Potential Security Violations CSE 513: Distributed Systems (Security)

Transcription

1 Potential Security Violations CSE 513: Distributed Systems (Security) Guohong Cao Department of Computer Science& Engineering 310 Pond Lab Unauthorized information releases An unauthorized person is able to access the information stored in a computer system. Unauthorized information modification Unauthorized person is able to alter the information; e.g., changing student grades, change banking account balance. Unauthorized denial of service Preventing authorized users from access the information. 1 2 People Who Cause Security Problems and Why 3 Design Principles of Secure System Economy Complete Mediation Each request to access an object is checked Open design Should work even if its underlying principles are known to an attacker Separation of privileges Two keys to lock and unlock Least privilege A subject is only given the minimum access right Acceptability Simple to use

2 The Access Matrix Model Access Matrix Current objects (O) A set of entities to which access is to be controlled; e.g., a file. Current subjects (S) A set of entities that access current objects; e.g., a process. Generic rights A finite set of generic rights; such as read, write, execute. Protection state Represented by (S, O, P), where P is an access matrix. 5 6 Enforcing A Security Policy A security policy is enforced by validating every user access for appropriate access rights. Each access to an object is validated as follows. A subject s requests an access α to object o. The protection system presents triple (s, α, o) to the monitor of o. Check the access rights of s to o. If α P[s,o], then the access is permitted; else it is denied. Implementations of the Access Matrix The access matrix model is very popular because of its simplicity and elegant structure. Since the matrix is very sparse, it may not be storage efficient. Capability-based matrix: decomposing the matrix into rows and assigning the access rights contained in rows to their respective subjects. Null entries can be removed for efficiency Access control list: decompose the matrix by columns. Lock-key method: combination of the above two. 7

3 Capabilities Each subject s is assigned a list of tuples (o, P[s,o]) for all objects o that is allowed to access. The tuples are referred to as capabilities. A capability has two fields: object descriptor and access rights. Advantages: efficiency, simplicity, and flexibility. 9 Capability-based Addressing The system uses the capability ID to search the capability list to locate the capability, and then use the information of the object to get the data. With capability-based addressing, relocatability and sharing can be achieved. An object can be relocated without any change to the capabilities that refer to it. Several programs can share the same object. Implementation issues, a user should not be able to access a capability. Partitioned approach: capabilities and ordinary data are stored separately. Tagged approach: one or more bits are attached to the word, and users cannot manipulate words with their tag bits ON. 10 Capability-based Addressing 11 Disadvantages Control of propagation After a subject passes a copy of capability for an object to another subject, the second subject can pass copies to others without the first subject s knowledge. Solution: a copy bit, or a depth counter. Review Difficult to find out all subjects who have access to the object. Simple in systems with the partitioned approach. Revocation of access rights Since a subject may make copies of the capability, revoke of the access right is difficult. Garbage collection An object may not be accessible to anyone.

4 Access Control List Access Control List When a subject s requests access α to object o, it is executed in the following way. The system searches the access control list of o to find out if an entry (s, φ) exists for subject s. If an entry (s, φ) exists for subject s, the system checks to see if the requested access is permitted (i.e., α φ). If the requested access is permitted, the request is executed, else it is denied. Advantages Easy revocation Easy review of an access Implementation Issues Execution efficiency is poor since an access control list must be searched for each access to a protected object. Solution: after the first access, the access rights of the subject are fetched and stored in a place, called shadow register, which acts like a capability. Negative effect: revocation is complex. Efficiency of storage Limiting the access rights to only a small number and assigning a bit in a vector. Use protection groups. Authority to change an access control list Self control, the owner can modify the access control list. Hierarchical control: the owner specifies a set of other processes which have the right to modify the access control list. 15 The Lock-Key Method Every subject has a capability list that contains tuples of the form (o,k), indicating that the subject can access object o using key k. Each object has an access control list that contains tuples (l, φ), called a lock entry, indicating that any subject which can open the lock l can access the object in modes contained in the set φ. To access o in mode α. The system locates (o,k) in the capability list of the subject. If no such tuple, the access is not permitted. Otherwise, the access is permitted only if there exists a lock entry (l, φ) in the access control list of the object o such that k=l and α φ.

5 Firewall Use firewall to ensure security A firewall consists of two routers that do packet filtering and an application gateway Packet filters are driven by tables configured by the system administrator The tables list source and destinations that are acceptable, sources and destinations that are blocked, and some default rules. A company can block port 119 so that employees cannot spend all day reading USENET news, or block port 79 so that others cannot finger its network hosts. Application gateway operates at the application level A mail gateway can be set up to examine each message based on the header fields, message size or subjects (e.g., nuclear or bomb may get attention from FBI).

6 Firewall Denial-of-service A denial-of-service attach is characterized by an explicit attempt by attackers to prevent legitimate users of a service from using that service. Examples include: Attempts to flood a network, thereby preventing legitimate network traffic. Attempts to disrupt connections between two machines, thereby preventing access to a service. Attempts to prevent a particular individual from accessing a service ICMP Echo Attack Profiles of Participants Typical perpetrators Cracked superuser account on well-connected enterprise network Superuser accout on university residence hall network (ethernet) Typical PPP dial-up account (for smaller targets) Typical Bounce sites Large co-location subnets Large switched enterprise subnets Typical victims Users, operators, and servers Providers who eliminate troublesome users accounts 23

7 TCP Three Way Handshake Before data can be transmitted, the source and the destination must establish a connection. Setup a sequence number 25 TCP Data Structure The socket structure holds information related to the local end of the communication link: state info, addressing info, connection queues, and buffers. The TCP control block structure (tcpcb) contains TCP specific info such as timer info, sequence number info, flow control status. The combined size of these data structures for a single TCP connection may exceed 280 bytes. When a SYN arrives at a port, the above data structures are allocated. There is a limit on the number of connections in a halfopen connection state, called SYN_RECVD state. Discard all new requests when reaching the limit. 26 TCP Connection Establishment If the SYN arrives for a socket in the LISTEN state, the data structures are allocated. If the backlog queue is full, the server will terminate the connection The server sends SYN x+1 and ACK y to the client. The state changes to SYN_RECVD. A connection establishment timer is started (75 s). The connection remains in the SYN_RECVD state until either an ACK is received or timeout. In case of timeout, all memory structures are deallocated, back to LISTEN state. The Attack Attacker A initiates a SYN flooding attack by sending many connection requests with spoofed source addresses to D. If the spoofed SYN packet contains the source address of a reachable host, it will send a RST to D and case D to reset the connection. A tries to use an unreachable host address. The resource overhead of A is negligible. Different attach mode: single address, short list, no list. 27

8 Solutions Reduce the timeout period from default to a short time Long round trip time packets Increase the length of backlog queue More resource usage Disable non-essential services, thus reducing the number of ports that can be attacked Configure router to block packets whose source address is not in this network. Mobile IP Terminology Plaintext: the messages to be encrypted. Ciphertext: the output of the encryption. Intruder: the enemy who hears or even modify the ciphertext Cryptology: the art of devising ciphers (cryptography) and breaking them (cryptanalysis) is collectively known as cryptology. Eavesdropping: obtaining copies of messages without authority. Message tampering: intercepting messages and altering their contents before passing them on to the intended recipient. Replaying: storing intercepted messages and sending them at a later date The Encryption Model Cryptology A fundamental rule of cryptography is that one must assume that the cryptanalyst knows the general method of encryption used. By publicizing the algorithm, get free consulting from a large number of academic cryptologists. Use key to ensure security. Variations of the cryptanalysis problem Ciphertext only problem: no plaintext. Known plaintext problem: has some matched ciphertext and plaintext. Conventional encryption Techniques Substitution ciphers and transposition ciphers. 31

9 Substitution Ciphers (Caesar Cipher) Each letter is replaced by another letter. E: P (P+3) modular 26 where 0 P 25. plaintext Julius is transformed into mxolxv. Improvement is to use a table map some letter to other letters. Plain text: a (Q), b (W) c(e) k(a) t(z) Attack is transformed into QZZQEA For 26 letters, there are 26! Possible keys. It is almost impossible to break? Breaking Techniques Use the statistical properties of natural language. In English, e, t, o, a, n, i are most commonly used letters. th, in, er, re, and an are most commonly used diagrams. Counting the relative frequencies of all letters in the ciphertext. Tentatively assign e to the most common one. If you have a txe, it suggest that X is h. Guess a probable word or phase Messages in an accounting firm may have financial. Then try to find a match Transposition Ciphers Must first aware that he is dealing with transposition cipher 35 Cryptographic Principles Encrypted messages must contain some redundancy For example, a company with 60,000 products. Two bytes are used to represent the product id, one byte is used to represent the quantity. Encrypt these three bytes. Although someone does not know the key, random numbers can be generated, and fool the computer. If 9 bytes are used with many redundant 0s in the start, it is difficult for the intruder to generate the connect number. Disadvantages? Some measures must be taken to prevent active intruders from playing back old messages. Tap the phone line and keep repeating previously sent valid messages.

10 Secret-Key Algorithms Modern cryptography uses the same basic ideas as traditional cryptography: transposition and substitution. Traditionally, use simple algorithms and rely on long keys. Now, use complex algorithms. DES (data encryption standard) developed by IBM. Problems? DES Cipher block chaining IV: random chosen initialization vector New problem: long delay. Solution Break DES NSA asks IBM to change the 128-bit key to 56 bits. Currently, a machine can break DES by exhaustive search of the entry key space in four hours. How about running DES twice, with two different 56-bit keys. Then there are possibilities, and it is impossible to break. Merkle and Hellman developed the meet-in-the-middle algorithm to break it. C i =E k2 (E k1 (P i )) D k2 (C i )=E k1 (P i ) 39

11 Meet-in-the Middle Based on the above formula, the meet-in-the middle attacks is as follows Computer R i =E i (P 1 ) for all 2 56 values of i. Sort this table in ascending order of R i. Computer S j =D j (C 1 ) for all 2 56 values of j. Sort this table in ascending order of S j. Scan the first table looking for an R i that matches some S j in the second table. When a match is found, we have a key pair (i,j) such that D j (C 1 ) = E i (P 1 ). Potentially, i is K1 and j is K2. Check to see if E j (E i (P 2 )) is equal to C 2. If it is, try all the other (plaintext, ciphertext) pairs. If it is not, continue searching the two tables looking for matches. 41 Triple Encryption and IDEA The meet-in-the middle attach requests 2 57 encryption or decryption operation, but 2 60 bytes of storage. Triple encryption is very reliable Why only two keys instead of three keys. IDEA (international data encryption algorithm) was designed by two researchers (Lai and Massey) in Switzerland. Use 128-bit keys 42 Public-Key Algorithm Although IDEA is secure, but how to distribute the key? In 1976, Diffie and Hellman at Stanford proposed the public key algorithm, which has three requirements. D(E(p)) = P It is almost impossible to deduce D from E. E cannot be broken by a chosen plaintext attack. Each one has two keys: the public key and the private key. Asymmetric cryptography. 43 RSA Algorithm Developed by Rivest, Shamir, and Adleman in MIT. Choose two large primes, p and q (typically greater than ). Compute n=p * q and z=(p-1) * (q-1). Choose a number relatively prime to z and call it d. Find e such that e * d =1 mod z. Using the RSA algorithm Group the plaintext (P) into blocks of k bits, where 2 k < n. To encrypt a message, C=P e (mod n). To decrypt a message, P=C d (mod n). The public key consists of the pair (e, n) and the private key consists of (d, n). The security of the method is based on the difficulty of factoring large numbers. Other public-key: knapsack algorithm by Merkle. Broke by Shamir, and Rivest.

12 An Example p=3, q=11, then n=33, z=20. Choose d=7 since 7 and 20 have no common factors. e can be found by solving the equation 7e= 1(mod 20) which yields e=3. The same input block gives the same output block. Problem? 45 Authentication Protocols Authentication deals with the questions of whether or not you are actually communicating with a specific process. Authorization is concerned with what that process is permitted to do. For example, a client contacts a file server and say I am Scott s process and I want to delete the file cookbook.old. Is this actually Scott s process? Is Scott allowed to delete cookbook.old? Challenge-response protocol: one party sends a random number to the other, who then transforms it in a special way and then returns the result. A, B are the identities of Alice and Bob. R i s are the challenges, where the subscript identifies the challenger. K i s are keys, where i indicates the owner, K s is the session key. A session key is used in the upcoming conversation. 46 Two-Way Authentication Reflection Attack 47 General rules Have the initiator prove who she is before the responder has to. Have the initiator and the responder use different keys for proof, even if this means having two shared keys. Have the initiator and responder draw their challenges from different sets. For example, the initiator must use even numbers and the responder must use odd numbers.

13 Authentication Using KDC How to get the shared secret key? By phone, arrange a meeting Key distribution center (KDC) approach. Each user has a single key shared with the KDC. Authentication and session key management goes through the KDC. 49 Replay Attack Trudy requests Alice to return her money by paying through bank transfer. Alice then establishes a session key with her banker Bob, and asks bob to do the transfer. Trudy snoops on the network, copies both message 2 and the money-transfer request. Later she replays both of them to Bob, and Bob transfers the money again. Solution 1: Use a timestamp in each message. Solution 2: put a one-time, unique message number, called nonce, in each message. Each party has to remember all previous nonces and reject the used one. Combine these two. 50 Needham-Schroeder Authentication Kerberos A real authentication system is Kerberos, which is based on a variant of Needham-Schroeder. Designed in MIT to allow workstation users to access network resources in a secure way. Assume the clock is fairly-well synchronized. It has three servers in addition to Alice (the client) Authentication server (AS): verifies users during login. Ticket-granting server (TGS): issues proof of identity tickets. Bob (the server): do the requested work. The client can access the network in a secure way, and the password never has to go over the network. 51

14 Operation of Kerberos Authentication Using Public-Key E b is the public key of Bob Digital Signatures Need something to replace handwritten signatures. Digital signature has three requirements The receiver can verify the claimed identity of the sender. The sender cannot later deny the contents of the message. The receiver cannot possibly modify the message. Secret-Key Signatures BB (big Brother), whom everyone trusts. Public-Key Signatures In secret-key signatures, everyone must trust BB. BB gets to read all signed messages. BB candidates can be government, bank, or layers. Public-key signature address the issue based on D(E(P))=P. Problems? 55

15 Message Digests One criticism of signature methods is that they often couple two distinct functions: authentication and secrecy. Authentication should not require encrypting the entire message. The idea is to use a one-way hash function that takes an arbitrarily long piece of plaintext and from it computes a fixed-length bit string. This hash function is called a message digest Given P, it is easy to compute MD(P). Given MD(P), it is effectively impossible to find P. No one can generate two messages that have the same message digest. 57 Message Digest In the private key signature, K BB (A, t, P) is replaced by K BB (A, t, MD(P)). Two message digest functions are MD5 and Secure Hash Algorithm (SHA). MD5 generates 128 bit message digests. How much operations is required to subvert it? 58