Distributed Systems Principles and Paradigms

Similar documents
Distributed Systems Principles and Paradigms. Chapter 09: Security

Issues. Separation of. Distributed system security. Security services. Security policies. Security mechanism

Security. Alessandro Margara Slides based on previous work by Matteo Migliavacca and Alessandro Sivieri

Verteilte Systeme (Distributed Systems)

UNIT - IV Cryptographic Hash Function 31.1

CS 470 Spring Security. Mike Lam, Professor. a.k.a. Why on earth do Alice and Bob need to talk so much?!? Content taken from the following:

CS 470 Spring Security. Mike Lam, Professor. a.k.a. Why on earth do Alice and Bob need to share so many secrets?!?

Chapter 9: Key Management

Computer Networks. Wenzhong Li. Nanjing University

CS Computer Networks 1: Authentication

Security: Focus of Control. Authentication

Cryptographic Checksums

Authentication Handshakes

CSC 474/574 Information Systems Security

6. Security Handshake Pitfalls Contents

Security: Focus of Control

(2½ hours) Total Marks: 75

Kurose & Ross, Chapters (5 th ed.)

1 Identification protocols

CSCI 667: Concepts of Computer Security. Lecture 9. Prof. Adwait Nadkarni

CIS 6930/4930 Computer and Network Security. Topic 6.2 Authentication Protocols

0/41. Alice Who? Authentication Protocols. Andreas Zeller/Stephan Neuhaus. Lehrstuhl Softwaretechnik Universität des Saarlandes, Saarbrücken

Protocols II. Computer Security Lecture 12. David Aspinall. 17th February School of Informatics University of Edinburgh

Network Security CHAPTER 31. Solutions to Review Questions and Exercises. Review Questions

ח'/סיון/תשע "א. RSA: getting ready. Public Key Cryptography. Public key cryptography. Public key encryption algorithms

Cryptography and Network Security. Prof. D. Mukhopadhyay. Department of Computer Science and Engineering. Indian Institute of Technology, Kharagpur

Lecture 1: Course Introduction

Computer Networks 1 (Mạng Máy Tính 1) Lectured by: Dr. Phạm Trần Vũ

Security Handshake Pitfalls

Cryptography CS 555. Topic 16: Key Management and The Need for Public Key Cryptography. CS555 Spring 2012/Topic 16 1

Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018

CSE 3461/5461: Introduction to Computer Networking and Internet Technologies. Network Security. Presentation L

From Coulouris, Dollimore and Kindberg Distributed Systems: Concepts and Design. Edition 4 Pearson Education 2005

EEC-682/782 Computer Networks I

2.1 Basic Cryptography Concepts

Spring 2010: CS419 Computer Security

14. Internet Security (J. Kurose)

CSC 774 Network Security

Session key establishment protocols

Session key establishment protocols

Chapter 8 Security. Computer Networking: A Top Down Approach. 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012

CSC/ECE 774 Advanced Network Security

Cryptographic Protocols 1

5. Authentication Contents

Public-key Cryptography: Theory and Practice

Outline More Security Protocols CS 239 Computer Security February 6, 2006

Security Handshake Pitfalls

Computer Networking. What is network security? Chapter 7: Network security. Symmetric key cryptography. The language of cryptography

Cryptography & Key Exchange Protocols. Faculty of Computer Science & Engineering HCMC University of Technology

CS 161 Computer Security

Key Management. Digital signatures: classical and public key Classic and Public Key exchange. Handwritten Signature

Encryption. INST 346, Section 0201 April 3, 2018

Computer Security. 10. Exam 2 Review. Paul Krzyzanowski. Rutgers University. Spring 2017

Key Establishment and Authentication Protocols EECE 412

Lecture 9a: Secure Sockets Layer (SSL) March, 2004

CS3235 Seventh set of lecture slides

Cryptography (Overview)

L13. Reviews. Rocky K. C. Chang, April 10, 2015

Applied Cryptography Protocol Building Blocks

Real-time protocol. Chapter 16: Real-Time Communication Security

CIS 6930/4930 Computer and Network Security. Topic 7. Trusted Intermediaries

Data Security and Privacy. Topic 14: Authentication and Key Establishment

Outline. More Security Protocols CS 239 Security for System Software April 22, Needham-Schroeder Key Exchange

Cristina Nita-Rotaru. CS355: Cryptography. Lecture 17: X509. PGP. Authentication protocols. Key establishment.

Outline Key Management CS 239 Computer Security February 9, 2004

S. Erfani, ECE Dept., University of Windsor Network Security

CSE 127: Computer Security Cryptography. Kirill Levchenko

CS 494/594 Computer and Network Security

Data Communication Prof.A.Pal Dept of Computer Science & Engineering Indian Institute of Technology, Kharagpur Lecture - 40 Secured Communication - II

Distributed Systems. Lecture 14: Security. Distributed Systems 1

Firewalls Network Security: Firewalls and Virtual Private Networks CS 239 Computer Software March 3, 2003

Outline. Login w/ Shared Secret: Variant 1. Login With Shared Secret: Variant 2. Login Only Authentication (One Way) Mutual Authentication

Distributed Systems. Lecture 14: Security. 5 March,

Authentication Part IV NOTE: Part IV includes all of Part III!

key distribution requirements for public key algorithms asymmetric (or public) key algorithms

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

Chapter 9 Public Key Cryptography. WANG YANG

Network Security and Cryptography. December Sample Exam Marking Scheme

Overview. Cryptographic key infrastructure Certificates. May 13, 2004 ECS 235 Slide #1. Notation

Computer Networks & Security 2016/2017

Test 2 Review. (b) Give one significant advantage of a nonce over a timestamp.

CSC 8560 Computer Networks: Network Security

CS 425 / ECE 428 Distributed Systems Fall 2017

22-security.txt Tue Nov 27 09:13: Notes on Security Protocols , Fall 2012 Carnegie Mellon University Randal E.

Network Security - ISA 656 IPsec IPsec Key Management (IKE)

10/1/2015. Authentication. Outline. Authentication. Authentication Mechanisms. Authentication Mechanisms. Authentication Mechanisms

ECEN 5022 Cryptography

Ref:

CS 395T. Formal Model for Secure Key Exchange

Elements of Security

Operating Systems Design Exam 3 Review: Spring Paul Krzyzanowski

L7: Key Distributions. Hui Chen, Ph.D. Dept. of Engineering & Computer Science Virginia State University Petersburg, VA 23806

Lecture 30. Cryptography. Symmetric Key Cryptography. Key Exchange. Advanced Encryption Standard (AES) DES. Security April 11, 2005

Cryptographic Concepts

Trusted Intermediaries

Computer Communication Networks Network Security

AIT 682: Network and Systems Security

Introduction. Trusted Intermediaries. CSC/ECE 574 Computer and Network Security. Outline. CSC/ECE 574 Computer and Network Security.

Grenzen der Kryptographie

Outline More Security Protocols CS 239 Computer Security February 4, 2004

Transcription:

Distributed Systems Principles and Paradigms Chapter 09 (version April 7, 2008) Maarten van Steen Vrije Universiteit Amsterdam, Faculty of Science Dept. Mathematics and Computer Science Room R4.20. Tel: (020) 598 7784 E-mail:steen@cs.vu.nl, URL: www.cs.vu.nl/ steen/ 01 Introduction 02 Architectures 03 Processes 04 Communication 05 Naming 06 Synchronization 07 Consistency and Replication 08 Fault Tolerance 09 Security 10 Distributed Object-Based Systems 11 Distributed File Systems 12 Distributed Web-Based Systems 13 Distributed Coordination-Based Systems 00 1 /

Overview Introduction Secure channels Access control Security management 09 1 Security/

Security: Dependability Revisited Basics: A component provides services to clients. To provide services, the component may require the services from other components a component may depend on some other component. Property Availability Reliability Safety Confidentiality Integrity Description Accessible and usable upon demand for authorized entities Continuity of service delivery Very low probability of catastrophes No unauthorized disclosure of information No accidental or malicious alterations of information have been performed (even by authorized entities) Observation: In distributed systems, security is the combination of availability, integrity, and confidentiality. A dependable distributed system is thus fault tolerant and secure. 09 2 Security/9.1 Introduction

Security Threats Subject: Entity capable of issuing a request for a service as provided by objects Channel: The carrier of requests and replies for services offered to subjects Object: Entity providing services to subjects. Channels and objects are subject to security threats: Threat Channel Object Interruption Preventing message Denial of service transfer Inspection Reading the content of transferred messages Reading the data contained in an object Modification Changing message content Changing an object s encapsulated data Fabrication Inserting messages Spoofing an object 09 3 Security/9.1 Introduction

Security Mechanisms Issue: To protect against security threats, we have a number of security mechanisms at our disposal: Encryption: Transform data into something that an attacker cannot understand (confidentiality). It is also used to check whether something has been modified (integrity). Authentication: Verify the claim that a subject says it is S: verifying the identity of a subject. Authorization: Determining whether a subject is permitted to make use of certain services. Auditing: Trace which subjects accessed what, and in which way. Useful only if it can help catch an attacker. Note: authorization makes sense only if the requesting subject has been authenticated 09 4 Security/9.1 Introduction

Security Policies (1/2) Policy: Prescribes how to use mechanisms to protect against attacks. Requires that a model of possible attacks is described (i.e., security architecture). Example: Globus security architecture There are multiple administrative domains Local operations subject to local security policies Global operations require requester to be globally known Interdomain operations require mutual authentication Global authentication replaces local authentication Users can delegate privileges to processes Credentials can be shared between processes in the same domain 09 5 Security/9.1 Introduction

Security Policies (2/2) Policy statements leads to the introduction of mechanisms for cross-domain authentication and making users globally known user proxies and resource proxies Protocol 3: Allocation of a resource by a process in remote domain Proxy creates process Domain Domain Process Resource proxy Process Resource proxy Process Local security policy and mechanisms Global-to-local mapping of IDs Process Local security policy and mechanisms Global-to-local mapping of IDs Process spawns child process Protocol 4: Making user known in remote domain User must be known in domain Domain User User proxy Protocol 1: Creation of user proxy Protocol 2: Allocation of a resource by the user in a remote domain 09 6 Security/9.1 Introduction

Design Issue: Focus of Control Essence: What is our focus when talking about protection: (a) data, (b) invalid operations, (c) unauthorized users Data is protected against wrong or invalid operations Data is protected against unauthorized invocations State Object Invocation Method (a) (b) Data is protected by checking the role of invoker (c) Note: We generally need all three, but each requires different mechanisms 09 7 Security/9.1 Introduction

Design Issue: Layering of Mechanisms and TCB Essence: At which logical level are we going to implement security mechanisms? Application Middleware OS Services High-level protocols Application Middleware OS Services OS kernel Hardware Transport Network Datalink Physical Low-level protocols Transport Network Datalink Physical OS kernel Hardware Network Important: Whether security mechanisms are actually used is related to the trust a user has in those mechanisms. No trust implement your own mechanisms. Trusted Computing Base: What is the set of mechanisms needed to enforce a policy. The smaller, the better. 09 8 Security/9.1 Introduction

Cryptography Passive intruder only listens to C Active intruder can alter messages Active intruder can insert messages Plaintext, P Encryption method Ciphertext C = E (P) K Decryption method Plaintext Sender Encryption key, E K Decryption key, D K Receiver Symmetric system: Use a single key to (1) encrypt the plaintext and (2) decrypt the ciphertext. Requires that sender and receiver share the secret key. Asymmetric system: Use different keys for encryption and decryption, of which one is private, and the other public. Hashing system: Only encrypt data and produce a fixed-length digest. There is no decryption; only comparison is possible. 09 9 Security/9.1 Introduction

Cryptographic Functions (1/2) Essence: Make the encryption method E public, but let the encryption as a whole be parameterized by means of a key S (Same for decryption) One-way function: Given some output m out of E S, it is (analytically or) computationally infeasible to find m in : E S (m in ) = m out Weak collision resistance: Given a pair m, E S (m), it is computationally infeasible to find an m = m such that E S (m ) = E S (m) Strong collision resistance: It is computationally infeasible to find any two different inputs m and m such that E S (m) = E S (m ) 09 10 Security/9.1 Introduction

Cryptographic Functions (2/2) One-way key: Given an encrypted message m out, message m in, and encryption function E, it is analytically and computationally infeasible to find a key K such that m out = E K (m in ) Weak key collision resistance: Given a triplet m, S, E, it is computationally infeasible to find an K = K such that E K (m) = E K (m) Strong key collision resistance: It is computationally infeasible to find any two different keys K and K such that for all m: E K (m) = E K (m) Note: Not all cryptographic functions have keys (such as hash functions) 09 11 Security/9.1 Introduction

Secure Channels Authentication Message Integrity and confidentiality Secure group communication 09 12 Security/9.2Secure Channels

Secure Channels Goal: Set up a channel allowing for secure communication between two processes: A B C A Confidential channel Authenticated and tamperproof channel D B C D A Secure channel B They both know who is on the other side (authenticated). They both know that messages cannot be tampered with (integrity). They both know messages cannot leak away (confidentiality). 09 13 Security/9.2Secure Channels

Authentication versus Integrity Note: Authentication and data integrity rely on each other: Consider an active attack by Trudy on the communication from Alice to Bob. Authentication without integrity: Alice s message is authenticated, and intercepted by Trudy, who tampers with its content, but leaves the authentication part as is. Authentication has become meaningless. Integrity without authentication: Trudy intercepts a message from Alice, and then makes Bob believe that the content was really sent by Trudy. Integrity has become meaningless. Question: What can we say about confidentiality versus authentication and integrity? 09 14 Security/9.2Secure Channels

Authentication: Secret Keys 1 2 A R B Alice 3 K A,B ( R B ) Bob 4 R A 5 K A,B ( R A ) 1: Alice sends ID to Bob 2: Bob sends challenge R B (i.e. a random number) to Alice 3: Alice encrypts R B with shared key K A,B. Now Bob knows he s talking to Alice 4: Alice send challenge R A to Bob 5: Bob encrypts R A with K A,B. Now Alice knows she s talking to Bob Note: We can improve the protocol by combining steps 1&4, and 2&3. This costs only the correctness. 09 15 Security/9.2Secure Channels

Authentication: Secret Keys Reflection Attack 2 1 R B A,, R C K A,B ( R C ) First session Chuck 4 3 A, R B R B2, K A,B ( R B ) Bob Second session 5 K A,B ( ) R B First session 1: Chuck claims he s Alice, and sends challenge R C 2: Bob returns a challenge R B and the encrypted R C 3: Chuck starts a second session, claiming he is Alice, but uses challenge R B 4: Bob sends back a challenge, plus K A,B (R B ) 5: Chuck sends back K A,B (R B ) for the first session to prove he is Alice 09 16 Security/9.2Secure Channels

Authentication: Public Key 1 + B K (A, R ) A Alice 2 K + A(R A, R B, K A,B) Bob 3 K A,B (R B) 1: Alice sends a challenge R A to Bob, encrypted with Bob s public key K + B. 2: Bob decrypts the message, generates a secret key K A,B, proves he s Bob (by sending R A back), and sends a challenge R B to Alice. Everything s encrypted with Alice s public key K + A. 3: Alice proves she s Alice by sending back the decrypted challenge, encrypted with generated secret key K A,B Note: K A,B is also known as a session key (we ll come back to these keys later on). 09 17 Security/9.2Secure Channels

Authentication: KDC (1/2) Problem: With N subjects, we need to manage N(N 1)/2 keys, each subject knowing N 1 keys. Essence: Use a trusted Key Distribution Center that generates keys when necessary. 1 A,B K A,B Alice 2 K A,KDC ( ) K B,KDC ( K A,B ) K A,B KDC, generates 2 Bob Question: How many keys do we need to manage? 09 18 Security/9.2Secure Channels

Authentication: KDC (2/2) Inconvenient: We need to ensure that Bob knows about K A,B before Alice gets in touch. Solution: Let Alice do the work and pass her a ticket to set up a secure channel with Bob 2 K A,KDC 1 R A1 K A,B, A, B ( R A1, B,, K B,KDC ( A, )) K A,B KDC Alice 3 R A2 K A,B ( ), K B,KDC ( A, K A,B ) Bob 4 K A,B ( R A2 1, R B ) 5 K A,B ( R B 1) Note: This is also known as the Needham-Schroeder authentication protocol, and is widely applied (in different forms). 09 19 Security/9.2Secure Channels

Needham-Schroeder: Subtleties Q1: Why does the KDC put Bob into its reply message, and Alice into the ticket? Q2: The ticket sent back to Alice by the KDC is encrypted with Alice s key. Is this necessary? Security flaw: Suppose Chuck finds out Alice s key he can use that key anytime to impersonate Alice, even if Alice changes her private key at the KDC. Reasoning: Once Chuck finds out Alice s key, he can use it to decrypt a (possibly old) ticket for a session with Bob, and convince Bob to talk to him using the old session key. Solution: Have Alice get an encrypted number from Bob first, and put that number in the ticket provided by the KDC we re now ensuring that every session is known at the KDC. 09 20 Security/9.2Secure Channels

Confidentiality (1/2) Secret key: Use a shared secret key to encrypt and decrypt all messages sent between Alice and Bob Public key: If Alice sends a message m to Bob, she encrypts it with Bob s public key: K + B (m) There are a number of problems with keys: Keys wear out: The more data is encrypted by a single key, the easier it becomes to find that key don t use keys too often Danger of replay: Using the same key for different communication sessions, permits old messages to be inserted in the current session don t use keys for different sessions 09 21 Security/9.2Secure Channels

Confidentiality (2/2) Compromised keys: If a key is compromised, you can never use it again. Really bad if all communication between Alice and Bob is based on the same key over and over again don t use the same key for different things Temporary keys: Untrusted components may play along perhaps just once, but you would never want them to have knowledge about your really good key for all times make keys disposable Essence: Don t use valuable and expensive keys for all communication, but only for authentication purposes. Solution: Introduce a cheap session key that is used only during one single conversation or connection ( cheap also means efficient in encryption and decryption) 09 22 Security/9.2Secure Channels

Digital Signatures Harder requirements: Authentication: Receiver can verify the claimed identity of the sender Nonrepudiation: The sender can later not deny that he/she sent the message Integrity: The message cannot be maliciously altered during, or after receipt Solution: Let a sender sign all transmitted messages, in such a way that (1) the signature can be verified and (2) message and signature are uniquely associated 09 23 Security/9.2Secure Channels

Public Key Signatures Alice's computer Bob's computer m Alice's private key, K A Bob's public key, K B + Bob's private key, K B Alice's public key, K A + m m K A (m) K B + (m,k A (m)) K A (m) 1: Alice encrypts her message m with her private key K A m = K A (m) 2: She then encrypts m with Bob s public key, along with the original message m m = K + B (m,k A (m)), and sends m to Bob. 3: Bob decrypts the incoming message with his private key K B. We know for sure that no one else has been able to read m, nor m during their transmission. 4: Bob decrypts m with Alice s public key K + A. Bob now knows the message came from Alice. Question: Is this good enough against nonrepudiation? 09 24 Security/9.2Secure Channels

Message Digests Basic idea: Don t mix authentication and secrecy. Instead, it should also be possible to send a message in the clear, but have it signed as well. Solution: take a message digest, and sign that: Alice's computer m Bob's computer m Hash function, H m Hash function, H Alice's private key, K A Alice's public key, K A + Compare OK H(m) K A (H(m)) H(m) Recall: Message digests are computed using a hash function, which produces a fixed-length message from arbitrary-length data. 09 25 Security/9.2Secure Channels

Secure Group Communication Design issue: How can you share secret information between multiple members without losing everything when one member turns bad. Confidentiality: Follow a simple (hard-to-scale) approach by maintaining a separate secret key between each pair of members. Replication: You also want to provide replication transparency. Apply secret sharing: No process knows the entire secret; it can be revealed only through joint cooperation Assumption: at most k out of N processes can produce an incorrect answer At most c k processes have been corrupted Note: We are dealing with a k fault tolerant process group. 09 26 Security/9.2Secure Channels

Secure Replicated Group (1/2) Server group Server S1 Server S2 r1,sig(s1,r1) r2,sig(s2,r2) r1 r2 r3 r4 r5 r Client's computer Hash function, H md(r) = H(r) Server S3 Server S4 Server S5 r3,sig(s3,r3) r4,sig(s4,r4) r5,sig(s5,r5) sig(s1,r1) sig(s2,r2) sig(s3,r3) sig(s4,r4) sig(s5,r5) Set of three signatures, V Decryption function, D(V) d d = md(r)? NO YES Select other (r,v) combination r is OK Let N = 5,c = 2 Each server S i gets to see each request and responds with r i Response r i is sent along with digest md(r i ), and signed with private key K i. Signature is denoted as sig(s i,r i ) = K i (md(r i )). 09 27 Security/9.2Secure Channels

Secure Replicated Group (2/2) Server group Server S1 Client's computer Server S2 r1,sig(s1,r1) r2,sig(s2,r2) r1 r2 r3 r4 r5 r Hash function, H md(r) = H(r) Server S3 Server S4 Server S5 r3,sig(s3,r3) r4,sig(s4,r4) r5,sig(s5,r5) sig(s1,r1) sig(s2,r2) sig(s3,r3) sig(s4,r4) sig(s5,r5) Set of three signatures, V Decryption function, D(V) d d = md(r)? NO YES Select other (r,v) combination r is OK Client uses special decryption function D that computes a single digest d from three signatures: d = D(sig(S,r),sig(S,r ),sig(s,r )) If d = md(r i ) for some r i, r i is considered correct Also known as (m,n)-threshold scheme (with m = c + 1,n = N) 09 28 Security/9.2Secure Channels

Access Control General issues Firewalls Secure mobile code 09 29 Security/9.3 Access Control

Authorization versus Authentication Authentication: Verify the claim that a subject says it is S: verifying the identity of a subject Authorization: Determining whether a subject is permitted certain services from an object Note: authorization makes sense only if the requesting subject has been authenticated Subject Reference monitor Object Request for operation Authorized request 09 30 Security/9.3 Access Control

Access Control Matrix Essence: Maintain an access control matrix ACM in which entry ACM[S,O] contains the permissible operations that subjectscan perform on object O Client Server Create access request r as subject s (s,r) (a) ACL Object if (s appears in ACL) if (r appears in ACL[s]) grant access; Client Server Create access request r for object o. Pass capability C (o, r) C Object if (r appears in C) grant access; (b) Implementation (a): Each object O maintains an access control list (ACL): ACM[*,O] describing the permissible operations per subject (or group of subjects) Implementation (b): Each subject S has a capability: ACM[S,*] describing the permissible operations per object (or category of objects) 09 31 Security/9.3 Access Control

Protection Domains Issue: ACLs or capability lists can be very large. Reduce information by means of protection domains: Set of (object, access rights) pairs Each pair is associated with a protection domain For each incoming request the reference monitor first looks up the appropriate protection domain Common implementation of protection domains: Groups: Users belong to a specific group; each group has associated access rights Roles: Don t differentiate between users, but only the roles they can play. Your role is determined at login time. Role changes are allowed. 09 32 Security/9.3 Access Control

Firewalls Essence: Sometimes it s better to select service requests at the lowest level: network packets. Packets that do not fit certain requirements are simply removed from the channel Solution: Protect your company by a firewall: it implements access control Packet filtering router Application gateway Packet filtering router Connections to internal networks Connections to outside networks Inside LAN Outside LAN Firewall Question: What do you think would be the biggest breach in firewalls? 09 33 Security/9.3 Access Control

Secure Mobile Code Problem: Mobile code is great for balancing communication and computation, but is hard to implement a general-purpose mechanism that allows different security policies for local-resource access. In addition, we may need to protect the mobile code (e.g., agents) against malicious hosts. 09 34 Security/9.3 Access Control

Protecting an Agent Ajanta: Detect that an agent has been tampered with while it was on the move. Most important: appendonly logs: Data can only be appended, not removed There is always an associated checksum. Initially, C init = K owner + (N), with N a nonce. Adding data X by server S: C new = K owner + (C old,sig(s, X),S) Removing data from the log: K owner (C) C prev,sig(s, X),S allowing the owner to check integrity of X 09 35 Security/9.3 Access Control

Protecting a Host (1/2) Simple solution: Enforce a (very strict) single policy, and implement that by means of a few simple mechanisms Sandbox model: Policy: Remote code is allowed access to only a pre-defined collection of resources and services. Mechanism: Check instructions for illegal memory access and service access Playground model: Same policy, but mechanism is to run code on separate unprotected machine. Trusted code Untrusted code Only trusted code Untrusted code Local network Sandbox Playground Local network (a) (b) 09 36 Security/9.3 Access Control

Protecting a Host (2/2) Observation: We need to be able to distinguish local from remote code before being able to do anything Refinement 1: We need to be able to assign a set of permissions to mobile code before its execution and check operations against those permissions at all times Refinement 2: We need to be able to assign different sets of permissions to different units of mobile code authenticate mobile code (e.g. through signatures) Question: What would be a very simple policy to follow (Microsoft s approach)? 09 37 Security/9.3 Access Control

Security Management Key establishment and distribution Secure group management Authorization management 09 38 Security/9.4 Security Management

Key Establishment: Diffie-Hellman Observation: We can construct secret keys in a safe way without having to trust a third party (i.e. a KDC): Alice and Bob have to agree on two large numbers, n and g. Both numbers may be public. Alice chooses large number x, and keeps it to herself. Bob does the same, say y. Alice picks x Bob picks y Alice computes y (g mod n) x = gxy mod n Alice 1 n, g, 2 g x mod n g y mod n Bob Bob computes x y (g mod n) = gxy mod n 1: Alice sends (n, g, g x mod n) to Bob 2: Bob sends (g y mod n) to Alice 3: Alice computes K A,B = (g y mod n) x = g xy mod n 4: Bob computes K A,B = (g x mod n) y = g xy mod n 09 39 Security/9.4 Security Management

Key Distribution (1/2) Essence: If authentication is based on cryptographic protocols, and we need session keys to establish secure channels, who s responsible for handing out keys? Secret keys: Alice and Bob will have to get a shared key. They can invent their own and use it for data exchange. Alternatively, they can trust a key distribution center (KDC) and ask it for a key. Public keys: Alice will need Bob s public key to decrypt (signed) messages from Bob, or to send private messages to Bob. But she ll have to be sure about actually having Bob s public key, or she may be in big trouble. Use a trusted certification authority (CA) to hand out public keys. A public key is put in a certificate, signed by a CA. 09 40 Security/9.4 Security Management

Key Distribution (2/2) Another problem: How do we get the secret keys to their new owners? Plaintext, P Encryption method Decryption method Plaintext Encryption key, K Ciphertext Decryption key, K Symmetric key generator Secure channels with confidentiality and authentication (a) Plaintext, P Encryption method Decryption method Plaintext Public key, K + Ciphertext Asymmetric key generator Private key, K Secure channel with authentication only (b) Secure channel with confidentiality and authentication 09 41 Security/9.4 Security Management

Secure Group Management (1/2) Structure: Group uses a key pair (K + G,K G ) for communication with nongroup members. There is a separate shared secret key CK G for internal communication. Assume process P wants to join the group and contacts Q. 1 [G, P, T, K + (RP, K )] G P,G P, [P, K + P ] CA P 2 [P, N, CK RP, CK (K )] G G G Q Q 3 K P,G (N) 1: P generates a one-time reply pad RP, and a secret key K P,G. It sends a join request to Q, signed by itself (notation: [JR] P ), along with a certificate containing its public key K + P. 09 42 Security/9.4 Security Management

Secure Group Management (2/2) 1 [G, P, T, K + (RP, K )] G P,G P, [P, K + P ] CA P 2 [P, N, CK RP, CK (K )] G G G Q Q 3 K P,G (N) 2: Q authenticates P, checks whether it can be allowed as member. It returns the group key CK G, encrypted with the one-time pad, as well as the group s private key, encrypted as CK G (K G ). 3: Q authenticates P and sends back K P,G (N) letting Q know that it has all the necessary keys. Question: Why didn t we send K + P (CK G) instead of using RP? 09 43 Security/9.4 Security Management

Authorization Management Issue: To avoid that each machine needs to know about all users, we use capabilities and attribute certificates to express the access rights that the holder has. In Amoeba, restricted access rights are encoded in a capability, along with data for an integrity check to protect against tampering: Capability Proposed new rights Port Object 11111111 C 00000001 Exclusive or f One-way function Restricted capability Port Object 00000001 f(c 00000001) 09 44 Security/9.4 Security Management

Delegation (1/2) Observation: A subject sometimes wants to delegate its privileges to an object O1, to allow that object to request services from another object O2 Example: A client tells the print server PS to fetch a file F from the file server FS to make a hard copy the client delegates its read privileges on F to PS Nonsolution: Simply hand over your attribute certificate to a delegate (which may pass it on to the next one, etc.) Problem: To what extent can the object trust a certificate to have originated at the initiator of the service request, without forcing the initiator to sign every certificate? 09 45 Security/9.4 Security Management

Delegate Privileges (2/2) Solution: Ensure that delegation proceeds through a secure channel, and let a delegate prove it got the certificate through such a path of channels originating at the initiator. Certificate R S+ proxy + sig(a, {R, S proxy}) S proxy access rights public part of secret signature private part of secret 1 [ R, S + proxy ] A, K A,B (S ) proxy Alice Bob 2 3 [ R, S + proxy ] A S+ proxy (N) Server 4 N 09 46 Security/9.4 Security Management

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback