Network Security, Lecture 2
TCP/IP: Ethernet, IP, and ARP (and a PGP refresher)
Eike Ritter

Any questions on…
• Administrivia, organizational matters?
• Historical/cultural overview?

Eike Ritter Network Security - Lecture 2 1

Today
• PGP in 6 slides
• IP
• Ethernet
• ARP
• Attacks: sniffing

PGP

Pretty Good Privacy (PGP)
• Application for data encryption and decryption, created by Phil Zimmermann
• The message format used by PGP is standardized (OpenPGP, RFC 4880), so that interoperability among different programs is possible
• Here we will use GnuPG

Generating a key
• $ gpg --gen-key
• Every user has one (or more) key pairs, consisting of a private key and a public key
  – The private key can be encrypted using a passphrase (this protects the key at rest; the passphrase is needed every time the key is used to sign or decrypt)
  – All keys are stored in a keyring
• This command generates a new key pair and stores it in the keyring
Publishing the public key
• $ gpg --export -a 'Eike Ritter (Test key)'
  -----BEGIN PGP PUBLIC KEY BLOCK-----
  Version: GnuPG v1.4.10 (GNU/Linux)

  mQENBE8KvXUBCADGTet/EQF0qPeaG5IkwWzGfRxc2XT7I6KvOKI4NverNxC8JijF
  ZKMf0RSZ5himtEVGjXTmc0hyMzuYlDzg/oVM70tygqEEC28IpppdINJVtyUfNYwu
  …
  =aGju
  -----END PGP PUBLIC KEY BLOCK-----
• The public key can be uploaded to a web site or to a keyserver, such as pgp.mit.edu
  – Anyone can upload a key under any name, so a key fetched from a keyserver must still be checked (fingerprint, web of trust) before it is trusted

Encrypting a message
• $ gpg -r <recipient-key> -e secret.txt
• Encrypts the file secret.txt (output: secret.txt.gpg) so that the recipient holding the private key matching <recipient-key> can recover its plaintext content
• In practice, a session key is generated randomly and is used to encrypt (symmetrically) the file
• The session key is encrypted with the public key of the recipient(s) and attached to the file (hybrid encryption)
• Decrypting: $ gpg -d secret.txt.gpg

Signing a message
• $ gpg -s -a secret.txt
• Generates a signature for the given file (in ASCII-armored format, output: secret.txt.asc) using the private key of the user
• The signature can be verified by using the public key of the signer:
  $ gpg --verify secret.txt.asc
  gpg: Signature made Mon 09 Jan 2012 10:43:15 GMT using RSA key ID AA226670
  gpg: Good signature from "Eike Ritter (Test key) <test@rittere.co.uk>"
• "Good signature" only means the signature matches a key in the local keyring; whether that key really belongs to the named person is a separate trust decision

Other common operations
• Generating a detached signature (gpg -b -a file)
• Signing and encrypting a message (gpg -s -e -r <recipient-key> file)
• Web of trust: sign a public key (gpg --sign-key)
• Revoking a key (gpg --gen-revoke)

TCP/IP

TCP/IP Protocol Suite
• Network protocols
  – IP (Internet Protocol)
  – ICMP (Internet Control Message Protocol)
• Transport protocols
  – TCP (Transmission Control Protocol)
  – UDP (User Datagram Protocol)
• Application protocols
  – HTTP (HyperText Transfer Protocol)
  – SSH
  – DNS
• Other protocols
  – ARP (Address Resolution Protocol)
TCP/IP layering
• Application (RPC, DNS, FTP, HTTP, SSH): application-specific protocols
• Transport (TCP, UDP): ordering, multiplexing, correctness
• Network (IP, ICMP): transmission and routing across subnets
• Data link (network card): error control between adjacent nodes
• Physical (Ethernet, wireless): connect to the channel, send/receive bytes

IP addresses
• Each host has one or more IP addresses for each network interface
• IPv4 addresses are composed of 32 bits (class + netid + hostid)
• Represented in dotted-decimal notation: 147.188.193.82
• Classes (up to ~1993)

  Class  Starts with  Netid bits  Hostid bits  # hosts
  A      0            7           24           16,777,214
  B      10           14          16           65,534
  C      110          21          8            254
  D      1110         Multicast address
  E      1111         Reserved for future use

  (# hosts excludes the all-zero and all-one host addresses, which name the network and its broadcast)

Special addresses
• 127.0.0.0 – 127.255.255.255: loopback interface
• Private networks (RFC 1597, since replaced by RFC 1918):
  – 10.0.0.0 – 10.255.255.255
  – 172.16.0.0 – 172.31.255.255
  – 192.168.0.0 – 192.168.255.255
• Network address
  – hostid bits set to 0
• Broadcast
  – All 32 bits set to 1 (255.255.255.255): local broadcast
  – netid followed by hostid bits all set to 1: net-directed broadcast to netid (147.188.255.255)

Classless Inter-Domain Routing (CIDR)
• Classes lead to inefficient use of IP space and to large routing tables
  – Not enough class B
  – Little opportunity for route aggregation (many class C networks geographically dispersed)
• Solution: variable-length subnet masking, i.e., the netid/hostid boundary can be placed on an arbitrary bit
• Notation: /N gives the number of bits interpreted as network number ("prefix")
  – /24: legacy class C
  – /16: legacy class B
  – /8: legacy class A

Internet Protocol (IP)
• Transmission of blocks of data (datagrams) from source to destination
• Standardized in RFC 791
• Transmission properties
  – Connectionless
  – Unreliable, best-effort
    • delivery, integrity, ordering, non-duplication are not guaranteed
• IP does handle fragmentation and reassembly of long datagrams
• For direct communication, IP relies on lower level protocols (e.g., Ethernet)

IP datagram

 0        4        8                16                            31
+--------+--------+----------------+--------------------------------+
|Version |   HL   |      ToS       |          Total length          |
+----------------------------------+------+-------------------------+
|            Identifier            |Flags |     Fragment offset     |
+----------------+-----------------+--------------------------------+
|  Time To Live  |    Protocol     |        Header checksum         |
+-------------------------------------------------------------------+
|                         Source IP address                         |
+-------------------------------------------------------------------+
|                      Destination IP address                       |
+--------------------------------------------------+----------------+
|                     Options                      |    Padding     |
+--------------------------------------------------+----------------+
|                               Data                                |
+-------------------------------------------------------------------+
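The addressing rules from the IP addresses, special addresses and CIDR slides above, as an added worked example (this is not part of the lecture material). It classifies an address by its leading bits the way the classful table does, splits it into netid and hostid for a given /N prefix (falling back to the legacy class boundary when no prefix is given), and derives the network and broadcast addresses. The addresses are the slide's 147.188.193.82 plus constructed private and loopback ones; the function names are my own.

```python
"""IPv4 addressing: legacy classes, CIDR prefixes, network/broadcast and
the special ranges from the slides. Added example, standard library only."""
import ipaddress

RFC1918 = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
CLASS_PREFIX = {"A": 8, "B": 16, "C": 24}      # classful netid boundaries


def to_int(addr: str) -> int:
    """Dotted-decimal -> 32-bit integer, done by hand to expose the bit layout."""
    octets = addr.split(".")
    if len(octets) != 4:
        raise ValueError("need four octets: %r" % addr)
    value = 0
    for o in octets:
        n = int(o)
        if not 0 <= n <= 255:
            raise ValueError("octet out of range: %r" % addr)
        value = (value << 8) | n
    return value


def to_str(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def legacy_class(addr: str) -> str:
    """Classful (pre-1993) interpretation: decided by the leading bits only."""
    first = to_int(addr) >> 24
    if first & 0x80 == 0x00:
        return "A"          # 0xxxxxxx
    if first & 0xC0 == 0x80:
        return "B"          # 10xxxxxx
    if first & 0xE0 == 0xC0:
        return "C"          # 110xxxxx
    if first & 0xF0 == 0xE0:
        return "D"          # 1110xxxx multicast
    return "E"              # 1111xxxx reserved


def describe(cidr: str) -> dict:
    """Split 'a.b.c.d/N' into netid/hostid and derive the special addresses.

    The top N bits are the prefix (network number), the remaining 32-N bits
    the host part: all-zero host bits name the network, all-one host bits
    are the net-directed broadcast. Without '/N' the legacy class is used."""
    addr, _, prefix = cidr.partition("/")
    n = int(prefix) if prefix else CLASS_PREFIX.get(legacy_class(addr), 32)
    if not 0 <= n <= 32:
        raise ValueError("bad prefix length: %r" % cidr)
    value = to_int(addr)
    mask = (0xFFFFFFFF << (32 - n)) & 0xFFFFFFFF
    network = value & mask
    broadcast = network | (~mask & 0xFFFFFFFF)
    ip = ipaddress.IPv4Address(addr)
    return {
        "class": legacy_class(addr),
        "prefix": n,
        "netid_bits": n,
        "hostid_bits": 32 - n,
        "network": to_str(network),
        "broadcast": to_str(broadcast),
        "usable_hosts": max(2 ** (32 - n) - 2, 0),   # minus network + broadcast
        "loopback": ip.is_loopback,                   # 127.0.0.0/8
        "rfc1918": any(ip in ipaddress.ip_network(b) for b in RFC1918),
        "limited_broadcast": value == 0xFFFFFFFF,     # 255.255.255.255
    }


if __name__ == "__main__":
    for c in ("147.188.193.82/16", "147.188.193.82/24", "10.1.2.3",
              "172.31.255.1/12", "127.0.0.1", "255.255.255.255"):
        print(c, describe(c))
```

Running it on 147.188.193.82 with /16 and /24 shows the same address producing different network and broadcast addresses, which is exactly the point of CIDR: the prefix, not the first octet, decides where netid ends.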
IP header
• Normal size: 20 bytes
• Version (4 bits): 4 (IPv4)
• Header length (4 bits): number of 32-bit words in the header, including options (max header size: 60 bytes)
• Type Of Service (8 bits):
  – Used to be: priority (3 bits), quality of service (4 bits), unused bit
  – Now: Differentiated Services Code Point (6 bits), Explicit Congestion Notification (2 bits)
• Total length (16 bits): datagram length in bytes, header included (max size: 65,535 bytes)
• ID (16 bits): datagram identifier (shared by all fragments of one datagram)

IP header
• Flags (3 bits) and Fragment offset (13 bits): to support fragmentation
• Time To Live (8 bits): max number of hops in the delivery process; decremented at each hop, the datagram is discarded when it reaches 0
• Protocol (8 bits): specifies the protocol encapsulated in the datagram data (e.g., 1 = ICMP, 6 = TCP, 17 = UDP)
• Header checksum (16 bits): checksum calculated over the IP header only, not over the data
  – Recomputed at each hop (TTL, fragmentation)
  – Detects accidental corruption only: it is not keyed, so anyone who alters a header can simply recompute it
• Source and destination address (32 bits each): IP addresses of the source and destination of the datagram
  – Neither address is authenticated: the source address is whatever the sender chose to write there

IP options
• Present if header length > 5
• Variable length
• Type is identified by first byte
  – Record route
  – Source route
  – Timestamp
  – …
• Not often used

IP encapsulation
• How are IP datagrams transferred over a LAN?
• RFC 894 explains IP over Ethernet
  – Encapsulation + direct delivery

  IP datagram:     | IP header | IP data |
                    \_____________________/
                              |
                              v
  Ethernet frame:  | Frame header | Frame data (= the whole IP datagram) |

IP direct delivery
• Sender forwards a packet to the final destination on a directly attached network
• Example LAN: 147.188.193.82 (00:19:D1:80:AE:45) sends to 147.188.193.6 (00:04:96:1D:6B:20); 147.188.193.15 and 147.188.193.80 are other hosts on the same segment
  – Ethernet frame: From: 00:19:D1:80:AE:45  To: 00:04:96:1D:6B:20
  – IP datagram inside it: From: 147.188.193.82  To: 147.188.193.6
  – The sender must first learn the destination's MAC address; that is what ARP provides

Ethernet
• Widely-used link layer protocol
• Uses CSMA/CD (Carrier Sense, Multiple Access with Collision Detection)
• Frame format:

  +----------+----------+-----------+----------------+---------+
  |   Dest   |   Src    | Ethertype |    Payload     |   CRC   |
  | 6 bytes  | 6 bytes  |  2 bytes  | 46-1500 bytes  | 4 bytes |
  +----------+----------+-----------+----------------+---------+

• Ethertype: 0800 = IP datagram, 0806 = ARP