IPSec vs SSL
Internet Protocol Security (IPSec) and Secure Sockets Layer (SSL) are both used to secure data transmission between computers. SSL is used mainly to authenticate and protect web transactions between web servers and web browsers; the main concern in developing it was to secure transactions such as financial transactions, online banking and stock trading. IPSec, on the other hand, works at the third layer of the OSI model and is a framework for multiple services, algorithms and granularities. One of the main reasons for introducing IPSec was the difficulty of changing every application to provide its own end-to-end (application-layer) security, encryption and integrity checks.
Simply put, SSL is about maintaining secure connections on the web. Early on, the web served only static pages and security was not a big issue. With time, however, companies needed to carry out transactions involving very sensitive data, so Netscape Communications Corp introduced SSL to provide secure connections. SSL sits in a new layer between the application layer and the transport layer. The main functionality of this layer is to compress and encrypt data; in addition, it has mechanisms for automatically detecting whether the data has been altered in transit. SSL is most commonly used in web browsers, but it can be used in other applications as well. When HTTP is used over SSL, it is called HTTPS. SSL uses two sub-protocols:
- One for establishing a secure connection
- Another for using it
Briefly, this is what happens when a connection is established between A and B:
- A sends a request specifying the SSL version and the algorithms to be used, along with a random number that will be used later.
- B sends its public key and a generated random number, and requests A's public key.
- A sends a random number (the pre-master key) encrypted with B's public key. The session key used for encryption is generated from the pre-master key and the random numbers generated above.
- Both A and B can now compute the session key. B changes cipher as requested by A.
- Both parties acknowledge that the connection has been established.
The second sub-protocol is used for the actual transport of data. The browser message is broken into fragments and compressed, and a MAC (Message Authentication Code), computed with a hashing algorithm, is added to each fragment.
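To make the two sub-protocols concrete, here is a constructed Python model, added for this page and not code from the original article or from any SSL implementation. It is not real SSL/TLS: the public-key encryption of the pre-master key is not modelled (the pre-master key is simply assumed to reach B), the key derivation is a stand-in SHA-256 hash, and the fragment size is kept tiny so that a short message yields several records. The function names, the sample request and the key sizes are all constructed. It shows both peers deriving the same session key from the pre-master key and both random numbers, and then the record sub-protocol fragmenting, compressing and MAC-protecting each fragment, with the receiver rejecting an altered or reordered fragment.

```python
"""Constructed toy model of the two SSL sub-protocols (not real SSL/TLS): a
handshake that derives one session key from the pre-master key plus both random
numbers, and a record layer that fragments, compresses and MAC-protects data."""
import hashlib
import hmac
import os
import zlib

FRAGMENT_SIZE = 16   # deliberately tiny so a short message yields several records


def derive_session_key(pre_master: bytes, random_a: bytes, random_b: bytes) -> bytes:
    """Stand-in key derivation: anyone holding the pre-master key and both random
    numbers computes the same session key, so A and B agree without sending it."""
    return hashlib.sha256(b"session-key" + pre_master + random_a + random_b).digest()


def handshake() -> bytes:
    """Simulates the connection sub-protocol. The public-key encryption that protects
    the pre-master key on the wire is not modelled; it is assumed to reach B intact."""
    random_a = os.urandom(32)     # step 1: A's random number, sent with the request
    random_b = os.urandom(32)     # step 2: B's random number, sent with its public key
    pre_master = os.urandom(48)   # step 3: A's pre-master key (encrypted to B in real SSL)
    key_a = derive_session_key(pre_master, random_a, random_b)   # step 4: A's copy
    key_b = derive_session_key(pre_master, random_a, random_b)   # step 4: B's copy
    assert key_a == key_b
    return key_a


def protect(key: bytes, message: bytes, first_seq: int = 0) -> list:
    """Record sub-protocol, sender side: break the message into fragments, compress
    each one and append a MAC bound to the record's sequence number."""
    records = []
    for i in range(0, len(message), FRAGMENT_SIZE):
        seq = first_seq + i // FRAGMENT_SIZE
        fragment = zlib.compress(message[i:i + FRAGMENT_SIZE])
        mac = hmac.new(key, seq.to_bytes(8, "big") + fragment, hashlib.sha256).digest()
        records.append((seq, fragment, mac))
    return records


def unprotect(key: bytes, records: list) -> bytes:
    """Receiver side: check each MAC and sequence number before decompressing.
    Raises ValueError if a record was altered, dropped, replayed or reordered."""
    out = bytearray()
    expected = records[0][0] if records else 0
    for seq, fragment, mac in records:
        if seq != expected:
            raise ValueError(f"record {seq} out of order, expected {expected}")
        calc = hmac.new(key, seq.to_bytes(8, "big") + fragment, hashlib.sha256).digest()
        if not hmac.compare_digest(calc, mac):
            raise ValueError(f"MAC mismatch on record {seq}: data altered in transit")
        out += zlib.decompress(fragment)
        expected += 1
    return bytes(out)


def tamper_is_detected(key: bytes, message: bytes) -> bool:
    """Flip one byte of the second record in transit; the receiver must reject it."""
    records = protect(key, message)
    seq, fragment, mac = records[1]
    altered = bytes([fragment[0] ^ 0x01]) + fragment[1:]
    tampered = records[:1] + [(seq, altered, mac)] + records[2:]
    try:
        unprotect(key, tampered)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    session_key = handshake()
    msg = b"GET /account HTTP/1.1\r\nHost: bank.example\r\n\r\n"   # constructed request
    recs = protect(session_key, msg)
    print(f"{len(msg)} bytes became {len(recs)} MAC-protected records")
    print("round trip ok:", unprotect(session_key, recs) == msg)
    print("tampering detected:", tamper_is_detected(session_key, msg))
```

The MAC covers the sequence number as well as the fragment, which is what lets the receiver notice a dropped, replayed or reordered record and not only a modified one; real SSL record protection has the same property.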
IPSec operates at the network layer by extending the IP packet header. It is a framework for multiple services (secrecy, data integrity, etc.), algorithms and granularities. IPSec supports multiple algorithms so that if one algorithm is no longer considered secure, others are available as a backup. Multiple granularities allow protection to be applied at the level of a single TCP connection. An end-to-end connection in IPSec is called a Security Association (SA), which is identified by security identifiers. An SA can operate in two main modes:
- Transport Mode
- Tunnel Mode
In transport mode, a header is attached after the IP header. This new header includes the SA identifier, a sequence number, an integrity check and other security information. In tunnel mode, the whole IP packet, header and all, is encapsulated in a new IP packet with a new IP header. Tunnel mode can be useful for frustrating traffic analysis by intruders. In contrast to transport mode, tunnel mode adds an extra IP header and therefore increases the packet size. The two headers used in IPSec are:
- Authentication Header
  - Provides integrity checks and anti-replay protection
- Encapsulating Security Payload
  - Provides secrecy
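The following constructed Python model, added here and not code from the original article or from any IPSec implementation, illustrates the two modes and the Authentication Header fields named above: a simplified IPv4 header (checksum left zero), an AH-style header carrying the SA identifier (SPI), a sequence number and an integrity check value, and the receiver's sliding anti-replay window. The host and gateway addresses, the key and the TCP segment are constructed sample values, and the receiver is handed the SA key directly rather than looking it up by SPI. It shows that tunnel mode costs exactly one extra IP header, that an observer of tunnel-mode traffic sees only the gateway addresses, and that a replayed packet is rejected even though its integrity check is valid.

```python
"""Constructed model of IPSec transport vs tunnel mode and anti-replay (not a real
IPSec implementation): simplified IPv4 headers, an AH-style header, and the
receiver-side sliding window that rejects replayed sequence numbers."""
import hashlib
import hmac
import struct

IPV4_HEADER_LEN = 20
PROTO_TCP = 6      # real IP protocol numbers
PROTO_IPV4 = 4     # IP-in-IP: what follows the AH in tunnel mode
PROTO_AH = 51      # Authentication Header
ICV_LEN = 12       # truncated HMAC, as the usual 96-bit ICVs are


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header; the checksum is left zero to keep the model short."""
    def addr(a: str) -> bytes:
        return bytes(int(x) for x in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, IPV4_HEADER_LEN + payload_len,
                       0, 0, 64, proto, 0, addr(src), addr(dst))


def integrity_check(key: bytes, spi: int, seq: int, data: bytes) -> bytes:
    """The ICV binds the SA identifier, the sequence number and the protected data."""
    return hmac.new(key, struct.pack("!II", spi, seq) + data, hashlib.sha256).digest()[:ICV_LEN]


def ah_header(next_header: int, spi: int, seq: int, icv: bytes) -> bytes:
    """AH layout: next header, length in 32-bit words minus 2, reserved, SPI, sequence, ICV."""
    length_words = (12 + len(icv)) // 4 - 2
    return struct.pack("!BBHII", next_header, length_words, 0, spi, seq) + icv


def transport_mode(key, spi, seq, src, dst, tcp_segment):
    """Transport mode: the original IP header stays; the AH sits between it and the segment."""
    ah = ah_header(PROTO_TCP, spi, seq, integrity_check(key, spi, seq, tcp_segment))
    return ipv4_header(src, dst, PROTO_AH, len(ah) + len(tcp_segment)) + ah + tcp_segment


def tunnel_mode(key, spi, seq, gw_src, gw_dst, inner_packet):
    """Tunnel mode: the whole original packet, header and all, is the payload of a new packet."""
    ah = ah_header(PROTO_IPV4, spi, seq, integrity_check(key, spi, seq, inner_packet))
    return ipv4_header(gw_src, gw_dst, PROTO_AH, len(ah) + len(inner_packet)) + ah + inner_packet


def visible_addresses(packet: bytes):
    """The only addresses a passive observer can read: those in the outer IP header."""
    src, dst = struct.unpack_from("!4s4s", packet, 12)
    return ".".join(map(str, src)), ".".join(map(str, dst))


class AntiReplayWindow:
    """Receiver-side sliding window over AH/ESP sequence numbers: each number is
    accepted once; duplicates and numbers older than the window are rejected."""

    def __init__(self, size: int = 32):
        self.size = size
        self.highest = 0   # highest sequence number accepted so far
        self.bitmap = 0    # bit i set means (highest - i) has already been seen

    def check_and_update(self, seq: int) -> bool:
        if seq == 0:
            return False   # sequence number 0 is never valid
        if seq > self.highest:   # advance the window; old bits fall off the left
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return True
        diff = self.highest - seq
        if diff >= self.size or (self.bitmap >> diff) & 1:
            return False   # too old, or already seen (a replay)
        self.bitmap |= 1 << diff
        return True


def receive(key: bytes, window: AntiReplayWindow, packet: bytes):
    """Parse the AH after the IP header, verify the ICV, then apply anti-replay.
    Returns the protected payload, or None if the packet is rejected."""
    _, length_words, _, spi, seq = struct.unpack_from("!BBHII", packet, IPV4_HEADER_LEN)
    ah_end = IPV4_HEADER_LEN + (length_words + 2) * 4
    icv = packet[IPV4_HEADER_LEN + 12:ah_end]
    payload = packet[ah_end:]
    if not hmac.compare_digest(icv, integrity_check(key, spi, seq, payload)):
        return None    # altered in transit
    if not window.check_and_update(seq):
        return None    # replayed or stale sequence number
    return payload


if __name__ == "__main__":
    key = b"constructed-sa-key-for-demo-only"               # constructed
    tcp = b"\x00\x50\x04\xd2" + b"\x00" * 16 + b"GET /"     # constructed TCP segment
    inner = ipv4_header("10.0.0.1", "10.0.0.2", PROTO_TCP, len(tcp)) + tcp
    t = transport_mode(key, 0x100, 1, "10.0.0.1", "10.0.0.2", tcp)
    u = tunnel_mode(key, 0x200, 1, "192.0.2.1", "198.51.100.1", inner)
    print("extra bytes in tunnel mode:", len(u) - len(t))   # one more IP header
    print("observer sees:", visible_addresses(t), "vs", visible_addresses(u))
    w = AntiReplayWindow()
    print("first delivery accepted:", receive(key, w, t) == tcp)
    print("replay accepted:", receive(key, w, t) is not None)
```

The window keeps only a fixed number of bits, so a packet can be rejected for being older than the window even if it was never seen; the sequence number is what the Authentication Header's anti-replay protection relies on, and the ICV is what stops an attacker from simply renumbering a captured packet.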
What is the difference between IPSec and SSL?
• Internet security is a serious concern, and people have come up with various ways to make sure that a third party cannot read their data. SSL and IPSec both provide security, but at different levels.
• In IPSec, encryption is done at the network layer, whereas in SSL it is done at the higher layers.
• IPSec introduces headers to ensure security, whereas SSL uses two sub-protocols to communicate.
• SSL is chosen over IPSec for internet web-type transactions because of its simplicity compared to IPSec.