Distributed Systems Principles and Paradigms. Chapter 09: Security

Similar documents
Distributed Systems Principles and Paradigms

Issues. Separation of. Distributed system security. Security services. Security policies. Security mechanism

Verteilte Systeme (Distributed Systems)

Security. Alessandro Margara Slides based on previous work by Matteo Migliavacca and Alessandro Sivieri

CS 470 Spring Security. Mike Lam, Professor. a.k.a. Why on earth do Alice and Bob need to talk so much?!? Content taken from the following:

CS 470 Spring Security. Mike Lam, Professor. a.k.a. Why on earth do Alice and Bob need to share so many secrets?!?

CS Computer Networks 1: Authentication

UNIT - IV Cryptographic Hash Function 31.1

Cryptography CS 555. Topic 16: Key Management and The Need for Public Key Cryptography. CS555 Spring 2012/Topic 16 1

Chapter 9: Key Management

Security: Focus of Control. Authentication

Cryptography and Network Security. Prof. D. Mukhopadhyay. Department of Computer Science and Engineering. Indian Institute of Technology, Kharagpur

Cryptographic Protocols 1

Key Management. Digital signatures: classical and public key Classic and Public Key exchange. Handwritten Signature

Authentication Handshakes

Kurose & Ross, Chapters (5 th ed.)

CIS 6930/4930 Computer and Network Security. Topic 6.2 Authentication Protocols

Security: Focus of Control

9/30/2016. Cryptography Basics. Outline. Encryption/Decryption. Cryptanalysis. Caesar Cipher. Mono-Alphabetic Ciphers

0/41. Alice Who? Authentication Protocols. Andreas Zeller/Stephan Neuhaus. Lehrstuhl Softwaretechnik Universität des Saarlandes, Saarbrücken

CSC 474/574 Information Systems Security

Cryptography Basics. IT443 Network Security Administration Slides courtesy of Bo Sheng

Computer Networks. Wenzhong Li. Nanjing University

CSC/ECE 774 Advanced Network Security

2.1 Basic Cryptography Concepts

CSE 3461/5461: Introduction to Computer Networking and Internet Technologies. Network Security. Presentation L

Chapter 8 Security. Computer Networking: A Top Down Approach. 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012

CSC 774 Network Security

ח'/סיון/תשע "א. RSA: getting ready. Public Key Cryptography. Public key cryptography. Public key encryption algorithms

L13. Reviews. Rocky K. C. Chang, April 10, 2015

CS3235 Seventh set of lecture slides

CS 161 Computer Security

Encryption. INST 346, Section 0201 April 3, 2018

Information Security. message M. fingerprint f = H(M) one-way hash. 4/19/2006 Information Security 1

Cryptographic Checksums

Data Security and Privacy. Topic 14: Authentication and Key Establishment

Network Security CHAPTER 31. Solutions to Review Questions and Exercises. Review Questions

(2½ hours) Total Marks: 75

14. Internet Security (J. Kurose)

Computer Networks 1 (Mạng Máy Tính 1) Lectured by: Dr. Phạm Trần Vũ

CSCI 667: Concepts of Computer Security. Lecture 9. Prof. Adwait Nadkarni

1 Identification protocols

6. Security Handshake Pitfalls Contents

Spring 2010: CS419 Computer Security

Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018

Lecture 30. Cryptography. Symmetric Key Cryptography. Key Exchange. Advanced Encryption Standard (AES) DES. Security April 11, 2005

10/1/2015. Authentication. Outline. Authentication. Authentication Mechanisms. Authentication Mechanisms. Authentication Mechanisms

Password. authentication through passwords

Outline Key Management CS 239 Computer Security February 9, 2004

Cristina Nita-Rotaru. CS355: Cryptography. Lecture 17: X509. PGP. Authentication protocols. Key establishment.

Cryptographic Concepts

ECEN 5022 Cryptography

Lecture 9a: Secure Sockets Layer (SSL) March, 2004

Ref:

Key Establishment and Authentication Protocols EECE 412

Diffie-Hellman. Part 1 Cryptography 136

Distributed Systems. 26. Cryptographic Systems: An Introduction. Paul Krzyzanowski. Rutgers University. Fall 2015

CSC 474/574 Information Systems Security

Lecture 1: Course Introduction

Security: Cryptography

Computer Security. 10. Exam 2 Review. Paul Krzyzanowski. Rutgers University. Spring 2017

Information Security CS 526

Computer Networking. What is network security? Chapter 7: Network security. Symmetric key cryptography. The language of cryptography

Cryptography (Overview)

Background. Network Security - Certificates, Keys and Signatures - Digital Signatures. Digital Signatures. Dr. John Keeney 3BA33

CS 161 Computer Security

Session key establishment protocols

Protocols II. Computer Security Lecture 12. David Aspinall. 17th February School of Informatics University of Edinburgh

Public-key Cryptography: Theory and Practice

David Wetherall, with some slides from Radia Perlman s security lectures.

Session key establishment protocols

From Coulouris, Dollimore and Kindberg Distributed Systems: Concepts and Design. Edition 4 Pearson Education 2005

Outline. Login w/ Shared Secret: Variant 1. Login With Shared Secret: Variant 2. Login Only Authentication (One Way) Mutual Authentication

Other Uses of Cryptography. Cryptography Goals. Basic Problem and Terminology. Other Uses of Cryptography. What Can Go Wrong? Why Do We Need a Key?

Security. Communication security. System Security

Security Handshake Pitfalls

PROTECTING CONVERSATIONS

Module: Cryptographic Protocols. Professor Patrick McDaniel Spring CMPSC443 - Introduction to Computer and Network Security

Contents Digital Signatures Digital Signature Properties Direct Digital Signatures

CSE 127: Computer Security Cryptography. Kirill Levchenko

CSC 8560 Computer Networks: Network Security

Lecture 5: Protocols - Authentication and Key Exchange* CS 392/6813: Computer Security Fall Nitesh Saxena

1.264 Lecture 27. Security protocols Symmetric cryptography. Next class: Anderson chapter 10. Exercise due after class

EEC-682/782 Computer Networks I

SECURITY IN NETWORKS

ECE 646 Lecture 3. Key management

Securing Internet Communication: TLS

1.264 Lecture 28. Cryptography: Asymmetric keys

Security Handshake Pitfalls

Lecture 1 Applied Cryptography (Part 1)

Lecture Nov. 21 st 2006 Dan Wendlandt ISP D ISP B ISP C ISP A. Bob. Alice. Denial-of-Service. Password Cracking. Traffic.

CSCI 454/554 Computer and Network Security. Topic 5.2 Public Key Cryptography

Key Agreement. Guilin Wang. School of Computer Science, University of Birmingham

Overview. SSL Cryptography Overview CHAPTER 1

Encryption and Forensics/Data Hiding

KALASALINGAM UNIVERSITY

Protecting Information Assets - Week 11 - Cryptography, Public Key Encryption and Digital Signatures. MIS 5206 Protecting Information Assets

Overview of Authentication Systems

Outline. CSCI 454/554 Computer and Network Security. Introduction. Topic 5.2 Public Key Cryptography. 1. Introduction 2. RSA

T Cryptography and Data Security

Transcription:

Distributed Systems Principles and Paradigms Christoph Dorn Distributed Systems Group, Vienna University of Technology c.dorn@infosys.tuwien.ac.at http://www.infosys.tuwien.ac.at/staff/dorn Slides adapted from Maarten van Steen, VU Amsterdam, steen@cs.vu.nl Chapter 09: Security

Contents Chapter 01: Introduction 02: Architectures 03: Processes 04: Communication 05: Naming 06: Synchronization 07: Consistency & Replication 08: Fault Tolerance 09: Security 10: Distributed Object-Based Systems 11: Distributed File Systems 12: Distributed Web-Based Systems 13: Distributed Coordination-Based Systems DS WS 2014 2 / 78

Overview Introduction Secure channels Access control Security management DS WS 2014 3 / 78

Basics Security: Dependability revisited A component provides services to clients. To provide services, the component may require the services from other components a component may depend on some other component. Property Availability Reliability Safety Maintainable Integrity Description Accessible and usable upon demand for authorized entities Continuity of service delivery Very low probability of catastrophes Easy repair of a failure No accidental or malicious alterations of information have been performed (even by authorized entities) DS WS 2014 4 / 78

Security: Dependability revisited Observation In distributed systems, security is the combination of availability, integrity, and confidentiality. Property Confidentiality Availability Integrity Description No unauthorized disclosure of information Accessible and usable upon demand for authorized entities No accidental or malicious alterations of information have been performed (even by authorized entities) DS WS 2014 5 / 78

The players Security threats Subject: Entity capable of issuing a request for a service as provided by objects Channel: The carrier of requests and replies for services offered to subjects Object: Entity providing services to subjects. DS WS 2014 6 / 78

Security threats The threats Threat Channel Object/Server Interruption Inspection Modification Preventing message transfer Reading the content of transferred messages Changing message content Denial of service Reading the data contained in an object/server Changing an object/server s encapsulated data Fabrication Inserting messages Spoofing an object/server DS WS 2014 7 / 78

Issue Security mechanisms To protect against security threats, we have a number of security mechanisms at our disposal: Encryption: Transform data into something that an attacker cannot understand (confidentiality). It is also used to check whether something has been modified (integrity). Authentication: Verify the claim that a subject says it is S: verifying the identity of a subject. (Who is accessing/ requesting?) Authorization: Determining whether a subject is permitted to make use of certain services. (Who is allowed to access/request a service/) Auditing: Trace which subjects accessed what, and in which way. Useful only if it can help catch an attacker. (Attackers will try to avoid leaving traces) DS WS 2014 8 / 78

Design issue: Focus of control Data is protected against wrong or invalid operations Data is protected against unauthorized invocations State Object Invocation Method (a) (b) Data is protected by checking the role of invoker (c) DS WS 2014 9 / 78

Design issue: Layering of mechanisms Issue At which logical level are we going to implement security mechanisms? Application Middleware OS Services High-level protocols Application Middleware OS Services OS kernel Hardware Transport Network Datalink Physical Low-level protocols Transport Network Datalink Physical OS kernel Hardware Network DS WS 2014 10 / 78

Design issue: Layering of mechanisms Trusted Computing Base Typically: security at lower layers often more convenient, BUT Important Whether security mechanisms are actually used is related to the trust a user has in those mechanisms. (Do you trust the network layer between your smart phone and your email server?) No trust implement your own mechanisms (at higher levels). (Now, you need to trust SSL/TLS...) DS WS 2014 11 / 78

Important Fundamental Laws of Security - 1 The security of any distributed system is exactly as good as its weakest component/link. DS WS 2014 12 / 78

Fundamental Laws of Security - 2 DS WS 2014 13 / 78

Observation Fundamental Laws of Security - 3 The security of your system needs to depend on technical and mathematical facts, and never on hidden information. DS WS 2014 14 / 78

Cryptography Passive intruder only listens to C Active intruder can alter messages Active intruder can insert messages Plaintext, P Encryption method Ciphertext C = E (P) K Decryption method Plaintext Sender Encryption key, EK Decryption key, DK Receiver DS WS 2014 15 / 78

Cryptography Methods Symmetric system: Use a single key to (1) encrypt and (2) decrypt. Requires that sender and receiver share the secret key. (e.g., DES, AES) P = D K (E K (P)) Asymmetric system: Use different keys for encryption and decryption, of which one is private (K A ), and the other public (K + A ). (e.g., RSA) P = D K D(E K E (P)) Hashing system: Only encrypt data and produce a fixed-length digest. There is no decryption; only comparison is possible. (e.g., MD5, SHA-1) DS WS 2014 16 / 78

Cryptography Use Cases Symmetric system: Encryption (prevention of interception) Asymmetric system: Authentication (prevention of fabrication) Hashing system: Integrity (prevention of modification) DS WS 2014 17 / 78

Cryptographic functions Essence Make the encryption method E public, but let the encryption as a whole be parameterized by means of a key S (Same for decryption) One-way function: Given some output m out of E S, it is (analytically or) computationally infeasible to find m in : E S (m in ) = m out Example: given E S = Shakespeare and m out = MacBeth infeasible to find/define the environment m in that let Shakespeare s mind to produce MacBeth DS WS 2014 18 / 78

Cryptographic functions Essence Weak collision resistance: Given the pair m,e S (m), it is computationally infeasible to find an m m such that E S (m ) = E S (m) Example: m = mouse is afraid of and E S (m) = cat unable to find m = dog is afraid of and E S (m ) = cat Strong collision resistance: It is computationally infeasible to find any two different inputs m and m such that E S (m ) = E S (m) Example: unable to find m = dog Rex is afraid of and m = dog Struppi is afraid of and E S (m ) = E S (m) = cat DS WS 2014 19 / 78

Cryptographic functions Essence (cnt d) One-way key: Given an encrypted message m out, message m in, and encryption function E, it is analytically and computationally infeasible to find a key K such that m out = E K (m in ) Weak key collision resistance: Given a triplet m,k,e, it is computationally infeasible to find an K K such that E K (m) = E K (m) Strong key collision resistance: It is computationally infeasible to find any two different keys K and K such that for all m: E K (m ) = E K (m) DS WS 2014 20 / 78

Secure channels Authentication Message Integrity and confidentiality DS WS 2014 21 / 78

Secure channels A B C A Confidential channel Authenticated and tamperproof channel D B C D A Secure channel B What s a secure channel Both parties know who is on the other side (authenticated). Both parties know that messages cannot be tampered with (integrity). Both parties know messages cannot leak away (confidentiality). DS WS 2014 22 / 78

Important Authentication versus integrity Authentication and data integrity rely on each other: Consider an active attack by Trudy on the communication from Alice to Bob. Authentication without integrity Alice s message is authenticated, and intercepted by Trudy, who tampers with its content, but leaves the authentication part as is. Authentication has become meaningless. Integrity without authentication Trudy intercepts a message from Alice, and then makes Bob believe that the content was really sent by Alice. Integrity has become meaningless. DS WS 2014 23 / 78

Authentication: Secret (shared) keys 1 2 A R B Alice 3 K A,B ( R B ) Bob 4 R A 5 K A,B ( R A ) 1: Alice sends ID to Bob 2: Bob sends challenge R B to Alice 3: Alice encrypts R B with shared key K A,B. Bob now knows he is talking to Alice. 4: Alice sends challenge R A to Bob 5: Bob encrypts R A with K A,B. Alice now knows that she is talking to Bob. DS WS 2014 24 / 78

Authentication: Secret (shared) keys 1 2 A R B Alice 3 K A,B ( R B ) Bob 4 R A 5 K A,B ( R A ) 1: Alice sends ID to Bob 2: Bob sends challenge R B to Alice 3: Alice encrypts R B with shared key K A,B. Bob now knows he is talking to Alice. 4: Alice sends challenge R A to Bob 5: Bob encrypts R A with K A,B. Alice now knows that she is talking to Bob. DS WS 2014 25 / 78

Authentication: Secret (shared) keys 1 2 A R B Alice 3 K A,B ( R B ) Bob 4 R A 5 K A,B ( R A ) 1: Alice sends ID to Bob 2: Bob sends challenge R B to Alice 3: Alice encrypts R B with shared key K A,B. Bob now knows he is talking to Alice. 4: Alice sends challenge R A to Bob 5: Bob encrypts R A with K A,B. Alice now knows that she is talking to Bob. DS WS 2014 26 / 78

Authentication: Secret (shared) keys 1 2 A R B Alice 3 K A,B ( R B ) Bob 4 R A 5 K A,B ( R A ) 1: Alice sends ID to Bob 2: Bob sends challenge R B to Alice 3: Alice encrypts R B with shared key K A,B. Bob now knows he is talking to Alice. 4: Alice sends challenge R A to Bob 5: Bob encrypts R A with K A,B. Alice now knows that she is talking to Bob. DS WS 2014 27 / 78

Authentication: Secret (shared) keys 1 2 A R B Alice 3 K A,B ( R B ) Bob 4 R A 5 K A,B ( R A ) 1: Alice sends ID to Bob 2: Bob sends challenge R B to Alice 3: Alice encrypts R B with shared key K A,B. Bob now knows he is talking to Alice. 4: Alice sends challenge R A to Bob 5: Bob encrypts R A with K A,B. Alice now knows that she is talking to Bob. DS WS 2014 28 / 78

Authentication: Secret (shared) keys 1 2 A R B Alice 3 K A,B ( R B ) Bob 4 R A 5 K A,B ( R A ) 1: Alice sends ID to Bob 2: Bob sends challenge R B to Alice 3: Alice encrypts R B with shared key K A,B. Bob now knows he is talking to Alice. 4: Alice sends challenge R A to Bob 5: Bob encrypts R A with K A,B. Alice now knows that she is talking to Bob. DS WS 2014 29 / 78

Authentication: Secret keys Improvement Combine steps 1&4, and 2&5. Price to pay: correctness. DS WS 2014 30 / 78

Authentication: Secret keys Improvement Combine steps 1&4, and 2&5. Price to pay: correctness. DS WS 2014 31 / 78

Authentication: Secret keys reflection attack 2 1 A, R C R B, K A,B ( R C ) First session Chuck 4 3 A, R B R B2, K A,B ( R B ) Bob Second session 5 K A,B ( R B ) First session 1: Chuck claims he s Alice, and sends challenge R C 2: Bob returns a challenge R B and the encrypted R C 3: Chuck starts a second session, claiming he is Alice, but uses challenge R B 4: Bob sends back a challenge, plus K A,B (R B ) 5: Chuck sends back K A,B (R B ) for the first session to prove he is Alice. DS WS 2014 32 / 78

Authentication: Secret keys reflection attack 2 1 A, R C R B, K A,B ( R C ) First session Chuck 4 3 A, R B R B2, K A,B ( R B ) Bob Second session 5 K A,B ( R B ) First session 1: Chuck claims he s Alice, and sends challenge R C 2: Bob returns a challenge R B and the encrypted R C 3: Chuck starts a second session, claiming he is Alice, but uses challenge R B 4: Bob sends back a challenge, plus K A,B (R B ) 5: Chuck sends back K A,B (R B ) for the first session to prove he is Alice. DS WS 2014 33 / 78

Authentication: Secret keys reflection attack 2 1 A, R C R B, K A,B ( R C ) First session Chuck 4 3 A, R B R B2, K A,B ( R B ) Bob Second session 5 K A,B ( R B ) First session 1: Chuck claims he s Alice, and sends challenge R C 2: Bob returns a challenge R B and the encrypted R C 3: Chuck starts a second session, claiming he is Alice, but uses challenge R B 4: Bob sends back a challenge, plus K A,B (R B ) 5: Chuck sends back K A,B (R B ) for the first session to prove he is Alice. DS WS 2014 34 / 78

Authentication: Secret keys reflection attack 2 1 A, R C R B, K A,B ( R C ) First session Chuck 4 3 A, R B R B2, K A,B ( R B ) Bob Second session 5 K A,B ( R B ) First session 1: Chuck claims he s Alice, and sends challenge R C 2: Bob returns a challenge R B and the encrypted R C 3: Chuck starts a second session, claiming he is Alice, but uses challenge R B 4: Bob sends back a challenge, plus K A,B (R B ) 5: Chuck sends back K A,B (R B ) for the first session to prove he is Alice. DS WS 2014 35 / 78

Authentication: Secret keys reflection attack 2 1 A, R C R B, K A,B ( R C ) First session Chuck 4 3 A, R B R B2, K A,B ( R B ) Bob Second session 5 K A,B ( R B ) First session 1: Chuck claims he s Alice, and sends challenge R C 2: Bob returns a challenge R B and the encrypted R C 3: Chuck starts a second session, claiming he is Alice, but uses challenge R B 4: Bob sends back a challenge, plus K A,B (R B ) 5: Chuck sends back K A,B (R B ) for the first session to prove he is Alice. DS WS 2014 36 / 78

Authentication: Secret keys reflection attack 2 1 A, R C R B, K A,B ( R C ) First session Chuck 4 3 A, R B R B2, K A,B ( R B ) Bob Second session 5 K A,B ( R B ) First session 1: Chuck claims he s Alice, and sends challenge R C 2: Bob returns a challenge R B and the encrypted R C 3: Chuck starts a second session, claiming he is Alice, but uses challenge R B 4: Bob sends back a challenge, plus K A,B (R B ) 5: Chuck sends back K A,B (R B ) for the first session to prove he is Alice. DS WS 2014 37 / 78

Authentication: Secret keys reflection attack Question to the audience How can we fix the protocol? Your choices are: Bob remembers which challenges he used (head) Bob disallows a second session (nose) This protocol is broken, no way to fix it (ear) DS WS 2014 38 / 78

Problem Authentication: KDC With N subjects, we need to manage N(N 1)/2 keys, each subject knowing N 1 keys use a trusted Key Distribution Center that generates keys when necessary. Alice 1 A,B K A,B KDC, generates 2 2 K A,KDC ( K A,B ) K B,KDC ( K A,B ) Bob Question How many keys do we need to manage? DS WS 2014 39 / 78

Authentication: KDC (Needham-Schroeder) Inconvenient We need to ensure that Bob knows about K A,B before Alice gets in touch let Alice do the work and pass her a ticket to set up a secure channel with Bob. 1 R A1, A, B 2 K A,KDC ( R A1, B, K A,B, K B,KDC ( A, K A,B )) KDC Alice 3 K A,B ( R A2 ), K B,KDC ( A, K A,B ) Bob 4 K A,B ( R A2 1, R B ) 5 K A,B ( R B 1) DS WS 2014 40 / 78

Needham-Schroeder: Subtleties 1 R A1, A, B 2 K A,KDC ( R A1, B, K A,B, K B,KDC ( A, K A,B )) KDC Alice 3 K A,B ( R A2 ), K B,KDC ( A, K A,B ) Bob 4 K A,B ( R A2 1, R B ) 5 K A,B ( R B 1) Some issues Q1: Why does the KDC put Bob into its reply message, and Alice into the ticket? Q2: The ticket sent back to Alice by the KDC is encrypted with Alice s key. Is this necessary? DS WS 2014 41 / 78

Security flaw Needham-Schroeder: Subtleties Suppose Trudy finds out Alice s key she can use that key anytime to impersonate Alice, even if Alice changes her private key at the KDC. Reasoning Once Trudy finds out Alice s key, she can use it to decrypt a (possibly old) ticket for a session with Bob, and convince Bob to talk to her using the old session key. Solution Have Alice get an encrypted number from Bob first, and put that number in the ticket provided by the KDC we re now ensuring that every session is known at the KDC. DS WS 2014 42 / 78

Authentication: Public key 1 K + B(A, R A) Alice 2 K+ A(R A, R B, K A,B) Bob 3 K A,B (R B) 1: Alice sends a challenge R A to Bob, encrypted with Bob s public key K + B. 2: Bob decrypts the message, generates a secret key K A,B (session key), proves he s Bob (by sending R A back), and sends a challenge R B to Alice. Everything s encrypted with Alice s public key K + A. 3: Alice proves she s Alice by sending back the decrypted challenge, encrypted with generated secret key K A,B DS WS 2014 43 / 78

Authentication: Public key 1 K + B(A, R A) Alice 2 K+ A(R A, R B, K A,B) Bob 3 K A,B (R B) 1: Alice sends a challenge R A to Bob, encrypted with Bob s public key K + B. 2: Bob decrypts the message, generates a secret key K A,B (session key), proves he s Bob (by sending R A back), and sends a challenge R B to Alice. Everything s encrypted with Alice s public key K + A. 3: Alice proves she s Alice by sending back the decrypted challenge, encrypted with generated secret key K A,B DS WS 2014 44 / 78

Authentication: Public key 1 K + B(A, R A) Alice 2 K+ A(R A, R B, K A,B) Bob 3 K A,B (R B) 1: Alice sends a challenge R A to Bob, encrypted with Bob s public key K + B. 2: Bob decrypts the message, generates a secret key K A,B (session key), proves he s Bob (by sending R A back), and sends a challenge R B to Alice. Everything s encrypted with Alice s public key K + A. 3: Alice proves she s Alice by sending back the decrypted challenge, encrypted with generated secret key K A,B DS WS 2014 45 / 78

Authentication: Public key 1 K + B(A, R A) Alice 2 K+ A(R A, R B, K A,B) Bob 3 K A,B (R B) 1: Alice sends a challenge R A to Bob, encrypted with Bob s public key K + B. 2: Bob decrypts the message, generates a secret key K A,B (session key), proves he s Bob (by sending R A back), and sends a challenge R B to Alice. Everything s encrypted with Alice s public key K + A. 3: Alice proves she s Alice by sending back the decrypted challenge, encrypted with generated secret key K A,B DS WS 2014 46 / 78

Confidentiality Solutions Secret key: Use a shared secret key to encrypt and decrypt all messages sent between Alice and Bob Public key: If Alice sends a message m to Bob, she encrypts it with Bob s public key: K + B (m) Problems with keys Keys wear out: The more data is encrypted by a single key, the easier it becomes to find that key don t use keys too often Danger of replay: Using the same key for different communication sessions, permits old messages to be inserted in the current session don t use keys for different sessions DS WS 2014 47 / 78

Confidentiality Problems with keys Compromised keys: If a key is compromised, you can never use it again. Really bad if all communication between Alice and Bob is based on the same key over and over again don t use the same key for different things. Temporary keys: Untrusted components may play along perhaps just once, but you would never want them to have knowledge about your really good key for all times make keys disposable DS WS 2014 48 / 78

Confidentiality Essence Don t use valuable and expensive keys for all communication, but only for authentication purposes. Consequence Introduce a cheap session key that is used only during one single conversation or connection ( cheap also means efficient in encryption and decryption: in RSA 100x-1000x slower than DES). DS WS 2014 49 / 78

Digital signatures Scenario Alice sells her iphone5 to Bob for 500 EUR Bob wants to ensure, it s indeed Alice selling the item (and vice versa) Bob wants to ensure, that Alice cannot later claim a higher price Alice wants to ensure that Bob cannot later claim a lower price DS WS 2014 50 / 78

Digital signatures Harder requirements Authentication: Receiver can verify the claimed identity of the sender Nonrepudiation: The sender can later not deny that he/she sent the message Integrity: The message cannot be maliciously altered during, or after receipt Solution Let a sender sign all transmitted messages, in such a way that (1) the signature can be verified and (2) message and signature are uniquely associated DS WS 2014 51 / 78

Public key signatures Alice's computer Bob's computer m Alice's private key, K A Bob's public key, K+ B Bob's private key, K B Alice's public key, K+ A m m K A (m) K B + (m,k A (m)) K A (m) 1: Alice encrypts her message m with her private key K A m = K A (m) 2: She then encrypts m with Bob s public key, along with the original message m m = K + B (m,k A (m)), and sends m to Bob. 3: Bob decrypts the incoming message with his private key K B. We know for sure that no one else has been able to read m, nor m during their transmission. 4: Bob decrypts m with Alice s public key K + A. Bob now knows the message came from Alice. DS WS 2014 52 / 78

Public key signatures Alice's computer Bob's computer m Alice's private key, K A Bob's public key, K+ B Bob's private key, K B Alice's public key, K+ A m m K A (m) K B + (m,k A (m)) K A (m) 1: Alice encrypts her message m with her private key K A m = K A (m) 2: She then encrypts m with Bob s public key, along with the original message m m = K + B (m,k A (m)), and sends m to Bob. 3: Bob decrypts the incoming message with his private key K B. We know for sure that no one else has been able to read m, nor m during their transmission. 4: Bob decrypts m with Alice s public key K + A. Bob now knows the message came from Alice. DS WS 2014 53 / 78

Public key signatures Alice's computer Bob's computer m Alice's private key, K A Bob's public key, K+ B Bob's private key, K B Alice's public key, K+ A m m K A (m) K B + (m,k A (m)) K A (m) 1: Alice encrypts her message m with her private key K A m = K A (m) 2: She then encrypts m with Bob s public key, along with the original message m m = K + B (m,k A (m)), and sends m to Bob. 3: Bob decrypts the incoming message with his private key K B. We know for sure that no one else has been able to read m, nor m during their transmission. 4: Bob decrypts m with Alice s public key K + A. Bob now knows the message came from Alice. DS WS 2014 54 / 78

Public key signatures Alice's computer Bob's computer m Alice's private key, K A Bob's public key, K+ B Bob's private key, K B Alice's public key, K+ A m m K A (m) K B + (m,k A (m)) K A (m) 1: Alice encrypts her message m with her private key K A m = K A (m) 2: She then encrypts m with Bob s public key, along with the original message m m = K + B (m,k A (m)), and sends m to Bob. 3: Bob decrypts the incoming message with his private key K B. We know for sure that no one else has been able to read m, nor m during their transmission. 4: Bob decrypts m with Alice s public key K + A. Bob now knows the message came from Alice. DS WS 2014 55 / 78

Public key signatures Alice's computer Bob's computer m Alice's private key, K A Bob's public key, K+ B Bob's private key, K B Alice's public key, K+ A m m K A (m) K B + (m,k A (m)) K A (m) 1: Alice encrypts her message m with her private key K A m = K A (m) 2: She then encrypts m with Bob s public key, along with the original message m m = K + B (m,k A (m)), and sends m to Bob. 3: Bob decrypts the incoming message with his private key K B. We know for sure that no one else has been able to read m, nor m during their transmission. 4: Bob decrypts m with Alice s public key K + A. Bob now knows the message came from Alice. DS WS 2014 56 / 78

Basic idea Message digests Don t mix authentication and secrecy. Instead, it should also be possible to send a message in the clear, but have it signed as well take a message digest, and sign that. Alice's computer m Bob's computer m m Hash function, H Hash function, H Alice's private key, K A Alice's public key, K+ A Compare OK H(m) K A (H(m)) H(m) DS WS 2014 57 / 78

Security management Key establishment and distribution Authorization management DS WS 2014 58 / 78

Key establishment: Diffie-Hellman Observation We can construct secret keys in a safe way without having to trust a third party (i.e. a KDC): Alice and Bob have to agree on two large numbers, n (prime) and g. Both numbers may be public. Alice chooses large number x, and keeps it to herself. Bob does the same, say y. DS WS 2014 59 / 78

Key establishment: Diffie-Hellman Alice picks x Bob picks y Alice computes y (g mod n) x = gxy mod n Alice 1 n, g, 2 g x mod n g y mod n Bob Bob computes x y (g mod n) = gxy mod n 1: Alice sends (n,g,g x mod n) to Bob 2: Bob sends (g y mod n) to Alice 3: Alice computes K A,B = (g y mod n) x = g xy mod n 4: Bob computes K A,B = (g x mod n) y = g xy mod n Note n = kq + 1, with q being prime > 160 bits. In practice, n,g > 512 bits. DS WS 2014 60 / 78

Key establishment: Diffie-Hellman Alice picks x Bob picks y Alice computes y (g mod n) x = gxy mod n Alice 1 n, g, 2 g x mod n g y mod n Bob Bob computes x y (g mod n) = gxy mod n 1: Alice sends (n,g,g x mod n) to Bob 2: Bob sends (g y mod n) to Alice 3: Alice computes K A,B = (g y mod n) x = g xy mod n 4: Bob computes K A,B = (g x mod n) y = g xy mod n Note n = kq + 1, with q being prime > 160 bits. In practice, n,g > 512 bits. DS WS 2014 61 / 78

Key establishment: Diffie-Hellman Alice picks x Bob picks y Alice computes y (g mod n) x = gxy mod n Alice 1 n, g, 2 g x mod n g y mod n Bob Bob computes x y (g mod n) = gxy mod n 1: Alice sends (n,g,g x mod n) to Bob 2: Bob sends (g y mod n) to Alice 3: Alice computes K A,B = (g y mod n) x = g xy mod n 4: Bob computes K A,B = (g x mod n) y = g xy mod n Note n = kq + 1, with q being prime > 160 bits. In practice, n,g > 512 bits. DS WS 2014 62 / 78

Key establishment: Diffie-Hellman Alice picks x Bob picks y Alice computes y (g mod n) x = gxy mod n Alice 1 n, g, 2 g x mod n g y mod n Bob Bob computes x y (g mod n) = gxy mod n 1: Alice sends (n,g,g x mod n) to Bob 2: Bob sends (g y mod n) to Alice 3: Alice computes K A,B = (g y mod n) x = g xy mod n 4: Bob computes K A,B = (g x mod n) y = g xy mod n Note n = kq + 1, with q being prime > 160 bits. In practice, n,g > 512 bits. DS WS 2014 63 / 78

Key establishment: Diffie-Hellman Alice picks x Bob picks y Alice computes y (g mod n) x = gxy mod n Alice 1 n, g, 2 g x mod n g y mod n Bob Bob computes x y (g mod n) = gxy mod n 1: Alice sends (n,g,g x mod n) to Bob 2: Bob sends (g y mod n) to Alice 3: Alice computes K A,B = (g y mod n) x = g xy mod n 4: Bob computes K A,B = (g x mod n) y = g xy mod n Note n = kq + 1, with q being prime > 160 bits. In practice, n,g > 512 bits. DS WS 2014 64 / 78

Essence Key distribution Authentication requires cryptographic protocols, require session keys to establish secure channels, who s responsible for handing out keys? Secret keys Create your own and exchange it out of band Trust a key distribution center (KDC) and ask it for a key. Public keys: How to guarantee that A s public key is actually from A? Personally exchanged out of band Use a trusted certification authority (CA) to hand out public keys. A public key is put in a certificate, signed by a CA. Trust Hierarchy: work your way up the hierarchy to increase your confidence DS WS 2014 65 / 78

Key distribution: getting keys to owners Plaintext, P Encryption method Decryption method Plaintext Encryption key, K Ciphertext Decryption key, K Symmetric key generator Secure channels with confidentiality and authentication (a) Plaintext, P Encryption method Decryption method Plaintext Public key, K+ Ciphertext Asymmetric key generator Private key, K Secure channel with authentication only (b) Secure channel with confidentiality and authentication DS WS 2014 66 / 78

Certificate Lifetime Essence Lifelong certificates would be nice but need revocation when compromised Certificate Revocation Lists: CRL regularly published by CA Expiration Time: limit lifetime, invalid after expiration time (extreme case reduce to zero) and couple with CRL In Practise: certificates with limited lifetime, users hardly check CRLs, but some software installers do DS WS 2014 67 / 78

Some Common Attack Scenarios Distributed systems security can be compromised on any layer Thus remember: any security breach potentially renders the entire system insecure. Just a small set of examples Following attacks happen in practice all the time Buffer Overflows SQL Injection Attach Cross-Side Scripting Attach (XSS) Distributed Denial-of-Service Attack (DDoS) Sidechannel Attacks Social Engineering DS WS 2014 68 / 78

Buffer Overflows Common security problem in unmanaged programming languages (e.g., C / C++) Input data larger than reserved heap space Hence data flows over into next frame, allowing an attacker to overwrite the return address pointer of a procedure call with a custom address Hence allowing the attacker to execute arbitrary code DS WS 2014 69 / 78

Buffer Overflow Source http://cis1.towson.edu/ cssecinj/modules/cs2/ buffer-overflow-cs2-c/ DS WS 2014 70 / 78

SQL Injection Attack Observation Some web applications do not sufficiently check data received from users before issuing SQL queries s e l e c t now assume following input: from users where user = $username and pw = md5( $pw) $username = 1 or 1=1; drop table users; -- and you get: s e l e c t from users where user = 1 or 1=1; drop table users ; DS WS 2014 71 / 78

DS WS 2014 72 / 78 SQL Injection Attack

Observation Cross-Side Scripting Attack (XSS) Some web applications do not sufficiently check data received from users Similar principle to SQL injection Allows attacker to inject arbitrary scripts into a legit (trustable) web site Example: blog with commentary function that accepts arbitrary HTML code Very i n t e r e s t i n g a r t i c l e! <s c r i p t type = t e x t / j a v a s c r i p t > <! window. l o c a t i o n = h t t p : / / 6 2. 1 7 8. 7 1. 1 0 5 ; > </ s c r i p t > DS WS 2014 73 / 78

Observation Distributed Denial-of-Service Attack (DDoS) Attacker uses a network of hacked machines Bots/Zombies overload the resources of the target with requests Difficult to protect against (needs to be done at ISP level) Difficult to identify the attacker (all request come from unassuming zombies) DS WS 2014 74 / 78

Sidechannel Attacks & Social Engineering Ignore the technical security mechanisms finding out the secret that the mechanism was based on Phishing for passwords or keys NSA demanding private keys from certification authorities Reverse-engineering keys in embedded devices by measuring energy comsumption Social Engineering Sidechannel attacks on humans behind the secure technical system usual assumption: people are easily manipulated e.g.: incoming call Hey, I m from IT. We have a problem with your account here DS WS 2014 75 / 78

Further Lectures on Security [183.367] Security for Systems Engineering [183.645] Advanced Security for Systems Engineering [183.633] IT Security in Large IT Infrastructures [188.312] Organizational Aspects of IT Security [183.606] Seminar aus Security DS WS 2014 76 / 78

Organizational Issues Next/Last Lecture on Monday, Nov 10. No lecture next week! Lecture Feedback on TISS: between 24.11.2014 and 12.02.2015 DS WS 2014 77 / 78

Looking for a Bachelor Thesis topic? Check out some topics on my webpage http://christophdorn.wordpress.com/ stuff-for-students Not related to consistency, replication, or security algorithms, but very implementation-centric Software Architecture Self-Adaptive Systems Collaboration/Coordination Systems Context-aware Systems DS WS 2014 78 / 78

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback