Fri 14 Jul @ 18:00

Public-key cryptographic, code verification and network security.

Complete parts 1 and 2. Graduate students should additionally complete part 3.

Part 1: Public-key cryptography

  1. Given an RSA cryptosystem with prime values $p = 11$ and $q = 17$, as well as a public-key exponent $b = 7$ and private-key component $a = 23$:

    1. Show how a sender can encrypt the plaintext block $P = 25$.

    2. Show how the received ciphertext can be decrypted to yield $P$.

    3. Bonus: Show how the Extended Euclidean Algorithm can be used to compute $a$ from $p$, $q$ and $b$. You may use, e.g., the Python egcd module in lieu of computing the EEA by hand.

  2. Read the "JAR file verification" section of the manual page for the Java jarsigner tool (run man jarsigner on just about any Unix machine, or else on a web page).

    1. Use jarsigner to verify the signature of this JAR file. What cryptographic hash function was used to hash the manifest file? What algorithm was used to sign the JAR file? (provide evidence for your claims)

    2. Extract the JAR file. Compare the SHA-1 sum of any file within the extracted JAR file (e.g., using the shasum command) to that contained within the signed manifest file META-INF/MANIFEST.MF. How do they differ?

    3. Using a Base64 encoder (e.g., base64 or openssl base64 at the command line or an online tool, obtain the Base64-encoded SHA-1 hash of any .class file from the JAR file. How that that compare with the value in META-INF/MANIFEST.MF?

Part 2: Network security

  1. Does your home network use NAT? Provide evidence to support your claim.

  2. Firewalls

    1. Identify three Memorial hostname/port pairs that are accessible from outside of the University network.

    2. Explain how you could access an on-campus service (e.g., a website) from off campus when that service is blocked by Memorial’s perimeter firewall.

  3. Using Verisign’s DNSSEC Debugger, inspect the DNSSEC signature chain for www.cl.cam.ac.uk. Graph this chain of DNS records, by hand or using GraphViz (e.g., via GraphViz Online). For each Resource Record in the chain, include the type of RR (e.g., DNSKEY) as well as any relevant Key IDs.

Part 3: Protocol dissection

Capture some HTTPS traffic using tcpdump or Wireshark. Explain, with reference to selected information from the packet capture, the process by which the communication begins, starting from the initial DNS lookup. Show all DNS and TLS packets up to the point where encrypted communication begins.