***
Extra

Network stack:
1: Application
2: Transport
3: Network/internet
4: data link/link
5: Physical

End Extra
******
Who are we talking to?
    how do we know we are talking to the correct host/client
        not pretending
        man in the middle (some1 re-routing packets elsewhere and recording its content

    requests are intercepted and some1 returns a malicious response

    A request containing login information is intercepted and saved by the malicious part and then forwarded to the true location

Is somebody else listening?
   How to make sure some1 unauthorized is not listening, next to impossible


How to protect from eavesdropers exploiting communication?
    What if packets are modifed in transit
         e.g. bank transfers where a malicious part modifies the recipent bank account on the wire.

    What if they are saving the packets and sending them again?
         A so called replay attack, where some1 saves the packets sent and then resend them at a later time.

**************
SSL/TLS (Secure Socket Layer / Transport Layer Security)
**************
TLS = SSL v3 with updates, later versions are not compatible SSL

Placed between the application and transport layer in the network stack. It can support multiple application layer protocols (HTTP, FTP, Telnet, etc.)
More or less de facto way for securing network communication.
     Strong encryption
     integrity protection (protection against tampering)
     Mutual authentication (both parties authenticate)

A TLS session is a long-lived association between two communicating hosts, a session may span many connections. This saves time from creating new sessions.


1. The client first sends a message that contains which SSL/TLS version to use, as well as which encryption algorithm is perfered. 
2. The client receives a certificate from the server which needs to be certified by a trusted certificate authority. This certificate contains the public key of the server.
3. The client chooses a key for symmetric encryption which it sends to the server, encrypted with the servers public key.
   Communication can now be done encrypted with symetric encryption using this symetric key.

Integrity checks done with HMAC

***************
certificates
***************
A certificate is an electronic document containing public information about an entity (a server, person or similar)

If the certifcate is used for secure communications, then usually a public key is made available through the certificate.
   Pro: Send data encrypted.
   issue: how to guarantee that the certificate is valid? What if I create a certificate which says I am Google with my public key. 

The certificate needs to be verified. Special certified authorities (CAs) issue certificates that are signed with their private key.
We can verify the signature by using the CAs public key.
   issue: how do we get the CAs public key?
          distributed with the OS or web browser (firefox)
          
*************
IPSEC - Network Layer
*************

IPSEC (Transport and Tunneling, for tunneling think OpenVPN but with an RFC standard)

Two modes, Transport and tunneling.
    Transport - between two peers, add the AH/ESP headers which protects the data between the two peers

    Tunnel - Existing IP packets are encapsulated in new IP headers. Peers communicate as normal,
             but gateways add and remove the IPSec headers - Designed for implementing VPN (Virtual Private Network)