Nowadays, government institutions, companies and individuals rely increasingly on computer networks, systems, and other connected devices to store, communicate, and exchange information. The storage and communication tools, mostly computer or smartphone applications, are built on top of this web of interconnected devices. This background constitutes the complexity of security challenges in cyberspace. Legacy systems and hardware can have exploitable penetration points for malicious attackers. The interconnectedness of computer systems and applications makes it urgent that cybersecurity professionals learn and evaluate their threats beyond one single dimension. Many information technology professionals might start their career in a particular specialist field such as software development, cryptography, or database management. As their career progresses, the challenges that they have to confront will undoubtedly expand and diversify. In this context, the certified information systems security professional (CISSP) offers the authoritative interdisciplinary training for the information technology workforce. It educates security officers to think outside the box and acquire further competencies to enhance the management of cybersecurity for their institution. Communication and network security is one of the eight training domains in the CISSP certification.
The scope of communication and network technology expands rapidly. Online payment, virtual conferencing, and remote working are some of the notable examples that demand stable, secure, and trustworthy communication channels. Disrupted Internet connection and network eavesdropping are common cyberattacks that can generate considerable damage for both institutions and individuals. The former might lose trade secrets like intellectual property (IP) to their competitors; the latter might have their bank and social network accounts compromised. The communication tools and software developed atop insecure communication and network mechanisms can be worrisome not only for the developer, but also for users. Hence, it is important to understand the ways that information and data are transmitted and communicated through computer networks. The communications and network security domain of the CISSP covers the fundamentals of security concerns in the network channels. Secure communication can be approached via two underlying mechanisms in computer communications: the secure communication protocols and the authentication protocols. Candidates preparing for the CISSP can approach the subject from these two essential directions.
An Overview of Secure Communication Protocols
There are hundreds of communication protocols that define rules for different machines exchanging information. These rules cover the syntax, semantics, and error detection of the data packets. They ensure the successful transmission of data between multiple entities (computers, servers, networks). The parties involved in the communication process have to agree with each other so that the message can pass from one entity to another. The different hardware, software, and other devices used in this communication chain make coordinating issues ranging from interoperability and multi-vendor support to logical addressing a complex task. The open systems interconnection (OSI) model was initially developed to break down the problems and assign the duties to seven different layers in network communication (physical, data link, network, transport, session, presentation, and application). The OSI model paved the way for the creation of the four-layered transmission control protocol and Internet protocol (TCP/IP) model (network access, Internet, transport, and application). The TCP/IP model is the foundation of practical and workable protocols for computers and networks to interact.
The TCP/IP model is the industry standard today, with over 30 years of history. All operating systems support and operate with TCP/IP protocols nowadays. The TCP/IP protocol combination is therefore known as “the language of the Internet.” As the user population of the Internet grows, the need for secure communication rises greatly. Government institutions and companies increasingly adopt online communication systems to facilitate activities such as payment, identification, and application, to name a few. Secure communication protocols between two computers are thus indispensable for safeguarding computer networks during these digital activities. The following protocols are several key examples developed for secure communication on the transport layer of both the OSI and the TCP/IP models:
Secure Sockets Layer (SSL)
Nowadays, computer servers and networks are required to handle more and more complex online activities. Data in transit is exposed to attacks such as wiretapping and spoofing. If a user sends sensitive information such as a credit card number and the connection between sender and receiver is intercepted, the attacker can capture this information and use it. One effective method of protecting the data delivery process is encryption. SSL is a popular encryption solution that provides session and live-connection security between two or more parties. It has three objectives: privacy protection, identity authentication, and reliability. To achieve them, SSL adopts a hybrid encryption methodology (symmetric and asymmetric) to secure the communication between two computers, based on the RSA, Diffie-Hellman, or Fortezza/DMS cryptographic approach. First, the web browser sends an identification request to the web server using asymmetric encryption. The web server replies with a digital certificate issued by a certificate authority (CA). During this process, both sides exchange several messages to negotiate the key exchange. Once the web browser has verified the identity of the web server via the CA certificate, the two establish a symmetrically encrypted connection to exchange information. HTTPS (HTTP over SSL) is an application example of SSL. The address bar of the web browser provides hints, such as a lock icon or green bar, to inform users about the status of the secure connection. A protocol similar to SSL is the Simple Key-Management for Internet Protocol (SKIP). The difference between SKIP and SSL is that the former uses an established static secret table to compute the keys and set up the secure connection directly, while the latter requires prior communication to generate the key. SKIP was developed by Sun Microsystems in 1995.
Transport Layer Security (TLS)
TLS always goes hand in hand with SSL in the form of SSL/TLS. In fact, TLS is the successor of SSL. The framework of TLS remains substantially the same as SSL, but with several key differences. First, TLS operates on the application layer of the OSI model and the transport layer of the TCP/IP model. Second, the final version of SSL is SSL v3.0, and the following upgrade was renamed TLS v1.0. It is important to bear these two points in mind when debugging and troubleshooting encryption problems related to TLS. In addition, TLS adopts the keyed-hash message authentication code (HMAC) standard to generate keys and authenticate messages. The Fortezza encryption used in SSL is no longer supported in TLS. TLS also defines more alert messages than SSL: TLS has 23 alert descriptions while SSL has 12. Most importantly, TLS introduces the TLS handshake protocol, which permits the client and server to authenticate each other before exchanging any data.
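The HMAC-based key generation described above, and the hybrid scheme from the SSL section (an asymmetric exchange yields a shared secret, from which the symmetric session keys are derived), can be seen in the TLS 1.2 PRF of RFC 5246. The following is an added example written for this article, not code from the original page; it uses only the Python standard library, assumes SHA-256 as the PRF hash, and stands in constructed random values for the pre-master secret and the client/server randoms that the real handshake would produce.

```python
import hashlib
import hmac
import os

def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA256 from RFC 5246 section 5: an HMAC chain expanded to `length` bytes."""
    out, a = b"", seed                                              # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()            # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()  # HMAC(secret, A(i) + seed)
    return out[:length]

def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF: P_hash keyed with the secret over label || seed."""
    return p_sha256(secret, label + seed, length)

def derive_session_keys(pre_master: bytes, client_random: bytes, server_random: bytes,
                        mac_len: int = 32, key_len: int = 16) -> dict:
    """Both endpoints run this with the same inputs and obtain identical symmetric keys."""
    # master secret is 48 bytes; its seed is client_random || server_random
    master = prf(pre_master, b"master secret", client_random + server_random, 48)
    # key block: note the seed order is reversed (server_random || client_random)
    block = prf(master, b"key expansion", server_random + client_random, 2 * mac_len + 2 * key_len)
    return {
        "master": master,
        "client_mac_key": block[:mac_len],
        "server_mac_key": block[mac_len:2 * mac_len],
        "client_enc_key": block[2 * mac_len:2 * mac_len + key_len],
        "server_enc_key": block[2 * mac_len + key_len:],
    }

def record_mac(mac_key: bytes, seq_num: int, payload: bytes) -> bytes:
    """Simplified record-layer MAC: HMAC over the 64-bit sequence number and the payload
    (the real TLS 1.2 MAC also covers the type, version and length fields)."""
    return hmac.new(mac_key, seq_num.to_bytes(8, "big") + payload, hashlib.sha256).digest()

def verify_record_mac(mac_key: bytes, seq_num: int, payload: bytes, tag: bytes) -> bool:
    """Constant-time comparison, so the check itself leaks nothing about the tag."""
    return hmac.compare_digest(record_mac(mac_key, seq_num, payload), tag)

if __name__ == "__main__":
    # Constructed sample values standing in for the handshake outputs.
    pre_master = os.urandom(48)            # would come from the RSA or Diffie-Hellman exchange
    cr, sr = os.urandom(32), os.urandom(32)
    client_keys = derive_session_keys(pre_master, cr, sr)
    server_keys = derive_session_keys(pre_master, cr, sr)
    print("keys match:", client_keys == server_keys)
    tag = record_mac(client_keys["client_mac_key"], 0, b"GET / HTTP/1.1")
    print("server verifies client record:",
          verify_record_mac(server_keys["client_mac_key"], 0, b"GET / HTTP/1.1", tag))
```

The sequence number inside the MAC is what lets the receiver reject a replayed or reordered record even though the payload and key are unchanged.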
swIPe IP Security Protocol (swIPe)
swIPe is an experimental Internet protocol security (IPsec) scheme proposed in 1993. It was developed to provide end-to-end data communication security. It encapsulates each IP datagram in a swIPe packet (IP protocol number 53) to strengthen the cryptographic protection. The objectives of swIPe were to ensure authentication, integrity, and confidentiality of IP datagrams on the network layer. It was not designed to manage keys or the other policies that arise during the communication process. Another protocol with the same datagram-encryption purpose is the Encapsulating Security Payload (ESP).
Secure Remote Procedure Call (S-RPC)
S-RPC is a secure client-server protocol operating on the application layer of the OSI and TCP/IP models. Many computer applications operate interactively on the basis of requests and responses between a client and a server on the network. For example, the program on the client side requests a service, data, or other resources from the program on the server side. The server then answers the client's request, and a synchronous interaction is established between the two parties. This interactive operation is the remote procedure call (RPC). The client-server operation is suspended once the call's runtime is over. In an RPC implementation scenario, effectively authenticating the client is more important than encrypting the data traffic. Hence, the principle of S-RPC is to issue public and private keys to clients and servers for authentication. The key generation is based on Diffie-Hellman.
Secure Electronic Transaction (SET)
SET is a set of protocols specifically developed to secure online financial transactions. It primarily protects credit card transactions among purchasers, merchants, and banks. The early supporters of SET were financial and web browser service providers such as Mastercard, Visa, Microsoft, and Netscape. SET provides a digital certificate, as a sort of digital wallet, for each party to ensure the confidentiality of the transaction. Each certificate carries a unique public key for identity verification. All data communicated via SET among the three parties is encrypted so that none of them can access the other parties' sensitive information. SET is highly popular for e-commerce today. The fact that SET is endorsed by Mastercard and Visa further augments its credibility.
There are hundreds of protocols working at various levels of the OSI and TCP/IP network models. SSL, TLS, SET, SKIP, swIPe, and S-RPC are some of the key protocols that can facilitate the understanding of other communication protocols.
An Overview of Authentication Protocols
The mechanism of secure communication protocols places substantial emphasis on the process of authentication. It is important not to mix up authentication with authorization. The former identifies the individual or organization via username, password, and other devices. The latter refers to the access rights of the identified individual. Authentication is a decisive step above all else. Terabytes of accurate and credible information about individuals and financial transactions circulate on the Internet every second these days. Identity theft and forged authentication information in cyberspace can have a considerable impact on the victim. Thus, authentication protocols play the role of guardian in denying access to malicious actors. The following three examples are Point-to-Point Protocol (PPP) authentication protocols:
Password Authentication Protocol (PAP)
PAP is an old, static authentication protocol that uses plain-text passwords without encryption. It establishes the client/server connection at the beginning of communication. The security level of PAP is the lowest of the three authentication protocols because of its plain-text passwords. PAP is also incapable of changing the password during authentication once it expires. It is used in situations and on systems where encrypted passwords are not supported, for example some non-Windows operating systems and Serial Line Internet Protocol (SLIP) servers. It is vulnerable to the most elementary attacks, such as man-in-the-middle (MiM).
Challenge Handshake Authentication Protocol (CHAP)
CHAP is a superior authentication protocol compared with PAP. It adopts a three-way handshake to implement encrypted authentication. Moreover, the authentication is protected by the MD5 hashing industry standard. The authenticating side begins the process by sending a challenge string to the client side. The latter then computes a one-way hash value over the challenge and returns it. The authenticating side acknowledges the authentication accordingly. CHAP repeats the same authentication steps at regular intervals with a different challenge value. In this way, the mechanism protects the authentication process against replay (playback) attacks.
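The three-way handshake and the periodic re-challenge described above, simulated in Python as an added example (not code from the original article). It follows the RFC 1994 layout for the response hash, MD5 over Identifier || secret || Challenge, and uses a constructed shared secret; the `wire` list is an assumption added here so the reader can check what actually crosses the link, which is how CHAP differs from PAP's plain-text password.

```python
import hashlib
import hmac
import os

# Constructed shared secret; in PPP deployments it is provisioned out of band on both peers.
SHARED_SECRET = b"constructed-example-secret"

def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Peer side (RFC 1994): one-way MD5 over Identifier || secret || Challenge."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()

class Authenticator:
    """Authenticator side: issues fresh random challenges and accepts each response once."""
    def __init__(self, secret: bytes):
        self.secret = secret
        self.identifier = 0
        self.challenge = None
        self.wire = []            # every field that crosses the link, kept for inspection

    def issue_challenge(self):
        self.identifier = (self.identifier + 1) & 0xFF
        self.challenge = os.urandom(16)          # unpredictable and never reused
        self.wire.append(("challenge", self.identifier, self.challenge))
        return self.identifier, self.challenge

    def verify(self, identifier: int, response: bytes) -> bool:
        self.wire.append(("response", identifier, response))
        if self.challenge is None or identifier != self.identifier:
            return False
        expected = chap_response(identifier, self.secret, self.challenge)
        self.challenge = None                    # each challenge accepts one response only
        return hmac.compare_digest(expected, response)

def run_handshake(auth: Authenticator, peer_secret: bytes) -> bool:
    """Challenge, response, success/failure: the three CHAP messages."""
    ident, chal = auth.issue_challenge()
    return auth.verify(ident, chap_response(ident, peer_secret, chal))

def replay_is_rejected(auth: Authenticator, peer_secret: bytes) -> bool:
    """Capture one valid response, then present it again for the next (different) challenge."""
    ident, chal = auth.issue_challenge()
    captured = chap_response(ident, peer_secret, chal)
    first_ok = auth.verify(ident, captured)
    next_ident, _ = auth.issue_challenge()       # periodic re-authentication: new challenge
    return first_ok and not auth.verify(next_ident, captured)

def secret_on_wire(auth: Authenticator) -> bool:
    """True if the shared secret itself ever appeared on the link (it never should)."""
    return any(auth.secret in field for _, _, field in auth.wire)
```

An observer of `auth.wire` sees only random challenges and 16-byte digests, which is why a passive capture alone is not enough to authenticate later; the weak point that remains is MD5 and an offline guess at a poor secret, not the exchange itself.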
Extensible Authentication Protocol (EAP)
EAP can be applied beyond PPP, to wireless networks. The user requests a connection through an access point on a wireless network. The identity of the user is examined and forwarded to the authentication server. Upon receiving the information, the authentication server asks the access point to provide proof of the user's identity. As long as the access point can respond to the authentication server with that proof, the user is connected to the network. EAP is an effective client-server authentication framework rather than a single method; consequently, there are many versions of EAP, depending on the authentication method used. Some examples of EAP methods are EAP-MD5, EAP-TLS and EAP-TTLS. EAP supports multiple authentication mechanisms ranging from token cards, smart cards, and one-time passwords to public key authentication, and it permits third-party vendors to create custom authentication schemes, for example retina scans, voice recognition, and fingerprint identification. The challenges of authentication require better and more exhaustive encryption approaches.
These key concepts provide a wide-ranging overview of secure communication protocols in the CISSP examination. To a large extent, network security is the frontier defending communication mechanisms built on top of networks. The communication protocols define the cybersecurity level of the entire institution. Having a solid understanding of their development history, interoperability, strengths, and vulnerabilities can further develop the competencies of a network security professional. The CISSP training therefore upgrades professionals to veterans.