
CS716 Advanced Computer Networks

By Dr. Amir Qayyum


Lecture No. 41

Message Integrity Protocols


Digital signature using RSA
Special case of message integrity where the code can only have been generated by one participant.
Compute the signature with the private key and verify it with the public key.

Message Integrity Protocols

Keyed MD5
Sender: m + MD5(m + k) + E(E(k, rcv-pub), private)
Receiver: recovers the random key k using the sender's public key (and its own private key), applies MD5 to the concatenation of the message and this random key, and compares the result with the received checksum.

Message Integrity Protocols

MD5 with RSA signature
Sender: m + E(MD5(m), private)
Receiver: decrypts the signature with the sender's public key and compares the result with the message's MD5 checksum.

Authentication

Session Key Communication

Key Distribution Center

Kerberos

Man-in-the-Middle Attack in Diffie-Hellman

Key Distribution

Certificate
Special type of digitally signed document:
"I certify that the public key in this document belongs to the entity named in this document, signed X."

A certificate contains:
The name of the entity being certified
The public key of the entity
The name of the certification authority
A digital signature

Key Distribution: Certification Authority (CA)

Administrative entity that issues certificates.
Useful only to someone that already holds the CA's public key.

Tree-structured CA Hierarchy


Key Distribution (cont)

Chain of Trust
If X certifies that a certain public key belongs to Y, and Y certifies that another public key belongs to Z, then there exists a chain of certificates from X to Z.
Someone that wants to verify Z's public key has to know X's public key and follow the chain.

Certificate Revocation List

PGP Message Integrity and Authentication

Sender:
Calculate MD5 checksum over message contents
Sign checksum using RSA with sender's private key
Transmitted message

Receiver:
Decrypt signed checksum with sender's public key
Calculate MD5 checksum on received message and compare against received value
Sender identity and message integrity confirmed if checksums match
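The following is an added example, not code from the lecture slides. It implements the two procedures shown above in working Python: the "MD5 with RSA signature" scheme (the sender signs MD5(m) with the private key, the receiver recovers it with the public key and compares it with the MD5 of the received message) and the "Chain of Trust" walk from a trusted root key X through Y to Z. The RSA here is textbook RSA with small deterministic keys and no padding, and the certificate layout, the seeds and the sample message are all constructed for the demo; only hashlib and random from the standard library are used.

```python
# Added example, not from the lecture slides: textbook RSA signing of an MD5
# digest (sign with the private key, verify with the public key) and a chain
# of certificates X -> Y -> Z checked from a single trusted root key.
# Constructed demo only: small deterministic keys, no padding, MD5. Not for use.
import hashlib
import random

def _is_probable_prime(n, rng, rounds=16):
    """Miller-Rabin test; rng supplies the witnesses."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits, rng):
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # top and low bit set
        if _is_probable_prime(cand, rng):
            return cand

def generate_keypair(bits=256, seed=0):
    """Return (public (e, n), private (d, n)); seeded so the demo is repeatable.
    n has at least 254 bits, so a 128-bit MD5 digest is always below n."""
    rng, e = random.Random(seed), 65537
    while True:
        p, q = _random_prime(bits // 2, rng), _random_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            break
    return (e, p * q), (pow(e, -1, phi), p * q)

def md5_int(message: bytes) -> int:
    return int.from_bytes(hashlib.md5(message).digest(), "big")

def sign(message: bytes, private_key) -> int:
    """Sender: E(MD5(m), private)."""
    d, n = private_key
    return pow(md5_int(message), d, n)

def verify(message: bytes, signature: int, public_key) -> bool:
    """Receiver: decrypt with the sender's public key, compare with MD5(m)."""
    e, n = public_key
    return pow(signature, e, n) == md5_int(message)

def _cert_body(subject, pub, issuer) -> bytes:
    return f"{subject}|{pub[0]}|{pub[1]}|{issuer}".encode()

def make_certificate(subject, subject_pub, issuer, issuer_priv) -> dict:
    """'I certify that this public key belongs to <subject>, signed <issuer>'."""
    return {"subject": subject, "public_key": subject_pub, "issuer": issuer,
            "signature": sign(_cert_body(subject, subject_pub, issuer), issuer_priv)}

def verify_chain(chain, trusted) -> bool:
    """Follow the chain: every certificate must be signed by a key already
    trusted, starting from the root CA keys the verifier holds (e.g. X)."""
    known = dict(trusted)
    for cert in chain:
        issuer_pub = known.get(cert["issuer"])
        body = _cert_body(cert["subject"], cert["public_key"], cert["issuer"])
        if issuer_pub is None or not verify(body, cert["signature"], issuer_pub):
            return False
        known[cert["subject"]] = cert["public_key"]  # now trusted for the next hop
    return True

def demo():
    x_pub, x_priv = generate_keypair(seed=1)  # root CA X
    y_pub, y_priv = generate_keypair(seed=2)  # intermediate CA Y
    z_pub, z_priv = generate_keypair(seed=3)  # end entity Z
    chain = [make_certificate("Y", y_pub, "X", x_priv),
             make_certificate("Z", z_pub, "Y", y_priv)]
    msg = b"constructed sample message"
    sig = sign(msg, z_priv)
    return {
        "chain_ok": verify_chain(chain, {"X": x_pub}),    # verifier holds X's key
        "chain_no_root": verify_chain(chain, {}),          # nothing trusted -> fails
        "sig_ok": verify(msg, sig, z_pub),
        "tampered": verify(msg + b"!", sig, z_pub),        # modified message -> fails
    }
```

Running demo() shows the four outcomes a verifier cares about: the chain validates when X's key is held, fails when nothing is trusted, Z's signature checks against the unmodified message, and a single changed byte makes the MD5 comparison fail. Note that the verifier only ever needs X's key up front; Y's key becomes trusted by walking the chain, exactly as the slide describes.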

PGP Message Encryption

Sender:
Original message
Create a random secret key k
Encrypt message using DES with secret key k
Encrypt k using RSA with recipient's public key
Encode message + E(k) in ASCII for transmission
Transmitted message

Receiver:
Convert ASCII message
Decrypt E(k) using RSA with my private key to recover k
Decrypt message using DES with secret key k

Example (PGP)


SSH Port Forwarding


Secure Transport Layer

Protocol stack (top to bottom):
Application (e.g. HTTP)
Secure transport layer
TCP
IP
Subnet

TLS Handshake Protocol
(Figure: message exchange between Client and Server)

IPSEC Authentication Header

Header fields, in order:
NextHdr
PayloadLength
Reserved
SPI
SeqNum
AuthenticationData
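As an added example (not from the slides), the following Python builds and parses the AH layout listed above and keeps an anti-replay window over SeqNum, which is what a receiver does with the sequence number field. The field widths and the rule that PayloadLength counts 32-bit words of the whole header minus 2 follow RFC 4302; the sample packet, its 12-byte authentication data and the window size are constructed for the demo.

```python
# Added example, not from the slides: a parser/builder for the IPsec AH layout
# (NextHdr, PayloadLength, Reserved, SPI, SeqNum, AuthenticationData) and an
# anti-replay sliding window over SeqNum. Field widths follow RFC 4302; the
# sample packet bytes and the 12-byte ICV are constructed for the demo.
import struct

AH_FIXED = struct.Struct("!BBHII")  # NextHdr, PayloadLen, Reserved, SPI, SeqNum


def build_ah(next_hdr: int, spi: int, seq: int, auth_data: bytes) -> bytes:
    """PayloadLength = length of the whole AH in 32-bit words, minus 2."""
    if len(auth_data) % 4:
        raise ValueError("AuthenticationData must be a multiple of 32 bits")
    payload_len = (AH_FIXED.size + len(auth_data)) // 4 - 2
    return AH_FIXED.pack(next_hdr, payload_len, 0, spi, seq) + auth_data


def parse_ah(data: bytes) -> dict:
    """Parse an AH at the start of data; rejects truncated or inconsistent headers."""
    if len(data) < AH_FIXED.size:
        raise ValueError("truncated AH: fixed part missing")
    next_hdr, payload_len, reserved, spi, seq = AH_FIXED.unpack_from(data)
    total = (payload_len + 2) * 4
    if total < AH_FIXED.size or total > len(data):
        raise ValueError("PayloadLength inconsistent with available bytes")
    return {"next_hdr": next_hdr, "payload_len": payload_len, "reserved": reserved,
            "spi": spi, "seq": seq, "auth_data": data[AH_FIXED.size:total],
            "header_len": total}


class ReplayWindow:
    """Sliding window over SeqNum: accept a new highest value, accept an unseen
    value inside the window once, reject replays and values that are too old."""

    def __init__(self, size: int = 64):
        self.size, self.top, self.bitmap = size, 0, 0  # bit i set => top-i seen

    def check_and_update(self, seq: int) -> bool:
        if seq == 0:                      # first legitimate SeqNum is 1
            return False
        if seq > self.top:                # advances the window
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size or self.bitmap & (1 << offset):
            return False                  # too old, or already seen (replay)
        self.bitmap |= 1 << offset
        return True


def demo():
    # Constructed packet: TCP (6) follows the AH, SPI 0x1000, first sequence number.
    pkt = build_ah(next_hdr=6, spi=0x1000, seq=1, auth_data=b"\x11" * 12)
    hdr = parse_ah(pkt + b"payload follows")
    win = ReplayWindow(size=8)
    decisions = [win.check_and_update(s) for s in (1, 2, 2, 5, 3, 0, 20, 12, 11)]
    return hdr, decisions
```

The decision list in demo() illustrates the window rules: 1, 2 and 5 advance the window, the second 2 is a replay, 3 is accepted late because it was never seen, 0 is never valid, 20 advances the window far enough that 12 and 11 fall outside it and are dropped.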

IPSEC ESP Header

ESP Packet

Firewalls

Firewalls
(Figure: firewall between the local site and the rest of the Internet)

Filter-Based Solution
Example rules (source address, source port, destination address, destination port):
( 192.12.13.14, 1234, 128.7.6.5, 80 )
( *, *, 128.7.6.5, 80 )

Default: forward or not forward?
How dynamic?
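The following is an added example, not code from the slides. It runs the two rules above through a first-match packet filter under both answers to the default question (forward everything not matched, or drop it) and then adds a stateful variant to show what "how dynamic" can mean: a forwarded connection installs a temporary rule that admits its reply traffic, so no permanent wildcard rule is needed for return packets. The tuple layout (src addr, src port, dst addr, dst port), the actions and the sample packets are assumptions for this demo.

```python
# Added example, not from the slides: first-match packet filtering with the two
# rules from the "Filter-Based Solution" slide, under default-deny and
# default-allow, plus a stateful variant that admits replies to connections
# it has already forwarded. Tuple layout (src addr, src port, dst addr,
# dst port), actions and sample packets are assumptions for this demo.
from typing import List, Tuple

ANY = "*"
Packet = Tuple[str, int, str, int]
Rule = Tuple[str, object, str, object, str]   # src, sport, dst, dport, action


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """A '*' in the rule matches any value in that field."""
    return all(r == ANY or r == p for r, p in zip(rule[:4], pkt))


class PacketFilter:
    def __init__(self, rules: List[Rule], default: str):
        self.rules, self.default = rules, default

    def decide(self, pkt: Packet) -> str:
        for rule in self.rules:                 # first matching rule wins
            if rule_matches(rule, pkt):
                return rule[4]
        return self.default                     # the "forward or not forward?" choice


class StatefulFilter(PacketFilter):
    """Dynamic rules: a forwarded connection adds a temporary entry that admits
    the reverse 4-tuple, so replies pass without a static wildcard rule."""

    def __init__(self, rules: List[Rule], default: str):
        super().__init__(rules, default)
        self.established = set()

    def decide(self, pkt: Packet) -> str:
        src, sport, dst, dport = pkt
        if (dst, dport, src, sport) in self.established:
            return "forward"                    # reply to a known connection
        action = super().decide(pkt)
        if action == "forward":
            self.established.add(pkt)
        return action


# The two rules from the slide, each given an explicit action.
SLIDE_RULES: List[Rule] = [
    ("192.12.13.14", 1234, "128.7.6.5", 80, "forward"),
    (ANY, ANY, "128.7.6.5", 80, "forward"),
]

# Constructed sample traffic.
SAMPLE: List[Packet] = [
    ("192.12.13.14", 1234, "128.7.6.5", 80),   # matches the exact rule
    ("10.0.0.7", 40000, "128.7.6.5", 80),      # matches the wildcard rule
    ("10.0.0.7", 40000, "128.7.6.5", 22),      # no rule: default decides
    ("128.7.6.5", 80, "192.12.13.14", 1234),   # reply traffic of packet 1
]


def demo() -> dict:
    results = {}
    for name, fw in (("default_deny", PacketFilter(SLIDE_RULES, "drop")),
                     ("default_allow", PacketFilter(SLIDE_RULES, "forward")),
                     ("stateful_deny", StatefulFilter(SLIDE_RULES, "drop"))):
        results[name] = [fw.decide(p) for p in SAMPLE]
    return results
```

The comparison in demo() makes the trade-off concrete: default-allow forwards the unrelated port 22 packet as well as the reply, default-deny blocks both, and the stateful filter with default-deny blocks port 22 yet still forwards the reply because it remembers the outbound connection.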

Proxy-Based Firewalls
Problem: complex policy
Example: web server
(Figure: a remote company user and a random external user reach the web server on the company net across the Internet through the firewall)

Proxy-Based Firewalls
Solution: proxy
(Figure: external client, external HTTP/TCP connection to the proxy at the firewall, internal HTTP/TCP connection from the proxy to the local server)

Design: transparent vs classical
Limitations: internal attacks

Simple Proxy Scenario
(Figure with nodes P, S, R)

Denial of Service

Attacks on end hosts:
SYN attack

Attacks on routers:
Christmas tree packets
Pollute route cache

Authentication attacks
Distributed DoS attacks
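As an added example (not from the slides), the following Python scans a small set of constructed TCP flow records from the defender's side for two of the symptoms listed above: SYNs from one source that are never followed by an ACK (the half-open connections a SYN attack leaves behind) and "Christmas tree" packets with flag combinations that cannot occur on a real connection. The record format, the flag letters, the threshold and the sample records are assumptions for this demo.

```python
# Added example, not from the slides: a defender-side scan of constructed TCP
# flow records for half-open SYNs piling up from one source (SYN attack) and
# for "Christmas tree" packets with contradictory flag sets. Record format,
# flag letters (F,S,R,P,A,U), threshold and samples are assumptions.
from collections import defaultdict
from typing import Dict, List, Tuple

Record = Tuple[float, str, int, str, int, str]  # time, src, sport, dst, dport, flags
FULL_FLAGS = set("FSRPAU")


def half_open_per_source(records: List[Record]) -> Dict[str, int]:
    """Count 4-tuples that sent a SYN but never a later ACK, grouped by source."""
    pending = {}
    for _t, src, sport, dst, dport, flags in records:
        key = (src, sport, dst, dport)
        if flags == "S":
            pending[key] = True              # handshake started
        elif "A" in flags and key in pending:
            pending[key] = False             # handshake completed
    counts = defaultdict(int)
    for (src, *_rest), still_open in pending.items():
        if still_open:
            counts[src] += 1
    return dict(counts)


def syn_flood_suspects(records: List[Record], threshold: int = 3) -> List[str]:
    """Sources with at least `threshold` half-open connections."""
    return sorted(s for s, n in half_open_per_source(records).items() if n >= threshold)


def christmas_tree_packets(records: List[Record]) -> List[Record]:
    """SYN together with FIN, or every flag lit, never occurs on a real
    connection; such packets are crafted and worth flagging."""
    return [rec for rec in records
            if {"S", "F"} <= set(rec[5]) or set(rec[5]) == FULL_FLAGS]


# Constructed sample records.
SAMPLE: List[Record] = [
    (0.0, "192.12.13.14", 1234, "128.7.6.5", 80, "S"),
    (0.1, "192.12.13.14", 1234, "128.7.6.5", 80, "A"),    # handshake completed
    (0.2, "10.9.9.9", 50001, "128.7.6.5", 80, "S"),
    (0.2, "10.9.9.9", 50002, "128.7.6.5", 80, "S"),
    (0.2, "10.9.9.9", 50003, "128.7.6.5", 80, "S"),
    (0.3, "10.9.9.9", 50004, "128.7.6.5", 80, "S"),       # four SYNs, no ACKs
    (0.4, "10.9.9.8", 7, "128.7.6.1", 179, "FSRPAU"),     # all flags lit
    (0.5, "10.0.0.5", 40000, "128.7.6.5", 443, "S"),      # one stray half-open
]


def demo() -> dict:
    return {
        "half_open": half_open_per_source(SAMPLE),
        "suspects": syn_flood_suspects(SAMPLE),
        "xmas": christmas_tree_packets(SAMPLE),
    }
```

The threshold separates a single unanswered SYN (ordinary packet loss) from a source that leaves many connections half-open; in practice the count would be taken over a time window and compared against the host's backlog size, which this demo keeps as a plain constant.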
