22.4 TRANSPORT LAYER SECURITY


The TCP/IP stack does not provide the necessary security features, and security has become the most important issue, particularly when the Internet is used for e-commerce transactions. Users type in their credit card numbers, bank account numbers, and other confidential personal information, and this data can be stolen and misused. When confidential documents are transmitted over the Internet, it has to be ensured that unauthorized persons do not receive them. To achieve the desired security, a special software layer runs on top of TCP to provide privacy and confidentiality of the data over the Internet. This layer is known as transport layer security (TLS), also known by the name of its predecessor, the Secure Socket Layer (SSL).

TLS consists of two sublayers: the TLS record protocol, which runs above TCP, and the TLS handshake protocol, which runs above the TLS record protocol. The TLS record protocol provides connection security using cryptographic techniques such as DES (Data Encryption Standard), proposed by the U.S. Department of Defense. For each session, a unique key is generated, and all the data is encrypted using the chosen algorithm. The key is valid only for that session; a new session requires a new key. The key is negotiated between the two systems (for example, client and server) using the TLS handshake protocol.

The process for providing secure communication is as follows. When a client and a server have to exchange information over a secure communication link, the TLS handshake protocol lets the client and the server authenticate each other and negotiate the encryption algorithm and encryption keys before the application process transmits or receives its first byte of data. Once the client and the server agree on the algorithm and the keys, the TLS record protocol encrypts the application data and passes the encrypted data to the transport layer.
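The two handshake duties described above, mutual authentication and negotiation of the algorithm and keys before the first application byte, map directly onto the settings of a TLS client. The following example is added here and is not from the book; it uses Python's standard ssl module, and the certificate file paths and the peer name are hypothetical placeholders supplied by the caller.

```python
import socket
import ssl


def make_client_context(cafile=None, client_cert=None, client_key=None):
    """Client-side TLS policy: the server must authenticate itself, and the
    client authenticates too when a certificate and key are supplied."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse SSLv3, TLS 1.0 and 1.1
    ctx.verify_mode = ssl.CERT_REQUIRED           # a server certificate is mandatory...
    ctx.check_hostname = True                     # ...and must match the requested host
    if cafile:                                    # hypothetical trust-anchor file from caller
        ctx.load_verify_locations(cafile)
    else:
        ctx.load_default_certs()                  # system trust store
    if client_cert and client_key:                # hypothetical client credential paths
        ctx.load_cert_chain(client_cert, client_key)
    # Limit what the handshake may negotiate to forward-secret AEAD suites; the
    # DES-era suites mentioned in the text are not offered at all.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5")
    return ctx


def negotiable_suites(ctx):
    """Cipher suite names this context will offer in its ClientHello."""
    return [c["name"] for c in ctx.get_ciphers()]


def secure_connect(host, port, ctx, timeout=5.0):
    """TCP connect, then run the handshake; application data may only flow
    afterwards. Returns (tls socket, protocol version, negotiated suite)."""
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host, do_handshake_on_connect=False)
    tls.do_handshake()  # authentication and session-key negotiation happen here
    return tls, tls.version(), tls.cipher()[0]


if __name__ == "__main__":
    ctx = make_client_context()
    print("suites offered:", negotiable_suites(ctx))
    # tls, version, suite = secure_connect("example.com", 443, ctx)  # hypothetical peer
```

The session key itself is never visible to the application; each call to secure_connect() runs a fresh handshake and therefore gets its own key, which is the per-session property the text describes.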

Above the transport layer protocol (TCP or UDP), the application layer protocol will be running. We will discuss various application layer protocols in the next chapter.

To provide security while transferring the data, a layer called transport layer security (TLS) is introduced between the transport layer and the application layer. TLS consists of two sublayers: the TLS record protocol and the TLS handshake protocol.

Note

To provide secure communication, the two important features to be incorporated are authentication and encryption of data. Authentication ensures the genuineness of the users. Encryption transforms the bit stream using an encryption key, and the data can be decoded only if the encryption key is known to the receiver.

Summary

This chapter presented the details of the transport layer protocols used on the Internet. The transport layer is an end-to-end protocol: it is the responsibility of the transport layer to ensure that all the packets are put in sequence, to retransmit the packets if there are errors, and to report the status information. The Transmission Control Protocol (TCP) is a transport layer protocol that provides connection-oriented service. Between two end systems, a virtual connection is established by specifying the IP address and the port address. After the connection is established, data transfer takes place, and then the connection is removed. To provide the necessary security features, transport layer security (TLS) is another layer of software that can be run to provide the necessary encryption of data. The user datagram protocol (UDP) provides a connectionless service. The UDP datagram can contain only the source address, destination address, message length, and message. As a result, UDP is a very lightweight protocol, and high processing power is not required to analyze the UDP header. Hence, UDP is used for applications such as real-time voice/video communication. The formats of the TCP segment and the UDP datagram are also presented in this chapter.

References

  • W. R. Stevens. TCP/IP Illustrated, Vol. 1: The Protocols. Addison-Wesley, Reading, MA, 1994. This book gives a complete description of TCP and its implementation in Berkeley Unix.

  • D. E. Comer and D. L. Stevens. Internetworking with TCP/IP, Vol. III: Client/Server Programming and Applications, BSD Socket Version. Prentice Hall Inc., Englewood Cliffs, 1993.

  • http://www.ietf.org, the IETF home page. You can obtain the Requests for Comments (RFCs) that give the complete details of the protocols from this site.

Questions

  1. Explain the services of the transport layer protocol.

  2. Describe the TCP segment format.

  3. Describe the UDP datagram format.

  4. Explain the differences between TCP and UDP.

  5. Explain the transport layer security mechanism.

  6. Explain why TCP is not well suited for real-time communication.

Exercises

  1. Obtain the source code for a TCP/IP stack implementation from the Internet and study the code.

  2. Write a Java program to implement the UDP datagram.

  3. What is the silly window syndrome?

  4. In a satellite communication system, a file has to be transferred from the central station to a number of VSATs, but the VSATs are receive-only, and there is no communication from VSAT to the hub. Work out a procedure for the file transfer.

  5. Study the intricacies of the sliding-window protocol used in the TCP layer.

Answers

  1. The open source for a TCP/IP protocol stack is available with the Linux operating system.

  2. The Java code for the UDP server and UDP client is given in Listing C.6 and Listing C.7, respectively. The server software is used to transfer a file to the client. The server divides the file into UDP datagrams and sends them. The client will receive each datagram and assemble the file. This code can be tested in a LAN environment.

Listing C.6: UDP server software.

    import java.net.*;

    public class UDPServer {
        public static DatagramSocket ds;
        public static int buffer_size = 10;
        public static int serverport = 555;
        public static int clientport = 444;
        public static byte buffer[] = new byte[buffer_size];

        // Send one datagram carrying "Hello" to the client port on the local host
        public static void Server() throws Exception {
            byte b[] = { 'H', 'e', 'l', 'l', 'o' };
            ds.send(new DatagramPacket(b, b.length, InetAddress.getLocalHost(), clientport));
        }

        public static void main(String args[]) {
            try {
                System.out.println("Server is ready");
                ds = new DatagramSocket(serverport);
                Server();
            } catch (Exception e) {
                e.printStackTrace();
            }
        }
    }

Listing C.7: UDP client software.

    import java.net.*;

    public class UDPClient {
        public static DatagramSocket ds;
        // Receive buffer: a datagram longer than this is silently truncated on receipt
        public static int buffer_size = 5;
        public static int serverport = 555;
        public static int clientport = 444;
        public static byte buffer[] = new byte[buffer_size];

        // Receive datagrams forever and print the payload bytes of each one
        public static void Client() throws Exception {
            while (true) {
                DatagramPacket dp = new DatagramPacket(buffer, buffer.length);
                ds.receive(dp);
                byte b[] = dp.getData();
                // Only dp.getLength() bytes are valid. The original loop ran to
                // i <= b.length, one past the end of the array, and threw
                // ArrayIndexOutOfBoundsException after printing the payload.
                for (int i = 0; i < dp.getLength(); i++)
                    System.out.print((char) b[i] + " ");
                System.out.println();
            }
        }

        public static void main(String args[]) {
            try {
                System.out.println("Client is ready");
                ds = new DatagramSocket(clientport);
                Client();
            } catch (Exception e) {
                e.printStackTrace();
            }
        }
    }

  3. In the sliding window protocol used in TCP, the receiver must advertise its window size. The receiver may advertise a small window size for various reasons, such as its buffer being full. In such a case, the sender has to transmit small segments. This results in inefficient utilization of the bandwidth. To avoid this problem, the receiver may delay advertising a new window size, or the sender may delay sending the data when the window size is small.

  4. In a satellite communication system, if the VSATs are receive-only, it is not possible for a VSAT to send an acknowledgement to the server located at the hub. In such a case, the server at the hub has to use UDP as the transport layer to transmit the file. The server software will divide the file into UDP segments and broadcast each datagram. The datagram contains the VSAT address as the destination address. The VSAT will receive the datagrams and assemble the file.

  5. In the sliding window protocol used in the TCP layer, the receiver has to advertise the window size, and the sender must adhere to this size. This may cause the silly window syndrome.

Projects

  1. Using open source TCP/IP software, develop a LAN analyzer. The LAN analyzer has to capture each packet that is broadcast by the nodes and calculate the number of packets transmitted per second. It also has to display the traffic matrix, which indicates the number of packets transmitted from one node to another node. You need to analyze each packet for its source address and destination address.

  2. Write software that captures the packets being transmitted on the LAN and checks whether the user data portion of the packet contains a keyword. The GUI should facilitate giving a keyword. For instance, if the keyword is specified as "Professor," the software has to check whether the word "Professor" is present in the user data portion of the packet.


Principles of Digital Communication Systems and Computer Networks (Charles River Media Computer Engineering)
ISBN: 1584503297
Year: 2003
Pages: 313
Author: K V Prasad
