IT Dec. 10 Assignment:

Crypto (yeah!):

3. I thought I'd start with MD5 hashes. This past semester has made me drastically more paranoid about downloading software. Is this really what I think it is? Am I installing a backdoor along with this seemingly harmless video game? So let's go download something.

Okay, I nabbed the file openssl-0.9.1c.tar.gz and an md5 hash on the same page (it's "okay" because the files come from the originating site, not a mirror).

    [localhost:~/Desktop] gabe% md5sum openssl-0.9.1c.tgz
    189d7b8c2aac76682409ad1209ad7e3b  openssl-0.9.1c.tgz
    [localhost:~/Desktop] gabe% cat openssl-0.9.1c.tgz.md5
    MD5(openssl-0.9.1c.tar.gz)= 189d7b8c2aac76682409ad1209ad7e3b

Looks good to me. Now let's modify it. Alright, so I changed a single character in the Makefile and then restuffed it.

    [localhost:~/Desktop/Networking] gabe% md5sum openssl-0.9.1c.tgz
    77904935f27190e64cca063aa04b994d  openssl-0.9.1c.tgz

Entirely different. Now, this might not be entirely accurate since the changes made (saving the new character in and restuffing) undoubtedly changed the modification date as well. Still, it clearly doesn't take much to corrupt this hash.

4. The Math of the RSA algorithm. It so happens this is something that I have a bit of experience with. Here's a trivial example I can do with just a calculator:

Public key (N, E): N is the product of two prime numbers, so let's use 43 * 37 = 1591 = N. (43-1)*(37-1) = 1512. GCD(11, 1512) = 1, so we'll make our E = 11.

Private key (D): E*D = 1 (mod 1512). Since our numbers are small, we can just use trial and error, and we get D = 275.

So any number M raised to the E-th power mod N, then raised to the D-th power mod N, should give us the original value. Let's try a small test case: M = 15. (M^11) % 1591 = 1536. (1536^275) % 1591 = 15. Joy! It works!

Snort:

Snort is more convenient than Ethereal for logging stuff, it seems. It can output everything to a folder as it gets it and can run quietly in daemon mode, meaning you really don't have to think about it while it's running, nor stop it in order to examine the packets. Snort also separates the packets into individual folders based on IP address. The downside of this is that it's harder to just look at the play-by-play packet traffic, but it makes examining individual conversations easy.

I was running snort with these options:

    -v: Verbose. Pretty self-explanatory.
    -d: Displays application layer on screen as it gets them.
    -e: Displays "second layer header info". They used this in the examples on the snort homepage, but I'm not entirely sure what it's doing; I assume showing the TCP header info...
    -l: Log to folder.
    -h: Specify an IP address/subnet mask for which to grab packets.

Intrusion Detection Systems:

I tried installing Osiris and chkrootkit. Chkrootkit gave my system a clean bill of health, which isn't surprising since no one seems to attack the Mac platform. Lucky me. Osiris's documentation was a bit confusing, so it was a chore just to install, but I got it running eventually. I guess at this point I just have to sit back and wait for something in my system to change and it'll whine to my syslog. It seems kind of impractical for my personal box though, since I have to tell Osiris it's okay every time I change something, so I may get rid of it soon.

Here ends the final IT homework assignment. Tempus fugit, pax vobiscum and all that.
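
The RSA arithmetic from item 4 can be checked in code. The Python below is an added example, not part of the original assignment: it uses the post's numbers (43, 37, E = 11, M = 15) and, going beyond the post's trial and error, derives D with the extended Euclidean algorithm. The function names are illustrative.

```python
# Added example: textbook RSA with the post's toy numbers (no padding; illustration only).
from math import gcd

def egcd(a, b):
    """Return (g, x) where g = gcd(a, b) and a*x is congruent to g mod b."""
    old_r, r, old_x, x = a, b, 1, 0
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_x, x = x, old_x - q * x
    return old_r, old_x

def make_keypair(p, q, e):
    """Build ((N, E), D) from two primes; reject an E with no inverse mod (p-1)(q-1)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError(f"E={e} shares a factor with {phi}; no inverse D exists")
    _, x = egcd(e, phi)
    return (n, e), x % phi  # normalise D into the range [0, phi)

def modexp(base, exp, mod):
    """Square-and-multiply, so 1536^275 never has to be written out in full."""
    result, base = 1, base % mod
    while exp:
        if exp & 1:
            result = result * base % mod
        base = base * base % mod
        exp >>= 1
    return result

def encrypt(m, public):
    n, e = public
    if not 0 <= m < n:
        raise ValueError("message must be in [0, N)")
    return modexp(m, e, n)

def decrypt(c, public, d):
    n, _ = public
    return modexp(c, d, n)

if __name__ == "__main__":
    public, d = make_keypair(43, 37, 11)
    c = encrypt(15, public)
    print(public, d, c, decrypt(c, public, d))
```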