Verteilte Systeme (Distributed Systems) Lorenz Froihofer l.froihofer@infosys.tuwien.ac.at http://www.infosys.tuwien.ac.at/teaching/courses/ VerteilteSysteme/
Security Threats, mechanisms, design issues Cryptographic foundations Secure channels: authentication, integrity, confidentiality Key management and certificates Access control
Need for security Information is becoming a commodity its purchase and sale is central to the free enterprise system: e-banking e-commerce, online auctions e-government e-* Protection mechanisms are like putting a lock on the door of a merchant's warehouse 3
Security definition CIA properties: Confidentiality: information only disclosed to authorized parties. Integrity: modifications only possible by authorized entities. Availability: resource accessible whenever an authorized party needs access to it. 4
Security threats Interception Unauthorized party gained access to service or data: e.g., overhearing of communication between two parties or copying of data. Interruption Services become unavailable or unusable: e.g., Denial-of-Service (DoS) attacks where a service is made inaccessible to authorized parties through service or network overload. 5
Security threats Modification Unauthorized changing of data or service: e.g., in combination with interception a network message is modified before it is transmitted to the recipient. Fabrication Additional data or activity are generated that would normally not exist: e.g., adding an additional password entry in the password database. 6
Possible attacks Eavesdropping Masquerading (spoofing) Message tampering Replaying Infiltration Traffic analysis Denial of service Social engineering Man in the middle Client Server Fake client Fake server We need security mechanisms to prevent these attacks! 7
Security mechanisms Encryption Transform code or data into something an attacker cannot understand. Support for confidentiality and integrity Authentication Verify the claimed identity of an entity (user, client, server, etc.) Who is accessing an entity? Prerequisite for authorization. 8
Security mechanisms Authorization Specification of whether a certain entity is authorized to perform a specific action: e.g., library users can only query database entries while the library staff has the right to introduce new books etc. Who is allowed to access a specific entity? Auditing Trace which clients accessed what and in which way, e.g., by means of log files. But: Be careful! Attackers will try to hide their traces or try not to leave traces at all! 9
Focus of protection a) Protection against invalid operations, e.g., data integrity constraints. b) Protection against unauthorized invocations, e.g., permissions based on object methods. c) Protection against unauthorized users, e.g., based on user roles. 10
Layering of security mechanisms The logical organization of a distributed system into several layers. At which layer should we introduce security? 11
Layering of security mechanisms Alice Chuck Internet Decryption device Bob Several sites connected through a wide-area backbone service. 12
It s a matter of trust! Encrypt communication through Secure Sockets Layer (SSL) Trust in SSL implementation required. If using secure RMI Trust in RMI implementation required. If RMI uses SSL Trust in RMI+SSL req. Information must not be intercepted before being encrypted Trust in operating system required. In any way: Trust required in client and server application to do what they promise! 13
Security Threats, mechanisms, design issues Cryptographic foundations Secure channels: authentication, integrity, confidentiality Key management and certificates Access control
Cryptography (One) definition of cryptography Mathematical techniques related to aspects of information security such as Confidentiality Keep content of information from all but authorized entities. Integrity Protect information from unauthorized alteration. Authentication Identification of data or communicating entities. Non-repudiation Prevent entity from denying previous commitments or actions. 15
Cryptography Figure 9-6. Intruders and eavesdroppers in communication. Tanenbaum & Van Steen, Distributed Systems: Principles and Paradigms, 2e, (c) 2007 Prentice-Hall, Inc. All rights reserved. 0-13-239227-5 16
Symmetric cryptography Only one key, called secret or shared key Both sender and receiver must have the key Normally used for session bulk encryption Examples: DES, Triple-DES, AES (Rijndael) plaintext Alice (sender) K A,B Encryption algorithm ciphertext K A,B Decryption algorithm plaintext Bob (receiver) 17
Public-key cryptography (Asymmetric cryptography) Each principal has public and private keys Public key of recipient is used by sender for encryption Recipient uses private key to decrypt public private plaintext Alice (sender) K pub Encryption algorithm ciphertext K priv Decryption algorithm plaintext Bob (receiver) 18
Public-Key Cryptosystems: RSA 1978 by Rivest, Shamir and Adleman Based on the prime factoring problem: no efficient methods known to find the prime factors of large numbers. p, q large primes private d exponent private modulus n=pq public e exponent public Encryption Decryption M e mod n = C C d mod n = M ed mod n = M 19
How fast is encryption? In hardware, RSA is about 1000 times slower than DES. In software, RSA is about 100 times slower than DES. Whenever safe, try to use secret key! 20
Cryptographical notation Figure 9-7. Notation used in Chapter 9. Tanenbaum & Van Steen, Distributed Systems: Principles and Paradigms, 2e, (c) 2007 Prentice-Hall, Inc. All rights reserved. 0-13-239227-5 21
Security Threats, mechanisms, design issues Cryptographic foundations Secure channels: authentication, integrity, confidentiality Key management and certificates Access control
Possible attacks revisited Eavesdropping Masquerading (spoofing) Message tampering Replaying Infiltration Traffic analysis Denial of service Social engineering Man in the middle Client Server Fake client Fake server We need a secure channel where we are not affected by these attacks! 23
Secure channels Secure channels can be implemented by encryption Encrypt the communication so that it cannot be read by eavesdroppers. Two classes of encryption techniques Secret-key encryption Public-key encryption 24
Message authentication and integrity Message authentication: who sent the message? Alice Bob: I want to buy 10 widgets. Bob Alice: Here are your 10 widgets. Alice Bob: I did not order widgets! Who sent the order message? Message integrity: messages are only modified by authorized parties. Alice Bob: I want to buy 10 widgets. Bob Alice: Here are your 100 widgets. Alice Bob: I ordered 10! Bob Alice: I received an order for 100! Who has modified the message? We want to be sure about the identity of the sender and that the message has not been modified! 25
Mutual public key authentication Figure 9-19. Mutual authentication in a public-key cryptosystem. 26
Authentication Based on a Shared Secret Key (1) Figure 9-12. Authentication based on a shared secret key. Challenge-response protocol Tanenbaum & Van Steen, Distributed Systems: Principles and Paradigms, 2e, (c) 2007 Prentice-Hall, Inc. All rights reserved. 0-13-239227-5 27
Authentication Based on a Shared Secret Key (2) Security problem! Figure 9-13. Authentication based on a shared secret key, but using three instead of five messages. Tanenbaum & Van Steen, Distributed Systems: Principles and Paradigms, 2e, (c) 2007 Prentice-Hall, Inc. All rights reserved. 0-13-239227-5 28
Authentication Based on a Shared Secret Key (3) Figure 9-14. The reflection attack. Tanenbaum & Van Steen, Distributed Systems: Principles and Paradigms, 2e, (c) 2007 Prentice-Hall, Inc. All rights reserved. 0-13-239227-5 29
Authentication achieved, but key management quite complex! N-1 keys per host N*(N-1)/2 keys in total 30
Security Threats, mechanisms, design issues Cryptographic foundations Secure channels: authentication, integrity, confidentiality Key management and certificates Access control
Key Distribution Centre (KDC) KDC Reduction from N*(N-1)/2 keys to N keys. 32
Authentication Using a Key Distribution Center (1) Figure 9-15. The principle of using a KDC. Tanenbaum & Van Steen, Distributed Systems: Principles and Paradigms, 2e, (c) 2007 Prentice-Hall, Inc. All rights reserved. 0-13-239227-5 33
Authentication Using a Key Distribution Center (2) Figure 9-16. Using a ticket and letting Alice set up a connection to Bob. Tanenbaum & Van Steen, Distributed Systems: Principles and Paradigms, 2e, (c) 2007 Prentice-Hall, Inc. All rights reserved. 0-13-239227-5 34
Authentication with Kerberos Kerberos server AS TGS Client TGS ticket Authentication Service Service ticket Ticket Granting Service Server Login session Service Service function First deployed at MIT, Sept. 1986. 35
Message authentication and integrity Message authentication: who sent the message? Alice Bob: I want to buy 10 widgets. Bob Alice: Here are your 10 widgets. Alice Bob: I did not order widgets! Who sent the order message? Message integrity: messages are only modified by authorized parties. Alice Bob: I want to buy 10 widgets. Bob Alice: Here are your 100 widgets. Alice Bob: I ordered 10! Bob Alice: I received an order for 100! Who has modified the message? We want to be sure about the identity of the sender and that the message has not been modified! 36
Digital signatures (1) Figure 9-20. Digital signing a message using public-key cryptography. Problem solved, but not efficient! Tanenbaum & Van Steen, Distributed Systems: Principles and Paradigms, 2e, (c) 2007 Prentice-Hall, Inc. All rights reserved. 0-13-239227-5 37
Hash Functions A hash function takes a message m and produces a fixed-length message digest, known as hash (bit string) h h=h(m); Hash functions are one-way functions It is computationally infeasible to find the input m that corresponds to a known output h. Weak collision resistance: for a given x, it is hard to find a y!= x such that H(x) = H(y). Strong collision resistance: it is hard to find any x and y such that H(x) = H(y). Example hash function: MD5 128bits E.g., UNIX command md5sum Tanenbaum & Van Steen, Distributed Systems: Principles and Paradigms, 2e, (c) 2007 Prentice-Hall, Inc. All rights reserved. 0-13-239227-5 38
Digital signatures (2) Figure 9-21. Digitally signing a message using a message digest. Tanenbaum & Van Steen, Distributed Systems: Principles and Paradigms, 2e, (c) 2007 Prentice-Hall, Inc. All rights reserved. 0-13-239227-5 39
Public key cryptography Ensures: Message authentication and integrity. Can provide: Message confidentiality through encryption Limitations: Who guarantees the binding (key, owner)? Public key cryptography is much slower than shared key cryptography. The more often a key is used, the easier it becomes to reveal it. 40
Session keys After authentication phase, participants often share a unique session key for confidentiality. Benefits: Session keys only used for single session limits amount of data gathered for compromising key. Worst case: if session key is compromised, only a single session is affected if private key was compromised, old sessions would become readable. Protection against replay attacks key expires after session. 41
Digital signature and certification authority (CA) CA Step 0: Submit A s public key (done once, earlier) Step 4: A s public key Step 3: Request A s public key A Step 2: Send the signed message B Step 1: Generate signature (sign a message with a TS) Step 5: Verify signature Certificate: public key together with data about its owner digitally signed by certificate authority, e.g., VeriSign, Thawte, A-Trust 42
Lifetime of certificates Lifelong certificates would be nice, but: If private key is compromised, certificate has to be revoked. Ways to revoke certificates: Certificate Revocation List (CRL) published regularly by CA. Issue certificates with limited lifetime only (certificate invalid after expiration time) extreme case: reduce lifetime to nearly zero. In practise: Certificates are issued with limited lifetime allows removing expired certificates from CRL. Clients hardly ever consult CRL! However, some software installers (new software and updates) automatically check CRL. 43
Key distribution (1) Figure 9-34. (a) Secret-key distribution. [see also Menezes et al. (1996)]. Tanenbaum & Van Steen, Distributed Systems: Principles and Paradigms, 2e, (c) 2007 Prentice-Hall, Inc. All rights reserved. 0-13-239227-5 44
Key distribution (2) Figure 9-34. (b) Public-key distribution [see also Menezes et al. (1996)]. Tanenbaum & Van Steen, Distributed Systems: Principles and Paradigms, 2e, (c) 2007 Prentice-Hall, Inc. All rights reserved. 0-13-239227-5 45
Security Threats, mechanisms, design issues Cryptographic foundations Secure channels: authentication, integrity, confidentiality Key management and certificates Access control
Access Control A request from a client generally involves invoking a method of a specified object Operation is carried out if access rights are sufficient Formally verifying access rights is referred to as access control Authorization is about granting access rights 47
General access control model General model of controlling access to objects. 48
Access Control Matrix Common approach to modeling access rights. Subjects represented by row, objects by columns. Cell lists operations a specific subject request on the respective object. The matrix is distributed column-wise across all objects, empty entries are left out This type of implementation is called an Access Control List (ACL) Another approach is to distribute the matrix row-wise Each subject receives a list of capabilities for each object Capability is comparable to a ticket 49
Protection Domains One general way of reducing ACLs A set of (object, access rights) pairs When a request comes, reference monitor checks domain One approach is to construct groups of users One can also make use of certificates to prove to which group one belongs to. Similar to groups: role-based access control E.g., a function within the organization. Depending on the role one takes when logging in, different permissions may be assigned. 50
Firewalls Figure 9-28. A common implementation of a firewall. Tanenbaum & Van Steen, Distributed Systems: Principles and Paradigms, 2e, (c) 2007 Prentice-Hall, Inc. All rights reserved. 0-13-239227-5 51
Filtering routers Specify the filtering that is used Each rules specifies action (allow, deny) source address/port pattern destination address/port pattern presence or absence of flags When a packet is received the rules are applied in an ordered sequence if a rule matches the corresponding action is taken if no rule matches, a default action is taken 52
Application-level gateway Inspection of the content of incoming/outgoing messages. Interpretation and actions based on application semantics. Mail example: Drop attachments that potentially contain a virus. Web example: Filter out scripts or applets to prevent execution behind the firewall. 53
Further courses on security Internet Security VU, Summer Semester TCP/IP security (spoofing, hijacking, sequence number guessing, denial-of-service attacks) Web security (e.g., SQL Injections) Network discovery/vulnerability scanning: techniques and tools (portscans, ping sweeps) Operating system security and vulnerabilities Advanced Internet Security (optional), Winter Semester Practical programming assignments where you break applications Stack/Heap overflows Viruses Application cracking UNIX/Windows vulnerabilities See http://www.iseclab.org/ 54
Summary Demand for security (unfortunately) obvious: e- banking, e-government, online auctions, etc. Security services are necessary to protect communications and transactions in open networks Security can be provided by secure channels and authorization services Authorization requires authentication and access control Encryption is used for secure communication Public key and secret key cryptography can be used for authentication (e.g. digital signatures) Distribution of encryption keys must be managed by a trusted third party or out-of-band communication. 55