4 Jan 2015 SE 428: Advanced Computer Networks 1
Email, SNMP, Securing the Web: SSL
Topics for Today
• Email (SMTP, POP)
• Network Management (SNMP)
– ASN.1
• Securing the Web: SSL/TLS
Email
• A family of application-level protocols (like HTTP)
• Distinguish:
1. User interface (mail reader: Thunderbird, Outlook)
2. Message transfer protocols (SMTP for submission and relay; POP and IMAP for access)
3. Companion formats (message formatting: RFC 5322, formerly RFC 822; MIME)
[Figure: mail path from the sender's mail server over SMTP (server to server) to the receiver's server, then a mail access protocol (POP/IMAP) to the reader]
Simple Mail Transfer Protocol
• Used to move mail from sender to server (submission) and from server to server (relay)
– Request/reply conversation style: text commands, three-digit reply codes
– Authentication possible (AUTH with a password; the connection itself protected by SSL/TLS, either implicit or via STARTTLS)
Steps:
1. Greeting (HELO, or EHLO for the extended protocol) with the client's host name
2. Envelope
– MAIL FROM (sender; must come first)
– RCPT TO (one per recipient)
3. Data
– Formatted according to the rules in RFC 5322 or MIME
– Ends with a single period (.) on a line by itself
SMTP Trace
SMTP Misc
• Verify that a mail address exists: VRFY
– The server can refuse to answer
– Can answer only for local mailboxes, or check further
– Usually disabled (or answered non-committally with a 252 reply) for security: otherwise it lets an attacker enumerate valid users
• Expand a name: EXPN
– Expands a mailing-list name to its full list of members
– Often disabled for security, for the same reason
• Only a few common implementations
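The trace slide is not reproduced here. As an added example (not code from the lecture), the following Python is a toy SMTP server-side state machine that enforces the command order of the Steps slide (greeting, MAIL FROM before RCPT TO, DATA terminated by a lone period, with dot-stuffing undone) and answers VRFY and EXPN the way a hardened server does. The host name, the local user directory and the scripted client lines are constructed for the example; ESMTP parameters such as SIZE are deliberately not parsed.

```python
"""Toy SMTP server-side state machine (added example; not the lecture's trace)."""
import re

# Envelope addresses: MAIL FROM:<reverse-path> / RCPT TO:<forward-path>.
# Parameters after the address (e.g. SIZE=...) are not handled in this toy.
ADDRESS_RE = re.compile(r"^(FROM|TO):\s*<([^<>]*)>$", re.IGNORECASE)


class SmtpSession:
    def __init__(self, hostname="mx.example.test", allow_vrfy=False):
        self.hostname = hostname          # hypothetical host name
        self.allow_vrfy = allow_vrfy      # hardened default: do not confirm users
        self.local_users = {"bob"}        # constructed directory for VRFY
        self.messages = []                # accepted (sender, recipients, body lines)
        self.greeted = False
        self.in_data = False
        self._reset_envelope()

    def _reset_envelope(self):
        self.mail_from, self.rcpt_to, self.body = None, [], []

    def greeting(self):
        return "220 %s ESMTP ready" % self.hostname

    def handle(self, line):
        """Process one client line; return the reply, or None while inside DATA."""
        line = line.rstrip("\r\n")
        if self.in_data:
            return self._data_line(line)
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            self.greeted = True
            self._reset_envelope()
            return "250 %s Hello %s" % (self.hostname, arg or "unknown")
        if verb == "MAIL":
            if not self.greeted:
                return "503 Send HELO/EHLO first"
            m = ADDRESS_RE.match(arg)
            if not m or m.group(1).upper() != "FROM":
                return "501 Syntax: MAIL FROM:<address>"
            self._reset_envelope()
            self.mail_from = m.group(2)   # "" is the null reverse-path used for bounces
            return "250 OK"
        if verb == "RCPT":
            if self.mail_from is None:   # envelope order: MAIL FROM must come first
                return "503 Need MAIL FROM before RCPT TO"
            m = ADDRESS_RE.match(arg)
            if not m or m.group(1).upper() != "TO" or not m.group(2):
                return "501 Syntax: RCPT TO:<address>"
            self.rcpt_to.append(m.group(2))
            return "250 OK"
        if verb == "DATA":
            if not self.rcpt_to:
                return "503 Need RCPT TO before DATA"
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "VRFY":
            if not self.allow_vrfy:      # non-committal answer: no user enumeration
                return "252 Cannot VRFY user, but will accept message and attempt delivery"
            return "250 %s" % arg if arg in self.local_users else "550 No such user"
        if verb == "EXPN":               # list expansion refused outright
            return "502 EXPN not implemented"
        if verb == "RSET":
            self._reset_envelope()
            return "250 OK"
        if verb == "QUIT":
            return "221 %s closing connection" % self.hostname
        return "500 Command not recognized"

    def _data_line(self, line):
        if line == ".":                  # lone period terminates the message
            self.in_data = False
            self.messages.append((self.mail_from, list(self.rcpt_to), list(self.body)))
            self._reset_envelope()
            return "250 OK: queued as %d" % len(self.messages)
        # Undo dot-stuffing: a body line that began with "." was sent with an extra "."
        self.body.append(line[1:] if line.startswith(".") else line)
        return None


def run_session(client_lines, **kw):
    """Feed a scripted client dialogue; return (server replies in order, session)."""
    session = SmtpSession(**kw)
    replies = [session.greeting()]
    for line in client_lines:
        reply = session.handle(line)
        if reply is not None:
            replies.append(reply)
    return replies, session
```

Feeding `run_session` the sequence EHLO, RCPT TO (too early), MAIL FROM, RCPT TO, DATA, body, ".", VRFY, EXPN, QUIT yields the reply codes 220, 250, 503, 250, 250, 354, 250, 252, 502, 221; the out-of-order RCPT is rejected and neither VRFY nor EXPN leaks whether a mailbox exists.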
Post Office Protocol - POP
• Download emails from the server
– Can delete them after download
• Commands (one per line; replies are +OK or -ERR):
• USER (mailbox name)
• PASS (password; sent in cleartext unless the connection is wrapped in SSL/TLS)
• LIST (message numbers and sizes)
• RETR (fetch a message)
• STAT (mailbox size)
• DELE (mark a message for deletion)
• UIDL (unique IDs, so a client can tell which messages it has already seen)
Internet Message Access Protocol - IMAP
• Designed to leave messages on the server
– Internal folders
– Move messages across folders
– Search folders
• More flexible retrieval
– Just mail headers
– Just single attachments
• Much more complicated
POP Trace
RFC 5322 (formerly RFC 822)
• Header lines
– From
– To
– Subject
– Received (one added by each server that relays the message)
– Date
• All mail is encoded in ASCII (7 bits)
Multipurpose Internet Mail Extensions (MIME)
• Header lines:
– Content-Description
– Content-Type
• image/gif
• image/png
• text/plain
• text/richtext
• application/postscript
• application/msword
– Content-Transfer-Encoding
• 7bit (plain ASCII), quoted-printable or base64
• Encoding scheme (base64)
– Everything in ASCII characters
– Uses 64 values (A-Z, a-z, 0-9, +, /), with = as padding
– Encodes every 3 bytes as 4 characters
MIME Example
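The example slide is not reproduced here. As an added example (not from the lecture), the Python below does base64 by hand exactly as the slide describes (3 bytes in, 4 characters out, with = padding), then builds a two-part MIME message with the standard library and parses it back to show which part is sent 7bit and which is sent base64. The addresses and the attachment bytes are constructed; the attachment is only a PNG signature plus filler, not a real image.

```python
"""MIME and base64 worked example (added; not the lecture's example)."""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

B64_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def b64_encode(data):
    """Base64 by hand: each 3 input bytes (24 bits) become 4 six-bit symbols; '=' pads the tail."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        n = int.from_bytes(chunk.ljust(3, b"\0"), "big")          # 24-bit group, zero-filled
        syms = [B64_ALPHABET[(n >> shift) & 0x3F] for shift in (18, 12, 6, 0)]
        pad = 3 - len(chunk)                                       # 0, 1 or 2 missing bytes
        out.append("".join(syms[:4 - pad]) + "=" * pad)
    return "".join(out)


# Constructed attachment: PNG signature followed by filler, not a valid image.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + bytes(range(16))


def build_message(attachment=SAMPLE_PNG):
    """Return the raw bytes of a multipart/mixed message: text/plain + image/png."""
    msg = EmailMessage()
    msg["From"] = "alice@example.test"      # hypothetical addresses
    msg["To"] = "bob@example.test"
    msg["Subject"] = "MIME example"
    msg.set_content("Hello Bob, the picture is attached.\n")      # ASCII text: stays 7bit
    msg.add_attachment(attachment, maintype="image", subtype="png",
                       filename="pixel.png")                       # binary: base64
    return msg.as_bytes()


def parse_message(raw):
    """Return [(content_type, transfer_encoding, decoded_payload)] for each leaf part."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    parts = []
    for part in msg.walk():
        if part.is_multipart():
            continue                                               # skip the container
        parts.append((part.get_content_type(),
                      str(part["Content-Transfer-Encoding"]),
                      part.get_payload(decode=True)))              # undo base64/7bit
    return parts
```

`b64_encode(b"Man")` gives `TWFu`, and `b64_encode(b"M")` gives `TQ==`; in the built message the text part carries `Content-Transfer-Encoding: 7bit` while the attachment carries `base64`, and decoding the parsed attachment returns the original bytes.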
So Far
• Email (SMTP, POP)
• Network Management (SNMP)
– ASN.1
• Secure Sockets Layer
Network Management
• When you have hundreds of servers and routers, it's hard to manage them all manually, so a remote protocol lets the network admin track their status
• Simple Network Management Protocol (SNMP)
– Request/reply protocol (GET/SET)
– SNMPv1 and v2c authenticate only with a "community string" sent in the clear; SNMPv3 adds real authentication and encryption
• Requests from network nodes the values of variables defined in the Management Information Base (MIB), grouped by type:
– System: general parameters
– Interfaces: physical addresses, packets sent on each interface
– Address translation: ARP and translation tables
– IP: routing table, number of successfully routed packets, reassembly, drops
• Used to build dashboards
Abstract Syntax Notation (ASN.1)
• Basic Encoding Rules (BER)
• Data items in the form <tag, length, value>
– Tag: 8-bit field (can be multibyte when the tag number is 31 or more)
– Length: how many bytes of value follow
• Up to 127 bytes: one length byte holds the length itself (short form)
• Longer: the first byte says how many bytes of length follow, and those bytes hold the length (long form)
– Value can nest other data items (constructed types such as SEQUENCE)
ASN.1 in SNMP
• Variables (object identifiers) listed in dot notation
– 1.3.6.1.2.1.4.3: the IP-group field called ipInReceives (number of IP datagrams received)
– 1.3.6.1.2.1: prefix of all standard MIB-II fields
– 4 is the IP group
– 3 is the ipInReceives field
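To make the two ASN.1 slides concrete, here is an added example (not code from the lecture) in Python: a small BER encoder and decoder covering multibyte tags, short- and long-form lengths and nested constructed items, plus the OID packing that turns 1.3.6.1.2.1.4.3 into bytes. The sample message is a constructed SEQUENCE of a version INTEGER, an OCTET STRING community and that OID, built only to exercise the decoder; it is not a complete SNMP PDU. The decoder rejects a length that runs past the buffer, which is the first check a real parser on an untrusted network needs.

```python
"""Minimal BER (tag, length, value) codec and SNMP-style OID packing (added example)."""
from collections import namedtuple

Tlv = namedtuple("Tlv", "cls constructed number value")   # value: bytes or list[Tlv]

UNIVERSAL, APPLICATION, CONTEXT, PRIVATE = 0, 1, 2, 3     # tag class (top two bits)
INTEGER, OCTET_STRING, OID, SEQUENCE = 2, 4, 6, 16        # universal tag numbers used here


def _base128(n):
    """Big-endian base-128 with continuation bit set on all but the last byte."""
    out = [n & 0x7F]
    n >>= 7
    while n:
        out.append(0x80 | (n & 0x7F))
        n >>= 7
    return bytes(reversed(out))


def encode_length(n):
    if n < 128:                                   # short form: the byte is the length
        return bytes([n])
    nbytes = (n.bit_length() + 7) // 8            # long form: 0x80|count, then the length
    return bytes([0x80 | nbytes]) + n.to_bytes(nbytes, "big")


def encode(cls, constructed, number, payload):
    first = (cls << 6) | (0x20 if constructed else 0)
    if number < 31:
        tag = bytes([first | number])
    else:                                         # multibyte tag: 0x1F marker, then base-128 number
        tag = bytes([first | 0x1F]) + _base128(number)
    return tag + encode_length(len(payload)) + payload


def encode_oid(dotted):
    """OID packing: first two arcs combine as 40*a0+a1, every arc is base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    body = b"".join(_base128(a) for a in [40 * arcs[0] + arcs[1]] + arcs[2:])
    return encode(UNIVERSAL, False, OID, body)


def decode_oid(body):
    arcs, n = [], 0
    for b in body:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    first = arcs[0]
    lead = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    return ".".join(str(a) for a in lead + arcs[1:])


def decode(buf, pos=0):
    """Decode one TLV at buf[pos]; return (Tlv, position after it). Nested items recurse."""
    first = buf[pos]
    pos += 1
    cls, constructed, number = first >> 6, bool(first & 0x20), first & 0x1F
    if number == 0x1F:                            # multibyte tag number
        number = 0
        while True:
            b = buf[pos]
            pos += 1
            number = (number << 7) | (b & 0x7F)
            if not b & 0x80:
                break
    lb = buf[pos]
    pos += 1
    if lb & 0x80:                                 # long form
        nbytes = lb & 0x7F
        if nbytes == 0:
            raise ValueError("indefinite length not supported")
        if pos + nbytes > len(buf):
            raise ValueError("truncated length field")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = lb
    end = pos + length
    if end > len(buf):                            # the classic malformed-BER case: refuse it
        raise ValueError("length %d exceeds buffer" % length)
    if constructed:
        children = []
        while pos < end:
            child, pos = decode(buf, pos)
            children.append(child)
        return Tlv(cls, True, number, children), end
    return Tlv(cls, False, number, bytes(buf[pos:end])), end


def is_malformed(buf):
    try:
        decode(buf)
        return False
    except (ValueError, IndexError):
        return True


def sample_message():
    """Constructed SEQUENCE { INTEGER 0, OCTET STRING "public", OID ipInReceives } (not a full PDU)."""
    return encode(UNIVERSAL, True, SEQUENCE,
                  encode(UNIVERSAL, False, INTEGER, b"\x00")
                  + encode(UNIVERSAL, False, OCTET_STRING, b"public")
                  + encode_oid("1.3.6.1.2.1.4.3"))
```

`encode_oid("1.3.6.1.2.1.4.3")` yields `06 07 2b 06 01 02 01 04 03`: tag 6, length 7, then 43 (=40*1+3), 6, 1, 2, 1, 4, 3. A 300-byte OCTET STRING gets the long-form header `04 82 01 2c`, and `decode(b"\x04\x05abc")` raises because the declared length exceeds the buffer.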
So Far
• Email (SMTP, POP)
• Network Management (SNMP)
– ASN.1
• Secure Sockets Layer
Secure Sockets Layer
• Secure Sockets Layer (SSL) for securing the Web
– Official name: Transport Layer Security (TLS) Protocol
• Designed by Netscape (SSL 3.0 in 1996)
– Adopted by the IETF
– Now in RFC 5246: TLS 1.2, August 2008
– Many extensions and applications outside the web
• Most important use is on the web (HTTP over TLS)
– Commonly called HTTPS
Secure Sockets Layer
Main goal: establish a secure communication channel between two computers
• Engineering security
– Different operating systems (easy)
– Different cryptographic services (harder)
– Different versions (harder)
– No trusted third party (?)
– One side may not have any authentication tokens (harder)
• Also:
– It must be efficient
– It must be flexible
Secure Sockets Layer
• Solution: add another layer in the protocol stack on top of TCP
Sessions and Connections
• Setting up a secure conversation involves online negotiation
– Expensive! 2 RTTs minimum for a full handshake, plus the public-key operations
• Web content is sent in a series of requests
– Each request (connection) gets one item; HTTP 1.1 changes this a bit with persistent connections
– That shouldn't mean we negotiate for each request!
• Solution: long-running Sessions and short-lived Connections
– Do the full negotiation once per session; later connections resume it and only derive fresh keys
The SSL Protocols
• SSL Record Protocol: move data
• SSL Handshake Protocol: negotiate security decisions
• SSL Change Cipher Spec: activate the negotiated security decisions
SSL Record Protocol
1. Fragment data into blocks of 2^14 bytes (16,384) or less
2. Compress (optional; disabled in practice and removed in TLS 1.3)
3. Message Authentication Code (keyed hash, HMAC)
4. Encrypt
5. Prepend header
• Content type (protocol), version, length
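The five steps above as runnable Python, added here as an example rather than taken from the lecture or from any TLS library: fragment to at most 2^14 bytes, HMAC-SHA256 over the sequence number, header fields and fragment (the TLS 1.2 MAC input), encrypt fragment plus MAC, then prepend the 5-byte header. Compression is skipped. The keys are constructed constants, and the stream cipher is a stand-in keystream derived with HMAC in counter mode so the block runs without a crypto library; it is not a TLS cipher suite. The receiver side shows the checks a record layer must do before trusting a record: header sanity, then MAC comparison in constant time, so a tampered or replayed record is rejected.

```python
"""SSL/TLS record layer: fragment, MAC, encrypt, header (added example, toy cipher)."""
import hashlib
import hmac
import struct

MAX_FRAGMENT = 2 ** 14                          # 16,384 bytes of plaintext per record
TLS12 = b"\x03\x03"                             # version bytes in the record header
CHANGE_CIPHER_SPEC, ALERT, HANDSHAKE, APPLICATION_DATA = 20, 21, 22, 23
MAC_LEN = 32                                    # HMAC-SHA256 output
KEYS = {"mac": b"\x11" * 32, "enc": b"\x22" * 32}   # constructed; real ones come from the handshake


def fragment(data, limit=MAX_FRAGMENT):
    return [data[i:i + limit] for i in range(0, len(data), limit)] or [b""]


def record_mac(mac_key, seq, ctype, frag):
    """TLS 1.2 MAC input: seq_num(8) || type(1) || version(2) || length(2) || fragment."""
    header = struct.pack(">QB2sH", seq, ctype, TLS12, len(frag))
    return hmac.new(mac_key, header + frag, hashlib.sha256).digest()


def keystream(enc_key, seq, n):
    """Stand-in stream cipher: HMAC-SHA256 in counter mode, keyed per record sequence number.
    NOT a TLS cipher; it only makes the MAC-then-encrypt layout runnable offline."""
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(enc_key, struct.pack(">QI", seq, ctr), hashlib.sha256).digest()
    return out[:n]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def seal(keys, seq, ctype, data):
    """Fragment -> MAC -> encrypt -> prepend header. Returns (records, next sequence number)."""
    records = []
    for frag in fragment(data):
        mac = record_mac(keys["mac"], seq, ctype, frag)
        body = xor(frag + mac, keystream(keys["enc"], seq, len(frag) + MAC_LEN))
        records.append(struct.pack(">B2sH", ctype, TLS12, len(body)) + body)
        seq += 1                                # one sequence number per record, per direction
    return records, seq


def open_record(keys, seq, record):
    """Reverse of seal for one record; raises ValueError where TLS would send bad_record_mac."""
    if len(record) < 5:
        raise ValueError("short record")
    ctype, version, length = struct.unpack(">B2sH", record[:5])
    body = record[5:]
    if version != TLS12 or len(body) != length or length < MAC_LEN or length > MAX_FRAGMENT + MAC_LEN:
        raise ValueError("malformed record")
    plain = xor(body, keystream(keys["enc"], seq, length))
    frag, mac = plain[:-MAC_LEN], plain[-MAC_LEN:]
    if not hmac.compare_digest(mac, record_mac(keys["mac"], seq, ctype, frag)):
        raise ValueError("bad_record_mac")      # tampering, or a replay with the wrong seq
    return ctype, frag


def send_and_receive(data, ctype=APPLICATION_DATA, keys=KEYS):
    """Round-trip one message; returns (number of records, reassembled plaintext)."""
    records, _ = seal(keys, 0, ctype, data)
    out = b""
    for seq, rec in enumerate(records):
        _, frag = open_record(keys, seq, rec)
        out += frag
    return len(records), out


def tamper_detected(data, keys=KEYS):
    records, _ = seal(keys, 0, APPLICATION_DATA, data)
    rec = bytearray(records[0])
    rec[-1] ^= 0x01                             # flip one ciphertext bit
    try:
        open_record(keys, 0, bytes(rec))
        return False
    except ValueError:
        return True


def replay_detected(data, keys=KEYS):
    records, _ = seal(keys, 0, APPLICATION_DATA, data)
    try:
        open_record(keys, 1, records[0])        # same record presented as the next one
        return False
    except ValueError:
        return True
```

A 40,000-byte message becomes three records (16,384 + 16,384 + 7,232 bytes of plaintext, each carrying its own MAC), and a one-bit change or a replayed record fails the MAC check. The per-record sequence number is what makes replay fail here; it is also why a stream cipher must never reuse keystream across records, which the stand-in avoids by mixing the sequence number into every keystream block.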
SSL Handshake Protocol
• Does the negotiation
• Four phases:
1. Establish client security capabilities
2. Establish server security tokens
3. Establish client security tokens
4. Finish: switch to the negotiated state and confirm it
SSL Handshake Protocol
• Phase 1: Client starts (ClientHello)
– (Highest) SSL/TLS version supported
– Client nonce: n_c
– Session Id
• If it is 0 (empty): a new session
• If it is not: continue an existing session
– Cipher suites
• List of crypto algorithms supported
• In order of preference
– Compression methods
• List of supported methods
SSL Handshake Protocol
• Phase 1: Server responds (ServerHello)
– Chosen SSL/TLS version
– Server nonce: n_s
– Session Id
• Old one if continuing, a new one otherwise
– Chosen cipher suite
– Chosen compression method
• Phase 2: Server tokens
– Server certificate
– (Optional) request for a client certificate
– ServerHelloDone
SSL Handshake Protocol
• Phase 3: Client tokens
– Client verifies the server certificate (chain, name, validity)
– Client sends its security tokens
• Certificate (only if the server requested one)
• Client Key Exchange: the pre-master secret (48 bytes in the RSA key exchange), encrypted with the public key from the server certificate
• Certificate Verify (only with a client certificate): signs a hash of all previous handshake messages with the certificate's private key
SSL Handshake Protocol
• Phase 4: Implement
– Client sends: Change Cipher Spec, then Finished (a MAC over the whole handshake, computed under the new keys)
– Server sends: Change Cipher Spec, then Finished
– Either side aborts if the other's Finished does not verify: the handshake was tampered with
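What the two ends compute once the pre-master secret has been exchanged, as an added example (not code from the lecture, and not a complete handshake implementation): the TLS 1.2 PRF of RFC 5246, the master secret from the pre-master secret and the two nonces n_c and n_s, the per-connection key block, and the 12-byte Finished verify data. It also shows the Sessions-and-Connections idea from earlier: a resumed session keeps the master secret and derives new keys from fresh nonces. The nonces, pre-master secret and handshake transcript are fixed constructed values so the run is deterministic; a real implementation draws them randomly and the transcript is the actual handshake bytes. The RSA encryption that carries the pre-master secret to the server, and the certificate check, are assumed to have happened and are not modelled.

```python
"""TLS 1.2 key derivation and Finished computation (added example, RFC 5246 sections 5, 6.3, 7.4.9)."""
import hashlib
import hmac


def p_sha256(secret, seed, length):
    """P_hash: A(0)=seed, A(i)=HMAC(secret, A(i-1)); output = HMAC(secret, A(1)+seed) || HMAC(secret, A(2)+seed) || ..."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def prf(secret, label, seed, length):
    """TLS 1.2 PRF with SHA-256: P_SHA256(secret, label + seed)."""
    return p_sha256(secret, label + seed, length)


def master_secret(pre_master, client_random, server_random):
    """48-byte master secret; the seed is n_c || n_s in that order."""
    return prf(pre_master, b"master secret", client_random + server_random, 48)


# Key sizes for an HMAC-SHA256 MAC with a 128-bit cipher key and 128-bit IV.
KEY_SIZES = (("client_mac", 32), ("server_mac", 32), ("client_key", 16),
             ("server_key", 16), ("client_iv", 16), ("server_iv", 16))


def key_block(master, client_random, server_random):
    """Per-connection keys; note the seed order flips to n_s || n_c for key expansion."""
    total = sum(size for _, size in KEY_SIZES)
    kb = prf(master, b"key expansion", server_random + client_random, total)
    keys, pos = {}, 0
    for name, size in KEY_SIZES:
        keys[name] = kb[pos:pos + size]
        pos += size
    return keys


def verify_data(master, label, transcript):
    """Finished payload: 12 bytes of PRF over the hash of every handshake message so far."""
    return prf(master, label, hashlib.sha256(transcript).digest(), 12)


# Constructed, fixed inputs (a real endpoint uses os.urandom for the nonces and pre-master secret).
CLIENT_RANDOM = bytes(range(0xC0, 0xE0))        # n_c: 32 bytes
SERVER_RANDOM = bytes(range(0x50, 0x70))        # n_s: 32 bytes
PRE_MASTER = b"\x03\x03" + bytes(46)            # 48 bytes: client's highest version + 46 random bytes (zeros here)
TRANSCRIPT = b"ClientHello|ServerHello|Certificate|ServerHelloDone|ClientKeyExchange"  # stand-in


def full_handshake(pre_master=PRE_MASTER, client_random=CLIENT_RANDOM,
                   server_random=SERVER_RANDOM, transcript=TRANSCRIPT):
    """Both ends hold pre_master after ClientKeyExchange and derive the same material independently."""
    client = {"master": master_secret(pre_master, client_random, server_random)}
    server = {"master": master_secret(pre_master, client_random, server_random)}
    for side in (client, server):
        side["keys"] = key_block(side["master"], client_random, server_random)
    client["finished"] = verify_data(client["master"], b"client finished", transcript)
    server["expected_client_finished"] = verify_data(server["master"], b"client finished", transcript)
    return client, server


def resume_session(master, new_client_random, new_server_random):
    """Abbreviated handshake: keep the session's master secret, derive fresh keys from new nonces."""
    return key_block(master, new_client_random, new_server_random)
```

Both sides end up with the same 48-byte master secret, the same key block and the same Finished value; change either nonce and the master secret changes, while a resumed session reuses the master secret yet yields a different key block. Altering even one byte of the transcript changes the Finished value, which is how the handshake detects a tampered negotiation (for example, a downgraded cipher-suite list).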
SSL Change Cipher Spec
• Simple protocol: 1 message with 1 byte of data
– Byte set to 1
SSL Alert Protocol
• Two bytes of data
• Byte 1: severity of the alert
– = 1: warning
– = 2: fatal (terminates the connection)
• Byte 2: alert code (the description, e.g. bad_record_mac, handshake_failure)
Reflection: SSL
• Enables secure communication over the internet
• Works even if only one side has a certificate (more on this later)
– Client authentication must then be done some other way (e.g. a password sent inside the encrypted channel)
• Main application for certificates and PKI
– Has helped sell many certificates (more on this later)
• Secures the communication channel
– But not the data stored at either end
Conclusion
• Email (SMTP, POP)
• Network Management (SNMP)
– ASN.1
• Secure Sockets Layer