slides32 Flashcards
examples of vpn implementations
- Crypto IP Encapsulation (CIPE). A lightweight point-to-point protocol that layers over UDP
- ssh. This remote login protocol also has a VPN mode, but it layers over TCP
- OpenVPN (discussed later) tunnels over the transport layer SSL/TLS
pptp
Point-to-Point Tunneling Protocol
The Point-to-Point Tunneling Protocol (PPTP) is an obsolete method for implementing virtual private networks. PPTP has many well known security issues. PPTP uses a TCP control channel and a Generic Routing Encapsulation tunnel to encapsulate PPP packets.
pptp vulnerabilities
MS-CHAP-v1 is fundamentally insecure. Tools exist to trivially extract the NT Password hashes from a captured MSCHAP-v1 exchange.[6]
When using MS-CHAP-v1, MPPE uses the same RC4 session key for encryption in both directions of the communication flow. This can be cryptanalysed with standard methods by XORing the streams from each direction together.[7]
MS-CHAP-v2 is vulnerable to dictionary attacks on the captured challenge response packets. Tools exist to perform this process rapidly.[8]
In 2012, it was demonstrated that the complexity of a brute-force attack on an MS-CHAP-v2 key is equivalent to a brute-force attack on a single DES key. An online service was also demonstrated which is capable of decrypting an MS-CHAP-v2 MD4 passphrase in 23 hours.[9][10]
MPPE uses the RC4 stream cipher for encryption. There is no method for authentication of the ciphertext stream and therefore the ciphertext is vulnerable to a bit-flipping attack. An attacker could modify the stream in transit and adjust single bits to change the output stream without possibility of detection. These bit flips may be detected by the protocols themselves through checksums or other means.[6]
what implements security over the transport layer
The Secure Socket Layer (SSL) and its evolution Transport Layer Security (TLS)
You should only use TLS
where does TLS sit in the model
between app and trans
how is tls used by other secure protocols
Many protocols can layer over TLS (instead of TCP) to give a secure version
This is a relatively easy way of making secure protocols from insecure ones: just find the parts of code that read and write from IP sockets and change them to use TLS
HTTPS and SHTTP
HTTPS and SHTTP are not the same. However, both offer enhanced security over HTTP.
SHTTP (Secure Hypertext Transmission Protocol) is a more advanced version of HTTP that provides security through encryption.
HTTPS (Hypertext Transmission Protocol Secure) is normal HTTP over SSL/TLS.
SHTTP encrypts the data transfer but does not authenticate the client. Responsibility for authentication remains with the website.
HTTPS protects communication between the web server and the web browser, keeping the communication and data secure and private.
HTTP/2
HTTP/2 (originally named HTTP/2.0) is a major revision of the HTTP network protocol used by the World Wide Web. It was derived from the earlier experimental SPDY protocol, originally developed by Google.[1] HTTP/2[2] was developed by the Hypertext Transfer Protocol working group httpbis (where bis means “second”) of the Internet Engineering Task Force.[3] HTTP/2 is the first new version of HTTP since HTTP 1.1, which was standardized in RFC 2068 in 1997. The Working Group presented HTTP/2 to IESG for consideration as a Proposed Standard in December 2014,[4][5] and IESG approved it to publish as Proposed Standard on February 17, 2015.[6][7] The HTTP/2 specification was published as RFC 7540 in May 2015.[8]
STARTTLS
STARTTLS is an email protocol command that tells an email server that an email client, including an email client running in a web browser, wants to turn an existing insecure connection into a secure one.
Traffic analysis
watching where you go on the web
where are accesses to sub-sites trackable
So accesses to such sub-sites are trackable:
• in the DNS lookup of the sub-site name
• in the HTTPS SNI handshake that contains the name of the sub-site
DNS over HTTPS
In addition to improving security, another goal of DNS over HTTPS is to improve performance: testing of ISP DNS resolvers has shown that they have surprisingly slow response times in many cases, a problem that can be multiplied further by the need to resolve many addresses to deliver a single service such as a web page load.[1]
DNS over TLS
DNS over TLS (DoT) is a security protocol for encrypting and wrapping Domain Name System (DNS) queries and answers via the Transport Layer Security (TLS) protocol. The goal of the method is to increase user privacy and security by preventing eavesdropping and manipulation of DNS data via man-in-the-middle attacks.
costs of TLS
• A one-off overhead of (re)writing the application code to use TLS
• A per-connection overhead of TLS setup messages and the associated computation for checking certificates
• A per-packet overhead of data expansion in the encryption
• A per-packet overhead in the computation required to encrypt or decrypt the data
how does TLS go through the layering twice
The encapsulated data then goes down through the normal transport and network layers and is transmitted over the real physical layer
At the receiving end, the real transport layer hands the data to OpenVPN which decrypts and passes the resulting IP packets to the OS to pass up the rest of the stack
Of course, it is layering that allows all this to work! There is a cost of about 10% overhead in practice.