10 Protocols

in 20 Minutes

By Jon “The Nice Guy” Spriggs

https://jon.sprig.gs/blog

10 Protocols

in 20 Minutes… ish

By Jon “The Nice Guy” Spriggs

https://jon.sprig.gs/blog

Section 1

Host-to-host

Protocol 1: IP

Internet Protocol

Protocol 1: IP

What is it for?

Ties your MAC address to a routable address
Finds other devices in your subnet via broadcasts
Defines how two hosts connect together
- IP Protocol
- Source IP Address and Port
- Destination IP Address and Port
- Routing
Abstracts underlying network capabilities

Protocol 1: IP

How does it work? 1/2

The packet has a header explaining where it’s come from, where it’s going to, and how long it’s got to go before it abandons it’s try.
Any node on the route can rewrite the packet to hide the source or destination address (NAT) or port (PAT)
If the packet’s “Time To Live” expires, an ICMP message is sent back to the source

Protocol 1: IP

How does it work? 2/2

To route a packet from one network to another, each host has a routing table specifying the next hop gateway
Each step through the network resolves the MAC address of it’s gateway via an ARP request broadcast
When the address arrives at it’s destination, it follows a return path using the same method

Protocol 2: ICMP

Internet Control Message Protocol

Protocol 2: ICMP

What is it for?

Used to indicate routing and TCP/UDP issues
TTL counter in ICMP is misused by traceroute
Can notify you that a port or host is not responding
- Useful in LANs, not useful publicly

Protocol 3: TCP

Transmission Control Protocol

Protocol 3: TCP

What is it for?

Sending messages which guarantee acknowledgement
- Three Way Handshake (Syn, SynAck, Ack)
- Usually “Clean” termination (Reset or Fin, Ack)

Protocol 3: TCP

Where might I see it used?

HTTP/HTTPS
SSH
FTP
SMTP/POP3/IMAP
XMPP
IRC

Protocol 4: UDP

User Datagram Protocol

Protocol 4: UDP

What is it for?

Sending low latency, non-guaranteed messages

Protocol 4: UDP

Where might I see it used?

VoIP
Skype
Bittorrent
SIP
Syslog
DNS

Section 2

Client-to-Server Communications

Protocol 5: DNS

Domain Name System

Protocol 5: DNS

What is it for?

Used to resolve “Names” to IP Addresses
www.example.org -> 192.0.2.1
Also used to identify resources provided by that domain name
- A = IPv4 Address, AAAA = IPv6 Address
- CNAME = Alias, TXT = Other text
- MX records = Mail, NS = Responsible name server

Protocol 5: DNS

How does it work?

Your machine has a list of DNS servers it talks to
It asks all those servers to retrieve the record for a given name
If that DNS server doesn’t know it, it asks the root servers for the TLD NS
It then asks the TLD NS for the domain name NS
It then asks the domain name NS for the subdomain NS or record etc.

Protocol 6: HTTP

Hyper Text Transfer Protocol

Protocol 6: HTTP

What is it for?

Originally used to transfer Hyper Text Markup Language files to clients, now used as a general purpose transfer protocol for:
- HTML, Text, Images, Javascript
- JSON, XML, VPNs…
- Also provides Cats, Memes, more cats, LOLcats

Protocol 6: HTTP

How does it work? 1/2

The HTTP request sends several headers:
- Host, User Agent, Encodings, Cookies, Last successful request of that page and an “etag”for it.
Then a VERB request
- GET, PUT, POST, DELETE
Then the URI it wants

Protocol 6: HTTP

How does it work? 2/2

Server replies with headers of it’s own
- Response code (200, 404, etc), Length of response, last modified, etag for the page
Then the content of the URI, or verbose errors
- 404 File not found
- 302/307 redirect
- 401 authentication required

Protocol 7: TLS

Transport Layer Security

Protocol 7: TLS

What is it for?

Previous versions were called SSL. This is now depreciated.
TLS provides you with an encrypted tunnel over which you can pass lots of TCP or UDP protocols
These tunnels can be authenticated by the use of Certificate Authorities, or Trust On First Use (TOFU)

Protocol 7: TLS

Where will I see it?

Most commonly as the “S” in HTTPS
FTP/S
OpenVPN
Tor
SIP (using DTLS)

Protocol 7: TLS

How does it work? 1/3

Client starts by sending the highest version of TLS it supports, a random number, ciphers it supports
Server replies confirming the TLS version it supports, a random number, and says which cipher it picked from the list supplied by the client
It also sends it’s certificate.

Protocol 7: TLS

How does it work? 2/3

Assuming the server and client agree, and the certificate is acceptable then…
Client encrypts a Pre-Master-Secret with the Server’s public key, which was in the Certificate
Client and Server use `CRYPTOGRAPHY` to create the Master Secret from the data exchanged already

Protocol 7: TLS

How does it work? 3/3

Client encrypts the FINISHED message with the Master Secret, hashes the result and signs the hash
Server decrypts this, returns it’s own encrypted, signed and hashed FINISHED message.
Data is now sent encrypted using whatever new protocol they want to layer over the top.

Abridged version of: https://en.wikipedia.org/wiki/Transport_Layer_Security#TLS_handshake

Protocol 8: SSH

Secure Shell

Protocol 8: SSH

What is it for?

Originally designed as a secure replacement for the existing remote shell tools (rsh, telnet)
It now also permits file transfers, port forwarding, carrying forward keys for onward connections and even has a built-in VPN!
You can mount an SFTP location into your Linux File System with SSHFS

Protocol 8: SSH

How does it work?

Transport layer establishes a TOFU TLS-Like tunnel, without a CA chain
User authentication layer confirms credentials
Password (also referred to as keyboard-interactive)
Public Key (RSA/DSA/EC/x509)
Connection Layer provides the shell, port forwarding and execution of any commands

Protocol 9: IPsec

Internet Protocol Security

Protocol 9: IPsec

What is it for?

To provide an authenticated tunnel between
- Network-to-Network
- Host-to-Network
Optionally, also to encrypt that tunnel

Protocol 9: IPsec

How does it work? 1/3

There are technically two modes, AH and ESP
- AH (Authentication Header) provides authentication of origin and prevents replay attacks
- ESP (Encapsulation Security Payloads) adds encryption to the tunnel.
These both rely on IKE (Internet Key Exchange) to define the SA (Security Association) that the AH or ESP modes use

Protocol 9: IPsec

How does it work? 2/3

IKE operates on UDP 500 or 4500 and starts by initializing a Diffie-Hellman key exchange to create a shared key
This key is used to create the Phase 1 SA, that is then authenticated with either a shared secret or x509 Certificates
The SA is also encrypted with a designated cipher and hashing algorithm

Protocol 9: IPsec

How does it work? 3/3

Create Phase 2 SA for AH or ESP using Phase 1 SA
AH adds a sequence number to the IP packet, with the Phase 2 SA and Destination IP
ESP encrypts the entire IPv4 or IPv6 packet using the values from the IKE Phase 2 SA, adds the ESP headers and a hash to confirm it’s not been modified in transit

Abridged version of: https://en.wikipedia.org/wiki/Internet_Key_Exchange and https://en.wikipedia.org/wiki/IPsec

Section 3

Authentication

Protocol 10: TOTP

Time-Based One Time Password

Protocol 10: TOTP

What is it for?

Provides simple authentication using non-token authenticators

Protocol 10: TOTP

Where will I see it?

Google Authenticator
- Google, Facebook, Microsoft, Twitter
- Github, GitLab, Dropbox
And lots, lots, lots more (https://www.turnon2fa.com/tutorials/)

Protocol 10: TOTP

How does it work?

Take a shared secret key, add the current unix epoch timestamp divided by the “timestep”, SHA1 both, truncate it to 4 bytes (6 digits), compare to the server
If you’ve already seen that TOTP value or it isn’t more recent than the last known timestamp, reject it as used.
The server calculates a number of “windows” either side of the current timestamp, if it matches one of those, store that timestamp as the last used.

That was..

10 Protocols in 20 Minutes?

By @JonTheNiceGuy
https://jon.sprig.gs/blog