10 Protocols

in 20 Minutes

By Jon “The Nice Guy” Spriggs

https://jon.sprig.gs/blog

10 Protocols

in 20 Minutes… ish

 

By Jon “The Nice Guy” Spriggs

https://jon.sprig.gs/blog

Section 1

Host-to-host

Protocol 1: IP

Internet Protocol

Protocol 1: IP

What is it for?

  • Ties your MAC address to a routable address
  • Finds other devices in your subnet via broadcasts
  • Defines how two hosts connect together
    • IP Protocol
    • Source IP Address and Port
    • Destination IP Address and Port
    • Routing
  • Abstracts underlying network capabilities

Protocol 1: IP

How does it work? 1/2

  • The packet has a header explaining where it’s come from, where it’s going to, and how long it has left before it is abandoned.
  • Any node on the route can rewrite the packet to hide the source or destination address (NAT) or port (PAT)
  • If the packet’s “Time To Live” expires, an ICMP message is sent back to the source

Protocol 1: IP

How does it work? 2/2

  • To route a packet from one network to another, each host has a routing table specifying the next hop gateway
  • Each step through the network resolves the MAC address of its gateway via an ARP request broadcast
  • When the packet arrives at its destination, the reply follows a return path using the same method
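An added example, not part of the original slides: parsing the IPv4 header fields described above and doing what one router hop does to the Time To Live. The function names and the sample packet (documentation addresses 192.0.2.1 and 198.51.100.7) are constructed for illustration.

```python
import ipaddress
import struct

IPV4_FMT = ">BBHHHBBH4s4s"  # fixed 20-byte IPv4 header, no options

def checksum(header: bytes) -> int:
    """RFC 1071 ones'-complement sum over the header's 16-bit words."""
    total = sum(struct.unpack(f">{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_header(src: str, dst: str, ttl: int, proto: int = 6) -> bytes:
    """Constructed sample packet: header only, protocol 6 = TCP."""
    raw = struct.pack(IPV4_FMT, 0x45, 0, 20, 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return raw[:10] + struct.pack(">H", checksum(raw)) + raw[12:]

def parse_header(raw: bytes) -> dict:
    if len(raw) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, length, _, _, ttl, proto, _, src, dst = struct.unpack(
        IPV4_FMT, raw[:20])
    ihl = (ver_ihl & 0x0F) * 4  # header length in bytes
    if ver_ihl >> 4 != 4 or ihl < 20 or len(raw) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    if checksum(raw[:ihl]) != 0:  # a valid header sums to zero
        raise ValueError("header checksum mismatch")
    return {"src": str(ipaddress.IPv4Address(src)),
            "dst": str(ipaddress.IPv4Address(dst)),
            "ttl": ttl, "proto": proto, "ihl": ihl, "length": length}

def forward(raw: bytes):
    """One router hop: returns (packet_to_send, icmp_notice)."""
    hdr = parse_header(raw)
    if hdr["ttl"] <= 1:
        # TTL would reach zero: drop the packet and report to the source
        return None, f"ICMP time exceeded -> {hdr['src']}"
    out = bytearray(raw)
    out[8] = hdr["ttl"] - 1       # TTL lives at byte offset 8
    out[10:12] = b"\x00\x00"      # zero the checksum before recomputing
    out[10:12] = struct.pack(">H", checksum(bytes(out[:hdr["ihl"]])))
    return bytes(out), None
```

Any node that rewrites a header field, whether the TTL here or an address under NAT, has to recompute the header checksum, which is why `forward` does so before sending the packet on.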

Protocol 2: ICMP

Internet Control Message Protocol

Protocol 2: ICMP

What is it for?

  • Used to indicate routing and TCP/UDP issues
  • TTL counter in ICMP is misused by traceroute
  • Can notify you that a port or host is not responding
    • Useful in LANs, not useful publicly

Protocol 3: TCP

Transmission Control Protocol

Protocol 3: TCP

What is it for?

  • Sending messages which guarantee acknowledgement
    • Three Way Handshake (Syn, SynAck, Ack)
    • Usually “Clean” termination (Reset or Fin, Ack)

Protocol 3: TCP

Where might I see it used?

  • HTTP/HTTPS
  • SSH
  • FTP
  • SMTP/POP3/IMAP
  • XMPP
  • IRC

Protocol 4: UDP

User Datagram Protocol

Protocol 4: UDP

What is it for?

  • Sending low latency, non-guaranteed messages

Protocol 4: UDP

Where might I see it used?

  • VoIP
  • Skype
  • Bittorrent
  • SIP
  • Syslog
  • DNS

Section 2

Client-to-Server Communications

Protocol 5: DNS

Domain Name System

Protocol 5: DNS

What is it for?

  • Used to resolve “Names” to IP Addresses
  • www.example.org -> 192.0.2.1
  • Also used to identify resources provided by that domain name
    • A = IPv4 Address, AAAA = IPv6 Address
    • CNAME = Alias, TXT = Other text
    • MX records = Mail, NS = Responsible name server

Protocol 5: DNS

How does it work?

  • Your machine has a list of DNS servers it talks to
  • It asks all those servers to retrieve the record for a given name
  • If that DNS server doesn’t know it, it asks the root servers for the TLD NS
  • It then asks the TLD NS for the domain name NS
  • It then asks the domain name NS for the subdomain NS or record etc.

Protocol 6: HTTP

Hyper Text Transfer Protocol

Protocol 6: HTTP

What is it for?

  • Originally used to transfer Hyper Text Markup Language files to clients, now used as a general purpose transfer protocol for:
    • HTML, Text, Images, Javascript
    • JSON, XML, VPNs…
    • Also provides Cats, Memes, more cats, LOLcats

Protocol 6: HTTP

How does it work? 1/2

  • The HTTP request sends several headers:
    • Host, User Agent, Encodings, Cookies, Last successful request of that page and an “etag” for it.
  • Then a VERB request
    • GET, PUT, POST, DELETE
  • Then the URI it wants

Protocol 6: HTTP

How does it work? 2/2

  • Server replies with headers of its own
    • Response code (200, 404, etc), Length of response, last modified, etag for the page
  • Then the content of the URI, or verbose errors
    • 404 File not found
    • 302/307 redirect
    • 401 authentication required

Protocol 7: TLS

Transport Layer Security

Protocol 7: TLS

What is it for?

  • Previous versions were called SSL. This is now deprecated.
  • TLS provides you with an encrypted tunnel over which you can pass lots of TCP or UDP protocols
  • These tunnels can be authenticated by the use of Certificate Authorities, or Trust On First Use (TOFU)

Protocol 7: TLS

Where will I see it?

  • Most commonly as the “S” in HTTPS
  • FTP/S
  • OpenVPN
  • Tor
  • SIP (using DTLS)

Protocol 7: TLS

How does it work? 1/3

  • Client starts by sending the highest version of TLS it supports, a random number, ciphers it supports
  • Server replies confirming the TLS version it supports, a random number, and says which cipher it picked from the list supplied by the client
  • It also sends its certificate.

Protocol 7: TLS

How does it work? 2/3

  • Assuming the server and client agree, and the certificate is acceptable then…
  • Client encrypts a Pre-Master-Secret with the Server’s public key, which was in the Certificate
  • Client and Server use `CRYPTOGRAPHY` to create the Master Secret from the data exchanged already

Protocol 7: TLS

How does it work? 3/3

  • Client encrypts the FINISHED message with the Master Secret, hashes the result and signs the hash
  • Server decrypts this, returns its own encrypted, signed and hashed FINISHED message.
  • Data is now sent encrypted using whatever new protocol they want to layer over the top.

Abridged version of: https://en.wikipedia.org/wiki/Transport_Layer_Security#TLS_handshake

Protocol 8: SSH

Secure Shell

Protocol 8: SSH

What is it for?

  • Originally designed as a secure replacement for the existing remote shell tools (rsh, telnet)
  • It now also permits file transfers, port forwarding, carrying forward keys for onward connections and even has a built-in VPN!
  • You can mount an SFTP location into your Linux File System with SSHFS

Protocol 8: SSH

How does it work?

  • Transport layer establishes a TOFU TLS-Like tunnel, without a CA chain
  • User authentication layer confirms credentials
  • Password (also referred to as keyboard-interactive)
  • Public Key (RSA/DSA/EC/x509)
  • Connection Layer provides the shell, port forwarding and execution of any commands

Protocol 9: IPsec

Internet Protocol Security

Protocol 9: IPsec

What is it for?

  • To provide an authenticated tunnel between
    • Network-to-Network
    • Host-to-Network
  • Optionally, also to encrypt that tunnel

Protocol 9: IPsec

How does it work? 1/3

  • There are technically two modes, AH and ESP
    • AH (Authentication Header) provides authentication of origin and prevents replay attacks
    • ESP (Encapsulation Security Payloads) adds encryption to the tunnel.
  • These both rely on IKE (Internet Key Exchange) to define the SA (Security Association) that the AH or ESP modes use

Protocol 9: IPsec

How does it work? 2/3

  • IKE operates on UDP 500 or 4500 and starts by initializing a Diffie-Hellman key exchange to create a shared key
  • This key is used to create the Phase 1 SA, that is then authenticated with either a shared secret or x509 Certificates
  • The SA is also encrypted with a designated cipher and hashing algorithm

Protocol 9: IPsec

How does it work? 3/3

  • Create Phase 2 SA for AH or ESP using Phase 1 SA
  • AH adds a sequence number to the IP packet, with the Phase 2 SA and Destination IP
  • ESP encrypts the entire IPv4 or IPv6 packet using the values from the IKE Phase 2 SA, adds the ESP headers and a hash to confirm it’s not been modified in transit

Abridged version of: https://en.wikipedia.org/wiki/Internet_Key_Exchange and https://en.wikipedia.org/wiki/IPsec

Section 3

Authentication

Protocol 10: TOTP

Time-Based One Time Password

Protocol 10: TOTP

What is it for?

  • Provides simple authentication using non-token authenticators

Protocol 10: TOTP

Where will I see it?

Protocol 10: TOTP

How does it work?

  • Take a shared secret key, add the current unix epoch timestamp divided by the “timestep”, SHA1 both, truncate it to 4 bytes (6 digits), compare to the server
  • If you’ve already seen that TOTP value or it isn’t more recent than the last known timestamp, reject it as used.
  • The server calculates a number of “windows” either side of the current timestamp, if it matches one of those, store that timestamp as the last used.
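An added example, not part of the original slides: the steps above written out as RFC 6238 specifies them, where the hash is HMAC-SHA1 keyed with the shared secret and the 4 bytes are chosen by dynamic truncation. The `TotpVerifier` class and its parameter names are illustrative; the secret in the test values is the RFC's published test key.

```python
import hashlib
import hmac
import struct

def totp(secret: bytes, unix_time: int, timestep: int = 30,
         digits: int = 6) -> str:
    counter = unix_time // timestep            # epoch time / timestep
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                    # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class TotpVerifier:
    """Server side: accepts codes within +/- `window` timesteps and
    rejects any code at or before the last accepted timestep."""

    def __init__(self, secret: bytes, timestep: int = 30, window: int = 1):
        self.secret = secret
        self.timestep = timestep
        self.window = window
        self.last_counter = -1                 # nothing accepted yet

    def verify(self, candidate: str, now: int) -> bool:
        current = now // self.timestep
        for counter in range(current - self.window,
                             current + self.window + 1):
            if counter <= self.last_counter:
                continue                       # already used, or older
            expected = totp(self.secret, counter * self.timestep,
                            self.timestep)
            # constant-time comparison of the two digit strings
            if hmac.compare_digest(expected.encode(), candidate.encode()):
                self.last_counter = counter    # remember as last used
                return True
        return False
```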

That was..

10 Protocols in 20 Minutes?

 

By @JonTheNiceGuy
https://jon.sprig.gs/blog