Netscape Communications Corporation introduced the Secure Sockets Layer (SSL) protocol in 1995; SSL 3.0, a redesign of the flawed SSL 2.0, followed in 1996. After a series of improvements, the IETF formed the Transport Layer Security (TLS) working group to turn the protocol into an open Internet standard, and TLS 1.0 (RFC 2246, 1999) was its first version. TLS 1.0 is closely related to SSL 3.0, but the two are not interoperable. From the start the protocol provided confidentiality and integrity for information exchanged between two parties over the Internet, and applications that use TLS rely on it for strong encryption of their data. Faster authenticated ciphers (for example AES-GCM and ChaCha20-Poly1305) were added in later versions, and TLS 1.3 (RFC 8446, 2018) removed most of the legacy mechanisms that earlier attacks had exploited.
Transport Layer Security is an Internet security protocol for point-to-point connections, typically between a client and a server. It protects the connection from eavesdropping, tampering, and forgery. With TLS, client and server can authenticate each other (in practice the server almost always authenticates with a certificate, while client authentication is optional), and then establish a secure channel for whatever the application transmits over the Internet. Early TLS implementations could also fall back to the SSL 3.0 protocol during the initial negotiation with a client that only spoke SSL. That fallback is now a liability rather than a feature: it is what the POODLE attack exploited, SSL 3.0 has been formally deprecated (RFC 7568), and modern implementations disable it.
The protection provided by TLS can be described under two properties: the connection is private, and it is reliable. It is private because application data is encrypted with symmetric cryptography, using keys generated uniquely for each connection from a secret that the handshake protocol negotiates. It is reliable because message transport includes an integrity check computed with a keyed message authentication code (an HMAC in TLS 1.2 and earlier; in TLS 1.3 an AEAD cipher such as AES-GCM folds the check into encryption), so any tampering or forgery is detected. Figure 1 shows the TLS operation.
Client-server Connection via TLS
TLS has two layers: the Record Protocol and the Handshake Protocol. The Record Protocol sits on top of a reliable transport (normally TCP): it fragments application data into records, applies integrity protection and encryption with the keys agreed for the connection, and carries the handshake messages themselves. The Handshake Protocol runs above the Record Protocol: it negotiates the protocol version and cipher suite, authenticates the peers with certificates, and establishes the shared secret from which the record keys are derived. Earlier versions also allowed the Record Protocol to compress data before encrypting it; that feature is deprecated because it leaks information about the plaintext (the CRIME attack) and was removed in TLS 1.3.
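As an added example (not code from the original page), the Python below shows the two layers described above in working form: it builds a ClientHello the way a client would, wrapping the handshake message in a record-layer header, then parses it back layer by layer with length checks, and finally applies two policy checks a server or IDS might run on the parsed message. The cipher-suite numbers are real IANA registry values; the ClientHello bytes are constructed locally, no network is involved, and only the standard library is used.

```python
import os
import struct

CONTENT_TYPE_HANDSHAKE = 0x16
HANDSHAKE_CLIENT_HELLO = 0x01
TLS10, TLS12 = 0x0301, 0x0303
COMPRESSION_NULL = 0

# A few cipher suite identifiers from the IANA TLS registry (real values).
SUITES = {
    0x1301: "TLS_AES_128_GCM_SHA256",                 # TLS 1.3, AEAD
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",  # TLS 1.2, forward secret, AEAD
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",           # TLS 1.2, static RSA, no forward secrecy
}


def build_client_hello(cipher_suites, compression_methods=(COMPRESSION_NULL,), client_random=None) -> bytes:
    """Record header | handshake header | ClientHello body, i.e. the layering in the text."""
    client_random = os.urandom(32) if client_random is None else client_random
    if len(client_random) != 32:
        raise ValueError("ClientHello.random must be 32 bytes")
    body = struct.pack("!H", TLS12) + client_random
    body += bytes([0])                                             # empty legacy session id
    body += struct.pack("!H", 2 * len(cipher_suites))
    body += b"".join(struct.pack("!H", s) for s in cipher_suites)
    body += bytes([len(compression_methods)]) + bytes(compression_methods)
    body += struct.pack("!H", 0)                                   # no extensions in this example
    handshake = bytes([HANDSHAKE_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    # The first ClientHello is conventionally sent with record version 0x0301 for
    # compatibility with old middleboxes; the version actually offered is in the body.
    return struct.pack("!BHH", CONTENT_TYPE_HANDSHAKE, TLS10, len(handshake)) + handshake


def parse_client_hello(record: bytes) -> dict:
    """Peel the record layer, then the handshake layer, then the ClientHello fields.
    Every length field is checked against the bytes actually present, so a truncated
    or oversized record is rejected instead of being read out of bounds."""
    if len(record) < 5:
        raise ValueError("record header truncated")
    content_type, record_version, record_len = struct.unpack("!BHH", record[:5])
    if content_type != CONTENT_TYPE_HANDSHAKE or record_version >> 8 != 3:
        raise ValueError("not a TLS handshake record")
    if record_len > 2 ** 14 or len(record) != 5 + record_len:
        raise ValueError("record length does not match data")
    msg = record[5:]
    msg_type, msg_len = msg[0], int.from_bytes(msg[1:4], "big")
    if msg_type != HANDSHAKE_CLIENT_HELLO or len(msg) != 4 + msg_len:
        raise ValueError("not a complete ClientHello")
    body, off = msg[4:], 0

    def take(n: int) -> bytes:
        nonlocal off
        if off + n > len(body):
            raise ValueError("ClientHello field runs past end of message")
        chunk = body[off:off + n]
        off += n
        return chunk

    client_version = struct.unpack("!H", take(2))[0]
    client_random = take(32)
    session_id = take(take(1)[0])
    suites_raw = take(struct.unpack("!H", take(2))[0])
    if len(suites_raw) % 2:
        raise ValueError("cipher suite list has odd length")
    cipher_suites = [struct.unpack("!H", suites_raw[i:i + 2])[0] for i in range(0, len(suites_raw), 2)]
    compression_methods = list(take(take(1)[0]))
    extensions = take(struct.unpack("!H", take(2))[0]) if off < len(body) else b""
    if off != len(body):
        raise ValueError("trailing bytes after ClientHello")
    return {
        "client_version": client_version, "random": client_random, "session_id": session_id,
        "cipher_suites": cipher_suites, "compression_methods": compression_methods,
        "extensions": extensions,
    }


def review_client_hello(hello: dict) -> list:
    """Policy checks a server (or an IDS) would apply to a parsed ClientHello."""
    findings = []
    if any(m != COMPRESSION_NULL for m in hello["compression_methods"]):
        findings.append("offers TLS-level compression, deprecated since the CRIME attack")
    for suite in hello["cipher_suites"]:
        name = SUITES.get(suite, "")
        if name.startswith("TLS_RSA_WITH_"):
            findings.append(f"offers static-RSA suite {name}: no forward secrecy")
    return findings


if __name__ == "__main__":
    hello = parse_client_hello(build_client_hello([0x1301, 0xC02F, 0x002F]))
    print([SUITES.get(s, hex(s)) for s in hello["cipher_suites"]], review_client_hello(hello))
```

The parser deliberately refuses a record whose declared length disagrees with the bytes received; a real record layer must do the same, because a handshake message can span several records and an unchecked length field is the classic source of over-reads in TLS implementations.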
Internet Protocol Security (IPsec)
IPsec is one of the leading standards for cryptographically based authentication, integrity, and confidentiality services at the IP datagram layer. It protects the low-level IP packets travelling between two hosts (or two gateways) so that their origin is authenticated, their contents are not altered in transit, and, with ESP, their contents are private. It was designed to provide packet-level security for all traffic between the protected endpoints, whereas TLS protects one transport connection between two applications. IPsec is a framework of open standards (the architecture is defined in RFC 4301) for securing communication over Internet Protocol (IP) networks with cryptographic services. Hence, it provides network-level protection by ensuring data origin authentication, data integrity, and data confidentiality.
Like TLS, IPsec has two protocols for protecting transmitted data: the Authentication Header (AH) and the Encapsulating Security Payload (ESP). AH provides integrity and data-origin authentication: the sender computes an integrity check value (ICV) with a keyed message authentication code (for example HMAC-SHA-256) over the packet, including the immutable fields of the IP header, and places it in the AH header; the receiver recomputes the ICV with the same key and accepts the packet only if the two values match, so a modified packet is detected and the originator is identified. This is a keyed MAC, not a digital signature, and AH provides no confidentiality, so security associations that use it are appropriate when integrity is the requirement and secrecy is not. ESP encrypts the payload for confidentiality and can also carry an ICV, which makes it the protocol used in practice for almost all IPsec deployments.
IPsec is a family of protocols that together secure an IP network, and it runs in two modes that determine how AH and ESP are placed in a packet: Transport Mode and Tunnel Mode. In Transport Mode the protocol protects the data passed from the transport layer down to IP: AH or ESP processes the transport-layer segment and inserts its own header between the original IP header and the transport header. Transport mode does not create a new packet; it secures the existing one, and it ensures that data exchanged between two hosts (such as a server and a client) stays tamper-free and, with ESP, private. In Tunnel Mode the entire original IP datagram is encapsulated: the IPsec header is placed in front of the original IP header, and a new outer IP header is added in front of the IPsec header. Tunnel mode is intended for site-to-site communication between two security gateways over an unknown and untrusted network; with ESP the inner addresses and headers are hidden from that network, and with AH they are at least integrity-protected. The mutual authentication of the peers and the negotiation of traffic and encryption parameters are not part of either mode; they are the job of the key exchange described below.
The protection services IPsec provides can be summarised as: encryption of data for privacy; authentication and integrity protection so that tampered or forged packets are rejected; protection against replay attacks through the sequence number carried in the AH and ESP headers; negotiation between the devices of the security algorithms and keys that meet their security needs; and the two modes, transport and tunnel, that cover both host-to-host and gateway-to-gateway requirements.
IPsec operation begins with the Internet Key Exchange (IKE), which creates two kinds of security associations. In phase 1 (main mode or aggressive mode in IKEv1), the peers authenticate each other and set up a protected channel for further negotiation, establishing trust between the two. In phase 2 (quick mode), the computers negotiate the IPsec security associations themselves: the protocol (AH or ESP), the integrity and encryption algorithms, and the keys for the traffic between them. Integrity protection ensures that packets cannot be tampered with undetected; only encryption (ESP) protects against eavesdropping, so an AH-only association still leaves the payload readable. Supported peer authentication methods include pre-shared keys, digital certificates, and, on Windows, Kerberos v5.
TLS versus IPsec
Transport Layer Security operates above the transport layer, between an application and TCP, while IPsec operates at the network layer. TLS secures a single connection between two applications, which need not be on the same network, and because it is implemented in the applications (or their libraries) rather than in the operating system's network stack, deploying it is usually simpler. IPsec is more complicated: it secures the low-level network packets themselves to create a secure network over untrusted channels, and it needs support in the operating system or gateway at both ends. Both can provide strong confidentiality with the same cipher families; the difference between them is scope, not strength. Furthermore, IPsec often has difficulty passing through network address translators: AH's integrity check covers the IP addresses, so any NAT rewrite invalidates it, and ESP needs the NAT traversal extension (UDP encapsulation on port 4500, RFC 3948) to get through. TLS lives inside the TCP payload, which a NAT never touches, so it traverses translators without special handling.
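As an added example (not code from the original page), the Python below makes the AH and ESP descriptions and the NAT comparison concrete. It builds minimal IPv4 packets, protects them with a transport-mode AH (ICV over the IP header with mutable fields zeroed, plus the AH header and payload) and with ESP (ICV over the ESP header, payload and trailer only), then simulates a NAT gateway rewriting the source address and checks which packet the peer still accepts. ESP is shown with NULL encryption (RFC 2410), integrity only, so no cipher library is needed; a real ESP association would encrypt the payload with AES. The keys are constructed placeholders that IKE would normally negotiate, and the IP checksum is left at zero.

```python
import hashlib
import hmac
import struct

# Constructed keys for the two security associations used below. In a real
# deployment IKE negotiates them; they are never hard-coded like this.
AH_KEY = b"constructed-ah-integrity-key"
ESP_KEY = b"constructed-esp-integrity-key"
ICV_LEN = 16                     # HMAC-SHA-256-128: MAC truncated to 128 bits (RFC 4868)
IP_PROTO_IPIP, IP_PROTO_UDP, IP_PROTO_ESP, IP_PROTO_AH = 4, 17, 50, 51
IP_FMT = "!BBHHHBBH4s4s"         # 20-byte IPv4 header without options


def ipv4_header(src: bytes, dst: bytes, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal IPv4 header; the checksum is left at zero to keep the example short."""
    return struct.pack(IP_FMT, 0x45, 0, 20 + payload_len, 0x1234, 0, ttl, proto, 0, src, dst)


def icv(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()[:ICV_LEN]


def ah_header_for_mac(hdr: bytes) -> bytes:
    """AH covers the IP header with its mutable fields (TOS, flags/fragment offset,
    TTL, checksum) zeroed. The addresses are immutable and stay in the MAC input,
    which is exactly why a NAT rewrite invalidates the ICV."""
    ver_ihl, _tos, total_len, ident, _frag, _ttl, proto, _csum, src, dst = struct.unpack(IP_FMT, hdr)
    return struct.pack(IP_FMT, ver_ihl, 0, total_len, ident, 0, 0, proto, 0, src, dst)


def ah_protect(src: bytes, dst: bytes, payload: bytes, spi: int = 0x100, seq: int = 1) -> bytes:
    """Transport-mode AH: IP(proto 51) | AH | transport payload.
    AH = next header, payload length (32-bit words minus 2), reserved, SPI, sequence, ICV."""
    ah_len = 12 + ICV_LEN
    ah_no_icv = struct.pack("!BBHII", IP_PROTO_UDP, ah_len // 4 - 2, 0, spi, seq)
    hdr = ipv4_header(src, dst, IP_PROTO_AH, ah_len + len(payload))
    mac = icv(AH_KEY, ah_header_for_mac(hdr) + ah_no_icv + bytes(ICV_LEN) + payload)
    return hdr + ah_no_icv + mac + payload


def ah_verify(packet: bytes) -> bool:
    hdr, ah_no_icv = packet[:20], packet[20:32]
    mac, payload = packet[32:32 + ICV_LEN], packet[32 + ICV_LEN:]
    expected = icv(AH_KEY, ah_header_for_mac(hdr) + ah_no_icv + bytes(ICV_LEN) + payload)
    return hmac.compare_digest(mac, expected)


def esp_protect(src: bytes, dst: bytes, payload: bytes, tunnel: bool = False,
                spi: int = 0x200, seq: int = 1) -> bytes:
    """ESP with NULL encryption (RFC 2410), integrity only:
    IP(proto 50) | ESP header (SPI, seq) | payload | padding | trailer (pad len, next header) | ICV.
    Transport mode: payload is the transport segment. Tunnel mode: payload is a whole inner
    IP packet and src/dst are the gateways. Either way the ICV covers the ESP header through
    the trailer and never the outer IP header."""
    next_header = IP_PROTO_IPIP if tunnel else IP_PROTO_UDP
    pad_len = (-(len(payload) + 2)) % 4           # trailer must end on a 4-byte boundary
    padding = bytes(range(1, pad_len + 1))        # default padding pattern 1, 2, 3, ...
    body = struct.pack("!II", spi, seq) + payload + padding + struct.pack("!BB", pad_len, next_header)
    hdr = ipv4_header(src, dst, IP_PROTO_ESP, len(body) + ICV_LEN)
    return hdr + body + icv(ESP_KEY, body)


def esp_verify(packet: bytes) -> bool:
    body, mac = packet[20:-ICV_LEN], packet[-ICV_LEN:]
    return hmac.compare_digest(mac, icv(ESP_KEY, body))


def nat_rewrite_source(packet: bytes, new_src: bytes) -> bytes:
    """What a NAT gateway does to an outbound packet: replace the source address.
    (A real NAT also recomputes the IP checksum; AH zeroes that field before
    computing its MAC, so the checksum plays no role here.)"""
    fields = list(struct.unpack(IP_FMT, packet[:20]))
    fields[8] = new_src
    return struct.pack(IP_FMT, *fields) + packet[20:]


def nat_survival() -> dict:
    """The scenario from the text: a host behind NAT sends AH- and ESP-protected
    packets, the NAT rewrites the source address, and the peer verifies them."""
    private_src, public_src = bytes([10, 0, 0, 5]), bytes([203, 0, 113, 7])
    dst, payload = bytes([198, 51, 100, 20]), b"constructed UDP datagram"   # constructed sample
    ah, esp = ah_protect(private_src, dst, payload), esp_protect(private_src, dst, payload)
    return {
        "ah_before_nat": ah_verify(ah),
        "ah_after_nat": ah_verify(nat_rewrite_source(ah, public_src)),
        "esp_before_nat": esp_verify(esp),
        "esp_after_nat": esp_verify(nat_rewrite_source(esp, public_src)),
    }


if __name__ == "__main__":
    print(nat_survival())
```

Running it shows the AH packet failing verification after the address rewrite while the ESP packet still verifies; with tunnel mode the inner packet (and therefore the inner addresses) is inside the ICV's coverage, so a rewrite of the inner header is caught even though a rewrite of the outer header is not. What the example does not show is port translation: a NAT that must also map UDP or TCP ports has no port fields in a raw ESP packet to work with, which is why deployments behind NAT use the UDP encapsulation described above.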
IPsec, on the other hand, has the advantage over TLS that it protects all traffic on the network path, not just one application's connection: every packet between the protected endpoints keeps its integrity and, with ESP, its privacy, and in tunnel mode even the original IP headers are hidden. The encryption itself is not stronger than TLS; the difference is how much of the traffic it covers. With TLS, the network packets are not secured as such: the IP and TCP headers, and therefore who is talking to whom, on which ports, and how much, remain visible to an external entity on the path, and any traffic that an application does not wrap in TLS is sent in the clear. If the security of a network relies only on TLS, an interceptor who finds such unprotected traffic can read it or harvest identifiers from it, which is the starting point for identity theft, credit-card scams, username and password theft, and other frauds over the Internet.