Thursday, July 21, 2016

How do Proxy Servers work?


Original article: https://www.thesecuritybuddy.com/network-security/what-is-a-proxy-server-and-how-does-it-work/

If you are a frequent internet user, it is very likely that you have used, or at least heard of, Proxy Servers. Some of us may also have heard the terms Forward Proxy Server and Reverse Proxy Server. But what are they actually? How do they work? And how are they different from each other?

Let’s look at that in detail.


What are Proxy Servers?


A Proxy Server is a server that acts as an intermediary between a client requesting a connection or service and the server that provides the resource. All requests from the client, as well as the responses from the server, pass through the Proxy Server. This gives administrative control over the content being relayed and, at the same time, hides the IP address of the host behind the Proxy Server.

We will look at this in detail.


Types of Proxy Servers


Depending on how the Proxy Server functions, there are three main types of Proxy Server:

  • Forward Proxy Server
  • Reverse Proxy Server
  • Open Proxy Server



Forward Proxy Server


A Forward Proxy Server is a proxy server that provides proxy services to a group of clients, typically the hosts of an internal network. When one of the clients in the internal network makes a connection request, the request passes through the Forward Proxy Server. The Forward Proxy Server inspects the request and decides whether the connection should proceed. Based on that decision, it makes a connection to the requested server that provides the resource. The requested server cannot see the IP address of the requesting client in the internal network; it sees the connection as coming from the Forward Proxy Server. The requested server sends its response to the Forward Proxy Server, which then forwards the response to the requesting client inside the internal network.


When is a Forward Proxy Server used?


There are a number of reasons for using a Forward Proxy Server:

  • A Forward Proxy Server typically works together with a firewall, so it can control the traffic originating from clients in the internal network and help secure the internal network.
  • A Forward Proxy Server acts as a single point of access and control for the clients in the internal network. As it provides administrative control over the content being relayed, it is easier to enforce security policies with a Forward Proxy Server.
  • A Forward Proxy Server hides the IP addresses of the clients in the internal network, which protects the internal clients.
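As an added example (not code from the original post), here is the decision and rewriting step a forward proxy performs on each client request, in Python. The allowed-host policy and the client address 10.0.0.5 are constructed for the example: the proxy parses the client's absolute-form request, applies the policy, rewrites the request into the form the origin server expects and adds a Via header, so the origin server sees the proxy but never the internal client's address. CONNECT tunnels for HTTPS are out of scope here.

```python
from urllib.parse import urlsplit

# Constructed policy for the example: hosts the internal network is allowed to reach.
ALLOWED_HOSTS = {"www.example.com", "intranet.example.org"}
# Proxy-specific and hop-by-hop headers that must not be passed on to the origin server.
STRIP_HEADERS = {"proxy-connection", "proxy-authorization", "connection", "keep-alive", "host"}


def parse_request(raw):
    """Split a client-to-proxy HTTP/1.1 request (absolute-form target) into its parts."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, version, headers, body


def forward(client_ip, raw):
    """Apply policy to one client request and build the request the proxy sends upstream.

    Returns (decision, payload, audit_line). For an allowed request the payload is the
    rewritten request: origin-form target, no client identity, Via header added.
    """
    method, target, version, headers, body = parse_request(raw)
    audit = f"client={client_ip} {method} {target}"
    url = urlsplit(target)
    if method == "CONNECT" or url.scheme != "http" or url.hostname is None:
        return "deny", "only plain-HTTP absolute-form requests are handled here", audit + " deny"
    if url.hostname not in ALLOWED_HOSTS:
        return "deny", f"host {url.hostname} not permitted by policy", audit + " deny"
    path = url.path or "/"
    if url.query:
        path += "?" + url.query
    out = [f"{method} {path} {version}",
           f"Host: {url.hostname}" + (f":{url.port}" if url.port else "")]
    out += [f"{n.title()}: {v}" for n, v in headers.items() if n not in STRIP_HEADERS]
    # Via marks the proxy hop (RFC 7230); the client's address is deliberately not forwarded.
    out += ["Via: 1.1 forward-proxy", "Connection: close"]
    payload = ("\r\n".join(out) + "\r\n\r\n").encode("iso-8859-1") + body
    return "allow", payload, audit + f" allow -> {url.hostname}"
```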



Reverse Proxy Server


When a group of servers provides resources to external clients, another type of proxy server, called a Reverse Proxy Server, can be used to protect the group of servers providing the services. With a Reverse Proxy Server, when an external client makes a request to one of the servers in the internal network, the request passes through the Reverse Proxy Server. If the connection is allowed, the internal server sends its response back through the Reverse Proxy Server. The external client cannot see the IP address of the internal server; it sees the connection as coming from the Reverse Proxy Server. So, while a Forward Proxy Server hides the IP addresses of the internal clients requesting services, a Reverse Proxy Server hides the IP addresses of the internal servers providing services.



When is a Reverse Proxy Server used?


There are a number of reasons for using a Reverse Proxy Server:

  • As a Reverse Proxy Server hides the IP addresses of the internal servers, it makes it much harder for attackers to attack the internal servers directly, whether to steal data or to launch further attacks.
  • A Reverse Proxy Server also works together with a firewall. As it is the single point of access and control for the internal servers, it can exercise administrative control over the content being relayed and enforce security for the internal servers.
  • A Reverse Proxy Server can also act as a load balancer for the group of internal servers behind it. When a Reverse Proxy Server receives a large volume of incoming requests, it can distribute the incoming traffic across the cluster of servers that provide the same kind of service. For example, a Reverse Proxy Server can perform load balancing for a cluster of FTP servers behind it.
  • If more than one server in the internal network provides SSL encryption, a Reverse Proxy Server can perform the SSL encryption instead, using SSL acceleration hardware. The internal servers can use a single SSL proxy for SSL encryption, which eliminates the need for separate SSL certificates on the internal servers.
  • A Reverse Proxy Server can cache the static content of the internal web servers behind it, reducing the load on the web servers.
  • A Reverse Proxy Server can also optimize and compress content to reduce the load time of the service.
  • If the requesting external clients are very slow, a Reverse Proxy Server can cache the content from the internal servers behind it and feed it to the slow external clients at their own pace.
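As an added example (not from the original post), a minimal reverse proxy core in Python that covers three of the points above: round-robin load balancing over a pool of internal servers, caching of static content with a time-to-live, and scrubbing of response headers that would reveal the internal server to the external client. The backend addresses, the fetch callback that stands in for the network, and the list of cacheable suffixes are constructed for the example.

```python
import itertools
import time

# Constructed for the example: the internal server pool and what counts as static content.
BACKENDS = ["10.0.1.11:8080", "10.0.1.12:8080", "10.0.1.13:8080"]
STATIC_SUFFIXES = (".css", ".js", ".png", ".jpg")
CACHE_TTL = 300  # seconds a cached static object stays fresh
INTERNAL_HEADERS = {"server", "x-backend", "x-powered-by"}  # would reveal the internal server


class ReverseProxy:
    """Single entry point for a pool of internal servers: load balancing, caching, hiding."""

    def __init__(self, backends, fetch, clock=time.time):
        self._pool = itertools.cycle(backends)  # round-robin load balancing
        self._fetch = fetch   # fetch(backend, path) -> (status, headers, body); stands in for the network
        self._clock = clock
        self._cache = {}      # path -> (expiry, response)
        self.log = []         # (path, served_from) audit records

    def handle(self, path):
        """Serve one external request: from cache when fresh, else from the next backend."""
        static = path.endswith(STATIC_SUFFIXES)
        if static:
            hit = self._cache.get(path)
            if hit and hit[0] > self._clock():
                self.log.append((path, "cache"))
                return self._public(*hit[1])
        backend = next(self._pool)
        status, headers, body = self._fetch(backend, path)
        if static and status == 200:
            self._cache[path] = (self._clock() + CACHE_TTL, (status, headers, body))
        self.log.append((path, backend))
        return self._public(status, headers, body)

    @staticmethod
    def _public(status, headers, body):
        """Rewrite the response so the external client sees only the proxy."""
        public = {k: v for k, v in headers.items() if k.lower() not in INTERNAL_HEADERS}
        public["Server"] = "reverse-proxy"
        return status, public, body
```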


So, to summarize: for a Forward Proxy Server, connection requests come from a group of internal clients behind the proxy server and pass through the proxy server, which hides the IP address of the requesting internal client. For a Reverse Proxy Server, connection requests come from external clients to a group of internal servers behind the proxy server, and the connections pass through the proxy server, which hides the IP addresses of the internal servers.



Open Proxy Server


An Open Proxy Server is a proxy server that is accessible to any internet user. If an internet user uses an Open Proxy Server, all connection requests as well as the responses pass through the Open Proxy Server, hiding the IP address of the internet user. So, by using an Open Proxy Server, a user can hide his IP address from the requested web servers or internet content providers.



Why use an Open Proxy Server?


An Open Proxy Server can help a user hide his IP address from the requested internet content provider servers. But please note that anonymity or comprehensive internet security might not be achieved by using an Open Proxy Server alone.


Proxy vs NAT


The main difference between a proxy and NAT lies in the layer of the OSI Reference Model at which they operate. A proxy works mostly at layer 7 of the OSI Reference Model, whereas NAT works at layer 3. As they operate at two different layers, their configuration also differs.

For NAT, configuring the gateway is sufficient. For a proxy, however, the destination of each packet that the requesting client generates must be changed to the proxy server, so the client side has to be configured accordingly.

Thursday, July 7, 2016

What is Identity Based Encryption?

Original article: https://www.thesecuritybuddy.com/encryption/what-is-identity-based-encryption/

Encryption technologies like DSA, RSA, etc. use public key cryptography. Every user has his own public-private keypair, with which anyone can start encrypted communication with the user. But there is a major drawback in these technologies: they mostly depend on a public key distribution infrastructure. Every user gets his keypair from a trusted Certificate Authority, and anyone who wants to start encrypted communication has to obtain the user's public key certificate and verify it with the Certificate Authority before the encrypted communication can begin. This process is time consuming, error-prone and at times quite inconvenient. Identity Based Encryption, or IBE, is an encryption technology developed to reduce these barriers to a great extent while still providing secure communication.

Identity Based Encryption, or IBE, is a type of public key encryption in which the public key of a user is some unique information based on the identity of the user, such as an email address. Anyone who wants to send an encrypted message to the user can encrypt it with the text value of that identity-based public key, such as the text of an email address, and send it. The user decrypts the message with the private key associated with the identity-based public key.


How does Identity Based Encryption work?


IBE works in the following way:

  • A trusted third party called the Private Key Generator, or PKG, first generates its own public-private keypair. It publishes its public key, called the Master Public Key, and keeps the private key, called the Master Private Key or Master Key, secret.
  • A user who wants to generate an IBE keypair first obtains the public key of the PKG. The user then combines his identity value, such as his email address, with the Master Public Key and generates the actual public key.
  • The user then contacts the PKG with this public key. The PKG combines the user’s public key with its own Master Private Key to generate the private key of the user.
  • Anyone who wants to send an encrypted message to the user can encrypt it with the identity-based public key, for example the user’s email address. The user can decrypt it with the private key obtained from the PKG.


Can a user expire his Identity Based Encryption Keys?


Technically, a user can expire his IBE keys.

Suppose a user named Bob wants to expire his IBE keys every year and wants to use his email address bob@example.com for that purpose. To do that, Bob can append the current year to his email address, i.e. he can use ‘bob@example.com | <current year>’ as the identity-based public key, from which the PKG generates his private key. That private key is valid for the current year only. After the end of the year, Bob changes the year in the identity-based public key and obtains the corresponding new private key from the PKG.

Please note that even if Bob changes his private key, a sender who wants to send an encrypted message to Bob need not worry much. He just changes the value of the current year in the identity-based public key, here ‘bob@example.com | <current year>’, and encrypts the message with that. Once a user gets his private key from the PKG, neither the user nor the sender needs to communicate with the PKG further. This is one of the most significant advantages of IBE.


What if a user’s Identity Based Encryption Keys are lost or stolen?


Well, this problem can also be handled.

A user can append the current date, instead of the current year, to his identity (for example his email address) to obtain his identity-based public key and the corresponding private key, as described above.

Now suppose the user stores his private keys on his laptop and the laptop is lost for three days. In that case, only the private keys corresponding to those three days will be compromised. From the fourth day onward, he can keep obtaining new private keys from the PKG as usual and continue with normal operations.
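As an added example (not from the original post), here is a minimal implementation in Python of Cocks' identity-based encryption scheme (Clifford Cocks, 2001), which needs nothing beyond integer arithmetic: the PKG's Master Private Key is the factorisation of N, the Master Public Key is N, an identity string such as ‘bob@example.com | 2016’ (the year-suffixed form described above) is hashed into the user's public key, and the PKG extracts the matching private key. It walks through the PKG steps from the section on how IBE works as well as the expiring identities discussed here; the primes are toy Mersenne primes, constructed for illustration and far too small for real use.

```python
import hashlib
import secrets

# Toy master parameters, constructed for the example: two Mersenne primes, both 3 mod 4 as
# Cocks' scheme requires. A real PKG uses random primes of 1024+ bits each; these are tiny.
P, Q = (1 << 89) - 1, (1 << 107) - 1   # Master Private Key (kept by the PKG)
N = P * Q                             # Master Public Key (published)

def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0; 0 when gcd(a, n) > 1."""
    a, result = a % n, 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0

def public_key(identity):
    """Combine the identity string with the Master Public Key: hash into Z_N with (a/N) = 1."""
    for counter in range(1 << 16):
        a = int.from_bytes(hashlib.sha256(f"{identity}|{counter}".encode()).digest(), "big") % N
        if jacobi(a, N) == 1:
            return a
    raise ValueError("no suitable hash found")

def extract_private_key(identity):
    """PKG step: needs P and Q; returns r with r^2 = +a or r^2 = -a (mod N)."""
    return pow(public_key(identity), (N + 5 - P - Q) // 8, N)

def encrypt_bit(identity, bit):
    """Sender needs only N and the identity. Returns (s1, s2), one per possible sign of r^2."""
    a, m, out = public_key(identity), (1 if bit else -1), []
    for sign in (1, -1):
        t = secrets.randbelow(N - 2) + 2
        while jacobi(t, N) != m:            # pick t whose Jacobi symbol encodes the bit
            t = secrets.randbelow(N - 2) + 2
        out.append((t + sign * a * pow(t, -1, N)) % N)
    return tuple(out)

def decrypt_bit(identity, r, ciphertext):
    """Receiver uses r: the Jacobi symbol of s + 2r recovers the bit."""
    a = public_key(identity)
    s = ciphertext[0] if pow(r, 2, N) == a else ciphertext[1]
    return 1 if jacobi((s + 2 * r) % N, N) == 1 else 0
```

Messages are encrypted bit by bit; a key issued for ‘bob@example.com | 2017’ is a different value, so traffic encrypted to the 2016 identity is not readable with it.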


Advantages of Identity Based Encryption


IBE has several advantages:

  • If a user Alice wants to send an encrypted message to Bob, who has the email address bob@example.com, she does not need to obtain Bob’s public key certificate or verify it with any Certificate Authority. She can simply encrypt the message using the text value of Bob’s email address, bob@example.com, and send it. This is much simpler, more convenient and less time consuming than any public key encryption technology based on a Public Key Infrastructure.
  • IBE eliminates the need for a Public Key Infrastructure. The authenticity of the public key is implicit, as an identity-based value is used for that purpose.
  • As IBE eliminates the need for certificates, it removes the hurdles of PKI: certificate lookup, key life cycle management, certificate revocation and cross-certification issues. It makes the security system much more dynamic, lightweight and scalable.
  • An organization can run its own PKG very efficiently. It can issue a private key to every employee based on his corporate email address, and when an employee leaves the organization, it can simply instruct the PKG not to generate any more private keys for that user.
  • IBE can also be used efficiently in some complex scenarios. For example, suppose an employee has several assistants, such as for purchasing and HR, who may read emails that fall within their responsibilities. In that case, a sender can encrypt the email using the employee’s email address together with a subject line indicating the assistant who should read it. The PKG can generate a separate private key for each assistant, based on the employee’s email address with the appropriate assistant appended, and distribute it. As a result, an assistant can read the emails that fall within his responsibility, but not those of the others, and it is convenient for the sender too.


Drawbacks of Identity Based Encryption


IBE has a couple of drawbacks. The major ones are given below:

  • If a PKG is compromised, the messages protected by the Master Private Key are also compromised.
  • A PKG generates the private keys of all users using its own Master Private Key. So, technically, it can sign or decrypt any message of its users without authorization. But, as said earlier, an organization can run its own PKG and trust its administrators to counter this problem.