Advanced Computer Networks CS716 Advanced Computer Networks By Dr. Amir Qayyum 1

Lecture No. 41

Message Integrity Protocols Digital signature using RSA Special case of a message integrity where the code can only have been generated by one participant Compute signature with private key and verify with public key

Message Integrity Protocols Keyed MD5 Sender: m + MD5 (m + k) + E(E(k, rcv-pub), private) Receiver recovers random key using the sender’s public key applies MD5 to the concatenation of this random key message

Message Integrity Protocols MD5 with RSA signature Sender: m + E(MD5(m), private) Receiver Decrypts signature with sender’s public key Compares result with MD5 checksum sent with message

Authentication

Session Key Communication

Session Key Communication

Key Distribution Center

Kerberos

Man-in-the-Middle Attack in Diffie-Hellman

Key Distribution Certificate Special type of digitally signed document: “I certify that the public key in this document belongs to the entity named in this document, signed X.” The name of the entity being certified The public key of the entity The name of the certification authority A digital signature

Certification Authority (CA) Key Distribution Certification Authority (CA) Administrative entity that issues certificates Useful only to someone that already holds the CA’s public key.

Tree-structured CA Hierarchy

Key Distribution (cont) Chain of Trust If X certifies that a certain public key belongs to Y, and Y certifies that another public key belongs to Z, then there exists a chain of certificates from X to Z Someone that wants to verify Z’s public key has to know X’s public key and follow the chain Certificate Revocation List

PGP Message Integrity and Authentication Sender identity and message integrity confirmed if checksums match Calculate MD5 checksum on received message and compare against received value Calculate MD5 checksum over message contents Sign checksum using RSA with sender‘s private key Decrypt signed checksum with sender‘s private key Transmitted message

PGP Message Encryption Original message Create a random secret key k Encrypt message using DES with secret key k Decrypt message using DES with secret key k Encrypt k using RSA with recipient s public key Decrypt E(k) using RSA with my private key k Encode message + E(k) in ASCII for transmission Convert ASCII message Transmitted message

Example (PGP)

SSH Port Forwarding

Secure Transport Layer Application (e.g. HTTP) Secure transport layer TCP IP Subnet

TLS Handshake Protocol Client Server Hello [Certificate] Keys [Cert. Verify] Finished Finished Data

TLS Handshake Protocol

IPSEC Authentication Header

IPSEC ESP Header

ESP Packet

Firewalls

Firewalls Filter-Based Solution Example Rest of the Internet Local site Filter-Based Solution Example ( 192.12.13.14, 1234, 128.7.6.5, 80 ) (*,*, 128.7.6.5, 80 ) Default: forward or not forward? How dynamic?

Proxy-Based Firewalls Problem: complex policy Example: web server Remote Company User Firewall Web Server Internet Company net Random External User

Proxy-Based Firewalls Solution: proxy Design: transparent vs classical Limitations: Internal attacks Firewall External Client Local Server Proxy External HTTP/TCP connection Internal HTTP/TCP connection

Simple Proxy Scenario S R P

Denial of Service Attacks on end hosts Attacks on routers SYN attack Attacks on routers Christmas tree packets Pollute route cache Authentication attacks Distributed DoS attacks