## Introduction to Network Security – Part 10

NOTIFICATION: These examples are provided for educational purposes. The use of this code and/or information is under your own responsibility and risk. The information and/or code is given ‘as is’. I do not take responsibilities of how they are used. You are welcome to point out any mistakes in my posting and/or leave a comment.

RSA Algorithm

RSA is an algorithm for public-key cryptography. The initials R, S, and A come from the last names of Ron Rivest, Adi Shamir, and Leonard Adleman, who were the first to describe this algorithm. This algorithm is famous for being the first algorithm suitable for signing as well as encryption.

The RSA algorithm allows you to choose which key is used for encryption and which for decryption:

1. Public key for encryption, private key for decryption or,
2. Private key for encryption, public key for decryption.

Generate the Key Pair (Public and Private Key)

1. Choose two random prime numbers p and q.
   p = 17
   q = 11

   For better security, you can use a primality test to obtain these two random prime numbers. They should be of similar bit-length.
2. Compute n = p * q, where n is the modulus used for both the private and public keys.
   n = p * q = 17 * 11 = 187
3. Compute the Euler totient function ø(n).
   ø(n) = ø(187) = (p - 1) * (q - 1) = 16 * 10 = 160
4. Select a public key exponent e where 1 < e < ø(n) and gcd(e, ø(n)) = 1.
   If we choose e = 7 then gcd(e, ø(n)) = gcd(7, 160) = 1
5. Determine the multiplicative inverse d:
   1. d must be less than ø(n): d < 160
   2. d must satisfy d * e mod ø(n) = d * 7 mod ø(187) = d * 7 mod 160 = 1
   3. Let d = 23; in this way d * e = 23 * 7 = 161 = (160 + 1), so
      d * 7 mod 160 = 23 * 7 mod 160 = 1
6. The public key will be:
   PU = {e, n} = {7, 187}
7. The private key will be:
   PR = {d, n} = {23, 187}

Encryption

1. The sender must obtain the public key PU = {e, n} of the recipient, where PU is the public key, n is the modulus, and e is the public exponent (also known as the public encryption exponent).
   PU = {e, n} = {7, 187}
2. The message M (also known as the plaintext) must be turned into an integer m by using a padding scheme (a reversible protocol) such that 0 < m < n.
   Let's assume the message is m = 88, where 0 < m < n, so 0 < 88 < 187.
3. Then the sender must compute the ciphertext.

Where c is the ciphertext, m is the integer message, e is the public exponent, and n is the modulus.

Decryption

1. The recipient must use the private key PR = {d, n} to decrypt the ciphertext, where PR is the private key, d is the private key exponent, and n is the modulus.
   PR = {d, n} = {23, 187}
2. Compute the message.

Where m is the integer message, c is the ciphertext, and n is the modulus.
3. Then recover the original message M from the integer message m by reversing the padding scheme.

Encryption / Decryption Example

Algorithm Requirements

1. It should be possible to find values for e, d, and n so for all values of m where 0 < m < n
2. and should be easy to calculate for all values of m where 0 < m < n.
3. It should be very hard for an attacker to determine d given e and n.

Possible Attacks to RSA

1. Brute-force attack
2. Mathematical attacks
   1. Determine d directly
   2. Determine the Euler totient function ø(n) without using the prime numbers p and q
   3. Factorising n into the correct prime factors p and q
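
The key generation, encryption and decryption steps above, carried through with the post's own numbers, together with mathematical attack 2.3 from the list. This is an added example, not code from the original post: the helper names `modpow`, `modinv` and `recover_d` are hypothetical, and the padding step is skipped so that m = 88 is used directly.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Square-and-multiply: base^exp mod n. Only safe for toy moduli (n < 2^32). */
static uint64_t modpow(uint64_t base, uint64_t exp, uint64_t n) {
    uint64_t r = 1;
    for (base %= n; exp > 0; exp >>= 1) {
        if (exp & 1) r = r * base % n;
        base = base * base % n;
    }
    return r;
}

/* Extended Euclid: returns d with d * e mod phi = 1, or 0 if gcd(e, phi) != 1. */
static uint64_t modinv(uint64_t e, uint64_t phi) {
    int64_t r0 = (int64_t)phi, r1 = (int64_t)e, t0 = 0, t1 = 1, q, tmp;
    while (r1 != 0) {
        q = r0 / r1;
        tmp = r0 - q * r1; r0 = r1; r1 = tmp;
        tmp = t0 - q * t1; t0 = t1; t1 = tmp;
    }
    if (r0 != 1) return 0;                 /* e is not a valid public exponent */
    return (uint64_t)(t0 < 0 ? t0 + (int64_t)phi : t0);
}

/* Attack 2.3: trial division finds p, which gives q, phi(n) and then d.
 * Instant for n = 187; this is why real moduli use large primes. */
static uint64_t recover_d(uint64_t e, uint64_t n) {
    for (uint64_t p = 2; p * p <= n; p++)
        if (n % p == 0)
            return modinv(e, (p - 1) * (n / p - 1));
    return 0;
}

int main(void) {
    uint64_t p = 17, q = 11, e = 7, m = 88;          /* values from the post */
    uint64_t n = p * q, phi = (p - 1) * (q - 1);
    uint64_t d = modinv(e, phi);                     /* private exponent */
    uint64_t c = modpow(m, e, n);                    /* encrypt with PU = {e, n} */
    printf("n=%" PRIu64 " phi=%" PRIu64 " d=%" PRIu64 "\n", n, phi, d);
    printf("c=%" PRIu64 " decrypted=%" PRIu64 "\n", c, modpow(c, d, n));
    printf("d recovered from PU alone=%" PRIu64 "\n", recover_d(e, n));
    return 0;
}
```

`modinv` returns 0 for an exponent that shares a factor with ø(n), which is the gcd(e, ø(n)) = 1 condition from step 4 of key generation.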

Key Distribution

One of the important aspects is how to distribute the keys between the sender and the receiver. For example, one way is to use the public-key encryption to distribute the keys.

To do that, there are three different methods of distribution that can be used:

1. Public announcement,
2. Public-key authority, and
3. Public-key certificates

Public Announcement

One way to distribute the public keys is to have the sender distribute the public key to the recipient; however, this has the disadvantage that an attacker could create a key claiming to be the sender. This disadvantage is known as forgery.

A solution is to create a public-key authority.

Public Key Authority

A public key authority is a central authority that maintains a dynamic directory of public keys for all the users. Example: {name, public-key}

1. In a secure way (in person), each user registers a public key with this directory authority.
2. It is required that the user knows the public key for the directory.
3. Only the authority knows the corresponding private key.
4. Users interact with the directory in order to obtain the public key securely.

Steps:

1. User A sends a timestamped message to the public-key authority.
   This message contains a request for the public key of user B.
2. The public-key authority responds to user A by returning a message encrypted using its private key. This message contains:
   1. The original request, so it can be matched with the request.
   2. The original timestamp, so it can be determined if the message is not from the public-key authority.
   3. The public key of user B.
3. User A stores the public key of user B and uses this public key to encrypt a message that contains the identity of user A plus a "nonce N1". This message is delivered to user B.
4. User B sends a timestamped message to the public-key authority.
   This message contains a request for the public key of user A.
5. The public-key authority responds to user B by returning a message encrypted using its private key. This message contains:
   1. The original request, so it can be matched with the request.
   2. The original timestamp, so it can be determined if the message is not from the public-key authority.
   3. The public key of user A.
6. User B encrypts a message using the public key of user A and sends this encrypted message to user A.
   This encrypted message contains:
   1. User A's nonce
   2. A nonce generated by user B
7. User A encrypts a message using the public key of user B and sends this encrypted message to user B.
   This encrypted message holds:
   1. the nonce N2 of user A

   (This assures user B that the encrypted message is coming from user A.)

Disadvantages:

Since the users must appeal to the public-key authority in order to obtain the other users' public keys, it can become a bottleneck.

Public Key Certificates

Another way to exchange keys without the need for a public-key authority is to use public-key certificates. The general idea is:

1. A certificate is a data block that contains a public key plus an identifier of the key's owner. This data block is signed by a trusted third party, the certificate authority.
2. A user generates a key pair, sends the public key to this certificate authority in a secure way, and obtains a certificate issued by the certificate authority (the trusted third party).
3. This user then publishes this certificate so another user can verify that the certificate was created by the trusted third party.

Please notice that the certificate authority (the trusted third party) is the only one that can create and update certificates.

Steps:

1. User A supplies a public key PUa with a request for a certificate to the certificate authority. This request must be made in a secure way, for example in person.
2. The certificate authority provides user A with a certificate of this form:
   where E is the encryption algorithm, PRauth is the authority's private key, Time1 is a timestamp, and IDa is user A's identification.
3. User A can then pass the certificate CA to any user (in this case user B).
4. User B gets the certificate from user A and verifies that the certificate comes from the certificate authority by decrypting the message using the authority's public key:

In this way it can verify that the certificate is not counterfeit.

## Introduction to Network Security – Part 3

Socket Programming

In network applications, communication is almost always done using a client-server model.

A client requests a service from the server and receives that service from the server (which should usually be running). The only thing the client needs to know is the address of the server and which port to use. Once the connection between the client and the server is established, the client and the server can send and receive information back and forth. E.g. an FTP client to an FTP server.

The client should usually communicate with only one server at a time; however, there are exceptions such as the web browser. Today's web browsers can connect to different servers in order to download all the elements of a page faster. A page could indicate that the images come from one server, while the flash animation comes from a different server.

For a client and a server to communicate, they must use sockets to send and receive messages from each other. A socket is used by a sending process to send a message to the transport infrastructure, which delivers the message to a receiving process that is also using a socket to receive the message.

The first step for a process that is receiving a message is to have an identifier. This identifier must include the IP address and a port number. The port number must be associated with the process. The port number is a 16-bit number used to identify the application process. Notice that an IP address does not identify a process but the port does, so you can have more than one process running on the host, which means different ports can be used at the same time with the same IP address.

Right now, October 27 of 2010, there are two Internet Protocols (IP) available: IPv4 and IPv6.

1. IPv4 (IP version 4) uses a 32-bit binary number represented by 4 decimal values, separated by periods, in dotted decimal notation. Each decimal value is an octet (8 bits) which ranges from 0 to 255. Example: 192.168.1.101 would be 11000000.10101000.00000001.01100101.
   1. 192 → 11000000
   2. 168 → 10101000
   3. 1 → 00000001
   4. 101 → 01100101
2. IPv6 (IP version 6) is designed to succeed IPv4 (IP version 4). Instead of a 32-bit binary number, IPv6 uses 128 bits. This means that the use of Network Address Translation (NAT) is not needed as in IPv4. Network security such as IPSec (http://en.wikipedia.org/wiki/IPsec), which allows IP packets to be authenticated and encrypted, has been incorporated.

Ports

As explained previously, a port is a 16-bit identifier number which identifies the type of application process; this means that there are a total of 65535 port numbers available. For more information you can go to the Internet Assigned Numbers Authority (IANA) <http://www.iana.org>. This institution is in charge of the global coordination of the DNS Root, IP addressing, and other Internet protocol resources.

1. Ports from 0 to 1023 are called well-known ports.
   1. Examples of reserved ports: HTTP (Port 80), FTP (Port 21), Telnet (Port 23), SMTP (Port 25), etc.
2. Ports from 1024 through 49151 are called reserved ports.
3. Ports from 49152 to 65535 are called dynamic ports, private ports, or ephemeral ports.

TCP Socket on Client Side

1. Create a socket to create an endpoint for communication.
   1. (In Linux) ANSI C:
      `int socket(int domain, int type, int protocol);`
2. Specify the server's IP address and port to connect to.
3. Establish a connection with the server (initiate a connection on a socket).
   1. (In Linux) ANSI C:
      `int connect(int sockfd, const struct sockaddr *addr, socklen_t addrlen);`
4. Send data to the server and receive data from the server.
5. Close the connection.

Here is an example of a client/server program using ANSI C in Linux: <http://www.acarlstein.com/?p=891>
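
The five client steps above, exercised end to end with every return value checked and a bounded receive. This is an added example, not the code from the linked post: the helper name `loopback_echo`, the 127.0.0.1 address and the kernel-chosen port are assumptions, and a small listener is opened in the same process so the client has something to connect to.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Hypothetical helper: send msg over a loopback TCP connection and read the echo.
 * Returns the number of bytes echoed into out, or -1 on any failure. */
static int loopback_echo(const char *msg, char *out, size_t outlen) {
    /* Port 0 asks the kernel for a free port; getsockname() reads it back. */
    struct sockaddr_in addr = { .sin_family = AF_INET, .sin_port = htons(0) };
    socklen_t alen = sizeof addr;
    char buf[128];
    ssize_t n;
    int rc = -1, conn = -1;
    int srv = socket(AF_INET, SOCK_STREAM, 0);   /* listener endpoint */
    int cli = socket(AF_INET, SOCK_STREAM, 0);   /* client step 1 */
    if (srv < 0 || cli < 0 || outlen == 0 || *msg == '\0') goto done;
    if (inet_pton(AF_INET, "127.0.0.1", &addr.sin_addr) != 1) goto done;
    /* Binding to 127.0.0.1 keeps the listener unreachable from other hosts. */
    if (bind(srv, (struct sockaddr *)&addr, sizeof addr) < 0) goto done;
    if (listen(srv, 1) < 0) goto done;
    if (getsockname(srv, (struct sockaddr *)&addr, &alen) < 0) goto done;
    /* Client steps 2-4: addr now holds the server's IP address and port. */
    if (connect(cli, (struct sockaddr *)&addr, sizeof addr) < 0) goto done;
    if (send(cli, msg, strlen(msg), 0) < 0) goto done;
    /* Listener: accept the queued connection and echo what arrived. */
    if ((conn = accept(srv, NULL, NULL)) < 0) goto done;
    n = recv(conn, buf, sizeof buf, 0);
    if (n <= 0 || send(conn, buf, (size_t)n, 0) != n) goto done;
    /* Bounded read: at most outlen - 1 bytes, then NUL-terminate. */
    n = recv(cli, out, outlen - 1, 0);
    if (n < 0) goto done;
    out[n] = '\0';
    rc = (int)n;
done:                                            /* client step 5: close */
    if (conn >= 0) close(conn);
    if (cli >= 0) close(cli);
    if (srv >= 0) close(srv);
    return rc;
}

int main(void) {
    char reply[64];
    int n = loopback_echo("hello", reply, sizeof reply);
    printf("echoed %d bytes: %s\n", n, n < 0 ? "(error)" : reply);
    return n < 0;
}
```

TCP is a byte stream, so a single `recv` may return less than was sent; code handling longer messages loops until it has the length it expects.
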

TCP Socket on Server Side

1. Create a socket to create an endpoint for communication.
   1. (In Linux) ANSI C:
      `int socket(int domain, int type, int protocol);`
2. Bind the socket with an address to specify the server's IP address and port.
   1. (In Linux) ANSI C:
      `int bind(int sockfd, const struct sockaddr *addr, socklen_t addrlen);`
      `int listen(int sockfd, int backlog);`
      `int accept(int sockfd, struct sockaddr *addr, socklen_t *addrlen);`