Secure Network Programming

Last updated

Secure Network Programming (SNP) is a prototype of the first Secure Sockets Layer, designed and built in 1993 by the Networking Research Laboratory at the University of Texas at Austin, led by Simon S. Lam. This work was published in the 1994 USENIX Summer Technical Conference. [1] [2] For this project, the authors won the 2004 ACM Software System Award.

Simon S. Lam was inducted into the Internet Hall of Fame (2023) for "inventing secure sockets in 1991 and implementing the first secure sockets layer, named SNP, in 1993." [3]

This work began in 1991 as a theoretical investigation by the Networking Research Laboratory on the formal meaning of a protocol layer satisfying an upper interface specification as a service provider and a lower interface specification as a service consumer. [4] A case study of adding a security layer between the application and network layers was presented. [5]

The Networking Research Laboratory received a grant from the National Security Agency in June 1991 to investigate how to apply their theory of modules and interfaces to security verification. [6] At that time, there were three well-known authentication systems built (MIT's Kerberos) or being developed (DEC's SPX and IBM's KryptoKnight). All of these systems suffered from a common drawback; namely, they did not export a clean and easy-to-use interface that could be readily used by Internet applications. For example, it would take a tremendous amount of effort to "kerberize" an existing distributed application.

Toward the goal of "secure network programming for the masses", the inventors of SNP conceived secure sockets as a high-level abstraction suitable for securing Internet applications. In 1993, they designed and built a prototype of SNP. Designed as an application sublayer on top of sockets, SNP provides a user interface closely resembling sockets. This resemblance was by design so that security could be retrofitted into existing socket programs with only minor modifications. Also, with such a sublayer carefully designed and its implementation thoroughly debugged, it can be easily used by any Internet application that uses sockets for end-to-end communications. This is a natural idea in hindsight but, in 1993, it was novel and a major departure from mainstream network security research at that time.

SNP's secure sockets support both stream and datagram semantics with security guarantees (i.e., data origin authenticity, data destination authenticity, data integrity, and data confidentiality). Many of the ideas and design choices in SNP can be found in subsequent secure sockets layers, including: placing authenticated communication endpoints in the application layer, use of public-key cryptography for authentication, a handshake protocol for establishing session state including a shared secret, use of symmetric-key cryptography for data confidentiality, and managing contexts and credentials in the secure sockets layer.

The paper presented on June 8, 1994 at the USENIX Summer Technical Conference [1] includes the system design together with performance measurement results from the prototype implementation to clearly demonstrate the practicality of a secure sockets layer.

SNP pioneered secure sockets for Internet applications in general, independently and concurrently with the design and development of the HTTP protocol for the world-wide web which was still in its infancy in 1993. Subsequent secure socket layers (SSL by Netscape and TLS by IETF), implemented several years later using the architecture and key ideas first presented in SNP, enabled secure e-commerce between browsers and servers. Today, many other Internet applications (including email) use HTTPS, which consists of HTTP running over a secure sockets layer.

Related Research Articles

<span class="mw-page-title-main">HTTPS</span> Extension of the HTTP communications protocol to support TLS encryption

Hypertext Transfer Protocol Secure (HTTPS) is an extension of the Hypertext Transfer Protocol (HTTP). It uses encryption for secure communication over a computer network, and is widely used on the Internet. In HTTPS, the communication protocol is encrypted using Transport Layer Security (TLS) or, formerly, Secure Sockets Layer (SSL). The protocol is therefore also referred to as HTTP over TLS, or HTTP over SSL.

Kerberos is a computer-network authentication protocol that works on the basis of tickets to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner. Its designers aimed it primarily at a client–server model, and it provides mutual authentication—both the user and the server verify each other's identity. Kerberos protocol messages are protected against eavesdropping and replay attacks.

In software engineering, multitier architecture is a client–server architecture in which presentation, application processing and data management functions are physically separated. The most widespread use of multitier architecture is the three-tier architecture.

<span class="mw-page-title-main">Protocol stack</span> Comprehensive computer networking implementation

The protocol stack or network stack is an implementation of a computer networking protocol suite or protocol family. Some of these terms are used interchangeably but strictly speaking, the suite is the definition of the communication protocols, and the stack is the software implementation of them.

Simple Network Management Protocol (SNMP) is an Internet Standard protocol for collecting and organizing information about managed devices on IP networks and for modifying that information to change device behaviour. Devices that typically support SNMP include cable modems, routers, switches, servers, workstations, printers, and more.

In computing, Internet Protocol Security (IPsec) is a secure network protocol suite that authenticates and encrypts packets of data to provide secure encrypted communication between two computers over an Internet Protocol network. It is used in virtual private networks (VPNs).

An application layer is an abstraction layer that specifies the shared communication protocols and interface methods used by hosts in a communications network. An application layer abstraction is specified in both the Internet Protocol Suite (TCP/IP) and the OSI model. Although both models use the same term for their respective highest-level layer, the detailed definitions and purposes are different.

Transport Layer Security (TLS) is a cryptographic protocol designed to provide communications security over a computer network. The protocol is widely used in applications such as email, instant messaging, and voice over IP, but its use in securing HTTPS remains the most publicly visible.

In computing, the Windows Sockets API (WSA), later shortened to Winsock, is an application programming interface (API) that defines how Windows network application software should access network services, especially TCP/IP. It defines a standard interface between a Windows TCP/IP client application and the underlying TCP/IP protocol stack. The nomenclature is based on the Berkeley sockets API used in BSD for communications between programs.

SOCKS is an Internet protocol that exchanges network packets between a client and server through a proxy server. SOCKS5 optionally provides authentication so only authorized users may access a server. Practically, a SOCKS server proxies TCP connections to an arbitrary IP address, and provides a means for UDP packets to be forwarded.

<span class="mw-page-title-main">Internet security</span> Branch of computer security

Internet security is a branch of computer security. It encompasses the Internet, browser security, web site security, and network security as it applies to other applications or operating systems as a whole. Its objective is to establish rules and measures to use against attacks over the Internet. The Internet is an inherently insecure channel for information exchange, with high risk of intrusion or fraud, such as phishing, online viruses, trojans, ransomware and worms.

In computer networking, STREAMS is the native framework in Unix System V for implementing character device drivers, network protocols, and inter-process communication. In this framework, a stream is a chain of coroutines that pass messages between a program and a device driver. STREAMS originated in Version 8 Research Unix, as Streams.

<span class="mw-page-title-main">Simon S. Lam</span> American computer scientist and academic (born 1947)

Simon S. Lam is an American computer scientist. He retired in 2018 from The University of Texas at Austin as Professor Emeritus and Regents' Chair Emeritus in Computer Science #1. He made seminal and important contributions to transport layer security, packet network verification, as well as network protocol design, verification, and performance analysis.

SAP NetWeaver Application Server or SAP Web Application Server is a component of SAP NetWeaver which works as a web application server for SAP products. All ABAP application servers including the message server represent the application layer of the multitier architecture of an ABAP-based SAP system. These application servers execute ABAP applications and communicate with the presentation components, the database, and also with each other, using the message server.

A network socket is a software structure within a network node of a computer network that serves as an endpoint for sending and receiving data across the network. The structure and properties of a socket are defined by an application programming interface (API) for the networking architecture. Sockets are created only during the lifetime of a process of an application running in the node.

<span class="mw-page-title-main">Network Security Services</span> Collection of cryptographic computer libraries

Network Security Services (NSS) is a collection of cryptographic computer libraries designed to support cross-platform development of security-enabled client and server applications with optional support for hardware TLS/SSL acceleration on the server side and hardware smart cards on the client side. NSS provides a complete open-source implementation of cryptographic libraries supporting Transport Layer Security (TLS) / Secure Sockets Layer (SSL) and S/MIME. NSS releases prior to version 3.14 are tri-licensed under the Mozilla Public License 1.1, the GNU General Public License, and the GNU Lesser General Public License. Since release 3.14, NSS releases are licensed under GPL-compatible Mozilla Public License 2.0.

The Parallel Virtual File System (PVFS) is an open-source parallel file system. A parallel file system is a type of distributed file system that distributes file data across multiple servers and provides for concurrent access by multiple tasks of a parallel application. PVFS was designed for use in large scale cluster computing. PVFS focuses on high performance access to large data sets. It consists of a server process and a client library, both of which are written entirely of user-level code. A Linux kernel module and pvfs-client process allow the file system to be mounted and used with standard utilities. The client library provides for high performance access via the message passing interface (MPI). PVFS is being jointly developed between The Parallel Architecture Research Laboratory at Clemson University and the Mathematics and Computer Science Division at Argonne National Laboratory, and the Ohio Supercomputer Center. PVFS development has been funded by NASA Goddard Space Flight Center, The DOE Office of Science Advanced Scientific Computing Research program, NSF PACI and HECURA programs, and other government and private agencies. PVFS is now known as OrangeFS in its newest development branch.

In computing, Microsoft's Windows Vista and Windows Server 2008 introduced in 2007/2008 a new networking stack named Next Generation TCP/IP stack, to improve on the previous stack in several ways. The stack includes native implementation of IPv6, as well as a complete overhaul of IPv4. The new TCP/IP stack uses a new method to store configuration settings that enables more dynamic control and does not require a computer restart after a change in settings. The new stack, implemented as a dual-stack model, depends on a strong host-model and features an infrastructure to enable more modular components that one can dynamically insert and remove.

A communication protocol is a system of rules that allows two or more entities of a communications system to transmit information via any variation of a physical quantity. The protocol defines the rules, syntax, semantics, and synchronization of communication and possible error recovery methods. Protocols may be implemented by hardware, software, or a combination of both.

References

As of 2023-05-10, this article is derived in whole or in part from Networking Research Laboratory. The copyright holder has licensed the content in a manner that permits reuse under CC BY-SA 3.0 and GFDL. All relevant terms must be followed.The original text was at "A brief history of the first secure sockets layer"

  1. 1 2 Woo, Thomas; Bindignavle, Raghuram; Su, Shaowen; Lam, Simon (June 1994). "SNP: An Interface for Secure Network Programming" (PDF). Proceedings USENIX Summer Technical Conference. Retrieved 21 July 2019.
  2. "1994 USENIX Summer Technical Conference Program, Boston, 6-10 June 1994".
  3. "Simon S. Lam, Regents Chair Emeritus in Computer Science, inducted into the Internet Hall of Fame". "Simon S. Lam, 2023 Internet Hall of Fame inductee".
  4. Lam, Simon; Shankar, Udaya (January 1994). "A Theory of Interfaces and Modules I — Composition Theorem". IEEE Transactions on Software Engineering. 20: 55–71. doi:10.1109/32.263755 . Retrieved 21 July 2019.
  5. Lam, Simon; Shankar, Udaya; Woo, Thomas (May 1991). "Applying a theory of modules and interfaces to security verification" (PDF). Proceedings. 1991 IEEE Computer Society Symposium on Research in Security and Privacy. pp. 136–154. doi:10.1109/RISP.1991.130782. ISBN   0-8186-2168-0. S2CID   18581606 . Retrieved 5 January 2021.
  6. Simon S. Lam (PI/PD), "Applying a Theory of Modules and Interfaces to Security Verification", NSA INFOSEC University Research Program grant no. MDA 904-91-C-7046, 6/28/91 to 6/27/93.
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.