Options?
- Secure the server-to-client connections (easy thing first): https access to webmail; protection against insecure wireless access.
- Secure the end-to-end e-mail delivery: the PGPs of the world. Practical in an enterprise intra-network environment.

E-mail based Attacks
- Active content attack: clean up at the server.
- Buffer overflow attack: fix the code.
- Trojan Horse attack.
- Web bugs (for tracking): mangle the image at the mail server.

Why Don't People Use E-mail Security?
Software for encrypting e-mail messages has been widely available for more than 15 years, but the e-mail-using public has failed to adopt secure messaging. This failure can be explained through a combination of technical, community, and usability factors.
- I don't because I don't care.
- I doubt any of my usual recipients would understand the significance of the signature.
- Never had the need to send these kinds of e-mails.
- I don't think it's necessary to encrypt my e-mail.
- It's just another step & something else I don't have time

Secure E-mail Standards and Products
- Other, now defunct, standards: PEM (privacy enhanced mail), X.400.
- S/MIME.
- We focus on PGP.

PGP (Pretty Good Privacy)
- Freeware: OpenPGP and variants.
- OpenPGP is specified in RFC 2440 and defined by the IETF OpenPGP working group.
- Available as a plug-in for popular e-mail clients; can also be used as stand-alone software.
- If all the personal computers in the world (260 million) were put to work on a single PGP-encrypted message, it would still take an estimated 12 million times the age of the universe, on average, to break a single message.

PGP (Pretty Good Privacy)
- PGP is an e-mail security program written by Phil Zimmermann, based on the IDEA algorithm for encryption of plaintext, and uses the RSA public key algorithm for encryption of the private key.
- PGP incorporates tools for developing a public-key trust model and public-key certificate management.
- PGP is an open-source, freely available software package for e-mail security. It provides authentication; confidentiality; compression; e-mail compatibility; and segmentation and reassembly.

PGP Algorithms
- Symmetric encryption: DES, 3DES, AES and others.
- Public key encryption of session keys: RSA or ElGamal.
- Hashing: SHA-1, MD5 and others.
- Signature: RSA, DSS, ECDSA and others.
- PGP uses public keys for encrypting session keys / verifying signatures, and private keys for decrypting session keys / creating signatures.

Security of PGP
- There are many known attacks against PGP.
- Attacks against crypto algorithms are not the main threat: IDEA is considered strong, and while cryptanalysis advances, it should still be strong for some time. RSA may or may not be strong.
- There are recent rumors of possible fast factorization algorithms. The main threats are much more simple.

PGP (Pretty Good Privacy)
- An attacker may socially engineer himself into a web of trust, or some trustable person may change. Then he could falsify public keys. This breaks most of the security.
- PGP binaries can be corrupted when they are obtained.
- The PGP binaries can be modified on the computer.
- The passphrase can be obtained by a Trojan.
- Weak passphrases can be cracked.
- On a multiuser system, access to the secret key can be obtained.