Standards and Protocols




Unless achieving the Security+ certification is but one step in your ultimate goal of becoming a security-related software developer, you will most likely be using the readily available tools that have become standard. The evolution of cryptography began long before the computer came around, but the digital family of techniques is by far the most effective to date. This family has some old-timers that are still employed as well as many newcomers that are constantly changing the way we share our secrets. Numerous security-related protocols are an integral part of this family.

A protocol contains a set of instructions for transmitting data from point A to point B. Applications and hardware devices are developed to take advantage of the benefits that a given protocol offers. This is as true in the field of security as it is in the online gaming world, where the need for speed determines which protocols are used. In cryptography, speed is considered, but ultimately the strength of the cipher is what counts most. Some protocols are faster than others. Some are free to use while some are not. Some have superb encryption capabilities while others are merely acceptable.

Let’s take a closer look at the security-flavored, protocol-enriched alphabet soup that you’ll likely get a mouthful of while sitting at the exam.

Secure Hypertext Transfer Protocol (Secure HTTP)

SHTTP (Secure HTTP) is a message-oriented communications protocol developed for use alongside HTTP. Its developers sought to offer a protocol that would work naturally with HTTP applications, emulating HTTP’s methods and language rules.

SHTTP can support many different key management schemes, trust models, algorithms, and encapsulation techniques. Its flexibility makes it well suited for client/server-based Web applications such as online purchases that require sensitive data to be entered into forms. Because SHTTP supports end-to-end secure transmissions, sensitive data is encrypted from the moment it leaves a user’s screen. This distinguishes it from older HTTP security schemes where the client had to first send data in plain text and be denied access before any encryption was in effect. Multiple cryptographic formatting techniques, such as PKCS #7 and MOSS, can be integrated into SHTTP clients and servers.

SSL (Secure Sockets Layer)

The Secure Sockets Layer protocol, developed by Netscape Communications Corporation, is the industry-standard technique for securing browser-based transmissions. It’s what’s being implemented behind the scenes when you visit a site whose URL begins with https://. Because it’s built into all major Web servers and browsers alike, SSL stands ready for operation once a digital certificate is installed on the server.

Utilizing public-key cryptography, SSL supports 128-bit session keys, providing strong encryption for events such as Web-based purchases. When you request an SSL-secured URL, the Web server responds by sending out its digital certificate, thus authenticating itself. Your browser generates a unique session key, encrypted with the server’s public key, which encodes all communications with the Web server. This method ensures that the Web server you are communicating with is the only machine that will be able to decipher your transmissions. Once an SSL session has been established, you might see the telltale padlock appear in your browser’s window, indicating that a secure session has been established.

Note 

The use of SSL requires that a certificate be installed on the server that authenticates it.
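The key-transport step described above (server presents its certificate, browser draws a session key and encrypts it under the server's public key, only the genuine server can unwrap it) is shown here as an added example written for this page; it is not code from the book and it is not an SSL implementation. It uses only the Go standard library: RSA-OAEP stands in for the certificate's public-key operation, and AES-GCM stands in for the symmetric cipher that protects the records once the session key is shared. The request string and the key sizes are constructed for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// sessionKeyBytes is 16 bytes, i.e. the 128-bit session key mentioned in the text.
const sessionKeyBytes = 16

// clientKeyExchange is the browser's step after it receives the server's
// certificate: draw a fresh random session key and encrypt it with the public
// key taken from that certificate. It returns the plaintext key (kept by the
// client) and the wrapped copy that goes over the wire.
func clientKeyExchange(serverPub *rsa.PublicKey) (sessionKey, wrapped []byte, err error) {
	sessionKey = make([]byte, sessionKeyBytes)
	if _, err = rand.Read(sessionKey); err != nil {
		return nil, nil, err
	}
	wrapped, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, serverPub, sessionKey, nil)
	return sessionKey, wrapped, err
}

// serverKeyExchange is the server's step: unwrap the session key with its
// private key. A machine holding a different key pair cannot do this.
func serverKeyExchange(serverPriv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, serverPriv, wrapped, nil)
}

// sealRecord encrypts and authenticates one application record under the
// session key (AES-GCM, a constructed stand-in for the SSL record cipher).
func sealRecord(sessionKey, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// openRecord reverses sealRecord; it fails if the key is wrong or the record
// was altered in transit.
func openRecord(sessionKey, record []byte) ([]byte, error) {
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(record) < gcm.NonceSize() {
		return nil, errors.New("record too short")
	}
	nonce, ct := record[:gcm.NonceSize()], record[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// runSession plays one secured exchange end to end and reports whether the
// server recovered the same session key and could read the client's request.
func runSession(serverPriv *rsa.PrivateKey, request []byte) (bool, error) {
	sessionKey, wrapped, err := clientKeyExchange(&serverPriv.PublicKey)
	if err != nil {
		return false, err
	}
	serverKey, err := serverKeyExchange(serverPriv, wrapped)
	if err != nil {
		return false, err
	}
	record, err := sealRecord(sessionKey, request)
	if err != nil {
		return false, err
	}
	got, err := openRecord(serverKey, record)
	if err != nil {
		return false, err
	}
	return bytes.Equal(serverKey, sessionKey) && bytes.Equal(got, request), nil
}

func main() {
	serverPriv, err := rsa.GenerateKey(rand.Reader, 2048) // the key behind the server's certificate
	if err != nil {
		panic(err)
	}
	ok, err := runSession(serverPriv, []byte("POST /checkout (constructed request)"))
	fmt.Println("genuine server reads the request:", ok, err)

	// A machine holding some other key pair cannot unwrap the session key.
	impostor, _ := rsa.GenerateKey(rand.Reader, 2048)
	_, wrapped, _ := clientKeyExchange(&serverPriv.PublicKey)
	_, err = serverKeyExchange(impostor, wrapped)
	fmt.Println("other key pair fails to unwrap:", err != nil)
}
```

The point to take from the run is the one the text makes: the session key never travels in the clear, and the certificate's public key pins the session to whoever holds the matching private key. Real SSL/TLS adds certificate-chain validation, handshake transcripts and (in modern versions) forward-secret key agreement on top of this skeleton.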

Secure/Multipurpose Internet Mail Extensions (S/MIME)

Modeled after the Internet MIME standard, S/MIME provides the ability to transfer secure MIME data. Originally conceived by RSA Data Security, Inc., S/MIME creates messages in the PKCS #7 data format and follows the X.509v3 format for digital certificates. S/MIME is simply a version of MIME that adds public-key encryption for secure e-mail transmissions. Almost all corporate e-mail software developers have embraced S/MIME and provided products that support it. S/MIME presents us with a secure e-mail standard that provides authentication, encryption, message integrity, and proof of origin using Digital Signatures. Although Internet messaging is where S/MIME is most widely used, it can also be put to use by any method that supports MIME data—for example, HTTP transfers.

Secure Shell (SSH)

SSH is a standard protocol for securing remote connections over the Internet. SSH is widely used to encrypt all data transferred between two configured ports. SSH runs at the Application layer of the TCP/IP stack and is broken into three major parts.

First, the transport layer protocol (SSH-TRANS) provides server authentication and can also provide data compression. Second, the user authentication protocol (SSH-USERAUTH) authenticates the client to the server. Finally, the connection protocol (SSH-CONN) handles the tunneling of the data stream efficiently.

SSH can support a variety of public-key and symmetric algorithms, including DSA, RSA, DES, Blowfish, Twofish, and more. SSH is also used in remote management solutions where an administrator needs a secure path to a server across the Internet. It is even touted as a total replacement for the FTP and Telnet protocols, as it provides all of their functionality while enabling strong encryption.

Domain Name System Security (DNSSEC)

When the DNS system was conceived, security was not part of the plan. Because almost every Web-based transmission relies on this vital hierarchical database of server names and IP addresses, it became clear that a method of securing this vulnerable system was needed. DNSSEC addresses this concern by using public-key technology to generate a digital signature on the zone data contained within a DNS server. The security concern is that if DNS data were altered by an unauthorized person, a user might be led to a masquerading Web site upon entering a trusted URL. This could result in the inadvertent release of information (such as a credit card number), or a rogue competitor actually stealing customers.

To ensure that DNS data is authentic, DNSSEC (which is actually multiple extensions to the DNS protocol) offers a way for administrators to create a hash value of the DNS data and then encrypt it using a private key. Web surfers essentially use the public key of the key pair to decrypt the hash. If there is a match, then the data is considered good. The added amount of data required by a DNSSEC-enabled DNS server could occupy almost 10 times as much space, making the price tag potentially high for secure DNS.
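The hash-then-sign-with-the-private-key scheme described above, and the check a resolver performs with the public key, is shown here as an added example written for this page; it is not code from the book and it is not a DNSSEC implementation (real DNSSEC signs individual record sets into RRSIG records and carries the public key in a DNSKEY record). It uses the Go standard library's RSA with SHA-256, which is one of the algorithms DNSSEC actually allows; the zone records, the names and the addresses are constructed for the demonstration. The tamper case shows what happens when one A record is pointed elsewhere, and sizeOverhead gives a rough feel for why signed zones take more space than unsigned ones.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"sort"
	"strings"
)

// zoneRecords is constructed zone data standing in for a few resource records.
var zoneRecords = []string{
	"example.test. 3600 IN A 192.0.2.10",
	"www.example.test. 3600 IN A 192.0.2.10",
	"example.test. 3600 IN MX 10 mail.example.test.",
}

// canonicalZone puts the records into a fixed order and joins them, so the
// signer and the verifier hash exactly the same bytes regardless of the
// order in which the records were stored or received.
func canonicalZone(records []string) []byte {
	sorted := append([]string(nil), records...)
	sort.Strings(sorted)
	return []byte(strings.Join(sorted, "\n") + "\n")
}

// signZone hashes the zone data and "encrypts" the hash with the private key,
// that is, it produces an RSA PKCS #1 v1.5 signature over the SHA-256 digest.
func signZone(priv *rsa.PrivateKey, records []string) ([]byte, error) {
	digest := sha256.Sum256(canonicalZone(records))
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// verifyZone recomputes the hash from the data the resolver received and
// checks it against the signature using the zone's public key. A mismatch
// means the data or the signature was altered, or the wrong key was used.
func verifyZone(pub *rsa.PublicKey, records []string, sig []byte) bool {
	digest := sha256.Sum256(canonicalZone(records))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

// tamper returns a copy of the records with the www A record pointed at a
// different (constructed) address, the kind of change that would send users
// to a masquerading site.
func tamper(records []string) []string {
	out := append([]string(nil), records...)
	for i, r := range out {
		if strings.HasPrefix(r, "www.") {
			out[i] = strings.Replace(r, "192.0.2.10", "198.51.100.7", 1)
		}
	}
	return out
}

// sizeOverhead reports (zone data + one signature) / zone data, as a rough
// illustration of the extra space signed DNS data needs.
func sizeOverhead(records []string, sig []byte) float64 {
	plain := len(canonicalZone(records))
	return float64(plain+len(sig)) / float64(plain)
}

func main() {
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // the zone's signing key pair
	if err != nil {
		panic(err)
	}
	sig, err := signZone(priv, zoneRecords)
	if err != nil {
		panic(err)
	}
	pub := &priv.PublicKey
	fmt.Println("authentic zone verifies:", verifyZone(pub, zoneRecords, sig))
	fmt.Println("altered zone verifies:  ", verifyZone(pub, tamper(zoneRecords), sig))
	fmt.Printf("signed/unsigned size: %.1fx\n", sizeOverhead(zoneRecords, sig))
}
```

Note that canonicalization matters as much as the signature itself: if signer and verifier disagree on the byte layout of the records, valid data fails to verify, which is why DNSSEC defines a canonical form for names and record sets.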

Additional security-related protocols are discussed in Chapters 2, 3, and 4. A few that should be reviewed include PAP, CHAP, TACACS, RADIUS, IPSec, and Kerberos.






The Security+ Exam Guide (TestTaker's Guide Series)
Security + Exam Guide (Charles River Media Networking/Security)
ISBN: 1584502517
Year: 2003
Pages: 136
