## Security


**Security**

Introduction to Distributed Systems

Preliminary Version, Not Final

**Security Threats, Policies, and Mechanisms**

- Can a secure system be undependable? Can a dependable system be insecure?
- Confidentiality, integrity?
- Types of security threats to consider?
  - Interception
  - Interruption
  - Modification
  - Fabrication
- What is the difference between security policy and security mechanism?
  - Change passwords every month?
- Important mechanisms:
  - Encryption
  - Authentication
  - Authorization
  - Auditing

**The Globus Security Policy**

- The environment consists of multiple administrative domains.
- Local operations are subject to a local domain security policy only.
- Global operations require the initiator to be known in each domain where the operation is carried out.
- Global authentication replaces local authentication.
- Operations between entities in different domains require mutual authentication.
- Controlling access to resources is subject to local security only.
- Users can delegate rights to processes.
- A group of processes in the same domain can share credentials.

**Proxies**

- Globus focuses on cross-domain.
- In another domain, it is necessary to have some representative.
- User proxies: Process that acts on behalf of an agent.
- Resource proxies: Process that translates global operations into local operations. User proxies talk to resource proxies.

**Design Issues**

- Focus of Control (where do you put your perimeter).
- Layering (where do you put your security layer).

**Focus of Control**

- Protection against invalid operations, protection against unauthorized invocations, protection against unauthorized users.

**Layering of Security Mechanisms**

- Where do you put your security?
- This depends on trust.
- Suppose you are calling your mom? Would you be happy if someone was listening in? Who are you trusting?
- Do you encrypt your e-mail? Who are you trusting?
- Suppose you were sending an e-mail that was a matter of life or death.

**Layering of Security Mechanisms**

- Several sites connected through a wide-area backbone service.
- Alice wants to send a message to Bob at a different site.
- Does she trust the system admins? If not, what does she do?
- May trust sysadmins, but the site does not trust the backbone.

**Trust**

- Implicit in many security systems is the notion of trust, and trust chaining.
- Suppose you meet a stranger A, and A asks to borrow money. Do you loan it to him?
  - Suppose B says A is trustworthy?
  - Suppose C says B is trustworthy?
  - Suppose you trust C?
- Ultimately, you have to trust someone. A trusted computer system can be built by using similar kinds of chaining mechanisms. But you want to keep the trust base as small as possible.

**Developing a TCB**

**Cryptography Terminology**

- $C = E_K(P)$, $P = D_K(C)$
- Three different kinds of attacks: intercept, modify, insert.
- Are there situations where just knowing there are messages tells you something?

**Symmetric vs. Asymmetric**

- Symmetric (secret key, shared key): Same key is used both to encrypt and decrypt.
  - $P = D_K(E_K(P))$
  - $K_{A,B}$ means a key shared by A and B.
- Asymmetric (public-key): Different key is used to encrypt and decrypt.
  - $P = D_{K_D}(E_{K_E}(P))$
  - Notation: $K_A^+$ is public key of A and $K_A^-$ is private key of A.
- How do I send something using secret-key? Private-key?
- Which is better?

**Hash Functions (Message Digests)**

- Hash function takes any length message and produces a fixed-length bit string:
  - $h = H(m)$
- What are these used for?
  - Fingerprinting: Make sure two messages are identical.
  - Alice sends Bob a plaintext document over a high-bandwidth insecure channel. She does not care if others read it, but she does want to make sure that no one modifies it. She also has a low-bandwidth secure channel she could use (phone call).
  - How can she use a hash function?
- What properties are desirable?
  - One-way functions
  - Weak collision resistance
    - Cannot find another message with the same hash.
  - Strong collision resistance
    - Cannot find any two messages that collide.
- What is the difference between hash functions and CRCs/checksums?

**Symmetric: DES**

- A fast, very common symmetric key cipher.
- Uses 56-bit keys.
- Somewhat out-of-date, though.
- Operates on 64-bit blocks of data.

**Each block is transformed in 16 rounds.**

- Each round uses a different 48-bit key.
- Each of the 16 keys derived from a 56-bit master key.
- Initial permutation is used, which is then inverted at the end.

**In each round, the block is split in half.**

- Right part is left part in next round.
- Left part is XORed with a mangling of the right part plus the key.

**Used for next round**

- Each 48-bit key is derived from the 56-bit key.
- First permuted, then divided into halves.
- For each round, each half is rotated one or two bits to the left or right.
- Then 24 bits are extracted.
- Two halves are added back together.

**Does this look suitable for a hardware implementation?**

**DES is fast.**

- It is somewhat old, though, and is being replaced.
- How would you try to easily improve the security of DES, without designing a whole new algorithm?
- Triple DES, using encrypt-decrypt-encrypt, using three keys.

**Public-Key Cryptosystems: RSA**

- Generating the private and public keys requires four steps:
  - Choose two very large prime numbers, p and q.
  - Compute n = p × q and z = (p − 1) × (q − 1).
  - Choose a number d that is relatively prime to z.
  - Compute the number e such that e × d = 1 mod z.
- To encrypt a message, divide into blocks such that m < n.
- Encrypt: $c = m^e \bmod n$.
- Decrypt: $m = c^d \bmod n$.
- RSA is about 100-1000 times slower.
- Depends on the fact that it is very hard to factor numbers.

**Example:**

- Key generation:
  - Choose p = 61, and q = 53.
  - n = 61 × 53 = 3233, z = 60 × 52 = 3120
  - Choose d = 17 (relatively prime)
  - Compute e such that e × d = 1 mod z, choose e = 2753.
  - Let public key be (17, 3233), and private key be (2753, 3233).
- Encryption:
  - Divide message into blocks, such that each block as a number is less than 3233. We use 11 bits.
  - Message is: “Hello”
  - In binary, that is 0x48, 0x65, 0x6C, 0x6C, 0x6F.

**Hash Functions: MD5**

- Produces a constant-length hash of 128 bits.
- Message needs to be a multiple of 512.
- Pad to 448, add the length as a 64-bit integer.
- Start with some 128-bit value. For each block, do a computation on the current hash, plus the next 512 bit block. This is called a phase.

Each phase consists of four rounds. Each round uses a function which operates on three 32-bit values, and is one of:

- F(x, y, z) = (x AND y) OR ((NOT x) AND z)
- G(x, y, z) = (x AND z) OR (y AND (NOT z))
- H(x, y, z) = x XOR y XOR z
- I(x, y, z) = y XOR (x OR (NOT z))

The current 128-bit hash value is broken up into p, q, r, s. The current 512-bit block is broken up into 16 32-bit blocks, named $b_0$, $b_1$, etc.

**Hash Functions: MD5**

- These are the 16 iterations for first round.
- Round two uses G; H and I are used in the third and fourth rounds.
- So, one phase per block, each phase is four rounds, using F, G, H, and I respectively, and each round is 16 iterations.

**Secure Channels**

**Authentication and Authorization**

- How to make communications secure?
- Are you who you say you are?
- How to find out whether or not you are authorized to do what you want to do?

**Authentication**

- Can you have authentication without message integrity?
  - I know that Bob sent the message, but someone may have tampered with it.
    - Suppose your mom sends you a message. You are sure it is your mom, because you have authentication, but you do not have message integrity, so someone might have modified it.
    - The message says: “When are you getting married?” Does this do you much good?
  - I know that no one tampered with it, but I don’t know whether or not it was really Bob that sent it.
    - Suppose you get a message, “Why haven’t you called me recently?” You are positive that the message has not been tampered with, because you have integrity. It seems to be from your mom, but you don’t have authentication, so it could actually be one of your friends playing a joke on you.
- What about authentication and integrity without encryption? Is this useful?

**Shared Secret Key Authentication**

- Suppose Alice and Bob share a secret key. How can they set up a secure channel over an insecure medium?

**Alice sends her identity to Bob.**

- Bob sends a challenge (random number?).
- Alice must encrypt and return.
- Alice then sends a challenge to Bob.
- Bob must encrypt and return.

**An Optimization**

- Authentication based on a shared secret key, but using three instead of five messages.

**Chuck…er…Alice**? Attack Attempt

- Chuck tries to pretend to be Alice.
- He sends the initial message to Bob.
- Bob responds with the encrypted challenge, but then his own challenge.
- Chuck cannot properly respond to the challenge because he doesn’t have the key.

**Reflection Attack**

- Moral, never encrypt anything without knowing who you are encrypting it for.
- Designing secure algorithms is hard.
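
The three-message optimization and the reflection weakness above, as an added example that is not part of the original slides: a responder that answers any challenge with the shared key accepts its own reflected answer, while one that binds role and identity into each answer does not. HMAC-SHA256 stands in for the slides' "encrypt the challenge", and the class, function and role-label names are assumptions of this sketch.

```python
import hashlib
import hmac
import secrets

KEY_AB = secrets.token_bytes(32)  # constructed key, shared by Alice and Bob only

def answer(key, challenge, role=b""):
    # HMAC replaces "encrypt the challenge" from the slides (assumption).
    return hmac.new(key, role + challenge, hashlib.sha256).digest()

class Bob:
    def __init__(self, key, bind_roles):
        self.key, self.bind_roles = key, bind_roles
        self.pending = {}  # session id -> challenge Bob issued in that session

    def msg1(self, sid, claimed_id, r_peer):
        """Message 1 in: identity and R_A. Message 2 out: R_B and K(R_A)."""
        r_b = secrets.token_bytes(16)
        self.pending[sid] = r_b
        role = b"responder:Bob|" if self.bind_roles else b""
        return r_b, answer(self.key, r_peer, role)

    def msg3(self, sid, proof):
        """Message 3 in: K(R_B). True means Bob accepts the peer as Alice."""
        r_b = self.pending.pop(sid)
        role = b"initiator:Alice|" if self.bind_roles else b""
        return hmac.compare_digest(proof, answer(self.key, r_b, role))

def reflection_accepted(bob):
    """A peer without the key feeds Bob's challenge back in a second session."""
    r_b, _ = bob.msg1(1, "Alice", secrets.token_bytes(16))
    _, reflected = bob.msg1(2, "Alice", r_b)  # Bob answers his own challenge
    return bob.msg3(1, reflected)

def honest_run(bob, key, bind_roles):
    """Alice with the real key: checks Bob's answer, then answers his challenge."""
    r_a = secrets.token_bytes(16)
    r_b, proof = bob.msg1(1, "Alice", r_a)
    role_b = b"responder:Bob|" if bind_roles else b""
    role_a = b"initiator:Alice|" if bind_roles else b""
    bob_ok = hmac.compare_digest(proof, answer(key, r_a, role_b))
    return bob_ok and bob.msg3(1, answer(key, r_b, role_a))
```

With `bind_roles=True` the answer Bob gives as responder is computed over different input than the answer he expects from an initiator, which is the slide's moral in code: every keyed answer states who it is for.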
**Key Distribution Centers**

- If there are N parties using shared secret keys, how many keys are needed?
- Alternative is to use a KDC. It has a shared key with every host.
- Does the KDC need to be trusted?

**Key Distribution Centers**

- Disadvantage is that Bob has to get into the loop first.
- Solutions?

**Tickets**

- Using a ticket and letting Alice set up a connection to Bob.
- Can Bob trust Alice?

**Authentication Using Public Key Cryptography**

- What could happen if $K_B^+$ (public key) is fake?
- How can we assure that it is not?
- Is there some way to digitally “sign” a piece of information?

**Message Integrity**

- Suppose you are conducting a transaction through e-mail, and Alice promises to buy your video game collection for $500.
  - Say you send Alice your collection, and she sends you a $300 check. You are being ripped off. How can you prove that she agreed to $500?
  - Say that you try to get back at her, and claim that she actually offered $700. How can she prove that she only offered $500?
- Two things need to be taken care of:
  - You can’t claim that she actually offered $700.
  - She can’t deny sending the offer.

**Digital Signatures**

- How can you verify that a document is real?
  - What do we use in the real world?
  - What if we really need to be certain?
- What if it were encrypted with the private key of the sender?
  - You could decrypt it with A’s public key. If it decrypted properly, then A must have encrypted it.

**Digital Signatures**

- Signing by encrypting the whole message.
- Can Alice claim her key was stolen?

**Optimization**

- Encrypting with PKC is slow. Can we leverage hashes somehow?
- Compute hash of the message (message digest). Encrypt the hash.
- This is known as a digital signature.

**Digital Signatures**

- Signing just the hash.
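
An added example, not part of the original slides, that carries the slides' toy RSA key through both uses: encrypting "Hello" in 11-bit blocks as in the RSA example, and signing only a hash of the $500 offer as on the Optimization slide. The zero-padded block packing, the SHA-256 digest reduced mod n, and the offer text are assumptions of this sketch; a 3233 modulus is for illustration only.

```python
import hashlib

# Toy key pair from the slides' RSA example (p = 61, q = 53).
N = 3233
PUBLIC_EXP = 17      # public key  (17, 3233)
PRIVATE_EXP = 2753   # private key (2753, 3233)
BLOCK_BITS = 11      # 2**11 = 2048 < 3233, so every block is a valid m < n

def to_blocks(data: bytes) -> list:
    """Split the message into 11-bit numbers (left-padded with zero bits)."""
    value = int.from_bytes(data, "big")
    count = -(-len(data) * 8 // BLOCK_BITS)  # ceiling division
    mask = (1 << BLOCK_BITS) - 1
    return [(value >> (BLOCK_BITS * i)) & mask for i in reversed(range(count))]

def from_blocks(blocks: list, length: int) -> bytes:
    value = 0
    for block in blocks:
        value = (value << BLOCK_BITS) | block
    return value.to_bytes(length, "big")

def encrypt(blocks: list) -> list:
    return [pow(m, PUBLIC_EXP, N) for m in blocks]

def decrypt(blocks: list) -> list:
    return [pow(c, PRIVATE_EXP, N) for c in blocks]

def digest(message: bytes) -> int:
    """SHA-256 squeezed into one toy block; a real scheme signs the full digest."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N

def sign(message: bytes) -> int:
    """One private-key operation on the digest instead of one per message block."""
    return pow(digest(message), PRIVATE_EXP, N)

def verify(message: bytes, signature: int) -> bool:
    """Anyone holding the public key can recompute the digest and compare."""
    return pow(signature, PUBLIC_EXP, N) == digest(message)

if __name__ == "__main__":
    blocks = to_blocks(b"Hello")
    print(blocks, encrypt(blocks), from_blocks(decrypt(encrypt(blocks)), 5))
    offer = b"Alice offers $500 for the collection"  # constructed message
    sig = sign(offer)
    print(verify(offer, sig), verify(offer.replace(b"500", b"700"), sig))
```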
**Session Keys**

- How to combine PK with symmetric key?
- Is it necessary to change the key every time?

**Example: Kerberos**

- Ticket Granting Service (TGS), and Authentication Server (AS).
- A ticket is a special message used to convince a server that the client is who he or she claims to be.
- User A and AS share a secret key (derived from password). AS and TGS share a key.
- How do you generate a key from a password?
- Is this SSO (Single-Sign On)?

**Setting Up A Secure Channel**

- First send message to Bob, with timestamp to prevent replay attacks.
- Bob sends back, also to prevent replay attacks.

**Access Control**

- Imagine a server with a number of entities (which we will call objects) under its control. Requests come in, but are allowed only if the sender has sufficient access rights.
- Authorization is how to grant rights. Access control is how to verify rights. Very similar, and frequently used interchangeably.

**General Model**

- Reference monitor is like a security perimeter.

**Access Control Matrix**

- To model the rights, use a matrix. Each row is a subject, each object is a column. So M[s,o] is an entry, which contains the allowed methods.