Securing Data at the Application Layer - PowerPoint PPT Presentation

About This Presentation
Title:

Securing Data at the Application Layer

Description:

Providing authenticity and integrity of transmitted data ... in high-security networks to prevent impersonation of clients and servers. ... – PowerPoint PPT presentation

Slides: 40
Provided by: higheredM

Transcript and Presenter's Notes


1
Securing Data at the Application Layer
  • Planning Authenticity and Integrity of
    Transmitted Data
  • Planning Encryption of Transmitted Data

2
Planning Authenticity and Integrity of
Transmitted Data
  • Providing authenticity and integrity of
    transmitted data
  • Planning Server Message Block (SMB) signing
  • Planning digital signing

3
Two Methods That Provide Authenticity and
Integrity of Transmitted Data at the Application
Layer
  • SMB signing
  • Secure/Multipurpose Internet Mail Extensions
    (S/MIME) and Pretty Good Privacy (PGP)

4
Planning SMB Signing
  • SMB signing is also known as Common Internet File
    System (CIFS).
  • SMB signing ensures the authenticity and
    integrity of packets transmitted between a client
    and a server.
  • Each packet is signed as it is transmitted and
    then verified at the recipient computer.
  • SMB signing is implemented in high-security
    networks to prevent impersonation of clients and
    servers.
  • SMB signing authenticates the user and the server
    hosting the data.
  • If authentication fails on either side, data
    transmission will not take place.

5
SMB Signing Process
6
Message Digest v5 (MD5) Algorithm
  • MD5 is used to create the key that is used to
    create the digest.
  • The MD5 algorithm breaks the data into 512-bit
    blocks and produces a 128-bit message digest for
    each 512-bit block of the data.
  • The key is computed from the session key
    established between the client and the server and
    the initial response sent by the client to the
    server's challenge.
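
A simplified Python model of the per-packet signing and verification described on slides 4 to 6, added here as an illustration and not taken from the presentation or from any vendor implementation. The packet layout, key lengths, sample values and function names are assumptions; the key material is the session key plus the client's challenge response, as the slide states.

```python
import hashlib
import hmac
import struct

SIG_LEN = 8  # size of the signature field in this model (assumption)


def mac_key(session_key: bytes, challenge_response: bytes) -> bytes:
    """Key material: session key plus the client's response to the server challenge."""
    return session_key + challenge_response


def sign_packet(key: bytes, seq: int, payload: bytes) -> bytes:
    """Return the payload with an 8-byte signature prepended.

    The signature field is first filled with the sequence number, MD5 is
    computed over key + packet, and the first 8 digest bytes replace the field.
    """
    placeholder = struct.pack("<I", seq) + b"\x00" * 4
    digest = hashlib.md5(key + placeholder + payload).digest()
    return digest[:SIG_LEN] + payload


def verify_packet(key: bytes, expected_seq: int, packet: bytes) -> bool:
    """Recompute the signature at the recipient and compare in constant time."""
    if len(packet) < SIG_LEN:
        return False
    received_sig, payload = packet[:SIG_LEN], packet[SIG_LEN:]
    expected = sign_packet(key, expected_seq, payload)[:SIG_LEN]
    return hmac.compare_digest(received_sig, expected)


def demo() -> dict:
    # Constructed sample values, not captured traffic.
    key = mac_key(b"S" * 16, b"R" * 24)
    packet = sign_packet(key, 0, b"READ \\\\HELIOS\\radar\\plan.doc")
    tampered = packet[:-1] + b"x"  # payload altered in transit
    forged = sign_packet(mac_key(b"X" * 16, b"R" * 24), 0, packet[SIG_LEN:])
    return {
        "genuine": verify_packet(key, 0, packet),
        "tampered": verify_packet(key, 0, tampered),
        "wrong_key": verify_packet(key, 0, forged),   # sender lacks the session key
        "replayed": verify_packet(key, 2, packet),    # old packet, new sequence number
    }


if __name__ == "__main__":
    print(demo())
```

Only the genuine packet verifies; a modified payload, a sender without the session key, and a packet replayed at a later sequence number are all rejected.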

7
When to Use SMB Signing
  • Use SMB signing in networks that implement both
    Microsoft Windows 2000-based clients and
    down-level Windows clients.
  • IPSec Authentication Headers (AH) are supported
    only in a pure Windows 2000 network.
  • SMB signing is supported by Windows 2000,
    Microsoft Windows NT 4.0 (Service Pack 3), and
    Microsoft Windows 98-based clients.
  • Windows 95-based clients do not support SMB
    signing.

8
Deployment of SMB Signing
9
SMB Signing Windows 2000-Based Clients
  • Workgroup environment
  • Deploy the security template file by using the
    Secedit command.
  • Copy the completed security template locally to
    each computer.
  • Create a batch file that calls the Secedit
    command, using the /configure option to apply the
    security template.

10
SMB Signing Windows 2000-Based Clients (Cont.)
  • Domain environment

11
SMB Signing Windows 2000-Based Clients (Cont.)
  • Choosing domain or workgroup settings depends on:
  • The role of the Windows 2000-based computer
  • The security requirements for SMB signing defined
    for the network

12
SMB Signing Windows NT 4.0-Based Clients
  • Windows NT 4.0 introduced support for SMB signing
    in Service Pack 3 (SP3).
  • Requires editing of the registry.
  • Create a custom template file and apply the
    settings with the System Policy Editor.
  • If Windows NT 4.0 is operating in a domain
    environment, apply the settings to a Ntconfig.pol
    configuration file.
  • Registry key for clients functioning as a server:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters
  • Registry key for clients functioning as a client:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rdr\Parameters

13
SMB Signing Windows 98-Based Clients
  • Windows 98 includes an updated version of the SMB
    protocol.
  • Requires editing of the registry.
  • Deploy these settings by e-mailing a .reg file
    containing the desired settings.
  • Registry key for clients:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VxD\Vnetsup

14
Making the Decision: Planning SMB Signing
Security
  • Require that all communications to a server use
    SMB signing.
  • Allow SMB signing to fall back to unsigned
    communications.
  • Deploy SMB signing configuration for Windows
    2000-based clients.
  • Deploy SMB signing configuration for Windows NT
    4.0-based clients.
  • Deploy SMB signing configuration for Windows
    98-based clients.
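
A Python check, added here as an example and not part of the presentation, that reads a registry export and reports for each key named on slides 12 and 13 whether signing is required or allowed to fall back to unsigned communications. The value names EnableSecuritySignature and RequireSecuritySignature are the standard SMB signing values and do not appear on the slides; the sample export and function names are constructed.

```python
import re

# Key paths are the ones named on the slides. The two value names are the
# standard SMB signing registry values; they are not listed on the page.
BASE = "hkey_local_machine\\system\\currentcontrolset\\services\\"
SMB_KEYS = {
    BASE + "lanmanserver\\parameters": "NT 4.0 server role",
    BASE + "rdr\\parameters": "NT 4.0 client role",
    BASE + "vxd\\vnetsup": "Windows 98 client",
}
SIGNING_VALUES = {"enablesecuritysignature", "requiresecuritysignature"}
DWORD = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{1,8})$')


def parse_reg(text):
    """Map each lower-cased key path to its {value name: int} DWORD values."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and (m := DWORD.match(line)):
            current[m.group(1).lower()] = int(m.group(2), 16)
    return keys


def classify(values):
    """Return the signing posture implied by one key's values."""
    if values.get("requiresecuritysignature") == 1:
        return "required"            # unsigned sessions are refused
    if values.get("enablesecuritysignature") == 1:
        return "fallback-allowed"    # signs when the peer can, else unsigned
    return "disabled" if SIGNING_VALUES & values.keys() else "not set"


def audit(text):
    """Report the posture for every key the slides name."""
    parsed = parse_reg(text)
    return {role: classify(parsed.get(path, {})) for path, role in SMB_KEYS.items()}


# Constructed sample export, not taken from a real host.
SAMPLE = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters]
"EnableSecuritySignature"=dword:00000001
"RequireSecuritySignature"=dword:00000001

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rdr\Parameters]
"EnableSecuritySignature"=dword:00000001
"RequireSecuritySignature"=dword:00000000
"""
```

Calling `audit(SAMPLE)` reports the server role as required, the client role as fallback-allowed, and the Windows 98 key as not set, which is the gap to close before requiring signing on a server those clients use.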

15
Applying the Decision: Planning SMB Signing
Security for Fabrikam Inc.
  • Implement SMB signing for the Radar System
    project, using different methods depending on the
    computer's OS.
  • The HELIOS server
  • Windows 2000 clients
  • Windows NT 4.0 clients
  • Windows 98 clients
  • SMB signing is not required for the Sonar System
    project.

16
Applying the Decision: Proposed OU Structure for
Windows 2000-Based Clients for Fabrikam Inc.
17
Planning Digital Signing
  • Digital signatures ensure the authenticity and
    integrity of e-mail messages between clients.
  • Public Key Infrastructure (PKI) is required to
    deploy the necessary public/private key pairs to
    participating clients.
  • Digital signatures function by applying a digest
    function to the contents of the message to create
    a message digest.
  • If the contents of the message are modified, the
    message digest output will also change.

18
Digital Signature Process
19
Determining Protocol Choices for Digital Signing
  • Two protocols provide digital signatures for
    e-mail applications:
  • S/MIME
  • PGP
  • Determine which protocol to use based on the
    e-mail application deployed.

20
Deploying Public Keys
  • Ensure the availability of public keys when
    implementing digital signatures.
  • Without a public key, the digest encrypted with
    the sender's private key cannot be decrypted to
    verify message integrity.
  • The digital certificate must be issued by a
    Certificate Authority (CA) that the recipient
    trusts.
  • The Certificate Revocation List (CRL) must be
    accessible to any recipients so the revocation
    status of the digital certificate can be
    verified.
  • If the CRL cannot be accessed, the certificate is
    assumed to be revoked.

21
Ensuring the Availability of Public Keys
  • Configure e-mail clients to include their
    certificate with all signed messages.
  • Implement the Key Management Service (KMS) in
    Microsoft Exchange Server 5.5 or Microsoft
    Exchange 2000 Server.

22
Making the Decision: Digital Signature Design
  • Choose which protocol to use for digitally
    signing e-mail messages within the
    organization.
  • Ensure that important messages are digitally
    signed.
  • Ensure that digital signatures are validated.
  • Limit which users can use digital signatures.

23
Applying the Decision: Digital Signature Design
for Fabrikam Inc.
  • Provide the ability to digitally sign messages.
  • Defense Department price quotes
  • The Radar System project
  • The Sonar System project
  • Determine which users need to acquire
    certificates for digitally signed e-mail.
  • Determine whether the partners of the Defense
    Department and A. Datum Corporation use PGP or
    S/MIME for their e-mail packages.

24
Planning Encryption of Transmitted Data
  • Planning secure e-mail encryption
  • Planning application-level encryption with Secure
    Sockets Layer/Transport Layer Security (SSL/TLS)

25
Planning Secure E-Mail Encryption
  • Contents of e-mail messages are vulnerable to
    inspection.
  • Digital signing does not prevent someone from
    inspecting e-mail messages during transmission
    across the network.
  • Simple Mail Transfer Protocol (SMTP) is the
    default protocol used for sending e-mail
    messages.
  • SMTP does not include any extensions for the
    encryption of e-mail.

26
E-Mail Encryption Process
27
Encryption Levels for E-Mail
  • Algorithms supported in Microsoft Outlook 2000
  • Rivest's Cipher v2 (RC2)
  • Data Encryption Standard (DES)
  • Triple DES (3DES)
  • Encryption import and export laws
  • RC2 (128 bit) and 3DES require the Windows 2000
    High Encryption Pack to be installed.
  • The Windows 2000 High Encryption Pack is subject
    to import and export laws.
  • The United States allows the export of the high
    encryption to nonembargoed nations.

28
Protocol Choices for E-Mail Encryption
  • Choose between S/MIME and PGP for the encryption
    protocol.
  • Encryption protocols for e-mail cannot be mixed.

29
Making the Decision: Deploying E-Mail Encryption
  • Determine all approved e-mail applications that
    are in use.
  • Determine who can use secure e-mail.
  • Determine where the private/public keys will be
    acquired.
  • Establish guidelines for the distribution of
    public keys to recipients outside the
    organization.
  • Establish an external public point for CRLs if
    using an internal CA.
  • Train users on when to encrypt messages.

30
Applying the Decision: Deploying E-Mail
Encryption for Fabrikam Inc.
  • Require encryption of e-mail sent to the Defense
    Department and between project members on the
    Sonar System project.
  • The same infrastructure that is required for
    digitally signing e-mail messages works for
    encrypting e-mail messages.
  • It is recommended that Mail certificates be
    acquired from a public CA, or ensure that the CAs
    have their CRLs available on the Internet.
  • The users in the two projects should be trained
    on how to encrypt messages when the messages are
    sent to recipients in other companies.
  • The process may require that a digitally signed
    message is first sent between the two users who
    require encrypted mail.
  • The public key of the recipient is used to
    encrypt messages sent to that recipient.

31
Application-Level Encryption with SSL/TLS
32
Secure Sockets Layer (SSL)
  • SSL provides encryption services by using public
    and private keys to encrypt data transmitted
    between a server and a client.
  • SSL is commonly associated with Web browsers.
  • The application must be programmed to support
    SSL.
  • SSL is implemented between the TCP and
    application layer.
  • SSL-enabled applications listen for client
    connections on a different port than the usual
    port.

33
SSL Provides Encryption Services to Other
Protocols
  • Lightweight Directory Access Protocol (LDAP)
  • Network News Transfer Protocol (NNTP)
  • Post Office Protocol v3 (POP3)
  • Internet Message Access Protocol v4 (IMAP4)

34
Transport Layer Security (TLS)
  • Similar to SSL in that TLS provides
    communications privacy, authentication, and
    message integrity by using a combination of
    public key and symmetric encryption
  • Uses different encryption algorithms than SSL
  • Is an IETF draft standard
  • Used by Windows 2000 to encrypt smart card
    authentication information transmitted when using
    Extended Authentication Protocol (EAP)
  • Supports the option of reverting to SSL support
    if needed
  • May replace SSL in the future

35
Deploying SSL and TLS
  • The server hosting the application that uses SSL
    or TLS must acquire a private/public key pair for
    encrypting the data.
  • The benefit of using application-level security
    is that the encryption requires no additional
    work by the user.
  • The only noticeable change is https in the URL
    rather than http.

36
Encryption Process for Web-Based Applications
37
Making the Decision: Designing Application-Level
Encryption Using SSL and TLS
  • Enable secure Web communications.
  • Enable secure Web communications for a public Web
    site.
  • Enable secure communications for a private Web
    site.
  • Secure authentication to a Web site and support
    any browser.
  • Define the level of encryption to use for a Web
    site.
  • Enable strong encryption at a Windows 2000 Web
    server.
  • Enable strong encryption at a Windows client.
  • Minimize reduction in performance due to
    encryption of transmitted data.

38
Applying the Decision: Designing
Application-Level Encryption for Fabrikam Inc.
  • Ensure that information entered into or
    downloaded from Web pages stored on the three
    separate Web sites is not compromised during
    transmission.
  • Defense Department bidding Web site
  • Sonar project time sheet Web site
  • The Sonar System project server

39
Chapter Summary
  • Providing authenticity and integrity of
    transmitted data
  • Planning SMB signing
  • Planning digital signing
  • Planning secure e-mail encryption
  • Planning application-level encryption with
    SSL/TLS