advanced computer networks - cs716 power point slides lecture 41
TRANSCRIPT
-
7/27/2019 Advanced Computer Networks - CS716 Power Point Slides Lecture 41
CS716
Advanced Computer Networks
By Dr. Amir Qayyum
-
Lecture No. 41
-
Message Integrity Protocols
Digital signature using RSA
Special case of message integrity where the code can only have been generated by one participant
Compute the signature with the private key and verify it with the public key
-
Message Integrity Protocols
Keyed MD5
Sender: m + MD5(m + k) + E(E(k, rcv-pub), private)
Receiver recovers the random key k by stripping the outer signature with the sender's public key and then decrypting with its own private key
Applies MD5 to the concatenation of the message and this random key (the same m + k) and compares with the received value
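Added example (not from the lecture): the keyed-MD5 integrity check from this slide in Python, with HMAC-MD5 alongside it as the standardised way to key a hash. The sample message and the per-message random key k are constructed here; the transport of k as E(E(k, rcv-pub), private) is left out, and the receiver is assumed to have already recovered k.

```python
import hashlib
import hmac
import secrets


def keyed_md5(message: bytes, key: bytes) -> bytes:
    """The slide's construction: MD5 over the concatenation m + k (secret-suffix MAC)."""
    return hashlib.md5(message + key).digest()


def hmac_md5(message: bytes, key: bytes) -> bytes:
    """HMAC-MD5 (RFC 2104): the standardised keyed hash; same interface as keyed_md5."""
    return hmac.new(key, message, hashlib.md5).digest()


def protect(message: bytes, mac=hmac_md5):
    """Sender: draw a fresh random key k for this message and attach MAC(m, k).

    Returns (m, tag, k). In the slide, k travels alongside as E(E(k, rcv-pub), private);
    that key transport is not modelled here.
    """
    k = secrets.token_bytes(16)
    return message, mac(message, k), k


def check(message: bytes, tag: bytes, key: bytes, mac=hmac_md5) -> bool:
    """Receiver, after recovering k: recompute the tag over what arrived and compare.

    hmac.compare_digest runs in constant time, so the comparison does not leak how many
    leading tag bytes an attacker's guess got right.
    """
    return hmac.compare_digest(mac(message, key), tag)


if __name__ == "__main__":
    m, tag, k = protect(b"constructed sample message")     # constructed input
    print("genuine:", check(m, tag, k))
    print("tampered:", check(m + b"!", tag, k))
    print("wrong key:", check(m, tag, bytes(16)))
```

Both constructions detect a modified message or a wrong key; the receiver can only succeed if it really recovered the same k the sender drew, which is what ties the check to the sender.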
-
Message Integrity Protocols
MD5 with RSA signature
Sender: m + E(MD5(m), private)
Receiver decrypts the signature with the sender's public key
Compares the result with the MD5 checksum it computes over the received message
-
Authentication
-
Session Key Communication
-
Session Key Communication (cont)
-
Key Distribution Center
-
Kerberos
-
Man-in-the-Middle Attack in Diffie-Hellman
-
Key Distribution
Certification Authority (CA)
Administrative entity that issues certificates
Useful only to someone that already holds the CA's public key
-
Tree-structured CA Hierarchy
-
Key Distribution (cont)
Chain of Trust
If X certifies that a certain public key belongs to Y, and Y certifies that another public key belongs to Z, then there exists a chain of certificates from X to Z
Someone that wants to verify Z's public key has to know X's public key and follow the chain
Certificate Revocation List
-
PGP Message Integrity and Authentication
Sender:
Calculate MD5 checksum over message contents
Sign checksum using RSA with sender's private key
Transmitted message: message + signed checksum
Receiver:
Decrypt signed checksum with sender's public key
Calculate MD5 checksum on received message and compare against received value
Sender identity and message integrity confirmed if checksums match
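Added example, not code from the lecture, serving three slides at once: "MD5 with RSA signature" (sender sends m + E(MD5(m), private), receiver undoes it with the public key and compares with its own MD5 of m), the chain of trust from X through Y to Z with a certificate revocation list, and the PGP signing flow above. It uses textbook RSA over primes found by Miller-Rabin with a seeded random.Random so the keys are repeatable; there is no padding, and MD5 is used only because the slides do, so this is a model of the protocol rather than a usable signature scheme. The names X, Y, Z, the toy certificate format and the serial-number CRL are assumed for illustration.

```python
import hashlib
import math
import random

E = 65537  # the usual RSA public exponent
SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n, rng, rounds=32):
    """Miller-Rabin; rng is a random.Random (seeded in demo() so runs are repeatable)."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits, rng):
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1   # exact bit length, odd
        if is_probable_prime(cand, rng):
            return cand


def keygen(bits=256, seed=None):
    """Textbook RSA: public (n, e), private (n, d). A 256-bit n holds a 128-bit MD5 digest."""
    rng = random.Random(seed)
    while True:
        p, q = gen_prime(bits // 2, rng), gen_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(E, phi) == 1:
            return (p * q, E), (p * q, pow(E, -1, phi))


def md5_int(data):
    return int.from_bytes(hashlib.md5(data).digest(), "big")


def sign(priv, data):
    """Sender: E(MD5(m), private) = MD5(m)^d mod n. No padding, so a teaching model only."""
    n, d = priv
    return pow(md5_int(data), d, n)


def verify(pub, data, sig):
    """Receiver: undo the signature with the public key and compare with MD5 of what arrived."""
    n, e = pub
    return pow(sig, e, n) == md5_int(data)


def cert_tbs(serial, subject, pub, issuer):
    """To-be-signed bytes of a toy certificate: which key belongs to whom, vouched for by whom."""
    return f"{serial}|{subject}|{pub[0]}|{pub[1]}|{issuer}".encode()


def issue_cert(issuer, issuer_priv, serial, subject, subject_pub):
    return {"serial": serial, "subject": subject, "pub": subject_pub, "issuer": issuer,
            "sig": sign(issuer_priv, cert_tbs(serial, subject, subject_pub, issuer))}


def verify_chain(chain, anchor_name, anchor_pub, crl=frozenset()):
    """Follow the chain from the key the verifier already holds (X) to the end entity (Z).

    Every certificate must name the previous subject as its issuer, verify under the
    previous subject's key, and not appear on the CRL. Returns Z's public key, or None.
    """
    issuer, issuer_pub = anchor_name, anchor_pub
    for cert in chain:
        if cert["issuer"] != issuer or cert["serial"] in crl:
            return None
        tbs = cert_tbs(cert["serial"], cert["subject"], cert["pub"], cert["issuer"])
        if not verify(issuer_pub, tbs, cert["sig"]):
            return None
        issuer, issuer_pub = cert["subject"], cert["pub"]
    return issuer_pub


def demo():
    """X is the CA whose key the verifier holds; X certifies Y, Y certifies Z."""
    x_pub, x_priv = keygen(seed=1)
    y_pub, y_priv = keygen(seed=2)
    z_pub, z_priv = keygen(seed=3)
    chain = [issue_cert("X", x_priv, 1, "Y", y_pub), issue_cert("Y", y_priv, 2, "Z", z_pub)]
    key_for_z = verify_chain(chain, "X", x_pub)
    msg = b"constructed sample message"   # the PGP "original message" (constructed)
    sig = sign(z_priv, msg)              # transmitted message is msg + sig
    return {
        "chain_ok": key_for_z == z_pub,
        "msg_ok": key_for_z is not None and verify(key_for_z, msg, sig),
        "tamper_detected": key_for_z is not None and not verify(key_for_z, msg + b"!", sig),
        "revoked_rejected": verify_chain(chain, "X", x_pub, crl={2}) is None,
    }


if __name__ == "__main__":
    print(demo())
```

Because the certificate's public key is inside the signed bytes, swapping in a key that Y never certified breaks Y's signature and the walk stops; a verifier that only holds Y's key can still validate the last link on its own, which is exactly the "has to know X's public key and follow the chain" condition from the slide.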
-
PGP Message Encryption
Sender:
Original message
Create a random secret key k
Encrypt message using DES with secret key k
Encrypt k using RSA with recipient's public key
Encode message + E(k) in ASCII for transmission
Transmitted message
Receiver:
Convert ASCII message back to binary
Decrypt E(k) using RSA with my private key
Decrypt message using DES with secret key k
-
Example (PGP)
-
SSH Port Forwarding
-
Secure Transport Layer
Application (e.g. HTTP)
Secure transport layer
TCP
IP
Subnet
-
TLS Handshake Protocol
(figure: handshake message flow between Client and Server)
-
TLS Handshake Protocol (cont)
-
IPSEC Authentication Header
NextHdr  PayloadLength  Reserved
SPI
SeqNum
Authentication Data
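Added example (not from the lecture) of the AH layout on this slide: packing and parsing the fixed fields with struct, computing the Authentication Data as HMAC-MD5-96 with that field zeroed, and the RFC 2402 anti-replay window keyed on SeqNum. The key and payload are constructed; the immutable IP header fields that a real AH integrity check also covers are omitted because the slide shows only the AH itself.

```python
import hashlib
import hmac
import struct

# Fixed part of the AH exactly as on the slide:
# NextHdr(8) PayloadLength(8) Reserved(16) | SPI(32) | SeqNum(32)
AH_FIXED = struct.Struct("!BBHII")
ICV_LEN = 12   # HMAC-MD5-96 (RFC 2403): 128-bit HMAC truncated to the leftmost 96 bits


def build_ah(next_hdr, spi, seq, payload, key):
    """Sender side. Payload Len counts 32-bit words of the whole AH minus 2 (RFC 2402):
    12 fixed bytes + 12 ICV bytes = 6 words, so the field carries 4. The ICV is computed
    with the Authentication Data field zeroed."""
    payload_len = (AH_FIXED.size + ICV_LEN) // 4 - 2
    fixed = AH_FIXED.pack(next_hdr, payload_len, 0, spi, seq)
    icv = hmac.new(key, fixed + bytes(ICV_LEN) + payload, hashlib.md5).digest()[:ICV_LEN]
    return fixed + icv + payload


def parse_ah(packet):
    """Split a received packet into the AH fields and the protected payload."""
    if len(packet) < AH_FIXED.size:
        raise ValueError("packet shorter than the fixed AH")
    next_hdr, payload_len, reserved, spi, seq = AH_FIXED.unpack_from(packet, 0)
    ah_len = (payload_len + 2) * 4
    if ah_len < AH_FIXED.size or len(packet) < ah_len:
        raise ValueError("Payload Len inconsistent with packet size")
    return {"next_hdr": next_hdr, "reserved": reserved, "spi": spi, "seq": seq,
            "icv": packet[AH_FIXED.size:ah_len], "payload": packet[ah_len:]}


class ReplayWindow:
    """RFC 2402 anti-replay: a sliding bitmap over the last `size` sequence numbers."""

    def __init__(self, size=64):
        self.size, self.top, self.bitmap = size, 0, 0

    def accept(self, seq):
        if seq == 0:                       # first packet on an SA carries SeqNum 1
            return False
        if seq > self.top:                 # new high-water mark: slide the window right
            self.bitmap = ((self.bitmap << (seq - self.top)) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        if seq <= self.top - self.size:    # older than the window: reject
            return False
        bit = 1 << (self.top - seq)
        if self.bitmap & bit:              # already seen: replay
            return False
        self.bitmap |= bit
        return True


def verify_ah(packet, key, window):
    """Receiver side. The ICV is checked first and the replay window advanced only after
    it passes, so a forged packet with a large SeqNum cannot push genuine in-flight
    packets out of the window. Returns the parsed fields, or None if the packet is dropped."""
    fields = parse_ah(packet)
    zeroed = packet[:AH_FIXED.size] + bytes(len(fields["icv"])) + fields["payload"]
    expected = hmac.new(key, zeroed, hashlib.md5).digest()[:len(fields["icv"])]
    if not hmac.compare_digest(expected, fields["icv"]):
        return None
    if not window.accept(fields["seq"]):
        return None
    return fields


if __name__ == "__main__":
    key = bytes(range(16))                                  # constructed SA key
    window = ReplayWindow()
    pkt = build_ah(6, 0x100, 1, b"constructed payload", key)  # NextHdr 6 = TCP
    print(verify_ah(pkt, key, window))                      # accepted
    print(verify_ah(pkt, key, window))                      # None: replay of SeqNum 1
```

Packets that arrive out of order but inside the window are still accepted once each, which is what lets AH coexist with reordering on the path while rejecting a replayed copy.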
-
IPSEC ESP Header
-
ESP Packet
-
Firewalls
-
Firewalls
Filter-Based Solution
Example:
( 192.12.13.14, 1234, 128.7.6.5, 80 )
( *, *, 128.7.6.5, 80 )
Default: forward or not forward?
How dynamic?
(figure: firewall between the rest of the Internet and the local site)
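Added example (not from the lecture): a first-match packet filter over the 4-tuples on this slide, with the default action as an explicit parameter, plus a small stateful extension that remembers connections opened from the local site as one answer to "how dynamic?". The third rule and all packets are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src: str      # "*" or an address/CIDR, e.g. "192.12.13.14" or "192.12.0.0/16"
    sport: str    # "*" or a port number as a string
    dst: str
    dport: str
    action: str   # "forward" or "drop"


def addr_matches(pattern, addr):
    return pattern == "*" or ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)


def port_matches(pattern, port):
    return pattern == "*" or int(pattern) == port


def decide(rules, packet, default="drop"):
    """Stateless filter: packet is (src, sport, dst, dport). The first rule that matches
    wins; if none matches, the configured default answers the slide's question
    'forward or not forward?'. Default-drop is the safe choice."""
    src, sport, dst, dport = packet
    for r in rules:
        if (addr_matches(r.src, src) and port_matches(r.sport, sport)
                and addr_matches(r.dst, dst) and port_matches(r.dport, dport)):
            return r.action
    return default


# Constructed rule set: the two tuples from the slide plus one explicit drop.
RULES = [
    Rule("192.12.13.14", "1234", "128.7.6.5", "80", "forward"),   # ( 192.12.13.14, 1234, 128.7.6.5, 80 )
    Rule("*", "*", "128.7.6.5", "80", "forward"),                 # ( *, *, 128.7.6.5, 80 ): anyone may reach the web server
    Rule("*", "*", "128.7.0.0/16", "23", "drop"),                 # constructed: no telnet into the site
]


class StatefulFilter:
    """One answer to 'how dynamic?': remember connections the local site opens, so the
    replies are forwarded without a standing rule that would also admit unsolicited traffic."""

    def __init__(self, rules, default="drop"):
        self.rules, self.default, self.established = rules, default, set()

    def outbound(self, packet):
        src, sport, dst, dport = packet
        self.established.add((dst, dport, src, sport))   # the reverse 4-tuple a reply will carry
        return "forward"                                   # egress policy omitted here

    def inbound(self, packet):
        if packet in self.established:
            return "forward"
        return decide(self.rules, packet, self.default)


if __name__ == "__main__":
    print(decide(RULES, ("10.0.0.1", 40000, "128.7.6.5", 80)))    # forward (second rule)
    print(decide(RULES, ("10.0.0.1", 40000, "128.7.6.5", 22)))    # drop (default)
    f = StatefulFilter(RULES)
    f.outbound(("128.7.6.9", 5555, "1.2.3.4", 443))
    print(f.inbound(("1.2.3.4", 443, "128.7.6.9", 5555)))         # forward (established)
```

Changing the default to "forward" turns the same rule set into an allow-by-default filter, which is the choice the slide is asking about; the stateful table is what a static tuple list cannot express.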
-
Proxy-Based Firewalls
Problem: complex policy
Example: web server
(figure: company net with the web server behind the firewall; on the Internet side, a remote company user and a random external user)
-
Proxy-Based Firewalls
Solution: proxy
Design: transparent vs classical
Limitations: internal attacks
(figure: external client -> external HTTP/TCP connection -> proxy at the firewall -> internal HTTP/TCP connection -> local server)
-
Simple Proxy Scenario
-
Denial of Service
Attacks on end hosts
SYN attack
Attacks on routers
Christmas tree packets
Pollute route cache
Authentication attacks
Distributed DoS attacks