Note :- There are going to be no notes for lecture 20. In lecture 20 Prof. Yee talked about the common mistakes made by the students in the midterm. Try to be careful that you dont do similar mistakes in the final.
This lecture is a continuation of the previous lectures, lecture 17 & lecture 18.
In this lecture we will talk about why firewalls cannot block all user level ports , vitual private networks and introduction to RSA
Firewalls cannot block all user level ports
We recommend you to go and look into the file /etc/services (contains a long list of network services). The services file contains information regarding the known services available in the DARPA Internet. For each service, a single line should be present with the following information:
official_service_name port_number protocol_name
aliases
example:-
finger 79/tcp
smtp
25/tcp mail
To understand why firewalls cannot block all user level ports we will take the example of SUN RPC. When a programmer create a remote service, she needs a port on which she can provide the service to the client. In SUN RPC, things are a bit more dynamic. The programmer assigns a service number to the service they create, then they need to go and register that service with the appropriate daemon.
A standard piece of binding software supplied with Sun RPC is the portmapper. The portmapper is itself an RPC service (program number 100000,version 2) that listens on a well known port (port 111 for TCP and UDP). When RPC server programs start, they register their existence with the portmapper.
In the local case, the caller knows which procedure it is using as they were bound together at compile time. In a remote procedure call, the caller must find the process providing the service it desires. Client programs tell the portmapper what program number, version and protocol (TCP or UDP) they want, and the portmapper replies with the port number that the server is listening on. The client can then use the protocol specified to contact that port. So, we cannot have our firewall block all ports that are not in the /etc/services, especially in the academics.
The desire to use the Internet for business and the the risk factors associated with doing so have given rise to a new technology niche: Virtual Private Networks (VPN). VPNs typically are IP-based networks (usually the public Internet) that use encryption and tunneling to achieve one or more of the following goals:
Looking at the design goals for a VPN, security is the focus of most solutions available today, and we therefore begin with approaches to ensuring Confidentiality, Integrity and Authentication .
Confidentiality
Confidentiality protects the privacy of information being exchanged between communicating parties. Towards this end, every VPN solution provides encryption of some sort . The two primary cryptographic systems in use today are
To encrypt data, enter the data ("plaintext") and an encryption key to the encryption portion of the algorithm. To decrypt the "ciphertext," a proper decryption key is used at the decryption portion of the algorithm. Those keys, which contains simply a string of numbers, are called public key and private key, respectively. For example, suppose Alice intends to send e-mail to Bob. Through a public-key directory, she finds his public key. Then, she encrypts her message using the key and send it to Bob. This public key, however, will not decrypt the ciphertext. Knowledge of Bob's public key will not help an eavesdropper. In order for Bob to decrypt his ciphertext, he must use his private key. If Bob wants to respond to Alice, he encrypts his message using her public key.
Here's the relatively easy to understand math behind RSA public key encryption.
1. Find P and Q, two large (e.g., 1024-bit) prime numbers.
2. Choose E such that E is greater than 1, E is less than PQ, and such that E and (P-1)(Q-1) are relatively prime, which means they have no prime factors in common. E does not have to be prime, but it must be odd. (P-1)(Q-1) can't be prime because it's an even number.
3. Compute D such that (DE - 1) is evenly divisible by (P-1)(Q-1). Mathematicians write this as DE = 1 (mod (P-1)(Q-1)), and they call D the multiplicative inverse of E. This is easy to do -- simply find an integer X which causes D = (X(P-1)(Q-1) + 1)/E to be an integer, then use that value of D.
4. The encryption function is C = (T^E) mod PQ, where C is the ciphertext (a positive integer), T is the plaintext (a positive integer), and ^ indicates exponentiation. The message being encrypted, T, must be less than the modulus, PQ.
5. The decryption function is T = (C^D) mod PQ, where C is the ciphertext (a positive integer), T is the plaintext (a positive integer), and ^ indicates exponentiation.
Your public key is the pair (PQ, E). Your private key is the number
D (reveal it to no one). The product PQ is the modulus (often called N
in the literature). E is the public exponent. D is the secret exponent.