i am learning the basics.......!

Sunday, December 31, 2006

SOCKS

The SOCKS protocol can be used in situations where hosts on one side of the network need to access hosts on the other side without direct IP reachability.

The main components are the SOCKS client and the SOCKS proxy server.

The SOCKS client works in the layer between the application layer and the transport layer. The SOCKS proxy server works in the application layer.

It works in this way:
  • SOCKS client makes connection request and sends the authentication methods supported
  • SOCKS Proxy Server selects the authentication method
  • SOCKS client gets authenticated with server
  • It sends SOCKS CONNECT request for setting up Proxy circuits
  • Relays Application Data
The SOCKS protocol is traditionally used by hosts inside a firewall to traverse it and access servers outside. But it is also used in VPN-like scenarios, where a client from outside uses SOCKS to communicate with the servers inside the network.
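
The negotiation steps listed above, written out as the bytes each side sends. This is an added example, not code from the original post; it assumes SOCKS version 5 (RFC 1928), and the function names are made up for illustration.

```python
import ipaddress
import struct

VER = 5                      # SOCKS version 5 (RFC 1928)
NO_AUTH, USERPASS, NO_ACCEPTABLE = 0x00, 0x02, 0xFF
CMD_CONNECT, ATYP_IPV4, ATYP_DOMAIN = 0x01, 0x01, 0x03


def client_greeting(methods):
    """Step 1: VER, NMETHODS, METHODS (the client offers its auth methods)."""
    return bytes([VER, len(methods), *methods])


def server_select(greeting, allowed):
    """Step 2: the proxy picks the first offered method its policy allows."""
    ver, nmethods = greeting[0], greeting[1]
    offered = greeting[2:2 + nmethods]
    if ver != VER or len(offered) != nmethods:
        raise ValueError("malformed greeting")
    chosen = next((m for m in offered if m in allowed), NO_ACCEPTABLE)
    return bytes([VER, chosen])


def connect_request(host, port):
    """Step 4: VER, CMD=CONNECT, RSV, ATYP, DST.ADDR, DST.PORT."""
    try:
        addr = bytes([ATYP_IPV4]) + ipaddress.IPv4Address(host).packed
    except ipaddress.AddressValueError:
        name = host.encode("ascii")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([VER, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)


def parse_connect_request(req):
    """Proxy side: recover (host, port) so policy can be applied before relaying."""
    if req[:3] != bytes([VER, CMD_CONNECT, 0x00]) or len(req) < 5:
        raise ValueError("not a SOCKS5 CONNECT request")
    if req[3] == ATYP_IPV4:
        host, rest = str(ipaddress.IPv4Address(req[4:8])), req[8:]
    elif req[3] == ATYP_DOMAIN:
        host, rest = req[5:5 + req[4]].decode("ascii"), req[5 + req[4]:]
    else:
        raise ValueError("unsupported address type")
    if len(rest) != 2:
        raise ValueError("truncated request")
    return host, struct.unpack("!H", rest)[0]
```

A proxy that requires authentication passes only `USERPASS` in `allowed`; a client offering just `NO_AUTH` then gets `0xFF` back and the connection ends before any CONNECT request is sent.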

Please go through this good site, which details the SOCKS overview, control flow and references - Socks Permeo

Wednesday, December 27, 2006

HTTP CONNECT

HTTP CONNECT is used for proxying HTTPS traffic. It tells the proxy that it should not interfere with the traffic, but merely forward the data to the destination. The proxy does not interfere with the HTTPS traffic as it would violate the SSL/TLS end-to-end security.

So the proxy does not verify that the traffic being carried is actually HTTPS. This introduces a vulnerability that someone can take advantage of:

More details can be obtained at:
Hypertext Transfer Protocol -- HTTP/1.1
Tunneling TCP based protocols through Web proxy servers
HTTP proxy default configurations allow arbitrary TCP connections

I just got interested in this as I saw some code that allows another protocol's traffic through a proxy by using HTTP CONNECT. So I was wondering why the proxy is not looking for HTTPS headers in the packets. But this explains my query.
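
A proxy-side check for the gap described in this post, as an added example (not code from the original post): open CONNECT tunnels only to an allowed port, then confirm that the first tunnelled bytes form a TLS ClientHello record header, which can be read without decrypting anything. The port allowlist and function names are assumptions.

```python
ALLOWED_CONNECT_PORTS = {443}          # assumption: policy permits HTTPS only


def parse_connect(request_line):
    """Return (host, port) from 'CONNECT host:port HTTP/1.x' or raise ValueError."""
    parts = request_line.strip().split(" ")
    if len(parts) != 3 or parts[0] != "CONNECT" or not parts[2].startswith("HTTP/1."):
        raise ValueError("not a CONNECT request")
    host, sep, port = parts[1].rpartition(":")
    if not sep or not host or not port.isdigit() or not 0 < int(port) < 65536:
        raise ValueError("bad authority")
    return host.strip("[]").lower(), int(port)


def connect_allowed(request_line, allowed_ports=ALLOWED_CONNECT_PORTS):
    """Policy decision: 200 to open the tunnel, 400/403 to refuse it."""
    try:
        _, port = parse_connect(request_line)
    except ValueError:
        return 400
    return 200 if port in allowed_ports else 403


def looks_like_tls_client_hello(first_bytes):
    """Check the first tunnelled bytes for a TLS handshake record header.

    Record header: type 0x16 (handshake), version major 0x03, 2-byte length;
    the handshake message that follows must be type 0x01 (ClientHello).
    """
    if len(first_bytes) < 6:
        return False
    rec_type, major, minor = first_bytes[0], first_bytes[1], first_bytes[2]
    length = int.from_bytes(first_bytes[3:5], "big")
    return (rec_type == 0x16 and major == 0x03 and minor <= 0x04
            and 0 < length <= 2 ** 14 and first_bytes[5] == 0x01)
```

The header check only covers the first record, so it catches plain-text protocols sent through the tunnel but not traffic that is itself wrapped in TLS.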

Wednesday, December 20, 2006

Client authentication - SSL Handshake

Client authentication is an optional step in the SSL handshake.

If client authentication is requested, then after verifying the server certificate, the client sends a "Client Certificate" along with the encrypted pre-master secret (encrypted using the public key from the server certificate).

One more piece of information is sent by the client along with this request. The client encrypts some "data" which is known to both client and server using the client's private key. When the server receives the request, it can validate the public key of the client by decrypting this.

Then the server proceeds further by authenticating the client certificate. This is done as follows:
1. The validity (expiration date) of the client certificate is checked.
2. The server checks whether the issuing authority of the certificate is a CA it trusts. If not, the server checks whether any CA in the certificate chain of the client certificate is among its trusted CAs.
3. Then it validates the integrity of the certificate. This is done by hashing the certificate message and comparing it with the hash obtained by decrypting the digital signature with the CA's public key. Both should be the same.

The client is now authenticated. Now the server can check which resources the client is authorised to access by checking the ACL (access control lists).

Tuesday, December 19, 2006

SSL - Secure Sockets Layer

As a part of study, wanted to dig into one protocol which uses certificates for the handshake. Selected SSL. SSL works above the transport layer. Protocols like HTTPS use HTTP over SSL for secure communications. VPNs like OpenVPN also use SSL as the underlying protocol.

SSL uses
stage 1. Asymmetric encryption for the initial handshake - authentication and privacy
stage 2. and later moves to faster symmetric encryption for further communication using the Master Key generated during the first stage.

Brief Idea on how the protocol works is:
1. Client sends HELLO to Server ( and details like Cipher suites, session data etc)
2. Server sends back ACK ( Session specific data and Cipher Suites and SERVER CERTIFICATE)

3. Now Client verifies the Server Certificate... Only if it is ok the client proceeds further.

4. Now client sends data encrypted by Server's PUBLIC Key. Client sends the pre-master secret key to the Server.

5. Now the mystery part (it's still a mystery to me). Client and Server use the pre-master secret to generate a master secret. Using the master secret, Client and Server generate session keys...

6. Now Client sends an encrypted message to Server saying that the handshake is completed. Server also sends a similar message to the client.

7. From now on, all data between client and server is encrypted with the session keys.
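
Step 5 worked through in code, as an added example that is not part of the original post. It uses the TLS 1.2 PRF from RFC 5246 as the concrete instance (SSL 3.0 and TLS 1.0 mix the same inputs with different hash constructions); the key sizes and function names are assumptions.

```python
import hashlib
import hmac
import os


def p_hash(secret, seed, length):
    """P_SHA256 from RFC 5246 section 5: HMAC chained until `length` bytes."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()            # A(i)
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def prf(secret, label, seed, length):
    return p_hash(secret, label + seed, length)


def master_secret(pre_master, client_random, server_random):
    """48-byte master secret; both randoms were sent in the clear in steps 1-2."""
    return prf(pre_master, b"master secret", client_random + server_random, 48)


def session_keys(master, client_random, server_random, mac_len=32, key_len=16):
    """Expand the master secret into a key block and slice it per direction.
    Sizes are an assumption: HMAC-SHA256 MAC keys and AES-128 encryption keys."""
    block = prf(master, b"key expansion", server_random + client_random,
                2 * mac_len + 2 * key_len)
    names = ("client_mac", "server_mac", "client_key", "server_key")
    sizes = (mac_len, mac_len, key_len, key_len)
    keys, pos = {}, 0
    for name, size in zip(names, sizes):
        keys[name], pos = block[pos:pos + size], pos + size
    return keys


def demo():
    # Constructed values: in a real handshake the client picks pre_master and
    # sends it encrypted under the server's public key (step 4).
    pre_master = b"\x03\x03" + os.urandom(46)
    c_rand, s_rand = os.urandom(32), os.urandom(32)
    client = session_keys(master_secret(pre_master, c_rand, s_rand), c_rand, s_rand)
    server = session_keys(master_secret(pre_master, c_rand, s_rand), c_rand, s_rand)
    return client == server and client["client_key"] != client["server_key"]
```

Both sides run the same deterministic function over the same three inputs, so they arrive at identical keys without the keys themselves ever crossing the wire.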

In the default mode, only the server is authenticated. But client-side certification can also be used. In this case, the client will also send its certificate in step 4 mentioned above and the server verifies it.

Asymmetric algorithms used are: RSA, Diffie-Hellman
Symmetric ciphers: Triple DES, RC4, RC2, DES

Monday, December 18, 2006

Contents of a Digital Certificate

I was trying to study what all info a digital certificate contains. I decided to look at the site I frequently visit for buying movie tickets - Sathyam Cinemas.

The certificate shows it was issued by Verisign. It is issued to "tickets.sathyamcinemas.com". But the name of their site is "thecinema.in". So it gives some warnings to the user.



I went to look at the contents. It says in detail - Issuer, Issued to, Validity Period, Algorithm used, etc. Also we can see that the "Public Key" of Sathyam Cinemas is sent along with the certificate.



Further Details:



The certificate chain is shown here. The signing authority of the certificate can be seen here.



The digital certificate will contain the digital signature. It is the encrypted hashed value of the message. It is encrypted using the issuing authority's private key.


Saturday, December 16, 2006

Usage of Digital signature

I would like to refine the "case example" I gave in the previous post.

There are cases where the full privacy of the message is so important that we have to fully encrypt the message.

In some other scenarios the importance will be on several other factors, say:
1. Authentication
2. Non-repudiation
3. Integrity

Authentication: When Anoop sends a message to Biju, Biju should be able to verify that it was sent by Anoop. He can do that by decrypting with Anoop's public key.

Non-repudiation: Nobody else has Anoop's private key. So there is no chance that anybody else will use Anoop's private key. So Anoop cannot deny that he has sent the message.

Integrity: The integrity of the message has to be validated. If somebody alters the message in between, the recipient should be able to detect it.
This is done by using a digital signature: the sender takes the message contents and hashes the message. This hashed message is encrypted with the issuing authority's private key. The encrypted hash is called the digital signature.
On the receiving side: the recipient takes the message and hashes it. He also takes the encrypted hash and decrypts it with the issuing authority's public key. The two hashes obtained are compared, and if they are the same the message is OK for "integrity".

!!!
Disclaimer: Hi, my readers. It would be better to read Wikipedia. I am still learning the concepts!
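
The hash, sign and compare procedure from this post, applied to the three certificate checks listed in the "Client authentication" post (validity, trusted issuer, integrity). This is an added example, not code from the original posts: the key is a constructed toy (textbook RSA without padding), the CA name and certificate fields are hypothetical, and only a single-level chain is handled.

```python
import hashlib
from datetime import date

# Constructed toy CA key: textbook RSA over two Mersenne primes, with no padding.
# Illustration only; real certificates use padded RSA or ECDSA with much larger keys.
P, Q, E = 2**127 - 1, 2**107 - 1, 65537
CA_N = P * Q
CA_D = pow(E, -1, (P - 1) * (Q - 1))          # CA private exponent
TRUSTED_CAS = {"Example Root CA": (CA_N, E)}  # server's trust store (hypothetical)
SIGNED_FIELDS = ("subject", "issuer", "not_after", "public_key")


def digest(cert):
    """Hash the signed fields of the certificate to an integer below the modulus."""
    body = "|".join(str(cert[k]) for k in SIGNED_FIELDS)
    return int.from_bytes(hashlib.sha256(body.encode()).digest(), "big") % CA_N


def ca_sign(cert):
    """Issuer side: 'encrypt' the hash with the CA private key."""
    return dict(cert, signature=pow(digest(cert), CA_D, CA_N))


def verify(cert, today):
    """Server side: the three checks, in the order the post lists them."""
    if today > cert["not_after"]:
        return "expired"
    ca_key = TRUSTED_CAS.get(cert["issuer"])
    if ca_key is None:
        return "untrusted issuer"
    n, e = ca_key
    if pow(cert["signature"], e, n) != digest(cert):   # decrypt signature, compare hashes
        return "bad signature"
    return "ok"


# Constructed sample certificate for a client named Anoop.
CLIENT_CERT = ca_sign({"subject": "Anoop", "issuer": "Example Root CA",
                       "not_after": date(2007, 12, 31),
                       "public_key": "anoop-key-placeholder"})
```

Changing any signed field after issuance changes the recomputed hash, so the comparison in `verify` fails even though the signature value itself was left untouched.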

Friday, December 15, 2006

Public key cryptography

Usually we close our doors with a key and then we can open them again only with the same key...

In public key cryptography there are two keys - key1 and key2. If we close with key1, then we can open only with key2. And if we close with key2, we can open only with key1. Nice asymmetry!

One key we don't disclose and keep secret - it's the private key, as the name denotes. The other key we can give to the public, and hence it is named the public key.

Some examples where I can use it:
case1: say I want to send a mail to Biju and I want only Biju to read that mail. So I can encrypt with Biju's public key and send. Only Biju will be able to decrypt the message (with his private key).

case2: in another case, I want to send a message, but I want Biju to be sure that it's me who has sent this message. Then I can encrypt with my private key. Biju will be able to properly decrypt that only with my public key.

So Biju and I are happy!

Monday, December 04, 2006

Hubs, Bridges and Routers

Hubs, or repeaters, are devices which are used to extend a single LAN. A hub acts like an amplifier. Whatever noise and signals arrive at it, it amplifies and forwards to the rest of the nodes. It just extends the network.

Bridges can be used to connect two LANs together to make them a single LAN. The most important point of a bridge is that it separates collision domains (in the case of Ethernet). Collisions occur when two hosts talk at the same time. But two hosts separated by a bridge can talk at the same time, as the bridge separates the "electric part".

Routers connect multiple LANs together. Routers act as the boundary of a broadcast domain. A broadcast should reach all machines in the LAN, but not beyond. Routers thus significantly increase bandwidth.

A Hub or Repeater, is a physical layer device.
A Bridge is a data link layer (L2) device.
A Router is a network layer (L3) device.

Thursday, October 19, 2006

NAT ( Network Address Translation )

NAT is network address translation – it is used for better address utilization and also for security. If we use only one IP to the external world and all the machines in the local network use internal IP addresses, then it saves a lot of address usage. Also it improves security as internal machines are not exposed to the outside world.

NAT has many different varieties of implementation. Of these, a popular one is PAT (Port Address Translation).

How does NAT work?
Assume 200.100.100.100 is the global IP available and internal IPs are in the range 10.x.x.x. Say I try to have an HTTP connection to 203.179.222.22 from my machine (which is 10.1.1.4) - the initial packet may look like this (src IP - 10.1.1.4, src port - say 1000, dest IP - 203.179.222.22, dest port - 80). The packet reaches the gateway, where NATing will take place transparently to the user. For each connection a mapping will be made - in this case for (10.1.1.4, 1000) a corresponding entry may be (200.100.100.100, 5000), where 200.100.100.100 is the public IP and 5000 is a free port selected from the available list.
So the entry for (10.1.1.4, 1000) is port 5000. The packet will be modified and sent to the outside world. The packet will become [src IP - 200.100.100.100, src port - 5000, dest IP - 203.179.222.22 and dest port - 80]. So the destination 203.179.222.22 is aware only of source 200.100.100.100 and will respond to that. When the reply reaches 200.100.100.100, the gateway will look at the dest port - that is 5000 - and will look for an entry in the NAT table. In this case it will find that the entry is (10.1.1.4, 1000) and will replace the dest IP and dest port with that and forward the packet to the internal network.

The full process of NATing happens transparently to the user. Also NATing is asymmetrical - it is used only to access the outside world; from outside you cannot access inside machines. Administrators usually configure which networks have to be NATed. All packets from other networks are simply forwarded.

NATing happens in Layer 3 / Layer 4. People sometimes confuse NATing with proxying. A proxy is in the application layer – some application sitting in the middle is proxying for the client as well as the server. It is not transparent; the client has to know about the proxy.
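
The translation table from the walkthrough above, as an added example (not code from the original post) using the same addresses and ports. The class and function names are made up, and the table is keyed only on the inside address and port; real gateways also track protocol, remote endpoint and timeouts.

```python
from itertools import count


class PatGateway:
    """Port address translation table for one public IP."""

    def __init__(self, public_ip, first_port=5000):
        self.public_ip = public_ip
        self._free_ports = count(first_port)  # simplistic free-port allocator
        self.out = {}   # (inside_ip, inside_port) -> public_port
        self.back = {}  # public_port -> (inside_ip, inside_port)

    def outbound(self, pkt):
        """Rewrite the source of an inside->outside packet, creating a mapping if new."""
        key = (pkt["src_ip"], pkt["src_port"])
        if key not in self.out:
            port = next(self._free_ports)
            self.out[key], self.back[port] = port, key
        return dict(pkt, src_ip=self.public_ip, src_port=self.out[key])

    def inbound(self, pkt):
        """Rewrite the destination of a reply; drop packets with no mapping."""
        if pkt["dst_ip"] != self.public_ip or pkt["dst_port"] not in self.back:
            return None  # unsolicited traffic from outside: nothing to translate to
        ip, port = self.back[pkt["dst_port"]]
        return dict(pkt, dst_ip=ip, dst_port=port)


def walkthrough():
    gw = PatGateway("200.100.100.100")
    request = {"src_ip": "10.1.1.4", "src_port": 1000,
               "dst_ip": "203.179.222.22", "dst_port": 80}
    sent = gw.outbound(request)
    reply = {"src_ip": "203.179.222.22", "src_port": 80,
             "dst_ip": sent["src_ip"], "dst_port": sent["src_port"]}
    probe = dict(reply, dst_port=6000)   # outside packet to a port with no mapping
    return sent, gw.inbound(reply), gw.inbound(probe)
```

The third result is `None`: a packet arriving for a port with no table entry has no inside host to go to, which is the asymmetry described above.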

Tuesday, October 17, 2006

Strong host routing

Strong host routing is an interesting concept. It is of interest in multi-homed hosts (hosts having two or more network addresses). How to route a given packet to the network is decided not only based on the "destination address", but also based on the "source address". The strong host model is mentioned in RFC 1122. This adds more security, as packets cannot be sent out with a source address that does not belong to an interface in the host.

On the receive side, when a unicast packet arrives at a host, a weak host model will accept the packet if the destination address matches any of the local IP addresses of the host. But in the strong host model the host will accept the packet only if the destination address matches the IP address of the interface on which it is received. It thus prevents any multi-home based network attacks.

The Next Generation TCP/IP stack in Microsoft Vista supports strong host routing by default.

Saturday, August 26, 2006

Debugging Outlook :)

My colleague Mr.X sitting next to me was configuring mail in his new laptop..

Mr.X - Anoop, tell me the outlook configurations..

Anoop - Give this IP to SMTP, POP etc.. Give username/pwd etc etc

Mr.X did configurations and some more debugging.. still he is not able to download mails.

I looked into my own configurations again.., and started googling also... could not find anything..

I peeped into his desk... it was a shocking scene.. cables are not connected yet :)

Being in a networking ODC, we even forget to plug in the network cables..!

Saturday, August 19, 2006

Layer n device

When do we call something a layer 3 or layer 2 device?

A router is a layer 3 device because it takes forwarding and routing decisions depending on the Layer 3 header. Also, Layer 2 header addresses get changed when a packet passes through a router.

So can we call a switch that can create VLANs based on IP addresses a Layer 3 device? Maybe, or maybe not. Although it looks into the IP headers, the Layer 2 addresses remain unchanged even after the packet goes through a VLAN switch. So it's still a Layer 2 device.

Disclaimer: I am just understanding networking and discussing with myself. My interpretations may be wrong.

Feedback I received on this from a networking expert:
A device is in l2, if it does l2 fn, i.e., bridging
device is l3, if it routes
if a switch routes packets, it is a router

Sunday, August 13, 2006

TCP/IP socket - in a multi-homed host

In a multi-homed host (a host having two or more network addresses), how does a TCP/IP socket connection behave?

How does it find the interface through which the packet has to be forwarded? It depends on the entries in the forwarding information table (or route table). If there is more than one interface to the same destination, it looks for the lowest metric value, and if it does not find an entry it forwards through the default route gateway interface.

Then how does it determine through which interface it should listen for the reply? If "bind" is not explicitly called, the TCP/IP socket will listen on the interface through which the packet was forwarded.

Using "bind" before "connect", we can explicitly bind to an interface, if needed.
