Distributed Systems. Lecture 14: Security. 5 March,

Similar documents
Distributed Systems. Lecture 14: Security. Distributed Systems 1

key distribution requirements for public key algorithms asymmetric (or public) key algorithms

From Coulouris, Dollimore and Kindberg Distributed Systems: Concepts and Design. Edition 4 Pearson Education 2005

Security issues: Encryption algorithms. Threats Methods of attack. Secret-key Public-key Hybrid protocols. CS550: Distributed OS.

06/02/ Local & Metropolitan Area Networks. 0. Overview. Terminology ACOE322. Lecture 8 Network Security

Computers and Security

(2½ hours) Total Marks: 75

Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls

Verteilte Systeme (Distributed Systems)

The Security Problem

1.264 Lecture 27. Security protocols Symmetric cryptography. Next class: Anderson chapter 10. Exercise due after class

Network Security and Cryptography. 2 September Marking Scheme

Lecture 33. Firewalls. Firewall Locations in the Network. Castle and Moat Analogy. Firewall Types. Firewall: Illustration. Security April 15, 2005

CSE 3461/5461: Introduction to Computer Networking and Internet Technologies. Network Security. Presentation L

Network Security and Cryptography. December Sample Exam Marking Scheme

Distributed Systems. 27. Firewalls and Virtual Private Networks Paul Krzyzanowski. Rutgers University. Fall 2013

Security+ Guide to Network Security Fundamentals, Third Edition. Chapter 11 Basic Cryptography

Security: Cryptography

Most Common Security Threats (cont.)

Cryptography (Overview)

Prof. Shervin Shirmohammadi SITE, University of Ottawa. Security Architecture. Lecture 13: Prof. Shervin Shirmohammadi CEG

Cryptographic Concepts

e-commerce Study Guide Test 2. Security Chapter 10

Chapter 15: Security. Operating System Concepts 8 th Edition,

Cryptography & Key Exchange Protocols. Faculty of Computer Science & Engineering HCMC University of Technology

Issues. Separation of. Distributed system security. Security services. Security policies. Security mechanism

Lecture 1 Applied Cryptography (Part 1)

Lecture 15: Cryptographic algorithms

The question paper contains 40 multiple choice questions with four choices and students will have to pick the correct one (each carrying ½ marks.).

David Wetherall, with some slides from Radia Perlman s security lectures.

Chapter 19 Security. Chapter 19 Security

Firewalls, Tunnels, and Network Intrusion Detection

Part 1. Lecturer: Prof. Mohamed Bettaz Coordinator: Prof. Mohamed Bettaz Internal Examiner: Dr. Mourad Maouche. Examination Paper

Computer Networks. Network Security and Ethics. Week 14. College of Information Science and Engineering Ritsumeikan University

Computer Communication Networks Network Security

Lecture 19: cryptographic algorithms

Distributed Systems. 29. Firewalls. Paul Krzyzanowski. Rutgers University. Fall 2015

9/30/2016. Cryptography Basics. Outline. Encryption/Decryption. Cryptanalysis. Caesar Cipher. Mono-Alphabetic Ciphers

Cryptography Basics. IT443 Network Security Administration Slides courtesy of Bo Sheng

14. Internet Security (J. Kurose)

Computer Networks 1 (Mạng Máy Tính 1) Lectured by: Dr. Phạm Trần Vũ

IPSec. Slides by Vitaly Shmatikov UT Austin. slide 1

Recovery. Independent Checkpointing

The World Wide Web is widely used by businesses, government agencies, and many individuals. But the Internet and the Web are extremely vulnerable to

Security in Distributed Systems. Network Security

Lecture 9a: Secure Sockets Layer (SSL) March, 2004

Encryption I. An Introduction

CSC 474/574 Information Systems Security

SE 4C03 Winter 2005 Network Firewalls

2.1 Basic Cryptography Concepts

Introduction to Computer Security

1-7 Attacks on Cryptosystems

Chapter 15: Security. Chapter 15: Security

Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018

Internet Security: Firewall

Distributed Systems Principles and Paradigms

CS-435 spring semester Network Technology & Programming Laboratory. Stefanos Papadakis & Manolis Spanakis

ACS / Computer Security And Privacy. Fall 2018 Mid-Term Review

Overview. SSL Cryptography Overview CHAPTER 1

Computer Security. 12. Firewalls & VPNs. Paul Krzyzanowski. Rutgers University. Spring 2018

Introduction to Cryptography

Lecture Nov. 21 st 2006 Dan Wendlandt ISP D ISP B ISP C ISP A. Bob. Alice. Denial-of-Service. Password Cracking. Traffic.

Cryptography and Network Security. Sixth Edition by William Stallings

Why Firewalls? Firewall Characteristics

CS6701 CRYPTOGRAPHY AND NETWORK SECURITY 2 Mark Questions & Answers

ICT 6541 Applied Cryptography Lecture 8 Entity Authentication/Identification

2. System Models Page 1. University of Freiburg, Germany Department of Computer Science. Distributed Systems. Chapter 2 System Models

Principles of Information Security, Fourth Edition. Chapter 8 Cryptography

Cryptography MIS

SE420 Software Quality Assurance

Indicate whether the statement is true or false.

Security Digital Certificate Manager

Introduction to information Security

Cryptography and Network Security

Symmetric Encryption

Service Managed Gateway TM. Configuring IPSec VPN

Proxy server is a server (a computer system or an application program) that acts as an intermediary between for requests from clients seeking

Security in ECE Systems

CompTIA Security+ Malware. Threats and Vulnerabilities Vulnerability Management

Understanding Cryptography A Textbook for Students and Practitioners by Christof Paar and Jan Pelzl

Security+ SY0-501 Study Guide Table of Contents

Network Security Essentials

CS 332 Computer Networks Security

Anonymity. Assumption: If we know IP address, we know identity

Basic Concepts and Definitions. CSC/ECE 574 Computer and Network Security. Outline

Internet Security Firewalls

E-Commerce Security Pearson Prentice Hall, Electronic Commerce 2008, Efraim Turban, et al.

MU2a Authentication, Authorization & Accounting Questions and Answers with Explainations

Network Security - ISA 656 Review

Computer Security. 10r. Recitation assignment & concept review. Paul Krzyzanowski. Rutgers University. Spring 2018

CTS2134 Introduction to Networking. Module 08: Network Security

Computer Networks. Wenzhong Li. Nanjing University

Threat Modeling. Bart De Win Secure Application Development Course, Credits to

CSC 482/582: Computer Security. Security Protocols

PROTECTING CONVERSATIONS

Cryptography Introduction

Outline. Data Encryption Standard. Symmetric-Key Algorithms. Lecture 4

19.1. Security must consider external environment of the system, and protect it from:

Define information security Define security as process, not point product.

IBM i Version 7.2. Security Digital Certificate Manager IBM

Transcription:

06-06798 Distributed Systems Lecture 14: Security 5 March, 2002 1

What is security? policies and mechanisms threats and attacks Overview Security of electronic transactions secure channels authentication and cryptography Security techniques access control firewalls cryptographic algorithms 5 March, 2002 2

Definition Security set of measures to guarantee the privacy, integrity and availability of resources: objects, databases, servers, processes, channels, etc involves protection of objects and securing processes and communication channels Security policies specify who is authorised to access resources (e.g. file ownership) Security mechanisms enforce security policy (e.g. file access control) 5 March, 2002 3

Security model Object: intended for use by different clients, via remote invocation Principal: authority on whose behalf invocation is issued invocation Access rights Object Client result Server Principal (user) Network Principal (server) 5 March, 2002 4

The enemy Processes: encapsulate resources, interact by messages Messages: exposed to attack by enemy Copy of m Process p m The enemy m Communication channel Process q 5 March, 2002 5

Security threats: what & where File Store Processor Data Link Switching Node Data Link Terminal Unauthorized Access Hacking Viruses Eavesdropping Tampering Replaying Unauthorized usage Password cracking 5 March, 2002 6

Security threats: examples Online shopping/banking intercept credit card information purchase goods using stolen credit card details replay bank transaction, e.g. credit an account Online stock market information service observe frequency or timing of requests to deduce useful information, e.g. the level of stock Website flooding with requests (denial of service) My computer receive/download malicious code (virus) 5 March, 2002 7

Eavesdropping Types of security threats obtaining copies of messages without authority Masquerading sending/receiving messages using the identity of another principal without their authority Message tampering intercepting and altering messages Replaying intercepting, storing and replaying messages Denial of service flooding a channel with requests to deny access to others 5 March, 2002 8

Defeating the enemy: how? Encryption (scrambling a message to hide its contents) does not prove identity of sender Shared secrets (keys) messages encrypted with the shared key can only be decrypted if the key is known Identification (are you who you are?) password protection, etc Authentication (are you who you say you are?) include in message identity of principal/data, timestamp encrypt with shared key 5 March, 2002 9

Secure channels Processes: reliably know identity of principal Messages: protected against tampering, timestamped to prevent replaying/reordering. Principal A Principal B Process p Secure channel Process q 5 March, 2002 10

Threats due to mobility... Mobile code (Java JVM) applets, mobile agents (travel collecting information) downloaded from server, run locally Security issues: what if the program... illegally writes to a file? writes over another program s memory? crashes? Some solutions stored separately from other classes type-checking and code-validation (instruction subset) still does not guard fully against programming errors... 5 March, 2002 11

Designing secure systems Basic message networks are insecure interfaces are exposed Threat analysis assume worst-case scenario list all threats - complex scenarios!!! Design guidelines log at points of entry so that violations detected limit the lifetime and scope of each secret publish algorithms, restrict access to shared keys minimise trusted base 5 March, 2002 12

Main security techniques Access control implement resource protection, e.g. file protection essential in distributed systems (remote login) Firewalls monitor traffic into and out of intranet Cryptographic algorithms ciphers authentication digital signatures 5 March, 2002 13

Access control Definition ensure that users/processes access computer resources in a controlled and authorised manner Protection domain is a set of rights for each resource, e.g. Unix files associated with each principal Two implementations of protection domains Capabilities request accompanied by key, simple access check open to key theft, or key retained when person left company Access control lists list of rights stored with each resource request requires authentication of principal 5 March, 2002 14

Access control Subject Reference Monitor Target object Access Request Access Check Access OK Access denied How it works: Reference Monitor intercepts all access attempts authenticates request and principal s credentials applies access control if Yes, access proceeds if No, access is denied, error message returned to the subject 5 March, 2002 15

Firewalls Monitor and control all communication into and out of an intranet. Service control: filter requests for services on internal hosts e.g. reject HTTP request unless to official webserver Behaviour control prevent illegal or anti-social behaviour e.g. filter spam messages User control: allow access to authorised group of users e.g. dial-up services 5 March, 2002 16

How does it work... A set of processes, at different protocol levels: IP packet filtering screening of source & destination, only clean packets proceed performed in OS kernel of router TCP gateway monitors TCP connection requests Application-level gateway runs proxy for an application on TCP gateway, e.g. Telnet Bastion separate computer within intranet protected by IP packet filtering, runs TCP/application gateway 5 March, 2002 17

Firewall configurations a) Filtering router Router/ filter Protected intranet Internet web/ftp server b) Filtering router and bastion R/filter Bastion Internet web/ftp server c) Screened subnet for bastion R/filter Bastion R/filter Internet web/ftp server 5 March, 2002 18

Encryption Cryptographic algorithms apply rules to transform plaintext to ciphertext defined with a function F and key K denote message M encrypted with K by F K (M) = {M} K Decryption uses inverse function F -1 K ({M} K ) = M can be symmetric (based on secret key known to both parties) or asymmetric (based on public key) 5 March, 2002 19

Symmetric cryptography One-way functions encryption function F K easy to compute decryption function F -1 K hard, not feasible in practice Idea difficult to discover F K given {M} K difficulty increases with K, to prevent brute-force attack combine blocks of plaintext with key through series of XOR, bit shifting, etc, obscuring bit pattern Examples several algorithms: TEA, DES secure secret key size 128 bits 5 March, 2002 20

Asymmetric cryptography Trap-door functions pair of keys (e.g. large numbers) encryption function easy to compute (e.g. multiply keys) decryption function infeasible unless secret known (e.g. factorise the product if one key not known) Idea two keys produced: encryption key made public, decryption key kept secret anyone can encrypt messages, only participant with decryption key can operate the trap door Examples a few practical schemes: RSA 5 March, 2002 21

Block ciphers plaintext blocks n+3 n+2 n+1 XOR {M} K ciphertext blocks n-3 n-2 n-1 n How it works message divided into fixed size blocks (64 bits), padded encryption block by block Cipher block chaining combine each plaintext block with preceding ciphertext block using XOR before encryption 5 March, 2002 22

How it works Stream ciphers used when no block structure (e.g. voice) encryption performed bit by bit generate sequence of numbers, concatenate into secure bit stream keystream number generator n+3 n+2 n+1 {M} K buffer XOR plaintext stream ciphertext stream 5 March, 2002 23

Security Lecture summary achieves privacy, integrity and availability of distributed systems Main techniques access control firewalls cryptography Design issues consider worst-case scenario of threats balance cost versus risk log and detect 5 March, 2002 24

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback