advanced computer networks - cs716 power point slides lecture 41

7/27/2019 Advanced Computer Networks - CS716 Power Point Slides Lecture 41

1/31

11

CS716

Advanced Computer Networks

By Dr. Amir Qayyum


2/31

2

Lecture No. 41


3/31

3

Message Integrity Protocols

Digital signature using RSA

Special case of a message integrity wherethe code can only have been generated byone participant

Compute signature with private key andverify with public key


4/31

4


Keyed MD5

Sender: m + MD5 (m + k) +

E(E(k, rcv-pub), private)Receiver recovers random key using the

senders public key

applies MD5 to the concatenation ofthis random key message


5/31

5


MD5 with RSA signatureSender: m + E(MD5(m), private)

Receiver Decrypts signature with senderspublic key

Compares result with MD5 checksum

sent with message


6/31

6

Authentication


7/31

7

Session Key Communication


8/31

8

Session Key Communication


9/31

9

Key

DistributionCenter


10/31

10

Kerberos


11/31

11

Man-in-the-Middle Attack

in Diffie-Hellman


12/31


13/31

13

Key Distribution

Certification Authority (CA)

Administrative entity that issues

certificatesUseful only to someone that already

holds the CAs public key.


14/31

14

Tree-structured CA Hierarchy


15/31

15

Key Distribution (cont)

Chain of Trust

IfXcertifies that a certain public keybelongs to Y, and Ycertifies that another

public key belongs toZ, then there existsa chain of certificates fromXtoZ

Someone that wants to verifyZs public

key has to knowXs public key andfollow the chain

Certificate Revocation List


16/31

16

PGP Message Integrity and

Authentication

Sender identity and message

integrity confirmed

if checksums match

Calculate MD5 checksum on

received message and compare

against received value

Decrypt signed checksumwith senders private key

Calculate MD5 checksum

over message contents

Sign checksum using RSAwith senders private key

Transmitted message


17/31

17

PGP Message Encryption

Decrypt message usingDES with secret key k

Decrypt E(k) using RSA with

my private key k

Convert ASCII message

Encrypt kusing RSA with

recipient s public key

Encode message + E(k)

in ASCII for transmission

Encrypt message usingDES with secret key k

Original message

Transmitted message

Create a random secret key k


18/31

18

Example (PGP)


19/31

19

SSH Port Forwarding


20/31

20

Secure Transport Layer

Application (e.g. HTTP)

Secure transport layerTCP

IP

Subnet


21/31

21

TLS Handshake ProtocolClient Server


22/31

22

TLS

HandshakeProtocol


23/31

23

IPSEC Authentication Header

NextHdr PayloadLength Reserved

SPI

SeqNum

AuthenticationData


24/31

24

IPSEC ESP Header


25/31

25

ESP Packet


26/31

26

Firewalls


27/31

27

Firewalls

Filter-Based Solution

Example

( 192.12.13.14, 1234, 128.7.6.5, 80 )

(*,*, 128.7.6.5, 80 )

Default: forward or not forward?

How dynamic?

Rest of the Internet Local site

Firewall


28/31

28

Proxy-Based Firewalls

Problem: complex policy Example: web server

Company netWeb

Server

Remote

CompanyUser

Internet

Firewall

Random

ExternalUser


29/31

29

Proxy-Based Firewalls

Solution: proxy

Design: transparent vs classical

Limitations: Internal attacks

Firewall

External

Client

External HTTP/TCP connection

Proxy

Internal HTTP/TCP connection

Local

Server


30/31

30

Simple Proxy Scenario

S RP


31/31

31

Denial of Service

Attacks on end hosts

SYN attack

Attacks on routers Christmas tree packets

Pollute route cache

Authentication attacks

Distributed DoS attacks

advanced computer networks - cs716 power point slides lecture 41

Documents