application layer

Content:

The Application Layer.

It is the last of the layers of the OSI model. The application layer contains the user programs, in this layer support protocols are also needed that allow the operation of real applications. These protocols are: the network security area, the DNS, and the protocol for network administration. This layer not only has protocols but also has various applications which are: email, USENET, World Wide Web, and Multimedia.

Application Layer Protocols.

NETWORK SECURITY

Security is concerned with ensuring that prying eyes cannot read or modify messages addressed to other recipients; cares about people trying to access unauthorized remote services. Security also deals with the problem of capturing and replaying legitimate messages and people trying to deny that they sent certain messages.

Network security issues can be divided into 4 interrelated areas: secrecy, identification validation, non-repudiation, and integrity control.

  • Secrecy and integrity is about keeping information out of the hands of unauthorized users.
  • Identification validation is responsible for determining who you are talking to before revealing sensitive information or making a business deal.
  • Non-repudiation takes care of signatures: How can you make sure that a received message was actually sent, and not some adversary modified their own account along the way?

To attack these problems, solutions must be implemented in this layer. These can be:

Traditional Encryption: The messages to be encrypted, known as normal text, are transformed by means of a function parameterized by a key. The output of the encryption process is known as the ciphertext, which is transmitted after many times by messenger or radio.

The key consists of a short string that selects one of many ciphers. To prevent your email from being read, 64-bit keys are sufficient, to keep powerful governments at bay, keys of up to 256 bits are required.

Cipher models fall into 2 categories: substitution ciphers and transposition ciphers.

Ciphers by Substitution: Each letter or group of letters is replaced by another letter or group of letters to decipher it. One of the well-known old ciphers is the Caesar cipher. In this method a becomes D, b becomes E, ................ and z becomes C For example the word attack becomes DWDTXH.

Improvements were then made so that each of the 26 letters of the alphabet has some correspondence with some other letter. For example:

  • Normal Text:abcdefghijklmnopqrstu vwxyz
  • Ciphertext:QWERTYUIOPASDFGHJKLZX CVBNM

This general system is called monoalphabetic substitution. For the previous key, the word attack would be transformed into the ciphertext QZQJXT.

Transposition Ciphers: Transposition ciphers rearrange the letters but do not disguise them. The following graph presents a common transposition cipher:

layerP_and_layerS

The encryption key is a word or phrase that does not contain repeated letters. In this example it is MEGABUCK. The purpose of the key is to number the columns. Column 1 being under the key letter closest to the beginning of the alphabet. Normal text is written horizontally in rows. The ciphertext is read by columns, starting with the column whose key letter is the lowest.

Two Fundamental Cryptographic Principles: The first principle is that all encrypted messages must contain redundancy, that is, information not necessary to understand the message.>

The second cryptographic principle is that some measures must be taken to prevent intruders from replaying old messages. One of the measures is the inclusion in each message of a timestamp valid for say 5 minutes. Then in receiver you can save the messages about 5 minutes, to compare them with new messages and filter duplicates. Messages older than 5 minutes can be discarded.

One-time padding: The construction of an inviolable message is as follows: first a random bit string is chosen as the key, then the normal text is converted into a bit string, finally the exclusive OR of these is calculated. two strings bit by bit ; But it has several practical disadvantages: The key cannot be memorized, the total amount of data that can be transmitted is limited by the amount of key available.

Due to this, modern encryption algorithms have been created that can process large amounts of normal text, these are:

Secret Key Algorithms: Transpositions and substitutions can be implemented using simple circuits. The following graphic shows a device known as a P-Box (permutation) that is used to perform a transposition of an 8-bit input. For example if the 8 bits from top to bottom are designated 01234567, the output in this box is 36071245.

Secret_Key_Algorithms

Substitutions are carried by Box S (substitution), the 8-bit input selects one of the 8 output lines of the first stage and sets it to 1 the other lines are 0; the second stage is a P-Box and the third stage re-binaries the selected input line.

OFF: DES is a data encryption standard; in which plaintext is encrypted in 64-bit blocks, producing 64-bit ciphertext.

There are also other algorithms such as: IDEA(International Data Encryption Algorithm), public key algorithms, RSA algorithm.

Identification Validation Protocols: Identification validation is the technique by which a process verifies that its communication partner is who it is supposed to be and not an impostor.

The general model that all validation protocols use is as follows: a user1 wants to establish a secure connection with user2. User1 begins by sending a message to user2 or to a key distribution center (KDC). Once the protocol is complete, user1 is sure that he is talking to user2 and vice versa. In most protocols the 2 will have established a secret session key to use during the next conversation. The goal of using a new session key for each new connection is to reduce the amount of ciphertext an attacker can obtain and to minimize the damage caused by a process crash.

Identification Validation using a Key Distribution Center.

At first, to speak to n people, n keys were required. Then a different way was created which is to introduce a trusted key distribution center (KDC). In this model each user has a single shared key with the KDC. Identification validation and session key management now go through the KDC.

In addition there are other protocols such as: identification validation based on a shared secret key, identification validation using public key cryptography.>

As stated above, non-repudiation is responsible for the signatures, these can be:

Digital Signatures.

Validation of many legal, financial, and other documents is determined by the presence or absence of an authorized handwritten form. For computerized systems to replace the physical transportation of paper and ink; it basically requires a system whereby one party can send a "signed" message to another party such that:

  1. The receiver can verify the claimed identity of the transmitter.
  2. The sender cannot later repudiate the content of the message.
  3. The receiver has not been able to make the message himself.

The first requirement is necessary, for example in financial systems. When a customer's computer orders a bank's computer to buy a ton of gold, the bank's computer needs to make sure that the ordering computer actually belongs to the company to be debited. The second requirement is necessary to protect the bank against fraud. The third requirement is necessary to protect the client in the event that the price of gold rises too high and the bank tries to forge a signed message in which the client requested a gold bar instead of a ton.

Secret Key signatures.

One approach to digital signatures would be to have a central authority that knows everything and is trusted by all, a Big Brother. Each user then chooses a secret key and takes it personally to the Big Brother offices. Therefore only the user and Big Brother know the secret key of that user, etc.