THE FIRST PART OF THE QUESTION IS TO GIVE YOU IDEA OF WHAT THE DISCUSSION IS ABOUT.YOUR ANSWER SHOULD BE BASED ON THE SECOND PART.YOU ARE RESPONDING TO THE PEERS POST BELOW ACCORDING TO THE SECOND PART OF THE QUESTION.2paragraphs for each response with intext citations and references

QUESTION: First, describe the public key infrastructure. What is it? What are its major components? Second, explain why an active attacker can break an SSL connection, but not an IPsec connection? 
in responding to your peers’ posts, discuss the advantages and disadvantages associated with IPsec and SSL connections. BELOW ARE FIVE PEER POST TO REPOND TO.

 1. HKY)Public key cryptography supports security mechanisms such as confidentiality, integrity, authentication, and non-repudiation. However, to successfully implement these security mechanisms, you must carefully plan an infrastructure to manage them. A public key infrastructure (PKI) is a foundation on which other applications, system, and network security components are built. A PKI is an essential component of an overall security strategy that must work in concert with other security mechanisms, business practices, and risk management efforts. PKI is a broad subject matter and is constantly evolving to meet the growing demands of the business world. (Weise, 2001)

Coming to the major components the very first one in public key infrastructure starts with trust, have in the infrastructure will determine what the certificates can be used for. The Certification Authority, this is the service which is responsible for issuing and revoking certificates. Private Key and public key, the public key will be included in the certificate. The private key is the counterpart to the public key and is private to the entity that will use the certificate. Digital certificate and usage scenarios, digital certificates are a file placed on your computer and a certificate placed on a device such as a smart card. Maintain the security is also important in public key infrastructure environment. (Ogenstad, 2010)

According to the video, it says IPsec provide more security when compare to SSL security. IPsec protects the data, so that an attacker finds it extremely difficult or impossible to interpret it. The reason for why IPsec more difficult to attack for attacker, IPsec has a number of features that significantly reduce attacks. The Encapsulating Security Payload (ESP) protocol in IPsec provides data confidentiality by encrypting IP packets. IPsec uses cryptography based keys, shared only by the sending and receiving computers, to create a cryptographic checksum for each IP packet. IPsec allows the exchange and verification of identities without exposing that information to interpretation by an attacker. IPsec combines mutual authentication with shared, cryptography based keys. IPsec uses filtering technology as the basis for determining whether communication is allowed, secured, or blocked, according to the IP address ranges and IP protocols. IPsec has IP layer protocol which is layer 3 and SSL has application layer protocol which is layer 7. (Protection against attacks: Internet Protocol Security (IPsec)., 2005)

2.FOM) A public key infrastructure enables users and computer devices to securely exchange data across internet networks. The emergence of public key infrastructure has addressed the concerns regarding public key cryptography where two keys namely a public and a private key are used to both encrypt and decrypt messages but however because two keys are used there are often uncertainties about authentication. (Rouse, M., 2014)

Public key infrastructure uses a trusted third part known as a certification authority which is made up of both hardware and software to ensure integrity, authentication, and ownership of a public key. The certification authority works by distributing an encrypted binary certificate which is signed, and also confirms the identity of the certificate and binds that identity to the public key contained in the certificate. The certification authority uses its own private key for the signature.

The components of a public key infrastructure includes

•    Certification authority

•    Registration authority

•    Certificate database

•    Certificate store

•    Key archival server

According to (Saxena, A., 2013), SSL is known to be built around web based applications. Web-based applications are known to be the playing grounds for attackers, for this reason, any attacker who obtains a valid certificate are able to pass the HTTPS protection stage. In 2011 attackers were able to breach a Dutch certificate authority by creating fake certificates for Yahoo, Google, WordPress and many other sites. (Gregg, M., 2013) 

Getting pass the HTTPS is not the only way to breach SSL, also, attackers use what is called the SSLStrip. What it does is that it strips the “S” off from the HTTPS presenting only HTTP to the user. So a user who does not identify the omission of the “S” in his browser can be breached by an attacker. (Gregg, M.) 

IPsec provides a high-level permanent protection connections for protocols, for instance, an encryptions between two end lines makes wiretaps on that line impossible. However, it must be noted that special configurations are required for IPsec to be very effective.

3. JC) The art of encrypting messages to keep prying eyes in the dark is as old as Julius Caesar, but it is only with the rise of computers that assymetric, or public-key, crytography became possible. Up until the 1970s, all cryptography was symmetric, that is, the same secret key was used for both encryption and decryption. Even Nazi Germany’s Enigma machine, with its ever-spinning rotors changing the key with each letter of plaintext, was fundamentally based on symmetric cryptography. The trouble with this approach is that should the secret key fall into enemy hands – as it well might considering that the key must be distributed among all users – then the enemy could simply use the key to decrypt the message and discover the target’s secrets. Many Enigma messages were broken this way.

By contrast, under assymetric cryptography, each correspondent is assigned their own set of two keys: a public key and a private key. The private key is never revealed to anyone except its owner, but the public key may be freely distributed to everyone who wishes to send that person an encrypted message. Even if the enemy were to intercept a message encrypted using a public key, they cannot then decrypt the message, as they do not know the private key. Public-key cryptography also plays a role in digital signatures, where the private key is used for encryption.

It is all well and good to ensure confidentiality of messages in transit, but how can one be sure that the public key belongs to whom it says it belongs to? Without a system in place for authenticating keys, what is to stop enemy from posing as a friendly correspondent and giving their own key in place of the friend’s? This is where public key infrastructures (PKI) come in.

Essentially, PKI involves a hierarchy of servers that act as authorities on the identities of public key owners. Called certification authorities (CAs), these servers create X.509 digital certificates, each of which contains information pertaining to a public key, including the owner’s name, address, organization, and so on. The CA then digitally signs the certificate using its own private key and passes it on to its subordinates, which in turn sign and pass it on. Requests by users for new certificates are handled by the registration authority (RA), a server designated by the root CA just for this task (Jacobs, 2016; Microsoft, n.d.). Under a well-designed CA hierarchy, it is impossible to forge an X.509 certificate (Jacobs, 2016).

 4. VP) The public key infrastructure “manages keys and certificates” (What is PKI?, 2017) which allows the network to understand which certificates are trustworthy. This is done by setting up roles policies, and procedures needed to create the certificates. There are five major components when dealing with the public key infrastructure: certification authority, registration authority, certificate database, certificate store, and key archival server. Certification authority “Acts as the root of trust in a public key infrastructure and provides services that authenticate the identity of individuals, computers, and other entities in a network.” (Public Key Infrastucture, 2017) Certification authorities also has the rights to revoke certificates. Registration authority “issue certificates for specific uses permitted by the root.” (Public Key Infrastucture, 2017) Next the certificate database save each certificate request whereas the certificate store saves the pending or rejected certificate requests. Finally, the key archival server “Saves encrypted private keys in the certificate database for recovery after loss.” (Public Key Infrastucture, 2017)

An active attacker can break an SSL connection but not an IPsec connection because with SSL clients are not required to authenticate themselves because the server is authenticated. Also, SSL connections use asymmetric operations meaning the same key can be used each time. For example, if Alice was placing an order online and had to walk away when she returned she could use the same key to pick up where she left off. Also, SSL connections can lead individuals to click on a bad certificate believing it is ok to proceed even if an error appears. Whereas an IPsec connection secures all traffic regardless of where it came from as well as provides encryption of all information.

5.BL) Public Key Infrastructure (PKI) is a framework for secure communications among disparate users through a process for creating trust relationships.  In short, PKI provides for the digital equivalent of a notary public, which provides assurance that users are who they purport to be.  Once a user has received its “stamp of approval”, the stamp is used to provide assurance for individual communications between users. An international standard X.509 has been issued with PKI framework requirements.  PKI consists of:

Parties:

> Certificate Authority (CA): A CA is a neutral organization that serves as the electronic notary. Examples of CA’s are Symantec and GoDaddy.  CA’s roles are to:

   > Enroll new users.  Users must prove their their identity to the CA.  

   > Issue digital certificates.  Once approved, users provide their public key and this is incorporated int the digital certificate.  The CA provides its private key to digitally sign 

      the certificate.  

   > Revoke digital certificates.  Certificates may need to be pulled if security has been compromised, critical information such as names have been changed, etc.  

> Users: Parties that want to securely communicate can provide their digital certificate or request one from the other party.  So, if Party A wants to communicate with a new party that A does not know, the CA acts as an intermediary so that the two can indirectly trust one another

Other: The X.509 standard does not specify a particular encryption protocol, so there is flexibility to upgrade as better protocols become available.  

Security services provided:  Authentication, confidentiality, integrity, and non-repudiation.(1) 

An active attacker can compromise an SSL connection because it is much more susceptible to a man-in-the-middle-attack (MITM) than IPSec.  In a MITM attack, the open session gets intercepted by spoofing or faking the other side of a communication. The session essentially gets hijacked and the sender may not even be aware of it.(2)   SSL sets up a temporary communication session and keeps it open until one party send the “FIN” packet to shut down.  As long as the session is open it is vulnerable to interception.  IPSec is set of protocols which includes an authentication Header (AH) and an Encapsulating Security Payload (ESP).  Both provide data integrity protection by creating checksums that can be used to see if messages are altered.  (3) IPSec encrypts messages at the packet level (both or either of the packet and headers can be encrypted).  So IPSec is more analogous to a permanent, hard-wired connection which limits the possibility for interceptions.  

PLEASE READ THIS.IT IS VERY IMPORTANT

Allow your discussion posts to be detailed and capable of sharing knowledge, ideas and points.  You must discuss the topic using your own words first.  Using your own words indicate you understand the topic of discussions.  Secondly, you must cite your sources in-text.  This is necessary to justify your points. Sources from several sources showed good research abilities.  Lastly, you must provide references at the bottom of your post.  A discussion post without justification with sources does not show proper research abilities. A terse and not detailed discussions represent post that would not provide enough sharing of knowledge or proper understanding of the topic. DO NOT just copy and paste a sentence from online with citation at the end as your own discussion. I have not asked for definitions, I asked for discussions and will not buy this.  You must show understanding of the discussion topic by using your own words to describe the topic and then justify that with sources.

www.citationmachine.net to format references into the APA style if necessary. Extremely important. Intext citations is very essential and highly needed as well.

use double spacing, 12-point Times New Roman font, and one-inch margins. Sources should be cited according to APA citation method (citation should be relevant and current). Page-length requirements: 2 PARAGRAPHS FOR EACH PROMPT ANSWER. Make sure you cite if you take a piece of someone’s work, very important and your reference should relate to your writing (don’t cite a reference because it relates to the course and not this very paper) at least 2 current and relevant academic references. No heavy paraphrasing of others work.