52 Things: Number 49: Describe the basic ideas behind IPSec and TLS.
52 Things: Number 49: Describe the basic ideas behind IPSec and TLS.
52 Things: Number 49: Describe the basic ideas behind IPSec and TLS.
52件事:第49件:描述IPSec和TLS背后的基本思想。This is the latest in a series of blog posts to address the list of '52 Things Every PhD Student Should Know To Do Cryptography': a set of questions compiled to give PhD candidates a sense of what they should know by the end of their first year. This week we discuss the basic ideas behind IPSec and TLS.
这是一系列博客文章中的最新一篇,旨在解决“每个博士生在做密码学时应该知道的52件事”:这是一组问题,旨在让博士生在第一年结束时了解他们应该知道什么。本周我们将讨论IPSec和TLS背后的基本思想。
这是一系列博客文章中的最新一篇,旨在解决“每个博士生在做密码学时应该知道的52件事”:这是一组问题,旨在让博士生在第一年结束时了解他们应该知道什么。本周我们将讨论IPSec和TLS背后的基本思想。
Internet Protocol Security (IPsec) and Transport Layer Security (TLS) both aim to create a secure communication channel between two parties over an insecure network. In general, both use some mechanism to establish a private session key (either pre-shared or via a key negotiation protocol) and use symmetric key cryptography for the bulk of the communication. There are some further details with regards to authentication but I'll skip over that. Although these two ultimately have similar goals, they differ considerably in their implementation.
互联网协议安全性(IPsec)和传输层安全性(TLS)都旨在通过不安全的网络在双方之间创建一个安全的通信通道。通常,两者都使用某种机制来建立专用会话密钥(预共享或通过密钥协商协议),并在大部分通信中使用对称密钥加密。还有一些关于身份验证的进一步细节,但我将跳过这些。尽管这两者最终有着相似的目标,但在实施方面却有很大的不同。
互联网协议安全性(IPsec)和传输层安全性(TLS)都旨在通过不安全的网络在双方之间创建一个安全的通信通道。通常,两者都使用某种机制来建立专用会话密钥(预共享或通过密钥协商协议),并在大部分通信中使用对称密钥加密。还有一些关于身份验证的进一步细节,但我将跳过这些。尽管这两者最终有着相似的目标,但在实施方面却有很大的不同。
IPSec sits on the network layer of the OSI model and aims to provide integrity, authenticity and confidentiality between two end points. As it sits on network layer, it blindly encrypts, MACs and packages up the data from the above layers before sending it down the line. This effectively creates a virtual network link between the two end-points without the need to ensure the end-point application has secured the data appropriately. This is often deployed for enterprise VPN solutions as it is a fast solution for remote access to an enterprise network. The downside however is that once a connection is up, it is tricky to restrict applications from using the connection once it is up.
IPSec位于OSI模型的网络层,旨在提供两个端点之间的完整性、真实性和机密性。当它位于网络层时,它会盲目地加密、MAC并打包来自上述层的数据,然后再将其发送到网络层。这有效地在两个端点之间创建了虚拟网络链路,而无需确保端点应用程序适当地保护了数据。这通常用于企业VPN解决方案,因为它是远程访问企业网络的快速解决方案。然而,缺点是,一旦连接启动,就很难限制应用程序在连接启动后使用该连接。
IPSec位于OSI模型的网络层,旨在提供两个端点之间的完整性、真实性和机密性。当它位于网络层时,它会盲目地加密、MAC并打包来自上述层的数据,然后再将其发送到网络层。这有效地在两个端点之间创建了虚拟网络链路,而无需确保端点应用程序适当地保护了数据。这通常用于企业VPN解决方案,因为它是远程访问企业网络的快速解决方案。然而,缺点是,一旦连接启动,就很难限制应用程序在连接启动后使用该连接。
TLS on the other hand establishes a secure connection at the application layer of the OSI model. We see TLS heavily used for securing web protocols such as HTTPS, STARTTLS etc. and as a consequence, each connection/application will negotiate/set up a secure connection independently. From a security perspective, this is quite attractive as a single compromised channel *should* have no bearing on the remaining channels. Whilst TLS can be viewed as a more flexible approach, it does incur some overhead over IPSec for a large number of connections between two nodes.
另一方面,TLS在OSI模型的应用层建立安全连接。我们看到TLS被大量用于保护HTTPS、STARTTLS等网络协议的安全,因此,每个连接/应用程序都将独立协商/设置安全连接。从安全角度来看,这是非常有吸引力的,因为单个受损通道*应该*与其余通道无关。虽然TLS可以被视为一种更灵活的方法,但对于两个节点之间的大量连接,它确实会在IPSec上产生一些开销。
另一方面,TLS在OSI模型的应用层建立安全连接。我们看到TLS被大量用于保护HTTPS、STARTTLS等网络协议的安全,因此,每个连接/应用程序都将独立协商/设置安全连接。从安全角度来看,这是非常有吸引力的,因为单个受损通道*应该*与其余通道无关。虽然TLS可以被视为一种更灵活的方法,但对于两个节点之间的大量连接,它确实会在IPSec上产生一些开销。
It's easy to get into very fine details but I think that should cover the 'basic' ideas of the two.
很容易进入非常精细的细节,但我认为这应该涵盖两者的“基本”想法。
很容易进入非常精细的细节,但我认为这应该涵盖两者的“基本”想法。
本文来自博客园,作者:3cH0_Nu1L,转载请注明原文链接:https://www.cnblogs.com/3cH0-Nu1L/p/18107551
