Application Layer Security
|
|
| Application Layer Security The implementation of security at the application layer is more feasible and simpler, particularly when the Internet communication involves only two parties, as in the case of email and TELNET. |
|
| The sender and the receiver can agree to use the same protocol and to use any type of security services they desire. |
|
| In this section, we discuss one protocol used at the application layer to provide security: PGP. |
|
| Pretty Good Privacy (PGP) was invented by Phil Zimmermann to provide all four aspects of security (privacy, integrity, authentication, and nonrepudiation) in the sending of email. |
|
| PGP uses digital signature (a combination of hashing and public-key encryption) to provide integrity, authentication, and nonrepudiation. |
|
| It uses a combination of secret-key and public-key encryption to provide privacy. Specifically, it uses one hash function, one secret key, and two private-public key pairs. |
|
| The email message is hashed to create a digest. The digest is encrypted (signed) using Sender’s private key. The message and the digest are encrypted using the one-time secret key created by sender. |
|
| The secret key is encrypted using receivers public key and is sent together with the encrypted combination of message and digest. |
|
| The combination of encrypted secret key and message plus digest is received. |
|
| The encrypted secret key first is decrypted (using Receiver’s private key) to get the one-time secret key created by sender. |
|
| The secret key then is used to decrypt the combination of the message plus digest. |