IPSec, S/MIME and XMLDSig
Throw this module’s weeks; we have seen that security can operate at different levels and that we should consider it and its possible consequences seriously. We have all heard about some spectacular attacks that caused to companies and banks lot of money. Securing systems and data requires a lot of work and cannot be obvious as the Internet provided lot of ways to interact and accessing data. Some of the methods used for data security are: Encryption, data signing, usage of firewalls, anti viruses, anti spams, IDS …etc. This is just a wide overview of how and at which level data could be secured. Regardless the protection at these levels (incoming and outgoing traffic, encrypting sensitive data, protecting against known viruses and attacks). Some security experts have looked on ways and methods to include additional security layers at the ISO and communication frameworks. Nowadays, most of the communications are done over the Internet, which are all based upon IP (internet protocol), though it is worth looking at methods to secure at TCP IP protocol’s level.
One of these methods is IPSec (Internet Protocol Security), developed by IETF and defined in RFC 2401, it aims to support secure exchange of packets at the IP layer. IPSec “Provides a means by which to ensure the authenticity, integrity and confidentiality of data at the network layer of the open system interconnection OSI” (Carmouche, 2006). IPSec operates at the network layer and does not affect in anyway the upper layers. The lower layers are in charge of the connectivity and are not affected by the implementation IPSec, which applies specific security mechanisms on the communication’s streams by applying encryption methods or modes (transport or tunnel).
The transport mode encrypts the content of packets and leaves the header clear (payload encryption), whereas the tunnel mode encrypts both header and contents of packets. A public key sharing is required by both sender and receiver in order to enable IPSec.
IPSec has widely been applied to Virtual Private Networks.
Figure1: IPSec application at the network layer.
The OSI model is a theoretical device used to help explain how the network and Internet functions. When we secure Web communications using SSL, we’re using a single layer of the OSI model since SSL works at the transport layer. But for more advanced security applications we can build security systems in a single layer.
S/MIME (Secure/ Multipurpose Internet Mail Extensions) is also an IETF standard used public key encryption and signing of MIME data, originally developed by RSA Data Security and provides couple of cryptographic security services (authentication, integrity, non-repudiation, privacy and data security), it requires a certificate from a certificate authority (CA) which will be used to generate public keys for signing and encrypting messages. S/MIME has been defined as “a secure method of sending e-mail that uses the Rivest-Shamir-Adleman encryption system.” S/MIME is included in the latest versions of the Web browsers from Microsoft and Netscape and has also been endorsed by other vendors that make messaging products. S/MIME operates at the 6th layer of the OSI model (the presentation level) (Tiller, 2000).
XML signature, also known as XMLDSig has been defined by the W3C and can be compared to the PCKS#7, it was designed for web technologies and signing XML documents. Nowadays, XML has been adopted and recognized as the web standard, and most of the web applications have been developed in a way to exchange data in XML format such SOAP and SAML.
The encryption used for XML documents is a bit more complicate than a normal encryption of data; this difficulty is due to the XML format. The XML document can have one or more serialized representation. The XML digital signature can be considered in some situations better and more flexible compared to the digital signature (binary data) (Doraswamy & Harkins, 2003).
We’ve seen that there are different methods and mechanisms to secure data and at different levels, so I personally think that it can be possible to combine these technics. Especially the IPSec with either S/MIME or XMLDSig. As mentioned earlier, IPSec does not affect the other layers and operates only at the Network level, it can be combined with the S/MIME or XMLDSig methods and it might be better to combine these technics in addition to other ones.
References
– James S. Tiller (2000). A Technical Guide to IPSec Virtual Private Networks. CRC Press, 2000. ISBN: 9780203997499.
– Naganand Doraswamy, Dan Harkins (2003). IPSec: The New Security Standard for the Internet, Intranets, and Virtual Private Networks. Prentice Hall Professional, 2003, ISBN: 9780130461896.
– James Henry Carmouche (2006). IPSec Virtual Private Network Fundamentals. Pearson Education, 2006. ISBN: 9780132796682
Throw this module’s weeks; we have seen that security can operate at different levels and that we should consider it and its possible consequences seriously. We have all heard about some spectacular attacks that caused to companies and banks lot of money. Securing systems and data requires a lot of work and cannot be obvious as the Internet provided lot of ways to interact and accessing data. Some of the methods used for data security are: Encryption, data signing, usage of firewalls, anti viruses, anti spams, IDS …etc. This is just a wide overview of how and at which level data could be secured. Regardless the protection at these levels (incoming and outgoing traffic, encrypting sensitive data, protecting against known viruses and attacks). Some security experts have looked on ways and methods to include additional security layers at the ISO and communication frameworks. Nowadays, most of the communications are done over the Internet, which are all based upon IP (internet protocol), though it is worth looking at methods to secure at TCP IP protocol’s level.
One of these methods is IPSec (Internet Protocol Security), developed by IETF and defined in RFC 2401, it aims to support secure exchange of packets at the IP layer. IPSec “Provides a means by which to ensure the authenticity, integrity and confidentiality of data at the network layer of the open system interconnection OSI” (Carmouche, 2006). IPSec operates at the network layer and does not affect in anyway the upper layers. The lower layers are in charge of the connectivity and are not affected by the implementation IPSec, which applies specific security mechanisms on the communication’s streams by applying encryption methods or modes (transport or tunnel).
The transport mode encrypts the content of packets and leaves the header clear (payload encryption), whereas the tunnel mode encrypts both header and contents of packets. A public key sharing is required by both sender and receiver in order to enable IPSec.
IPSec has widely been applied to Virtual Private Networks.
Figure1: IPSec application at the network layer.
The OSI model is a theoretical device used to help explain how the network and Internet functions. When we secure Web communications using SSL, we’re using a single layer of the OSI model since SSL works at the transport layer. But for more advanced security applications we can build security systems in a single layer.
S/MIME (Secure/ Multipurpose Internet Mail Extensions) is also an IETF standard used public key encryption and signing of MIME data, originally developed by RSA Data Security and provides couple of cryptographic security services (authentication, integrity, non-repudiation, privacy and data security), it requires a certificate from a certificate authority (CA) which will be used to generate public keys for signing and encrypting messages. S/MIME has been defined as “a secure method of sending e-mail that uses the Rivest-Shamir-Adleman encryption system.” S/MIME is included in the latest versions of the Web browsers from Microsoft and Netscape and has also been endorsed by other vendors that make messaging products. S/MIME operates at the 6th layer of the OSI model (the presentation level) (Tiller, 2000).
XML signature, also known as XMLDSig has been defined by the W3C and can be compared to the PCKS#7, it was designed for web technologies and signing XML documents. Nowadays, XML has been adopted and recognized as the web standard, and most of the web applications have been developed in a way to exchange data in XML format such SOAP and SAML.
The encryption used for XML documents is a bit more complicate than a normal encryption of data; this difficulty is due to the XML format. The XML document can have one or more serialized representation. The XML digital signature can be considered in some situations better and more flexible compared to the digital signature (binary data) (Doraswamy & Harkins, 2003).
We’ve seen that there are different methods and mechanisms to secure data and at different levels, so I personally think that it can be possible to combine these technics. Especially the IPSec with either S/MIME or XMLDSig. As mentioned earlier, IPSec does not affect the other layers and operates only at the Network level, it can be combined with the S/MIME or XMLDSig methods and it might be better to combine these technics in addition to other ones.
References
– James S. Tiller (2000). A Technical Guide to IPSec Virtual Private Networks. CRC Press, 2000. ISBN: 9780203997499.
– Naganand Doraswamy, Dan Harkins (2003). IPSec: The New Security Standard for the Internet, Intranets, and Virtual Private Networks. Prentice Hall Professional, 2003, ISBN: 9780130461896.
– James Henry Carmouche (2006). IPSec Virtual Private Network Fundamentals. Pearson Education, 2006. ISBN: 9780132796682
