
Security in Distributed Systems
ECE7610/ECE7650
Cheng-Zhong Xu
C. Xu, 2002-2009
Outline
• General Security Requirements
• Cryptography
• Secure Channel
• Access Control
• Security in Mobile Codes
• Case Studies
– Kerberos Systems
– SSL
– SET
General Security Requirements
• Confidentiality (Privacy, Secrecy)
– Protection from disclosure to unauthorized parties
– E.g. overhear talk, illegal data copy (Interception)
• Integrity
– Protection from unauthorized change of data/tampering of services
– Violations should be detectable and recoverable
– E.g. Message relay (Fabrication, Modification)
• Availability
– Legitimate users have access anytime
– E.g. Denial of Service Attack (Interrupt)
– One facet of dependable systems, as well
Security Policy vs Mechanism
• Policy specifies which actions the entities of
a system can or can’t take
– Entities: users, services, data, machines, etc
• Mechanism facilitates policy enforcement
– Encryption: transform data into an unreadable form
– Authentication: verify claimed identity
– Authorization:
– Auditing: help detect security breaches
Security in Distributed Systems
• Security threats in isolated systems
– Assumption: Isolated systems are secure
– Security Mechanism: Protect from physical break-in
• Security in networked systems within an
administrative domain but isolated from Internet
– Identity Assumption:
• Whenever a program attempts some action, we can easily identify a person
to whom that action can be attributed, and it is safe to assume that that
person intends the action to be taken.
– Optimistic Assumption about Trojan Horse Attack
• Users are responsible for actions of their programs
– Mechanisms:
• Cryptographic Password
• Authorized users with different privilege levels
Security in Distrib. Systems (cont’)
• Security in systems across administrative domains
– Assumptions
• Untrusted users in open systems, but protection domain per user
• Insecure communication
• Rare code migration → becomes common
[Figure: Process p sends message m to Process q over a communication channel; the enemy holds a copy of m and a message m’]
Security in Distributed Systems (cont’)
• Examples of Mechanisms (e-Commerce):
– Authentication: verify claimed identity (CA)
– Secure comm. channel (SSL based https)
– Firewall: packet filtering, authorization check
– Resource access control: client access resources via server ops; access right checking during invocations.
[Figure: Principal A (Process p) and Principal B (Process q) joined by a secure channel; cryptography; the enemy]
Threats not defeated by secure channels
or other cryptographic techniques
• Denial of service attacks
– Deliberately excessive use of resources to the extent that they are
not available to legitimate users
• E.g. the Internet 'IP spoofing' attack, February 2000
• Trojan horses and other viruses
– Viruses can only enter computers when program code is imported.
– But users often require new programs, for example:
• New software installation
• Mobile code downloaded dynamically by existing software (e.g. Java
applets)
• Accidental execution of programs transmitted surreptitiously
– Defences: code authentication (signed code), code validation (type
checking, proof), sandboxing.
Recap: Network Security
• attacks on Internet infrastructure:
– infecting/attacking hosts: spyware, virus, worms, Trojan horse, unauthorized access, and malware in general
  • Malware: software designed to infiltrate or damage a computer system without the owner’s informed consent [Wikipedia]; based on the intention of its creator, rather than any features
  • In law, malware is defined as a computer contaminant
– denial of service: deny access to resources (servers, link BW)
  • Vulnerability attack; BW flooding; Connection flooding
• Internet not originally designed with security in mind
– original vision: “a group of mutually trusting users attached to a transparent network”
– Internet protocol designers playing “catch-up”
– Security considerations in all layers!
What can bad guys do: malware?
• Spyware:
– infection by downloading web page with spyware
– records keystrokes, web sites visited, upload info to collection site
• Virus
– infection by receiving object (e.g., e-mail attachment), actively executing
– self-replicating: propagate itself to other hosts, users
• Worm:
– infection by passively receiving object that gets itself executed
– self-replicating: propagates to other hosts, users
Sapphire Worm in 2003: aggregate scans/sec in first 5 minutes of outbreak (CAIDA, UWisc data)
• Double in every 8.5 sec
• 90% infected in 10 min
Denial of service attacks
• attackers make resources (server, bandwidth) unavailable to legitimate traffic by overwhelming resource with bogus traffic
1. select target
2. break into hosts around the network (collectively, known as botnet)
3. send packets toward target from compromised hosts
Sniff, modify, delete your packets
Packet sniffing:
• broadcast media (shared Ethernet, wireless)
• promiscuous network interface reads/records all packets (e.g., including passwords!) passing by
[Figure: hosts A, B and C on a shared medium; packet “src:B dest:A” with payload]
• Ethereal (Wireshark) software used for end-of-chapter labs is a (free) packet-sniffer
Masquerade as you
• IP spoofing: send packet with false source address
[Figure: hosts A, B and C; packet “src:B dest:A” with payload]
Masquerade as you
Man-in-the-middle attack
• IP spoofing: send packet with false source address
• record-and-playback: sniff sensitive info (e.g., password), and use later
– password holder is that user from system point of view
[Figure: hosts A, B and C; packet “src:B dest:A”, “user: B; password: foo”]
[Figure, later: hosts A, B and C; packet “src:B dest:A”, “user: B; password: foo”]
Threats and forms of attack
• Eavesdropping
– obtaining private or secret information
• Masquerading
– assuming the identity of another user/principal
• Message tampering
– altering the content of messages in transit
• man in the middle attack (tampers with the secure channel
mechanism)
• Replaying
– storing secure messages and sending them at a later date
• Denial of service
– flooding a channel or other resource, denying access to others
Key Issues
• Secure Channels
– Authentication: Verification of claimed identity
– Message Integrity: Detection of any alteration
– Confidentiality: Information is exposed to authorized parties only
• Access Control
– Authorization
Cryptography is fundamental
Cryptography
• Three possible ways of attack
– Intruders (eavesdroppers) intercept the msg silently
– Modify the msg
– Insert the msg, attempting to make R believe these msgs come from S.
Cryptosystems
• Symmetric Cryptosystem: same key to encrypt/decrypt
$P = D_k(E_k(P))$
– 56-bit Data Encryption Standard (DES), 128-bit IDEA and triple-DES
– New U.S. standard: 128, 192, 256-bit AES, based on the Rijndael algorithm (Joan Daemen and Vincent Rijmen), effective May 26, 2002
• Asymmetric Cryptosystem: two keys form a pair, e.g. RSA
$P = D_{k_d}(E_{k_e}(P))$
Public-key systems: $K^+$ as public key and $K^-$ as private key
For example:
– (1) How can Alice send a confidential msg to Bob?
– (2) How can Bob verify that the msg comes from Alice?
Symmetric Key Crypto: two basic ops
Substitution: substituting one thing for another
– monoalphabetic cipher: substitute one letter for another
translation table:
  plaintext letter:  abcdefghijklmnopqrstuvwxyz
  ciphertext letter: mnbvcxzasdfghjklpoiuytrewq
E.g.:
  Plaintext:  bob. i love you. alice
  ciphertext: nkn. s gktc wky. mgsbc
Permutation: rearrange (shuffle) the input
Symmetric encryption algorithms
These are all programs that perform confusion and diffusion operations on
blocks of binary data
TEA: a simple but effective algorithm developed at Cambridge U (1994)
for teaching and explanation. 128-bit key, 700 kbytes/sec
DES: The US Data Encryption Standard (1977). No longer strong in its
original form. 56-bit key, 350 kbytes/sec.
Triple-DES: applies DES three times with two different keys. 112-bit key,
120 Kbytes/sec
IDEA: International Data Encryption Algorithm (1990). Resembles TEA.
128-bit key, 700 kbytes/sec
AES: A proposed US Advanced Encryption Standard (1997). 128/256-bit
key.
There are many other effective algorithms. See Schneier [1996].
The above speeds are for a Pentium II processor at 330 MHZ. Today's PC's
(January 2002) should achieve a 5 x speedup.
TEA encryption function
    #include <stdint.h>

    /* TEA works on 32-bit words; uint32_t keeps that true where unsigned long is 64 bits. */
    /* k: key, 4 x 32 bits; text: plaintext in and result out, 2 x 32 bits */
    void encrypt(uint32_t k[], uint32_t text[]) {
        uint32_t y = text[0], z = text[1];
        uint32_t delta = 0x9e3779b9, sum = 0; int n;
        for (n = 0; n < 32; n++) {
            sum += delta;
            y += ((z << 4) + k[0]) ^ (z + sum) ^ ((z >> 5) + k[1]);   /* 5 */
            z += ((y << 4) + k[2]) ^ (y + sum) ^ ((y >> 5) + k[3]);   /* 6 */
        }
        text[0] = y; text[1] = z;
    }
(^ is exclusive OR; << and >> are logical shifts)
• Lines 5 & 6 perform confusion (XOR of shifted text) and diffusion (shifting and swapping)
TEA decryption function
    /* Inverse of encrypt(): same rounds in reverse order, starting from sum = 32 * delta (mod 2^32). */
    void decrypt(uint32_t k[], uint32_t text[]) {
        uint32_t y = text[0], z = text[1];
        uint32_t delta = 0x9e3779b9, sum = delta << 5; int n;
        for (n = 0; n < 32; n++) {
            z -= ((y << 4) + k[2]) ^ (y + sum) ^ ((y >> 5) + k[3]);
            y -= ((z << 4) + k[0]) ^ (z + sum) ^ ((z >> 5) + k[1]);
            sum -= delta;
        }
        text[0] = y; text[1] = z;
    }
TEA in use
    #include <stdio.h>
    #include <string.h>

    void tea(char mode, FILE *infile, FILE *outfile, uint32_t k[]) {
        /* mode is 'e' for encrypt, 'd' for decrypt, k[] is the key. */
        unsigned char Text[8]; uint32_t block[2]; size_t i;
        /* Each 8-byte block is processed independently of the others. */
        while ((i = fread(Text, 1, 8, infile)) > 0) { /* read up to 8 bytes from infile into Text */
            while (i < 8) { Text[i++] = ' '; } /* pad last block with spaces */
            memcpy(block, Text, 8); /* copy into aligned 32-bit words instead of casting the char buffer */
            switch (mode) {
            case 'e':
                encrypt(k, block); break;
            case 'd':
                decrypt(k, block); break;
            }
            memcpy(Text, block, 8);
            fwrite(Text, 1, 8, outfile); /* write 8 bytes from Text to outfile */
        }
    }
Classical Feistel Structure
• Virtually all conventional block
encryption algorithms, including
Data Encryption Standard (DES)
have a structure first described
by Horst Feistel of IBM in 1973
• Properties
– a particular structure of
permutation and substitution of
input; the structure is made public
– the most important component is
the F function
– the F function does not even need
to be one-to-one to decrypt
message so long the receiver knows
the key
DES: Data Encryption Standard
• US encryption standard [NIST 1993]
• 56-bit symmetric key, 64 bit plaintext input
• Uses a 16-round Feistel network
[Figure: DES input processing and key generation]
Security of DES
• Intuitively, the design of F is to make it hard to invert the function (by any cryptanalysis technique), i.e., security by confusion and obfuscation
– the design philosophy of the F function of DES is not known
– thus the “best known” attack is to try all possible 56-bit keys on the ciphertext to see if a key generates a “reasonable” plaintext
• However, 56 bit keys appear to be too short

Challenge                  Winner(s) Announced   Key Size / Encryption Type   Cracked in...
RSA's DES Challenge        June 1997             56-bit / DES                 96 Days
RSA's DES Challenge II-1   February 1998         56-bit / DES                 41 Days
RSA's DES Challenge II-2   July 1997             56-bit / DES                 56 Hours
RSA's DES Challenge III    January 1999          56-bit / DES                 22 Hours
Making DES More Secure
• Use three keys sequentially (3-DES) on each datum
$C = E_{K_3}[D_{K_2}[E_{K_1}[P]]]$
• C = ciphertext
• P = Plaintext
• $E_K[X]$ = encryption of X using key K
• $D_K[Y]$ = decryption of Y using key K
notation: $E_K[X]$ and $\{X\}_K$ both mean encrypt X using key K
• Replaced by Advanced Encryption Standard [NIST 2000]:
http://csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf
Advanced Encryption Standard (AES)
[Figure: AES round operations: ByteSub, ShiftRow, MixColumn]
Cipher blocks, chaining and stream ciphers
Most algorithms work on 64-bit blocks.
Weakness of simple block cipher: repeated patterns can be detected.
Cipher block chaining (CBC)
[Figure: plaintext blocks n+1, n+2, n+3; each is XORed with the previous ciphertext block and passed through E(K, M); ciphertext blocks n-3, n-2, n-1, n]
Stream cipher
[Figure: a number generator (n+1, n+2, n+3) feeds E(K, M) to fill a keystream buffer; the keystream is XORed with the plaintext stream to give the ciphertext stream]
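The weakness named above, shown with the TEA cipher from the earlier slides: this is an added example, not code from the original slides. The key, IV, sample message and the function names ecb_encrypt, cbc_encrypt, repeated_blocks and demo_repeats are constructed for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* TEA block encryption from the slides, on fixed-width 32-bit words. */
static void tea_encrypt(const uint32_t k[4], uint32_t t[2]) {
    uint32_t y = t[0], z = t[1], delta = 0x9e3779b9, sum = 0;
    for (int n = 0; n < 32; n++) {
        sum += delta;
        y += ((z << 4) + k[0]) ^ (z + sum) ^ ((z >> 5) + k[1]);
        z += ((y << 4) + k[2]) ^ (y + sum) ^ ((y >> 5) + k[3]);
    }
    t[0] = y; t[1] = z;
}

/* Simple block cipher use: every 64-bit block is encrypted on its own. */
void ecb_encrypt(const uint32_t k[4], uint32_t *b, size_t nblocks) {
    for (size_t i = 0; i < nblocks; i++) tea_encrypt(k, b + 2 * i);
}

/* CBC: XOR each plaintext block with the previous ciphertext block (the IV first). */
void cbc_encrypt(const uint32_t k[4], const uint32_t iv[2], uint32_t *b, size_t nblocks) {
    uint32_t prev[2] = { iv[0], iv[1] };
    for (size_t i = 0; i < nblocks; i++, b += 2) {
        b[0] ^= prev[0]; b[1] ^= prev[1];
        tea_encrypt(k, b);
        prev[0] = b[0]; prev[1] = b[1];
    }
}

/* Count ciphertext blocks identical to an earlier one: the pattern an observer sees. */
size_t repeated_blocks(const uint32_t *b, size_t nblocks) {
    size_t repeats = 0;
    for (size_t i = 1; i < nblocks; i++)
        for (size_t j = 0; j < i; j++)
            if (b[2 * i] == b[2 * j] && b[2 * i + 1] == b[2 * j + 1]) { repeats++; break; }
    return repeats;
}

/* Constructed sample data: blocks 0, 1 and 3 of the message are identical. */
static const uint32_t KEY[4] = { 0x01234567, 0x89abcdef, 0xfedcba98, 0x76543210 };
static const uint32_t IV[2]  = { 0xdeadbeef, 0x0badf00d };
static const char SAMPLE[] = "PAY 100 PAY 100 PAY 250 PAY 100 ";

size_t demo_repeats(int use_cbc) {
    uint32_t msg[8];
    memcpy(msg, SAMPLE, sizeof msg);           /* 4 blocks of 8 bytes */
    if (use_cbc) cbc_encrypt(KEY, IV, msg, 4);
    else         ecb_encrypt(KEY, msg, 4);
    return repeated_blocks(msg, 4);
}

int main(void) {
    printf("repeated ciphertext blocks: simple=%zu, CBC=%zu\n",
           demo_repeats(0), demo_repeats(1));
    return 0;
}
```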
Asymmetric encryption algorithms
They all depend on the use of trap-door functions
A trap-door function is a one-way function with a secret exit - e.g. product of two
large numbers; easy to multiply, very hard (infeasible) to factorize.
RSA: The first practical algorithm (Rivest, Shamir and
Adleman 1978) and still the most frequently used. Key
length is variable, 512-2048 bits. Speed 1-7 kbytes/sec.
(350 MHz PII processor)
Elliptic curve: A recently-developed method, shorter keys and
faster.
Asymmetric algorithms are ~1000 x slower and are therefore
not practical for bulk encryption, but their other properties
make them ideal for key distribution and for authentication
uses.
RSA (1)
To find a key pair e, d:
1. Choose two large prime numbers, P and Q (each greater than $10^{100}$), and form:
N = P x Q
Z = (P–1) x (Q–1)
2. For d choose any number that is relatively prime with Z (that is, such that d has no common factors with Z).
We illustrate the computations involved using small integer values for P and Q:
P = 13, Q = 17 –> N = 221, Z = 192
d = 5
3. To find e solve the equation:
e x d = 1 mod Z
That is, e x d is the smallest element divisible by d in the series Z+1, 2Z+1, 3Z+1, ... .
e x d = 1 mod 192 = 1, 193, 385, ...
385 is divisible by d
e = 385/5 = 77
4. (e, N) is an encryption key and (d, N) is the corresponding decryption key
RSA (2)
To encrypt text using the RSA method, the plaintext is divided into equal blocks of length k bits where $2^k < N$ (that is, such that the numerical value of a block is always less than N; in practical applications, k is usually in the range 512 to 1024).
k = 7, since $2^7 = 128$
The function for encrypting a single block of plaintext M is:
$E'(e,N,M) = M^e \bmod N$
for a message M, the ciphertext is $M^{77} \bmod 221$
The function for decrypting a block of encrypted text c to produce the original plaintext block is:
$D'(d,N,c) = c^d \bmod N$
Rivest, Shamir and Adleman proved that E' and D' are mutual inverses (that is, E'(D'(x)) = D'(E'(x)) = x) for all values of P in the range 0 ≤ P ≤ N.
The two parameters e,N can be regarded as a key for the encryption function, and similarly d,N represent a key for the decryption function.
So we can write $K_e = \langle e,N \rangle$ and $K_d = \langle d,N \rangle$
RSA Another Example
Bob chooses P=5, Q=7. Then N=35, Z=24.
e=5 (so e, Z relatively prime)
d=29 (so ed-1 exactly divisible by Z)
encrypt:
  letter   m    $m^e$      $c = m^e \bmod n$
  L        12   1524832    17
decrypt:
  c    $c^d$                                   $m = c^d \bmod n$   letter
  17   481968572106750915091411825223071697   12                  L
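The key-pair procedure and both worked examples above, carried through in code, together with the use of the private exponent to sign (question (2) on the Cryptosystems slide). This is an added example, not part of the original slides: the function names and the digest value 42 are constructed, and it is textbook RSA on toy-sized numbers with no padding.

```c
#include <stdint.h>
#include <stdio.h>

/* Square-and-multiply: base^exp mod n (n < 2^32 so the products fit in 64 bits). */
uint64_t modpow(uint64_t base, uint64_t exp, uint64_t n) {
    uint64_t result = 1 % n;
    base %= n;
    while (exp > 0) {
        if (exp & 1) result = result * base % n;
        base = base * base % n;
        exp >>= 1;
    }
    return result;
}

/* Extended Euclid: x with (a * x) mod z == 1, or 0 if a and z share a factor. */
uint64_t modinv(uint64_t a, uint64_t z) {
    int64_t r0 = (int64_t)z, r1 = (int64_t)(a % z), t0 = 0, t1 = 1;
    while (r1 != 0) {
        int64_t q = r0 / r1, tmp;
        tmp = r0 - q * r1; r0 = r1; r1 = tmp;
        tmp = t0 - q * t1; t0 = t1; t1 = tmp;
    }
    if (r0 != 1) return 0;                     /* d not relatively prime with Z */
    return (uint64_t)(t0 < 0 ? t0 + (int64_t)z : t0);
}

/* Steps 1-3 of the slide: N = P x Q, Z = (P-1) x (Q-1), solve e x d = 1 mod Z. */
uint64_t rsa_derive_e(uint64_t P, uint64_t Q, uint64_t d, uint64_t *N) {
    *N = P * Q;
    return modinv(d, (P - 1) * (Q - 1));
}

/* Count blocks m in [0, N) with D'(E'(m)) != m; 0 means the pair is consistent. */
uint64_t rsa_roundtrip_failures(uint64_t e, uint64_t d, uint64_t N) {
    uint64_t bad = 0;
    for (uint64_t m = 0; m < N; m++)
        if (modpow(modpow(m, e, N), d, N) != m) bad++;
    return bad;
}

/* Signing applies the private exponent to a digest; verifying applies the public one. */
uint64_t rsa_sign(uint64_t digest, uint64_t d, uint64_t N) { return modpow(digest, d, N); }
int rsa_verify(uint64_t digest, uint64_t sig, uint64_t e, uint64_t N) {
    return modpow(sig, e, N) == digest % N;
}

int main(void) {
    uint64_t N, e = rsa_derive_e(13, 17, 5, &N);   /* slide values P, Q, d */
    uint64_t sig = rsa_sign(42, 5, N);             /* 42: constructed digest value */
    printf("e=%llu N=%llu round-trip failures=%llu\n", (unsigned long long)e,
           (unsigned long long)N, (unsigned long long)rsa_roundtrip_failures(e, 5, N));
    printf("L=12 -> c=%llu -> m=%llu\n", (unsigned long long)modpow(12, 5, 35),
           (unsigned long long)modpow(17, 29, 35));
    printf("signature valid=%d, altered digest valid=%d\n",
           rsa_verify(42, sig, e, N), rsa_verify(43, sig, e, N));
    return 0;
}
```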
Digital signatures
Requirements:
– To authenticate stored document files as well as messages
– To protect against forgery
– To prevent the signer from repudiating a signed document (denying
their responsibility)
Encryption of a document in a secret key constitutes a signature
– impossible for others to perform without knowledge of the key
– strong authentication of document
– strong protection against forgery
– weak against repudiation (signer could claim key was compromised)
Secure Digest Function
• h = H(m): take a msg of arbitrary length and produce a bit
string of a fixed length.
• Example:
– 128-bit MD5 (Rivest’92): generate 128 bit fixed length msg digest from an
arbitrary length binary input string
– 160-bit SHA (NIST’95), based on Rivest’s MD4, but made more secure by
producing a 160-bit digest.
– Any symmetric encryption algorithm in the CBC (cipher block chaining)
mode. The last block in the chain is H(m)
• Properties:
– One-way function: Given h, it’s computationally infeasible to compute m
– weak collision resistance: Given an input m and its associated output h, it’s
computationally infeasible to find another m’ that is not equal to m but
H(m)=H(m’)
– strong collision resistance: Given only H, it’s computationally infeasible to
find any two different inputs m and m’, such that H(m) = H(m’)
• Both MD5 and SHA are shown to be broken lately!!
http://www.schneier.com/blog/archives/2005/06/more_md5_collis.html
http://www.schneier.com/blog/archives/2005/02/sha1_broken.html
Digital Signature for Message Integrity
• DA using public-key crypto, like RSA
• Bob verifies msg m by comparison
• Alice is protected against Bob’s modification because
of her signature.
• But, what if Alice wants to change her key?
→ Need central authority to keep records
Digital Signatures (cont’)
• Encryption of an entire message with a private key
is very time-consuming
• Using hash function, H, to generate a message
digest and encrypting the digest instead
MACs: Low-cost signatures with a shared
secret key
MAC: Message Authentication Code
Signer and verifier share a secret key K
Signing: h = H(M+K); the signed doc is M together with h
Verifying: h' = H(M+K), computed from the received M and the shared K; h = h' ? authentic : forged
Perf of encryption and secure digest algs
Figure 7.14 (speeds are for a Pentium II processor at 330 MHZ)

             Algorithm    Key size/hash size (bits)   Extrapolated speed (kbytes/sec.)   PRB optimized speed (kbytes/s)
Secret key   TEA          128                         700                                -
             DES          56                          350                                7746
             Triple-DES   112                         120                                2842
             IDEA         128                         700                                4469
Public key   RSA          512                         7                                  -
             RSA          2048                        1                                  -
Digest       MD5          128                         1740                               62425
             SHA          160                         750                                25162

PRB = Preneel, Rijmen and Bosselaers [Preneel 1998]
Outline
• General Security Requirements
• Cryptography
• Secure Communication Channel
– Authentication
– Message integrity and confidentiality
• Access Control
• Security in Mobile Codes
• Case Studies
– Kerberos Systems
– SSL
– E-Cash and SET
Secure Channel
• Authentication
• Message Integrity: msg is protected against modification
– More than authentication of communication parties, e.g. protection of the integrity of an online transaction agreement
• Confidentiality: Msg won’t be intercepted and read by eavesdroppers
– Cryptographic keys are not enough
Secure Channel: Authentication
• Alice initiates setting up a channel between Alice and Bob. Once it is done, Alice and Bob know for sure whom they are talking to.
• Authentication based on shared secret keys (Session Keys): Challenge-Response Protocol
1: identity of A
2: Challenge of B
3: Encrypted challenge
4: Challenge of A
5: Encrypted challenge
Optimized Authentication ?
• Authentication based on a shared secret
key, but using three instead of five keys
Reflection Attack
• Two comm parties use the same challenge in different runs of the protocol
• Also, valuable info. $K_{A,B}(R_C)$ is released to an unknown person
Key Distribution Center
• Shared-key based authentication is not scalable. In a system with n hosts, n(n-1)/2 keys are needed and each host needs to manage n-1 keys
• Alternative is to assume a trusted third party, like a KDC, which shares a secret key with each host
• The message $K_{B,KDC}(K_{A,B})$ is called a ticket
• Alice uses this ticket to establish connection with Bob
Needham-Schroeder Protocol
• $R_{A1}$ is a nonce (random number, “number used once”) that uniquely relates msg 1 and msg 2 to each other.
• The identity B of Bob is included in msg 2 to confirm the return ticket between A and B.
• Returning $R_{A2}-1$ in msg 4 proves Bob knows the shared key and has actually used the key to decrypt the challenge.
Improved Needham-Schroeder Protocol
• Using an extra nonce $R_{B1}$ to protect against malicious reuse of a previously generated session key
Shared Key Setup by Public-Key
• Mutual authentication, assuming knowledge
of public keys of each other
Be assured that Alice is actually using Bob’s public key
How??
Initial Key Establishment
• Diffie-Hellman Key Exchange
– Alice and Bob agree on two large public numbers n and g
– Alice and Bob pick two large random numbers, x and y, as their private keys
– Alice sends $g^x \bmod n$ to Bob and Bob sends $g^y \bmod n$ to Alice, along with n and g
• $g^x \bmod n$ is a one-way function: x cannot be computed from it
– Established shared key: $(g^x \bmod n)^y = g^{xy} \bmod n$
Diffie-Hellman can also be viewed as public-key cryptography, where x and y are private keys, and $g^x \bmod n$ and $g^y \bmod n$ are public keys.
Session key for Confidentiality
• Confidentiality: msg won’t be intercepted and read by eavesdroppers
• Cryptographic keys are subject to “wear and tear” (a frequently used key tends to be stolen)
• Loss of cryptographic keys leads to replay attacks
• Replacing cryptographic keys is expensive
→ Create a unique session key for each secure communication channel
Example in Java (http://www.javaworld.com)
    import java.io.*;
    import java.security.*;

    class GenSig {
        public static void main(String[] args) { /* java GenSig data-be-signed */
            try {
                /* Initialize the Key-Pair Generator */
                /* 1024-bit DSA and SHA-1 are the slide's parameters; NIST no longer approves either for new signatures */
                KeyPairGenerator keyGen = KeyPairGenerator.getInstance("DSA", "SUN");
                keyGen.initialize(1024, SecureRandom.getInstance("SHA1PRNG", "SUN"));
                /* Generate the Pair of Keys */
                KeyPair pair = keyGen.generateKeyPair();
                PrivateKey priv = pair.getPrivate();
                PublicKey pub = pair.getPublic();
                /* Create a Signature and initialize it with the private key */
                Signature dsa = Signature.getInstance("SHA1withDSA", "SUN");
                dsa.initSign(priv);
                /* Update and sign the data */
                FileInputStream fis = new FileInputStream(args[0]);
                BufferedInputStream bufin = new BufferedInputStream(fis);
                byte[] buffer = new byte[1024]; int len;
                /* read() returns -1 at end of file; available() can be 0 before that */
                while ((len = bufin.read(buffer)) >= 0) {
                    dsa.update(buffer, 0, len);
                }
                bufin.close();
                /* Generate a signature for the data */
                byte[] realSig = dsa.sign();
                /* Save the signature in a file */
                FileOutputStream sigfos = new FileOutputStream("sig");
                sigfos.write(realSig);
                sigfos.close();
                /* Save the public key in a file */
                byte[] key = pub.getEncoded();
                FileOutputStream keyfos = new FileOutputStream("suepk");
                keyfos.write(key);
                keyfos.close();
            } catch (Exception e) {
                System.err.println("Caught exception " + e.toString());
            }
        }
    }
Summary
• General Security Requirements
• Cryptography
• Secure Communication Channel
– Authentication
– Message integrity and confidentiality
• To be discussed
– Access Control
– Security in Mobile Codes
– Case Studies
• Kerberos Systems
• SSL
• SET