Security Chapter 8


Security

Chapter 8

Security

• Security in distributed systems can be divided into two parts:
– A secure channel is a mechanism for ensuring communication through authentication, message integrity, and confidentiality.
– Authorization deals with ensuring that a process gets only those access rights to resources that it is entitled to.

Security

• A dependable and trusted system should include:
– Availability: Accessible and usable upon demand for authorized entities
– Reliability: Continuity of service delivery
– Safety: Very low probability of catastrophes
– Confidentiality: No unauthorized disclosure of information
– Integrity: No accidental or malicious alterations of information have been performed (even by authorized entities)
• In distributed systems, security is the combination of availability, integrity, and confidentiality. A dependable distributed system is thus fault tolerant and secure.

Security Threats

• Four types of security threats:
– Inspection refers to the situation that an unauthorized party has gained access to a service or data.
– Interruption refers to the situation in which services or data become unavailable, unusable, or destroyed.
– Modification involves unauthorized changing of data or tampering with a service.
– Fabrication refers to the situation in which additional data or activity are generated that would normally not exist.

Security Threats

• Examples of security threats:
– Interruption
• Channel: Preventing message transfer
• Object: Denial of service
– Inspection
• Channel: Reading the content of transferred messages
• Object: Reading the data contained in an object
– Modification
• Channel: Changing message content
• Object: Changing an object's encapsulated data
– Fabrication
• Channel: Inserting messages
• Object: Spoofing an object

Security Mechanisms

• A security policy describes precisely which actions are allowed and which are prohibited.
• To protect against security threats, we have a number of security mechanisms at our disposal:
– Encryption: Transform data into something that an attacker cannot understand (confidentiality). It is also used to check whether something has been modified (integrity).
– Authentication: Verify the claim that a subject is who it says it is, i.e., verifying the identity of a subject.
– Authorization: Determining whether a subject is permitted to make use of certain services.
– Auditing: Trace which subjects accessed what, and in which way. Useful only if it can help catch an attacker.
• Authorization makes sense only if the requesting subject has been authenticated.

Security Policies

• Policy: Prescribes how to use mechanisms to protect against attacks. Requires that a model of possible attacks is described (i.e., a security architecture).
• Example: Globus security architecture
– There are multiple administrative domains
– Local operations are subject to local security policies
– Global operations require the requester to be globally known
– Interdomain operations require mutual authentication
– Global authentication replaces local authentication
– Users can delegate privileges to processes
– Credentials can be shared between processes in the same domain
• These policy statements lead to the introduction of mechanisms for cross-domain authentication and for making users globally known: user proxies and resource proxies.

Security Policies

• Globus example:
– Consider a mobile agent in Globus that carries out a task by initiating several operations in different domains.
– By authenticating an agent and subsequently checking its rights, Globus should be able to allow an agent to initiate an operation without having to contact the agent's owner.
• To allow cross-domain authentication and make a user known in a remote domain, two types of representatives are introduced:
– A user proxy is a process that is given permission to act on behalf of a user.
– A resource proxy is a process running within a specific domain that is used to translate global operations on a resource into local operations.

Security Policies

• The security architecture defines four different protocols:
– Creation of a user proxy
– Allocation of a resource by the user in a remote domain
– Allocation of a resource by a process in a remote domain
– Making a user known in a remote domain
• Three design issues are concerned:
– Focus of control
– Layering of security mechanisms
– Simplicity

Example: Globus Security Architecture

Diagram of Globus security architecture.

Design Issue: Focus of Control

• Policy: What is our focus when talking about protection? Three approaches: (a) data, (b) invalid operations, (c) unauthorized users.
• We generally need all three, but each requires different mechanisms.
• At which logical level are we going to implement security mechanisms? It depends on the trust a client has in how secure the services are in a particular layer.

Focus of Control

Three approaches for protection against security threats:
a) Protection against invalid operations
b) Protection against unauthorized invocations
c) Protection against unauthorized users

Design Issue: Layering of Security Mechanisms

• Example: Switched Multi-megabit Data Service (SMDS)
– Security can be provided by placing encryption devices at each SMDS router.
– These devices encrypt and decrypt packets but do not provide secure communication.
– Secure Socket Layer (SSL) can be used to securely send messages across a TCP connection.
• In distributed systems, security mechanisms are often placed in the middleware layer.
• Whether security mechanisms are actually used is related to the trust a user has in those mechanisms. If you do not trust those mechanisms, you can implement your own mechanisms.
• Trusted Computing Base: the set of mechanisms needed to enforce a policy. The smaller, the better.

Layering of Security Mechanisms

The logical organization of a distributed system into several layers.

Layering of Security Mechanisms

Several sites connected through a wide-area backbone service.

Design Issue: Layering of Security Mechanisms

• Dependencies between services regarding trust lead to the notion of a Trusted Computing Base (TCB). A TCB is the set of mechanisms needed to enforce a policy. The smaller, the better.
• Where to place mechanisms? Simplicity.

Distribution of Security Mechanisms

The principle of RISSC as applied to secure distributed systems.

Cryptography

• The original form of the message that is sent is called the plaintext (P). The encrypted form is referred to as the ciphertext (C).
• Three types of intruders:
– Passive intruder only listens to messages.
– Active intruder can alter messages.
– Active intruder can insert messages.

Cryptography

Intruders and eavesdroppers in communication.

Cryptography

• Symmetric (secret-key) system: Use a single key to (1) encrypt the plaintext and (2) decrypt the ciphertext. Requires that sender and receiver share the secret key.
• Asymmetric (public-key) system: Use different keys for encryption and decryption, of which one is private, and the other public.
• Hashing system: Only encrypt data and produce a fixed-length digest. There is no decryption; only comparison is possible.

Cryptographic Functions

• Make the encryption method E public, but let the encryption as a whole be parameterized by means of a key S (same for decryption).
• Properties of hash functions:
– One-way function: Given some output m_out of E_S, it is (analytically or) computationally infeasible to find m_in.
– Weak collision resistance: Given an input m and its associated output h = H(m), it is computationally infeasible to find an m' such that H(m) = H(m').
– Strong collision resistance: Given only H, it is computationally infeasible to find any two different inputs m and m' such that H(m) = H(m').

Cryptography

Notation    Description
K_A,B       Secret key shared by A and B
K_A^+       Public key of A
K_A^-       Private key of A
Notation used in this chapter.

Symmetric Cryptosystems

• Substitution cipher: each letter or group of letters is replaced by another letter or group of letters
– Caesar cipher: rotate the letters (a → D, b → E, c → F, ..., z → C). Example: attack → DWWDFN
– Monoalphabetic substitution: each letter is replaced by a different letter
Plaintext:  ABCDEFGHIJKLMNOPQRSTUVWXYZ
Ciphertext: QWERTYUIOPASDFGHJKLZXCVBNM
• Disadvantage: It does not smooth out the letter frequencies in the ciphertext.
– Polyalphabetic cipher: use multiple cipher alphabets.

Secret-Key Cryptography

• Transposition cipher: reorder the letters, but don't disguise them.
– Select a key, e.g., MEGABUCK; number its letters in alphabetical order and write the plaintext in rows beneath it:
M E G A B U C K
7 4 5 1 2 8 3 6
p l e a s e t r
a n s f e r o n
e h u n d r e d
– Read out the columns in key order: plaintext pleasetransferonehundred → ciphertext afnsedtoelnhesurndpaeerr

Transposition Ciphers

A transposition cipher.
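The three classical ciphers on these slides, run on the slides' own examples (attack → DWWDFN, the QWERTY alphabet, and MEGABUCK). This is an added example, not code from the slides; the frequency_profile check is included to make the stated weakness of substitution concrete: it renames letters but leaves their frequency distribution untouched.

```python
"""Classical ciphers from the slides (added example). Test vectors:
Caesar attack -> DWWDFN, monoalphabetic alphabet QWERTYUIOPASDFGHJKLZXCVBNM,
transposition with key MEGABUCK on 'pleasetransferonehundred'."""
from collections import Counter
import string

ALPHABET = string.ascii_lowercase


def caesar(plain: str, shift: int = 3) -> str:
    """Rotate each letter by `shift` (a -> D for shift 3); output upper case,
    following the slides' convention. Non-letters pass through unchanged."""
    out = []
    for ch in plain.lower():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26].upper())
        else:
            out.append(ch)
    return "".join(out)


def monoalphabetic(plain: str, cipher_alphabet: str) -> str:
    """Letter i of the plain alphabet maps to letter i of `cipher_alphabet`,
    which must be a permutation of the 26 letters."""
    if sorted(cipher_alphabet.lower()) != list(ALPHABET):
        raise ValueError("cipher alphabet must be a permutation of a-z")
    table = str.maketrans(ALPHABET, cipher_alphabet.upper())
    return plain.lower().translate(table)


def frequency_profile(text: str) -> list:
    """Letter counts sorted high to low. A substitution cipher only renames
    letters, so plaintext and ciphertext give the same profile: the
    'does not smooth out frequencies' weakness named on the slides."""
    counts = Counter(c for c in text.lower() if c in ALPHABET)
    return sorted(counts.values(), reverse=True)


def transposition(plain: str, key: str) -> str:
    """Columnar transposition: write the plaintext in rows under the key,
    then read the columns in alphabetical order of the key letters.
    The plaintext must fill whole rows (the slides' example does)."""
    cols = len(key)
    if len(plain) % cols:
        raise ValueError("pad the plaintext to a multiple of the key length")
    rows = [plain[i:i + cols] for i in range(0, len(plain), cols)]
    order = sorted(range(cols), key=lambda i: key[i])  # MEGABUCK -> A,B,C,E,G,K,M,U
    return "".join(row[i] for i in order for row in rows)


def transposition_decrypt(cipher: str, key: str) -> str:
    """Inverse: refill the columns in key order, then read the rows."""
    cols = len(key)
    nrows = len(cipher) // cols
    order = sorted(range(cols), key=lambda i: key[i])
    grid = [[""] * cols for _ in range(nrows)]
    pos = 0
    for col in order:
        for r in range(nrows):
            grid[r][col] = cipher[pos]
            pos += 1
    return "".join("".join(row) for row in grid)


if __name__ == "__main__":
    print(caesar("attack"))                                        # DWWDFN
    print(monoalphabetic("attack", "QWERTYUIOPASDFGHJKLZXCVBNM"))  # QZZQEA
    print(transposition("pleasetransferonehundred", "MEGABUCK"))   # afnsedtoelnhesurndpaeerr
    print(frequency_profile("attack") == frequency_profile("QZZQEA"))  # True
```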

Symmetric Cryptosystems: DES

• Data Encryption Standard (DES) was developed by IBM and adopted as a US national standard in 1977.
• The encryption function maps a 64-bit plaintext input into a 64-bit encrypted output using a 56-bit master key.
• The algorithm has 16 key-dependent stages known as rounds, where each round uses a different 48-bit key for encryption; the computation was time-consuming.
• The DES algorithm is difficult to break using analytical methods (the rationale behind the design has never been clearly explained). A brute-force attack will do the job because the key length is only 56 bits. In June 1997, it was successfully cracked. DES is now only used for the protection of low-value information.

Symmetric Cryptosystems: DES

a) The principle of DES
b) Outline of one encryption round

Symmetric Cryptosystems: DES

Details of per-round key generation in DES.

Symmetric Cryptosystems: AES

• Triple-DES: apply DES three times with two additional different keys. This gives strength against brute-force attacks.
• In 1997, the US NIST issued an invitation for an Advanced Encryption Standard (AES).
• NIST is pleased to announce the approval of the Federal Information Processing Standard (FIPS) for the Advanced Encryption Standard, FIPS-197. This standard specifies the Rijndael algorithm (blocks of 128 bits) as a FIPS-approved symmetric encryption algorithm that may be used by U.S. Government organizations (and others) to protect sensitive information. The algorithm has been designed to be fast enough so that it can even be implemented on smart.

Public-Key Cryptosystems: RSA

• RSA, named after its inventors Rivest, Shamir, and Adleman, is a public-key cryptographic algorithm.
• The security of RSA comes from the fact that no methods are known to efficiently find the prime factors of large numbers.
• For example, 2100 can be written as 2100 = 2 × 2 × 3 × 5 × 5 × 7, making 2, 3, 5, and 7 the prime factors of 2100.
• In RSA, the private and public keys are constructed from very large prime numbers. It turns out that breaking RSA is equivalent to finding those two prime numbers.

Public-Key Cryptosystems: RSA

• Generating the private and public key requires four steps:
1. Choose two very large prime numbers, p and q
2. Compute n = p × q and z = (p – 1) × (q – 1)
3. Choose a number d that is relatively prime to z (that is, such that d has no common factors with z)
4. Compute the number e such that e × d = 1 mod z
• Group the plaintext P into blocks such that 0 <= P < n; then C = P^e (mod n) and P = C^d (mod n)

Public-Key Cryptography

• Example: p = 13, q = 17 → n = 13 × 17 = 221, z = (13 – 1) × (17 – 1) = 192. Let d = 5 (relatively prime to z). e × d = 1 mod 192, so e × d ∈ {1, 193, 385, ...}; 385 is divisible by d, so e = 385/5 = 77.
• Example: p = 3, q = 11 → n = 3 × 11 = 33, z = (3 – 1) × (11 – 1) = 20. Let d = 7 (relatively prime to z). 7 × e mod 20 = 1 → e = 3. C = P^3 (mod 33), P = C^7 (mod 33)

RSA

An example of the RSA algorithm.
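The four key-generation steps and the two worked examples above, in code, followed by the point made on the RSA slides that breaking RSA amounts to finding p and q: for a toy modulus trial division recovers them, and with them the private exponent. This is an added example, not from the slides; the byte-per-block encoding and the choice of b"hello" as sample plaintext are this example's own.

```python
"""RSA as described on the slides (added example): keygen from (p, q, d),
block-wise C = P^e mod n and P = C^d mod n, and recovery of d by factoring
a toy n. Real keys use primes of hundreds of digits, for which no efficient
factoring method is known; the tiny moduli here exist only to illustrate."""
from __future__ import annotations
from math import gcd


def rsa_keygen(p: int, q: int, d: int) -> tuple[int, int, int]:
    """Steps 1-4 of the slides; returns (n, e, d) with e * d = 1 mod z."""
    n = p * q                              # step 2
    z = (p - 1) * (q - 1)                  # step 2
    if gcd(d, z) != 1:                     # step 3: d relatively prime to z
        raise ValueError(f"d={d} shares a factor with z={z}")
    e = pow(d, -1, z)                      # step 4: modular inverse (Python 3.8+)
    return n, e, d


def encrypt_blocks(plain: bytes, n: int, e: int) -> list[int]:
    """C = P^e mod n with one byte per block; every block must satisfy P < n."""
    if any(b >= n for b in plain):
        raise ValueError("a plaintext block is not below n; use a larger modulus")
    return [pow(b, e, n) for b in plain]


def decrypt_blocks(cipher: list[int], n: int, d: int) -> bytes:
    """P = C^d mod n, block by block."""
    return bytes(pow(c, d, n) for c in cipher)


def trial_factor(n: int) -> tuple[int, int]:
    """Recover p and q of a toy modulus by trial division (infeasible for real n)."""
    p = 2
    while p * p <= n:
        if n % p == 0:
            return p, n // p
        p += 1
    raise ValueError("n has no non-trivial factor")


def recover_private_exponent(n: int, e: int) -> int:
    """Knowing p and q gives z, and then d = e^-1 mod z: the public key
    alone suffices once n has been factored, which is the slides' claim."""
    p, q = trial_factor(n)
    return pow(e, -1, (p - 1) * (q - 1))


if __name__ == "__main__":
    n, e, d = rsa_keygen(13, 17, 5)           # slides' first example: (221, 77, 5)
    ct = encrypt_blocks(b"hello", n, e)       # constructed sample plaintext
    print(n, e, d, ct, decrypt_blocks(ct, n, d))
    print(rsa_keygen(3, 11, 7))               # slides' second example: (33, 3, 7)
    print(recover_private_exponent(221, 77))  # 5
```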

Public-Key vs. Secret-Key Cryptosystems

• Compare RSA to DES:
– Encrypting a message using RSA is much slower than using DES
– RSA is mostly used only for exchanging shared keys

Pretty Good Privacy (PGP)

• Pretty Good Privacy (PGP) is a popular program used to encrypt and decrypt e-mail over the Internet.
• It can also be used to send an encrypted digital signature that lets the receiver verify the sender's identity and know that the message was not changed en route.
• Available both as freeware and in a low-cost commercial version, PGP is the most widely used privacy-ensuring program by individuals and is also used by many corporations.
• Developed by Philip R. Zimmermann in 1991, PGP has become a de facto standard for e-mail security.
• PGP can also be used to encrypt files being stored so that they are unreadable by other users or intruders.

Hash Functions : MD5

• MD5 (Message Digest 5) is an algorithm that is used to verify data integrity through the creation of a 128-bit message digest from data input, which may be a message of any length.
• MD5, which was developed by Professor Ronald L. Rivest of MIT, is intended for use with digital signature applications, which require that large files be compressed by a secure method before being encrypted with a secret key, under a public-key cryptosystem.
• MD5 is currently a standard, Internet Engineering Task Force (IETF) Request for Comments (RFC) 1321.

Hash Functions : MD5

The structure of MD5

Hash Functions : MD5

The 16 iterations during the first round in a phase in MD5.

Secure Channels

• Goal: Set up a channel allowing for secure communication between two processes. – They both know who is on the other side (authenticated). – They both know that messages cannot be tampered with (integrity). – They both know messages cannot leak away (confidentiality).

Authentication versus Integrity

• Note: Authentication and data integrity rely on each other. Consider an active attack by Trudy on the communication from Alice to Bob.
• Authentication without integrity: Alice's message is authenticated, and intercepted by Trudy, who tampers with its content, but leaves the authentication part as is. Authentication has become meaningless.
• Integrity without authentication: Trudy intercepts a message from Alice, and then makes Bob believe that the content was really sent by Trudy. Integrity has become meaningless.
• Question: What can we say about confidentiality versus authentication and integrity?

Authentication: Secret Keys

1: Alice sends her ID to Bob
2: Bob sends challenge R_B (i.e., a random number) to Alice
3: Alice encrypts R_B with the shared key K_A,B. Now Bob knows he's talking to Alice
4: Alice sends challenge R_A to Bob
5: Bob encrypts R_A with K_A,B. Now Alice knows she's talking to Bob
• Note: We can improve the protocol by combining steps 1&4, and 2&3. This costs only the correctness.

Authentication (1)

Authentication based on a shared secret key.

Authentication (2)

Authentication based on a shared secret key, but using three instead of five messages.


Authentication (3)

The reflection attack.
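The five-message protocol above as two small state machines, added here as an example (not code from the slides). Assumption: "encrypt R with K_A,B" is realised as HMAC-SHA256 keyed with K_A,B, since a keyed one-way function is all the protocol needs from it. The point the code makes is the ordering: Bob answers Alice's challenge R_A only after he has verified her answer to R_B, which is exactly what the three-message variant gives up.

```python
"""Shared-key challenge-response authentication (added example).
Keyed function K_A,B(R) is modelled as HMAC-SHA256; the keys used in the
helper functions at the bottom are constructed test values."""
import hashlib
import hmac
import secrets


def keyed(key: bytes, challenge: bytes) -> bytes:
    """K_A,B(R): the keyed transformation of a challenge (HMAC here, by assumption)."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


class Responder:
    """Bob: holds one shared key per known peer identity."""

    def __init__(self, keys: dict):
        self.keys = keys              # peer id -> shared key K_A,B
        self.peer = None
        self.rb = None
        self.authenticated = False

    def msg1_identity(self, peer_id: str) -> bytes:
        """Message 1 in, message 2 out: note who is calling, send a fresh R_B."""
        if peer_id not in self.keys:
            raise PermissionError("unknown identity")
        self.peer = peer_id
        self.rb = secrets.token_bytes(16)
        self.authenticated = False
        return self.rb

    def msg3_response(self, response: bytes) -> bool:
        """Message 3 must equal K_A,B(R_B). If so, Bob knows he talks to Alice."""
        expected = keyed(self.keys[self.peer], self.rb)
        self.authenticated = hmac.compare_digest(response, expected)
        return self.authenticated

    def msg4_challenge(self, ra: bytes) -> bytes:
        """Messages 4 and 5: answer R_A only for a peer that has already proven
        itself. An unauthenticated caller never receives a keyed answer."""
        if not self.authenticated:
            raise PermissionError("challenge before authentication refused")
        return keyed(self.keys[self.peer], ra)


class Initiator:
    """Alice: knows her identity and K_A,B."""

    def __init__(self, identity: str, key: bytes):
        self.identity = identity
        self.key = key

    def run(self, bob: Responder) -> bool:
        rb = bob.msg1_identity(self.identity)            # messages 1, 2
        if not bob.msg3_response(keyed(self.key, rb)):   # message 3
            return False
        ra = secrets.token_bytes(16)                     # message 4
        answer = bob.msg4_challenge(ra)                  # message 5
        return hmac.compare_digest(answer, keyed(self.key, ra))  # now Alice knows it's Bob


def mutual_auth(bob_key: bytes, alice_key: bytes) -> bool:
    """Succeeds only when both sides hold the same K_A,B."""
    bob = Responder({"alice": bob_key})
    return Initiator("alice", alice_key).run(bob)


def premature_challenge_refused(key: bytes) -> bool:
    """Bob must not compute K_A,B(R) for a caller that has not yet answered R_B."""
    bob = Responder({"alice": key})
    bob.msg1_identity("alice")
    try:
        bob.msg4_challenge(secrets.token_bytes(16))
    except PermissionError:
        return True
    return False
```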


Authentication Using a Key Distribution Center (1)

The principle of using a KDC.

Authentication Using a Key Distribution Center (2)

Using a ticket and letting Alice set up a connection to Bob.

Authentication Using a Key Distribution Center (3)

The Needham-Schroeder authentication protocol.

Authentication Using a Key Distribution Center (4)

Protection against malicious reuse of a previously generated session key in the Needham-Schroeder protocol.

Authentication Using Public-Key Cryptography

Mutual authentication in a public-key cryptosystem.

Needham-Schroeder: Subtleties

• Q1: Why does the KDC put Bob into its reply message, and Alice into the ticket?
• Q2: The ticket sent back to Alice by the KDC is encrypted with Alice's key. Is this necessary?
• Security flaw: Suppose Chuck finds out Alice's key ⇒ he can use that key anytime to impersonate Alice, even if Alice changes her private key at the KDC.
• Reasoning: Once Chuck finds out Alice's key, he can use it to decrypt a (possibly old) ticket for a session with Bob, and convince Bob to talk to him using the old session key.
• Solution: Have Alice get an encrypted number from Bob first, and put that number in the ticket provided by the KDC ⇒ we're now ensuring that every session is known at the KDC.

Confidentiality

• Compromised keys: If a key is compromised, you can never use it again. Really bad if all communication between Alice and Bob is based on the same key over and over again ⇒ don't use the same key for different things
• Temporary keys: Untrusted components may play along perhaps just once, but you would never want them to have knowledge about your really good key for all times ⇒ make keys disposable
• Essence: Don't use valuable and expensive keys for all communication, but only for authentication purposes.
• Solution: Introduce a "cheap" session key that is used only during one single conversation or connection ("cheap" also means efficient in encryption and decryption)

Confidentiality

• Secret key: Use a shared secret key to encrypt and decrypt all messages sent between Alice and Bob
• Public key: If Alice sends a message m to Bob, she encrypts it with Bob's public key: K
• There are a number of problems with keys:
– Keys wear out: The more data is encrypted by a single key, the easier it becomes to find that key ⇒ don't use keys too often
– Danger of replay: Using the same key for different communication sessions permits old messages to be inserted in the current session ⇒ don't use keys for different sessions

Digital Signatures

• Harder requirements:
– Authentication: Receiver can verify the claimed identity of the sender
– Nonrepudiation: The sender cannot later deny that he/she sent the message
– Integrity: The message cannot be maliciously altered during, or after receipt
• Solution: Let a sender sign all transmitted messages, in such a way that (1) the signature can be verified and (2) message and signature are uniquely associated

Digital Signatures (1)

Digitally signing a message using public-key cryptography.

Message Digests

• Basic idea: Don't mix authentication and secrecy. Instead, it should also be possible to send a message in the clear, but have it signed as well.
• Solution: take a message digest, and sign that.
• Recall: Message digests are computed using a hash function, which produces a fixed-length message from arbitrary-length data.

Digital Signatures (2)

Digitally signing a message using a message digest.

Secure Group Communication

• Design issue: How can you share secret information between multiple members without losing everything when one member turns bad?
• Confidentiality: Follow a simple (hard-to-scale) approach by maintaining a separate secret key between each pair of members.

Secure Group Communication

• Replication: You also want to provide replication transparency. Apply secret sharing:
– No process knows the entire secret; it can be revealed only through joint cooperation
– Assumption: at most k out of N processes can produce an incorrect answer
– At most c ≤ k processes have been corrupted
• Note: We are dealing with a k-fault-tolerant process group.

Secure Replicated Services

Sharing a secret signature in a group of replicated servers.

Authorization versus Authentication

• Authentication: Verify the claim that a subject is who it says it is, i.e., verifying the identity of a subject
• Authorization: Determining whether a subject is permitted certain services from an object
• Note: authorization makes sense only if the requesting subject has been authenticated

General Issues in Access Control

General model of controlling access to objects.

Access Control Matrix

• Essence: Maintain an access control matrix in which each entry contains the permissible operations that a subject can perform on an object
• Implementation (a): Each object maintains an access control list (ACL), describing the permissible operations per subject (or group of subjects)
• Implementation (b): Each subject has a capability, describing the permissible operations per object (or category of objects)

Access Control Matrix

Comparison between ACLs and capabilities for protecting objects.

a) Using an ACL
b) Using capabilities

Protection Domains

• Issue: ACLs or capability lists can be very large. Reduce information by means of protection domains:
– Set of (object, access rights) pairs
– Each pair is associated with a protection domain
– For each incoming request the reference monitor first looks up the appropriate protection domain
• Common implementations of protection domains:
– Groups: Users belong to a specific group; each group has associated access rights
– Roles: Don't differentiate between users, but only the roles they can play. Your role is determined at login time. Role changes are allowed.

Protection Domains

The hierarchical organization of protection domains as groups of users.

Firewalls

• Essence: Sometimes it's better to select service requests at the lowest level: network packets. Packets that do not fit certain requirements are simply removed from the channel
• Solution: Protect your company by a firewall: it implements access control
• Question: What do you think would be the biggest breach in firewalls?

Firewalls

A common implementation of a firewall.

Secure Mobile Code

• Problem: Mobile code is great for balancing communication and computation, but it is hard to implement a general-purpose mechanism that allows different security policies for local resource access. In addition, we may need to protect the mobile code (e.g., agents) against malicious hosts.

Protecting a Host

• Observation: We need to be able to distinguish local from remote code before being able to do anything
• Refinement 1: We need to be able to assign a set of permissions to mobile code before its execution and check operations against those permissions at all times
• Refinement 2: We need to be able to assign different sets of permissions to different units of mobile code ⇒ authenticate mobile code (e.g., through signatures)
• Question: What would be a very simple policy to follow (Microsoft's approach)?

Protecting the Target (1)

The organization of a Java sandbox.

Protecting the Target (2)

a) A sandbox
b) A playground

Protecting the Target (3)

The principle of using Java object references as capabilities.

Protecting the Target (4)

The principle of stack introspection.

Key Establishment

• Observation: We can construct secret keys in a safe way without having to trust a third party (i.e., a KDC):
– Alice and Bob have to agree on two large numbers, n and g. Both numbers may be public.
– Alice chooses a large number x, and keeps it to herself. Bob does the same, say y.
• Key establishment:
– Alice sends (n, g, g^x mod n) to Bob
– Bob sends (g^y mod n) to Alice
– Alice computes K_A,B = (g^y mod n)^x = g^xy mod n
– Bob computes K_A,B = (g^x mod n)^y = g^xy mod n

Key Establishment

The principle of Diffie-Hellman key exchange.
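The exchange above in the slides' notation, with both messages spelled out, as an added example (not code from the slides). The range check on a received public value is an added practitioner's guard, not part of the slides' description; the modulus 2^61-1 in the demo is a constructed toy parameter, not a standardised group.

```python
"""Diffie-Hellman key establishment with public (n, g) and private x, y
(added example). Each side rejects a received value outside 1 < v < n-1,
since 0, 1 and n-1 would force the shared key into a tiny set."""
from __future__ import annotations
import secrets


def public_value_ok(v: int, n: int) -> bool:
    """Added guard: a public value g^x mod n must lie strictly between 1 and n-1."""
    return 1 < v < n - 1


class Party:
    def __init__(self, name: str):
        self.name = name
        self.n = self.g = self.secret = self.shared = None

    def start(self, n: int, g: int) -> tuple[int, int, int]:
        """Alice: pick private x, send (n, g, g^x mod n) to Bob."""
        self.n, self.g = n, g
        self.secret = secrets.randbelow(n - 3) + 2      # x in [2, n-2], kept private
        return n, g, pow(g, self.secret, n)

    def respond(self, msg: tuple[int, int, int]) -> int:
        """Bob: receive (n, g, g^x mod n), pick private y, reply g^y mod n,
        and compute K_A,B = (g^x mod n)^y mod n."""
        n, g, gx = msg
        if not public_value_ok(gx, n):
            raise ValueError(f"{self.name}: rejected degenerate value {gx}")
        self.n, self.g = n, g
        self.secret = secrets.randbelow(n - 3) + 2      # y in [2, n-2], kept private
        self.shared = pow(gx, self.secret, n)
        return pow(g, self.secret, n)

    def finish(self, gy: int) -> int:
        """Alice: K_A,B = (g^y mod n)^x mod n."""
        if not public_value_ok(gy, self.n):
            raise ValueError(f"{self.name}: rejected degenerate value {gy}")
        self.shared = pow(gy, self.secret, self.n)
        return self.shared


def key_exchange(n: int, g: int) -> tuple[int, int]:
    """Run one exchange; returns (Alice's key, Bob's key), which must agree."""
    alice, bob = Party("Alice"), Party("Bob")
    msg1 = alice.start(n, g)        # Alice -> Bob: (n, g, g^x mod n)
    msg2 = bob.respond(msg1)        # Bob -> Alice: g^y mod n
    alice.finish(msg2)
    return alice.shared, bob.shared


if __name__ == "__main__":
    TOY_N, TOY_G = (1 << 61) - 1, 3           # constructed toy parameters
    ka, kb = key_exchange(TOY_N, TOY_G)
    print(ka == kb, hex(ka))                   # True, and a 61-bit shared key
```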

Key Distribution

• Essence: If authentication is based on cryptographic protocols, and we need session keys to establish secure channels, who's responsible for handing out keys?
• Secret keys: Alice and Bob will have to get a shared key. They can invent their own and use it for data exchange. Alternatively, they can trust a key distribution center (KDC) and ask it for a key.
• Public keys: Alice will need Bob's public key to decrypt (signed) messages from Bob, or to send private messages to Bob. But she'll have to be sure about actually having Bob's public key, or she may be in big trouble.
• Use a trusted certification authority (CA) to hand out public keys. A public key is put in a certificate, signed by a CA.

Key Distribution (1)

Secret-key distribution

Key Distribution (2)

Public-key distribution (see also [menezes.a96]).

Secure Group Management

• Structure: The group uses a key pair K for communication with non-group members. There is a separate shared secret key CK_G for internal communication. Assume process P wants to join the group and contacts Q.

Secure Group Management

1: P generates a one-time reply pad RP, and a secret key K_P,G. It sends a join request to Q, signed by itself (notation: JR_P), along with a certificate containing its public key K_P^+.
2: Q authenticates P and checks whether it can be allowed as a member. It returns the group key CK_G, encrypted with the one-time pad, as well as the group's private key, encrypted with CK_G.
3: P authenticates Q and sends back K_P,G(N), letting Q know that it has all the necessary keys.
• Question: Why didn't we send K_P^+(CK_G) instead of using RP?

Secure Group Management

Securely admitting a new group member.

Authorization Management

• Issue: To avoid that each machine needs to know about all users, we use capabilities and attribute certificates to express the access rights that the holder has.
• In Amoeba, restricted access rights are encoded in a capability, along with data for an integrity check to protect against tampering.

Capabilities and Attribute Certificates (1)

48 bits      | 24 bits | 8 bits | 48 bits
Server port  | Object  | Rights | Check
A capability in Amoeba.

Capabilities and Attribute Certificates (2)

Generation of a restricted capability from an owner capability.
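The 128-bit Amoeba capability layout shown above and the derivation of a restricted capability from an owner capability, as an added example (not code from the slides or from Amoeba). The check-field construction is this example's assumption: the owner capability carries a random 48-bit value C known only to the server, and a capability restricted to rights R carries f(C XOR R) for a one-way function f (truncated SHA-256 here). The server can recompute either form from C, so a holder cannot change the rights byte without knowing C.

```python
"""Amoeba-style capabilities with an integrity check (added example; the
f(C XOR R) construction and the use of SHA-256 are assumptions).
Server port, object number and rights in demo() are constructed values."""
import hashlib
import secrets
from dataclasses import dataclass

ALL_RIGHTS = 0xFF               # owner capability: all eight rights bits set
MASK48 = (1 << 48) - 1


def f(value: int) -> int:
    """Assumed one-way function with a 48-bit output."""
    digest = hashlib.sha256(value.to_bytes(6, "big")).digest()
    return int.from_bytes(digest[:6], "big")


@dataclass(frozen=True)
class Capability:
    server_port: int            # 48 bits: which server
    obj: int                    # 24 bits: which object at that server
    rights: int                 # 8 bits: permitted operations
    check: int                  # 48 bits: integrity check

    def pack(self) -> bytes:
        """Wire layout, 128 bits: port | object | rights | check."""
        v = (self.server_port << 80) | (self.obj << 56) | (self.rights << 48) | self.check
        return v.to_bytes(16, "big")

    @classmethod
    def unpack(cls, raw: bytes) -> "Capability":
        v = int.from_bytes(raw, "big")
        return cls(v >> 80, (v >> 56) & 0xFFFFFF, (v >> 48) & 0xFF, v & MASK48)


class ObjectServer:
    """Keeps the secret check value C for every object it has created."""

    def __init__(self, port: int):
        self.port = port
        self.checks: dict = {}

    def create_object(self, obj: int) -> Capability:
        c = secrets.randbits(48)
        self.checks[obj] = c
        return Capability(self.port, obj, ALL_RIGHTS, c)

    def verify(self, cap: Capability) -> bool:
        """Owner capabilities present C itself; restricted ones present f(C XOR R)."""
        c = self.checks.get(cap.obj)
        if c is None or cap.server_port != self.port:
            return False
        expected = c if cap.rights == ALL_RIGHTS else f(c ^ cap.rights)
        return cap.check == expected


def restrict(owner: Capability, rights: int) -> Capability:
    """Derive a weaker capability without contacting the server."""
    if owner.rights != ALL_RIGHTS or not 0 <= rights < ALL_RIGHTS:
        raise ValueError("only an owner capability can be restricted, to fewer rights")
    return Capability(owner.server_port, owner.obj, rights, f(owner.check ^ rights))


def rewrite_rights(cap: Capability, rights: int) -> Capability:
    """A tampered capability: rights byte changed, old check kept; verify() rejects it."""
    return Capability(cap.server_port, cap.obj, rights, cap.check)


def demo() -> dict:
    """Constructed scenario: owner cap, a read-only restriction, a tampered copy."""
    server = ObjectServer(port=0x123456789ABC)
    owner = server.create_object(obj=42)
    read_only = restrict(owner, rights=0x01)
    tampered = rewrite_rights(read_only, rights=0x03)
    return {
        "owner_ok": server.verify(owner),
        "restricted_ok": server.verify(read_only),
        "tampered_ok": server.verify(tampered),
        "roundtrip": Capability.unpack(read_only.pack()) == read_only,
    }
```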

Delegation

• Observation: A subject sometimes wants to delegate its privileges to an object O1, to allow that object to request services from another object O2
• Example: A client tells the print server to fetch a file from the file server to make a hard copy ⇒ the client delegates its read privileges on the file to the print server
• Nonsolution: Simply hand over your attribute certificate to a delegate (which may pass it on to the next one, etc.)

Delegate Privileges

• Problem: To what extent can the object trust a certificate to have originated at the initiator of the service request, without forcing the initiator to sign every certificate?
• Solution: Ensure that delegation proceeds through a secure channel, and let a delegate prove it got the certificate through such a path of channels originating at the initiator.

Delegation (1)

The general structure of a proxy as used for delegation.

Delegation (2)

Using a proxy to delegate and prove ownership of access rights.

Example: Kerberos (1)

Authentication in Kerberos.

Example: Kerberos (2)

Setting up a secure channel in Kerberos.

SESAME

• SMIB: Database holding shared secret keys, basic access rights, and so on
• AS: Authenticates a user, and returns a ticket
• PAS: Hands out attribute certificates
• KDS: Generates session keys for authenticated users
• Security Manager: Handles setting up and communicating over a secure channel
• PVF: Validates access rights contained in attribute certificates

SESAME Components

Overview of components in SESAME.

Privilege Attribute Certificates (PACs)

Field                      Description
Issuer domain              Name the security domain of the issuer
Issuer identity            Name the PAS in the issuer's domain
Serial number              A unique number for this PAC, generated by the PAS
Creation time              UTC time when this PAC was created
Validity                   Time interval when this PAC is valid
Time periods               Additional time periods outside which the PAC is invalid
Algorithm ID               Identifier of the algorithm used to sign this PAC
Signature value            The signature placed on the PAC
Privileges                 A list of (attribute, value)-pairs describing privileges
Certificate information    Additional information to be used by the PVF
Miscellaneous              Currently used for auditing purposes only
Protection methods         Fields to control how the PAC is used
The organization of a SESAME Privilege Attribute Certificate.

Electronic Payment Systems (1)

Payment systems based on direct payment between customer and merchant.

a) Paying in cash.
b) Using a check.
c) Using a credit card.

Electronic Payment Systems (2)

Payment systems based on money transfer between banks.

a) Payment by money order.
b) Payment through debit order.

Privacy (1)

            Merchant   Customer   Bank   Observer
Merchant    Full       Full       None   Full
Customer    Partial    Full       None   Partial
Date        Full       Full       None   Full
Amount      Full       Full       None   Full
Item        Full       Full       None   Full
Information hiding in a traditional cash payment.

Privacy (2)

Party       Merchant   Customer   Bank   Observer
Merchant    Full       Full       Full   Full
Customer    Full       Full       Full   Partial
Date        Full       Full       Full   Full
Amount      Full       Full       Full   Full
Item        Full       Full       None   Full
Information hiding in a traditional credit-card system (see also [camp.lj96a]).

E-cash

The principle of anonymous electronic cash using blind signatures.

Secure Electronic Transactions (SET)

The different steps in SET.