Security in the Internet: IPSec, SSL/TLS, PGP, VPN, and Firewalls Study Notes

IP Security (IPSec) is a collection of protocols designed by the IETF (Internet Engineering Task Force) to provide security for a packet at the network level.

IPSec operates in the transport mode or the tunnel mode.

In the transport mode, IPSec protects information delivered from the transport layer to the network layer. IPSec in the transport mode does not protect the IP header. The transport mode is normally used when we need host-to-host (end-to-end) protection of data.

In the tunnel mode, IPSec protects the whole IP packet, including the original IP header.

IPSec defines two protocols, the Authentication Header (AH) Protocol and the Encapsulating Security Payload (ESP) Protocol, to provide authentication, encryption, or both for packets at the IP level.

IPSec requires a logical relationship between two hosts called a security association (SA). IPSec uses a set of SAs called the security association database or SADB.

The Internet Key Exchange (IKE) is the protocol designed to create security associations, both inbound and outbound. IKE creates SAs for IPSec.

IKE is a complex protocol based on three other protocols: Oakley, SKEME, and ISAKMP.

A private network is used inside an organization.

An intranet is a private network that uses the Internet model. An extranet is an intranet that allows authorized access from outside users.

The Internet authorities have reserved addresses for private networks.

A virtual private network (VPN) provides privacy for LANs that must communicate through the global Internet.

A transport layer security protocol provides end-to-end security services for applications that use the services of a reliable transport layer protocol such as TCP.

Two protocols are dominant today for providing security at the transport layer: Secure Sockets Layer (SSL) and Transport Layer Security (TLS). The second is actually an IETF version of the first.

SSL is designed to provide security and compression services to data generated from the application layer. SSL can receive application data from any application-layer protocol, but in practice the protocol is normally HTTP.

SSL provides services such as fragmentation, compression, message integrity, confidentiality, and framing on data received from the application layer.

The combination of key exchange, hash, and encryption algorithms defines a cipher suite for each SSL session. The name of each suite is descriptive of the combination.

In e-mail there is no interactive session in which to negotiate parameters, so the cryptographic algorithms and secrets are sent with the message.

One security protocol for the e-mail system is Pretty Good Privacy (PGP). PGP was invented by Phil Zimmermann to provide privacy, integrity, and authentication in e-mail.

To exchange e-mail messages, a user needs a ring of public keys; one public key is needed for each e-mail correspondent.

PGP has also specified a ring of private/public key pairs to allow a user to change her pair of keys from time to time. PGP also allows each user to have different user IDs (e-mail addresses) for different groups of people.

PGP certification is different from X.509. In X.509, there is a single path from the fully trusted authority to any certificate. In PGP, there can be multiple paths from fully or partially trusted authorities.

PGP uses the idea of certificate trust levels.

When a user receives a certificate from an introducer, she stores the certificate under the name of the subject (certified entity) and assigns a level of trust to this certificate.
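To make the trust-level idea and the "multiple paths" contrast with X.509 concrete, here is a small Python evaluator of a PGP-style web of trust, added as an illustration; it is not code from the page or from any PGP implementation. The key names, the ring contents and the thresholds (one fully trusted or two partially trusted introducers, the classic PGP/GnuPG defaults) are assumptions of the example.

```python
# Toy PGP-style web-of-trust evaluator (illustration only, not from the page).
# In X.509 a certificate is valid through one chain to a single trusted CA; in
# PGP a key is valid once enough introducers the ring owner trusts have signed it.
FULL, PARTIAL, NONE = "full", "partial", "none"


def compute_validity(owner, signatures, trust,
                     completes_needed=1, marginals_needed=2, max_depth=5):
    """Return the set of key IDs the ring owner should treat as valid.

    signatures: key_id -> set of introducer key_ids that signed that key's certificate
    trust:      introducer key_id -> FULL / PARTIAL / NONE, assigned by the owner
    A signature counts only if the introducer's own key is already valid, the
    owner gave the introducer FULL or PARTIAL trust, and the path is short enough.
    The thresholds (1 full OR 2 partial) are the classic PGP/GnuPG defaults (assumed).
    """
    valid, depth = {owner}, {owner: 0}
    changed = True
    while changed:                          # propagate until nothing new becomes valid
        changed = False
        for key, signers in signatures.items():
            if key in valid:
                continue
            counted = [s for s in signers
                       if s in valid and depth[s] < max_depth
                       and trust.get(s, NONE) != NONE]
            fulls = sum(trust[s] == FULL for s in counted)
            partials = sum(trust[s] == PARTIAL for s in counted)
            if fulls >= completes_needed or partials >= marginals_needed:
                valid.add(key)
                depth[key] = 1 + min(depth[s] for s in counted)
                changed = True
    return valid


# Constructed sample ring with hypothetical names; "alice" owns the ring.
SIGNATURES = {
    "bob":     {"alice"},          # Alice certified Bob, Carol and Dave herself
    "carol":   {"alice"},
    "dave":    {"alice"},
    "eve":     {"carol", "dave"},  # two partially trusted introducers: two paths
    "frank":   {"carol"},          # one partially trusted introducer: not enough
    "grace":   {"bob"},            # one fully trusted introducer: enough
    "mallory": {"eve"},            # Eve's key is valid, but Alice gives her no trust
}
TRUST = {"alice": FULL, "bob": FULL, "carol": PARTIAL, "dave": PARTIAL, "eve": NONE}

if __name__ == "__main__":
    valid = compute_validity("alice", SIGNATURES, TRUST)
    for key in sorted(SIGNATURES):
        print(f"{key:8s} {'valid' if key in valid else 'NOT valid'}")
```

Note that Eve's key becomes valid only because two independent partially trusted paths reach it, which is exactly what a single-chain X.509 model cannot express.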
