20 Aug 2017

SSL/TLS





Transport Layer Security / Secure Sockets Layer. It works at the application layer and provides a standard security technology for authentication and for establishing a secure session using certificates.

How the TLS Handshake Works:

Step 1) Client Hello
Step 2) Server Hello
Step 3) The server sends messages to the client containing its Certificate, the server encryption key, and lastly Server Hello Done.
Step 4) The client responds to the server with its encryption key, Change Cipher Spec and a Finished message, which contains the integrity check (an SHA hash).
Step 5) The server sends Change Cipher Spec and its Finished message, which contains the integrity check.


What does it actually look like? We will use Wireshark for the analysis:

Client Hello:

Server Hello:



Server Hello Done:



Client Finished Message:



Server Finished Message:



TLS encryption is done in 3 steps: Key Exchange, Data Encryption and Handshake Integrity.
Key Exchange: the method by which cryptographic keys are exchanged between 2 systems, using a cryptographic algorithm such as RSA, DH or ECDH.
Data Encryption: in TLS these are called ciphers, e.g., the 3DES and AES algorithms.
Handshake Integrity: uses an SHA algorithm to provide integrity.

How public and private keys are exchanged:

Step 1) The HTTPS client connects to the HTTPS server.
Step 2) The HTTPS server sends a certificate which contains 2 large prime numbers, aka the public key.
Step 3) The HTTPS client chooses a private key and generates the encryption key using the public key sent by the HTTPS server.
Step 4) The server generates the encryption key based on its own private key.
Now both share the same shared key.
Step 5) Now both send encrypted messages using their shared secret key.

Certificate Chain:
1) First we need a Certificate Authority server (CA).
2) The CA will generate a Root Certificate.
3) The Root Certificate will generate an Intermediate Certificate.
4) We sign that Intermediate Certificate, which is matched against the Root Certificate.
5) After being signed, it will issue a Server Certificate, which contains the domain name.
6) That Intermediate Certificate is what the browser uses.

When we type "Google.com" in the address bar of the browser and hit enter:
1) The server sends a certificate to the browser.
2) The browser verifies that the server certificate was issued by the Intermediate Certificate.
3) It then checks whether the certificate contains the "Google.com" domain name or not.
4) If it matches, it's a secure connection.
5) If it doesn't match, then the connection is not secure. There can be many reasons for the error, e.g., an expired certificate or an invalid certificate.

Bad TLS Encryption Examples:
1) Browser using a TLS version lower than 1.2
2) Using the 3DES algorithm

Safe Encryption Examples:
1) TLS version 1.2 or higher
2) Using the ECDHE key exchange algorithm
3) Using the AES algorithm
4) For message integrity, using an SHA algorithm, e.g., SHA1.
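As an added example (not code from the original notes), here is a small Python parser for the ClientHello record shown in the Wireshark capture above. It reads the record header, the handshake header, the client version and the offered cipher suites, and then flags the two "bad" cases listed: a version below TLS 1.2 and a 3DES cipher suite. The ClientHello bytes are constructed in the code itself, and the cipher suite table is a hand-picked subset of the IANA registry.

```python
import struct

# Small subset of the IANA TLS cipher suite registry, enough for the demo.
CIPHER_SUITES = {
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
}
VERSIONS = {0x0300: "SSLv3", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}


def parse_client_hello(record: bytes) -> dict:
    """Parse a TLS record (type 0x16) carrying a ClientHello (handshake type 0x01)."""
    content_type, record_version, record_len = struct.unpack("!BHH", record[:5])
    if content_type != 0x16:
        raise ValueError("not a TLS handshake record")
    body = record[5:5 + record_len]
    if len(body) != record_len:
        raise ValueError("truncated record")
    if body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hello_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hello_len]
    client_version = struct.unpack("!H", hello[:2])[0]
    pos = 2 + 32                              # 2-byte version + 32-byte client random
    session_id_len = hello[pos]
    pos += 1 + session_id_len                 # skip the session id
    suites_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", hello[i:i + 2])[0]
              for i in range(pos, pos + suites_len, 2)]
    return {"record_version": record_version,
            "client_version": client_version,
            "cipher_suites": suites}


def weak_points(hello: dict) -> list:
    """Report the 'bad encryption' cases from the notes: version below 1.2, 3DES suites."""
    findings = []
    if hello["client_version"] < 0x0303:
        name = VERSIONS.get(hello["client_version"], hex(hello["client_version"]))
        findings.append(f"client version {name} is below TLS 1.2")
    for suite in hello["cipher_suites"]:
        name = CIPHER_SUITES.get(suite, hex(suite))
        if "3DES" in name:
            findings.append(f"offers 3DES cipher suite {name}")
    return findings


def build_client_hello(version: int, suites: list) -> bytes:
    """Constructed sample input: a minimal ClientHello without extensions."""
    body = struct.pack("!H", version) + bytes(32) + b"\x00"   # version, random, empty sid
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                         # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", 0x16, 0x0301, len(handshake)) + handshake


# Constructed samples: a weak hello (TLS 1.0 offering 3DES) and a modern one.
WEAK_HELLO = build_client_hello(0x0301, [0x000A, 0x002F])
GOOD_HELLO = build_client_hello(0x0303, [0xC02F, 0xC030])

if __name__ == "__main__":
    for sample in (WEAK_HELLO, GOOD_HELLO):
        parsed = parse_client_hello(sample)
        print(VERSIONS[parsed["client_version"]], weak_points(parsed) or "no weak points")
```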



19 Aug 2017

SMTP




Simple Mail Transfer Protocol. It's a connection-oriented, text-based protocol that works at the application layer of the network model and provides message services over a TCP connection. It is used for sending messages from a sender to the receiver's mail server, on TCP port 25.

Email Client
It's a computer program designed to read, organise and send electronic messages.
It uses the POP, IMAP and SMTP protocols for communication.

POP
Post Office Protocol. POP is an internet standard that defines an email server and the way to retrieve mail from it. It is used to download mail from the server, and it cannot send emails.
It has 3 versions: POP, POP2 and POP3. POP3 was designed for authentication purposes. It works by storing messages on a POP server until the user logs in and downloads the messages onto their system.

IMAP
Internet Message Access Protocol, which is also used to download mail from the server. It is designed to let us keep emails on the server, but it requires more disk space and CPU resources. Works on port 143.


How SMTP works:
Let us assume:
Host ID : me@sender.com
Host email Server: demo.com
Client Id: client@receiver.com
Client email Server: example.com

Step 1) We send an email from our host, whose mail server is demo.com, to the client's mail address, client@receiver.com.

Step 2) Our e-mail server then takes the sender's mail server address, demo.com, and connects to the SMTP server.

Step 3) The host mail server provides the sender's address, the receiver's mail address and the content of the message to the SMTP server.

Step 4) The SMTP server takes the client's mail id, client@receiver.com, and divides it into the client's name and its domain name.

Step 5) If the receiver has a different domain name, the SMTP server will send that email message to the POP3 server and then SMTP will communicate with that domain.

Step 6) The SMTP server then communicates with the DNS server to get to the client's mail server. The DNS server provides the corresponding IP address to the SMTP server.

Step 7) The SMTP server on the sender's side connects to the SMTP server of the receiver's server.

Step 8) After the connection has been made, the SMTP server resolves the domain name for the client at receiver.com and transmits the message to the receiver's POP3 server, and the email then reaches the client's mailbox.

If any trouble occurs between the sender's mail server and the receiver's mail server, the message goes into the sendmail queue. What it does is send the mail again after some time, once the issue has been resolved. If for some reason that does not work, the sendmail queue returns the message to the sender.
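As an added example (not code from the original notes), the text-based exchange from the steps above, reduced to a tiny SMTP command handler: it splits the recipient address into name and domain (Step 4), decides between local delivery and relaying to the recipient's domain (Step 5), and answers each client command with the standard reply code. The list of locally delivered domains and the client lines are constructed assumptions.

```python
LOCAL_DOMAINS = {"demo.com"}   # assumption: the domains this mail server delivers locally


def split_address(addr: str) -> tuple:
    """Step 4: split 'client@receiver.com' into the client's name and its domain."""
    local, sep, domain = addr.strip("<>").rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"malformed address: {addr!r}")
    return local, domain.lower()


def route(addr: str) -> str:
    """Step 5: deliver to a local mailbox, or relay to the recipient's own domain."""
    domain = split_address(addr)[1]
    return "local" if domain in LOCAL_DOMAINS else f"relay to MX of {domain}"


class SmtpSession:
    """Tiny SMTP command handler; each handle() call returns one server reply."""

    def __init__(self):
        self.state = "connected"     # connected -> helo -> mail -> data -> helo
        self.mail_from = None
        self.rcpts = []
        self.body = []

    def handle(self, line: str) -> str:
        if self.state == "data":            # message text until a lone "."
            if line == ".":
                self.state = "helo"
                return "250 OK: queued"
            self.body.append(line)
            return ""                       # the server stays silent during DATA
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            self.state = "helo"
            return "250 demo.com Hello"
        if verb == "MAIL" and self.state == "helo":
            self.mail_from = split_address(arg.partition(":")[2])
            self.state = "mail"
            return "250 OK"
        if verb == "RCPT" and self.state == "mail":
            rcpt = arg.partition(":")[2]
            self.rcpts.append(rcpt)
            return f"250 OK ({route(rcpt)})"
        if verb == "DATA" and self.state == "mail" and self.rcpts:
            self.state = "data"
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "QUIT":
            return "221 Bye"
        return "503 Bad sequence of commands"   # command out of order, as in a real server


def run_dialog(client_lines: list) -> list:
    """Feed the client's lines to a fresh session; return the non-empty replies."""
    session = SmtpSession()
    return [reply for reply in map(session.handle, client_lines) if reply]


# Constructed client side of the exchange described in the steps above.
CLIENT_LINES = ["EHLO demo.com", "MAIL FROM:<me@sender.com>",
                "RCPT TO:<client@receiver.com>", "DATA", "Subject: hello", "",
                "test message", ".", "QUIT"]
```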



17 Aug 2017

DNS



Domain Name System. It is used to resolve a host name (e.g., www.example.com) to an IP address (e.g., 205.60.368.111).

It works at the Application Layer and uses both UDP and TCP.
A single UDP request and reply is exchanged between client and server, primarily on port number 53.
TCP is used when the response data size is more than 512 bytes or when we have to perform a zone transfer.

Example:
Let us suppose we can enter either http://27.230.168.43/ or http://example.com/ in the browser's address bar to get the same result. Using a name instead of the IP is a much easier way to remember it. DNS does that job for us.

However, an IP address and DNS are not the same. Here's why:
An IP address is an identifier for a device on a TCP/IP network, unique to each device, whereas DNS is what identifies that IP address.


How DNS Works:

1) DNS Query Request
This is how a DNS request query looks in Wireshark.



2) DNS Query Response
This is how a DNS response looks in Wireshark.




1) DNS looks for the request in:
1) the local machine
2) the DNS cache
3) the DNS server service

When the DNS response is not found locally, then:
1) Root Hints
2) Authoritative and Non-Authoritative Response

DNS Cache:
It's a recent memory of DNS lookups, stored in our system's operating system, that it can quickly refer to when it is trying to figure out how to load a website.
This is the first step DNS takes when a client issues a request.

Root Hints:
They contain the host information needed to resolve names outside the authoritative DNS domains: the names and IP addresses of the root DNS servers.

2) Authoritative and Non-Authoritative Response:
An authoritative response is the response we get from DNS if the record we are searching for is in the same DNS zone.
Whereas a non-authoritative response is when the IP address comes from a global server which is not our own.

Below are the steps DNS follows to get a response to a request.

Step 1: Search the hosts file
When we issue a request for "www.example.com", the browser first searches for it on the user's system. Basically, these entries are stored in the hosts file on the user's Windows system. If it is not able to find it, it will ask the router.

Step 2: Search the router
The router has a cache to store recent DNS lookups that our system can quickly refer to when it is trying to figure out how to load a website. If the router is not able to find the request, it will ask the ISP to look for it.

Step 3: Ask the ISP
The ISP or Internet Service Provider looks for that request in its DNS cache. If it does not find it, the ISP will ask the root DNS for the IP.

Step 4: Ask the root DNS
The root DNS will run a query to look for that request in its DNS cache, and if it does not find it, it will give the IP address of the TLD server to the ISP.

Step 5: Ask the TLD
A Top Level Domain or TLD server contains all the top level domains, e.g., .com or .org. It will search for the requested location. If it does not get the result, it will give the IP address of the name server to the ISP.

Step 6: Ask the name server
The ISP will then ask the name server, e.g., Google's name server, for the IP address of the www.example.com website. The name server will have the IP address and will return that result to the ISP.

Step 7: ISP
After getting the result, the ISP gives the IP address to the router.

Step 8: Router
The router now has the IP and gives it to the browser, and the browser opens the website for the user on their system.
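As an added example (not code from the original notes), the DNS request and response records shown in the Wireshark captures above, built and parsed in Python: a query for www.example.com on the wire, and a constructed reply with one A record whose header flags tell us whether it is a response (QR), whether it is authoritative (AA, the distinction made above) and whether it was truncated at the 512-byte UDP limit (TC). The answer address 203.0.113.10 is a documentation-range value, not a real host.

```python
import struct

FLAG_QR, FLAG_AA, FLAG_TC = 0x8000, 0x0400, 0x0200   # response / authoritative / truncated


def encode_name(name: str) -> bytes:
    """www.example.com -> 3www7example3com0 (length-prefixed labels)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in labels) + b"\x00"


def decode_name(msg: bytes, pos: int) -> tuple:
    """Decode a name at pos, following 0xC0xx compression pointers; returns (name, next pos)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[pos]
        if length & 0xC0 == 0xC0:                  # pointer to an earlier copy of the name
            if not jumped:
                end = pos + 2
            pos = struct.unpack("!H", msg[pos:pos + 2])[0] & 0x3FFF
            jumped = True
            continue
        pos += 1
        if length == 0:
            break
        labels.append(msg[pos:pos + length].decode())
        pos += length
    return ".".join(labels), (end if jumped else pos)


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Header (id, RD bit, 1 question) followed by one A-record question, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def parse_response(msg: bytes) -> dict:
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    pos, questions, answers = 12, [], []
    for _ in range(qdcount):
        qname, pos = decode_name(msg, pos)
        pos += 4                                   # skip qtype and qclass
        questions.append(qname)
    for _ in range(ancount):
        rname, pos = decode_name(msg, pos)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        rdata = msg[pos + 10:pos + 10 + rdlen]
        pos += 10 + rdlen
        if rtype == 1 and rdlen == 4:              # A record: 4-byte IPv4 address
            answers.append((rname, ".".join(str(b) for b in rdata), ttl))
    return {"id": txid, "is_response": bool(flags & FLAG_QR),
            "authoritative": bool(flags & FLAG_AA), "truncated": bool(flags & FLAG_TC),
            "questions": questions, "answers": answers}


def build_response(query: bytes, ip: str, ttl: int = 300, authoritative: bool = False) -> bytes:
    """Constructed sample reply: echo the question, add one A record pointing back at it."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = 0x8180 | (FLAG_AA if authoritative else 0)      # QR, RD, RA (+ AA)
    header = struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0)
    rdata = bytes(int(o) for o in ip.split("."))
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata   # name = pointer to offset 12
    return header + query[12:] + answer


# Constructed samples; 203.0.113.10 is a documentation-range address, not a real host.
QUERY = build_query("www.example.com")
RESPONSE = build_response(QUERY, "203.0.113.10", authoritative=True)
```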






15 Aug 2017

HTTP



Hypertext Transfer Protocol, a text-based request-response protocol which works at the application layer. It defines the rules by which a client/browser and a server communicate.

It was designed for transmitting messages back and forth between a web client/browser and a web server. When a user enters a URL in the browser, the HTTP client (web browser) issues an HTTP request (URL, GET/POST) to an HTTP server (e.g., an Apache server), which returns an HTTP response (HTML/text/audio/video) back to the HTTP client. Depending upon the request, the response contains the status of the request.


As HTTP consists of both a Request (Header + Body) and a Response (Header + Body), this is how an HTTP Request (in red) and Response (in blue) look in Wireshark.



How HTTP Works:
Step 1) The client issues a request
Step 2) The server responds to that request

Step 1: The client/browser performs a request:

HTTP request method:
Method (GET), URL, protocol version.
This is the request line of the HTTP request.

HTTP request header:
Content type, length, value.
It describes the request.

HTTP request body:
It carries the message.

HTTP Request Raw data:

HTTP Request [
Request-HEADER {
HTTP request method[GET/POST/PUT/DELETE/etc...], URL, protocol version
HOST
etc.
}
Request-BODY {
...
}
]


This is how it looks to the server when the client uses the GET method for the request:




The HTTP request body is optional for an HTTP message; if present, it carries the entire body associated with the request or response, described by the Content-Type and Content-Length headers, i.e., the actual HTTP request or response data.


An HTTP request message body would look like this:



Step 2: The server responds to the request:

Protocol and its description:

POST Method
It has the HTTP response

HTTP response header:
Content type, length, value.
It carries the server version and machine information.

HTTP response body:
It carries the actual response.

HTTP Response raw data:

HTTP Response [
Response-HEADER {
Status 200 OK, etc.
}
Response-BODY {
...
}
]


This is how it looks to the client when the server sends a POST header in the response:




Response Body:


Some of the Request and Response Headers:

Request Headers: Accept, Cookie, Date, Host, Content-Length, Content-Type...

Response Headers: Allow, Connection, Content-Encoding, Content-Language, Content-Type, Date.
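As an added example (not code from the original notes), a Python parser for the raw request and response layout sketched above: it splits the start line into method/URL/version (or version/status/reason), lowercases the header names, and frames the body by Content-Length, so that bytes past the declared length are not mistaken for the body and an HTTP/1.1 request without a Host header is rejected. Both sample messages are constructed, not captured traffic.

```python
def parse_http_message(raw: bytes) -> dict:
    """Split a raw HTTP/1.x message into start line, headers and body (Content-Length framed)."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete message: no blank line after the headers")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) != 3:
        raise ValueError(f"malformed start line: {lines[0]!r}")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not name.strip():
            raise ValueError(f"malformed header line: {line!r}")
        headers[name.strip().lower()] = value.strip()   # header names are case-insensitive
    if "content-length" in headers:
        length = int(headers["content-length"])
        if len(rest) < length:
            raise ValueError("body is shorter than Content-Length")
        body = rest[:length]                  # anything beyond belongs to the next message
    else:
        body = rest
    if parts[0].startswith("HTTP/"):          # status line: version, code, reason
        msg = {"kind": "response", "version": parts[0],
               "status": int(parts[1]), "reason": parts[2]}
    else:                                     # request line: method, URL, version
        msg = {"kind": "request", "method": parts[0], "url": parts[1], "version": parts[2]}
        if msg["version"] == "HTTP/1.1" and "host" not in headers:
            raise ValueError("HTTP/1.1 request is missing the Host header")
    msg["headers"] = headers
    msg["body"] = body
    return msg


# Constructed sample messages (not captured traffic).
REQUEST = (b"POST /login HTTP/1.1\r\n"
           b"Host: www.example.com\r\n"
           b"Content-Type: application/x-www-form-urlencoded\r\n"
           b"Content-Length: 14\r\n"
           b"\r\n"
           b"user=me&page=1")
RESPONSE = (b"HTTP/1.1 200 OK\r\n"
            b"Date: Sun, 20 Aug 2017 10:00:00 GMT\r\n"
            b"Content-Type: text/html\r\n"
            b"Content-Length: 18\r\n"
            b"\r\n"
            b"<html>hello</html>"
            b"GARBAGE")   # trailing bytes past Content-Length are not part of this body
```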











13 Aug 2017

TCP/IP Model




TCP/IP is a language, or set of rules, that a system uses in order to access the internet. It provides end-to-end connectivity by specifying how messages are formatted, addressed and routed to the receiving end.

TCP/IP Model:
1) Application Layer
2) Transport Layer
3) Internet Layer
4) Network Access Layer

Application Layer:
This layer is the combination of the Session, Presentation and Application layers of the OSI model. It provides user services for exchanging application messages, i.e., data communication. HTTP is a protocol designed for transmitting messages back and forth between a web client or browser and a web server. Telnet is a protocol/client/server which allows us to make a TCP connection to any port that we specify. FTP is a clear-text protocol, without encryption, which gives us the ability to transfer files back and forth between Unix systems. We can send messages from a sender to a recipient using the SMTP protocol.
Some of the protocols it uses: HTTP, FTP, SMTP, DHCP, POP, TLS/SSL, Telnet

Example:
This is what the Application Layer looks like in Wireshark, containing the HTTP header details.



Transport Layer:
It handles end-to-end delivery using TCP or UDP. TCP handles connection-oriented communication, where it guarantees delivery of the message and also makes sure somebody on the other end is there to receive it. UDP is a connectionless communication channel, where it just sends the message but does not really care about an acknowledgement from the receiver's side.

Example:

This is what the Transport Layer looks like in Wireshark.




Internet Layer:
This is the same as the Network layer of the OSI model. It provides the processing rules which ensure data transmission. It does identification, addressing and routing. Protocols used: IP, ICMP, IGMP.

Example:


This is what the Internet Layer looks like in Wireshark.




Network Access Layer:
This layer is the combination of the Physical and Data Link layers of the OSI model and is also called the Link Layer. It handles all the physical connections, error correction and control of the physical devices. In this layer, we can transmit messages between hosts in the same network and also to other networks using tunneling or a VPN.

Example:



This is what the Network Access Layer looks like in Wireshark.




*Groundwork:
Every piece of communication that goes across the internet uses the TCP/IP protocol suite. When we open a web application, it issues a series of TCP requests in order to get all the content on that page to us. All these protocols are interconnected. Generally, it issues an HTTP request, which gets encapsulated inside TCP, which gets encapsulated inside IP, which again gets encapsulated inside an Ethernet frame, and then it is sent across the communication channel, wired or wireless, until it reaches another networking device and finally the network provider.

TCP Flags:
We need flags in order to identify or analyse network traffic in a more efficient way. Here are the 9 types of TCP flags; see how each looks in Wireshark:

1) SYN
SYN or Synchronization flag is the first step in establishing a TCP 3-way handshake between the hosts.


2) ACK
ACK or Acknowledgement flag is used to acknowledge the successful receipt of a packet.



3) FIN
FIN or Finish flag is generally sent from the user side, saying there is no more data to be sent, aka the last packet.


4) PSH
PSH or Push flag is used to send data, telling the receiver to process it instead of buffering it. It is similar to URG, but the packets may get avoided or dropped.


5) URG
URG or Urgent flag is similar to the PSH flag, but for data to be sent over the wire with the URG flag set, TCP creates a separate segment for it, so that the data won't get dropped.


6) RST
RST or Reset flag is used to send a packet to a specific host when that host is not accepting it.



7) ECE
ECE or Explicit Congestion Notification is an optional flag used in a TCP connection to notify both sides, sender as well as receiver, about packet drops.

8) CWR
CWR or Congestion Window Reduced is similar to ECE, used for notification purposes, but it is used by the sender only.

9) NS
NS or Nonce Sum is used to check for and protect against hidden malicious content in the packet sent by the sender. It is an experimental flag.
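As an added example (not code from the original notes) covering both the Groundwork paragraph and the flag list above: a Python dissector that peels the Ethernet, IPv4 and TCP headers off a frame the way each layer does on receipt, and names the 9 TCP flag bits (NS down to FIN) the way Wireshark shows them. The two frames, a SYN and a PSH/ACK carrying an HTTP GET, are constructed in the code with documentation-range addresses and made-up MACs.

```python
import struct

# The 9 TCP flag bits, from NS (bit 8) down to FIN (bit 0).
TCP_FLAGS = [("NS", 0x100), ("CWR", 0x80), ("ECE", 0x40), ("URG", 0x20),
             ("ACK", 0x10), ("PSH", 0x08), ("RST", 0x04), ("SYN", 0x02), ("FIN", 0x01)]


def tcp_flag_names(flags: int) -> list:
    """Translate the flag bits of a TCP header into the names Wireshark displays."""
    return [name for name, bit in TCP_FLAGS if flags & bit]


def dissect_frame(frame: bytes) -> dict:
    """Peel Ethernet -> IPv4 -> TCP headers, as each layer does on receipt."""
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    if proto != 6:
        raise ValueError("not TCP")
    ihl = (ver_ihl & 0x0F) * 4                     # IP header length in bytes
    tcp = ip[ihl:total_len]
    sport, dport, seq, ack, off_flags, window = struct.unpack("!HHIIHH", tcp[:16])
    data_offset = (off_flags >> 12) * 4            # TCP header length in bytes
    flags = off_flags & 0x1FF                      # low 9 bits hold NS..FIN
    return {
        "src_mac": src_mac.hex(":"), "dst_mac": dst_mac.hex(":"),
        "src_ip": ".".join(map(str, src)), "dst_ip": ".".join(map(str, dst)),
        "ttl": ttl, "src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
        "flags": tcp_flag_names(flags), "payload": tcp[data_offset:],
    }


def build_frame(src_ip: str, dst_ip: str, sport: int, dport: int, flags: int,
                payload: bytes = b"") -> bytes:
    """Constructed sample: encapsulate payload in TCP, then IPv4, then Ethernet."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1000, 0, (5 << 12) | flags, 65535, 0, 0)
    tcp += payload
    src = bytes(int(o) for o in src_ip.split("."))
    dst = bytes(int(o) for o in dst_ip.split("."))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0, src, dst)
    eth = struct.pack("!6s6sH", bytes.fromhex("0a0000000001"), bytes.fromhex("0a0000000002"), 0x0800)
    return eth + ip + tcp


# Constructed samples: the first packet of the 3-way handshake, then an HTTP GET push.
SYN_FRAME = build_frame("192.0.2.10", "203.0.113.80", 51234, 80, 0x002)
GET_FRAME = build_frame("192.0.2.10", "203.0.113.80", 51234, 80, 0x018,
                        b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n")
```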



OSI Model





The OSI model is a modular standard communication architecture which takes a layered approach to communication, where one layer speaks to another layer.
Each layer adds a header when a message is sent over the network (encapsulation); then, on the other side, each layer goes through the process of peeling off its header in order to get the message out.

OSI Model Layer Approach:
Application Layer
Presentation Layer
Session Layer
Transport Layer
Network Layer
Data Link Layer
Physical Layer

(aka: All People Seems To Need Data Processing... Easy way to remember)


Application Layer:
In this layer the application and the user communicate directly, based on the software application. It identifies the communication partner and determines resource availability in terms of HTTP, FTP or SMTP.

Presentation Layer:
It translates the application layer data into another form. This layer is responsible for formatting data, in terms of encryption/decryption, which is then sent over as, e.g., XML or JPEG.

Session Layer:
This layer is responsible for session management and for the encoding and decoding of the data to be sent, where it creates, specifies, establishes, manages, controls and terminates the connections. It allows IP between the applications using SSL/TLS, SSH or NetBIOS.

Transport Layer:
This layer is responsible for reliable end-to-end data services using ports, with TCP or UDP. A message is sent across the network on a port for communication, whether connection-oriented or connectionless.

Network Layer:
It deals in packets: it takes the data and routes it back and forth across different networks, re-packaging it to cover the gap between the layers when we do not know what type of physical connection is being used. It does logical addressing to ensure data reachability.

Data Link Layer:
It sends the data across the network in frames through the physical medium. It does physical addressing, i.e., MAC addressing.

Physical Layer:
It handles all the physical definitions of data communication using coax, fiber or 4-pair wire, where data is sent as raw bits, 0s and 1s. NICs, ports and hubs work in this layer. It also handles error correction and detection on the physical medium.

Ground Work
Suppose we issue a web request. It originates at the Application Layer for data transmission in HTTP, FTP or SMTP, then goes to the Presentation Layer for the data format, JPEG or XML, then to the Session Layer for encoding or decoding, then to the Transport Layer, where we add any TLS communication we need and the source and destination ports according to the mode of communication, then to the Network Layer, where we add the IP address of the destination, then we add the Ethernet header on top of it and send it off. Each layer adds a header as the message goes down through the layers for encapsulation. When it reaches the other end, the process is repeated in reverse order, where each layer peels off its header in order to get the message to the other side.


4 Aug 2017

Networking Basic



Networking:
"Sharing of information or transmission of data between 2 or more computers connected through a communication channel."
When a computer sends a piece of information to another computer, it sends it using a communication medium, physical or wireless.

Physical:  Wire, Ethernet cables, Hubs, Switches, Routers.
Wireless:  Wi-Fi, Bluetooth, cellular data services.

History:
The first internet was designed between one host and one router in the year 1967, and in 1969 they designed the network using 4 nodes, which is known as ARPANET. It was designed basically for defence operations. The earlier protocol they used was NCP (Network Control Protocol), but to give the network more flexibility they designed a different set of protocols from NCP, called IPs.

Devices:
Hub: It allows us to connect computers using Ethernet cables.
Switch: It allows many devices to connect in a network.
Router: It's a device which connects one local computer to another local computer.
Firewall: It's for network security; it monitors and controls the network traffic.
Modem: It's a device which modulates and demodulates the electrical signals coming from cable lines.

Topology:
Topology is the arrangement of network elements, physically or logically.

Point-to-Point: A direct link between the two end points.
Bus: Each node in the network is connected to a cable, where that cable is the centralised connection point.
Star: Each network host is connected to a central hub using a point-to-point connection.
Ring: It's like a bus topology but forms a ring-like structure, where data travels around the loop.
Mesh: It's like a ring but every node is connected to every other node in the loop network.
Hybrid: This combines two or more topologies together to form a new connection.

IPv4  and IPv6:

IPv4: Internet Protocol version 4, which uses packets and switches to form a connectionless network. It uses a 32-bit addressing scheme divided into 4 octets, where each octet contains 8 bits in binary 0s and 1s.
Ex: 172.20.60.1

IPv6: Internet Protocol version 6 also uses packets and switches to form a connection, but it provides end-to-end data transmission across the IP network. It uses a 128-bit addressing scheme divided into 8 groups, each of 16 bits, written as hexadecimal values.
Ex: 2001:0db8:0000:0000:0000:ff00:0042:8329

CIDR:
As we know, an IP address consists of two parts, which determine the network and the host; CIDR defines this using a '/' and a "number". Using the '/' and "number" we can minimise the growth of routing tables and derive the IP address, routing prefix or subnet mask.
Ex: 192.168.100.0/24, which will have:
IP: 192.168.100.0
Subnet: 255.255.255.0
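As an added example (not code from the original notes), the arithmetic behind the /24 example above, done with bit operations rather than a library, and generalised to any IPv4 prefix length: it derives the subnet mask, network address, broadcast address and usable host range from a CIDR string, and performs the membership test a routing table does when it matches a destination against a prefix.

```python
def ip_to_int(ip: str) -> int:
    """Pack dotted-quad IPv4 text into a 32-bit integer, validating each octet."""
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"invalid IPv4 address: {ip}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_ip(n: int) -> str:
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def cidr_info(cidr: str) -> dict:
    """Derive mask, network, broadcast and usable host range from 'a.b.c.d/prefix'."""
    ip, _, prefix = cidr.partition("/")
    prefix = int(prefix)
    if not 0 <= prefix <= 32:
        raise ValueError(f"invalid prefix length: {prefix}")
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF   # prefix ones, then zeros
    network = ip_to_int(ip) & mask                       # host bits cleared
    broadcast = network | (~mask & 0xFFFFFFFF)           # host bits set
    small = prefix >= 31                                 # /31 and /32 have no reserved addresses
    return {
        "prefix": prefix,
        "mask": int_to_ip(mask),
        "network": int_to_ip(network),
        "broadcast": int_to_ip(broadcast),
        "usable_hosts": (1 << (32 - prefix)) - (0 if small else 2),
        "first_host": int_to_ip(network if small else network + 1),
        "last_host": int_to_ip(broadcast if small else broadcast - 1),
    }


def in_network(ip: str, cidr: str) -> bool:
    """The routing-table test: does the address share the prefix's network bits?"""
    info = cidr_info(cidr)
    return ip_to_int(ip) & ip_to_int(info["mask"]) == ip_to_int(info["network"])
```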

Routing: 
It's the process of determining a path for data flow across the IP network. For that it uses many schemes, like:
Unicast: Transmits a message to only one node in a network.
Multicast: Transmits a message to a group of nodes that are expecting to receive it in a network.
Broadcast: Transmits a message to every node inside the network.
Anycast: Sends a message to one node in a group of nodes.
Geocast: Transmits messages to a geographical area.

Cloud:
Sharing of the same data across geographical regions.
Service Models:
SaaS:  Software as a Service
PaaS: Platform as a Service
IaaS: Infrastructure as a Service