March R. Smith - University of St Thomas - Minnesota

QMCS Class Today
- Homework due Today
- LAN and Internet Addresses
- Finish up Firewalls
- Routing Exercise
- Secret Key Management
- Wireshark
LAN and Internet Addresses
- Let’s try to ‘map’ everyone’s addresses
Network Address Translation
- Original purpose: more hosts & addresses
  – Let “insiders” use restricted addresses
  – Translate them on the way out
- A ‘multiplexing’ mechanism
  – Users share a “real” Internet address
Firewalls and LAN support
- Provide a few standard LAN services
  – Router connection
  – DHCP
Routing Exercise
- Identify some ‘routers’
- The rest are ‘hosts’
Secret Key Management
- Two elements
  – How do you assign individual keys
  – How do you update keys
- Assignment – how many keys do we need?
  – “One Big Cryptonet”
  – Pairwise user-user
  – Pairwise user-server (“key distribution center”)
- Updating – given the assignment strategies
  – Manual
  – Automatic
Automatic key updating
- How do we get the new key?
  – Internal update
    · use a ‘pseudo random number generator’
    · “Forward secrecy” problem
  – Random update
    · Use a new, randomly generated key
    · Share with the cryptonet
    · How do we transmit random keys?
  – Chained update
    · Send it using the existing crypto key
    · “Forward secrecy” problem
  – KEK-based update
    · Use a separate “key encrypting key”
    · Data is only sent with “data keys” or “session keys”
    · Only use KEK to send newly generated session
Key Distribution Center (KDC)
- Each user has a unique personal key
  – Contacts KDC to get a session key
  – KDC sends keys encrypted with users’ personal keys
- Example
  – Bob wants to talk to Alice
  – Bob contacts KDC, says “I want to talk to Alice”
  – KDC sends two copies of the session key
    · One encrypted with Bob’s personal key
    · One encrypted with Alice’s personal key
- This is the basis of Kerberos
  – Encrypted keys are called “tickets”
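The Bob/Alice/KDC exchange on this slide, worked through in Python as an added example (not code from the slides): a toy HMAC-SHA256 stream cipher stands in for a real authenticated cipher, and the KDC class, user names and keys are constructed for the demonstration. Each ticket carries the fresh session key plus the name of the other party, and a ticket opened with the wrong personal key is rejected rather than decrypted to garbage.

```python
import hmac, hashlib, secrets
KEY_LEN = 32

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher from HMAC-SHA256 (stand-in for a real cipher such as AES-GCM)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def make_ticket(personal_key: bytes, payload: bytes) -> bytes:
    """Encrypt-then-MAC the payload under one user's personal key: a 'ticket'."""
    nonce = secrets.token_bytes(16)
    ct = keystream_xor(personal_key, nonce, payload)
    tag = hmac.new(personal_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def open_ticket(personal_key: bytes, ticket: bytes) -> bytes:
    """Verify the MAC before decrypting; a wrong key or a tampered ticket is rejected."""
    nonce, ct, tag = ticket[:16], ticket[16:-32], ticket[-32:]
    expect = hmac.new(personal_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("ticket rejected")
    return keystream_xor(personal_key, nonce, ct)

class KDC:
    """Constructed KDC: holds every user's personal key, hands out fresh session keys."""
    def __init__(self, personal_keys: dict):
        self.personal_keys = dict(personal_keys)

    def request_session(self, requester: str, peer: str):
        session = secrets.token_bytes(KEY_LEN)
        # Each copy names the other party, so a ticket cannot be redirected to someone else.
        for_requester = make_ticket(self.personal_keys[requester], session + peer.encode())
        for_peer = make_ticket(self.personal_keys[peer], session + requester.encode())
        return for_requester, for_peer

def run_exchange():
    """Bob asks the KDC for a key to talk to Alice and forwards Alice's ticket to her."""
    keys = {name: secrets.token_bytes(KEY_LEN) for name in ("alice", "bob", "eve")}
    kdc = KDC(keys)
    bob_ticket, alice_ticket = kdc.request_session("bob", "alice")
    bob_view = open_ticket(keys["bob"], bob_ticket)        # Bob decrypts his copy
    alice_view = open_ticket(keys["alice"], alice_ticket)  # Alice decrypts hers
    try:
        open_ticket(keys["eve"], alice_ticket)             # Eve's key does not open it
        eve_opened = True
    except ValueError:
        eve_opened = False
    return bob_view[:KEY_LEN], alice_view[:KEY_LEN], bob_view[KEY_LEN:], alice_view[KEY_LEN:], eve_opened
```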
Wireshark – to the lab!
That’s it
- Questions?

Creative Commons License
This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 171 Second Street, Suite 300, San Francisco, California, 94105, USA.