Issues. Separation of. Distributed system security. Security services. Security policies. Security mechanism

Similar documents
Verteilte Systeme (Distributed Systems)

CS 470 Spring Security. Mike Lam, Professor. a.k.a. Why on earth do Alice and Bob need to share so many secrets?!?

CS 470 Spring Security. Mike Lam, Professor. a.k.a. Why on earth do Alice and Bob need to talk so much?!? Content taken from the following:

Security. Alessandro Margara Slides based on previous work by Matteo Migliavacca and Alessandro Sivieri

Distributed Systems Principles and Paradigms

Distributed Systems Principles and Paradigms. Chapter 09: Security

UNIT - IV Cryptographic Hash Function 31.1

Security: Focus of Control. Authentication

Chapter 9: Key Management

Cryptographic Protocols 1

Kurose & Ross, Chapters (5 th ed.)

Security: Focus of Control

CSE 3461/5461: Introduction to Computer Networking and Internet Technologies. Network Security. Presentation L

06/02/ Local & Metropolitan Area Networks. 0. Overview. Terminology ACOE322. Lecture 8 Network Security

CSCI 667: Concepts of Computer Security. Lecture 9. Prof. Adwait Nadkarni

CS 425 / ECE 428 Distributed Systems Fall 2017

Security issues: Encryption algorithms. Threats Methods of attack. Secret-key Public-key Hybrid protocols. CS550: Distributed OS.

Cryptography and Network Security. Prof. D. Mukhopadhyay. Department of Computer Science and Engineering. Indian Institute of Technology, Kharagpur

Elements of Cryptography and Computer and Network Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy

CS Computer Networks 1: Authentication

CS 161 Computer Security

Cryptography & Key Exchange Protocols. Faculty of Computer Science & Engineering HCMC University of Technology

Background. Network Security - Certificates, Keys and Signatures - Digital Signatures. Digital Signatures. Dr. John Keeney 3BA33

Computer Networks. Wenzhong Li. Nanjing University

Cristina Nita-Rotaru. CS355: Cryptography. Lecture 17: X509. PGP. Authentication protocols. Key establishment.

(2½ hours) Total Marks: 75

14. Internet Security (J. Kurose)

Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018

From Coulouris, Dollimore and Kindberg Distributed Systems: Concepts and Design. Edition 4 Pearson Education 2005

Authentication Handshakes

Cryptography III. Public-Key Cryptography Digital Signatures. 2/1/18 Cryptography III

Elements of Cryptography and Computer and Network Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy

ח'/סיון/תשע "א. RSA: getting ready. Public Key Cryptography. Public key cryptography. Public key encryption algorithms

Cryptography CS 555. Topic 16: Key Management and The Need for Public Key Cryptography. CS555 Spring 2012/Topic 16 1

Public-key Cryptography: Theory and Practice

CSC 474/574 Information Systems Security

Cryptographic Checksums

5. Authentication Contents

CSC 774 Network Security

CSC/ECE 774 Advanced Network Security

Key Management and Distribution

Authentication Part IV NOTE: Part IV includes all of Part III!

Security Handshake Pitfalls

Lecture 30. Cryptography. Symmetric Key Cryptography. Key Exchange. Advanced Encryption Standard (AES) DES. Security April 11, 2005

Distributed Systems. 26. Cryptographic Systems: An Introduction. Paul Krzyzanowski. Rutgers University. Fall 2015

Topics. Dramatis Personae Cathy, the Computer, trusted 3 rd party. Cryptographic Protocols

Information Security. message M. fingerprint f = H(M) one-way hash. 4/19/2006 Information Security 1

Diffie-Hellman. Part 1 Cryptography 136

Protocols II. Computer Security Lecture 12. David Aspinall. 17th February School of Informatics University of Edinburgh

L13. Reviews. Rocky K. C. Chang, April 10, 2015

Lecture 9a: Secure Sockets Layer (SSL) March, 2004

CSC 482/582: Computer Security. Security Protocols

Computer Networks 1 (Mạng Máy Tính 1) Lectured by: Dr. Phạm Trần Vũ

Encryption. INST 346, Section 0201 April 3, 2018

Security Handshake Pitfalls

CS3235 Seventh set of lecture slides

Overview. SSL Cryptography Overview CHAPTER 1

EEC-682/782 Computer Networks I

Kerberos and Public-Key Infrastructure. Key Points. Trust model. Goal of Kerberos

Key Management. Digital signatures: classical and public key Classic and Public Key exchange. Handwritten Signature

1.264 Lecture 27. Security protocols Symmetric cryptography. Next class: Anderson chapter 10. Exercise due after class

Lecture 1: Course Introduction

Potential Security Violations CSE 513: Distributed Systems (Security)

Spring 2010: CS419 Computer Security

Module: Cryptographic Protocols. Professor Patrick McDaniel Spring CMPSC443 - Introduction to Computer and Network Security

Cryptography and Network Security Chapter 14

Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls

0/41. Alice Who? Authentication Protocols. Andreas Zeller/Stephan Neuhaus. Lehrstuhl Softwaretechnik Universität des Saarlandes, Saarbrücken

L7: Key Distributions. Hui Chen, Ph.D. Dept. of Engineering & Computer Science Virginia State University Petersburg, VA 23806

Test 2 Review. (b) Give one significant advantage of a nonce over a timestamp.

Network Security CHAPTER 31. Solutions to Review Questions and Exercises. Review Questions

Data Communication Prof.A.Pal Dept of Computer Science & Engineering Indian Institute of Technology, Kharagpur Lecture - 40 Secured Communication - II

What did we talk about last time? Public key cryptography A little number theory

Test 2 Review. 1. (10 points) Timestamps and nonces are both used in security protocols to prevent replay attacks.

key distribution requirements for public key algorithms asymmetric (or public) key algorithms

1. Diffie-Hellman Key Exchange

CIS 6930/4930 Computer and Network Security. Final exam review

Session key establishment protocols

Introduction and Overview. Why CSCI 454/554?

Lecture 2 Applied Cryptography (Part 2)

Session key establishment protocols

Network Security. Chapter 8. MYcsvtu Notes.

KALASALINGAM UNIVERSITY

Information Security CS 526

Chapter 10 : Private-Key Management and the Public-Key Revolution

T Cryptography and Data Security

Data Security and Privacy. Topic 14: Authentication and Key Establishment

Outline. Login w/ Shared Secret: Variant 1. Login With Shared Secret: Variant 2. Login Only Authentication (One Way) Mutual Authentication

Computer Networking. What is network security? Chapter 7: Network security. Symmetric key cryptography. The language of cryptography

Computers and Security

Overview of Authentication Systems

CSCI 454/554 Computer and Network Security. Topic 5.2 Public Key Cryptography

Security Handshake Pitfalls

Security Handshake Pitfalls

EEC-682/782 Computer Networks I

2.1 Basic Cryptography Concepts

Outline. CSCI 454/554 Computer and Network Security. Introduction. Topic 5.2 Public Key Cryptography. 1. Introduction 2. RSA

Outline Key Management CS 239 Computer Security February 9, 2004

Datasäkerhetsmetoder föreläsning 7

ECE 646 Lecture 3. Key management

Transcription:

Module 9 - Security

Issues Separation of Security policies Precise definition of which entities in the system can take what actions Security mechanism Means of enforcing that policy Distributed system security Communication between users or processes that may be on different machines Secure channel (authentication, message integrity, confidentiality) Authorization to ensure that a user or process performs only those actions that is allowed under the security policy Access Control Security services What any distributed system should provide as part of its infrastructure to enable the implementation of different policies. CS454/654 9-2

Basic Concepts Security: attempt to protect the services and data it offers against security threats. Confidentiality: the property of a computer system whereby its information is disclosed only to authorized parties Integrity: the characteristic that alterations to a system s assets can be made only in an authorized way. CS454/654 9-3

Interception Types of Threats An unauthorized party has gained access to a service or data Interruption Services or data become unavailable, unusable, destroyed and so on. Modification Unauthorized changing of data or tampering with a service so that it no longer adheres to its original specifications Fabrication Refers to the situation in which additional data or activity are generated that would normally not exist CS454/654 9-4

Methods of Attack Eavesdropping Obtaining copies of messages without authority Masquerading Sending or receiving messages using the identity of another principal without their authority Message tampering Intercepting messages and altering their contents before passing them on to the intended recipient Man-in-the-middle attack Replaying Storing intercepted messages and sending them out at a later time Denial of service Flooding a communication channel or a system resource with messages in order to deny access for others CS454/654 9-5

Historical context: the evolution of security needs 1965-75 1975-89 1990-99 Current Platforms Multi-user timesharing computers Distributed systems based on local networks The Internet, widearea services The Internet + mobile devices Shared resources Memory, files Local services (e.g. NFS), local networks Email, web sites, Internet commerce Distributed objects, mobile code Security requirements User identification & authentication Protection of services Strong security for commercial transactions Access control for individual objects, secure mobile code Security management environment Single authority, single authorization database (e.g. /etc/ passwd) Single authority, delegation, replicated authorization databases (e.g. NIS) Many authorities, no network-wide authorities Per-activity authorities, groups with shared responsibilities From Coulouris, Dollimore and Kindberg, Distributed Systems: Concepts and Design, 3rd ed. Addison-Wesley Publishers 2000 CS454/654 9-6

Security Mechanisms Encryption transform data into something an attacker cannot understand provides a means to implement confidentiality provides support for integrity Authentication verify the claimed identity of a user, client, server and so on Authorization check whether the client is authorized to perform the action requested Auditing auditing tools are used to trace which clients accessed what, and which way CS454/654 9-7

Security Services - Design Issues Focus of Control Decide the focus of control: data, operations or users Layering of security mechanisms Decide at which level security mechanisms should be placed Simplicity Simplicity will contribute to the trust that end users will put into the application and, more importantly, will contribute to convincing the designers that the system has no security holes. CS454/654 9-8

Focus of Control Three approaches for protection against security threats a) Protection against invalid operations b) Protection against unauthorized invocations c) Protection against unauthorized users From Tanenbaum and van Steen, Distributed Systems: Principles and Paradigms Prentice-Hall, Inc. 2002 CS454/654 9-9

Layering of Security Mechanisms The logical organization of a distributed system into several layers. From Tanenbaum and van Steen, Distributed Systems: Principles and Paradigms Prentice-Hall, Inc. 2002 CS454/654 9-10

Cryptography The three different attacks that we need to protect against, and for which encryption helps. From Tanenbaum and van Steen, Distributed Systems: Principles and Paradigms Prentice-Hall, Inc. 2002 CS454/654 9-11

Cryptography Symmetric cryptosystem The same key is used to encrypt and decrypt a message P = D K (E K (P)) Also referred to as secret-key or shared-key systems Example: DES (Data Encryption Standard) Asymmetric cryptosystem The keys for encryption and decryption are different, but together form a unique pair P = D KD (E KE (P)) One of the keys is kept private the other is made public (which is public and which is private depends on how the keys are used) Also referred to as public-key systems Example: RSA (Rivest, Shamir, and Adleman) CS454/654 9-12

Cryptography (2) Hash functions A hash function takes a message m of arbitrary length as input and produces a bit string h having a fixed length as output h = H(m) Have a number of properties One-way functions: computationally infeasible to find m that corresponds to a known h. Weak collision resistance: given m and h = H(m), it is computationally infeasible to find m m such that H(m) = H(m ) Strong collision resistance: given only H, it is computationally infeasible to find two different input values m and m, such that H(m) = H(m ) Example: MD5 CS454/654 9-13

Secure Channels Secure communication requires authentication of the communicating parties, but also ensuring message integrity and possibly confidentiality as well. A secure channel protects senders and receivers against interception, modification, and fabrication of messages. It does not necessarily protect against interruption. Protecting messages against interception is done by ensuring confidentiality Protecting messages against modification and fabrication is done through protocols for mutual authentication and message integrity. CS454/654 9-14

Authentication Authentication and message integrity cannot do without each other. The combination works as follows: Alice starts by sending a message to Bob to set up a channel Once the channel has been set up, Alice knows for sure that she is talking to Bob, and Bob knows for sure that he is talking to Alice, they can exchange messages To subsequently ensure integrity it is common practice to use secret-key cryptography by means of session keys. Notation Description K A, B Secret key shared by A and B K A Public key of A K A Private key of A From Tanenbaum and van Steen, Distributed Systems: Principles and Paradigms Prentice-Hall, Inc. 2002 CS454/654 9-15

Authentication Authentication based on a shared secret key Also known as challenge-response protocol From Tanenbaum and van Steen, Distributed Systems: Principles and Paradigms Prentice-Hall, Inc. 2002 CS454/654 9-16

A R A K A,B (R A ) K A,B (R A ) A C A R A K A,B (R A ) B R A R A K A,B (R A ) Chuck can impersonate Bob by initiating a second channel with Alice. Requires that Alice is willing to accept channel requests. Can be defeated by including the challenger s name as part of the challenge. CS454/654 9-17

A B R A B R A A K A,B (R A B) K A,B (R A B) A C A Chuck can impersonate Bob by initiating a second channel with Alice. Requires that Alice is willing to accept channel requests. Can be defeated by including the challenger s name as part of the challenge. CS454/654 9-18

Authentication (2) Consider this optimization : Authentication based on a shared secret key, but using three instead of five messages. From Tanenbaum and van Steen, Distributed Systems: Principles and Paradigms Prentice-Hall, Inc. 2002 CS454/654 9-19

The reflection attack. Authentication (3) Tweaking an existing protocol to improve its performance, can easily affect its correctness From Tanenbaum and van Steen, Distributed Systems: Principles and Paradigms Prentice-Hall, Inc. 2002 CS454/654 9-20

Authentication Using a KDC One of the problems with using a shared secret key for authentication is scalability For a system with N hosts: KDC requires N keys instead of N(N-1)/2 From Tanenbaum and van Steen, Distributed Systems: Principles and Paradigms Prentice-Hall, Inc. 2002 CS454/654 9-21

Authentication Using a KDC (2) Using a ticket and letting Alice set up a connection to Bob. ticket From Tanenbaum and van Steen, Distributed Systems: Principles and Paradigms Prentice-Hall, Inc. 2002 CS454/654 9-22

The Needham-Schroeder Authentication Protocol nonce As presented here the algorithm still has a weak point. From Tanenbaum and van Steen, Distributed Systems: Principles and Paradigms Prentice-Hall, Inc. 2002 CS454/654 9-23

The Needham-Schroeder Authentication Protocol nonce The nonce couples message 1 with message 2 and prevents replays of an older message 2. Without a nonce, if Chuck steals one of Bob s old keys (K B,KDC old ) and has intercepted a copy of message 2 that uses the old key. Chuck then waits until Alice tries to set up a channel with Bob, intercepts all of her messages, and replays the old message. Now he can decrypt the ticket to get the session key K A,B and pretend to be As presented here the algorithm still has Bob. a weak point. From Tanenbaum and van Steen, Distributed Systems: Principles and Paradigms Prentice-Hall, Inc. 2002 CS454/654 9-24

The Needham-Schroeder Authentication Protocol nonce Message 2 must also contain B. Without B, Chuck can masquerade as Bob by replacing A,B in message 1 with A,C, and then intercept all messages from Alice to Bob. Chunk will have the necessary keys to respond to the challenges from Alice, and Alice will think she is communicating with Bob. As presented here the algorithm still has a weak point. From Tanenbaum and van Steen, Distributed Systems: Principles and Paradigms Prentice-Hall, Inc. 2002 CS454/654 9-25

The Needham-Schroeder Authentication Protocol nonce If Chuck ever gets a hold of an old key K A,B old he can replay an old copy of message 3 and masquerade as Alice. From Tanenbaum and van Steen, Distributed Systems: Principles and Paradigms Prentice-Hall, Inc. 2002 CS454/654 9-26

The Needham-Schroeder Authentication Protocol Protection against malicious reuse of a previously generated session key. From Tanenbaum and van Steen, Distributed Systems: Principles and Paradigms Prentice-Hall, Inc. 2002 CS454/654 9-27

The Needham-Schroeder Authentication Protocol The extra nonce from Bob to Alice ensures that it is Alice that is sending the ticket, and that Bob can determine the age of the ticket. Protection against malicious reuse of a previously generated session key. From Tanenbaum and van Steen, Distributed Systems: Principles and Paradigms Prentice-Hall, Inc. 2002 CS454/654 9-28

Authentication Using Public-Key Cryptography From Tanenbaum and van Steen, Distributed Systems: Principles and Paradigms Prentice-Hall, Inc. 2002 CS454/654 9-29

Message Integrity and Confidentiality Besides authentication, a secure channel should also provide guarantees for message integrity and confidentiality Confidentiality is easily established by simply encrypting a message before sending it. Protecting a message against modifications is somewhat more complicated Digital Signatures: Digitally sign a message in such a way that the signature is uniquely tied to its content Several ways to place digital signatures: Use a public-key cryptosystem such as RSA Use a message digest CS454/654 9-30

Digital Signatures Digital signing a message using public-key cryptography. Problems with this scheme: the validity of the signature holds only as long as the private key remains secret what if Alice decides to change her private key encryption of the entire message may be costly in terms of processing requirements and is actually unnecessary From Tanenbaum and van Steen, Distributed Systems: Principles and Paradigms Prentice-Hall, Inc. 2002 CS454/654 9-31

Digital Signatures Digitally signing a message using a message digest. From Tanenbaum and van Steen, Distributed Systems: Principles and Paradigms Prentice-Hall, Inc. 2002 CS454/654 9-32

Session Keys During the establishment of a secure channel, after the authentication phase has completed, the communicating parties generally use a unique shared session key for confidentiality. The session key is safely discarded when the channel is no longer used. Why not using the same keys for confidentiality as those that are used for setting up the secure channel? Cryptographic keys are subject to wear and tear just like ordinary keys. Protection against replay attacks If a key is compromised, only a single session is affected The combination of a long-lasting keys with the much cheaper and more temporary session keys is often a good choice for implementing secure channels for exchanging data CS454/654 9-33

Access Control In the client-server model, once a client and a server have set up a secure channel, the client can issue requests that are to be carried out by the server. A request involve carrying out operations on resources that are controlled by the server. Such a request can be carried out only if the client has sufficient access rights for that request. Verifying access rights is referred to as access control, whereas authorization is about granting access rights. CS454/654 9-34

General Issues in Access Control General model of controlling access to objects. Controlling the access to an object is all about protecting the object against invocations by subjects that are not allowed to have specific methods carried out Also, protection may include object management issues From Tanenbaum and van Steen, Distributed Systems: Principles and Paradigms Prentice-Hall, Inc. 2002 CS454/654 9-35

Access Control Matrix A common approach to modeling the access rights of subjects with respect to objects, is to construct an access control matrix M[s,o]={m 1,m 2, } Access Control List: The matrix is distributed column-wise Capabilities: The matrix is distributed row-wise Using an ACL Using capabilities From Tanenbaum and van Steen, Distributed Systems: Principles and Paradigms Prentice-Hall, Inc. 2002 CS454/654 9-36

Protection Domains ACLs and capabilities help in efficiently implementing an access control matrix by ignoring all empty entries. An ACL or a capability list can still become quite large if no further measures are taken. One general way of reducing ACLs is to make use of protection domains. A protection domain is a set of (object, access rights) pairs. Each pair specifies for a given object exactly which operations are allowed to be carried out. Requests for carrying out an operation are always issued within a domain. CS454/654 9-37

Protection Domains The hierarchical organization of protection domains as groups of users. Advantage: managing group membership is relatively easy Disadvantage: looking up a member can be quite costly if the membership database is distributed. From Tanenbaum and van Steen, Distributed Systems: Principles and Paradigms Prentice-Hall, Inc. 2002 CS454/654 9-38

Role-Based Access Control Related to having groups as protection domains, it is also possible to implement protection domains as roles. In role-based access control, a user always logs into the system with a specific role, which is often associated with a function the user has in an organization. A user may have several functions. Depending on the role the user takes when logging in, he may be assigned different privileges (i.e. his role determines the protection domain in which he will operate). CS454/654 9-39

Firewalls When outsiders are allowed to access the resources controlled by a DS: protection using cryptographic techniques and access control matrix is not enough. External access to any part of a DS is controlled by a special kind of reference monitor known as a firewall. A firewall disconnects any part of a DS from the outside world. All outgoing, but especially all incoming packets are routed through a special computer and inspected before they are passed. Unauthorized traffic is discarded and not allowed to continue. CS454/654 9-40

Firewalls Firewalls come in two different flavors that are often combined: packet-filtering gateway application-level gateway From Tanenbaum and van Steen, Distributed Systems: Principles and Paradigms Prentice-Hall, Inc. 2002 CS454/654 9-41

Security Management Key Management Secure Group Management Authorization Management CS454/654 9-42

Key Management So far, we have described various cryptographic protocols in which we implicitly assumed that various keys were readily available. For example, in the case of public-key cryptosystems, we assumed that a sender of a message had the public key of the receiver at its disposal so that it could encrypt the message to ensure confidentiality. However, establishing and distributing keys is not a trivial matter. Also, mechanisms are needed to revoke keys, that is, prevent a key from being used after it has been compromised or invalidated. CS454/654 9-43

Key Establishment How session keys can be established? Easy, if using public-key or shared-key to establish a secure channel The method requires that the communicating parties already have the means available to establish a secure channel. In other words, some form of key establishment and distribution must already have taken place. The same applies when a shared secret key is established by means of a trusted third party, such as a KDC. An elegant and widely applied scheme for establishing a shared key across an insecure channel, is the Diffie-Hellman key exchange (1976). CS454/654 9-44

Diffie-Hellman Key Exchange Diffie-Hellman can be viewed as a public-key cryptosystem. In the case of Alice, x is her private key, where as g x mod n is her public key Securely distributing the public key is essential to making Diffie-Hellman work in practice From Tanenbaum and van Steen, Distributed Systems: Principles and Paradigms Prentice-Hall, Inc. 2002 CS454/654 9-45

Key Distribution In a symmetric cryptosystem, the initial shared secret key must be communicated along a secure channel that provides authentication as well as confidentiality. If there are no keys available to Alice and Bob to set up such a secure channel, it is necessary to distribute the key out-of-band. From Tanenbaum and van Steen, Distributed Systems: Principles and Paradigms CS454/654 Prentice-Hall, Inc. 2002 9-46

Key Distribution In the case of a public-key cryptosystem, we need to distribute the public key in such a way the the receivers can be sure that the key is indeed paired to a claimed private key. From Tanenbaum and van Steen, Distributed Systems: Principles and Paradigms CS454/654 Prentice-Hall, Inc. 2002 9-47

Public-Key Certificates In practice, public-key distribution takes place by means of public-key certificates. Public-key certificate consists of: a public key an entity certification authority signature of the certification authority Signing takes place by means of a private key K - CA that belongs to the certification authority. The corresponding public key K + CA is assumed to be well known (e.g. the public keys of various certification authorities are built into most Web browsers and shipped with the binaries) CS454/654 9-48

Public-Key Certificates The client must assume that the public key K + CA indeed belongs to the associated certification authority. It should be possible to verify the validity of K + CA through another certificate coming from a different, possibly more trusted certification authority. Such hierarchical trust models in which the highest-level certification authority must be trusted by everyone, are not uncommon. Example: Privacy Enhanced Mail (PEM) uses a three-level trust model in which lowest-level certification authorities can be authenticated by Policy Certification Authorities (PCA), which in turn can be authenticated by the Internet Policy Registration Authority (IPRA). CS454/654 9-49

Lifetime of Certificates We need a mechanism to revoke the certificate by making it publicly known that the certificate is no longer valid. One common approach is with a Certificate Revocation List (CRL) published regularly by the certification authority. An alternative approach is to restrict the lifetime of a certificate (analogous to handing out leases). A final extreme case is to reduce the lifetime of a certificate to nearly zero. Practice indicates that client applications hardly ever consult CRLs and simply assume a certificate to be valid until it expires. When it comes to Internet security in practice, there is still much room for improvement. CS454/654 9-50

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback