CSE 127: Lecture 21

Note :- There are going to be no notes for lecture 20. In lecture 20 Prof. Yee talked about the common mistakes  made by the students in the midterm. Try to be careful that you dont do similar mistakes in the final.

This lecture is a continuation of the previous lectures, lecture 17 & lecture 18.

In this lecture we will talk about why firewalls cannot block all user level ports , vitual private networks and introduction to RSA

Firewalls cannot block all user level ports

We recommend you to go and look into the file /etc/services (contains a long list of network services). The services file contains information regarding the known services available in the DARPA Internet. For each service, a single line should be present with the following information:

official_service_name  port_number  protocol_name  aliases
example:-
finger          79/tcp
smtp            25/tcp          mail

To understand why firewalls cannot block all user level ports we will take the example of SUN RPC. When a programmer create a remote service, she needs a port on which she can provide the service to the client. In SUN RPC, things are a bit more  dynamic. The programmer assigns a service number to the service they create, then they need to go and register that service with the appropriate daemon.

A standard piece of binding software supplied with Sun RPC is the portmapper. The portmapper is itself an RPC service (program number 100000,version 2) that listens on a well known port (port 111 for TCP and UDP). When RPC server programs start, they register their existence with the portmapper.

In the local case, the caller knows which procedure it is using as they were bound together at compile time. In a remote procedure call, the caller must find the process providing the service it desires. Client programs tell the portmapper what program number, version and protocol (TCP or UDP) they want, and the portmapper replies with the port number that the server is listening on. The client can then use the protocol specified to contact that port.  So, we cannot have our firewall block all ports that are not in the /etc/services, especially in the academics.

Virtual Private Networks

The desire to use the Internet for business and the the risk factors associated with doing so have given rise to a new technology niche: Virtual Private Networks (VPN). VPNs typically are IP-based networks (usually the public Internet) that use encryption and tunneling to achieve one or more of the following goals:

The idea is to extend trust relationships across an economical public network without sacrificing security. Ideally, a VPN should behave similarly to a private network; it should be secure, highly available and have predictable performance.

Looking at the design goals for a VPN, security is the focus of most solutions available today, and we therefore begin with approaches to ensuring Confidentiality, Integrity and Authentication .

Confidentiality

Confidentiality protects the privacy of information being exchanged between communicating parties. Towards this end, every VPN solution provides encryption of some sort . The two primary cryptographic systems in use today are

Secret (or private) key cryptography uses a shared key which is used to encrypt and decrypt messages. The major problem with private key cryptography is key exchange. Sending secret keys across the Internet unencrypted is not an option for obvious reasons. This is where public key cryptography can help. Public key cryptography uses a mathematically linked key pair for each communicating party. This means that data encrypted with one key can be decrypted with the other key in the pair. A sender can encrypt a message with the recipient's public key, which as the name implies is publicly available (on a server, for example). The recipient can then decrypt the message using his or her own private key.

Introduction to RSA

To encrypt data, enter the data ("plaintext") and an encryption key to the encryption portion of the algorithm. To decrypt the "ciphertext," a proper decryption key is used at the decryption portion of the algorithm. Those keys, which contains simply a string of numbers, are called public key and private key, respectively. For example, suppose Alice intends to send e-mail to Bob. Through a public-key directory, she finds his public key. Then, she encrypts her message using the key and send it to Bob. This public key, however, will not decrypt the ciphertext. Knowledge of Bob's public key will not help an eavesdropper. In order for Bob to decrypt his ciphertext, he must use his private key. If Bob wants to respond to Alice, he encrypts his message using her public key.

Here's the relatively easy to understand math behind RSA public key encryption.

   1. Find P and Q, two large (e.g., 1024-bit) prime numbers.

   2. Choose E such that E is greater than 1, E is less than PQ, and such that E and (P-1)(Q-1) are relatively prime, which means they have no prime factors in common. E does not have to be prime, but it must be odd. (P-1)(Q-1) can't be prime because it's an even number.

   3. Compute D such that (DE - 1) is evenly divisible by (P-1)(Q-1). Mathematicians write this as DE = 1 (mod (P-1)(Q-1)), and they call D the      multiplicative inverse of E. This is easy to do -- simply find an integer X which causes D = (X(P-1)(Q-1) + 1)/E to be an integer, then use that value of D.

   4. The encryption function is C = (T^E) mod PQ, where C is the ciphertext (a positive integer), T is the plaintext (a positive integer), and ^ indicates exponentiation. The message being encrypted, T, must be less than the modulus, PQ.

   5. The decryption function is T = (C^D) mod PQ, where C is the ciphertext (a positive integer), T is the plaintext (a positive integer), and ^ indicates exponentiation.

Your public key is the pair (PQ, E). Your private key is the number D (reveal it to no one). The product PQ is the modulus (often called N in the literature). E is the public exponent. D is the secret exponent.