By internet security, I mean we want to secure our communications when we're using applications on the internet. We've spent some time going through one very common example of secure communications on the internet, and that was HTTPS, secure web browsing. But web browsing is just one application on the internet. There are many other applications that don't use HTTP but that we still want to secure. Tell me some applications on the internet that don't use web browsing or don't use HTTP. What's one application? FTP, so file transfer: with an FTP client you contact an FTP server to download files. Normally it's unsecure; the files are downloaded in the clear. What's another application? An application we use on the internet, an application or a protocol? SMTP. What would you use SMTP for? What application? Sending messages, and those messages we call emails. All right, SMTP is a protocol used for email. So email is an application that of course doesn't necessarily use HTTP. It uses SMTP, IMAP, POP and some other protocols. Instant messaging, so LINE, WhatsApp and all those applications, and in the old days MSN, and all those applications that allow instantaneous communications don't necessarily use HTTP.
They may use their own protocols, so that between the applications they communicate with their own protocols: instant messaging; voice applications, talking to someone across the internet; game applications, where your game client talks to a game server, not necessarily using HTTP but its own protocol; many business applications, so many companies will have these applications developed for them that talk between clients and servers. So when we talk about internet security, we don't just care about web security, but also the security of other applications. The problem is that most of those applications we just mentioned, in the original design, did not have any security mechanisms. FTP does not secure any data. SMTP for email does not encrypt the emails. Most game applications by default would not use any security. But if we want security, we need some extra features. That's what we'll mention here. So many of the internet protocols were designed assuming that the network is trustworthy: we can trust the people running the devices, we can trust the people who access the links. And that was true when the internet started, maybe 40 years ago, because it was just for communication between academics and researchers. But of course as it grew and more people used it, and especially for commercial services, there started to be malicious users involved and you could no longer trust the links. Maybe someone intercepted data on a link. So we needed some security mechanisms, but none of those original protocols had any built in. IP does not encrypt the IP datagram. TCP does not encrypt the data in the segment, nor does UDP. We know HTTP has no security mechanisms. Email and many other protocols which we commonly used and still use do not have inbuilt security. So what happened is, as the internet grew and people realized we need some security mechanisms,
they often added some extensions, some optional extras, to those protocols. For example, for IP there's an extension called IPsec that you could use to encrypt your IP datagrams. With TCP there's an extension called Transport Layer Security, TLS, again used to encrypt your TCP packets. And for SMTP and other applications there are extensions to encrypt emails and the different types of data traffic. What we'll do in this topic, very briefly, is compare the approaches for where we can use these extensions to provide security. We'll look at it from a layered perspective and we'll look at four approaches. When we use a normal internet stack, with an application layer, transport layer, network, data link and physical, we'll look at where we could add this security extension, at which layer, and we'll cover four cases, application, transport, network and link, and we'll compare the advantages and disadvantages of using each. To compare them and to illustrate them, we'll use this simple example topology and set of stacks for devices. So let's explain it first. This is an example where, let's say, host A wants to communicate with host B on the internet. How would host A identify host B on the internet? What would host A need to identify host B? Any idea? You've all spent last semester studying networking, another course, or two courses this semester. How do we identify hosts on the internet?
IP addresses. So we assume that host A and host B have IP addresses, and host A has an application running that wants to communicate with an application on host B. We assume that host A knows the IP address of host B. We'll look at the devices in detail in a moment, but in this scenario, let's say we've got a case where host A, say my laptop, uses Wi-Fi to talk to a wireless LAN access point like the device at the back of the room. So there's a wireless link here. Then that Wi-Fi access point has a LAN cable plugged into it, and that LAN cable goes eventually into a router. If we consider SIT, it's my laptop wirelessly connected to the access point in the back of the room, and then a LAN cable coming from that access point into a router, maybe downstairs on the third floor, our computer center in this building. And that router, router X in this diagram, has a cable going into another router, maybe a router at Rangsit campus, and that has a cable going into another router that connects to TU, and it keeps going, and that forms our internet, or our routers connected together. And eventually, let's say our host B is in another country, we get to router Y. So note where I draw between router X and router Y, I say "the internet". There may be many other devices in between. We just simplify by drawing a tube, but there may be multiple in between. And eventually router Y has a cable going into host B, some server computer somewhere else in the internet. So that's our topology for this example, and we'll assume A and B want to communicate, the applications want to communicate, and they want to communicate securely. So we'll talk about what security they can provide. Now if we look in the details of the devices, what are the five layers from top to bottom? First layer at the top, what's the name? Top layer: application. Second layer, T...? The layer name: transport. Then third layer: network. Fourth layer, D...? There's a hint there, DL: data link. And at the bottom, the physical layer.
Okay, so those are our five general layers to simplify our devices. So in this diagram I show the stacks for our example devices in the topology. Sometimes I give specific technologies at those layers; sometimes I don't give the details. So let's see. Our host A at the application layer has some application layer protocol. What are some examples of the application layer protocol that we could use here? Yell them out and I'll write some down. What could we use as an application layer protocol? Tell me one example, anyone. It's all right, we have four lectures, I can wait. We can even have a makeup lecture if we need, maybe Thursday next week on our holiday. One application layer protocol, again? Almost, you've got the first letter. What's the obvious one we use? HTTP. So SMTP for email. Also for email we have things like POP. You don't need to write these down, I'm just giving examples. So IMAP for email, you may have seen that. Instant messaging applications often have their own protocol; an old one, there was MSN, when you used Windows instant messenger, there was a protocol. There are many voice protocols, voice over IP, and many, many other application level protocols. For this example we're not being specific. We're saying we've got some application level protocol that wants to talk to this one. It may be our own. Maybe you've been tasked to write an application for a company that communicates with a server and you define your own protocol. At the transport layer I've given the two common ones. At the transport layer we primarily use TCP; sometimes we use UDP. There are a few others which are very infrequently used. TCP is primarily used because we need reliability in many applications and TCP provides reliability. UDP is very simple and mainly used for real-time applications, multimedia applications like streaming video and voice. So that's the transport layer. At the network layer we center around IP, the Internet Protocol. At the data link layer,
what are some examples? For this host A, what standard or protocol is used at the data link layer? My laptop, host A, what technology am I using to communicate at the data link layer? There's a hint on the picture. At the data link layer, from my host A, the laptop in this case, what technology am I using to communicate across the link? Yeah, it's something about the network interface card. What am I using, what is my network interface card using to communicate? What's the common name or the official name of that technology? Start with a simple name. Well, the general name: wireless LAN. What's the more common name? Wi-Fi, sometimes we call it. It's the marketing name for wireless LAN technologies, Wi-Fi. The actual standard is referred to as IEEE 802.11. So that's the standard that defines the protocol to use at the data link layer and also at the physical layer. So there's a standard for Wi-Fi; they define how you communicate at the physical and data link layer. On this picture I don't show their names, I just say data link and physical, but we assume that it's a Wi-Fi technology, IEEE 802.11. The access point, on the left interface... Those at the back, look at the access point. How many interfaces does it have in use? How many, give me a number? How many interfaces do you think it has in use, maybe 0, 1, 2 or 3? Everyone in the class, that access point, everyone can see it. You've got four options, 0, 1, 2 or 3. How many interfaces are in use now? 0, hands up. Okay, good. 1? One interface, a few people. So everyone else thinks 2 or 3. All right, those were wrong, so here's your chance to be correct. 2 interfaces, hands up. All right, we've got one... two correct people, when one put her hand up just after everyone else did. Three interfaces? No. So the answer is 2. Why 2? Ethernet and Wi-Fi. If you look closely, there are the two antennas providing the wireless access, plus if you look very closely, there's an Ethernet cable plugged into it. Is there? You see it's attached to the wall.
I think there's an Ethernet cable. Okay, so there are two interfaces used in a Wi-Fi access point. We have the Wi-Fi interface, the wireless LAN interface, on our picture on the left side, and on the right side the wired interface, the Ethernet interface. The answer is here too. So that device implements two sets of data link/physical layer pairs. There's a data link and physical layer protocol for communicating across the wireless, the Wi-Fi technology, and a separate one for communicating across the Ethernet link. So that's why I draw in the stack that there's a data link layer and a physical layer for Wi-Fi, and similar here for Ethernet. "Bridge" just means that's the term for how those two are connected together. That's the role of the access point. Similar for the routers: this router X has an Ethernet cable plugged in, so it has a data link layer and physical layer for Ethernet, and another data link layer and physical layer for the other cable. In this diagram we don't specify what the technology is on this other cable. Maybe it's DSL, maybe it's Ethernet, maybe it's an optical fiber technology. We don't know; we don't really care in this example. But importantly, that router implements IP, because a router is the device that's connecting our internal network to outside. So just be careful: the Wi-Fi access point does not implement IP in this case. It is not a router. Sometimes we may refer to it as a wireless router, but the way that it's used in SIT is simply as an access point, where it receives a Wi-Fi packet and sends it to the real router using Ethernet. Subsequent routers across the internet are all involved in the IP forwarding process, and then we reach host B, which is identical to host A. Before we get onto the security part: where are these layers implemented, starting from the bottom? Where would you find the implementation of the physical layer? You have your laptop, your Apple Mac. Don't be embarrassed for using an Apple computer.
It's all right. So where is the physical layer implemented in your computer? It's somewhere in there. All those layers are somewhere, if your host A is your computer. Where are they? Where's the physical layer? If I ask you to find me where the source code or the hardware of the physical layer is, where would you point me to? Specifically name the part of your laptop that implements the physical layer, or for your phone. Anyone can help her. I think we know that the bottom layer, the physical layer, is about getting signals out, and even the data link layer is about getting the data across a link. They usually go together, and a general name may be a network interface card. It's the hardware that provides that technology. Say in your laptop's case, it's the Wi-Fi chip. So if you open up your laptop and look inside, on board the motherboard there'll be a chip which implements Wi-Fi. It actually implements the physical layer and the data link layer. So usually it's a separate chip on the motherboard, or in some old computers it would be in a USB device you'd plug into your laptop. That would implement the physical and data link layer. In general we refer to that as a network interface card sometimes, but here what we would note is that the bottom two layers are commonly in hardware. I'll just say HW. That's usually a hardware implementation. We have a device embedded in our computer that does that, sometimes called a network interface card. Where's IP in your laptop? Where is it? Where is the software? IP is a protocol. It's implemented, and here I've given you part of the answer, it's implemented as software, not hardware. Whereas the Wi-Fi technology's data link layer and physical layer are implemented in hardware, normally as code on a chip, IP is implemented as just some software. Maybe someone wrote some code and compiled it to get the IP software. Where would you find that software on your laptop, or how did it get there? How did it get on there?
That's how you get your IP address, from DHCP. But the IP software not just handles the IP address; when you get an IP packet, it looks at it and sends it on. Where is that code or the executable that does that? Where would you find it in your computer? We need to know this so we can compare the different solutions. Did anyone install something called IP when you installed your computer? Do you remember installing a piece of software called the Internet Protocol? Probably not. So trust me, it's there. If you can use the internet, there is some software for IP on your computer. How did it get there? When did you install the IP software? Or what did it come with? Did it come with Firefox when you installed that? Did it come with the LINE application when you installed that on your phone? No, no. So what did it come with? What else do you think? The driver. Sometimes you install drivers; why? For the network interface card. Normally the drivers are really just a way of interfacing the software to the hardware, so no, it's not in the drivers. There's one other big piece of software on our computer. What's the name of that software that runs our computer? You've had a whole subject on it: your operating system. When you installed, or when someone installed, Android on your phone, maybe not you, when the supplier or you installed OS X on your laptop, or you installed Windows or Linux or whatever operating system you have, one part of the operating system is the IP software. It's not normally installed independently by you; it usually comes as a feature of the operating system, as does the transport layer, the same with TCP and UDP.
There's some additional software that implements TCP, and that also comes with your OS. So it's important to distinguish that we have a rough split here: your OS covers these two layers, and these two layers, data link and physical, are part of the network interface card and implemented in hardware. We often use "drivers" as the name of the software that allows our operating system to interface with the hardware. So sometimes you buy a new network interface card and it doesn't work, so you need to update or install the drivers, which allow your OS to talk to that new piece of hardware. The OS includes the software for IP, TCP, UDP and other protocols in these layers. Where are the application protocols implemented? Well, in the applications themselves, usually. You install your web browser; part of the code of the web browser implements HTTP. You install LINE; part of the code of LINE implements the protocol that LINE uses to talk to the server. So the application layer protocols come with the application that you install. This separation between application, OS and hardware has an impact upon how convenient it is to use the different security solutions. Which one is it easiest for you to modify on your computer or on someone else's computer? Which one's easiest to modify: application, OS or hardware? Application. Can you modify the hardware? Well, not very easily. Can you program the hardware? Usually you need a lot of resources to do that. Sometimes. Can you modify the operating system? You can change the settings. Can you change the source code of your operating system, get it to do something else? With Windows, probably not; with Linux you could, because it's open source. You could find the source code, change it and recompile, but it's not easy. All right, so we don't normally change the operating system functionality. We may change settings. The application we could; for many applications, if we have access to the source code,
it's not so hard to modify, recompile, and now we have a modified application. So that has an impact on where we may implement the security mechanisms. So that's about our layered stacks. Now let's use this example topology, looking at the individual devices, and see where we can implement the different security mechanisms. The first approach, the general approach, we'll refer to as application level security. What I mean by that is that the security mechanisms are implemented in the applications. So we want to communicate securely from host A to host B. The application on host A includes some source code which implements our security mechanisms. What security mechanisms? The one obvious thing: encryption. I have some data to send from host A to host B. We need to encrypt that. So the application includes some code to encrypt data. How could we write some code to encrypt data? What would you do? What algorithm could you use to encrypt data, from some of our very first lectures? What are some algorithms or ciphers we can use to encrypt data? AES is one, a symmetric key cipher. RSA is a public key cipher. Normally for data we use a symmetric key cipher, AES. There are others as well. So if you're an application developer, what you could do is implement the source code for AES and include it in your application. Let's say you want to create a new alternative to LINE, or an instant messaging application, and it needs to talk from host A to host B, and you want it to be secure communications. So what you could do is implement your application, the graphical user interface, all the functionality, plus have a feature that encrypts everything that you send, encrypts every message. That's what we mean by application layer security: the security mechanisms are included in the application. Not just encryption, but if we're going to use AES, what's another thing we need to do? How do we get a key from A to B?
You can't expect the users to type in the key at computer A and the key at computer B. There are techniques for exchanging keys securely across the network, handling certificates for example. So not just encryption, but other security mechanisms, checking checksums or hashes, or message authentication, are all implemented in the application. Now what I show in this picture, this red line, is saying: if we implement our security mechanisms in the application, both at host A and host B, the user generates some data, the application has that data, and this, which I denote the "app sec" block, this functionality say encrypts that data and then sends that data to the transport layer. And what is sent to the transport layer is encrypted. So from a packet perspective we can say: here's my packet that's created by the application. It contains some data and an application layer header. So just a shorthand for the packet structure, the packet format: two blocks here. But what the application does is it sends that to the transport layer, TCP or UDP depending on what the application needs, and it can send that encrypted to the transport layer. So what TCP does, for example, the transport layer may attach a header. I'll say we use TCP in this example, and we have inside the TCP packet the application layer header and the data, but all of that is encrypted. So I'm trying to show the packet formats; we can draw them as rectangles at the different layers in our stack. The application generates some data to send to host B. The application encrypts that packet, sends it to TCP, if we're using TCP as an example, or alternatively UDP. From TCP's perspective it attaches a header, follows its protocol rules, but everything inside the TCP packet is encrypted, because the application security block encrypted it before it was sent to TCP. TCP sends all of that to IP. So then the IP datagram has an IP header, a TCP header, the application layer header and some data. But still the application layer header
and data are encrypted. That IP datagram is sent to the data link layer, your Wi-Fi card, which attaches a header and eventually sends it across the Wi-Fi link. So we'll just draw that at the bottom, the packet that's sent. I'll not draw the data link layer and physical layer separately; I'll just denote them as Wi-Fi: Wi-Fi header, IP, TCP, but the application layer header and data are still encrypted. So this is the structure of the packet sent across our wireless link from my laptop to the access point. Any questions on what I'm drawing there and why I drew it that way? We want to see what is encrypted, if we're using encryption for our data, what gets encrypted, and we'll compare it to some other approaches. If someone intercepts that packet, say I send it from my laptop to the access point, you are running your laptop and you're running some software to capture the wireless packets, and you intercept it. What can you see? What could you learn from intercepting this packet? What would you learn if you saw that packet using tcpdump and Wireshark, for example? What would you learn, or what would you not learn, from intercepting that packet? What would you not learn? You would not learn the data; the data of the application is encrypted. You would not learn the application layer header, because that is also encrypted. So that's the idea here: nothing about that is revealed to someone who intercepts, because it's encrypted. But what do you learn in this case? What could be useful for an attacker if you intercept this packet? Any ideas? Have a look at the packet. Look at what's encrypted and what's not. What could you learn from the unencrypted information? Look at what's unencrypted, and what could the attacker learn from that? Just look at the packet, look at what fields are unencrypted. Can you know the IP address?
Yes, the IP address is in the IP header. There's a source and a destination address field; the IP header is not encrypted here. So an attacker knows who sent it and knows who received it. So that is not kept confidential. It's only the data inside that's kept confidential. What else can be learned? Does the attacker know the type of application being used? You capture this packet and I ask you to tell me the type of application being used. Can you find the answer? You say no. Why not? Because the application layer header is encrypted. But there's another way. How would you find the type of application? Don't worry about your other courses. You worry about passing this course. This is my last semester at SIT, so I can make the exam as hard as I like, and give as many F's as I like as well. So the question: how would you determine the application type? The IP tells you about the computers communicating. What can tell you about the application type? What other type of address do we have that tells us something about applications? How would you know if a packet is going to a web server? Port number 80. So port numbers, server port numbers, commonly identify the type of application. And where is the port number stored?
It's stored in the TCP header. So there would be a destination port number in the TCP header. If the destination port number was 80, I would know this is for web browsing. If it was port number 25, I know that's for an email server, and I generally can find out, given a port number, what type of application it is. So we don't necessarily hide that, but we do hide the data in the application. This packet is sent across the internet in the normal way IP packets are sent across the internet. The source address, to be detailed here, the source address in the IP header identifies host A, the IP address of host A, and the destination identifies B. The source port would identify the application here, whichever one we're using, and the destination port would identify the application at B, let's say the server application. That is revealed to anyone who intercepts along the way. But at any point between host A and host B, at any point along this red line, if someone intercepts this packet they cannot see the application layer header or the data. So this is a good form of security, and it's called end-to-end security or host-to-host security, because between the two endpoints, the two hosts, everything is encrypted all along the way. We'll see some alternatives where that's not the case. So that's an advantage of using application security. A disadvantage is that the person who created the application must also implement the security mechanisms. Again coming back to an example: you have a new idea to create an instant messaging application, an alternative to LINE. You develop it for your mobile phone, or for Android, and you decide to use application layer security. So then it's your responsibility to implement those security mechanisms.
So if you implement AES and it works, good. But if you maybe make a mistake in your code and your AES is insecure, then your whole application is insecure. So one of the disadvantages of application security is that it's the responsibility of the application developer to implement those security mechanisms, and it's very hard to get them correct. So it's very easy to make mistakes and lead to flaws. If you don't want to implement them yourself, what could you do? You don't want to implement AES or RSA. What could you do as a software developer? Any ideas? I give you a homework task to implement an application which encrypts data. What approach could you use to make your life easy? If you don't want to implement AES yourself, you can go and find some library or some framework that already implements it for you and use their code. That's common; there are many libraries available that implement different encryption algorithms. So you could use someone else's code, and hopefully someone else's code has been tested a lot and is found to be secure under as many cases as possible. So that's a more common approach. You don't implement it yourself.
You use a well-known library to implement the security mechanisms. So application level security is the first approach we can use to secure our communications on the internet. Some examples: Secure Shell, which I think you've used to log into other computers, is an example of application level security. It's implemented in the application. If you want to have security mechanisms for email, you can enable features that encrypt your email messages; OpenPGP and S/MIME are examples of application level security. DNSSEC is for DNS, securing DNS, and there are others as well for many different applications. The very good thing about application level security is it provides encryption from the source host all the way through to the destination host. We don't depend upon the operating system. Our application security mechanisms don't depend upon the security mechanisms of the operating system, so it should be possible to implement them for different operating systems. The problem is that each application must implement the security mechanisms. For example, every application that does this must implement AES. I develop my new instant messaging application and implement AES myself; you do a different application and then you go and re-implement AES. So it seems to be a waste of resources to have every different application implement the same encryption cipher, and there's a high chance of making mistakes when you implement that cipher. So that's the first approach. The next approach: rather than have the application developer implement the security mechanisms, leave it to the operating system, and let the operating system implement AES, RSA and others, and the application simply uses those features. The first way that we do that is using transport level security. There's a protocol that we use for transport level security, commonly called TLS, which actually means Transport Layer Security, and the old name was Secure Sockets Layer, SSL.
So in this example, slightly different, we want encryption from application to application. Instead of doing it inside the application, we do it inside the transport layer. The distinguishing point here is that the transport layer is inside the operating system. Remember where the split with the OS was: here's the application, here's the OS, here's the hardware. We drew this before. So the first approach implements security mechanisms in your application; the second approach uses the operating system provided security mechanisms. Therefore you don't need to do it as the application developer. A very common way that's used, when we use TCP as a transport protocol, the protocol available is TLS, also called SSL. Very similar to before. We will not draw the entire packet, but the application may have a header and data, and then TCP attaches its header. What is encrypted here? Again, it's what the application sends to TCP. So in fact all of it can be encrypted, which is the same structure as with application level security. So very similar here. The main difference is where the security mechanisms are implemented: either in the application or, in this case, the operating system. TCP passes it to IP and the same packet is sent across the wireless LAN. Actually, maybe I've drawn that slightly wrong, and I'll fix it here. I missed out something here. We add another header, to be precise. What we have inside our Wi-Fi packet:
We have our normal IP datagram, inside that a TCP datagram or segment, but we introduce a new header for the specific protocol being used here, TLS in particular, and that is not encrypted, and then we have the application header and data encrypted inside that. So it's slightly different from the previous case, but the same information is encrypted. Still the application information is encrypted. Still an attacker knows the source IP and the destination IP, source A, destination B; they know the protocol, the port number, so they can still see whether it's going to destination port 80, port 25 or some other port, and identify the type of application. So that's similar to the previous case. So very similar to application level security. The key difference is that in this case we don't need to implement the security mechanisms like AES, RSA, certificate verification; we let the operating system do that, or, even if it's not included in the operating system, we let a separate piece of software that implements TLS do that. What are some implementations of TLS? Name me one, and this is an easy exam question to answer. One implementation of TLS, or SSL, Secure Sockets Layer, is the old name. Name me the program or the code that implements it. You've used it before. You've used it in some homeworks. Note that TLS is the name of the transport layer security used by TCP; the old name was SSL, Secure Sockets Layer. What's the name of an implementation of them? Can you remember your homeworks? Maybe one of the first or the second ones. What command line program did you use to generate keys? What was it called? genpkey was the option, but the word before that option was what? openssl, right? The software you used in your homeworks was OpenSSL. OpenSSL is just an implementation of SSL. SSL is the old name, TLS is the new name, that's all. So OpenSSL is some software that implements TLS.
So what we could do: you write your normal application. You don't implement RSA, AES, you don't care about certificates. You then communicate with OpenSSL, which does all the security stuff for you, and then OpenSSL sends to TCP, which is part of the operating system. So there are some common or widely used implementations of transport layer security. OpenSSL is one of them. In Windows, Windows provides something called Schannel. In Mac, the OS X provides, I think it's called Secure Transport, is the name of the software. There's GnuTLS, and there are some other implementations of transport layer security. So there are some widely used ones. The important thing is that the application developer doesn't have to deal with those implementations; they just use someone else's. So again, we have end-to-end security or host-to-host security. That's good. We have host-to-host encryption. It makes applications easier, an application development easier: the application developer doesn't have to worry about the encryption or the implementation of it; someone else does it for them. Less chance for them making mistakes and leading to security flaws. The problem is that usually the transport layer security only works for one transport protocol. TLS works just for TCP. If you want to use UDP you need a separate solution. There's DTLS, but it's not so widely used now yet. So it's only specific for transport protocols. Your applications must be modified to use these features in the operating system.
So if your application did not use security but now you want it to use security, you'll need to change some of the code in your application to support those security features, which is not too hard nowadays. So this is a good solution, and the examples of where it's used: for TCP based applications the name of the technology is TLS or SSL, and we know HTTPS. HTTPS is simply HTTP using TLS. And there's similar ones for IMAP for email, for FTP file transfer. They're just the normal protocols, IMAP and FTP, but they use the transport layer security, and SMTP and others. This is a widely used solution for web browsing, of course, HTTPS, but also some other applications. Both are very similar with respect to security but differ with respect to how easy it is to develop the application. Using transport layer security is generally easier. Let's consider a third approach: network level security, at the network layer. In particular with IP, we encrypt the IP datagrams and send them encrypted across the internet. So your application doesn't do anything special for security. TCP doesn't have to do anything special, or UDP, but when the data gets to IP, IP uses an extra feature called IPsec that encrypts the datagram, and then it's sent across the internet and then received at host B. So let's draw that and see how that compares to the previous two.
I will not draw the entire packet, I'll draw each layer. We'll draw the final packet. In this case we have the Wi-Fi header added by the data link layer, combined with the physical layer, and we have a special... We have the IP header and we also include IPsec in there, introduce a new header, then the normal TCP, the application layer header and the data. This is the packet sent across our wireless link as an example, and one approach is that we encrypt everything from the transport layer up. This is all encrypted, so the source address is still computer A, the destination IP address is still computer B. But what other security have we provided here that the other two didn't? What have we encrypted that we didn't encrypt with the previous two solutions, and what do we hide from an attacker? What's hidden from the attacker in this case compared to this one? What's different? The port numbers are hidden. That is, the TCP header or the transport layer header is encrypted, and inside that is the source port and destination port. So if someone intercepts this packet, they don't know whether it's going to a web server, an email server, instant messaging program or whatever. They can't see the port numbers, and that provides some additional confidentiality that may be useful in some cases. They just know it's an IP packet. They don't know what's inside. So that's one difference between this IPsec and the previous systems. Still the application data is encrypted. We still have end-to-end encryption: if we're using IPsec on host A and host B, then anywhere in between they cannot see the transport layer header, application or data. What's the problem with this? So good security compared to the other two, or good security similar to the other two, end-to-end security, even a little bit more in that the transport layer is encrypted. So a little bit better than the other two. Why is it not so good? Does anyone use IPsec?
IPsec? Look in your phone and go to VPN settings. Yeah, I think you'll find your VPN settings on your phone. Find VPN settings, and there should be some options for how to set up the VPN, maybe add a new configuration. Down the bottom, what can you choose from? What types of VPNs? PPTP. What else? You can choose from PPTP, the type L2TP and IPsec. The main ones; there's like variations. So I think if you look into the details of your VPN connections on your phone, usually both Android and iOS, they allow you to choose between three main approaches. One's called PPTP, one's called L2TP and the other's called IPsec. Do you see IPsec? Yeah. Okay, so have you ever used it? No. Not many of us use IPsec. It is widely used if you want to use a VPN, but we haven't talked about VPNs just yet. We will. But it's not commonly used for end-to-end encryption in this case, the reason being: set up your VPN. What do you need to do? What are all the things you need to fill in when you set up the VPN? You don't know how to set up the VPN, because for most users there's some detailed technical information that you need to provide. So the problem with IPsec is the end user, the user of the computer, needs to do some manual configuration, and that's hard for many people. Everyone in this class, I know you can set it up, but in the general population, asking them to set up IPsec is complex. It's hard to get them to do that. Whereas with the previous two solutions, with transport layer security and application level security, it was automatic. The end user didn't have to do anything to set it up, and that's a big problem with IPsec. IPsec works for all applications and all transport protocols. It doesn't matter: TCP, UDP, HTTP, a LINE application, anything.
It works for all of them. It can be used host to host, from one endpoint to another, which is good. But the main problem: it requires some manual configuration, usually in the operating system. As you see on your phone, when you go to the VPN settings and IPsec, you need to enter in some details. Same if you wanted to use IPsec on your computer; you need to set up some details. But with transport layer security and application level security, you don't need to configure anything. It just works. So it's not so widely used, at least it's not widely used for host to host encryption. As you see, it's on your phone under VPN settings. It's used in VPNs, which is in a different mode called tunneling mode. But VPNs, tunneling, we'll cover next week, and we'll see how they relate to privacy as well. So these other two variations of IPsec we'll cover when we look at VPNs and tunneling. We'll finish today with one last example, so we'll come back to tunneling and VPNs. The last example is link level security. You do the encryption just across a single link, and the common one that we use is Wi-Fi encryption. So it's not supported in SIT, but if you've got a home Wi-Fi access point, you should be using it. There are different variations of Wi-Fi encryption. One of them is called Wi-Fi Protected Access, I think version two, so WPA2 is usually the setting you want to choose. There's an older one called WEP, which is insecure, but WPA is the recommended one. Of course, link level encryption applies just across a link. For example, with Wi-Fi encryption, all of the data sent from your laptop to the access point would be encrypted. If we draw our packet, so this was IPsec: the entire TCP packet was encrypted. If we consider, as an example of link level encryption, WPA or Wi-Fi encryption, what's encrypted? We have the Wi-Fi header. It actually has some WPA options.
We have the IP header, TCP for example, application and data. That's our original packet. The encryption happens in, is performed by, the Wi-Fi network interface card. So what's encrypted is all of the data passed to the Wi-Fi layer, all of this. So this is sent from host A to their access point. The IP header is encrypted. Someone who intercepts this doesn't know about host B. We know the IP header will include the source address of A and the destination address of B, but since it's encrypted, someone who intercepts this packet cannot see those addresses. So that's the additional level of security this provides. But the problem being, it's only applicable for this link. Once your access point receives this packet, it decrypts and sends the original packet across the next link with no encryption. So what is sent across the Ethernet link and the other links in this topology, from the access point to the router, from router X to the next one, and eventually from router Y to host B, the packet looks like this. The header here may be Wi-Fi, Ethernet; it may be different values. But nothing's encrypted. The red line finishes here, and that's the main problem with link-level encryption. It applies just to one link. If we want to be secure from host A to host B, we must use link-level encryption across the Wi-Fi link, and across the next Ethernet link, and across the next link, and across all links in the path. For that to work we must trust everyone in the path as well. We must trust the devices, because the access point decrypts the data and then encrypts again across the second link. So we must trust the access point not to intercept our data. So the problem with link-level encryption is we don't have end-to-end or host-to-host encryption. Does anyone use Wi-Fi encryption?
At home, maybe use WPA on an access point, or in some Wi-Fi access points anyone used? Hands up. One person? So everyone else fails too. Surely you've used it in some cases, especially if you set up your own access point at home. You should have it turned on. Why, if it doesn't provide end-to-end encryption? What's the benefit here? So someone on the internet can still intercept your packet. So why would you use it? The benefit is that in practice it's very, very easy for someone to intercept a packet sent across Wi-Fi. It's very easy for someone to sit outside of your room and use their laptop to intercept the packets which you're sending to the Wi-Fi access point. It's much harder for someone to intercept the packets sent from your access point to your router, because it's across a cable and that cable's in your room. They'd need to physically come into your room and attach to that cable to intercept. But with Wi-Fi, because of the broadcast nature, it's easy for someone to be remote and to intercept. So that's why it's important to use encryption across wireless links, because it's much, much easier for someone to intercept. They don't need physical access to the link. So it's recommended to use WPA, especially for Wi-Fi access points, but not suitable if you want encryption from host to host. We would generally combine that with one of the other solutions. So WPA is an example of link-level encryption. Bluetooth has encryption, other wireless technologies as well: GSM has encryption, and 3G technologies. It applies to everything sent across the link, but it only applies across that link. That's the problem. And it requires some configuration of both endpoints. If you do set up Wi-Fi encryption, you need to program in a password at your laptop and your access point.
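As an added illustration that is not part of the lecture, the following Python model of the comparison drawn above works out which packet fields an observer on each hop of the A to B path can read under TLS, IPsec (transport mode) and WPA, and whether a combination such as WPA plus TLS gives end-to-end protection. The packet fields, hop names and the "which layers each mechanism encrypts" rules are constructed, simplified assumptions (TLS is treated as hiding only the application layer, its record header stays visible).

```python
"""Constructed model (not from the lecture) of which packet fields an on-path
observer can read under the three encryption approaches being compared."""

# A packet from host A to host B as a stack of layers, outermost first.
LAYERS = ("link", "ip", "tcp", "app")
PACKET = {  # constructed sample values
    "link": {"src_mac": "aa:bb:cc:00:00:01", "dst_mac": "aa:bb:cc:00:00:ap"},
    "ip":   {"src_ip": "10.0.0.5", "dst_ip": "203.0.113.7"},
    "tcp":  {"src_port": 51000, "dst_port": 80},
    "app":  {"method": "GET", "path": "/account"},
}
# Path A -> access point -> router X -> router Y -> B, as in the lecture figure.
HOPS = ("wifi", "ethernet_ap_to_x", "link_x_to_y", "link_y_to_b")

# Mechanism -> (lowest layer it encrypts, hops on which it is in effect).
# TLS: application layer only, on every hop (end-to-end).
# IPsec transport mode: TCP header and up, on every hop (end-to-end).
# WPA: everything above the Wi-Fi header, but only on the Wi-Fi hop; the
# access point decrypts and forwards the original packet in the clear.
MECHANISMS = {
    "tls":   ("app", HOPS),
    "ipsec": ("tcp", HOPS),
    "wpa":   ("ip", ("wifi",)),
}

def encrypted_layers(mechanisms, hop):
    """Union of the layers hidden on `hop` by every active mechanism."""
    hidden = set()
    for name in mechanisms:
        lowest, active_hops = MECHANISMS[name]
        if hop in active_hops:
            hidden |= set(LAYERS[LAYERS.index(lowest):])
    return hidden

def visible_fields(mechanisms, hop):
    """Field names an observer on `hop` can read in clear text."""
    hidden = encrypted_layers(mechanisms, hop)
    return {f for layer in LAYERS if layer not in hidden for f in PACKET[layer]}

def end_to_end(mechanisms):
    """True only if the application data is hidden on every hop of the path."""
    return all("app" in encrypted_layers(mechanisms, hop) for hop in HOPS)

if __name__ == "__main__":
    for combo in (("tls",), ("ipsec",), ("wpa",), ("wpa", "tls")):
        for hop in HOPS:
            print(combo, hop, sorted(visible_fields(combo, hop)))
        print(combo, "end-to-end:", end_to_end(combo))
```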
So it requires some manual configuration. What we'll do in the next lecture is we'll come back to tunneling, IPsec, and we'll see what on your mobile phone the VPN option means, and we'll talk about that in this topic and also the next topic on internet privacy.