Security in transit
Editor's note: This article, third in a series of articles on the basics of electronic security, looks at security in transit. The author explains how to assess the “chain” that links the various parts of a network message path and how to ensure that data is secure. The first two articles in this series are Part 1: What does security really mean? and Part 2: Tampering with easy targets.
There is one way to absolutely, positively guarantee that someone will receive a message intact, unadulterated, authenticated, and observed by no unauthorized party. Just copy the message to a physical medium, lock it in a sturdy briefcase, handcuff the briefcase to your own wrist, and board a plane. Best of luck at the security gate.
When you arrive at your destination, remove the briefcase from your wrist, unlock it, and present the message to your intended recipient. You can be assured that nobody else has seen it. Your recipient can be assured that the message is authentic. While you are there, find a comfortable meeting room and discuss the contents of the message, the weather, Italian restaurants—whatever you like. You have a little time before your flight home.
Use any other method for transmitting a message, and your message is at risk. Someone may intercept it and discover its contents. Or intercept your message and substitute one of their own. Or intercept your message and block its transmission.
These three threats—disclosure of a secret message, alteration in transit, or blocking its transmission entirely—are the primary threats to any secure system. Protecting against these threats forms what is known as the “CIA Triad.” The term has nothing to do with the U.S. Central Intelligence Agency. Instead, the letters stand for Confidentiality, Integrity, and Availability. Any secure messaging system must protect confidentiality, provide integrity, and always be available when needed.
The problem is this: any time you employ a medium to transmit your message, you lose control, however temporarily, of that message. Write a letter, send an email, make a phone call. As soon as the message leaves you, you have relinquished control of it. We understand in theory that someone might intervene to take our message, but do we really care?
We now know that many of our electronic messages are at risk of routine, low-level snooping. And it is not just governments that do this. Businesses are archiving email messages, and some are routinely scanning inbound and outbound email to ensure that corporate secrets remain secret. Even if it is surprising, none of this is necessarily a nefarious thing.
But the time will come when each of us has news that we want to keep private. It is then and there that we care strongly about security. But in fact, the time to think about security is before you need it.
This article is the third part in a series on electronic security. In Part 1 we discussed the basic definition of security, where physical locks are less important than logical and virtual “fences.” In Part 2 we dissected the meaning and processes of tampering.
In this article we do not look at the specific cryptographic algorithms involved in electronic security. We assume, until proven wrong, that properly implemented instances of (for example) AES for encryption and ECDSA for signatures are sufficiently robust to deter essentially all potential opponents.
Instead, here we examine security in transit; we assess the “chain” that links the various parts of a secure message path.
Understanding the networking model
Before we delve into system security, we need to understand the network itself.
In the early 1980s, standards organizations created what became known as the Open Systems Interconnection Reference Model (the “OSI Model”). In this model, data networks were seen as a collection of seven layers, ranging from the physical layer of wires and radio signals at the bottom to the user application at the top. The concepts embodied in the model have proven extremely useful and help us understand what is happening at any point in the journey that a message takes from sender to recipient.
To simplify the discussion, we can condense the seven layers into just four, ranked from bottom to top:
- The physical and data link layer. This layer is how a network-connected device talks and listens over the physical medium. For example, in a digital radio system this layer would control when the station can transmit; what transmit power, frequencies, and modulation schemes may be used; what packet structure must be used; and how to address other stations that can be directly contacted.
- The network layer. This layer is concerned with how one system talks to another system on the network. Systems on the network may not all be the same; some are connected by wireless links, some by wired Ethernet, and others by modems or other, older technology. These distinctions do not matter to the network layer. The network layer provides a consistent addressing scheme that gives every system running on it a unique network address. The most widely used network layer protocol today is the Internet Protocol (IP).
- The transport layer. This layer is the first to ‘understand’ the concept of a connection. The network layer just sends and receives packets. The data link layer takes the data and transmits it over the physical medium without any analysis. But the transport layer is the first to ‘make sense’ of the set of packets, and arrange them as though they belong to a group. The most widely used transport layer protocol today is the Transmission Control Protocol, or TCP, and it provides the concept of a ‘connection.’ Thus, the software asks TCP to make a connection to a port on a remote machine. (The web, for example, operates on TCP port 80.) Its companion protocol, the User Datagram Protocol (UDP) is similar, but simply passes packets individually through to the higher layers without regard to an established connection. UDP is termed connectionless for that reason.
- The application layer. This protocol layer is the workhorse that accomplishes the task intended by the user. If the user requests a webpage, it is transmitted over the Hypertext Transport Protocol (HTTP). If the user sends an email, it may be carried over the Simple Mail Transfer Protocol (SMTP). Everything that one might wish to do on the network is mediated by an application layer protocol.
When, for example, a user requests a webpage, the request makes its way over the network until, finally, it lands on the router connected, probably by an Ethernet cable, to the web server. The Ethernet card receives the packet and unwraps the first layer (the data link layer), thereby terminating that layer. The Ethernet interface passes the data contained therein to the computer. Network software running on the computer unpacks the IP header and extracts the destination address (“Yes, it is for me!”) and the source address (“Oh, so that computer is calling!”) and determines the transport protocol (“It is TCP.”). The software terminates the network layer and passes the payload to the transport layer.
The transport layer verifies that the packet is received in the proper sequence and that it is bound for a port that some software task has claimed. If the requested port is port 80, the packet is destined for the web server task. The code running the transport layer removes the transport information, terminating the transport layer, and passes what is (most likely) HTTP data to the web server.
So now you know the network model…in an abbreviated way. The important thing here is that, from end to end, only the application layer remains intact. The message may originate on a cell phone with a wireless physical/link layer. It may pass through message handlers that terminate and reestablish the network and transport layers; and finally, the message may terminate on a desktop computer with a wired connection. While each segment of the journey may (or may not) be encrypted, at the borders between segments, unless you take specific action, your message can be read by anyone with access to those segment breaks.
Figure 1. The application information may pass through many different transport, network, link, and physical layers before reaching its destination.
“But I thought the network was safe!”
Figure 1 shows how application data (i.e., the blue pipe) proceeds from the originator of the message to the receiver, even though different physical media, different types of networks, and different transport mechanisms carry the message. Each concentric cylinder represents a network protocol. Where each cylinder begins and ends represents the points at which one protocol layer is established and another terminated.
Now, assume that you are using a Wi-Fi connection to send a message. You are not concerned about security, because the Wi-Fi connection is secure. You are using WPA2 encryption, so no one can snoop on your message. How far does that security actually extend?
The answer is, not very far (Figure 2). Because WPA2 is part of the link layer protocol, as soon as the packets are received at the wireless access point, the encryption envelope is terminated. Hopefully, the other network elements will, in turn, encrypt the network traffic. But when dealing with security, we cannot depend on hope.
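The layer termination described above (only the application layer survives end to end) and the WPA2 case in this paragraph can be seen in a small simulation. The following is an added example, not code from the original article; it models each leg of Figure 1 as a segment that builds its own link layer and terminates it at the far end, using a toy XOR keystream cipher (an assumption for illustration, not WPA2 or TLS) and a constructed two-leg path.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

def toy_xor(key: bytes, data: bytes) -> bytes:
    """XOR data with a SHAKE-256 keystream derived from key. Toy cipher for
    illustration only (no nonce, no authentication); XOR is its own inverse."""
    stream = hashlib.shake_256(key).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))

@dataclass
class Segment:
    """One leg of the path in Figure 1, ending at the device that terminates it."""
    name: str                   # e.g. "wifi" (laptop -> access point)
    link_key: Optional[bytes]   # link-layer key for this leg (WPA2-like); None = clear link

def send_over_path(app_data: bytes, segments, app_key: Optional[bytes] = None):
    """Carry app_data across the segments, rebuilding the lower layers at each
    hop. Returns (payload delivered, what is visible on each medium, what is
    visible inside each terminating device)."""
    # Application-layer encryption is the only wrapper that survives end to end.
    payload = toy_xor(app_key, app_data) if app_key else app_data
    on_wire, at_hop = {}, {}
    for seg in segments:
        # Build this leg's link layer around the payload; encrypt if the link has a key.
        body = toy_xor(seg.link_key, payload) if seg.link_key else payload
        frame = b"LINK:" + seg.name.encode() + b"|" + body
        on_wire[seg.name] = body            # what a sniffer on this medium sees
        # The far-end device terminates the link layer: it strips the header and
        # removes the link encryption, leaving the payload exactly as the sender left it.
        _, stripped = frame.split(b"|", 1)
        payload = toy_xor(seg.link_key, stripped) if seg.link_key else stripped
        at_hop[seg.name] = payload          # what that device (or anyone with access to it) sees
    return payload, on_wire, at_hop

# Constructed sample path: WPA2-style encrypted Wi-Fi to the access point, then clear Ethernet.
PATH = [Segment("wifi", b"wpa2-passphrase"), Segment("ethernet", None)]
MESSAGE = b"GET /account HTTP/1.1"

if __name__ == "__main__":
    delivered, wire, hop = send_over_path(MESSAGE, PATH)
    print("Wi-Fi air :", wire["wifi"])       # ciphertext: link encryption covers this leg
    print("Inside AP :", hop["wifi"])        # plaintext: the link layer ends here
    print("Ethernet  :", wire["ethernet"])   # plaintext: this leg has no link encryption
    delivered, wire, hop = send_over_path(MESSAGE, PATH, app_key=b"app-session-key")
    print("Inside AP with application-layer encryption:", hop["wifi"])  # still ciphertext
```

Without an application-layer key, the message is readable inside the access point and on the Ethernet leg; with one, every intermediate device and medium sees only ciphertext.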
Well, what about the Secure Sockets Layer, or Transport Layer Security (SSL/TLS)? Most of us have seen the little lock in the browser window when we are doing sensitive work, like online banking. We have been trained to interpret this lock icon as secure; it means that the transaction is secure and the information encrypted so that nobody can access the information except the intended recipient. So, how far does that security extend?