next up previous contents
Next: 8.4.2 IP level security Up: 8.4 Internet TCP/IP security Previous: 8.4 Internet TCP/IP security

8.4.1 TCP level security

SSL (Secure Sockets Layer) was originally developed by Netscape and is now being standardized by the IETF as TLS (Transport Layer Security). It runs on top of TCP: SSL is itself a client of the TCP layer and sits between the application protocol and the transport layer, which in turn sits immediately above IP. Applications that can make use of SSL include HTTP (web browser to server connections), Telnet and FTP. As TCP is connection oriented, an SSL connection always exists in a well-defined state (negotiated cipher suite, keys, sequence numbers) that has to be established by a handshake before any application data is exchanged (cf. security associations supra).

SSL requires the server to authenticate itself to the client (normally with a certificate) and optionally allows the client to authenticate to the server. The TCP payload is encrypted to provide data confidentiality, and a message authentication code (MAC) computed over each record and its sequence number is attached so that tampering and replay are detected. The MAC by itself does not prevent man-in-the-middle attacks; that protection comes from the client verifying the server's certificate during the handshake, and a client that accepts any certificate remains exposed. The current version is SSL v3; TLS v1 (protocol version 3.1) is the IETF's revision of it, with a different MAC construction and key derivation, so the two do not interoperate directly. Both support MD5 and SHA-1 as hash functions (used for integrity checking) and encryption with RC4, RC2, IDEA, DES and 3DES (some of them in export-weakened 40-bit versions only!). For authentication purposes RSA/X.509v3 and Diffie-Hellman certificates can be used.
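To make the record protection described above concrete, the following Python is an added example (not code from the original text or from SSLeay) that implements the SSL 3.0 record MAC from RFC 6101 and the TLS 1.0 HMAC variant from RFC 2246, combined with RC4 in the MAC-then-encrypt order both protocols use, and then checks what a receiver does with an untouched, a tampered and a replayed record. The MAC secret, the 40-bit RC4 key and the HTTP fragment are constructed inline; a real implementation derives them from the handshake. RC4 and MAC-then-encrypt are long deprecated; the point is to show what the MAC and the sequence number actually protect.

```python
import hashlib
import hmac
import struct

APPLICATION_DATA = 23  # SSL/TLS record content type for application data


class RC4:
    """Stateful RC4 stream cipher (KSA + PRGA). SSL keeps one RC4 state per
    direction so the keystream continues from one record to the next."""

    def __init__(self, key: bytes):
        S = list(range(256))
        j = 0
        for i in range(256):
            j = (j + S[i] + key[i % len(key)]) & 0xFF
            S[i], S[j] = S[j], S[i]
        self.S, self.i, self.j = S, 0, 0

    def crypt(self, data: bytes) -> bytes:
        S, i, j = self.S, self.i, self.j
        out = bytearray()
        for b in data:
            i = (i + 1) & 0xFF
            j = (j + S[i]) & 0xFF
            S[i], S[j] = S[j], S[i]
            out.append(b ^ S[(S[i] + S[j]) & 0xFF])
        self.i, self.j = i, j
        return bytes(out)


def sslv3_mac(mac_secret, seq_num, content_type, fragment, hash_name="md5"):
    """SSL 3.0 record MAC (RFC 6101, 5.2.3.1): a nested hash with fixed
    0x36/0x5c pads (48 bytes for MD5, 40 for SHA-1), defined before HMAC."""
    pad_len = 48 if hash_name == "md5" else 40
    header = struct.pack(">QBH", seq_num, content_type, len(fragment))
    inner = hashlib.new(hash_name, mac_secret + b"\x36" * pad_len + header + fragment).digest()
    return hashlib.new(hash_name, mac_secret + b"\x5c" * pad_len + inner).digest()


def tls10_mac(mac_secret, seq_num, content_type, fragment, hash_name="md5"):
    """TLS 1.0 record MAC (RFC 2246, 6.2.3.1): a real HMAC, and the protocol
    version (3,1) is authenticated as well."""
    header = struct.pack(">QBHH", seq_num, content_type, 0x0301, len(fragment))
    return hmac.new(mac_secret, header + fragment, hash_name).digest()


def protect(cipher, mac_secret, seq_num, fragment, mac_fn=sslv3_mac):
    """Sender: MAC-then-encrypt, the order used by SSL 3.0 and TLS 1.0."""
    mac = mac_fn(mac_secret, seq_num, APPLICATION_DATA, fragment)
    return cipher.crypt(fragment + mac)


def unprotect(cipher, mac_secret, seq_num, record, mac_fn=sslv3_mac, mac_len=16):
    """Receiver: decrypt, then verify the MAC under the sequence number the
    receiver expects. Raises ValueError('bad_record_mac') on any mismatch."""
    plain = cipher.crypt(record)
    fragment, mac = plain[:-mac_len], plain[-mac_len:]
    expected = mac_fn(mac_secret, seq_num, APPLICATION_DATA, fragment)
    if not hmac.compare_digest(mac, expected):
        raise ValueError("bad_record_mac")
    return fragment


def demo(mac_fn=sslv3_mac):
    """Three scenarios with constructed keys: an untouched record, a record
    with one ciphertext bit flipped, and a record replayed under a later
    sequence number. Returns the receiver's verdict for each."""
    mac_secret = b"constructed-mac-write-secret"  # constructed, not from a handshake
    key = b"\x01\x02\x03\x04\x05"  # constructed 5-byte (40-bit, export-grade) RC4 key
    msg = b"GET / HTTP/1.0\r\n"

    def fresh():
        return RC4(key), RC4(key)  # independent sender and receiver states

    results = {}
    w, r = fresh()
    results["untouched"] = unprotect(r, mac_secret, 0, protect(w, mac_secret, 0, msg, mac_fn), mac_fn) == msg

    w, r = fresh()
    rec = bytearray(protect(w, mac_secret, 0, msg, mac_fn))
    rec[4] ^= 0x01  # stream cipher: one flipped ciphertext bit flips the same plaintext bit
    try:
        unprotect(r, mac_secret, 0, bytes(rec), mac_fn)
        results["tampered"] = "accepted"
    except ValueError as e:
        results["tampered"] = str(e)

    w, r = fresh()
    rec = protect(w, mac_secret, 0, msg, mac_fn)
    try:
        unprotect(r, mac_secret, 1, rec, mac_fn)  # receiver already expects seq 1
        results["replayed"] = "accepted"
    except ValueError as e:
        results["replayed"] = str(e)
    return results
```

The replay scenario uses a fresh receiver cipher state so that the decrypted fragment is intact and the rejection is caused by the sequence number alone; in a real connection the receiver's keystream would also have moved on. Either way the receiver answers with a bad_record_mac alert, which is exactly the check that makes tampering detectable; it is the certificate verification in the handshake, not this MAC, that keeps an attacker from simply negotiating his own keys with each side.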

A toolkit (SSLeay) exists and is available from FTP sites; with it one can build SSL proxies resident on either the client or the server host. A commercial export-weakened client then connects to its local proxy using weakened encryption, while the freeware proxies connect to each other over the Internet with full-strength encryption enabled. The weak hop must stay confined to the local machine or a trusted network, since that leg is only as strong as the client's export cipher.


(c) 1998, Filip Schepers