Secure Services and Protocols – SSCP Cryptography Domain Guide
Why Secure Services and Protocols Are Important
In modern networks, data in transit is vulnerable to interception, modification, and replay attacks. Secure services and protocols use cryptographic mechanisms to ensure confidentiality, integrity, and authentication of communications. Understanding these protocols is essential for any security professional because they form the backbone of secure communication across the internet and within enterprise environments. A misconfigured or outdated protocol can expose an entire organization to devastating breaches.
What Are Secure Services and Protocols?
Secure services and protocols are communication standards that incorporate encryption, hashing, and authentication to protect data as it moves between systems. They replace or enhance older, insecure protocols that transmitted data in cleartext. Key examples include:
1. TLS/SSL (Transport Layer Security / Secure Sockets Layer)
TLS is the successor to SSL and provides encrypted communication between clients and servers. It operates at the Transport layer and is used to secure web traffic (HTTPS), email, VoIP, and more. TLS uses a handshake process involving asymmetric encryption for key exchange, followed by symmetric encryption for bulk data transfer. SSL versions (including SSLv3) are considered deprecated and insecure.
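As an added example (not from the original guide), the following Python check puts the two points a practitioner acts on into code: refuse the deprecated SSL/early TLS versions, and tell whether a negotiated session has forward secrecy (the PFS property discussed under exam tip 11 below). Only the standard library `ssl` module is used; the version strings and OpenSSL-style cipher names are those `SSLSocket.version()` and `SSLSocket.cipher()` report, and the sample observations at the bottom are constructed, not taken from any real scan.

```python
import ssl

# Policy floor: everything below TLS 1.2 is treated as deprecated.
MIN_VERSION = "TLSv1.2"
VERSION_RANK = {"SSLv2": 0, "SSLv3": 1, "TLSv1": 2, "TLSv1.1": 3,
                "TLSv1.2": 4, "TLSv1.3": 5}


def hardened_client_context():
    """Client context that verifies certificates and refuses anything below
    TLS 1.2 (TLS 1.3 stays allowed, since only the floor is raised)."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def has_forward_secrecy(version, cipher_name):
    """True when the session key came from an ephemeral (EC)DHE exchange.
    TLS 1.3 removed static RSA key transport, so every 1.3 suite has PFS;
    for TLS 1.2 and earlier the OpenSSL suite name encodes the exchange."""
    if version == "TLSv1.3":
        return True
    return cipher_name.startswith(("ECDHE-", "DHE-"))


def assess_session(version, cipher_name):
    """Evaluate one negotiated (version, cipher) pair; return a list of findings
    (an empty list means the session meets the policy)."""
    findings = []
    if version not in VERSION_RANK:
        findings.append(f"unknown protocol version {version!r}")
    elif VERSION_RANK[version] < VERSION_RANK[MIN_VERSION]:
        findings.append(f"{version} is deprecated; require {MIN_VERSION} or later")
    if not has_forward_secrecy(version, cipher_name):
        findings.append(f"{cipher_name} lacks forward secrecy (static key exchange)")
    return findings


# Constructed sample observations, as a scanner or connection log might list them.
SAMPLES = [
    ("TLSv1.3", "TLS_AES_256_GCM_SHA384"),
    ("TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256"),
    ("TLSv1.2", "AES256-GCM-SHA384"),   # RSA key transport: no PFS
    ("SSLv3", "DES-CBC3-SHA"),          # deprecated version and no PFS
]


def audit(samples=SAMPLES):
    """Map each 'version cipher' label to its findings."""
    return {f"{v} {c}": assess_session(v, c) for v, c in samples}


if __name__ == "__main__":
    for label, findings in audit().items():
        print(label, "->", "OK" if not findings else "; ".join(findings))
```

The same `assess_session` function can be fed live values from a connected socket (`sock.version()` and `sock.cipher()[0]`), which is how the check is used in practice; keeping the policy in one place means the exam-style rule "prefer TLS 1.2/1.3 with ECDHE" and the runtime check cannot drift apart.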
2. IPsec (Internet Protocol Security)
IPsec operates at the Network layer and secures IP communications by authenticating and encrypting each IP packet. It has two main modes:
- Transport Mode: Encrypts only the payload of the IP packet; used for end-to-end communication.
- Tunnel Mode: Encrypts the entire IP packet and encapsulates it in a new packet; used for VPN connections.
IPsec uses two core protocols: AH (Authentication Header) for integrity and authentication, and ESP (Encapsulating Security Payload) for confidentiality, integrity, and authentication. Key exchange is handled by IKE (Internet Key Exchange).
3. SSH (Secure Shell)
SSH provides encrypted remote access to systems, replacing insecure Telnet. It operates on TCP port 22 and supports secure file transfers (SCP, SFTP), port forwarding, and tunneling. SSH uses public key authentication and symmetric encryption for session data.
4. S/MIME (Secure/Multipurpose Internet Mail Extensions)
S/MIME provides authentication, message integrity, non-repudiation, and confidentiality for email. It uses digital certificates (X.509) and supports both digital signatures and encryption of email content.
5. HTTPS (HTTP Secure)
HTTPS is HTTP running over TLS on port 443. It encrypts web traffic between browsers and servers, protecting sensitive data such as login credentials and payment information.
6. DNSSEC (Domain Name System Security Extensions)
DNSSEC adds authentication to DNS responses using digital signatures, protecting against DNS spoofing and cache poisoning attacks. It does not encrypt DNS queries but ensures the integrity and authenticity of DNS data.
7. FTPS and SFTP
- FTPS: FTP secured with TLS/SSL. It uses ports 989/990.
- SFTP: File transfer over SSH. It uses port 22.
Both replace the insecure FTP protocol, which transmits credentials in cleartext.
8. SNMPv3 (Simple Network Management Protocol version 3)
SNMPv3 adds authentication, integrity, and encryption to network management communications. Earlier versions (v1 and v2) used community strings transmitted in cleartext.
9. LDAPS (Lightweight Directory Access Protocol Secure)
LDAPS is LDAP over TLS/SSL, providing encrypted directory queries on port 636 instead of the standard LDAP port 389.
10. Kerberos
Kerberos is a network authentication protocol that uses symmetric key cryptography and a trusted third party (Key Distribution Center) to authenticate users and services. It uses tickets to prove identity and operates on port 88.
How Secure Services and Protocols Work
Most secure protocols follow a similar pattern:
Step 1 – Negotiation: The client and server agree on supported cryptographic algorithms (cipher suites).
Step 2 – Authentication: One or both parties prove their identity, typically using digital certificates or pre-shared keys.
Step 3 – Key Exchange: A session key is established using asymmetric cryptography (e.g., Diffie-Hellman or RSA key exchange).
Step 4 – Secure Communication: Data is encrypted using symmetric encryption with the session key, and integrity is verified using hashing algorithms (e.g., HMAC-SHA256).
Step 5 – Termination: The session is closed securely, and session keys are discarded.
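The five steps above, carried through end to end in a toy session as an added example (this is not code from the guide, and it is not a real protocol implementation). Assumptions to keep in mind: the Diffie-Hellman group uses the prime 2^521 - 1 with generator 2 purely for illustration, where a real deployment uses a standardized group or ECDHE; authentication is by a constructed pre-shared key rather than certificates; the cipher suite names are constructed labels; and an HMAC-SHA256 keystream stands in for AES so the example needs only the Python standard library. What the code does show faithfully is the shape of the pattern: a negotiated suite, key shares bound to the transcript and authenticated, identical shared secrets on both sides expanded into per-direction keys with HKDF, encrypt-then-MAC records whose sequence numbers defeat replay, and key material discarded at termination.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group for illustration only: p = 2^521 - 1 is prime (a
# Mersenne prime) and g = 2. Production code uses RFC 7919 groups or ECDHE.
P = 2**521 - 1
G = 2
PSK = b"constructed-demo-psk"  # constructed; certificates play this role in TLS

# Constructed suite labels, not real TLS cipher suite names.
CLIENT_OFFER = ["DHE_PSK_HMAC_SHA256", "DHE_PSK_HMAC_SHA1"]
SERVER_SUPPORT = {"DHE_PSK_HMAC_SHA256"}


def negotiate(offer, supported):
    """Step 1: the client's most preferred suite that the server also supports."""
    for suite in offer:
        if suite in supported:
            return suite
    raise ValueError("no common cipher suite")


def hkdf(secret, salt, info, length=32):
    """Minimal HKDF-SHA256 (RFC 5869 extract, then expand)."""
    prk = hmac.new(salt, secret, hashlib.sha256).digest()
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out, counter = out + block, counter + 1
    return out[:length]


def auth_tag(transcript, pub):
    """Step 2: prove knowledge of the PSK, bound to this handshake's key share."""
    return hmac.new(PSK, transcript + pub.to_bytes(66, "big"), hashlib.sha256).digest()


def xor_stream(key, seq, data):
    """HMAC-SHA256 in counter mode as a stand-in stream cipher (demo only)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = seq.to_bytes(8, "big") + i.to_bytes(4, "big")
        ks = hmac.new(key, block, hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)


def seal(enc_key, mac_key, seq, plaintext):
    """Step 4 (send): encrypt, then MAC over sequence number and ciphertext."""
    ct = xor_stream(enc_key, seq, plaintext)
    tag = hmac.new(mac_key, seq.to_bytes(8, "big") + ct, hashlib.sha256).digest()
    return ct + tag


def unseal(enc_key, mac_key, seq, record):
    """Step 4 (receive): verify the tag under the expected sequence number first."""
    ct, tag = record[:-32], record[-32:]
    expected = hmac.new(mac_key, seq.to_bytes(8, "big") + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed (tampered or replayed record)")
    return xor_stream(enc_key, seq, ct)


def run_session():
    """Drive one client/server session through all five steps; return observations."""
    result = {}
    suite = negotiate(CLIENT_OFFER, SERVER_SUPPORT)            # Step 1
    result["suite"] = suite
    transcript = suite.encode()
    c_priv, s_priv = secrets.randbelow(P - 2) + 2, secrets.randbelow(P - 2) + 2
    c_pub, s_pub = pow(G, c_priv, P), pow(G, s_priv, P)       # ephemeral shares
    c_tag = auth_tag(transcript, c_pub)                        # Step 2
    result["auth_ok"] = hmac.compare_digest(c_tag, auth_tag(transcript, c_pub))
    result["auth_rejects_tamper"] = not hmac.compare_digest(
        c_tag, auth_tag(transcript, c_pub + 1))                # altered key share
    c_shared, s_shared = pow(s_pub, c_priv, P), pow(c_pub, s_priv, P)   # Step 3
    result["shared_match"] = c_shared == s_shared
    salt = hashlib.sha256(transcript + c_pub.to_bytes(66, "big")
                          + s_pub.to_bytes(66, "big")).digest()
    keys = {label: hkdf(c_shared.to_bytes(66, "big"), salt, label.encode())
            for label in ("c2s enc", "c2s mac", "s2c enc", "s2c mac")}
    msg = b"GET /account HTTP/1.1"                             # constructed data
    record = seal(keys["c2s enc"], keys["c2s mac"], 0, msg)    # Step 4
    result["plaintext"] = unseal(keys["c2s enc"], keys["c2s mac"], 0, record)
    try:   # replaying the record once the server expects seq 1 fails the MAC
        unseal(keys["c2s enc"], keys["c2s mac"], 1, record)
        result["replay_rejected"] = False
    except ValueError:
        result["replay_rejected"] = True
    keys.clear()                                               # Step 5
    result["keys_discarded"] = not keys
    return result


if __name__ == "__main__":
    for k, v in run_session().items():
        print(f"{k}: {v}")
```

Two design points carry over to real protocols: the authentication tag covers the transcript and the key share, so a tampered or substituted share fails at Step 2 rather than producing a key the attacker knows; and the receiver checks integrity under the sequence number it expects, so a captured record cannot be replayed even though its tag was once valid.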
Insecure vs. Secure Protocol Mapping
Understanding which secure protocol replaces which insecure one is critical:
- Telnet → SSH
- HTTP → HTTPS
- FTP → SFTP or FTPS
- SNMPv1/v2 → SNMPv3
- LDAP → LDAPS
- DNS → DNSSEC
- SMTP → SMTP over TLS (STARTTLS)
- Rlogin/Rsh → SSH
Exam Tips: Answering Questions on Secure Services and Protocols
1. Know Your Port Numbers: Exam questions frequently test your knowledge of ports. Memorize: SSH (22), HTTPS (443), LDAPS (636), FTPS (989/990), SFTP (22), Kerberos (88), SNMP (161/162), and IPsec IKE (500).
2. Understand the OSI Layer Each Protocol Operates On: IPsec works at Layer 3 (Network), TLS works at Layer 4-5 (Transport/Session), and application-level protocols like S/MIME work at Layer 7. Questions may reference OSI layers to test your understanding.
3. Differentiate Between AH and ESP in IPsec: AH provides integrity and authentication but not confidentiality (no encryption). ESP provides confidentiality, integrity, and authentication. If a question asks about encrypting data in IPsec, the answer is ESP.
4. Transport Mode vs. Tunnel Mode: Transport mode encrypts only the payload and is used for host-to-host communication. Tunnel mode encrypts the entire original packet and is used for site-to-site VPNs. If the scenario describes a VPN gateway, think Tunnel mode.
5. TLS vs. SSL: Always prefer TLS in exam answers. SSL (all versions) is deprecated. If a question presents SSL 3.0 as an option alongside TLS 1.2 or TLS 1.3, choose TLS.
6. Read Scenarios Carefully: Many questions present a scenario where data needs to be protected in a specific way. Match the requirement (confidentiality, integrity, authentication, non-repudiation) to the correct protocol. For example, if non-repudiation of email is required, think S/MIME with digital signatures.
7. Kerberos Details Matter: Know that Kerberos uses a KDC (Key Distribution Center) composed of an Authentication Server (AS) and a Ticket Granting Server (TGS). It issues Ticket Granting Tickets (TGTs) and service tickets. It relies on synchronized clocks (timestamps) to prevent replay attacks.
8. DNSSEC Does Not Encrypt: A common trick question involves DNSSEC. Remember it provides authentication and integrity for DNS records via digital signatures, but it does not provide confidentiality. DNS over HTTPS (DoH) or DNS over TLS (DoT) provide encryption for DNS queries.
9. Eliminate Insecure Options First: If a question lists Telnet, FTP, HTTP, or SNMPv1 as possible answers for securing a service, eliminate them. They are always the wrong choice when security is the goal.
10. Focus on the "Best" or "Most Appropriate" Answer: SSCP exam questions often have multiple seemingly correct answers. Choose the one that best fits the specific scenario. For instance, both SFTP and FTPS secure file transfers, but if the scenario mentions leveraging an existing SSH infrastructure, SFTP is the better answer.
11. Understand Perfect Forward Secrecy (PFS): PFS ensures that if a long-term key is compromised, past session keys remain secure. Protocols using ephemeral Diffie-Hellman (DHE) or Elliptic Curve Diffie-Hellman Ephemeral (ECDHE) provide PFS. This is increasingly tested in modern exam questions.
12. Practice Protocol Comparison Questions: Be prepared for questions that ask you to compare two protocols or choose between them based on a given scenario. Understand the strengths, weaknesses, and appropriate use cases of each protocol covered in this guide.