Distributed Operating Systems CS551 Colorado State University at Lockheed-Martin

Download Report

Transcript Distributed Operating Systems CS551 Colorado State University at Lockheed-Martin 

Distributed Operating Systems
CS551
Colorado State University
at Lockheed-Martin
Lecture 9 -- Spring 2001
CS551: Lecture 9

Topics
–
Distributed Security (Chapter 11)
 Cryptography
& Digital Signatures
 Authentication
 Access Controls (Firewalls)
–
11 April 2001
Other Algorithms
CS-551, Lecture 9
2
Terms
Computer security: “frequently consists of
two parts: authentication and access
control”
 Authentication: “involves the verification
and identification of a valid user”
 Access control: “strives to prevent
unwanted tampering with data files and
system resources”

11 April 2001
CS-551, Lecture 9
3
Terms, continued
Encryption: “encoding data using a key in
such a manner that an eavesdropper cannot
easily read the data”
 Plaintext: “ the original data”
 Ciphertext: “the encrypted data”
 Decryption: “going from ciphertext to
plaintext”

11 April 2001
CS-551, Lecture 9
4
Terms, concluded
Computationally secure: “An encryption
algorithm is computationally secure if the
system cannot be broken by systematic
analysis with available resources.”
 Private key versus public key
 Symmetric versus asymmetric encryption

11 April 2001
CS-551, Lecture 9
5
Simple Encryption
Cereal box code ring
 See Java assignment on encryption

–
–
11 April 2001
Caesar cipher
Polyalphabetic cipher
CS-551, Lecture 9
6
Figure 11.1 Alice and Bob Use
Cryptography.
Read I as J in Cypher text
11 April 2001
CS-551, Lecture 9
7
Symmetric Encryption


“encryption algorithms where the encryption and
the decryption algorithm utilize the same key”
Examples:
–
–



Caesar cipher
Polyalphabetic cipher
Key must be private
“Secret-key encryption”
Q: how to communicate the key?
–
11 April 2001
Diffie-Hellman key exchange
CS-551, Lecture 9
8
Figure 11.5 Diffie-Hellman Key
exchange.
11 April 2001
CS-551, Lecture 9
9
DES: Data Encryption Standard
Popular private key encryption method
 US standard (NIST 1977)
 Based on IBM’s LUCIFER system
 64-bit key (8 for error detection)
 Encrypts data in blocks of 64 bits
 70,000,000,000,000,000 possible keys
 Three-phrase encryption and decryption

11 April 2001
CS-551, Lecture 9
10
DES Phase 1: Initial Permutation
A permutation of the 64-bit block, changing
the order of bits within each block
 Each 64-bits broken up into two halves

–
–

L0, left half
R0, right half
See DES Permutation Table
–
–
11 April 2001
E.g. the new first bit was the 58th bit
The new last bit was the 7th bit
CS-551, Lecture 9
11
Table 11.1 DES Initial
Permutation [NIST77].
58
50
42
34
26
18
10
2
60
52
44
36
28
20
12
4
62
54
46
38
30
22
14
6
64
56
48
40
32
24
16
8
57
49
41
33
25
17
9
1
59
51
43
35
27
19
11
3
61
53
45
37
29
21
13
5
63
55
47
39
31
23
15
7
11 April 2001
CS-551, Lecture 9
12
DES Phase 2: Shifting (16 times)
Table-dependent
 Each shift uses different subblock of key
 Which subblock is used is determined by

–
–

another set of tables
its own shifting algorithm
The subscripts of the left and right halves
are incremented with each shift
11 April 2001
CS-551, Lecture 9
13
DES Phase 3: Inverse Permutation

Similar to Phase 1
–
Permutes order of bits within each block
Employs the DES Inverse Permutation table
 Generates the final ciphertext
 See figure 11.2

11 April 2001
CS-551, Lecture 9
14
Table 11.2 DES Inverse
Permutation [NIST77].
40
8
48
16
56
24
64
32
39
7
47
15
55
23
63
31
38
6
46
14
54
22
62
30
37
5
45
13
53
21
61
29
36
4
44
12
52
20
60
28
35
3
43
11
51
19
59
27
34
2
42
10
50
18
58
26
33
1
41
9
49
17
57
25
11 April 2001
CS-551, Lecture 9
15
Figure 11.2 The Three Phases
of DES.
11 April 2001
CS-551, Lecture 9
16
Triple DES
Enhanced security
 Employs three 64-bit keys
 DES is used three times on the data, each
time with a different key

–
–
–
11 April 2001
E(P, k1) = C1
E(C1, k2) = C2
E(C2, k3) = C3 (ciphertext)
CS-551, Lecture 9
17
Figure 11.3 Triple DES.
11 April 2001
CS-551, Lecture 9
18
Asymmetric Encryption

Involves two keys
–
–





A public key, ku
A private key, kr
E(P, ku) = C and D(C, kr) = P OR
E(P, kr) = C and D(C, ku) = P
Do not decrypt ciphertext with same key as
encryption key
Mathematically difficult to obtain one key from
the other
Example: Diffie-Hellman, 1976
11 April 2001
CS-551, Lecture 9
19
Figure 11.4 Public-Key
Cryptography.
Output
is ????
Does not
use Kr
Appears
to use Ku
Where
Kr != Ku
11 April 2001
CS-551, Lecture 9
20
RSA
By Rivest, Shamir, and Adleman (1978)
 A public-key encryption algorithm
 Patented
 Three phases

11 April 2001
CS-551, Lecture 9
21
RSA Phase 1
Determining public and private keys

1.
2.
3.
4.
5.
6.
11 April 2001
Choose two large prime numbers, P and Q
Compute N = P * Q
Compute F(N) = (P – 1) (Q – 1)
Choose e: 1 <= e <= N–1; GCD (e, F(N)) = 1
Compute d, where ed = 1 (mod F(N))
Make d and N public as they make up the
public key
CS-551, Lecture 9
22
RSA Phases 2 and 3
Phase 2: Encrypting the message, M

–
–
1 <= M <= N – 1
C = Me (mod N), ciphertext
Phase 3: Decrypting the ciphertext, C

–
11 April 2001
Cd (mod N) = M, original message
CS-551, Lecture 9
23
RSA Example
Phase 1:

1.
2.
3.
4.
5.
Alice chooses P=5, Q=11
So, N = P*Q = 55
F(N) = (P - 1) (Q - 1) = 40
Choose e = 7 [GCD(40,7) = 1]
Determine D = 23
since 7*23 (mod 40) = 161 (mod 40) = 1
11 April 2001
CS-551, Lecture 9
24
RSA Example, continued
Phase 2

1.
2.
11 April 2001
Send message M = 25
Compute C = Me (mod N)
= 257 (mod 55)
= 610,351,625 (mod 55)
= 20 (ciphertext)
CS-551, Lecture 9
25
RSA Example, concluded
Phase 3

1.
2.
11 April 2001
C = 20
Cd (mod N) = M
So 2023 (mod 55) = 8388608 *1023 (mod 55)
= 25
=M
CS-551, Lecture 9
26
Figure 11.5 Diffie-Hellman Key
exchange.
11 April 2001
CS-551, Lecture 9
27
Diffie-Hellman Example
1.
2.
3.
4.
5.
6.
7.
11 April 2001
Alice and Bob agree to let p=11, a=7
Alice generates x=5, where 2 <= 5 <= 11-1
Alice computes ax (mod p) = 75 (mod 11) =
16807 (mod 11) = 10 and sends 10 to Bob
Bob generates y=8, where 2 <= 8 <= 11
Bob computes ay (mod p) = 78 (mod 11) =
5,764,801 (mod 11) = 9 and sends 9 to Alice
Bob computes (ax)y (mod p) = (75)8 (mod 11) =
75*8 (mod 11)
Alice computes (ay)x (mod p) = (78)5 (mod 11) =
78*5 (mod 11)
CS-551, Lecture 9
28
Digital Signatures with Public-Key
Encryption
Employs RSA
 May use private key to encrypt

–
–
Entire file (expensive)
Just signature
Advantage: no key distribution problems
 Recipient may use public key to decrypt and
verify origin
 Only proper public key will decrypt

11 April 2001
CS-551, Lecture 9
29
Authentication
Several steps necessary
 First step is verifying identity of user
 Three methods

–
–
–

User password
User key
Uniqueness of user (fingerprint, retina pattern)
Note: these methods work on centralized
systems as well
11 April 2001
CS-551, Lecture 9
30
Authentication in a DS

Concerns:
–
–
–
–

Eavesdropping
Multiple password management
Replay
Trust
Common solution: certificates
11 April 2001
CS-551, Lecture 9
31
Certificates
“a computer-generated, frequently timevalid, authenticated packet of information”
 Time-valid => prevents later replay

–
–

Can be done with timestamp or nonce
Nonce: “a random value unique for each
communication”
Two approaches:
–
–
11 April 2001
List of certificates, e.g. X.509
Centralized certificate distribution center
CS-551, Lecture 9
32
Figure 11.6 Certificate List
Utilized in Secure RPC.
11 April 2001
CS-551, Lecture 9
33
Figure 11.7 Three-Way X.509
Authentication.
11 April 2001
CS-551, Lecture 9
34
Figure 11.8 Chaining Certificate
Authorities in X.509.
11 April 2001
CS-551, Lecture 9
35
Figure 11.9
Details.
Kerberos Phase 1
IDT = Ticket Granting Service’s ID
IDC = Client’s ID
IDS = Server’s ID
Ni = Nonce value
KC = Client’s private key
KS = Application Server’s key
KT = Ticket Granting Service’s
private key
K1 = System Ticket
K2 = Service Ticket
TS = Starting Time Stamp
TE = Ending Time Stamp
E(a,K) = Applications on encryption
algorithm to a with key K
11 April 2001
CS-551, Lecture 9
36
Figure 11.10 Kerberos
Phase 2 Details.
11 April 2001
CS-551, Lecture 9
37
Figure 11.11 Kerberos Phase 3
Details.
11 April 2001
CS-551, Lecture 9
38
Access Control (Firewalls)
Firewall: “should be immune to security
threats and prevent all security threats from
passing through the wall and to the
system(s) it protects”
 Categories

–
–

Packet-filtering gateways
Proxy services
Both types may be used together
11 April 2001
CS-551, Lecture 9
39
Packet Filtering Gateways
“involves a security engineer who must
explicitly state what may pass through the
wall … what internal information may go
out of the firewall as well as what outside
locations are allowed … may specify what
internal computer services may be shared
with the outside world.”
 “generally implemented on the router that
connects the internal system to the outside
world”

11 April 2001
CS-551, Lecture 9
40
Firewall Routers
“provide a better user interface”
 “easier to configure for security-based
filtering”
 Uses source/destination IP addresses
 Checks IP addresses against table of rules

11 April 2001
CS-551, Lecture 9
41
Proxy Servers
“represents an internal client’s services to
the outside world”
 Two basic types

–
–
11 April 2001
Application-level gateway proxy services
Circuit-level proxy services
CS-551, Lecture 9
42
Application-level gateways
Bastion hosts
 Dual-homed hosts

11 April 2001
CS-551, Lecture 9
43
Circuit-level gateways

Transparent to user
11 April 2001
CS-551, Lecture 9
44
Firewall Architectures
Bastion host architecture
 Filtering host architecture
 Filtering subnet architecture

11 April 2001
CS-551, Lecture 9
45
Figure 11.12 Bastion Host Firewall
Architecture.
11 April 2001
CS-551, Lecture 9
46
Figure 11.13 Filtering Host
Firewall Architecture.
11 April 2001
CS-551, Lecture 9
47
Figure 11.14 Filtering Subnet
Firewall Architecture.
11 April 2001
CS-551, Lecture 9
48
Agreement Protocols
Distributed processes sometimes must agree
 If some sites are faulty, this can be difficult

–

Need to identify/isolate the faults
Model assumptions:
–
–
–
–
–
11 April 2001
n PEs, at most m PEs are faulty
PEs can communicate directly with each other
Receiver can always determine sender of a msg
Communication medium is reliable
PEs can fail
CS-551, Lecture 9
49
Synchronous Computation

A step (or round) consists of the following:
–
–
–
Receive messages
Compute
Send messages
PEs in lockstep
 This model is assumed

11 April 2001
CS-551, Lecture 9
50
Asynchronous Computation

No synchronization
–
At any time, a PE can
 Send
messages
 Compute
 Receive messages

Agreement problem is unsolvable in this
case
11 April 2001
CS-551, Lecture 9
51
PE Failure Model (modes)

Crash fault
–

Omission fault
–

PE stops, does not restart
PE omits to send a message that it should have
Malicious fault
–
Random behavior
 E.g.

sends fictitious messages
If a non-faulty PE doesn’t receive a
message, it can make up a message
11 April 2001
CS-551, Lecture 9
52
Authenticated Messages
Also called signed messages
 A message cannot be forged or modified by
a faulty PE
 Non-authenticated messages

–
PE can forge or modify a message
 As
11 April 2001
it relays it to the next node
CS-551, Lecture 9
53
Performance

Time
–

Message traffic
–

Number of rounds to reach agreement
Number of messages needed to reach
agreement
Storage overhead
–
11 April 2001
Amount of information stored at each node
CS-551, Lecture 9
54
Types of Agreement Problems
Byzantine Agreement Problem
 Consensus Problem
 Interactive Consistency Problem

Recall Lamport’s Byzantine Generals paper
11 April 2001
CS-551, Lecture 9
55
Byzantine Agreement Problems
An arbitrary (source) PE broadcasts a value
 Solution:

–
Agreement
 All
–
non-faulty PEs agree on one value
Validity
source PE is non-faulty, then agree on source’s
initial value
 If
–
–
11 April 2001
If source is faulty, can agree on any value
Faulty PE can agree or not (don’t care)
CS-551, Lecture 9
56
Consensus Problems
All PEs broadcast initial values to all PEs
 Solution:

–
Agreement
 All
–
non-faulty PEs agree on one value
Validity
 If
all non-faulty PEs start with same value, they will
agree on that value
11 April 2001
CS-551, Lecture 9
57
Interactive Consistency Problem
All PEs broadcast initial values to all PEs
 Solution:

–
Agreement
 All
–
non-faulty PEs agree on vector v1, v2, …, vn
Validity
 If ith
PE is non-faulty and its value is vi, then all
non-faulty PEs end with vi as ith value
11 April 2001
CS-551, Lecture 9
58
How the problems compare

Byzantine is special case of interactive problem
–


If each PE runs a copy of Byzantine, then this is
the same as solving the interactive problem
Can use interactive to solve consensus problem
–

Only uses one of the vector values
Can agree to use a majority value in vector
So, can derive all solutions from a solution to the
Byzantine problem
–
11 April 2001
So only consider the Byzantine
CS-551, Lecture 9
59
Byzantine Solutions

All PEs must exchange messages to reach
consensus
–
–
–

Send their own values
Relay received values
Faulty PEs will be confusing
Limit on number of faulty PEs
11 April 2001
CS-551, Lecture 9
60
Limit on Faulty PEs
Limit: m <= floor ( (n-1) / 3 )
 Need m+1 rounds of message exchanges (at
least)
 E.g if n = 4, then m <= 1

–
If m = 1, then each non-faulty PE gets 3
messages
 It
–
11 April 2001
can take the majority value
The faulty PE will always be outvoted
CS-551, Lecture 9
61
Lamport – Shostak - Pease

Given n PEs and less than m faulty PEs
–

n >= 3m + 1
Recursive algorithm
–
OM(0) – Oral Message Algorithm
 Source
sends its value to all other PEs
 Each PE uses the value it receives for the source
11 April 2001
CS-551, Lecture 9
62
Lamport-Shostak-Pease: Example
OM(0)
7
P0
7
P1
7
7
P3
P2
11 April 2001
CS-551, Lecture 9
63
L-S-P: Example, continued
OM(1)
7
P0
7
7
P1
7
P3
7
7
2
3
7
7
P2
P2 is faulty
11 April 2001
CS-551, Lecture 9
64
L-S-P: Example, continued
OM(1)
7
P0
7,2,7
7,3,7
P3
P1
P2 7,7,7
11 April 2001
CS-551, Lecture 9
65
L-S-P: Example, concluded
OM(1)
7
P0
7
7
P3
P1
7
P2
11 April 2001
CS-551, Lecture 9
Now try an example
with N=7 and M=2
66