Over the recent past, the technological boom has resulted in a drastic change in the way business is conducted. Concern over information integrity and confidentiality has intensified as malicious users have sought to steal valuable and personal information through online means. This report discusses the security technologies used to ensure that access to bank accounts online through a web browser is safe and secure.
When a user types a URL into a browser, the DNS (Domain Name System) looks up its IP address. In this case the IP address is that of the server the browser is requesting access to. DNS can thus be described as a database containing a list of URLs and their corresponding IP addresses [1].
DNS information is cached at different levels by different devices and applications to speed up the process of looking up the IP addresses that correspond to URLs. The browser first queries its own cache of previously visited websites, although the information stored there is only available for a fixed duration. If the DNS record is not in the browser cache, the operating system cache is queried, since the OS also maintains a cache of DNS records. If the DNS record is not in the OS cache, the router cache is queried. If the DNS record is not in any of the local caches, the browser queries its recursive DNS server (the ISP cache).
The information required might still not be available in the ISP cache. The query then moves on to the root DNS servers, which provide access to the next layer of DNS servers. The root name servers direct the browser's request to the top-level domain servers.
Domain names (for example those ending in .com or .gov) have their own servers. The root name server directs the browser query to the corresponding domain name server, which finds the matching IP address of the URL the user keyed in [1]. If found, it is returned to the DNS recursor and then back to the browser. The browser only initiates a connection when it receives the correct IP address of the server; otherwise it displays an error message.
After receiving its IP address, the browser initiates a connection with the server using internet protocols. A TCP/IP three-way handshake is initiated, and a connection is only established once the browser and the server have exchanged synchronize and acknowledge packets [1].
The browser sends a synchronize (SYN) packet to the server, asking whether it is open for a new connection. The server responds, acknowledging that it has open ports. On receiving this packet, the browser replies with its own acknowledge (ACK) packet and the TCP connection is established. If any of these steps fails, the browser displays an error message, since it might not be in communication with the right server.
Digital signatures ensure that the integrity of the data in transmission is not compromised [2]. Since only the sender knows the private key, they also prove the origin of the message [3]. Thus, if the digital signature is verified, the receiver knows not only that the message is authentic and was not modified during transmission, but also that it originated from the source that claims to have sent it [2].
The server can ensure that it is communicating with the right account owner using cookie session management. When a user enters their user ID and password on a web page, the browser sends these credentials to the server. The server receives the request and extracts the user ID and password from the data packet sent. It then checks the password against the one stored for that user ID in its database. Where the server stores a hashed password, it compares the hashed value of the password.
If the passwords match, the server creates a token so that the client does not have to send the user ID and password again with every request. The token is stored against the user's credentials in the server's database and sent to the client in a Set-Cookie response header, together with the HTML document the user requested. If the passwords do not match, the server sends an error message back to the browser.
The user is now logged in and can access different services in the account. The browser sends the token with each request in the Cookie request header. The server receives these requests and extracts the access token from each cookie. It then matches that token to the user credentials, keeping the user logged in and providing user-specific information as requested. If the token does not match, the server redirects the user back to the login page.
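The login and cookie flow described above can be traced in a short sketch. This is an added example, not part of the original report; the account, the `session` cookie name, the PBKDF2 parameters and the cookie attributes are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie

SALT = b"constructed-salt"                    # constructed value for the demo

def hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)

# Constructed sample account: the server keeps the hash, never the password.
USERS = {"alice": hash_password("correct horse")}   # user ID -> password hash
SESSIONS = {}                                       # token -> user ID

def login(user_id: str, password: str):
    """Return (status, headers); on success the token travels in Set-Cookie."""
    stored = USERS.get(user_id)
    # Compare hash values in constant time; unknown users fail the same way.
    if stored is None or not hmac.compare_digest(stored, hash_password(password)):
        return 401, {}
    token = secrets.token_urlsafe(32)         # unguessable, carries no user data
    SESSIONS[token] = user_id                 # token stored against the user
    cookie = SimpleCookie()
    cookie["session"] = token
    cookie["session"]["httponly"] = True      # not readable from page scripts
    cookie["session"]["secure"] = True        # only sent over HTTPS
    cookie["session"]["samesite"] = "Strict"  # not attached to cross-site requests
    return 200, {"Set-Cookie": cookie["session"].OutputString()}

def read_token(headers: dict) -> str:
    cookie = SimpleCookie(headers.get("Cookie", ""))
    return cookie["session"].value if "session" in cookie else ""

def handle_request(headers: dict):
    """Map the Cookie request header to a user, or redirect to the login page."""
    user_id = SESSIONS.get(read_token(headers))
    if user_id is None:
        return 302, "/login"
    return 200, user_id

def logout(headers: dict) -> None:
    """Delete the server-side record so the token stops working immediately."""
    SESSIONS.pop(read_token(headers), None)
```

Because the token is only a random lookup key, deleting its server-side record logs the user out even if a copy of the cookie still exists.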
One time passwords
Here, when a user enters a username and password, the server and the browser generate a one-time password with a shared secret. These applications rely on two-factor authentication, where the one-time password is computed using the shared secret and either the current time or a counter.
Signatures
When a user signs in, an API, using a private key, creates a hash for the request. The API and the server that the request is made to need to have the same key. This signature is then added in the query string or a header, along with a date.
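A sketch of the signed-request scheme just described, given as an added example rather than code from the original report. HMAC-SHA256, the canonical string layout, the parameter names `date` and `signature`, and the sample key and URL are all assumptions.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode, urlsplit

SHARED_KEY = b"constructed-demo-key"   # held by both the API client and the server

def _canonical(method: str, path: str, params: dict, date: str) -> bytes:
    # Sort the parameters so both sides hash byte-identical input.
    query = urlencode(sorted(params.items()))
    return "\n".join([method.upper(), path, query, date]).encode()

def sign_request(method: str, path: str, params: dict, date: str,
                 key: bytes = SHARED_KEY) -> str:
    """Client side: return the URL with the date and signature in the query string."""
    sig = hmac.new(key, _canonical(method, path, params, date),
                   hashlib.sha256).hexdigest()
    return f"{path}?{urlencode({**params, 'date': date, 'signature': sig})}"

def verify_request(method: str, url: str, key: bytes = SHARED_KEY) -> bool:
    """Server side: recompute the hash over what arrived and compare."""
    parts = urlsplit(url)
    params = dict(parse_qsl(parts.query))
    sig = params.pop("signature", "")
    date = params.pop("date", "")
    expected = hmac.new(key, _canonical(method, parts.path, params, date),
                        hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected.encode(), sig.encode())
```

Since the date is part of the signed input, it cannot be altered without invalidating the signature, which is what allows the server to trust it when deciding whether a request is too old.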
HTTP Basic authentication
This is a method where the client provides a username and password. They are not encrypted, making it the easiest way to exercise some access control. The username and password are sent in a header with every request. The lack of encryption exposes them to attackers. There is also no way to log the user out, nor do the credentials expire other than when the user changes the password.
Open your browser, visit your online banking website and verify:
the website uses a security certificate issued by Verizon Public SureServer CA G14-SHA2
The SSL certificate contains the name of the issuer (Verizon Public SureServer CA G14-SHA2), the name to which the certificate is issued (online.standardchartered.com) and the period for which the certificate is valid.
Root certificates verify that the software or website owner is indeed who they represent themselves to be. This is important in this day and age, since the number of people with malicious intent online is on the rise. Root certificates are issued by a certificate authority, putting them on the front lines of security on the internet.
Figures 5 and 6 show that the root certificates installed on my computer are issued by a couple of companies, including Baltimore CyberTrust Root, Centum CA, GlobalSign, Microsoft Root Authority, Microsoft Root Certificate Authority, Microsoft Root Certificate Authority 2010, Microsoft Root Certificate Authority 2011, SecureTrust CA and VeriSign Class 3 Public Primary Certification, among others.
Network connections secured by SSL/TLS, e.g. HTTPS, FTPS and SMTP, use cipher suites [4]. During an SSL handshake, the server and the browser (client) agree on a set of algorithms to secure the connection. The browser sends packets to the server with information about the cipher suites it supports. On receiving this information, the server compares them with the cipher suites it supports (those enabled on its side). If a match is found, it sends that information to the client and the chosen cipher suite is used.
During the SSL handshake, the client sends a "Client Hello" message to the server [1]. This message contains the cipher suites it supports. The server in turn sends a "Server Hello" message containing the cipher suite that the server and client will use. It also sends a certificate, which holds its public key. Depending on the cipher suite selected by the server, the client creates a symmetric key and encrypts it with the server's public key before sending it to the server. With its private key, the server decrypts the message and obtains the symmetric key. Both the server and the client now hold a symmetric key, which is then used for all communication [5].
Replay attacks are a form of man-in-the-middle attack where an intruder captures packets moving across a network and forwards them as if they originated from him/her. Where the data packets are used to authenticate and gain access, the intruder can get access to resources and data they should not have.
Windows uses the Kerberos authentication protocol. The Kerberos authenticator is contained in the Kerberos protocol exchanges and holds authentication information, including the ticket lifetime and the client's timestamp. The Kerberos logic works by checking the authenticator's timestamp. If it is earlier than or the same as that of the previous authenticator, the Kerberos logic on the server rejects the packet. Similarly, it rejects the message if the timestamp on the authenticator is not within 5 minutes of the local time on the server. This duration can be altered within Windows to a preferred value.
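The two timestamp checks described above can be modelled in a few lines. This is an added example that follows the report's description and is not Windows or Kerberos source code; the class name, the per-client table and the event list are constructed for illustration.

```python
MAX_SKEW = 5 * 60   # seconds: the 5-minute tolerance described above

class ReplayGuard:
    """Model of the server-side authenticator timestamp checks."""

    def __init__(self, max_skew: int = MAX_SKEW):
        self.max_skew = max_skew
        self.last_seen = {}   # client -> timestamp of the last accepted authenticator

    def check(self, client: str, auth_time: float, server_time: float) -> str:
        # Check 1: the authenticator must be close to the server's own clock.
        if abs(server_time - auth_time) > self.max_skew:
            return "reject: outside clock skew"
        # Check 2: it must be strictly newer than the last one accepted.
        previous = self.last_seen.get(client)
        if previous is not None and auth_time <= previous:
            return "reject: replayed or stale authenticator"
        self.last_seen[client] = auth_time
        return "accept"

def run_sample() -> list:
    """Constructed sequence of (client, authenticator timestamp, server clock)."""
    guard = ReplayGuard()
    events = [
        ("alice", 1000.0, 1002.0),   # fresh request
        ("alice", 1000.0, 1003.0),   # the same packet captured and sent again
        ("alice", 1010.0, 1011.0),   # next genuine request
        ("alice", 1005.0, 1012.0),   # older than the last accepted one
        ("bob",   1000.0, 1400.0),   # 400 s old: beyond the 5-minute window
        ("bob",   1100.0, 1400.0),   # exactly 300 s old: still inside it
    ]
    return [guard.check(*event) for event in events]
```

The skew window bounds how long a captured packet stays usable, while the per-client comparison rejects a copy replayed inside that window.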
The changing business environment, coupled with technological advancement, has seen more and more business conducted online. This has opened businesses up to threats that were not a problem for them before. This report touches on a minor area within the online security realm. A lot more needs to be done to secure communication protocols and channels against malicious attacks.
[1] M. Wijesinghe. (2017, April). What happens when you type an URL in the browser and press enter? [Blog]. Available: https://medium.com/@maneesha.wijesinghe1/what-happens-when-you-type-an-url-in-the-browser-and-press-enter-bb0aa2449c1a
[2] IBM Knowledge Center. (2018, Aug.). Digital signatures in SSL and TLS [Online]. Available: https://www.ibm.com/support/knowledgecenter/en/SSFKSJ_7.1.0/com.ibm.mq.doc/sy10520_.htm
[3] IBM Knowledge Center. (2018, Aug.). How SSL and TLS provide identification, authentication, confidentiality, and integrity [Online]. Available: https://www.ibm.com/support/knowledgecenter/en/SSFKSJ_7.5.0/com.ibm.mq.sec.doc/q009940_.htm
[4] IBM Knowledge Center. (2018, Aug.). An overview of the SSL or TLS handshake [Online]. Available: https://www.ibm.com/support/knowledgecenter/en/SSFKSJ_7.1.0/com.ibm.mq.doc/sy10660_.htm
[5] J. C. Villanueva. (2018, May). Managed File Transfer and Network Solutions [Blog]. Available: https://www.jscape.com/blog/cipher-suites
My Assignment Help. (2021). Virtual Private Networks. Retrieved from https://myassignmenthelp.com/free-samples/bn305-virtual-private-network/digital-structures.html.