Cryptography

Cryptography (from the Greek words for "hidden" and "writing") is the branch of cryptology that deals with "hidden writings": methods of making a message unintelligible to anyone not authorized to read it. Such a message is commonly called a cryptogram, and the methods used are called encryption techniques. In this way the confidentiality of data, one of the essential requirements of IT security, is guaranteed, which prevents various kinds of attack on sensitive data (e.g. sniffing). The reverse line of study, aimed at breaking a cryptographic mechanism, is called cryptanalysis and is the other branch of cryptology. Time is also crucial for cryptanalysis: in many telecommunications and IT applications a system can be considered secure even if its encryption can be broken, provided that breaking it takes so long that any subsequent direct attack would be futile. Current cryptographic research, having solved the theoretical problem of guaranteeing security, is devoted to overcoming these strong practical limits: it looks for methods that are more convenient yet still extremely secure and that, where possible, use short, reusable keys without compromising their usefulness. At the moment no cryptographic technique can be called secure in an absolute sense, except the Vernam cipher: all the other techniques keep data secure only for a certain period of time and cannot guarantee how long secrecy will last.
Substitution ciphers

A substitution cipher is an encryption method in which each unit of plaintext is replaced with ciphertext according to a regular pattern; the "units" can be single letters, pairs of letters, syllables, mixtures of these, and so on. The recipient decrypts the message by applying the inverse substitution. Substitution ciphers are related to transposition ciphers, which instead rearrange the units of the plaintext into a different, usually more complex, order while leaving the units themselves unaltered; in substitution ciphers the units of plaintext keep their sequence in the ciphertext but are altered. There are several types of substitution cipher: if the cipher operates on single letters it is called a simple substitution cipher; if it operates on larger groups of letters it is called a polygraphic cipher. A monoalphabetic cipher uses a fixed substitution over the whole message, while a polyalphabetic cipher uses several substitution schemes, and each plaintext letter is treated with a different alphabet according to a pattern established by the secret key.

Caesar cipher

The Caesar cipher is one of the oldest cryptographic algorithms of which there is a historical record. It is a monoalphabetic substitution cipher in which each letter of the plaintext is replaced in the ciphertext by the letter a certain number of positions later in the alphabet. Ciphers of this type are also called substitution or shift ciphers because of the way they operate: substitution takes place letter by letter, sliding through the text from beginning to end. Caesar used a shift of 3 positions (so the key was 3) over the 26-letter Latin alphabet. To encrypt a message, simply take each letter of the plaintext and replace it with the corresponding letter on the ciphertext row of the table; to decrypt, do the reverse. Encrypting (or decrypting) the text several times does not improve security, since a rotation of A places followed by one of B places is equivalent to a single rotation of A + B places: mathematically, the encryptions with the various keys form a group. The Caesar cipher works thanks to modular arithmetic:

f(x) = (x + k) mod m

where m is the number of letters in the alphabet.

Monoalphabetic cipher

A monoalphabetic substitution cipher is a cryptographic system that uses an alphabet for the plaintext and a permutation of the same alphabet for the ciphertext. The permutation used is the key of the system. During encryption, each letter of the plaintext is mapped to the corresponding letter of the permuted alphabet.

Polyalphabetic cipher

A polyalphabetic substitution cipher uses a larger or smaller number of alphabets to replace the letters of the message, in a certain order that constitutes the key. An example of a polyalphabetic cipher is the Vigenère cipher. It is the counterpart of monoalphabetic substitution ciphers such as the Caesar cipher. The resistance of polyalphabetic ciphers to cryptanalysis, and in particular to frequency analysis, is linked to the number of distinct alphabets used, i.e. the number n that gives the length of the key, and to the randomness of the key. Operation:
1. A key is used to choose the alphabet with which each plaintext letter is encrypted.
2. The available alphabets indicated by the key are used in sequence.
3. When the end of the key is reached, it starts again from the beginning.

Playfair cipher

The Playfair cipher, or Playfair square, is a manual symmetric encryption technique based on a monoalphabetic substitution of two-letter groups. The scheme was invented in 1854 by the English physicist Sir Charles Wheatstone but takes the name of his friend Lord Playfair, Baron of St. Andrews, who promoted its use. The technique encrypts pairs of letters (digraphs) rather than single letters as in the simple substitution cipher and the Vigenère cipher then in use. Playfair is therefore significantly harder to break, because the frequency analysis used against simple substitution ciphers does not work on it. Frequency analysis can still be attempted, but there are 600 possible digraphs instead of 26 single letters. Frequency analysis of digraphs is possible, but considerably more difficult. Furthermore, the relative frequencies of individual letters span a much wider range than those of digraphs, which complicates frequency analysis further. For these reasons the Playfair cipher was, at the time, considered unbreakable.
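As an added illustration of the digraph substitution just described (example code, not from the original page), the following implements the Playfair key square and the three pairing rules; it assumes the common conventions of merging I and J and padding doubled letters and an odd final letter with X, and the keyword and messages are constructed sample input:

```python
"""Playfair cipher: digraph substitution on a 5x5 key square.

Added example, not code from the original page. Uses the common
convention of merging I and J and padding doubled letters and an odd
final letter with X; keyword and messages are constructed input.
"""
import string


def build_square(keyword: str) -> list:
    """25-letter key square: keyword letters first (deduplicated),
    then the rest of the alphabet, with J folded into I.
    Returned as a flat list; index = row * 5 + column."""
    seen = []
    for ch in keyword.upper() + string.ascii_uppercase:
        ch = "I" if ch == "J" else ch
        if ch in string.ascii_uppercase and ch not in seen:
            seen.append(ch)
    return seen


def make_digraphs(text: str) -> list:
    """Split into pairs; break a doubled letter with X; pad the end with X."""
    letters = [("I" if c == "J" else c) for c in text.upper() if c.isalpha()]
    pairs, i = [], 0
    while i < len(letters):
        a = letters[i]
        b = letters[i + 1] if i + 1 < len(letters) else "X"
        if a == b:
            pairs.append(a + "X")   # "LL" becomes "LX", the second L waits
            i += 1
        else:
            pairs.append(a + b)
            i += 2
    return pairs


def _transform(square: list, pair: str, shift: int) -> str:
    """Apply the Playfair rules to one pair; shift=+1 encrypts, -1 decrypts."""
    ra, ca = divmod(square.index(pair[0]), 5)
    rb, cb = divmod(square.index(pair[1]), 5)
    if ra == rb:    # same row: move along the row
        return square[ra * 5 + (ca + shift) % 5] + square[rb * 5 + (cb + shift) % 5]
    if ca == cb:    # same column: move down (or up) the column
        return square[((ra + shift) % 5) * 5 + ca] + square[((rb + shift) % 5) * 5 + cb]
    # rectangle rule: keep rows, swap columns (its own inverse)
    return square[ra * 5 + cb] + square[rb * 5 + ca]


def playfair_encrypt(plaintext: str, keyword: str) -> str:
    square = build_square(keyword)
    return "".join(_transform(square, p, +1) for p in make_digraphs(plaintext))


def playfair_decrypt(ciphertext: str, keyword: str) -> str:
    """Inverse shift on rows/columns; padding X letters are left for the
    reader to drop, as with the manual cipher."""
    square = build_square(keyword)
    pairs = [ciphertext[i:i + 2] for i in range(0, len(ciphertext), 2)]
    return "".join(_transform(square, p, -1) for p in pairs)
```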

Vigenère cipher

The Vigenère cipher is the simplest of the polyalphabetic ciphers. It is based on the use of a verse to control the alternation of substitution alphabets, a concept introduced for the first time by Giovan Battista Bellaso in 1553. The method can be seen as a generalization of the Caesar cipher: instead of always shifting the letter to be encrypted by the same number of places, it is shifted by a variable but repeating number of places, determined by a keyword agreed between sender and receiver and written repeatedly under the message, character by character. The key was also called the "worm", because, being generally much shorter than the message, it has to be repeated many times beneath it. The ciphertext is obtained by shifting each plaintext letter by a number of characters equal to the ordinal number of the corresponding letter of the worm. In practice an arithmetic sum is performed between the ordinal of the plaintext letter (A = 0, B = 1, C = 2, ...) and that of the worm letter; if the result goes past the last letter, Z, counting starts again from A, according to the logic of finite (modular) arithmetic. The advantage over monoalphabetic ciphers (such as the Caesar cipher or ciphers that replace letters with symbols or other letters) is evident: the text is encrypted with n cipher alphabets, so the same letter (if repeated consecutively) is encrypted in n different ways, which makes cryptanalysis of the ciphertext more complex. Obviously a mathematical function can be used for encryption and decryption:
1. To encrypt: c = (a + b) mod 26
2. To decrypt: a = (c - b + 26) mod 26
where
1. L = length of the cipher alphabet = number of elements of the whole (26)
2. a = number of the plaintext letter (0-25)
3. b = number of the key / worm letter (0-25)
4. c = number of the ciphertext letter (0-25)
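The ordinal arithmetic above, as an added example (not code from the original page) that covers both the Vigenère formulas and the Caesar cipher as the special case of a one-letter key; it also checks the group property stated in the Caesar section, that two successive shifts equal one shift of their sum:

```python
"""Caesar and Vigenère ciphers over the 26-letter alphabet A-Z.

Added illustration, not code from the original page: implements
c = (a + b) mod 26 and a = (c - b + 26) mod 26 with the key ("worm")
repeated under the message; Caesar is the key-length-1 case.
"""
import string

ALPHABET = string.ascii_uppercase  # A = 0 ... Z = 25, as in the text


def _ordinals(text: str) -> list:
    """Map letters to 0-25, dropping spaces and anything that is not A-Z."""
    return [ALPHABET.index(ch) for ch in text.upper() if ch in ALPHABET]


def vigenere_encrypt(plaintext: str, key: str) -> str:
    """c = (a + b) mod 26; the key restarts from its beginning when used up."""
    k = _ordinals(key)
    if not k:
        raise ValueError("key must contain at least one letter")
    out = []
    for i, a in enumerate(_ordinals(plaintext)):
        b = k[i % len(k)]
        out.append(ALPHABET[(a + b) % 26])
    return "".join(out)


def vigenere_decrypt(ciphertext: str, key: str) -> str:
    """a = (c - b + 26) mod 26, the inverse of the encryption step."""
    k = _ordinals(key)
    if not k:
        raise ValueError("key must contain at least one letter")
    out = []
    for i, c in enumerate(_ordinals(ciphertext)):
        b = k[i % len(k)]
        out.append(ALPHABET[(c - b + 26) % 26])
    return "".join(out)


def caesar_encrypt(plaintext: str, shift: int) -> str:
    """Caesar is Vigenère with a one-letter key: f(x) = (x + k) mod 26."""
    return vigenere_encrypt(plaintext, ALPHABET[shift % 26])


def caesar_decrypt(ciphertext: str, shift: int) -> str:
    return vigenere_decrypt(ciphertext, ALPHABET[shift % 26])


def caesar_compose(plaintext: str, shift_a: int, shift_b: int) -> tuple:
    """Encrypting with shift A and then with shift B gives the same result
    as a single shift of A + B: the Caesar keys form a group, so double
    encryption adds no security. Returns (twice, once) for comparison."""
    twice = caesar_encrypt(caesar_encrypt(plaintext, shift_a), shift_b)
    once = caesar_encrypt(plaintext, shift_a + shift_b)
    return twice, once
```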

Vernam cipher

The Vernam cipher is a cryptographic system based on the Vigenère cipher, to which it adds the requirement that the encryption key be as long as the text and never reused (for this reason it is often called OTP, an acronym for One Time Pad). The Vernam cipher is the only cryptographic system whose security is established by a mathematical proof, and for this reason it has earned the title of "perfect cipher". The first proof of its unbreakability was published in 1949 by Claude Shannon.
It is easy to see how inconvenient it is to distribute keys of this size securely. Nevertheless, the Vernam cipher was used for communications with spies, who were equipped with pads containing a long key on each page, to be torn off and thrown away once used.
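As an added example (not code from the original page), the Vernam cipher written as Vigenère arithmetic with a random pad exactly as long as the message, plus a check that shows why a pad page must be discarded after one use: if two messages share a pad, the letter-wise difference of the ciphertexts equals the difference of the plaintexts, so the key has cancelled out. The messages and the fixed pad are constructed sample input.

```python
"""Vernam cipher (one-time pad) over the letters A-Z.

Added illustration, not code from the original page: Vigenère arithmetic
with a random key exactly as long as the message, and a check of what
is lost when the same pad is used twice.
"""
import secrets
import string

ALPHABET = string.ascii_uppercase


def letters_only(text: str) -> str:
    return "".join(ch for ch in text.upper() if ch in ALPHABET)


def generate_pad(length: int) -> str:
    """A fresh, uniformly random key of exactly `length` letters.
    `secrets`, not `random`, so the pad is unpredictable."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def vernam(text: str, pad: str, decrypt: bool = False) -> str:
    """Encrypt (c = p + k mod 26) or decrypt (p = c - k mod 26).
    Refuses a pad shorter than the message: that is the OTP requirement."""
    text = letters_only(text)
    pad = letters_only(pad)
    if len(pad) < len(text):
        raise ValueError("pad must be at least as long as the message")
    sign = -1 if decrypt else 1
    return "".join(
        ALPHABET[(ALPHABET.index(t) + sign * ALPHABET.index(k)) % 26]
        for t, k in zip(text, pad)
    )


def letter_difference(x: str, y: str) -> str:
    """Letter-wise (x - y) mod 26. Applied to two ciphertexts that share a
    pad it equals the same function applied to the two plaintexts: the pad
    cancels, which is exactly why a pad is never reused."""
    return "".join(
        ALPHABET[(ALPHABET.index(a) - ALPHABET.index(b)) % 26]
        for a, b in zip(x, y)
    )
```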
Transposition cipher

A transposition cipher is an encryption method in which the positions occupied by plaintext units (usually letters or groups of letters) are changed according to a given pattern, so that the ciphertext is a permutation of the plaintext. Mathematically, a bijective function is applied to the character positions during encryption and its inverse during decryption. The main ones are:
1. Rail fence cipher
2. Route cipher
3. Columnar transposition
4. Myszkowski transposition
5. Disrupted transposition
6. Grille cipher
Transposition is particularly effective when combined with fractionation, a preliminary step that splits each plaintext symbol into several ciphertext symbols. For example, the plaintext alphabet could be written into a grid and each letter of the message replaced by its coordinates. Another fractionation method is the simple conversion of the message into Morse code, with one symbol for spaces, one for dots and one for dashes.
Transposed cipher with substitution

This system combines, within a single cipher, the two systems described above, and therefore offers greater security. A cryptographic system normally applies several stages of these two operations. Obviously the plaintext must be recoverable both at the transmitting and at the receiving end, so these processes must be reversible.
Symmetric cryptography

Symmetric cryptography, or private-key cryptography, is an encryption technique in which the key used for encryption is the same key used for decryption; this makes the algorithms fast and simple to implement. However, it assumes that the two parties already possess the key, a requirement that makes it impossible to exchange keys with this kind of algorithm alone. The exchange takes place through asymmetric, or public-key, algorithms, which are generally more complex both to implement and to execute but allow the exchange to be done securely. Communication then proceeds using only symmetric-key algorithms, which give communication that is secure but fast. In this kind of algorithm it is assumed that both parties already know the key for encrypting and decrypting the message. The sender has a message P (the plaintext). The sender encrypts P with the key k using a symmetric encryption algorithm S; the result is the message C (the ciphertext). In formulas:

S(P, k) = C

The recipient then receives an encrypted message that it is able to decrypt because it possesses the private key. The receiver applies the decryption algorithm D with the same key the sender used to encrypt the text. The formula becomes:

D(C, k) = P

The main algorithms and ciphers are:

Pros:
1. Speed of operation: very long keys can be used, since the encryption and decryption algorithms are very fast.
Cons:
1. The problem of exchanging the key and distributing it to users.
2. The assumption of a single key for encryption and decryption (or of two keys easily derived from one another).
3. Repeated use of the same key: the more often it is used, the easier it becomes to recover.
4. Reliability of the recipient, who could lose the key or hand it to unauthorized parties.

DES

The Data Encryption Standard (DES) is an encryption algorithm chosen as a standard by the Federal Information Processing Standard (FIPS) for the USA in 1976 and later adopted internationally. It is a symmetric-key algorithm with a 64-bit key (of which only 56 bits are effective, since 8 are check bits). The algorithm initially aroused much discussion because of its short key and because some design choices were kept secret; it was assumed that the National Security Agency (NSA) was behind these choices and that a backdoor had been inserted. Consequently DES has been the subject of intense academic analysis, which has contributed significantly to the knowledge that underlies modern ciphers and modern cryptanalysis techniques. DES is now considered insecure for many applications. Its insecurity comes from the key used to encrypt messages, which is only 56 bits long. In January 1999 distributed.net and the Electronic Frontier Foundation collaborated to publicly crack a DES key and succeeded in 22 hours and 15 minutes. With the computing power available in 2009 a DES key can be brute-forced in a few hours by trying all possible combinations. The algorithm is considered secure when iterated three times as Triple DES, even if in theory this is exposed to some attacks.
DES is the archetypal block cipher: an algorithm that takes as input a fixed-length string of plaintext and transforms it, through a series of complex operations, into a ciphertext string of the same length. In the case of DES the block size is 64 bits. DES also uses a key to modify the transformation, so that decryption can be performed only by someone who knows the key. The key is 64 bits long, but only 56 of these are actually used by the algorithm; eight bits are used only for parity checking and are then discarded, so the effective key length is quoted as 56 bits. Like other block ciphers, DES must be used in a mode of operation when applied to messages longer than 64 bits; FIPS-81 specifies several ways of using DES, including for authentication.
There are 16 identical processing steps, called rounds. There are also an initial and a final permutation, called IP and FP, which are mutually inverse (IP "undoes" the action of FP and vice versa). IP and FP have no cryptographic significance and were probably added to make loading blocks easier on the typical hardware of the 1970s; as a side effect they slow down software implementations of DES. Before the main rounds the block is divided into two 32-bit halves, which are processed alternately; this criss-cross structure is called a Feistel network. The Feistel structure ensures that encryption and decryption are very similar processes: the only difference is that the subkeys are applied in reverse order during decryption, while the rest of the algorithm stays the same. This greatly simplifies implementation, especially in hardware, since separate circuits for encryption and decryption are not needed. The symbol (+) denotes the exclusive OR (XOR) operation. The Feistel function (F-function in the diagram) mixes half of the block with part of the key; its output is then combined with the other half of the block, and the two halves are swapped before the next round. After the final round the halves are not swapped, which makes the encryption and decryption processes more similar.
The Feistel function operates on half a block (32 bits) at a time and consists of 4 steps:
1. Expansion: the 32-bit half block is expanded to 48 bits using the expansion permutation, marked E in the diagram, which duplicates some bits.
2. Key mixing: the result is combined with a subkey using XOR. Sixteen 48-bit subkeys, one for each round, are derived from the master key by the key schedule.
3. Substitution: after mixing with the subkey, the block is divided into 8 pieces of 6 bits, which are processed by the S-boxes (substitution boxes). Each of the 8 S-boxes replaces its 6 input bits with 4 output bits through a non-linear transformation given by a lookup table. The S-boxes are the heart of DES's security: without them the cipher would be linear and therefore easily broken.
4. Permutation: finally, the 32 bits output by the S-boxes are reordered according to the fixed permutation of the P-box (permutation box).
The alternation of substitution by the S-boxes, permutation by the P-box and expansion provides the so-called confusion and diffusion, a concept identified by Claude Shannon in the 1940s as a necessary condition for practical and secure encryption.

Triple-DES

Triple DES is a block cipher based on applying the Data Encryption Standard (DES) three times. When it was found that the 56-bit key of DES was not long enough to provide security against brute-force attacks, TDES was chosen as a simple way to increase the key length without having to change algorithm. The use of three steps is essential to prevent the meet-in-the-middle attacks that work against double DES encryption. Note that DES is not a group: if it were, TDES would be equivalent to single DES and would be no safer. The simplest variant of TDES operates as follows:

DES(k3; DES(k2; DES(k1; M)))

where M is the message block to be encrypted and k1, k2 and k3 are the DES keys. This variant is commonly known as EEE because all three DES operations are encryptions. To simplify interoperability between DES and TDES, the middle step is usually replaced with a decryption (EDE mode):

DES(k3; DES^-1(k2; DES(k1; M)))

so that a single DES encryption with key k can be represented as TDES-EDE with k1 = k2 = k3 = k. The choice of a decryption for the middle step does not affect the security of the algorithm.
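As an added illustration of the two structural points made in the DES and Triple DES sections (example code, not from the original page, and not DES itself), a toy 64-bit Feistel cipher with an invented round function and key schedule shows that decryption is the same network with the subkeys in reverse order, and that EDE with k1 = k2 = k3 reduces to a single encryption:

```python
"""Feistel network and Triple-DES-style EDE composition (toy cipher).

Added example, not code from the original page and NOT DES: a 64-bit,
16-round Feistel cipher with a made-up round function and key schedule,
used only to show the structural properties described in the text:
decryption is encryption with the subkeys in reverse order, and EDE
with k1 = k2 = k3 collapses to a single encryption.
"""
MASK32 = 0xFFFFFFFF
MASK64 = 0xFFFFFFFFFFFFFFFF
ROUNDS = 16


def _rotl32(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK32


def key_schedule(key: int) -> list:
    """Derive 16 round subkeys from a 64-bit key (toy schedule, not DES's)."""
    subkeys = []
    state = key & MASK64
    for i in range(ROUNDS):
        state = (state * 6364136223846793005 + 1442695040888963407) & MASK64
        subkeys.append(((state >> 32) ^ (state & MASK32) ^ i) & MASK32)
    return subkeys


def _f(half: int, subkey: int) -> int:
    """Toy round function: key mixing, a non-linear step, then bit diffusion.
    It need not be invertible; a Feistel network never inverts F."""
    x = (half ^ subkey) & MASK32
    x = (x * (x | 1)) & MASK32              # non-linear, playing the S-box role
    return _rotl32(x, 7) ^ _rotl32(x, 19)   # spreads bits, playing the P-box role


def feistel(block: int, subkeys: list) -> int:
    """Run the rounds with the subkeys in the given order.
    The halves are swapped after every round except the last, exactly
    so that the same routine serves for decryption."""
    left, right = (block >> 32) & MASK32, block & MASK32
    for k in subkeys:
        left, right = right, left ^ _f(right, k)
    return (right << 32) | left             # undo the final swap


def encrypt(block: int, key: int) -> int:
    return feistel(block, key_schedule(key))


def decrypt(block: int, key: int) -> int:
    """Same network; the only difference is the reversed subkey order."""
    return feistel(block, key_schedule(key)[::-1])


def tdes_ede(block: int, k1: int, k2: int, k3: int) -> int:
    """E_k3(D_k2(E_k1(M))), the EDE construction from the text."""
    return encrypt(decrypt(encrypt(block, k1), k2), k3)


def tdes_ede_decrypt(block: int, k1: int, k2: int, k3: int) -> int:
    return decrypt(encrypt(decrypt(block, k3), k2), k1)
```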
Encryption mode

Block cipher

A block cipher is a symmetric-key algorithm operating on a group of bits of fixed length, organized as a block. Unlike stream algorithms, which encrypt one element at a time, block algorithms encrypt a block of elements at once. A block cipher consists of two parts: one that encrypts, E, and one that decrypts, E^-1. Many algorithms take two inputs, Nb bits for the block to be encrypted and Nk bits for the key to be used during encryption, and obviously return Nb output bits. In particular, decrypting a block is the inverse function of encryption:

E_k^-1(E_k(m)) = m

for each block m and key k. For every key k, E_k is one of the possible permutations of the set of inputs, of which there are (2^Nb)!. The number of possible keys is usually much smaller than that:

2^Nk < (2^Nb)!

The block size Nb is typically 64 or 128 bits, although some algorithms accept blocks of variable size.
In summary:
1. The plaintext is divided into n-bit blocks that are encrypted independently.
2. Each block of plaintext generates a block of ciphertext of the same length.
3. To make decryption possible, each block of plaintext must produce a distinct block of ciphertext.
The best-known block ciphers are: Lucifer, 3-Way, AES, Camellia, Blowfish, DES.

Stream cipher

A stream cipher (also called a character cipher) is a symmetric cipher in which the symbols (bits) encoding the plaintext are encrypted independently of one another and in which the transformation applied to successive symbols varies as encryption progresses. Another term used for this cipher is state cipher, which recalls that the encryption of each symbol depends on a current state. In practice the symbols are typically single bits or bytes. Stream ciphers are an approach to symmetric encryption different from that of block ciphers, in which one transformation, unchanged from block to block, is applied to successive large blocks of symbols. The distinction is not always clear-cut: some modes of operation of block ciphers use the block cipher primitive in such a way that its effect matches that of a stream cipher. Typically, stream ciphers run faster than block ciphers and use less complex hardware. On the other hand, stream ciphers can be susceptible to serious security problems if they are not used correctly.
Asymmetric cryptography

Asymmetric cryptography, also known as public/private key cryptography or simply public-key cryptography, is a type of cryptography where, as the name suggests, each actor involved in the communication is associated with a pair of keys:
1. the public key, which must be distributed;
2. the private key, which is personal and secret;
thus avoiding the problems connected with the need for a secure exchange of the single key used for both encryption and decryption in symmetric cryptography. The mechanism is based on the fact that if one of the two keys encrypts (or encodes) a message, that message can be decrypted only with the other. Two functions can be implemented: using the public key to authenticate a message sent by the owner of the associated private key, or encrypting messages with the public key to ensure that only the holder of the private key can decrypt them. In a public-key cryptosystem anyone can encrypt a message using the recipient's public key, but that message can be decrypted only with the recipient's private key. For this to work it must be computationally easy for a user to generate a public/private key pair to be used for encryption and decryption. The strength of a public-key cryptosystem rests on the difficulty of determining the private key corresponding to a public key. Security therefore depends only on keeping the private key secret, while the public key can be published without compromising security.
Public-key cryptosystems are often based on cryptographic algorithms built on mathematical problems that currently admit no particularly efficient solution: integer factorization, the discrete logarithm and relations on elliptic curves. Unlike symmetric-key algorithms, public-key algorithms do not require a secure channel for the initial exchange of one (or more) secret keys between the parties. Because of the computational cost of asymmetric cryptography, it is usually used only for small blocks of data, typically to transfer a symmetric encryption key (for example, a session key); this symmetric key is then used to encrypt long messages, since symmetric encryption/decryption is based on simple algorithms and is much faster. Message authentication consists of hashing the message to produce a "digest" (the output of the hash algorithm) and encrypting the digest with the private key to produce a digital signature. From then on anyone can verify this signature by:
1. calculating the hash of the message;
2. decrypting the signature with the public key to recover the signed digest;
3. comparing the two digests.
Equality of the digests confirms that the message has not changed since it was signed and that the signer, and no one else, intentionally performed the signing operation, assuming the signer's private key remained secret. The security of this procedure depends on the hash algorithm being of such quality that it is computationally infeasible to modify the message, or find a substitute message, that produces the same digest; studies have shown that with the MD5 and SHA-1 algorithms, producing an altered or substituted message is not impossible. The current hash standard for this use is SHA-2. The message itself can also be used in place of the digest. Public-key algorithms are key ingredients in the security of cryptosystems, applications and protocols. They are the basis of various Internet standards, such as Transport Layer Security (TLS), S/MIME, PGP and GPG. Some public-key algorithms provide key distribution and secrecy (for example, Diffie-Hellman key exchange), some provide digital signatures (e.g. the Digital Signature Algorithm), others provide both (e.g. RSA). Public-key cryptography is applied in various fields, among others IT security and information security. Information security deals with all aspects of protecting electronic information resources against security threats. Public-key cryptography is used as a method of ensuring confidentiality, authentication and non-repudiation of communications and data storage.
The basic idea of cryptography with a pair of keys becomes clearer with a postal analogy, in which the sender is Alice and the recipient Bob, padlocks take the place of the public keys and the keys play the part of the private keys:
1. Alice asks Bob to send her his padlock, already open; the key to it is jealously kept by Bob.
2. Alice receives Bob's padlock, locks the package with it and sends it to Bob.
3. Bob receives the package and can open it with the key, of which he is the sole owner.
If Bob now wants to send a package to Alice, he should lock it with Alice's padlock (which she should previously have given to Bob), which only she can open. To secure the contents of a package you need the recipient's padlock, while to open it only the recipient's secret key is used, which makes the whole encryption/decryption process asymmetric (one key to encrypt and a different one to decrypt). Anyone who intercepted the (open) padlock or the package locked with it could not read its contents, because they do not have the key. One of the advantages of asymmetric cryptography lies in the fact that public keys can be exchanged over an insecure medium, such as the Internet. Using another analogy, the method is like a safe with two distinct keys, one used to open it (the secret key) and the other to close it (the public key). Symmetric cryptography, on the other hand, bases the security of the system on the secrecy of the encryption/decryption key, so a secure channel is needed to transmit the key, since its interception by third parties would void the security of the system.
The two most popular uses of asymmetric cryptography are:
1. public-key encryption, in which messages are encrypted with the recipient's public key. The message cannot be decrypted by anyone who does not have the corresponding private key, who is assumed to be the owner of that key and the person associated with the public key. This is used to attempt to guarantee confidentiality.
2. digital signature, where a message is signed with the sender's private key and can be verified by anyone with access to the sender's public key. This verification shows that the sender had access to the private key and is therefore likely to be the person associated with the public key. It also ensures that the message has not been tampered with: any manipulation of the message would change the digest, which otherwise remains the same between sender and receiver.
Pros:
1. Key exchange is no longer critical, since the keys exchanged can be public.
2. The problem of the authenticity of the sender is solved, since only the owner of the private key could have generated a message matching the corresponding public key.
3. The problem of confidentiality is solved: since the two keys play symmetric roles, it is enough to encrypt the message with the public key so that only the owner of the corresponding private key can read it.
Cons:
1. The numerous and complex computations make implementations less efficient.

RSA algorithm

RSA is an asymmetric cryptographic algorithm, invented in 1977 by Ronald Rivest, Adi Shamir and Leonard Adleman, that can be used to encrypt or sign information. In 1976 Whitfield Diffie and Martin Hellman, American cryptologists, had been the first to publish a system based on an "asymmetric" cipher made of "public keys". The cryptosystem is based on the existence of two distinct keys, used to encrypt and decrypt: if the first key is used for encryption, the second must necessarily be used for decryption, and vice versa. The fundamental point is that, although the two keys depend on each other, it is not feasible to derive one from the other, so even if one of the two keys is known the other cannot be recovered; this is what guarantees the integrity of the scheme. As a practical example, if Alice wants to send a message to Bob and does not want anyone but Bob to read it, Alice looks up Bob's public key in the directory and encrypts the message with it. Since Bob is the only one who has the inverse key, he will also be the only one able to decrypt the message, which remains secret to everyone else, including Alice, who, not having the inverse key, cannot decrypt the very message she created. Obviously the success of this system relies on Bob being the only one who has the inverse key; otherwise, anyone holding both keys could easily decrypt the message. With this encryption method it is also possible to guarantee the origin of a message. Returning to the previous example: this time Alice, before encrypting the message with Bob's public key, encrypts it with her own inverse key and only afterwards encrypts it again with Bob's public key. When Bob receives the message and decrypts it with his inverse key, he still obtains an encrypted message, which then requires Alice's public key to be decrypted; this ensures that the message was sent by Alice, the only one who has the inverse key with which it was encrypted. More simply, using this method Alice can send messages to everyone while guaranteeing their origin: by encrypting the message with her inverse key, anyone can read it by decrypting it with her public key, which shows that the sender is indeed Alice.
Operation is as follows:
1. Bob chooses two very large prime numbers (for example of 300 digits) and multiplies them with his computer (taking less than a second).
2. Bob sends the resulting number to Alice; anyone can see this number.
3. Alice uses this number to encrypt the message.
4. Alice sends the encrypted message to Bob; anyone can see it, but no one can decrypt it.
5. Bob receives the message and, using the two prime factors that only he knows, decrypts it.
6. Alice and Bob took a few seconds to encrypt and decrypt, but anyone who intercepted their communications would take far too long to discover the two prime factors needed to decrypt the message.
In detail:
1. two prime numbers (of 1024 bits) p, q are chosen at random;
2. their product, also called the modulus, is computed: n = p * q, together with z = (p - 1) * (q - 1);
3. a number e is chosen with the property that z and e are coprime (no common factors);
4. the two numbers e and n are the public key;
5. finally, a random number k and a number d are determined such that e * d = 1 + k * z;
6. the numbers d and n constitute the private key.
In the end there is a public key (e, n), used for encryption, and a private key (d, n), used to decrypt the encrypted message.
Digital signature

The digital signature is a mathematical scheme to demonstrate the
authenticity of a message or digital document sent through an insecure
channel: a valid digital signature guarantees the recipient that the sender of
the message is who he claims to be (authentication), that the sender cannot
deny having sent it (non-repudiation), and that the message has not been
altered along the path from the sender to the recipient (integrity). Digital
signatures are based on cryptographic protocols commonly used in software
distribution, financial transactions and other cases where falsification or
alteration of the message must be detected. The electronic signatures of an IT
document, and in particular the advanced and qualified electronic signatures,
including the digital one, aim to satisfy three requirements that not all types
of electronic signature satisfy:
1. that the recipient can verify the identity of the sender
(authentication);
2. that the sender cannot disown a document signed by him
(non-repudiation);
3. that the recipient cannot invent or modify a document signed by
someone else (integrity).
A typical electronic signature scheme based on public-key cryptography
consists of the following algorithms:
1. a key generation algorithm, which randomly selects a private key from a
set of possible values and returns a key pair: the private key with which
the document is signed and the corresponding public signature
verification key;
2. a signing algorithm that takes as input a message and the private key,
calculates the hash code of the message and encrypts it with the private
key, producing a signature;
3. a verification algorithm that takes as input a message, the public key
and the signature, and accepts or rejects the signature attached to the
message.
The following two properties are required:
1. the authenticity of a signature generated from a fixed message and a
private key must be verifiable using the corresponding public key;
2. it must be computationally infeasible to generate a valid signature for
a message without having the private key available.
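As an added example, not code from the original text: the RSA key generation of the previous section, following its steps (p, q, n, z, e, d), used both for encryption and for the hash-then-sign signature scheme just described. The primes around 10^6 and the use of SHA-256 are assumptions of this example; the digest is reduced modulo n because these toy keys are shorter than the digest.

```python
import hashlib
import random
from math import gcd


def generate_keypair(p, q):
    """Steps 1-6 of the RSA key generation above: returns ((e, n), (d, n))."""
    n = p * q                       # step 2: the modulus
    z = (p - 1) * (q - 1)           # z = (p - 1)(q - 1)
    while True:                     # step 3: e must be coprime with z
        e = random.randrange(3, z)
        if gcd(e, z) == 1:
            break
    d = pow(e, -1, z)               # step 5: e * d = 1 + k * z for some k
    k = (e * d - 1) // z
    assert e * d == 1 + k * z
    return (e, n), (d, n)           # steps 4 and 6: public and private key


def encrypt(public_key, m):
    e, n = public_key
    if not 0 <= m < n:
        raise ValueError("the message must be an integer smaller than n")
    return pow(m, e, n)


def decrypt(private_key, c):
    d, n = private_key
    return pow(c, d, n)


def digest_as_int(message, n):
    """Hash code of the message as an integer below n (reduced mod n because
    these toy keys are shorter than a SHA-256 digest; real schemes pad)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(private_key, message):
    """Signing algorithm: hash the message, then apply the private key to the hash."""
    d, n = private_key
    return pow(digest_as_int(message, n), d, n)


def verify(public_key, message, signature):
    """Verification algorithm: undo the signature with the public key and
    compare the result with the hash of the message."""
    e, n = public_key
    if not 0 <= signature < n:
        return False
    return pow(signature, e, n) == digest_as_int(message, n)


if __name__ == "__main__":
    # constructed primes, far too small for real use
    public, private = generate_keypair(1000003, 999983)
    c = encrypt(public, 123456789)
    print("decrypt(encrypt(m)) == m:", decrypt(private, c) == 123456789)
    msg = b"Pay 100 EUR to Bob"
    s = sign(private, msg)
    print("signature verifies:", verify(public, msg, s))
    print("tampered message verifies:", verify(public, b"Pay 900 EUR to Bob", s))
```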
Cryptographic hash function

A cryptographic hash function is a special class of hash function that has
some properties that make it suitable for use in cryptography. It is a
mathematical algorithm that maps data of arbitrary length (the message) to a
fixed-length binary string called a hash value, often also referred to as a
message digest (or simply digest). Such a hash function is designed to be
unidirectional (one-way), that is, a function that is hard to invert: the
only way to recover the input data from the output of an ideal hash function
is a brute-force search over the possible inputs, looking for one that
produces a match. Alternatively, a rainbow table of precomputed hashes can
be used. An ideal cryptographic hash function must have some fundamental
properties:
1. it must uniquely identify the message: it must not be possible for two
different messages, however similar, to have the same hash value;
2. it must be deterministic, so that the same message always translates
into the same hash;
3. it must be simple and fast to calculate the hash value of any kind of
data;
4. it must be very hard, or practically impossible, to recover a message
from its hash value other than by trying all possible messages.
These features allow cryptographic hash functions to be widely used in the
field of computer security, for instance in digital signatures, message
authentication codes (MACs) and other forms of authentication. They can also
be used as ordinary hash functions, to index data in hash tables, to compute
fingerprints, to detect duplicate data or to uniquely identify files, and as
checksums to detect accidental data corruption. In fact, in computer security
contexts, cryptographic hash values are sometimes called fingerprints or
checksums, even though all these terms denote more general functions with
rather different properties and purposes.

MD5
MD5 is a cryptographic hash function created by Ronald Rivest in 1991 and
standardized in RFC 1321. It is a one-way function, different from encoding
and encryption because it is irreversible. The function takes a string of
arbitrary length as input and produces a 128-bit output. The process is very
fast, and the output (also known as the "MD5 checksum" or "MD5 hash") is such
that it is highly unlikely to obtain the same hash value from two different
input strings. Today many online resources exist that can, with good
probability, recover common words from their MD5 hashes. Moreover, the
availability of efficient algorithms capable of generating colliding strings
(that is, strings with the same hash value) in a reasonable time has made MD5
less favoured than other hashing algorithms (see WHIRLPOOL, SHA-1 or
RIPEMD-160), although it is still very widespread (just think that the most
common file integrity check is based on MD5).

Example in PHP

<?php

// Assign to a variable the string to be hashed with the MD5 algorithm
$my_var = 'This is the string I want to encode';

// Print the MD5 hash of the string stored in the variable
echo md5($my_var);

// The md5 of the result of another md5 can be computed
echo md5(md5($my_var));

// A "salt", that is another string, can be prepended to the string to be hashed
$salt = "NaCl";
echo md5($salt . "my_password");

?>

SHA
SHA (Secure Hash Algorithm) refers to a family of five different
cryptographic hash functions developed since 1993 by the NSA and published
by NIST as a US federal standard (FIPS PUB 180-4). Like any hash algorithm,
SHA produces a message digest, or "footprint of the message", of fixed length
starting from a message of variable length. The security of a hash algorithm
lies in the fact that the function is not reversible (i.e. it is not possible
to recover the original message knowing only the digest) and that it should
never be possible to intentionally create two different messages with the
same digest. The algorithms of the family are called SHA-1, SHA-224, SHA-256,
SHA-384 and SHA-512: the last four variants are often referred to
generically as SHA-2, to distinguish them from the first. The former produces
a message digest of only 160 bits, while the others produce digests whose
length in bits equals the number in their name (SHA-256 produces a 256-bit
digest). SHA-1 is the most widespread algorithm of the SHA family and is used
in many applications and protocols despite being insecure; it will soon be
replaced by more modern and efficient ones. SHA-1 works as follows:
1. Step 1 (Padding): padding bits are added to the original message so that
the final length of the message is congruent to 448 modulo 512, so that the
length of "message + padding" is a 64-bit number short of a multiple of
512 bits.
2. Step 2 (Length appended): a 64-bit unsigned integer containing the
length of the original message is appended to the bit sequence (message +
padding) created during step 1. At the end of these first two steps we
obtain a sequence of bits whose length is a multiple of 512.
3. Step 3 (Initialization of the MD buffer): a buffer of 160 bits divided
into 5 registers of 32 bits each is created for storing some intermediate
results.
4. Step 4 (Processing the 512-bit blocks): the bit sequence "message +
padding + message length" is divided into 512-bit blocks, which we will
identify with B_n, with n ranging from 0 to L. The core of the SHA-1
algorithm is called the compression function and consists of 4 cycles of
20 steps each. The cycles have a very similar structure, except that they
use a different primitive logic function. Each block is taken as input by
all 4 cycles together with a constant K and the values of the 5 registers.
At the end of the computation we obtain new values for A, B, C, D, E that
are used for the computation of the next block, up to the final block F.
Authentication protocols

Authentication is the process through which a computer system, a computer, a
piece of software or a user verifies the correct, or at least presumed,
identity of another computer, software or user that wants to access, through
an authorized connection, the services associated with it. It is the system
that actually verifies that an individual is who he claims to be.
Authentication is different from identification (recognition of a user's
right to access system resources based on their identity).
AAA protocol

The AAA protocol generically indicates a protocol that carries out the three
functions of authentication, authorization and accounting. The expression
AAA protocol does not refer to a protocol in particular, but to a family of
protocols that, even in different ways or with different implementations, offer
the services mentioned. AAA (authentication, authorization and accounting)
is mainly used in the field of corporate security. In fact, it protects access to
company data, physical access to the premises and the use of resources.

Authentication

Authentication is the process by which a user is recognized. Normally a
username, usually public, and a password are used.

Authorization

Authorization is a process distinct from the previous one because, after
authentication, the user must be given access only to the resources that
pertain to them.

Accounting

Accounting refers to all the actions that track or record, measure and
document the resources granted to a user during an access to a server or,
more generally, to an IT system.
Authentication based on a shared secret

Challenge/response protocols

Challenge-response protocols are a family of protocols that allow the
authentication of entities through the following scheme:
1. one party (the verifier) presents a question (the challenge);
2. the party that wants to authenticate receives the question, computes a
response and sends it to the verifier;
3. the verifier receives the response and evaluates whether it correctly
answers the question: if so, the entity that sent the response is
authenticated, otherwise it is not.
There are different methods of doing this in detail, all based on the same
basic principle: if one party (usually called Alice in cryptography) wants
to authenticate itself to another party (usually called Bob), Bob sends a
random number N (the nonce) to Alice (this is the challenge). Alice combines
this number N with her password, applies a cryptographic hash function or an
encryption to this combination and sends the result to Bob (thus providing
the response). Bob, who knows the random number as well as the shared secret
(Alice's password) and the hash function or encryption used, performs the
same calculation and compares its result with the response he receives from
Alice. If the two values are identical, Alice has successfully authenticated.
The main disadvantage is that all passwords are required in clear text on
the server side; for this they must be stored in plain text or be
decryptable to plain text. This makes it possible for passwords to be stolen
by third parties: when the user data leaks, the passwords are exposed in
plain text without any additional effort. Another disadvantage is that the
secret must also be in plain text on the client side (Alice), so whoever
obtains it can impersonate the user. This can be remedied by calculating the
response on a smart card, but then the problem becomes making sure that
nobody unauthorized uses Alice's smart card.
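As an added example (not from the original text), the nonce-based exchange just described: Bob, the verifier, issues N and keeps Alice's password in clear, as the text notes he must; Alice computes the response by hashing the combination of N and her password (HMAC-SHA-256 here, an assumption of this example). Each nonce is accepted once, so a captured response cannot be replayed.

```python
import hashlib
import hmac
import secrets


def compute_response(password: str, nonce: bytes) -> bytes:
    """Alice's side: combine the nonce N with the password and hash the
    combination (a keyed hash, HMAC-SHA-256, is used for the combination)."""
    return hmac.new(password.encode(), nonce, hashlib.sha256).digest()


class Verifier:
    """Bob's side: holds the shared secrets and issues single-use challenges."""

    def __init__(self, passwords: dict):
        # the weak point noted in the text: passwords must be available in clear
        self._passwords = dict(passwords)
        self._pending = {}           # user -> nonce that has not been answered yet

    def challenge(self, user: str) -> bytes:
        nonce = secrets.token_bytes(16)      # fresh random N for every attempt
        self._pending[user] = nonce
        return nonce

    def verify(self, user: str, response: bytes) -> bool:
        nonce = self._pending.pop(user, None)   # consumed: a replay finds no nonce
        password = self._passwords.get(user)
        if nonce is None or password is None:
            return False
        expected = compute_response(password, nonce)
        return hmac.compare_digest(expected, response)   # constant-time comparison


def authenticate(verifier: Verifier, user: str, password: str) -> bool:
    """The full exchange: challenge, response, verification."""
    nonce = verifier.challenge(user)
    return verifier.verify(user, compute_response(password, nonce))


if __name__ == "__main__":
    bob = Verifier({"alice": "correct horse battery staple"})   # constructed secret
    print("right password:", authenticate(bob, "alice", "correct horse battery staple"))
    print("wrong password:", authenticate(bob, "alice", "letmein"))
    # a response captured on the wire cannot be reused: its nonce is gone
    n = bob.challenge("alice")
    r = compute_response("correct horse battery staple", n)
    print("first use:", bob.verify("alice", r), "replay:", bob.verify("alice", r))
```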
Diffie-Hellman key exchange

The Diffie-Hellman key exchange is a cryptographic protocol that allows two
entities to establish a shared secret key using an insecure (public)
communication channel, without the two parties having previously exchanged
information or met. The key obtained by this protocol can then be used to
encrypt subsequent communications using a symmetric cryptographic scheme.
Although the algorithm itself is anonymous (i.e. unauthenticated), it is the
basis of numerous authenticated protocols and is also used in some modes of
operation of the TLS protocol. In the original (and simplest) version of the
protocol we initially consider a number g, a generator of the multiplicative
group of the integers modulo p, where p is a prime number. One of the two
parties, for example Alice, chooses a random number a, calculates the value
A = g^a mod p (where mod indicates the modulo operation, i.e. the remainder
of the integer division) and sends it through the public channel to Bob (the
other party), together with the values g and p. Bob, for his part, chooses a
random number b, calculates B = g^b mod p and sends it to Alice. At this
point Alice calculates K_A = B^a mod p, while Bob calculates K_B = A^b mod p.
The two calculated values are the same, since B^a mod p = g^(ab) mod p =
A^b mod p. At this point the two parties are both in possession of the secret
key and can begin to use it to encrypt the subsequent communications. An
attacker can listen to the whole exchange, but to calculate the values a and
b would need to solve the discrete logarithm problem, which is
computationally burdensome and takes a long time, being sub-exponential
(certainly much longer than the conversation between the two parties).
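As an added example (not from the original text), the exchange above with the same symbols: is_generator checks that g generates the multiplicative group modulo p (feasible only for a small p), run_exchange computes A, B, K_A and K_B for both sides, and derive_key turns the shared number into a symmetric key with SHA-256. The toy parameters p = 23, g = 5 are an assumption of this example, chosen for readability.

```python
import hashlib
import secrets


def is_generator(g: int, p: int) -> bool:
    """True if the powers g^1 .. g^(p-1) mod p cover every nonzero residue,
    i.e. g generates the multiplicative group modulo the prime p.  This
    exhaustive check is only meant for small p."""
    return len({pow(g, k, p) for k in range(1, p)}) == p - 1


def public_value(g: int, p: int, x: int) -> int:
    """g^x mod p: A for Alice (x = a), B for Bob (x = b)."""
    return pow(g, x, p)


def shared_secret(peer_public: int, x: int, p: int) -> int:
    """K_A = B^a mod p on Alice's side, K_B = A^b mod p on Bob's side."""
    return pow(peer_public, x, p)


def derive_key(k: int, p: int) -> bytes:
    """Turn the shared number K into a key usable by a symmetric cipher."""
    return hashlib.sha256(k.to_bytes((p.bit_length() + 7) // 8, "big")).digest()


def run_exchange(g: int, p: int, a: int, b: int):
    """Both sides of the protocol; a and b are the parties' private exponents."""
    A = public_value(g, p, a)            # Alice -> Bob: A, g, p (all public)
    B = public_value(g, p, b)            # Bob -> Alice: B (public)
    K_A = shared_secret(B, a, p)         # computed by Alice from B and a
    K_B = shared_secret(A, b, p)         # computed by Bob from A and b
    return A, B, K_A, K_B


if __name__ == "__main__":
    p, g = 23, 5                          # toy parameters: g = 5 generates Z_23*
    a = secrets.randbelow(p - 2) + 1      # private exponents in 1 .. p-2
    b = secrets.randbelow(p - 2) + 1
    A, B, K_A, K_B = run_exchange(g, p, a, b)
    print(f"A={A} B={B} K_A={K_A} K_B={K_B} equal={K_A == K_B}")
    print("session key:", derive_key(K_A, p).hex())
```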
Password

A password or access key is a sequence of alphanumeric characters used to
gain exclusive access to an IT resource (ATM, computer, internet connection,
mailbox, networks, programs, databases, etc.) or to perform encryption
operations. We speak more properly of a passphrase if the key is made up of a
sentence or a sufficiently long sequence of characters (not less than 20/30).
A password is usually associated with a specific user name (or user
identifier), so as to obtain a unique identification from the system to
which access is requested. The username/password pair provides the access
credentials for one of the most common forms of authentication; its typical
use is in access or login procedures. Given the purpose for which it is used,
the password should remain secret from those who are not authorized to
access the resource in question. It is not recommended that a password be
made up of a meaningful word.
Types of attacks

In cryptography, a type of attack (or attack mode) is a method adopted by a
cryptanalyst to try to retrieve as much information as possible from an
encrypted message. The following are the most common types of attack:
1. Brute-force attack: the cryptanalyst tries to decrypt the text by testing
all the possible encryption keys. This attack becomes more effective as
computing power increases. Its main positive factor is that it theoretically
always finds the right solution, but on the other hand it is always the
slowest or most expensive solution; it is used as a last resort both in
cryptanalysis and in other parts of mathematics, and only in those cases in
which it is the only known procedure.
2. Ciphertext-only attack: the cryptanalyst has access only to the
ciphertext. This is the most frequent case and the one that provides the
least information to the attacker.
3. Known-plaintext attack: the attacker has a set of ciphertexts of which
he knows the corresponding plaintexts. At first glance it may seem an
unlikely situation, but cases in which the attacker knows both plaintext and
ciphertext are not uncommon: for example, many e-mail messages start with
recurring phrases or end with predefined signatures.
4. Chosen-plaintext attack: in this case the attacker can arbitrarily choose
the texts to be encrypted. This situation is not unlikely either: in
asymmetric cryptography the public key is known to all and can be used to
encrypt as many messages as desired.
5. Chosen-ciphertext attack (more precisely, attack with chosen ciphertext
and plaintext): the attacker can obtain the plaintext corresponding to an
arbitrary set of ciphertexts. The unknown information in this case is the
cryptographic key.
Computational security

Unconditionally secure

The ciphertext does not contain sufficient information to uniquely determine
the plaintext. A cryptosystem is said to be unconditionally secure if it
cannot be broken even using unlimited computing power.

Computationally secure

A cryptosystem is considered computationally secure if the best known
algorithm that breaks it has computational complexity greater than a certain
sufficiently large bound N. In the current state of knowledge, no
cryptosystem used in practice has been proven to be computationally secure.
Public key

A public key is a cryptographic key used in an asymmetric cryptosystem;
every public key is associated with a private key. The characteristic of
asymmetric cryptosystems is that each pair of keys is formed in such a way
that what is encrypted with one can only be decrypted with the other. The
two keys are perfectly interchangeable, but generally one of them is called
"public" and the other "private", because only one (and only one!) of them
is meant to be distributed. Public keys can also be exchanged over an
insecure channel (via e-mail, via a key server, on a web page, etc.); the
important thing is to know that a public key is not in itself associated
with a "person", but exclusively with a private key. To associate it with a
person, a digital certificate is generally used. The fingerprint is a hash
(fixed-length value) of 128 bits (32 hexadecimal digits) of the 1024-bit
public key and identifies it uniquely. When you obtain a person's public
key, you can compare the fingerprint you already know with the fingerprint
computed from the key you received: if they match, that is a guarantee of
authenticity.

Certificates

A digital certificate is an electronic document that attests to the unique
association between a public key and the identity of a subject (a person, a
company, a computer, etc.) that declares to use it in asymmetric encryption
procedures and/or authentication by digital signature. The digital
certificate contains information on the key, information on the identity of
the owner (called the subject) and the digital signature of an entity that
has verified the contents of the certificate (called the issuer). If the
signature is valid and the software examining the certificate trusts the
issuer, then it can use this key to communicate securely with the subject of
the certificate. In e-mail encryption, code signing and electronic signature
systems, a certificate subject is typically a person or an organization. This
certificate, provided by a trusted third party recognized as a certification
authority (CA), is in turn authenticated to prevent forgery, again through a
digital signature made with the private key of the certification authority,
which then provides the corresponding public key to verify it. The most
common format for public-key certificates is defined by X.509. Because X.509
is very general, the format is further constrained by the profiles defined
for some use cases, such as the public key infrastructure (X.509) defined in
RFC 5280. The digital certificate is impossible to duplicate or forge and can
easily be verified online (or via mobile) by a prospective buyer. The
"marginal cost of production" of a digital certificate is close to zero,
which means that even relatively low unit price objects could be protected.
IPsec

IPsec, short for IP Security, is a standard for packet networks that aims to
achieve secure connections over IP networks. Security is achieved through
authentication, encryption and integrity control of IP packets (datagrams).
Security is thus provided at the network level (unlike HTTPS and SSL/TLS),
which makes this protocol transparent to the application level: applications
therefore need not be modified. IPsec is designed to secure both
gateway-to-gateway and end-to-end communications. In the first configuration
the traffic is secured for several computers (in some cases for an entire
LAN); in the second case only the peers that establish the connection
exchange protected packets. However, the predominant use of IPsec is the
creation of VPNs (virtual private networks); to achieve this purpose both
methods described above can be used. IPsec is a collection of protocols
consisting of:
1. protocols that implement key exchange in order to obtain an encrypted
flow;
2. protocols that provide encryption of the data stream.
Currently there is only one protocol for the exchange of keys, the IKE
protocol. IPsec is an integral part of IPv6, while it is optional in IPv4.
As a result, it is expected to be used most when IPv6 gains popularity. The
protocol is defined in RFCs 2401-2412. Since 2004, studies have been under
way to update the protocols. Regarding the second aspect, there are two
protocols: Authentication Header (AH) and Encapsulating Security Payload
(ESP). AH provides authentication and message integrity, but does not offer
confidentiality, and is IP protocol number 51. ESP instead provides
authentication, confidentiality and integrity control of the message, and is
IP protocol number 50. For these reasons ESP is used much more than AH.
IPsec supports two modes of operation:
1. Transport mode
   a. host-to-host connection;
   b. used by end-points, not by gateways;
   c. in case of encryption, only the payload of the IP datagram is
   encrypted, not the header;
   d. computationally light;
   e. every host that wants to communicate must have all the software
   necessary to implement IPsec;
   f. only the IPsec header is added; the sender and receiver addresses of
   the end-points remain visible.
2. Tunnel mode
   a. gateway-to-gateway connection;
   b. in case of encryption, the whole original IP packet is encrypted;
   c. used to create VPNs;
   d. computationally heavy;
   e. only the gateways must have IPsec software;
   f. there are points of centralization, hence single points of failure;
   g. it uses a double encapsulation: the payload of the communication
   between the gateway addresses is obtained by encrypting the original
   packet, i.e. the sender and receiver addresses of the end-points together
   with the actual payload; when the Encapsulating Security Payload protocol
   is adopted, the sender and receiver addresses of the end-points are
   therefore no longer visible (they remain visible when AH is adopted).
The two modes are supported by both AH and ESP. IPsec can also be used for
connections between gateways and hosts.

Security Association

The concept of the Security Association (SA for short) is the basis of
IPsec's operation. An SA is a "contract" between the two entities involved
in the communication; it establishes the protection mechanisms and the keys
to be used during the subsequent data transfer. Within IPsec, establishing
security associations is the task of the IKE protocol, although it is also
possible to set them manually; obviously the manual procedure is not
recommended, as it can introduce errors that weaken the tunnel. A
peculiarity of SAs is that they identify a one-way communication; therefore,
during the creation of the connection, the entities involved create and
manage an SA for each direction of communication, so 2 SAs identify a
full-duplex channel. To simplify the management of SAs, a special database
called the SAD (Security Association Database) is used, where the active SAs
are tracked. In particular, an SA consists of the following parameters:
1. the IP addresses of the peers involved in the communication;
2. the protocol that will be used for the tunnel (AH or ESP);
3. the encryption techniques used and the related keys;
4. a 32-bit integer called the SPI, which stands for Security Parameter
Index.
By examining the parameters of an SA, all the information necessary to
establish how the traffic must be protected is obtained; the next step is to
define which traffic should be protected, and the Security Policy (SP for
short) deals with this. An SP is a rule that determines what type of traffic
should be routed into the tunnel and thus be covered by IPsec; similarly to
the SAs, the SPs are contained in an SPD (Security Policy Database). The
security policy contains:
1. the source address and destination address of the packet. This
information is already contained in the SA and therefore may seem
redundant; in reality it makes sense when tunnel mode is used;
2. the protocol and its port to be routed into the tunnel. This option
depends on the implementation of the protocol and is not always supported;
if it is not available, all the traffic produced is conveyed into the
tunnel;
3. an identifier of the SA to be used to process the data.
Once the security association and the security policy have been
established, the communication can begin, using the AH protocol or the ESP
protocol, to which the SPI parameter is passed; the SPI makes it possible to
look up the cryptographic techniques to be used for the transmission.
IKE protocol

IKE is an acronym for Internet Key Exchange and is the protocol used to
establish a security association in the IPsec suite of protocols. This
protocol is defined in RFC 4306. It is an application layer protocol and
uses UDP as its transport protocol; the port on which the connection is
established is 500. The goal of IKE is to establish a shared session secret,
that is, a shared key corresponding to the session to be established, and to
this end it uses the Diffie-Hellman algorithm; from the shared secret the
cryptographic keys that will be used for the subsequent communication are
then derived. To authenticate the entities involved in the communication,
symmetric-key techniques or, alternatively, asymmetric-key techniques can be
used; in the latter case a public-key infrastructure (PKI) and digital
certificates are used.

AH protocol

Authentication Header (abbreviated AH) is a protocol that is part of the
IPsec suite. Its task is to provide a per-packet integrity check,
verification of the sender's authenticity and protection against replay
attacks. AH does not guarantee in any way the confidentiality of the
message. Authenticity is guaranteed through symmetric-key hash functions,
i.e. via the pre-shared key mechanism. In order to communicate, two entities
must share the same key; this key is combined with the original message and
then the checksum is calculated using a cryptographic hash function (MD5 or
SHA). The message and the checksum are finally sent to the remote peer. The
remote peer receives the message; since it is in clear text, it can read it,
combine it with the key it knows and calculate the checksum. If the checksum
matches the one sent, the message is authentic and is accepted; otherwise it
is discarded, as it has been modified in a way not allowed by the standard.
The AH protocol is designed to protect the entire IP packet sent; however,
it must be considered that some fields of the IP header, such as the TTL,
vary during transmission; these changes must necessarily be allowed, so
before calculating the checksum the fields allowed to vary are set to 0. The
structure of the AH packet is shown below (each box represents 1 byte).

1. Next header: indicates what type of protocol comes next.
2. Payload length (8 bits): the length of the AH in words (1 word = 32
bits) minus 2. For example, the default Authentication Data field is 96
bits, plus another 96 bits for the fixed-length fields of AH, making 6
words (96 + 96 = 192 bits, divided by 32 = 6). Subtracting 2 therefore gives
4, the value contained in the field for the standard payload length.
3. RESERVED: space left for future developments. All bits in this field are
set to 0.
4. Security Parameter Index: this field identifies the security parameters
in combination with the IP address. It is generally a pseudo-random number
that identifies the security association to which this packet belongs.
5. Sequence number: a monotonically increasing sequence of numbers. To
prevent replay attacks, when the sequence number reaches the maximum value
(2^32 - 1) it must not wrap around to 0; instead a new SA must be created.
6. Authentication data: contains the Integrity Check Value (ICV) and
represents the HMAC calculated by the sender of the message. The HMAC is
calculated over the fields of the IP header (handling the TTL as described
above), the fields of the AH header except the authentication data (which
is treated as 0) and finally all the data of the upper level headers,
including the application data, which are not modified during transport.
AH natively supports both transport mode and tunnel mode. In transport
mode, only the protocols above the network level (TCP, UDP, etc.) are
protected; in tunnel mode the original IP packet is encapsulated in a new IP
packet after being processed by AH. We explain its operation with the help
of some diagrams. The reference point is undoubtedly the original IP packet;
in the presence of an IPsec-based connection the packet is obviously
altered.
Original IP packet:

| IP header | TCP header | Data |

Depending on the IPsec mode of operation (tunnel mode or transport mode),
the original packet is altered differently.
AH in transport mode:

| IP header | AH header | TCP header | Data |
|<----------- authenticated data ----------->|

AH in tunnel mode:

| External IP header | AH header | IP header | TCP header | Data |
|<------------------------ authenticated data ------------------>|

The "authenticated data" line indicates the areas of the packet that are
authenticated. From the point of view of protection, in both cases the
packets are completely protected. Note that in the IP header some fields
vary during network transit, such as the TTL. These fields are set to 0
before the hash function is calculated, which is necessary to protect the
packet. From what has just been said, it is immediately clear that the AH
protocol is incompatible with the various NAT techniques: if the address
fields in the IP header are altered (in either mode), the checksum
immediately fails on receipt.

ESP protocol

Encapsulating Security Payload, denoted by the acronym ESP, is a protocol
that is part of the IPsec suite. Its goal is to provide authenticity,
confidentiality and integrity control to the communication. Contrary to what
AH does, the IP header is not covered by the checks. Like AH, however, it
supports both tunnel mode and transport mode.
The format of the ESP packet is shown below (each box represents 1 byte).

1. Security Parameters Index (SPI): as in AH, this field, in combination
with the IP address, identifies the Security Association to which the
packet belongs.
2. Sequence Number: a monotonically increasing sequence of numbers, which
identifies the packet within the Security Association and prevents replay
attacks.
3. Payload: the data to be transferred.
4. Padding: a filler field. It is necessary because some ciphers work on
blocks of fixed length. It is used to increase the size of the data until it
becomes a multiple of the block size that the algorithm in use handles.
5. Pad Length: the size, in octets, of the added padding data.
6. Next Header: identifies the protocol of the transferred data.
7. Authentication Data: contains the data used to authenticate the packet.
As can be seen from the packet structure (and as will be better illustrated
later), ESP "wraps" the data of the higher level protocols, whereas AH
places a header in front of them.
Being a data transfer protocol of the IPsec suite, ESP supports both tunnel
mode and transport mode. Depending on the mode, the data is treated
differently. Before describing the encapsulation of the data we show the
original IP packet, which would travel on the network in the absence of
IPsec. Original IP packet:

| IP header | TCP header | Data |

ESP in transport mode:

| IP header | ESP header | TCP header | Data | ESP trailer | ESP auth |
            |            |<--------- encrypted --------------->|
            |<---------------- authenticated ------------------>|

ESP in tunnel mode:

| IP header | ESP header | Internal IP header | TCP header | Data | ESP trailer | ESP auth |
            |            |<-------------------- encrypted --------------------->|
            |<----------------------------- authenticated --------------------->|

The "authenticated" line marks the part of the packet that is checked for
authenticity and integrity; the "encrypted" line marks the areas of the
packet that are protected by cryptographic algorithms. As far as encryption
algorithms are concerned, Data Encryption Standard (DES), 3DES, AES and
Blowfish can be used. The integrity and authenticity check is performed via
an HMAC (hash function): the hash is calculated using a hash function (MD5
or SHA-1) and a shared key; the hash obtained is attached to the message and
sent. The message integrity is checked on reception. As shown in the
diagrams, the outermost IP header is not covered by the integrity check.
This makes the ESP protocol suitable for use with some types of NAT,
especially static ones. However, there are ad hoc solutions for the joint
operation of IPsec and NAT, such as NAT traversal.

NAT-T

NAT traversal (or, more briefly, NAT-T) is the name of a protocol that is
part of the IPsec suite and standardized in several RFCs, of which the
official one is RFC 3947. The goal of this protocol is to make it possible to
establish an IPsec tunnel even when one of the two peers involved undergoes
NAT in order to reach the other entity in the communication. NAT is a widely
used technique for reusing IP addresses. However, hosts behind a router (or
firewall) performing NAT do not have end-to-end connectivity. Although there
are several types of NAT, the common goal is to alter the packet headers.
This behavior is in stark contrast with IPsec, which has among its objectives
the integrity control of the packet. In particular, NAT is incompatible with
AH both in tunnel mode and in transport mode, since AH verifies the integrity
of the whole IP packet. ESP, on the other hand, does not cover the IP header
with checks of any sort in either Tunnel mode or Transport mode, so it is
suitable when the NAT performed is of the SNAT type, in other words when the
modification made by the router involves only the IP header and not the
upper-level port. NAT also creates problems with IKE, and especially with
IKE in main mode. Main mode used in conjunction with the pre-shared-key
method requires the authentication of the hosts involved in the
communication, and this authentication includes a check on the IP
addresses; the alteration of the address by a NAT device therefore causes
authentication to fail. Generally, in the devices used to manage IPsec
tunnels and in VPN clients, NAT-T is not enabled by default but must be
configured by hand; its use nonetheless remains optional: during the creation
of the security association the peers determine whether one of the two
undergoes NAT, and only in that case is NAT-T used; this is done during the
first phase of the IKE negotiation. First, the peers verify that both support
NAT-T; this check is performed at the very beginning of the IKE exchange by
means of a packet carrying a Vendor ID payload that contains a known hash
value. Once it is established that both support NAT-T, "NAT-Discovery"
(NAT-D) payloads are exchanged to determine which of the two peers is behind
a NAT, or whether both are. Once the NATted peer has been identified, the
communication moves to a new pair of UDP ports and the NATted peer starts
sending keepalive packets; these are used to keep the communication ports
fixed on the router and to prevent it from reassigning them to a new
communication.

ESP in Tunnel mode:

  IP header | ESP header | Internal IP header | TCP header | Data | ESP trailer | ESP auth

ESP in Tunnel mode with UDP encapsulation for NAT-T:

  IP header | UDP header | NAT-T header | ESP header | Internal IP header | TCP header | Data | ESP trailer | ESP auth

The fields related to NAT-T (the UDP header and the NAT-T header) are
inserted immediately after the external IP header, which is not altered, just
as the fields that follow them are not altered. The inverse operation is
performed on reception.
Firewall

A firewall is a perimeter defense component of a computer network,
originally passive, which can also connect two or more network segments,
thus providing protection in terms of the IT security of the network.

Functionality

A firewall is an IT security component whose purpose is to control access
to the resources of a system by filtering all the traffic that the system
exchanges with the outside world. The system protected by the firewall,
which is assumed to be safe and reliable, can be a single computer or a
computer network (called the internal network, local network or private
network), while the external environment with which it interacts is
typically a network assumed to be unknown, insecure and unreliable (called
the external network or public network). A firewall filters traffic based on
a set of rules, usually called policies. There are two general criteria for
applying the individual rules:
0. default-deny criterion: only what is explicitly allowed is allowed; the
rest is forbidden;
0. default-allow criterion: only what is explicitly forbidden is blocked;
the rest is allowed.
Firewalls normally use the default-deny policy because it provides greater
security and greater precision in defining rules than the default-allow
policy, even though the latter allows a simpler configuration. The analysis
of the packets that make up the traffic, according to the security criteria
formalized by the rules, results in one of the following actions:
0. allow: the firewall lets the packet pass;
0. deny: the firewall blocks the packet and sends it back to the sender;
0. drop: the firewall blocks the packet and discards it without sending
any signal to the sender.
Firewalls usually do not block a packet and send it back to the sender, so
as not to consume bandwidth. A firewall can be software, a hardware device,
or a combination of hardware and software. It is called an appliance when it
is implemented as a hardware device with integrated software capable of
performing the firewall function. Firewalls are divided into host-based and
network-based depending on the nature of the system they protect. A
host-based firewall, also called a personal firewall or software firewall,
is a software application that controls the outgoing and incoming traffic of
a single computer. In particular, it blocks applications installed on the
machine that are not allowed to connect to the outside. A network-based
firewall, also called a network firewall or hardware firewall, is a
stand-alone hardware component placed on the border of a network in order to
filter all the traffic that the network exchanges with the outside (this is
also called a perimeter firewall). Hardware firewalls are machines designed
for the particular function they have to perform and can be implemented with
dedicated hardware and software or with a server properly configured to run
only a firewall. Since they are used to separate an internal network from an
external one, they are equipped with two network cards and have a minimal
operating system consisting only of the software essential for running the
firewall. For this reason, hardware firewalls are safer and at the same time
harder to configure than software firewalls. Network firewalls are located
on the gateway computers of LANs, WANs and intranets. They are either
software devices running on generic hardware or hardware-based firewall
appliances. Firewall appliances can also offer additional features to the
internal network they protect, such as a DHCP server or VPN for that
network. Host-based firewalls are located on the network nodes themselves
and control the network traffic coming in and out of those machines. A
host-based firewall can be a daemon or service that is part of the operating
system, or an agent application such as endpoint security or endpoint
protection software. Each has advantages and disadvantages, but each has a
role in multi-layered security. Firewalls also differ depending on where the
communication originates, where it is intercepted and whether its state is
tracked.

Packet filter firewall


A packet filter firewall or stateless firewall analyzes each packet that
passes through it individually, without taking into account the packets
that preceded it. Only some of the information contained in the packet
header is considered in this analysis, in particular the fields belonging to
the first three layers of the OSI model plus some of the fourth: the source
IP address, the destination IP address, the source port, the destination
port and the transport protocol. On these parameters are built the rules
that formalize the firewall policy and establish which packets to pass and
which to block. This type of filtering is simple and light but does not
guarantee high security. In fact, it is vulnerable to IP spoofing attacks
because it cannot distinguish whether or not a packet belongs to an active
connection. Therefore, due to the lack of state, the firewall also lets
through packets whose original source IP address, not allowed by the
firewall policy, has been deliberately replaced with an allowed address.
Furthermore, filtering based only on the lower-layer information of the OSI
model does not allow the firewall to detect attacks based on vulnerabilities
of the upper layers. Few packet filter firewalls support even basic logging
and reporting capabilities.

Stateful firewall

A stateful firewall or circuit-level gateway performs the same kind of
filtering as packet filter firewalls and, in addition, keeps track of
connections and their status. This feature, called stateful inspection, is
implemented using a table of the firewall's internal state in which each
TCP and UDP connection is represented by two pairs consisting of IP address
and port, one for each communication endpoint. To keep track of the status of
a TCP connection, the sequence number, the acknowledgment number and the
flags indicating the start (SYN), the middle (ACK) and the end (FIN) of the
connection are stored. Thus a stateful firewall blocks all packets that do
not belong to an active connection, unless they open a new one, as well as
packets that do not respect the normal order of flags in the communication.
The ability to filter packets based on the status of the connections
prevents IP spoofing attacks but makes the formulation of the rules more
difficult. In addition, stateful firewalls do not detect attacks at OSI
layers above the fourth and are sensitive to DoS attacks that saturate the
state table. In general, compared to packet filter firewalls, they offer
greater security, better logging and better control over application
protocols that choose the communication port dynamically (such as FTP), but
they are heavier from a performance point of view.
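The difference between the two kinds of filtering just described, as an added illustration that is not part of the original text: both firewalls below apply the same constructed policy (outbound traffic allowed, inbound TCP only to one web server, other inbound TCP only when ACK is set), but the stateful one additionally keeps a connection table keyed on the two address/port pairs and checks the order of the SYN, SYN/ACK and FIN flags. The scenario at the end is constructed traffic: a legitimate outbound connection, then an inbound segment whose header claims to belong to an existing connection although none was ever opened; the packet filter lets it through, the stateful firewall drops it for lack of state. Host addresses, the `Packet` type and the simplified single-FIN teardown are assumptions of the example.

```python
from dataclasses import dataclass

# TCP flag bits
FIN, SYN, ACK = 0x01, 0x02, 0x10

WEB_SERVER = "10.0.0.80"   # constructed: the only internal host reachable from outside (port 80)

@dataclass(frozen=True)
class Packet:
    direction: str   # "in" = arriving from the external network, "out" = leaving the protected one
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"
    flags: int = 0

def stateless_decision(pkt):
    """Packet filter: decides on the header fields of this packet alone.
    Other inbound TCP passes only if ACK is set, on the assumption that it
    belongs to a connection opened from inside (the 'ACK = 0' rule)."""
    if pkt.direction == "out":
        return "allow"
    if pkt.proto != "tcp":
        return "drop"
    if pkt.dst_ip == WEB_SERVER and pkt.dst_port == 80:
        return "allow"
    return "allow" if pkt.flags & ACK else "drop"

class StatefulFirewall:
    """Same policy, but a packet without SYN is accepted only if the state
    table records a connection it belongs to, and the flags must follow the
    handshake order."""
    def __init__(self):
        # key: (internal ip, internal port, external ip, external port) -> (state, opener)
        self.table = {}

    @staticmethod
    def _key(pkt):
        if pkt.direction == "out":
            return (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        return (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)

    def decision(self, pkt):
        if pkt.proto != "tcp":
            return "drop"
        key = self._key(pkt)
        entry = self.table.get(key)
        if entry is None:
            # only a pure SYN may create state, and only where the policy allows a new connection
            opens = (pkt.flags & SYN) and not (pkt.flags & ACK)
            allowed = pkt.direction == "out" or (pkt.dst_ip == WEB_SERVER and pkt.dst_port == 80)
            if opens and allowed:
                self.table[key] = ("SYN_SENT", pkt.direction)
                return "allow"
            return "drop"
        state, opener = entry
        if state == "SYN_SENT":
            # the SYN/ACK must come from the other side of the connection
            if pkt.direction != opener and (pkt.flags & SYN) and (pkt.flags & ACK):
                self.table[key] = ("ESTABLISHED", opener)
                return "allow"
            return "drop"
        if pkt.flags & FIN:
            del self.table[key]   # simplified: a single FIN closes the entry
        return "allow"

def run_scenario():
    """Constructed traffic; returns (stateless, stateful) decisions per packet."""
    fw = StatefulFirewall()
    traffic = [
        Packet("out", "10.0.0.5", 40000, "203.0.113.7", 443, flags=SYN),
        Packet("in", "203.0.113.7", 443, "10.0.0.5", 40000, flags=SYN | ACK),
        Packet("out", "10.0.0.5", 40000, "203.0.113.7", 443, flags=ACK),
        Packet("in", "203.0.113.9", 443, "10.0.0.5", 22, flags=ACK),   # no matching connection
    ]
    return [(stateless_decision(p), fw.decision(p)) for p in traffic]

if __name__ == "__main__":
    for decision in run_scenario():
        print(decision)
```

The last packet is the case the text describes: a stateless filter judges it on its header alone, and the ACK bit makes it look like part of an existing connection; the stateful firewall has no table entry for that address/port pair and drops it. The cost is the state table itself, which is what a DoS against a stateful firewall tries to saturate.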

Application firewall

An application firewall, proxy firewall or application gateway operates up
to layer 7 of the OSI model, filtering all the traffic of a single
application based on knowledge of its protocol. This type of firewall
analyzes packets in their entirety, considering their content (payload), and
is therefore able to distinguish the traffic of an application regardless of
the communication port it uses. Another feature that sets it apart from a
packet filter firewall and a stateful firewall is the ability to break the
connection between a host on the protected network and a host on the
external network: it acts as an intermediary in the communication and is
therefore the only point in the network that communicates with the outside,
thus hiding the other hosts that belong to it. This type of firewall is able
to detect intrusion attempts that exploit a protocol and achieves better
logging and reporting capabilities than the firewalls described previously.
Although it increases the level of security, an application firewall is
specific to each application and is a bottleneck for network performance.

Next-generation firewall

A next-generation firewall is a platform that brings together different
security technologies in one package. Among these are the firewall filtering
technologies presented previously: stateless filtering, stateful inspection,
application-level packet analysis (deep packet inspection) and additional
features such as NAT and VPN support. Some other typical characteristics of
a next-generation firewall are: intrusion detection and prevention (IDS and
IPS systems), the definition of specific policies for each application, the
integration of the user's identity, the acquisition of security-relevant
data from external sources, and quality of service. The goal of this firewall
technology is to simplify the configuration and management of a
heterogeneous set of security tools while at the same time improving their
impact on the performance of the entire system.

Examples

Acceptance of connections to the web server:
0. Block all incoming TCP SYN segments except those with destination
port 80 and the Web server's destination IP address.
0. Block all UDP traffic (audio/video streaming).
0. Block ICMP messages outgoing from the network (to hide the map of
internal IP addresses that could be obtained with traceroute).
Filtering based on the combination of IP address and TCP port:
0. A router could block all Telnet packets (port 23) except those whose
source IP is in a special list.
0. Problems arise in the case of forged IPs.
Blocking TCP connections:
0. Allow internal users to connect to external servers but block external
clients from connecting to servers inside the corporate network. This is
possible by observing the ACK bit in the TCP segment (= 0 in the first
segment of a connection): incoming segments with ACK = 0 are discarded.
Filtering incoming traffic:
0. Block packets for services that you do not want to offer on the
Internet.
0. Block packets with illegal, broadcast, loopback or reserved source
addresses.
0. If multicast is not used, block multicast addresses (224.0.0.0/4).
0. Block ICMP broadcast.
0. Block UDP echo.
0. Block packets from outside whose source address belongs to our own
network.
Filtering of source addresses:
0. Illegal addresses (e.g. 0.0.0.0/8).
0. Broadcast addresses (e.g. 255.255.255.255/32).
0. Reserved addresses (e.g. 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16).
0. Loopback addresses (e.g. 127.0.0.1).
0. Multicast addresses (224.0.0.0/4), if not used.
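The "filtering incoming traffic" and "filtering of source addresses" lists above, turned into one ingress filter as an added example (not code from the original text). It classifies the source address against the illegal, loopback, reserved, multicast and broadcast ranges listed, adds the "our own network" check, and then applies the ICMP-broadcast, UDP-echo, multicast and offered-services rules in order. The protected prefix 192.0.2.0/24, the set of offered services and the dictionary packet shape are assumptions of the example.

```python
import ipaddress

# Constructed: the protected network's own prefix (used for the spoofing check
# and for the directed broadcast address)
OUR_NETWORK = ipaddress.ip_network("192.0.2.0/24")
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")

# Source ranges that must never appear on packets arriving from outside
BOGON_SOURCES = [
    ("illegal source", ipaddress.ip_network("0.0.0.0/8")),
    ("loopback", ipaddress.ip_network("127.0.0.0/8")),
    ("reserved (RFC 1918)", ipaddress.ip_network("10.0.0.0/8")),
    ("reserved (RFC 1918)", ipaddress.ip_network("172.16.0.0/12")),
    ("reserved (RFC 1918)", ipaddress.ip_network("192.168.0.0/16")),
    ("multicast", ipaddress.ip_network("224.0.0.0/4")),
    ("broadcast", ipaddress.ip_network("255.255.255.255/32")),
    ("spoofed own network", OUR_NETWORK),
]

UDP_ECHO_PORT = 7
USE_MULTICAST = False
# Constructed: the only services this network offers to the Internet
OFFERED_SERVICES = {("tcp", 80), ("tcp", 443), ("udp", 53)}

def source_violation(src):
    """Return why a source address must be dropped on the external
    interface, or None if it is acceptable."""
    addr = ipaddress.ip_address(src)
    for reason, net in BOGON_SOURCES:
        if addr in net:
            return reason
    return None

def ingress_decision(pkt):
    """pkt = {"src", "dst", "proto", "dport"}; returns ("allow"|"drop", reason).
    Rules are applied in the order the text lists them."""
    reason = source_violation(pkt["src"])
    if reason:
        return ("drop", reason)
    dst = ipaddress.ip_address(pkt["dst"])
    if pkt["proto"] == "icmp" and dst in (OUR_NETWORK.broadcast_address, LIMITED_BROADCAST):
        return ("drop", "icmp broadcast")
    if pkt["proto"] == "udp" and pkt.get("dport") == UDP_ECHO_PORT:
        return ("drop", "udp echo")
    if dst.is_multicast and not USE_MULTICAST:
        return ("drop", "multicast not in use")
    if pkt["proto"] in ("tcp", "udp") and (pkt["proto"], pkt.get("dport")) not in OFFERED_SERVICES:
        return ("drop", "service not offered")
    return ("allow", None)

if __name__ == "__main__":
    # constructed sample packets as they would arrive on the external interface
    samples = [
        {"src": "10.1.2.3", "dst": "192.0.2.10", "proto": "tcp", "dport": 80},
        {"src": "192.0.2.9", "dst": "192.0.2.10", "proto": "tcp", "dport": 80},
        {"src": "203.0.113.5", "dst": "192.0.2.255", "proto": "icmp"},
        {"src": "203.0.113.5", "dst": "192.0.2.10", "proto": "udp", "dport": 7},
        {"src": "203.0.113.5", "dst": "192.0.2.10", "proto": "tcp", "dport": 80},
    ]
    for p in samples:
        print(p["src"], "->", p["dst"], p["proto"], ingress_decision(p))
```

The source-address checks come first because a packet with an impossible source tells the defender something on its own, whichever service it was aimed at; logging the reason string alongside the drop is what makes the list useful beyond enforcement.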

Access control list

An access control list (ACL) is an ordered list of rules associated with the
resources of an information system that determines which users or processes
can access them and which operations they can perform (in short:
permissions). Resources can also be information (data). Each rule, called an
access control entry (ACE), expresses one or more conditions or properties
of the object to be evaluated (e.g. the source address of an IP packet) and,
if these conditions are met, indicates which decision to take (e.g. pass the
packet or discard it). Evaluation starts from the first rule: if its
conditions are met, the decision or policy established for that rule is
applied; otherwise evaluation continues in the same way with the following
rules. If no rule matches, a default decision or policy is applied.
Alternatively, permissions can be associated with the processes or users,
defining which resources can be accessed and how, in a capability list
(C-list); in this case we speak of capabilities, which constitute a
privilege domain for the process or user and generally take precedence over
the permissions associated with the objects themselves.

Example on a GNU/Linux router

# default policy for forwarded traffic: drop everything not explicitly accepted
iptables --policy FORWARD DROP
# rules are evaluated in order; the first match decides
iptables -A FORWARD --source 192.168.0.5 -j DROP
iptables -A FORWARD -p tcp -m tcp --destination-port 500 --destination 192.168.4.1 -j ACCEPT
iptables -A FORWARD --source 10.0.5.0/24 -j DROP
iptables -A FORWARD ! --protocol tcp -j DROP

Example on a Cisco router

access-list 100 deny ip host 192.168.0.5 any
access-list 100 permit tcp any gt 500 host 192.168.4.1
access-list 100 deny ip any 10.0.5.0 0.0.0.255
access-list 100 deny tcp any any
! access-list 100 deny ip any any   (implicit rule: every access list ends with it)
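To make the first-match evaluation and the implicit final deny concrete, here is an added example (not from the original text and not Cisco's code) that parses the four `access-list 100` lines above and evaluates sample packets against them. It supports only the IOS extended-ACL syntax used on this page: `any`, `host A.B.C.D`, `address wildcard` (wildcard bit 1 = don't care), and an optional `eq`/`gt`/`lt` port operator attached to the address it follows, so `any gt 500` is a source-port condition. The sample packet addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class ACE:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" (any protocol), "tcp", "udp", "icmp"
    src: tuple                   # (address as int, wildcard as int)
    src_port: Optional[tuple]    # (operator, port) or None
    dst: tuple
    dst_port: Optional[tuple]

def _addr_spec(tokens, i):
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W' starting at tokens[i]."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (int(ipaddress.ip_address(tokens[i + 1])), 0), i + 2
    return (int(ipaddress.ip_address(tokens[i])),
            int(ipaddress.ip_address(tokens[i + 1]))), i + 2

def _port_spec(tokens, i):
    if i < len(tokens) and tokens[i] in ("eq", "gt", "lt"):
        return (tokens[i], int(tokens[i + 1])), i + 2
    return None, i

def parse_ace(line):
    t = line.split()
    if t[0] != "access-list":
        raise ValueError("not an access-list line: " + line)
    action, proto = t[2], t[3]            # t[1] is the list number, not needed here
    src, i = _addr_spec(t, 4)
    sport, i = _port_spec(t, i)
    dst, i = _addr_spec(t, i)
    dport, i = _port_spec(t, i)
    return ACE(action, proto, src, sport, dst, dport)

def _addr_match(spec, addr):
    base, wildcard = spec
    # bits set in the wildcard are ignored; the rest must be equal
    return ((int(ipaddress.ip_address(addr)) ^ base) & ~wildcard & 0xFFFFFFFF) == 0

def _port_match(spec, port):
    if spec is None:
        return True
    op, value = spec
    return {"eq": port == value, "gt": port > value, "lt": port < value}[op]

def evaluate(acl, pkt):
    """First-match evaluation. Returns (action, index of the matching ACE),
    or ("deny", None) for the implicit 'deny ip any any' at the end."""
    for idx, ace in enumerate(acl):
        if ace.proto != "ip" and ace.proto != pkt["proto"]:
            continue
        if not (_addr_match(ace.src, pkt["src"]) and _addr_match(ace.dst, pkt["dst"])):
            continue
        if ace.proto in ("tcp", "udp") and not (
                _port_match(ace.src_port, pkt.get("sport", 0))
                and _port_match(ace.dst_port, pkt.get("dport", 0))):
            continue
        return ace.action, idx
    return "deny", None

# the access list from the text
ACL_100 = [parse_ace(line) for line in (
    "access-list 100 deny ip host 192.168.0.5 any",
    "access-list 100 permit tcp any gt 500 host 192.168.4.1",
    "access-list 100 deny ip any 10.0.5.0 0.0.0.255",
    "access-list 100 deny tcp any any",
)]

if __name__ == "__main__":
    # constructed sample packets
    for pkt in (
        {"src": "192.168.0.5", "dst": "192.168.4.1", "proto": "tcp", "sport": 1024, "dport": 500},
        {"src": "203.0.113.5", "dst": "192.168.4.1", "proto": "tcp", "sport": 1024, "dport": 500},
        {"src": "203.0.113.5", "dst": "10.0.5.7", "proto": "udp", "sport": 5000, "dport": 53},
        {"src": "203.0.113.5", "dst": "192.168.4.1", "proto": "udp", "sport": 5000, "dport": 53},
    ):
        print(pkt["src"], "->", pkt["dst"], pkt["proto"], evaluate(ACL_100, pkt))
```

The first sample packet shows why order matters: it would be permitted by the second entry, but the first entry matches first and denies it. The fourth matches no entry at all and falls through to the implicit deny, which is why an ACL that lists only deny entries blocks everything.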


DMZ

A demilitarized zone (DMZ) is an isolated physical or logical subnet that
contains the IT services offered by a company, accessible both from
external, non-protected networks (WAN) and from workstations within the
company itself (intranet), whose purpose is to make these services usable
as safely as possible without compromising the security of the company
network. The name derives, in the military and territorial sense of the
term, from the "demilitarized zone", an area between nation states in which
no military operation is allowed, i.e. a zone seen as belonging to neither
neighbouring side. This metaphor applies to the computer field because a
DMZ works like a small isolated network positioned between the Internet and
the internal network. The aim of the DMZ is to add a further level of
security to a local business network, so that a node belonging to an
external network can access only the services provided, without
jeopardizing or compromising the security of the entire network. If one of
the machines in the DMZ is subjected to an IT attack, the rest of the
network is not affected. For those who connect from outside the
organization, the DMZ is in effect a sort of "dead end". These hosts are
placed in a zone such as the DMZ because they are the ones that provide
services to both internal and external users of the local network, and
precisely because of the potential increase in attacks on services such as
e-mail, Web and Domain Name System (DNS) servers, which are placed in this
zone. A DMZ can be created by defining distinct policies on one or more
firewalls. Intermediate firewalls typically control traffic between the
servers in the DMZ and the internal and external clients. Connections from
external networks to the DMZ are usually controlled by a type of NAT called
"port forwarding" or "port mapping", implemented on the system acting as a
firewall, which is typically a packet filter. A DMZ configuration provides
security from external attacks, but generally has no effect on internal
attacks such as sniffing communications with a packet analyzer or spoofing
attacks. Any network service that can be offered to external and internal
network users can be placed in the DMZ. The most common of these services
are:
0. Web server
0. Email server
0. FTP server
0. DNS server
A DMZ can be designed in different ways depending on the needs and the
network requirements, and is typically a solution adopted by large
companies. The two most common designs are the single-firewall
configuration, also known as the three-legged model, and the double-firewall
configuration. These architectures can be expanded to create very complex
architectures depending on network requirements.

Single firewall

The network has a single firewall with at least three network interfaces,
which respectively provide a link to:
0. the external network, from which the Internet requests arrive via a
router (WAN);
0. the internal network in which the workstations are located (intranet);
0. the DMZ that contains the servers offered.
The firewall that manages everything becomes the single point of failure
for the security of the entire network and must be able to handle all the
traffic going to the DMZ and to the internal network. It is a less safe
configuration precisely because there is only one firewall.
Double firewall

A more secure approach is to use two firewalls to create a DMZ. The
configuration consists of a first, external firewall as the first line of
defense, which must be configured to allow only traffic destined for the
DMZ, and a second, internal firewall that only allows traffic from the DMZ
to the internal network. The presence of two firewalls is an additional
security for the internal network, because instead of a single checkpoint
there are two. There is even more protection if the two firewalls come from
two different vendors, because it is less likely that both devices suffer
from the same security vulnerabilities. One of the disadvantages of this
architecture is that it is more expensive, both to buy and to manage. The
practice of using firewalls from different suppliers is sometimes described
as a component of a "defense in depth" security strategy. From a topological
point of view there is a further distinction, between an "in line" double
firewall configuration and a "T" configuration. In the first case there is
an external firewall and an internal firewall, and the DMZ lies in the zone
between the two; in the second case there is a first, external firewall
connected to a switch from which two links depart, each protected by an
internal firewall that acts as a barrier to the workstations and to an area
in which the company data resides.
DMZ host

Some home routers incorrectly refer to the configuration of an exposed host
as a "DMZ". The user can specify the IP address of a computer on the
internal network to which all packets arriving from the Internet that
cannot be assigned to another recipient via the NAT table are forwarded.
This makes that host accessible from the Internet, including to potential
attackers. Forwarding only the ports actually used is preferable where
possible: port forwarding is the operation that directs the traffic arriving
at one or more of the router's ports to a given network node, and lets a
user connecting from outside reach the network resource associated with
that port without filters that slow down or complicate the exchange of
data.
VPN

A VPN (virtual private network) is a private telecommunications network
established between parties that use, as transport technology, a public and
shared transmission protocol such as the Internet. The purpose of a VPN is
to offer companies, at a lower cost, the same possibilities as private
leased lines while exploiting public shared networks: a VPN can therefore
be seen as the geographical extension of a secure local private network that
connects the company's internal sites spread over a wide territory,
exploiting IP routing for transport on a geographic scale and realizing a
WAN that is "virtual" and "private", equivalent to a dedicated physical
network infrastructure (that is, one with physical connections). The term
VPN is a generic term that defines the idea, not a trademark or a standard;
in particular, no entity regulates the naming of a product as a VPN, so each
producer can use the name as it likes. However, there are a number of
widely recognized independent bodies, such as ICSA Labs, that certify
interoperability (the ability of a computer system or product to cooperate
and exchange information with others) and the security of information
systems. An appliance or piece of software that bears the ICSA Labs mark
for IPsec VPNs has passed a series of objective and replicable examinations
that guarantee compatibility with all other certified implementations and an
adequate level of security. It is now common opinion that a properly
designed VPN has a degree of security comparable to, if not greater than,
that of a dedicated network. By means of a VPN, using an Internet
connection (or even a radio link), it is for example possible to connect
remotely (that is, from outside) to the IT network of one's company. In
simplified terms: via a VPN connection you can "connect" from a client as if
you were physically wired in (on a wired or wireless network). The
connection takes place through a "virtual" tunnel (protected and secure)
carried by the Internet, exactly like the usual physical cable. In this way
the usual network resources can be used: folders, management information
systems, corporate e-mail and so on. Beyond the company example, this
applies to any application in which a remote network connection is
required. By way of example, a university institute can activate a VPN to
allow its students to consult from home the publications to which it has
subscribed; as long as the user has the VPN service active, all his requests
pass through the institute's servers, as if the connection were made
locally, thus obtaining access to reserved subscription services; at the
same time, the user is also subject to the operator's policies, which can
for example encrypt the server-user connection or inhibit certain protocols
such as P2P, or access to websites on a black list. VPNs can be implemented
through common operating systems (Windows, Linux, Android, iOS, MacOS and
MS-DOS) or through third-party software (for example the Cisco VPN Client)
that allows more complex and manageable configurations. Generally a VPN
spans two parts: a protected one, internal to the private network, which
preserves the transmission, and a less reliable and secure one, external to
the network, for example the Internet. VPNs use connections that require
authentication in order to grant access only to authorized users; to ensure
that data sent over the Internet is not intercepted or used by unauthorized
parties, they use encryption. Secure VPNs therefore adopt protocols that
encrypt the traffic passing through the virtual network. In addition to
encryption, a secure VPN must include in its protocols mechanisms that
prevent security breaches such as digital identity theft or the alteration
of messages. In a VPN there is typically a firewall between the employee's
or client's computer and the network or server terminal. When establishing
the connection with the firewall, the employee, for example, must be
verified through an internal authentication service before transmitting
data. An authenticated user can be granted special privileges to access
resources that are generally not accessible to all users. Most client
programs require all VPN IP traffic to pass through a "virtual tunnel"
between the networks, using the Internet as the means of connection. From
the user's point of view this means that, while the VPN connection is
active, all accesses outside the secure network must pass through the same
firewall as if the user were physically connected to the secure network.
This reduces the risk that external users can access the company's private
network. The most exploited tool in this sense is tunneling, that is, the
transmission of data through a network made private, meaning that the
routing nodes of the public network are not able to perceive that the
transmission is part of a hidden network; it therefore allows the public
network to be used to transport data on behalf of clients authorized to
access the private network, ensuring that end-to-end communication between
users remains, at the logical level, confined within the private network
itself. Generally, tunneling is achieved by encapsulating the data and its
protocol in the public network protocol, so that the data passing through
the tunnel is not understandable to third parties who may examine the
transmitted data. The security of the VPN connection is of paramount
importance, because the network on which the other computers are working
may be insecure or only partially secure. The VPN must therefore ensure a
level of security that protects the computers of employees working
simultaneously on the same network, one of which may have been infected by
a virus, a worm or a Trojan.

User authentication

The nature of the VPN, which makes private data transit over public
networks, requires attention to potential threats to the data and to the
impact of data loss. A VPN addresses these threats by offering security
services in the realm of authentication, the process of making sure that a
client or system is actually who it claims to be. There are many
authentication mechanisms, but the most used are based on:
0. something you know (an identifier, such as a password or PIN);
0. something you have (a computer-readable token, such as a smartcard);
0. something you are (the retina or fingerprints).
Login and password are generally considered weak authentication, while
strong authentication is obtained by combining two different types of
authentication. The actual level of security obviously depends on the
context: a smartcard, for example, can be stolen, while access credentials
can be hard to discover. Stolen or lost security data may allow multiple
attacks and call for multiple authentication schemes. No technique offers
complete authentication security, not even biometric ones (fingerprints,
voice prints and retina mapping).

Benefits for companies


A well-structured VPN can offer great benefits to a company:
0. extends geographic connectivity;
0. improves security where data lines have not been encrypted;
0. reduces transaction costs;
0. reduces transit time and transportation costs for remote customers;
0. simplifies the network topology, at least in certain scenarios;
0. provides the possibility of global networks;
0. provides network support;
0. provides compatibility with broadband networks;
0. provides a faster return on investment than traditional WAN (Wide
Area Network) lines;
0. shows good economies of scale.
Since a VPN extends the "main network" to a multitude of devices, some
aspects of its security implementation require special attention:
0. security towards the client must be tightened and strengthened (this
is decided by central administration and security policy enforcement),
i.e. a company that needs every employee to use the VPN outside the
offices must first of all install a certified firewall (some
organizations with particularly sensitive data require employees to use
two different WAN connections: one to work on sensitive data and the other
for all other uses);
0. the scope of access to the target network must be limited;
0. logging policies must be evaluated and in most cases revised.
In situations where companies or individuals have legal obligations to keep
information confidential, there may be legal or criminal consequences. Two
examples are the HIPAA regulations in the United States with regard to
secure data, and the European Union's general regulations that apply to all
commercial and accounting information and extend to those who share this
data.

Trusted VPN

The guarantee offered by a Trusted VPN is the assurance that no
unauthorized third party can take advantage of the customer's circuit. This
implies that the customer has his own IP address and his own security
policy. The circuit travels through one or more communication "switches"
that could be compromised by someone who wants to disturb the network
traffic. The customer of a VPN therefore expects the VPN provider to
maintain the integrity of the circuit to prevent intruder access. Companies
that use a Trusted VPN want to be sure that their data moves through a
series of paths that have specific properties and are controlled by an ISP
(Internet Service Provider). The customer therefore trusts that the paths
through which the data moves are kept secure according to the criteria of a
prior agreement, even though the customer generally does not know which
paths the Trusted VPN provider uses. More recently, service providers have
begun to offer a new type of Trusted VPN, this time using the Internet
instead of the telephone network as the communication substrate. These new
Trusted VPNs do not offer security, but give customers a way to easily
create large-scale network segments (WANs). Trusted VPN segments can also
be controlled from a single place, often with a quality of service (QoS)
guarantee from the provider.
Requirements:
0. No one outside the Trusted VPN provider can affect the creation or
modification of the VPN path.
0. No one outside the relationship of trust can change any part of the
VPN.
0. No one outside the Trusted VPN provider can change data entering, or
delete data from, the VPN path.
0. The data travels along paths that are shared by multiple customers of
the provider; the path must therefore be specified by the VPN, and no one
apart from the trusted provider can change the data.
0. The path and address used in a Trusted VPN must be established before
the VPN is created.
0. The customer must know what is expected of the supplier, so that both
can plan and create the network on which they are collaborating.
Secure VPN

Since the Internet has spread and has become an important means of
communication, security is at the same time becoming increasingly
important, both for customers and for providers. Since these VPNs did not
offer complete security, connectivity providers began to create protocols that
allow data to be encrypted by the network or by the source computer, so that it
can be transported over the Internet like any other data and then be
decrypted on arrival in the company network or in the receiving computer.
This encrypted traffic acts as a "tunnel" between two networks: even if an
intruder tried to read the data, he could not decrypt the contents or modify
them, since any changes would be immediately detected by the recipient and
therefore rejected. Networks built using data encryption are called Secure
VPN. The main reason why companies use a Secure VPN is that they can
transmit sensitive information over the Internet without fear of being
intercepted. Secure VPNs are particularly useful for allowing remote access
by users connected to the Internet from areas not controlled by the network
administrator.
Requirements:
1. All traffic on a Secure VPN must be encrypted and authenticated.
2. Many of the protocols used to create Secure VPNs allow the creation
of authenticated, but not encrypted, networks.
3. Even if such a network is more secure than a network without
authentication, it cannot be considered a VPN because it does not
protect privacy.
4. The security properties of a VPN must be agreed by all parties of the
VPN.
5. Secure VPNs have one or more tunnels and each tunnel has two
ends.
6. Administrators at each end of each tunnel must be able to agree on
the tunnel's security properties.
7. No one outside the VPN can compromise the security properties of
the VPN.
8. It must be impossible for an intruder to change the security
properties of one or more parts of the VPN in order to weaken the
encryption or compromise the encryption keys used.

Hybrid VPN

A Secure VPN can be used as part of a Trusted VPN by creating a third type
of VPN, recently introduced on the market. The secure parts of a Hybrid
VPN can be controlled by a customer or by the same provider that provides
the trust part of the Hybrid VPN. Sometimes an entire Hybrid VPN is made
secure thanks to a secure VPN, but most commonly only a part of the Hybrid
VPN is secure. It is clear that Secure VPNs and Trusted VPNs have very
different properties:
1. Secure VPNs provide security, but do not secure routes;
2. Trusted VPNs ensure the properties of paths such as QoS, but not
intrusion security.
Because of these strengths and weaknesses, the Hybrid VPNs have been
introduced. However, the usage scenarios are still evolving. A typical
situation for deploying a Hybrid VPN is when a company already has a
Trusted VPN and wants security on a part of the VPN. However, none of the
Trusted VPN technologies prevents the creation of Hybrid VPN and some
manufacturers are building systems that explicitly support the creation of
Hybrid VPN services.
Requirements:
1. The border addresses between the Secure VPN and the Trusted VPN
must be extremely clear.
2. In a Hybrid VPN the Secure VPN should be a subset of the Trusted
VPN. For each pair of data addresses in a Hybrid VPN the VPN
administrator must be able to know for sure whether the traffic between
the two addresses is part of the Secure VPN.
The protocols that implement a more secure VPN are:
1. IPsec (IP security), commonly used on IPv4 (a mandatory part of
IPv6).
2. Point-to-point tunneling protocol (PPTP), developed by Microsoft.
3. SSL / TLS, used both for tunneling the entire network, as in the
OpenVPN project, and to secure what is essentially a web proxy. SSL
is a framework, very often associated with electronic commerce, which
has proved to be very flexible and is therefore used as a security layer
for various (more or less standard) implementations of virtual private
networks.
4. VPN Quarantine: the machine of the VPN terminal client could be a
source of attack, independently of the VPN design. There are
solutions that provide Quarantine VPN services that check the remote
computer. The client is kept in quarantine until the infection has
been removed.
5. MPVPN (Multi Path Virtual Private Network), a registered
trademark owned by the Ragula System Development Company.
6. ISPs now offer a VPN service for companies that want the
security and convenience of a VPN. In addition to providing remote
employees with secure access to the internal network, other security
and management services are sometimes included. These mechanisms
do not themselves implement a virtual network, but only a secure
conversation between two terminals. In these cases the virtual network
mechanism must be implemented by means of a special protocol which
is then encapsulated.
TLS protocol

Transport Layer Security (TLS) and its predecessor Secure Sockets Layer
(SSL) are cryptographic protocols of the presentation layer that allow secure
communication from the source to the recipient (end-to-end) over TCP / IP
networks (such as the Internet), providing authentication, data integrity and
confidentiality and operating above the transport level.
Several versions of the protocol are widely used in applications such as
browsers, e-mail, instant messaging and voice over IP. An example of the
application of SSL / TLS is the HTTPS protocol. The TLS protocol allows
client / server applications to communicate across a network in such a way as
to prevent tampering, forgery and interception of data. It is a
standard IETF protocol that, in its latest version, is defined in RFC 5246,
developed on the basis of the previous SSL protocol by Netscape
Communications. In the typical use of a browser by an end user, TLS
authentication is one-sided: only the server authenticates itself to the
client (ie, the client knows the identity of the server, but not vice versa: the
client remains anonymous and unauthenticated towards the server). Server
authentication is very useful for navigation software and for the user. The
browser validates the server certificate by checking that the digital signature
of the server certificates is valid and recognized by a known certificate
authority using a public key encryption. After this authentication the browser
indicates a secure connection usually showing a lock icon. This
authentication, however, is not sufficient to ensure that the site with which
you are connected is the one required. To be sure it is necessary to analyze
the content of the certificate issued and check the certification chain. Sites
wishing to deceive the user cannot use the certificate of the site they want to
impersonate, because they are not able to produce a valid certificate,
which embeds the address, for that destination.
Only CAs can generate valid certificates with an embedded URL so that the
comparison between the apparent URL and that contained in the certificate
can provide a reliable method for identifying the site. Very often this
mechanism is not known to internet users and causes various frauds due to
incorrect use of the browser, not to a weakness of the TLS protocol. The TLS
protocol also allows for bilateral authentication, typically used in business
applications, in which both parties authenticate themselves securely by
exchanging their certificates. This authentication (called mutual
authentication) requires that the client also has its own digital certificate
which is very unlikely in a normal scenario. In the absence of a bilateral
authentication, the TLS-PSK or Secure remote password (SRP) protocols can
be used to ensure secure authentication in the absence of a certificate.

Functioning

The operation of the TLS protocol can be divided into three main phases:
1. Negotiation between the parties of the algorithms to be used
2. Key exchange and authentication
3. Symmetric encryption and message authentication
In the first step, the client and server negotiate the encryption protocol that
will be used in secure communication, the key exchange protocol and the
authentication algorithm as well as the Message authentication code (MAC).
The key exchange algorithm and the authentication algorithm are usually
public key algorithms or, as in the case of TLS-PSK, they use a pre-shared
key (Pre-Shared Key). The integrity of the messages is guaranteed by a hash
algorithm that uses an HMAC construct for the TLS protocol or a non-
standard pseudorandom function for the SSL protocol.
Within a session, the following algorithms are typically used:
1. For key exchange: RSA, Diffie-Hellman, ECDH, SRP, PSK
2. For authentication: RSA, DSA, ECDSA
3. For symmetric encryption: RC4, DES, Triple DES, AES, IDEA or
Camellia. In older versions of SSL the RC2 cipher was also used.
4. For cryptographic integrity functions, hash functions are usually
used: HMAC-MD5 or HMAC-SHA are used in TLS, while in SSL
MD5 and SHA. In older versions of SSL, MD2 and MD4 were also
used.
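The third phase above (message authentication with an HMAC construct) and the Secure VPN property stated earlier, that any change to protected data is immediately detected and rejected by the recipient, both come down to the same check. The following added example, which is not code from the page, models it with HMAC-SHA256 in the style of the TLS record layer: the tag binds a sequence number and the record length, so tampering, replay under another sequence number and truncation are all rejected. The key and the records are constructed for the demo, and the construction is a simplified model rather than the real record layer.

```python
"""Integrity protection of a record with an HMAC (added example, simplified
model of the TLS record-layer check; key and records are constructed)."""
import hashlib
import hmac
import struct
from typing import Optional

TAG_LEN = 32  # HMAC-SHA256 tag length in bytes


def _mac_input(seq: int, payload: bytes) -> bytes:
    """Bind the 64-bit record sequence number and the payload length into the
    MAC input, so that a replayed, reordered or truncated record is rejected."""
    return struct.pack("!QH", seq, len(payload)) + payload


def protect(mac_key: bytes, seq: int, payload: bytes) -> bytes:
    """Append an HMAC-SHA256 tag to the payload. This gives authentication
    only, no confidentiality: the payload itself still travels in clear."""
    tag = hmac.new(mac_key, _mac_input(seq, payload), hashlib.sha256).digest()
    return payload + tag


def verify(mac_key: bytes, seq: int, record: bytes) -> Optional[bytes]:
    """Return the payload if the tag verifies for this sequence number, else
    None. The receiver must discard, not process, a record that returns None."""
    if len(record) < TAG_LEN:
        return None
    payload, tag = record[:-TAG_LEN], record[-TAG_LEN:]
    expected = hmac.new(mac_key, _mac_input(seq, payload), hashlib.sha256).digest()
    # compare_digest runs in constant time, so response timing does not leak
    # how many leading bytes of a forged tag were correct
    if not hmac.compare_digest(tag, expected):
        return None
    return payload


def demo() -> dict:
    """Exercise the checks with a constructed key and record."""
    key = hashlib.sha256(b"constructed demo key, not a real secret").digest()
    record = protect(key, 7, b"GET /balance HTTP/1.1")
    tampered = bytearray(record)
    tampered[4] ^= 0x01  # flip one bit of the payload in transit
    return {
        "accepted": verify(key, 7, record) == b"GET /balance HTTP/1.1",
        "tampered_rejected": verify(key, 7, bytes(tampered)) is None,
        "replay_rejected": verify(key, 8, record) is None,  # wrong sequence number
        "wrong_key_rejected": verify(b"other key", 7, record) is None,
        "truncated_rejected": verify(key, 7, record[:-1]) is None,
    }


if __name__ == "__main__":
    print(demo())
```

Real TLS derives the MAC key from the handshake and combines the tag with encryption (or uses an AEAD cipher); the point shown here is only the integrity check and why the sequence number belongs inside it.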
SSLv2 did not use RSA. There is a vulnerability in which an attacker can
repeatedly attempt to connect using SSLv2, each time obtaining some
cryptographic key information. Some clients, in addition to support for TLS,
have maintained support for the previous SSLv2 over the years, without
disabling it; IIS, the Microsoft web server, since version 7.0, and OpenSSL
since version 1.0.2g (March 2016) disable SSLv2 by default.

STARTTLS

STARTTLS is the evolution of TLS; it differs in that it allows the connection
to be encrypted also on the original or standard ports, ie 110, 143 and 25. In
this case the client that uses this protocol first asks the server to establish an
encrypted connection, so the session starts "in clear" and then becomes
encrypted before any sensitive or potentially sensitive information is
transmitted.
HTTPS

The HyperText Transfer Protocol over Secure Socket Layer (HTTPS), (also
known as HTTP over TLS, HTTP over SSL and HTTP Secure) is a protocol
for secure communication through a computer network used on the Internet.
The port used in general (but not necessarily) is 443. This system was
designed by Netscape Communications Corporation, which deals with
authentication and encrypted communications and is widely used in the
World Wide Web for situations that require special security needs such as
payment of online transactions. In this case SSL guarantees the encryption of
data sent and received on the internet. HTTPS consists in the communication
through the HTTP protocol (HyperText Transfer Protocol) inside a
connection encrypted by the Transport Layer Security (TLS) or its
predecessor, Secure Sockets Layer (SSL). The principle behind HTTPS is to
have:
1. authentication of the website visited
2. privacy protection
3. integrity of the data exchanged between the communicating parties.
It is the result of the application of an asymmetric cryptographic protocol to
the HTTP hypertext transfer protocol. It is used to guarantee confidential data
transfers on the web, in order to prevent the interception of contents. In its
popular operation on the Internet, HTTPS provides authentication of the
website and associated web server with which one of the parties is
communicating, protecting communication from known attacks through the
man in the middle technique. Moreover, HTTPS provides a bidirectional
encryption of communications between a client and a server, which protects it
against possible eavesdropping operations, (action by which the private
conversation between the parties is secretly listened to without their consent)
and tampering (literally tampering or alteration of the communication)
falsifying its contents. In practice, this mechanism provides a satisfactory
assurance that one is communicating exactly with the desired website (as
opposed to a fake site), as well as ensuring that the contents of
communications between the user and the website cannot be intercepted or
altered by third parties. Historically, HTTPS connections were used primarily
for payments in transactions on the World Wide Web, e-mail and for
sensitive transactions within corporate information systems. In the late 2000s
and early 2010s, HTTPS began to be widely used to protect
the authenticity of web pages, the security of user accounts and to keep
the user's communications, identity and web browsing private.

Description

In web browsers, the URI (Uniform Resource Identifier) that refers to this
technology uses the https scheme and is in all respects similar to an http
URI. However, HTTPS tells the browser to use the additional SSL / TLS
encryption layer to protect internet traffic. SSL / TLS is particularly suitable
for the HTTP protocol, since it can provide some protection even if only one of
the communicating parties is authenticated. This is the case with HTTP in
Internet transactions, where the server is typically the only party to be
authenticated, while the client examines the server's certificate. HTTPS takes
care of creating a secure communication channel over an insecure computer
network. This ensures acceptable protection from eavesdroppers (prying
listeners) and man-in-the-middle attacks, provided proper communication
encryption is used and that the server certificate is verified and trusted. In
HTTPS the HTTP protocol runs entirely on top of Transport Layer Security;
for this reason the whole HTTP exchange can be encrypted. The encrypted
part of the HTTP exchange includes:
1. the URL request (the web page that was requested)
2. the query parameters
3. the connection headers
4. cookies (which often contain information on the user's identity)
However, because host IP addresses (websites) and port numbers are part of
the underlying TCP / IP protocols, HTTPS can not protect their disclosure. In
practice, it means that even if a web server is correctly configured, the
eavesdropper can deduce the IP address and the port number (sometimes
even the domain name, for example "www.example.org", but not the rest of
the URL) of the web server with which you are communicating, in addition to
the amount of data transferred and the duration of the communication
(session length), but not the content of the communication. Web browsers
know how to trust HTTPS websites based on authority certificates that come
pre-installed in their software. Certification authorities (such as Symantec,
Comodo, GoDaddy and GlobalSign) are trusted by web browser creators to
provide valid certificates for communication purposes. Therefore, a user
should trust an HTTPS connection to a website if and only if all the following
points are verified:
1. The user trusts that the browser software correctly implements the
HTTPS protocol with properly pre-installed authority certificates.
2. The user trusts the certification authority that only guarantees
legitimate websites.
3. The website provides a valid certificate, which means that it has been
signed by a trusted authority.
4. The certificate correctly identifies the website (for example, when
the browser visits "https://example.com", the certificate received is
appropriately the one related to "example.com" and not some other
entity).
5. The user trusts that the encryption level of the protocol (SSL / TLS)
is sufficiently secure against the possible operations of the
eavesdropper.
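The fourth condition above, that the certificate received for "https://example.com" is the one for "example.com" and not for some other entity, is a concrete check the browser performs after chain validation. The following added example, not code from the page or from any browser, implements that name check: the certificate is a constructed dict in the shape returned by Python's ssl.SSLSocket.getpeercert(), and the wildcard rules follow RFC 6125 (wildcard only as the whole leftmost label, matching exactly one label, and nothing as broad as "*.com").

```python
"""Certificate name matching (added example; certificate dicts are
constructed in getpeercert() form, rules per RFC 6125)."""
from typing import Any, Dict, List


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """Compare one dNSName/CN pattern with the requested hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if "*" not in pattern:
        return p_labels == h_labels
    # Wildcard rules: only the whole leftmost label may be "*", it matches
    # exactly one label (so *.example.com does not match a.b.example.com),
    # and patterns as broad as "*.com" are refused.
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False
    if len(p_labels) < 3:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def certificate_names(cert: Dict[str, Any]) -> List[str]:
    """Names the certificate claims: the SAN dNSName entries, or the CN only
    when the certificate carries no dNSName at all (RFC 6125 section 6.4.4)."""
    sans = [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return [value]
    return []


def certificate_matches_host(cert: Dict[str, Any], hostname: str) -> bool:
    """True when the certificate is valid for `hostname`. Chain validation and
    expiry are separate checks that must also pass before trusting the site."""
    return any(_dns_name_matches(name, hostname) for name in certificate_names(cert))


# Constructed certificate in getpeercert() dict form (not a real certificate).
EXAMPLE_CERT: Dict[str, Any] = {
    "subject": ((("countryName", "US"),), (("commonName", "example.com"),)),
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}

# Constructed legacy certificate carrying only a CN and no SAN.
LEGACY_CERT: Dict[str, Any] = {
    "subject": ((("commonName", "legacy.example.org"),),),
}


if __name__ == "__main__":
    for host in ("example.com", "www.example.com", "a.b.example.com", "example.net"):
        print(host, certificate_matches_host(EXAMPLE_CERT, host))
```

The check is deliberately strict in the wildcard cases: a certificate for *.example.com must not be accepted for a.b.example.com, and a CN is consulted only when the certificate has no SAN names, which is why an attacker holding a valid certificate for another name gains nothing by presenting it.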
HTTPS is particularly important over insecure networks (such as public
WiFi access points), since anyone on the same local network can sniff
packets and discover sensitive information that is not protected by HTTPS.
In addition, many are paid to engage in packet injection
within wireless networks in order to serve advertising on the web pages they
deliver, while others do it freely. However, this operation can be
maliciously exploited in many ways, like injecting malware onto web pages
and stealing private information from users. HTTPS is also very important
with connections on the Tor network (acronym of The Onion Router) to
preserve anonymity on the internet, as malicious Tor nodes can damage or
alter the contents that cross them insecurely and inject malware into the
connection. For this reason the Electronic Frontier Foundation (EFF) and the
Tor project have started the development of the HTTPS Everywhere protocol,
which is included in the Tor Browser package. Although more information is
being disseminated regarding mass global surveillance and theft of personal
information from hackers, the use of HTTPS for security on all websites is
becoming increasingly important, regardless of the type of internet
connection used. While the metadata of the individual pages that a user visits
are not sensitive information, when this information is combined together
they can reveal a lot about the user's identity and compromise the privacy
itself. The use of HTTPS also allows the use of the SPDY and HTTP/2
protocols, which are new generations of the HTTP protocol, designed to
reduce loading times and web page latency. It is recommended to use HTTP
Strict Transport Security (HSTS) with HTTPS to protect users from man-in-
the-middle attacks, particularly SSL stripping. HTTPS should not be
confused with the little used Secure HTTP (S-HTTP) protocol described in
the RFC 2660 specification. Most browsers display a warning message if
they receive from the server an invalid certificate, or one not issued by a
recognized certificate authority. Older browsers, when connecting to a website with an
invalid certificate, showed the user a dialog message asking them if they
wanted to continue browsing. The most recent browsers, on the other hand,
display a warning message that covers the entire window, showing the safety
information of the visited site on the browser's address bar. In modern
browsers, extended certificate validation shows the address bar with a green
color. In addition, most browsers display a warning message to the user when
they are visiting a site that contains a mixture of encrypted and unencrypted
content. Firefox uses the HTTPS protocol for Google searches from version
14, with the aim of "protecting our users from the network infrastructure that
can collect data from users or modify / censor their search results". The
Electronic Frontier Foundation has expressed the opinion that: "In an ideal
world, every web request could be transformed by default into an HTTPS
request". For the Google Chrome, Mozilla Firefox (also on
Android) and Opera browsers there is an add-on called "HTTPS Everywhere" which
enables the HTTPS protocol by default for hundreds of websites.

Security
The security of HTTPS is guaranteed by the underlying TLS protocol, which
in practice uses long-term private and public keys to generate short-term
session keys. These keys are used later to encrypt the flow of data exchanged
between client and server. The certificates defined by the X.509 standard are
used to authenticate the server (sometimes even the client). As a result, the
certifying authorities and the public key certificates are necessary in order to
verify the relationship between the certificate and its owner, in addition to
generating the signature and managing the validity of the certificates. While
this may be more beneficial than verifying identities through a web of
trust, the mass surveillance disclosures of 2013 have drawn attention to the
certifying authorities as a potential weak spot for man-in-the-middle attacks. An
important property in this context is forward secrecy, which ensures that
encrypted communications recorded in the past cannot be recovered and
decrypted if long-term encryption keys or passwords are compromised
in the future. Not all web servers provide forward secrecy. A website must be
entirely hosted on the HTTPS protocol, without having some of its contents on
HTTP (for example, scripts loaded over an insecure, cleartext connection), or
the user will be vulnerable to certain attacks and subject to surveillance.
Also having only a certain web page of a site that contains sensitive
information (such as a log-in page) under the HTTPS protocol, but having the
rest of the website loaded over the HTTP protocol in plaintext, will expose the
user to possible attacks. On a website that has sensitive information
somewhere on it, whenever the site is accessed over HTTP instead of HTTPS,
the user and session will be exposed on the network. Likewise, cookies on an
active website using the HTTPS protocol must have the Secure attribute
set.

Difference from HTTP

URLs of the HTTPS protocol start with https:// and use port 443 by default,
while HTTP URLs begin with http:// and use port 80. HTTP is not encrypted
and is vulnerable to man-in-the-middle attacks and eavesdropping, which can
allow attackers to gain access to sensitive website accounts and edit web
pages to inject malware or malicious advertising into them. HTTPS is
designed to withstand these attacks and is considered secure against them
(with the exception of the older, deprecated versions of the
SSL protocol).

Network levels

HTTPS operates at the highest level of the TCP / IP model, the application
level, as does the TLS security protocol (acting as a lower sublayer of the same
level). In practice, between the TCP and HTTP interfaces (transparently to
the user) an encryption / authentication layer such as the Secure Sockets
Layer (SSL) or the Transport Layer Security (TLS) is inserted, which encrypts
the HTTP message before transmission and decrypts the message once arrived at its
destination. Basically, an encrypted communication channel is created
between the client and the server through an exchange of certificates; once
this channel is established, the HTTP protocol for communication is used
within it. Strictly speaking, HTTPS is not actually considered a protocol
separate from HTTP, but refers precisely to the use of the latter through an
SSL / TLS encrypted connection. This type of communication ensures that
only the client and the server are able to know the content of the
communication. Everything in the HTTPS message is encrypted, including
the headers and the request / response payload of the message. With the
exception of the possible CCA cryptographic attack described in the
"Limitations" section below, the attacker can only know that a connection between the
two communicating parties has occurred and can know their domain names
and IP addresses.

Acquisition of certificates

The authoritatively signed certificates can be free or cost between 8 and
70 USD per year. Organizations may also adopt their own certification
authorities, particularly if they are responsible for configuring browsers to
access their sites (for example, sites on a corporate intranet, or major
universities). Such organizations can easily add copies of their signing
certificate to the trusted certificates distributed with the web browser.
Furthermore, there are peer-to-peer certification authorities, such as CACert.
However, the latter is not included in the trusted root certificates of many
popular web browsers (e.g. Firefox, Chrome, Internet Explorer), which may
display warning messages to end users. A certification authority, "Let's
Encrypt" was launched towards the end of 2015 and provides automatic and
free SSL / TLS certificates for websites. According to the Electronic Frontier
Foundation, "Let's Encrypt" will switch from HTTP to HTTPS "as easily as
launching a command, or clicking on a button."

Access control

The system can also be used to authenticate the client in order to restrict
access to the web server to authorized users only. To do this, the site
administrator typically creates a certificate for each user, which is loaded into
the user's browser. Normally, it contains the name and e-mail address of the
authorized user and is automatically checked by the server each time it is
reconnected to verify the user's identity, potentially without entering the
password.

Compromised private key

An important property in this context is perfect forward secrecy (PFS).
Owning the long-term asymmetric private key used to establish an
HTTPS session should not make it easier to derive the short-term session key
and then decrypt the conversation, even at a later time. The Diffie-Hellman
(DHE) and Elliptic curve Diffie-Hellman (ECDHE) key exchanges
have been the only known schemes since 2013 to have the perfect forward
secrecy property. Only 30% of the Firefox, Opera, and Chromium browser
sessions use that property and almost 0% of the sessions of Apple's Safari
browser and Microsoft Internet Explorer. Among the largest internet
providers, only Google has supported PFS since 2011. A certificate can be revoked
before it expires, for example because the private key has been
compromised. The more modern versions of popular browsers such as
Firefox, Opera, and Internet Explorer on Windows Vista implement the
Online Certificate Status Protocol (OCSP): the browser queries the authority,
which responds indicating whether the certificate is still valid or not.

Functioning

HTTPS is a protocol that integrates the HTTP protocol interaction through a
Transport Layer Security (SSL / TLS) encryption mechanism. This technique
increases the level of protection against attacks of the type man in the middle.
The default port for the HTTPS protocol is number 443 (for the HTTP
protocol it is number 80). To set up a web server to accept HTTPS
connections, the network administrator must create a digital certificate or
electronic document that associates a person's identity with a public key.
These certificates can be created from UNIX-based servers with the help of
tools such as ssl-ca from OpenSSL or using gensslcert from SuSE (TinyCA2,
CA.pl, Perl script). These certificates must be issued by a certified authority
or in any case by a system that ascertains the validity of the same in order to
define the true identity of the owner (the web browsers are created in order to
check their validity through a preset list). In particular situations (as for
example in the case of companies with a private intranet) it is possible to
have their own digital certificate that can be issued to their users. This
technology can therefore also be used to allow limited access to a web server.
The administrator often creates a certificate for each user, which is loaded into
their browser and contains information such as their name and e-mail address,
in order to allow the server to recognize the user when the user attempts to
reconnect without entering the username and / or password. For a better degree
of protection of HTTPS connections in the face of man-in-the-middle attacks,
and in particular to cope with the "SSL stripping" technique, it is
recommended to use the HTTP Strict Transport Security, an additional
mechanism of security that forces the use of HTTPS.
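HSTS, recommended above against SSL stripping, works on the client side: once a host has been seen over HTTPS with a Strict-Transport-Security header, the browser rewrites every later http:// reference to that host to https:// before anything is sent. The following added example, which is not code from the page or from any browser, models that logic per RFC 6797 (header parsing, includeSubDomains, expiry, max-age=0 withdrawal, and ignoring the header when it arrives over plain HTTP) and adds the check of the cookie attribute that restricts a cookie to HTTPS, as required in the Security section. Hosts, header values and times are constructed for the demo.

```python
"""Client-side HSTS model and Secure-cookie check (added example; hosts,
headers and timestamps are constructed, not from any real site)."""
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit, urlunsplit


def parse_hsts(value: str) -> Optional[Tuple[int, bool]]:
    """Parse a Strict-Transport-Security value into (max_age_seconds,
    include_subdomains). Returns None for a malformed header (missing or
    duplicated max-age), which the client must ignore."""
    max_age = None
    include_subdomains = False
    for directive in value.split(";"):
        name, _, raw = directive.strip().partition("=")
        name = name.strip().lower()
        raw = raw.strip().strip('"')
        if name == "max-age":
            if max_age is not None or not raw.isdigit():
                return None
            max_age = int(raw)
        elif name == "includesubdomains":
            include_subdomains = True
    if max_age is None:
        return None
    return max_age, include_subdomains


class HstsCache:
    """Known HSTS hosts: host -> (expiry time, includeSubDomains)."""

    def __init__(self) -> None:
        self._entries: Dict[str, Tuple[float, bool]] = {}

    def note_response(self, host: str, over_https: bool,
                      header_value: Optional[str], now: float) -> bool:
        """Record the policy a response carried; True if it was applied. A
        policy seen over plain HTTP is ignored, since an attacker on the path
        could otherwise set or clear it."""
        if not over_https or header_value is None:
            return False
        parsed = parse_hsts(header_value)
        if parsed is None:
            return False
        max_age, include_subdomains = parsed
        host = host.lower()
        if max_age == 0:  # max-age=0 withdraws the policy
            self._entries.pop(host, None)
        else:
            self._entries[host] = (now + max_age, include_subdomains)
        return True

    def should_upgrade(self, host: str, now: float) -> bool:
        """True if `host`, or a parent domain with includeSubDomains, is known."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            entry = self._entries.get(candidate)
            if entry is None:
                continue
            expiry, include_subdomains = entry
            if now >= expiry:  # expired policy: forget it
                del self._entries[candidate]
                continue
            if i == 0 or include_subdomains:
                return True
        return False


def rewrite_url(cache: HstsCache, url: str, now: float) -> str:
    """The upgrade step: an http:// URL to a known HSTS host becomes https://
    before any request is sent, so a stripped link never reaches the network."""
    parts = urlsplit(url)
    if parts.scheme != "http" or parts.hostname is None:
        return url
    if not cache.should_upgrade(parts.hostname, now):
        return url
    netloc = parts.hostname if parts.port in (None, 80) else f"{parts.hostname}:{parts.port}"
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def cookie_is_secure(set_cookie_value: str) -> bool:
    """True if a Set-Cookie value carries the Secure attribute, which keeps
    the browser from sending the cookie over plain HTTP."""
    attributes = [a.strip().lower() for a in set_cookie_value.split(";")[1:]]
    return "secure" in attributes
```

The first visit is still the weak point: until the host is in the cache, a stripped http:// link is followed as-is, which is why the header is only a full defence together with the browsers' preloaded HSTS list or a previous HTTPS visit.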

Limitations

The SSL / TLS protocol is available with two options, simple and mutual. In
the simple version, only the server is responsible for ensuring the security of
communication. The mutual version is more secure, but requires the user to
install a personal client certificate within their browser in order to
authenticate itself. Whatever strategy is used (simple or mutual), the level of
protection strongly depends on the correctness of the implementation of the
web browser, the server software and the actual cryptographic algorithms
supported. SSL / TLS does not prevent the entire site from being indexed
by a web crawler, and in some cases the URI of the encrypted resource can
be inferred by knowing only the size of the intercepted request / response.
This allows an attacker to have access to the plaintext (the publicly
accessible static content) and the ciphertext (the encrypted version of the
static content), enabling a cryptographic attack. Because TLS operates below
the HTTP protocol and has no knowledge of the higher-level protocols, TLS
servers can strictly present only one certificate for a particular combination of
port and IP address. This means that in most cases it is not possible to use
name-based virtual hosting with HTTPS. There is a solution called Server
Name Indication (SNI) that sends the host name to the server before
encrypting the connection, although many older browsers do not support this
extension. Support for SNI is available starting from: Firefox 2, Opera 8,
Safari 2.1, Google Chrome 6 and Internet Explorer 7 on Windows Vista.
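Because SNI is sent before the connection is encrypted, the requested host name sits in clear in the ClientHello: that is what lets the server choose the right certificate for a name-based virtual host, and also what lets any on-path observer (a firewall or monitoring sensor, as much as an eavesdropper) read it. The following added example, not code from the page or from any TLS library, builds a minimal ClientHello purely as test input (zeroed random, two cipher suites, one unrelated extension placed before the SNI so that the parser must walk the extension list) and parses the host name back out; a ClientHello built without extensions, as from the older clients the text mentions, yields no name.

```python
"""SNI extraction from a TLS ClientHello (added example; the ClientHello
builder constructs test input and is not a real client)."""
import struct
from typing import Optional

SNI_EXTENSION = 0x0000
HOST_NAME = 0


def build_client_hello(server_name: Optional[str]) -> bytes:
    """Constructed ClientHello record. With server_name=None it carries no
    extensions at all."""
    if server_name is None:
        extensions_block = b""
    else:
        name = server_name.encode("ascii")
        entry = bytes([HOST_NAME]) + struct.pack("!H", len(name)) + name
        name_list = struct.pack("!H", len(entry)) + entry
        ext_sni = struct.pack("!HH", SNI_EXTENSION, len(name_list)) + name_list
        # signature_algorithms with constructed content, listed first
        ext_other = struct.pack("!HH", 0x000D, 4) + b"\x00\x02\x04\x03"
        extensions = ext_other + ext_sni
        extensions_block = struct.pack("!H", len(extensions)) + extensions
    body = (b"\x03\x03" + bytes(32)                       # version, random (zeroed)
            + b"\x00"                                       # empty session id
            + struct.pack("!H", 4) + b"\x13\x01\x13\x02"    # two cipher suites
            + b"\x01\x00"                                   # compression: null only
            + extensions_block)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name from a ClientHello record, or None when the record
    is not a complete ClientHello or carries no SNI extension."""
    try:
        if record[0] != 0x16:                              # not a handshake record
            return None
        (rec_len,) = struct.unpack("!H", record[3:5])
        handshake = record[5:5 + rec_len]
        if handshake[0] != 0x01:                           # not a ClientHello
            return None
        hs_len = int.from_bytes(handshake[1:4], "big")
        body = handshake[4:4 + hs_len]
        if len(body) != hs_len:                            # truncated capture
            return None
        pos = 2 + 32                                       # skip version + random
        pos += 1 + body[pos]                               # session id
        (cs_len,) = struct.unpack("!H", body[pos:pos + 2])
        pos += 2 + cs_len                                  # cipher suites
        pos += 1 + body[pos]                               # compression methods
        if pos >= len(body):                               # no extensions present
            return None
        (ext_total,) = struct.unpack("!H", body[pos:pos + 2])
        pos += 2
        end = pos + ext_total
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            data = body[pos:pos + ext_len]
            pos += ext_len
            if ext_type != SNI_EXTENSION:
                continue
            (list_len,) = struct.unpack("!H", data[:2])
            q = 2
            while q + 3 <= 2 + list_len:
                name_type = data[q]
                (name_len,) = struct.unpack("!H", data[q + 1:q + 3])
                q += 3
                name = data[q:q + name_len]
                q += name_len
                if name_type == HOST_NAME and len(name) == name_len:
                    return name.decode("ascii")
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


if __name__ == "__main__":
    print(extract_sni(build_client_hello("www.example.com")))
```

Every length field is taken from the message itself and checked against the bytes actually present, so a truncated or malformed capture returns None rather than raising; a parser feeding an allowlist or a log should never trust the declared lengths.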
From an architectural point of view:
1. An SSL / TLS connection is managed by the first visible machine
that starts the TLS connection. If, for some reason (routing, traffic
optimization, etc.), this machine is not the application server and must
decrypt the data, solutions must be found to propagate the user
authentication information or the application server certificate, since the
application server must know who is connecting.
2. For the SSL / TLS version with mutual authentication, the SSL / TLS
session is managed by the first server that initiates the connection. In
situations where encryption needs to be propagated along a server
chain, managing session timeout becomes complicated to implement.
3. With the mutual version of SSL / TLS, security is maximum, but on
the client side there is no way to properly terminate the SSL / TLS
connection and disconnect the user, except by waiting until the server
session expires or by closing all connected client applications.
A sophisticated type of man-in-the-middle attack called SSL stripping was
presented at the 2009 Black Hat conference. This type of attack overcomes the
security provided by the HTTPS protocol by changing an https: link into an
http: link, taking advantage of the fact that few Internet users actually type
"https" in their browser's interface: they reach a secure site by clicking on a
link, and are therefore tricked into thinking they are using HTTPS when they
are actually using HTTP. The attacker then communicates in clear with the
client. This led to the development of an HTTP countermeasure called HTTP
Strict Transport Security (HSTS). In May 2010, an article written by
researchers at Microsoft Research and the University of Indiana revealed that
detailed sensitive user data can be derived from side channels such
as packet size. More specifically, the researchers found that an eavesdropper
can deduce the user's illnesses, medicines and surgeries, family income and
investment secrets, despite the HTTPS protection present in several
high-profile, best-in-class web applications in the fields of health, taxation,
investment and web search. In June 2014, a team of researchers from the
University of California, Berkeley and Intel led by Brad Miller, demonstrated
a generalized approach to HTTPS traffic analysis based on machine learning.
The researchers demonstrated this attack applied to a range of websites,
including Mayo Clinic, Planned Parenthood and YouTube. The attack
assumes that the attacker is able to visit the victim's own web pages to collect
network traffic that serves as training data. The attacker
is subsequently able to identify similarities in the size and ordering of
packets between the victim's traffic and the training traffic, which allows
the attacker to frequently infer the exact webpage the victim is visiting. For
example, this attack could be used to determine if a user who is visiting the
Planned Parenthood website is looking for information on a preventive health
screening or an abortion. Note that the attack cannot be used to find specific
user-specific values embedded in a web page. For example, many banks offer
web interfaces that allow users to view their current account balance. While
the attacker would be able to discover that the user is viewing a page
displaying the account balance, he would not be able to know the exact value
of the account balance or the account number of the user.
SSH

SSH (Secure SHell) is a protocol that allows an encrypted remote session to
be established, via a command line interface, with another host on a computer
network. It is the protocol that replaced its analogous but insecure
predecessor, Telnet. The SSH client has a command line interface similar to
that of telnet and rlogin, but the whole communication (i.e. both the mutual
authentication and the work session) takes place in encrypted form. For this
reason SSH has become the de facto standard for remote administration of UNIX
systems and network devices, making the telnet protocol obsolete, as it is
considered too dangerous for its lack of protection against eavesdropping.
SSH clients and servers are available for many versions of UNIX, GNU/Linux,
macOS and Microsoft Windows. SSH is also available as an administration tool
on some network devices. The Internet Assigned Numbers Authority (IANA) has
assigned TCP and UDP port 22 to the SSH service, although it is still
possible to run an SSH service on other ports not defined by IANA. The syntax
on UNIX-like systems is as follows:
$ ssh [options] username@host [command]
where $ denotes the shell prompt in use. The first version of SSH was
completely open source, while the second version became commercial; however,
there is a free version called OpenSSH, which is based on the first version
but also provides support for the second. The SSH protocol is based on an
architecture that can be represented as three distinct layers: the Transport
Layer Protocol, the User Authentication Protocol and the Connection Layer
Protocol. The division into three independent layers gives the protocol great
flexibility: the logical independence of the layers allows the configuration
of the connection to be modified without having to modify the upper or lower
layers; for example, the compression algorithm can be changed without having
to change the encryption or authentication protocol. It is important to note
that the layers mentioned above bear no relation to the ISO/OSI layers, being
internal layers of the SSH protocol, which in turn sits immediately above the
ISO/OSI transport layer. In fact, the layers within the SSH protocol cover
the top three layers of the ISO/OSI stack, applying a different organization
from the one provided by the standard for networks.

Transport Layer Protocol

The Transport Layer Protocol is the first of the three layers of the SSH
protocol. It contains all the protocols and procedures used in establishing
the encrypted client-server communication channel. Within the Transport
Layer, server authentication, key exchange, encryption, compression and
packet integrity checking are performed. This layer covers part of the
session layer and part of the presentation layer of the ISO/OSI standard.
The connection created normally uses TCP/IP for communication at the network
and transport layers, but is theoretically independent of it. The Transport
Layer checks the integrity of packets, but does not handle the case in which
packets of the connection are lost: in such cases the session is terminated
and must be completely re-established. For this reason, connection-oriented
transport protocols such as TCP are strongly recommended, to prevent packet
loss and the resulting connection closure. Algorithm negotiation is one of
the first steps in establishing an SSH connection. In order to determine
which algorithms to use, the client and the server exchange the lists of
algorithms they support. Each list contains all the available algorithms in
order of preference; the preference order and the set of available
algorithms are determined by the configuration of the client and server
software. Once the lists have been exchanged, the algorithms available on
both machines are chosen, giving precedence to those higher in the order of
preference. If no common algorithm is available, the connection is
terminated. After defining the algorithms to be used, one of the most
important steps in establishing the secure channel is taken: the key
exchange. To guarantee the security and privacy of the communication it is
essential to use a secure key exchange algorithm, since a security hole in
the key exchange would compromise the entire connection. Key negotiation
takes place at the beginning of each connection; to guarantee greater
security, the keys are generally renegotiated every hour or every gigabyte
of data transferred over the connection. The most used key exchange
algorithms are:
- diffie-hellman-group1-sha1
- diffie-hellman-group14-sha1
The two algorithms are variations of the Diffie-Hellman key exchange
algorithm to which server authentication by means of a host key has been
added. Looking at the algorithm identifier strings, one can see that they
differ only in the groupX term: this term identifies the group used to define
the Diffie-Hellman parameters, and these groups are documented in RFC 3526.
The Diffie-Hellman algorithm is regarded as one of the most secure key
exchange methods over an insecure communication channel and is among the
most used algorithms in the world. Because of the large amount of computation
required by the Diffie-Hellman key exchange, the RSA algorithm, which is less
demanding in terms of computing power, can be used on older and less powerful
systems. Server authentication serves to prevent a malicious user from
impersonating the server in order to obtain the user's credentials (spoofing
via a man-in-the-middle attack). For this purpose, an asymmetric key pair is
generated for each server. The private key remains on the server. The public
key must be known to the client, which can obtain the key of a server from
public key archives available on the web or by receiving it directly from the
server during the first connection. Authentication occurs during the
Diffie-Hellman key exchange: the server creates a message encrypted with its
own private key and sends it to the client, which deciphers it with the
server's public key, thereby verifying the identity of the server; if the
message decrypts correctly, the client proceeds with establishing the
connection, otherwise it aborts the procedure. Since only the server should
know the private key, the client is able to determine the identity of the
server it is communicating with. Once a secret key known only to the client
and the server has been defined, a symmetric cipher can be used to encrypt
the communication between the two. A symmetric algorithm uses a single key
both to encrypt and to decrypt information. In a symmetric-key algorithm the
shared key must be established before the connection is initialized, using a
secure method of communicating the key; in SSH this is done with the
Diffie-Hellman algorithm. Symmetric-key algorithms guarantee a high standard
of security at a low cost in terms of computing power (unlike asymmetric-key
algorithms such as RSA). The list of symmetric algorithms that can be used by
the SSH protocol includes:
- 3des-cbc
- blowfish-cbc
- twofish256-cbc
- twofish-cbc
- twofish192-cbc
- twofish128-cbc
- aes256-cbc
- aes192-cbc
- aes128-cbc
- serpent256-cbc
- serpent192-cbc
- serpent128-cbc
- arcfour
- idea-cbc
- cast128-cbc
The most used algorithms are AES and 3DES, available on practically all
computers. It is also possible to select the null encryption algorithm, which
performs no encryption at all; this choice is strongly discouraged as it
would make the whole communication insecure. Having established the
algorithms to be used and exchanged keys with the Diffie-Hellman protocol,
the encrypted connection can be established with the previously chosen
symmetric algorithm. The SSH protocol allows compression algorithms to be
applied to the data flowing through the connection; compression is currently
provided by the zlib library. Integrity checking is the process that verifies
that the data contained in a packet received by one of the two hosts matches
the data sent by the other. This check makes it possible to identify errors
introduced during transmission and, above all, to identify replay attacks by
machines outside the communication. The MAC (Message Authentication Code)
algorithms that can be used in the SSH protocol are:
- hmac-sha1
- hmac-sha1-96
- hmac-md5
- hmac-md5-96
The integrity check is recommended but not required in an SSH connection.
Packet integrity checking is carried out only after the connection's secret
key has been defined; before that point no integrity check can be performed.
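The negotiation described above, as an added example that is not code from any SSH implementation: both sides advertise name-lists in order of preference, the first entry of the client's list that the server also supports wins (the RFC 4253 rule), a category with no common algorithm aborts the connection, and the discouraged null cipher is refused unless explicitly allowed. The preference lists are constructed from the algorithm names given in the text.

```python
# Constructed preference lists built from the algorithm names given in the text;
# in a real deployment the order comes from the client and server configuration.
CLIENT_PREFS = {
    "kex": ["diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"],
    "cipher": ["aes256-cbc", "aes128-cbc", "3des-cbc", "arcfour"],
    "mac": ["hmac-sha1", "hmac-md5"],
}
SERVER_PREFS = {
    "kex": ["diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1"],
    "cipher": ["3des-cbc", "aes256-cbc", "blowfish-cbc"],
    "mac": ["hmac-md5-96", "hmac-sha1"],
}


class NegotiationError(Exception):
    """No common algorithm: the transport must close the connection."""


def choose(client_list, server_list):
    """RFC 4253 rule: the first algorithm in the client's list that the server
    also supports wins, so the client's preference order decides ties."""
    for name in client_list:
        if name in server_list:
            return name
    raise NegotiationError(
        f"no common algorithm: client {client_list} vs server {server_list}")


def negotiate(client_prefs, server_prefs, allow_none_cipher=False):
    """Pick one kex, cipher and MAC. The null cipher is refused unless the
    caller explicitly allows it, since 'none' leaves the whole session in clear."""
    chosen = {cat: choose(client_prefs[cat], server_prefs[cat])
              for cat in ("kex", "cipher", "mac")}
    if chosen["cipher"] == "none" and not allow_none_cipher:
        raise NegotiationError("negotiated the 'none' cipher; refusing to continue")
    return chosen


if __name__ == "__main__":
    # Client preference wins for kex even though the server lists group1 first.
    print(negotiate(CLIENT_PREFS, SERVER_PREFS))
```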

User Authentication Protocol

After creating the secure communication channel, the SSH protocol provides
for user authentication using the methods defined in the User Authentication
Protocol. This layer of the SSH architecture includes the operations required
by the ISO/OSI standard for the session layer. Public-key authentication is
the most secure authentication method implemented in the SSH protocol and
must always be available on every server. This authentication method is
based on asymmetric cryptography; the asymmetric algorithm most used for key
generation is RSA. To authenticate, the user generates a public/private key
pair with an asymmetric algorithm supported by the SSH protocol, using the
ssh-keygen command. Having generated the keys, the user must transfer his
public key to the server, where it is generally stored in a special file in
the user's home directory; the private key is kept on the client and must
not be disclosed, and to guarantee greater security it can be protected with
a password (passphrase). The user can transfer his public key to the server
either on physical storage media or with the ssh-copy-id command. To verify
the identity of the user, the server exploits the particular properties of
asymmetric cryptographic algorithms. During the authentication phase the
server generates a random 256-bit string, encrypts it with the user's public
key and the encryption algorithm corresponding to that key, and sends it to
the client. The client decrypts the message with its private key and sends
the hash of the recovered string to the server; if the hash sent by the
client matches the hash of the server's string, the user is authenticated.
Only the holder of the user's private key can correctly decrypt the server's
encrypted message, and in this way the server verifies the identity of the
client. When authenticating with public keys no password is required of the
user, except when a passphrase has been applied to the private key. Password
authentication is the simplest authentication method supported by the SSH
protocol: the user provides a user name and password, and the server compares
them with the operating system's user database. This exchange takes place
inside the encrypted channel, so it is not at risk of interception.
Procedure (A is the client, B the server):
A ⇒ B: SSH_MSG_USERAUTH_REQUEST, pappy, ssh-userauth, keyboard-interactive
B ⇒ A: SSH_MSG_USERAUTH_INFO_REQUEST, pappy, password-authentication, 1,
"Enter Password"
A ⇒ B: SSH_MSG_USERAUTH_INFO_RESPONSE, 1, "love"
B ⇒ A: SSH_MSG_USERAUTH_SUCCESS
To prevent brute force attacks, a tool such as DenyHosts or Fail2ban can be
used.
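The public-key challenge/response described above, as an added example that is not code from any SSH implementation: the server encrypts a random 256-bit value with the user's public key, the client decrypts it and returns only a hash, and the server compares hashes in constant time. The RSA used here is unpadded schoolbook RSA generated in-process, which is fine for showing the flow but not for real use; all function names are the example's own.

```python
import hashlib
import hmac
import secrets

PUBLIC_EXPONENT = 65537

def is_probable_prime(n, rounds=40):
    """Miller-Rabin test; enough for generating illustration keys."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # force size and oddness
        if is_probable_prime(cand):
            return cand

def generate_keypair(bits=1024):
    """Schoolbook RSA: returns ((n, e), (n, d)). The private half stays on the client."""
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % PUBLIC_EXPONENT:  # e is prime, so this means gcd(e, phi) == 1
            return (p * q, PUBLIC_EXPONENT), (p * q, pow(PUBLIC_EXPONENT, -1, phi))

def challenge_digest(value):
    """Hash an integer challenge in its minimal big-endian encoding."""
    return hashlib.sha256(value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")).digest()

def server_challenge(public_key):
    """Server: draw a random 256-bit string and encrypt it for the user's key."""
    n, e = public_key
    challenge = secrets.randbits(256)
    return challenge, pow(challenge, e, n)

def client_response(private_key, encrypted_challenge):
    """Client: decrypt with the private key; only the hash of the result is sent back."""
    n, d = private_key
    return challenge_digest(pow(encrypted_challenge, d, n))

def server_verify(challenge, response):
    """Server: the user is authenticated only if the hashes agree."""
    return hmac.compare_digest(challenge_digest(challenge), response)

def authenticate(public_key, private_key):
    """Run the whole exchange; a wrong private key yields a mismatching hash."""
    challenge, encrypted = server_challenge(public_key)
    return server_verify(challenge, client_response(private_key, encrypted))
```

This encrypt-then-hash exchange is the scheme the text describes (it matches the RSA authentication of SSH protocol version 1); SSH-2's publickey method instead has the client sign session data with its private key.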

Connection Layer Protocol

The Connection Layer is the highest layer of the SSH protocol; it allows
interactive terminals to be opened, remote commands to be executed,
connections to be forwarded and X11 graphical applications to be forwarded.
The Connection Layer provides these functions by means of multiple
communication channels passing through the same encrypted tunnel of the
Transport Layer. Each open interactive terminal and each connection forwarded
through the SSH connection can occupy a channel. Since multiple channels can
be open at once, each channel has an identification number, which is used to
distinguish packets belonging to different channels and allows the SSH
application to reconstruct the different communications running through the
encrypted tunnel. A channel is opened when both parties agree to its
creation; if one of the two parties refuses, the channel is not created.
Until both hosts have confirmed the opening of the channel, no packet is
allowed to use it. Thanks to the great flexibility of the SSH protocol it is
possible to create encrypted tunnels that carry arbitrary TCP sessions inside
the encrypted connection, to protect insecure protocols from interception or
to work around routing restrictions. This feature is called port forwarding,
and it allows a TCP socket to be opened on the SSH client (local port
forwarding) or on the server (remote port forwarding). Connections received
on this port are forwarded by the other end of the SSH connection to a
specified host and port. For example, the following command connects to
host1 and forwards port 10022 of the machine where the ssh client is run to
port 22 of host2, through a secure channel between the client and host1:
ssh host1 -L 10022:host2:22
While this connection is active, any connection to port 10022 on the client
is redirected to port 22 of host2.

Example of use of port forwarding

Port forwarding is useful, for example, for providing remote assistance to
machines that have no secure remote management system. A secure tunnel can
be created between a client port and a port on the remote server, or on any
third machine behind the remote server, as long as the server machine has
forwarding enabled. This is normally possible without installing any
additional packages. For example, in the following scenario:
CLIENT - [secure network] -> ssh server - [insecure network] -> THIRD
MACHINE
if we want to use remote desktop on the third machine, we only need to
connect to the ssh server requesting a tunnel between a local port of the
machine we are working on and port 3389 of the THIRD MACHINE. After that, we
just start the RDP client and connect to localhost:<chosen port>. The local
ssh client establishes an encrypted connection with the server, creates a
tunnel inside this encrypted connection, and sends the RDP connection into
the tunnel. The server in turn establishes a normal TCP session with the
third machine on the requested port. As a result, the RDP client is put in
communication with the third machine. The connection between the ssh server
and the third machine is not encrypted, so the communication between these
two machines should not be at risk of interception. The third machine sees
the TCP connection as coming from the ssh server rather than from the
client.
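The local-forwarding mechanics of the two sections above, modelled as a plain TCP relay; this is an added example, not OpenSSH code, and it deliberately omits the encrypted hop to host1 so that it runs offline. It keeps the -L semantics the text describes: a listener on the client side, a fresh ordinary TCP session to the target for every accepted connection, and a target that sees the forwarder, not the original client, as its peer. The echo service standing in for the third machine is constructed for the example.

```python
import socket
import threading

def pump(src, dst):
    """Copy bytes src -> dst until EOF, then half-close dst so EOF propagates."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass

class LocalForwarder:
    """Stand-in for `ssh -L <local_port>:<target_host>:<target_port> host1`:
    each connection accepted locally becomes a fresh TCP session to the target,
    opened from the forwarder's side (the target sees the forwarder as its peer)."""

    def __init__(self, target_host, target_port):
        self.target = (target_host, target_port)
        self.listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.listener.bind(("127.0.0.1", 0))  # port 0: the OS picks a free port
        self.listener.listen(5)
        self.local_port = self.listener.getsockname()[1]
        threading.Thread(target=self._accept_loop, daemon=True).start()

    def _accept_loop(self):
        while True:
            try:
                client, _ = self.listener.accept()
            except OSError:  # listener closed by close()
                return
            remote = socket.create_connection(self.target)
            threading.Thread(target=pump, args=(client, remote), daemon=True).start()
            threading.Thread(target=pump, args=(remote, client), daemon=True).start()

    def close(self):
        self.listener.close()

def start_echo_service():
    """Constructed stand-in for the THIRD MACHINE service (RDP on 3389 in the
    text): it echoes whatever it receives. Returns (listening socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=pump, args=(conn, conn), daemon=True).start()
    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]

def send_through_tunnel(local_port, payload):
    """Client side: talk to localhost:<local_port> exactly as the RDP client would."""
    with socket.create_connection(("127.0.0.1", local_port)) as sock:
        sock.sendall(payload)
        sock.shutdown(socket.SHUT_WR)
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                return b"".join(chunks)
            chunks.append(data)
```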

X forwarding

Port forwarding is also useful for carrying X Window applications through an
SSH connection. SSH also automatically sets the appropriate environment
variables, so that X applications launched from the remote terminal are
displayed on the display from which the connection was initiated. On the
client side X forwarding must be enabled by passing the "-X" option, while on
the server side the /etc/ssh/sshd_config configuration file must be modified
to enable the X11Forwarding directive (remember to restart the SSH server
once the change to the configuration file has been made).

SSH File Transfer Protocol

The SSH File Transfer Protocol, or SFTP, is a network protocol that provides
file transfer and file management capabilities. It is typically used together
with the SSH-2 protocol, which provides the secure transport, although it can
be used over any other protocol. SFTP differs from SCP because the latter
only allows file transfer, while SFTP allows various operations on remote
files; it can therefore be considered a remote file system. Port 22 is
usually used. The SFTP protocol itself provides neither authentication nor
security. SSH version 2 is therefore used, with SFTP running as a subsystem;
using SSH version 1 together with SFTP is not possible, because it does not
support the concept of "subsystem": a client connecting with SSH-1 would have
to know the path of the SFTP server binary. The protocol has not yet become a
standard; however, the specification of the latest version of the protocol,
version 6, is documented. The most used version, though, is version 3, which
is implemented as the SFTP server in the popular OpenSSH.

Secure Copy Protocol

Secure Copy, or SCP, is a protocol for securely transferring a file between a
local computer and a remote host, or between two remote hosts, using the
Secure Shell (SSH) protocol. The term SCP can refer to either of two related
things: the SCP protocol or the SCP program. The SCP protocol is similar to
the BSD rcp protocol, but unlike rcp the data is encrypted during transfer,
so that no usable information can be extracted from the data packets by
sniffing. The protocol itself provides no authentication or security, but
relies on the underlying protocol, SSH, to provide these properties. SCP can
interactively ask for the passwords or passphrases required to establish a
connection to the remote host, unlike rcp, which fails in this situation.
The SCP protocol implements only file transfer. It works by connecting to
the host with SSH and running an SCP server (scp) there; the server's SCP
program is typically the same SCP program as the client's. For uploads, the
client provides the server with the files to be sent, optionally including
their basic attributes (permissions, timestamps). This is an advantage over
the common FTP protocol, which does not give the final file on the server
the attributes of the original file (original date/timestamp). For
downloads, the client sends a request for the files or directories to be
downloaded. When a directory is downloaded, the server provides its
sub-directories and files to the client. The download is therefore
server-driven, which implies a security risk when connecting to a "malicious
server" (a server that fraudulently replaces the one you intended to reach).
In the overwhelming majority of uses the SCP protocol can be replaced by the
more extensive SFTP protocol, which is also based on SSH. The SCP program is
a client application that implements the SCP protocol; it is therefore a
program for making secure copies. The most widely used SCP client is the scp
command-line program, which is provided in most SSH implementations. The scp
program is the "secure" analog of the rcp command. The scp program must be
present on every SSH server that wants to provide the SCP service, since scp
acts both as the client and as the SCP server. Some SSH implementations
provide the scp2 program, which uses the SFTP protocol instead of SCP but
provides exactly the same command-line interface as scp; in those
implementations scp is typically a symbolic link to scp2. Typically, the
syntax of the scp program mirrors that of cp:
scp FileSource userName@host:directory/DestinationFile
scp userName@host:directory/SourceFile DestinationFile
Since the SCP protocol implements only file transfer, graphical SCP clients
(GUIs) are rare, because additional features are needed to implement them
(at least directory listing). For example, WinSCP uses the SFTP protocol by
default. Even when operating in SCP mode, clients such as WinSCP are not pure
SCP clients, since they must use other means to implement the additional
features (such as the ls command). This in turn leads to problems of
"platform dependency": for this reason it may not be possible to work with a
particular SCP server using an SCP GUI client, even though it is possible to
work with the same server using a traditional command-line client. The most
complete tools for managing files over SSH are SFTP clients.
