SSH, SSL, HTTPS, IPSec OSI model layer

SSH is an OSI model application-layer protocol that uses cryptography to allow remote login and other network services to operate securely over an unsecured network. SSL runs inside TCP and encrypts the data inside the TCP packets. IPsec replaces IP with an encrypted version of the IP layer.

An example Linux command-line program that implements the SSH protocol is ssh; an example Linux command-line program that implements the TLS/SSL protocol is openssl. The IPsec protocol is usually implemented in the kernel and exposed to programs as an API library; there is no famous Linux command-line program implementing the IPsec protocol.

In practice, SSL and SSH are typically used for different purposes: SSH is most often used for remote log-in, SSL for encrypted web access. On the other hand, IPsec is predominately used in VPNs. When used in application-level security or routing security, IPsec is not a complete solution and must be coupled with other security measures to be effective, hindering its deployment in these domains.

SSL and SSH are two protocols with very similar functionality: they both provide the cryptographic elements to build a tunnel for confidential data transport with checked integrity. They differ in what surrounds the tunnel. SSL traditionally uses X.509 certificates for announcing server and client public keys; SSH has its own format. Also, SSH comes with a set of application-layer features for what goes inside the tunnel, such as multiplexing several transfers, performing password-based authentication within the tunnel, and terminal management, while there is no such thing in SSL.

Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), both of which are frequently referred to as 'SSL', are cryptographic protocols that provide communications security over a computer network. SSL is a layer that fits in between HTTP and TCP. A normal TCP connection is made and then a key exchange is negotiated within that layer. After the key exchange, all traffic inside the TCP layer is encrypted so that only the intended recipient can decrypt it. SSL also encompasses a system of trust that allows you to verify that the party you are communicating with is who they claim to be, in the form of SSL certificates that are signed by one of several central authorities. Although SSL can be used to secure any protocol that runs above TCP, the most common application of it is in HTTPS.

The S in HTTPS stands for "secure." HTTPS uses SSL to encrypt HTTP requests and responses. Before a normal HTTP request and response are carried by the TCP layer, SSL encrypts their content, using the secret established by the SSL handshake. The server side has a private and public key pair. Only the server knows its private key, and the public key is given to the world. The client uses the server's public key to establish trust: the server's key is signed by a reputable certificate authority (CA), and the client knows the CA and therefore trusts the server. The client then generates a secret (called the session key), encrypts it with the server's public key and sends it to the server. Since only the server has the private key, only the server is able to decrypt the secret the client generated. Now both server and client know a secret that only they share, so they can use that secret to encrypt the normal HTTP traffic. The normal HTTP traffic carried by TCP is therefore in encrypted form, which only the server/client pair is able to decrypt with their shared secret. Anyone who intercepts the communication sees only a random string of characters, not the plaintext HTTP request and response. This is an overview of the SSL handshake. The SSL handshake is a protocol in which the server and client agree upon the key exchange algorithm and the encryption algorithm.


[Figure: SSL handshake]
[Figure: SSH handshake]

HTTPS = HTTP + SSL


SFTP, for another example, uses a similar SSL handshake to establish a shared session key between the server/client pair, so that the FTP protocol carried by TCP is in encrypted form.

IPsec is a layer that fits in between TCP and the physical layer. It enhances the IP layer by adding encryption to the data inside it, including the TCP layer if that is what is being sent in the IP packets. IPsec also allows for authentication of both communicating parties and provides methods for secure key exchange. IPsec support is a mandatory part of IPv6.


Compared to TLS/SSL and SSH, which operate in the upper layers (between the application layer and the transport layer), only IPsec protects all application traffic over an IP network. Applications can be automatically secured by IPsec at the IP layer.
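
To make the layering concrete, here is an added Python example (not code from the original post) that classifies a raw IPv4 packet: IPsec is recognised from the IP header's protocol field alone, while SSH and TLS can only be recognised from bytes inside the TCP payload. The packet builders, addresses and sample packets are constructed for the example, and ESP carried in UDP for NAT traversal is not handled.

```python
import struct

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")

def ipv4(proto: int, payload: bytes) -> bytes:
    # Constructed 20-byte header: checksum left at 0, documentation addresses (192.0.2.0/24)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])) + payload

def tcp(dport: int, payload: bytes) -> bytes:
    # Constructed 20-byte header: data offset 5 words, flags PSH|ACK, checksum left at 0
    return struct.pack("!HHIIBBHHH", 40000, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload

def classify(packet: bytes) -> str:
    """Say which protocol from the article protects this IPv4 packet, and at which layer."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "not IPv4"
    ihl, proto = (packet[0] & 0x0F) * 4, packet[9]
    if proto == 50:
        # ESP: the transport header and everything above it sit inside the protected payload
        return "IPsec ESP (IP layer, TCP header not visible)"
    if proto == 51:
        return "IPsec AH (IP layer, authentication only)"
    if proto != 6:
        return "other IP protocol"
    seg = packet[ihl:]
    if len(seg) < 20:
        return "truncated TCP"
    payload = seg[(seg[12] >> 4) * 4:]
    if payload.startswith(b"SSH-"):
        return "SSH (identification string inside TCP)"
    # TLS record header: content type 20..23, then major version 3
    if len(payload) >= 5 and 20 <= payload[0] <= 23 and payload[1] == 3:
        return "TLS/SSL (record inside TCP)"
    if payload.startswith(HTTP_METHODS):
        return "plaintext HTTP inside TCP"
    return "TCP, unrecognised payload"

# Constructed sample packets; the TLS record and ESP body are truncated placeholders
SAMPLES = {
    "ssh": ipv4(6, tcp(22, b"SSH-2.0-ExampleClient\r\n")),
    "tls": ipv4(6, tcp(443, b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00")),
    "http": ipv4(6, tcp(80, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n")),
    "esp": ipv4(50, struct.pack("!II", 0x1001, 1) + bytes(16)),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:5} -> {classify(pkt)}")
```

For the SSH and TLS samples the IP and TCP headers, including the port numbers, remain readable to anyone on the path; for the ESP sample nothing above the IP header is.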


