Lecture 20: PGP, IPSec, SSL/TLS, and Tor Protocols. After studying this chapter you will be able to understand: PGP: A case study in email security, key management issues in PGP, packet-level security with IPSec, transport Layer Security with SSL/TLS, heartbeat extension to the SSL/TLS protocol, the tor protocol for anonymized routing. | Lecture 20: PGP, IPSec, SSL/TLS, and Tor Protocols Lecture Notes on “Computer and Network Security” by Avi Kak (kak@) March 29, 2016 4:00pm c 2016 Avinash Kak, Purdue University Goals: • PGP: A case study in email security • Key management issues in PGP • Packet-level security with IPSec • Transport Layer Security with SSL/TLS • Heartbeat Extension to the SSL/TLS protocol • The Tor protocol for anonymized routing CONTENTS Section Title Page Providing Security for Internet Applications 3 Application Layer Security — PGP for Email Security 8 Key Management Issues in PGP and PGP’s Web of Trust IPSec – Providing Security at the Packet Layer 15 25 IPv4 and IPv6 Packet Headers 30 IPSec: Authentication Header (AH) 33 IPSec: Encapsulating Security Payload (ESP) and Its Header 40 IPSec Key Exchange 47 SSL/TLS for Transport Layer Security 50 The Twin Concepts of “SSL Connection” and “SSL Session” 56 The SSL Record Protocol 60 The SSL Handshake Protocol 63 The Heartbeat Extension to the SSL/TLS Protocol 68 The Tor Protocol for Anonymized Routing 72 Homework Problems 86 2 Computer and Network Security by Avi Kak Lecture 20 : PROVIDING SECURITY FOR INTERNET APPLICATIONS • As described in detail in my previous lectures, there are three fundamental aspects to providing information security in internet applications: – authentication – confidentiality – key management • As shown in Figure 1, information security may be provided at different layers in the internet suite of communication protocols: – We can provide security services in the Network Layer by using, say, the IPSec protocol, as shown in part (a) of Figure 1. While eliminating (or reducing) the need for higher level protocols to provide security, this approach, if solely relied upon, makes it difficult to customize the security policies to specific applications. It .