Communication Networks

1
Communication Networks

• Recitation 11
• Security

2
RSA The problem

• A wants to send B a message, but
• A and B cannot meet so cannot decide on a common
  key

3
RSA The solution

• B sends A a public key eB. The public key can be
  used to encrypt, but not to decrypt
• A encrypts the message m with the public key and
  sends eB(m) to B
• B uses his own private key dB to decrypt
  dB(eB(m))m

4
RSA obtaining keys

• Choose two large prime numbers p, q.
• Compute n pq ? give to others.
• Calculate z(p-1)(q-1). Destroy p,q.
• Choose 1lteltn that has no common factors with z ?
  give to others.
• Compute d such that (de-1) is evenly divisible by
  z. Find an integer K which causes d (Kz 1)/e
  to be integer, and use d ? keep secret. Destroy
  z.
• Public key (n,e). Private key (n,d).

5
RSA example

• p 61, q 53
• n 3233
• z3120
• 7, 11, 17 will do. We choose e17.
• d2753 (3120K1)/17 integer ? K15.
• Public key (3233,17).Private key (3233,2753).

6
RSA encryption/decryption

• Encryption c me mod n
• Decryption m cd mod n

7
RSA encryption/decryption example

• encrypt(m) m17 mod 3233
• Encrpyt(123) 12317 mod 3233 855
• decrypt(c) c2753 mod 3233
• Decrpyt(855) 8552753 mod 3233 123

8
RSA with a pocket calculator

• 2753 101011000001 base 2
• 2753 1 26 27 29 211 1 64 128
  512 2048
• 8551 855 (mod 3233)
• 8552 367 (mod 3233)
• 8554 3672 (mod 3233) 2136 (mod 3233)
• 8558 21362 (mod 3233) 733 (mod 3233)
• 85516 7332 (mod 3233) 611 (mod 3233)
• 85532 6112 (mod 3233) 1526 (mod 3233)
• 85564 15262 (mod 3233) 916 (mod 3233)
• 855128 9162 (mod 3233) 1709 (mod 3233)
• 855256 17092 (mod 3233) 1282 (mod 3233)
• 855512 12822 (mod 3233) 1160 (mod 3233)
• 8551024 11602 (mod 3233) 672 (mod 3233)
• 8552048 6722 (mod 3233) 2197 (mod 3233)

9

• 8552753 (mod 3233) 855(1 64 128 512
  2048) (mod 3233)
• 8551 85564 855128 855512 8552048 (mod
  3233)
• 855 916 1709 1160 2197 (mod 3233)
• 794 1709 1160 2197 (mod 3233)
• 2319 1160 2197 (mod 3233)
• 184 2197 (mod 3233)
• 123 (mod 3233)
• 123

10
RSA Signatures

• How can B know the message was from A?
• A produces a hash H(m)
• A encrypts with his private key dA(H(m)) and
  sends with m.
• B produces H(m), decrypts dA(H(m)) with As
  public key eA eA(dA(H(m)))H(m) and compares
  them.

11
RSA Signature example

• A wants to send This is a very important
  message.
• p5, q7 ? n 35, z 24
• e 5 d 29
• Public key (35, 5) Private key (35, 29)
• H(This is a very important message)26
• 2629 mod 35 31
• A sends This is a very important message, 31
• B gets private key 5, 315 mod 35 26.
• Compares to H(This is a very important
  message)26

12
RSA Authorization

• How can B know this is really the A he knows?
• Certification Authority has public key eCA and
  private key dCA
• A proves to CA that he is A using some identity
  proof, and gets dCA(eA)
• B can now use eCA(dCA(eA))eA

13
RSA Authorization example

• A wants to send This is a very important
  message.
• ...
• CA has Public key (3337, 79), Private key (3337,
  1019)
• B gets As authorized public key 51019 mod 3337
  199
• B uses 19979 mod 3337 5

14
Firewall

• Isolates organizations internal net from larger
  Internet, allowing some packets to pass, blocking
  others
• Firewall is usually implemented as a router
• Router filters packets, based on
• source IP address
• destination IP address
• TCP/UDP source and destination port numbers
• ICMP message type
• TCP SYN and ACK bits
• Smart filtering

15
Example firewall rules

• Allow outgoing traffic only on ports HTTP,
  HTTPS, FTP and TELNET
• Used in a work place to make sure people arent
  using dangerous/illegal sharing
• Too wide
• Do not allow incomingng traffic on port TCP/4661
  (edonkey)
• Too narrow

16
More rules

• Allow incoming traffic only on port HTTP/HTTPS
• Is it blocking enough?
• What other applications?
• Do not allow traffic from bezeqint.net
• Sad but true

17
Firewalls prevented SYN DDOS attack

• An external host sends a syn packet.
• Firewall responds with a synack to the external
  host (at this point, the internal server doesnt
  even know that there is something going on like
  this).
• If the external hosts sends an ack packet, then
  the firewall creates a new session by syn to ack
  to the internal server.
• Then it connects them together so that the
  communication works.
• Can this be circumvented? What else can the
  firewall do?