Security

1
Security

• Introduction to Distributed SystemsCS
  457/557Fall 2008Kenneth Chiu

2
Security
3
Security Threats, Policies, and Mechanisms

• Can a secure system be undependable? Can
  dependable system be insecure?
• Confidentiality, integrity?
• Types of security threats to consider?
• Interception
• Interruption
• Modification
• Fabrication
• What is the difference between security policy
  and security mechanism?
• Change passwords every month?
• Important mechanisms
• Encryption
• Authentication
• Authorization
• Auditing

4
The Globus Security Policy

• The environment consists of multiple
  administrative domains.
• Local operations are subject to a local domain
  security policy only.
• Global operations require the initiator to be
  known in each domain where the operation is
  carried out.
• Global authentication replaces local
  authentication.
• Operations between entities in different domains
  require mutual authentication.
• Controlling access to resources is subject to
  local security only.
• Users can delegate rights to processes.
• A group of processes in the same domain can share
  credentials.

5
Proxies

• Globus focuses on cross-domain.
• In another domain, it is necessary to have some
  representative.
• User proxies Process that acts on behalf of an
  agent.
• Resource proxies Process that translates global
  operations into local operations. User proxies
  talk to resource proxies.

6
(No Transcript)
7
Design Issues

• Focus of Control (where do you put your
  perimeter).
• Layering (where do you put your security layer)

8
Focus of Control

• Protection against invalid operations, protection
  against unauthorized invocations, protection
  against unauthorized users.

9
Layering of Security Mechanisms

• Where do you put your security?
• This depends on trust.
• Suppose you are calling your mom? Would you be
  happy if someone was listening in? Who are you
  trusting?
• Do you encrypt your e-mail? Who are you trusting?
• Suppose you were sending an e-mail that was a
  matter of life or death.

10
Layering of Security Mechanisms

• Several sites connected through a wide-area
  backbone service.
• Alice wants to send a message to Bob at a
  different site.
• Does she trust the system admins? If not, what
  does she do?
• May trust sysadmins, but the site does not trust
  the backbone.

11
Trust

• Implicit in many security systems is the notion
  of trust, and trust chaining.
• Suppose you meet a stranger A, and A asks to
  borrow money. Do you loan it to him?
• Suppose B says A is trustworthy?
• Suppose C says B is trustworthy?
• Suppose you trust C?
• Ultimately, you have to trust someone. A trusted
  computer system can be built by using similar
  kinds of chaining mechanisms. But you want to
  keep the trust base as small as possible.

12
Developing a TCB
13
Cryptography Terminology

• CEk(P), PDk(C)
• Three different kinds of attacks intercept,
  modify, insert.
• Are there situations where just knowing there are
  messages tells you something?

14
Symmetric vs. Asymmetric

• Symmetric (secret key, shared key) Same key is
  used both to encrypt and decrypt.
• P DK(EK(P))
• KA,B means a key shared by A and B.
• Asymmetric (public-key) Different key is used to
  encrypt and decrypt.
• P DKD(EKE(P))
• Notation KA is public key of A and K-A is
  private key of A.
• How do I send something using secret-key?
  Private-key?
• Which is better?

15
Hash Functions (Message Digests)

• Hash function takes any length message and
  produces a fixed-length bit string
• h H(m)
• What are these used for?
• Fingerprinting Make sure two messages are
  identical.
• Alice sends Bob a plaintext document over a
  high-bandwidth insecure channel. She does not
  care if others read it, but she does want to make
  sure that no one modifies it. She also has a
  low-bandwidth secure channel she could use (phone
  call).
• How can she use a hash function?
• What properties are desirable?
• One-way functions
• Weak collision resistance
• Cannot find another message with the same hash.
• Strong collision resistance
• Cannot find any two messages that collide.
• What is the difference between hash functions and
  CRCs/checksums?

16
Symmetric DES

• A fast, very common symmetric key cipher.
• Uses 56-bit keys.
• Somewhat out-of-date, though.
• Operates on 64-bit blocks of data.

17

• Each block is transformed in 16 rounds.
• Each round uses a different 48-bit key.
• Each of the 16 keys derived from a 56-bit master
  key.
• Initial permutation is used, which is then
  inverted at the end.

18

• In each round, the block is split in half.
• Right part is left part in next round.
• Left part is XORed with a mangling of the right
  part plus the key.

19

• Each 48-bit key is derived from the 56-bit key.
• First permuted, then divided into halves.
• For each round, each half is rotated one or two
  bits to the left or right.
• Then 24 bits are extracted.
• Two halves are added back together.

20

• Does this look suitable for a hardware
  implementation?

21

• DES is fast.
• It is somewhat old, though, and is being
  replaced.
• How would you try to easily improve the security
  of DES, without designing a whole new algorithm?
• Triple DES, using encrypt-decrypt-encrypt, using
  three keys.

22
Public-Key Cryptosystems RSA

• Generating the private and public keys requires
  four steps
• Choose two very large prime numbers, p and q.
• Compute n p q and z (p - 1) (q - 1).
• Choose a number d that is relatively prime to z.
• Compute the number e such that e d 1 mod z.
• To encrypt a message, divide into blocks such
  that m
• Encrypt c me (mod n).
• Decrypt m cd (mod n).
• RSA is about 100-1000 times slower.
• Depends on the fact that it is very hard to
  factor numbers.

23

• Example
• Key generation
• Choose p 61, and q 53.
• n 6153 3233, z 6052 3120
• Choose d 17 (relatively prime)
• Compute e such that ed 1 mod z, choose e
  2753.
• Let public key be (17, 3233), and private key be
  (2753, 3233).
• Encryption
• Divide message into blocks, such that each block
  as a number is less than 3233. We use 11 bits.
• Message is Hello
• In binary, that is 0x48, 0x65, 0x6C, 0x6C, 0x6F.

24
Hash Functions MD5

• Produces a constant-length hash of 128 bits.
• Message needs to be a multiple of 512.
• Pad to 448, add the length as a 64-bit integer.
• Start with some 128-bit value. For each block, do
  a computation on the current hash, plus the next
  512 bit block. This is called a phase.

25

• Each phase consists of four rounds. Each round
  uses a function which operates on three 32-bit
  values, and is one of
• F(x, y, z) (x AND y) OR ((NOT x) AND z)
• G(x, y, z) (x AND z) OR (y AND (NOT z))
• H(x, y, z) x XOR y XOR z
• I(x, y, z) y XOR (x OR (NOT z))
• The current 128-bit hash value is broken up into
  p, q, r, s. The current 512-bit block is broken
  up into 16 32-bit blocks, named b0, b1, etc.

26
Hash Functions MD5

• These are the 16 iterations for first round.
• Round two uses G, H and I are 3rd and 4th round.
• So, one phase per block, each phase is four
  rounds, using F, G, H, and I respectively, and
  each round is 16 iterations.

27
Secure Channels
28
Authentication and Authorization

• How to make communications secure?
• Are you who you say you are?
• How to find out whether or not you authorized to
  do what you want to do?

29
Authentication

• Can you have authentication without message
  integrity?
• I know that Bob sent the message, but someone may
  have tampered with it.
• Suppose your mom sends you a message. You are
  sure it is your mom, because you have
  authentication, but you do not have message
  integrity, so someone might have modified it.
• The message says When are you getting married?
  Does this do you much good?
• I know that no one tampered with it, but I dont
  know whether or not it was really Bob that sent
  it.
• Suppose you get a message, Why havent you
  called me recently? You are positive that the
  message has not been tampered with, because you
  have integrity. It seems to be from your mom, but
  you dont have authentication, so it could
  actually be one of your friends playing a joke on
  you.
• What about authentication and integrity without
  encryption? Is this useful?

30
Shared Secret Key Authentication

• Suppose Alice and Bob share a secret key. How can
  they setup a secure channel over an insecure
  medium?

31

• Alice sends her identity to Bob.
• Bob sends a challenge (random number?).
• Alice must encrypt and return.
• Alice then sends a challenge to Bob.
• Bob must encrypt and return.

32
An Optimization

• Authentication based on a shared secret key, but
  using three instead of five messages.

33
Attack Attempt

• Chuck tries to set pretend to be Alice.
• He sends the initial message to Bob.
• Bob responds with the encrypted challenge, but
  then his own challenge.
• Chuck cannot properly respond to the challenge
  because he doesnt have the key.

34
Reflection Attack

• Moral, never encrypt anything without knowing who
  you are encrypting it for.
• Designing secure algorithms is hard.

35
Key Distribution Centers

• If there are N parties using shared secret keys,
  how many keys are needed?
• Alternative is to use a KDC. It has a shared key
  with every host.
• Does the KDC need to be trusted?

36
Key Distribution Centers

• Disadvantage is that Bob has to get into the loop
  first.
• Solutions?

37
Tickets

• Using a ticket and letting Alice set up a
  connection to Bob.
• Can Bob trust Alice?

38
Authentication Using a Key Distribution Center
(3)

• Figure 9-17. The Needham-Schroeder authentication
  protocol.

39
Authentication Using a Key Distribution Center
(4)

• Figure 9-18. Protection against malicious reuse
  of a previously generated session key in the
  Needham-Schroeder protocol.

40
Authentication Using Public Key Cryptography

• What could happen if KB (public key) is fake?
• How can we assure that it is not?
• Is there some way to digitally sign a piece of
  information?

41
Message Integrity

• Suppose you are conducting a transaction through
  e-mail, and Alice promises to buy your video game
  collection for 500.
• Say you send Alice your collection, and she sends
  you a 300 check. You are being ripped-off. How
  can you prove that she agreed to 500?
• Say that you try to get back at her, and claim
  that she actually offered 700. How can she prove
  that she only offered 500?
• Two things need to be taken care of
• You cant claim that she actually offered 700.
• She cant deny sending the offer.

42
Digital Signatures

• How can you verify that a document is real?
• What do we use in the real world?
• What if we really need to be certain?
• What if it were encrypted with the private key of
  the sender?
• You could decrypt it with As public key. If it
  decrypted properly, then A must have encrypted it.

43
Digital Signatures

• Signing by encrypting the whole message.
• Can Alice claim her key was stolen?

44
Optimization

• Encrypting with PKC is slow. Can we leverage
  hashes somehow?
• Compute hash of the message (message digest).
  Encrypt the hash.
• This known as a digital signature.

45
Digital Signatures

• Signing just the hash.

46
Session Keys

• How to combine PK with symmetric key?
• Is it necessary to change the key every time?

47
Secure Replicated Servers

• Figure 9-22. Sharing a secret signature in a
  group of replicated servers.

48
Example Kerberos

• Ticket Granting Service (TGS), and Authentication
  Server (AS).
• A ticket is a special message used to convince a
  server that the client is who he or she claims to
  be.
• User A and AS share a secret key (derived from
  password). AS and TGS share a key.
• How do you generate a key from a password?
• Is this SSO (Single-Sign On)?

49
Setting Up A Secure Channel

• First send message to Bob, with timestamp to
  prevent replay attacks.
• Bob sends back, also to prevent replay attacks.

50
Access Control
51
Access Control

• Imagine a server with a number of entities (which
  we will call objects) under its control. Requests
  come in, but are allowed only if the sender has
  sufficient access rights.
• Authorization is how to grant rights. Access
  control is how to verify rights. Very similar,
  and frequently used interchangeably.

52
General Model

• Reference monitor is like a security perimeter.

53
Access Control Matrix

• To model the rights, use a matrix. Each row is a
  subject, each object is a column. So Ms,o is an
  entry, which contains the allowed methods.

54
Access Control Lists

• Matrix is large, and often empty. So use a list
  instead, granting or removing rights.
• Bob, readAlice, writeChuck, check timestamp

• What happens if a server has to keep track of a
  1000 users?
• What if your enterprise has a thousand servers?

55
Capabilities

• ACLs require the server to keep track. This can
  be cumbersome, especially if the authority
  granting rights is different.
• Capabilities grant rights, they are like a
  ticket, or a voucher.
• If you have the capability, you are allowed the
  operation.
• How can we implement this? PKI? Kerberos?

Capabilities and ACLs are lists made in different
directions of the matrix.
56
Protection Domains

• Consider using an ACL. Suppose there are 10,000
  users in an organization. How big does the ACL
  list for a service need to be?
• Suppose there are 100 possible operations per
  service.

57

• Groups One approach is to put users into groups.
• When a user attempts an operation, the server
  checks which group the user is in.
• Groups can be hierarchical, as seen below.
• Should you allow a user to be in more than one
  group?

How does the server know which group a user is in?
58

• Roles Protection domains can also be
  implemented/approached as roles.
• Users may have different roles.
• How is this different from groups?
• Primary difference is conceptual approach.
• In terms of implementation, it is flexible.

59

• In addition to grouping the subjects, we can also
  group the objects.

60
Firewalls

• What is a firewall?
• Does it replace the security discussed so far?

61
Mobile Code

• Suppose you have an agent moving around for you,
  trying to find the best airplane ticket, visiting
  different airlines.
• As the mobile agent moves around, who/what might
  need protection?

62
Protecting Mobile Agents

• Can we protect a mobile agent from being
  destroyed?
• How about detecting modifications?
• Suppose you are sending an agent out to book
  airline tickets. Your agent first goes to Chucks
  Cheap Planes, then will go to Alices
  Safety-Last. Could Chuck change your agent so
  that it will think it already went to Alices?
• Detect changes to read-only state.
• Sign the state, so when it arrives, can detect
  modifications. How good?
• Cannot detect if it was using this during
  execution, though.
• Append only logs.
• Initially, log is emptyCinit Kowner(N)
• If a server S appends new data X, S appends X to
  log, and computes new checksum Cnew
  Kowner(Cold, sig(S, X), S)
• Selective revealing of state.
• Provide an array of data items. Each entry is
  only for a designated server, and is encrypted
  with that servers public-key.

63
Protecting the Target (Host)

• What kinds of malicious mobile code might attack
  your computer?
• Virus
• Applets, ActiveX controls, etc.
• How do you protect your computer against
  malicious mobile code?
• Sandboxing two steps
• Make sure that retrieving the remote code is
  secure (secure classloader).
• Verifying the byte code
• What could happen if the first step was not
  secure?

64
Protecting the Target

• Class loaders are trusted, verified.
• Class verifier to make sure that no illegal
  things are done. Such as?
• A security manager is used at run-time. What will
  it allow/disallow?
• What if it needs local files for state, etc.?
• A sandbox is very restrictive. Jail is probably
  a better term.

65
Playgrounds

• It makes sense that an untrusted agent should be
  able to create a file in its own space.
  Playgrounds allow a group of untrusted agents to
  create and use local resources.
• Should it be a separate machine?
• Another policy is to authenticate source, and use
  a specific security policy based on source. In
  other words, tailor the sandbox to the degree of
  trust. If very trusted, then no need for sandbox.

66
Verifying Agents

• How can you trust a mobile agent that you run on
  your computer?

67
Enforcing Security Policies
68

• Can treat object references as capabilities.
• This fine-grained control might be implemented
  using capabilities via object refs.

69

• Stack introspection
• How about more fine-grained?
• All calls to a method m of a resource first call
  enable_privilege to check authorization. Upon
  return, call disable_privilege.
• Java interpreter can handle this automatically.
• Can also use this to check chains. Suppose O1 can
  call O2, but the specific method is not allowed
  to the original invoker of O1. Stack
  introspection can check this.

70
Distributed Denial of Service

• What is it?
• Can be classified into two kinds, roughly.
  Denying bandwidth and hogging up server
  resources.
• How does a typical DDoS work? How can we protect
  against them?

71
Distributed Denial of Service

• No single way to protect, need comprehensive
  plan.
• Protect machines from getting taken over.
• Monitor egress routers.
• Monitor ingress (how well does this work?)
• Monitor overall network.

72
Security Management
73
Key Establishment

• Is it possible for two parties to establish a
  secret key?
• PKC is one way.
• Another way is to use Diffie-Hellman.
• Agree on n and g. (Can be public.)
• Alice picks a large, secret number, say x.
• Sends as below to Bob.
• Bob picks secret number y.
• gx mod n is sent in plaintext, what is required
  for this to work?

74
Key Distribution

• One pain of these systems is distributing the
  actual, initial secret key.

75
Public Key Distribution

• Earlier we talked about how we can be assured
  that a publiic key is genuine.
• Public key distributed with authentication.
  Private with confidentiality and authentication.

76
PK Certificates

• How do we generate a PK pair, for use in PKI? How
  do we verify that the public key is real?
• User generates pair.
• Encrypts cert request (containing public key)
  with public key of CA.
• How do we know the public key is correct?
• Send it to the CA.
• CA decrypts it, then sends back a signed
  document.
• A user, when it needs a public key for Bob, can
  now ask for a certificate. It computes the hash,
  then decrypts the hash in the cert with the
  public key of the CA. If there is a match, then
  the public key must be valid.

77
Digital Certificates Verification

• How can you verify that the public key you have
  for Bob is the real one?
• Compute the hash. Decrypt the signature with the
  public key of the signer. If it matches, must be
  correct.
• What would it take to break?
• Cant change, because dont know private key.
• Can we create a message that has the same hash?

78
Hierarchies of Trust

• Suppose you are a CA, and there are 1000 requests
  per week going to you from, say SUNY Albany. That
  is too many! What do you do?
• Delegate. Tell them to be their own CA. What is
  the disadvantage?
• Multiple trusted root CA certs.
• Instead, use chains of trust.

79
Trust Chains

• There is no solution. Eventually you must trust.
• So, use a chain of trust. Assume that you have
  the public key of the root authority, RA, and
  that you got it in a way that you trust it is
  correct.
• If you have a PK of B, that you can verify was
  encrypted with RAs private key, then RA vouches
  for the authenticity of Bs public key.
• You can chain this trust, so RA encrypts RA1s
  public key, RA1 encrypts RA2s public key, etc.

80
Certificate Revocation

• Suppose you get a certificate for working in a
  company. Suppose you switch jobs.
• Should your certificate still work?
• How to make it not work?
• One way is with a list of known invalid
  certificates.
• How is it distributed? How is it checked? How
  long will it get?
• Another way is by putting an expiration in the
  certificate. How?
• Does a list still need to be checked?
• What would you do?

81
One-Time Pads

• Anyone ever use a shortwave radio?
• Suppose you are a spy, and you cannot use any
  fancy techniques like DES. (Why not?)
• You do have a radio, by which you can transmit
  and receive.
• How do you encrypt your communications?

82
Secure Group Management

• Suppose there are a group of secure servers.
• For communicating within the group, there is a
  shared secret key.
• For communications from outside, there is a
  public-private key pair.
• How does a new process join the group?

83

• There is a shared secret key CKG. There is a
  public private key pair KG and K-G.
• When a process P wants to join, it sends a join
  request (1).
• Q first authenticates P. How does it know the
  join request is real?
• A separate protocol is then used to decide on
  admittance.
• Why use the one-time pad?

84
Authorization Management

• Suppose you go to check out a book, or you are
  trying to get into an exclusive party at a
  nightclub?
• How are you authorized?
• What are the pros/cons of the two approaches?
• Two basic approaches ACLs and capabilities.
• A capability is an unforgeable data structure or
  document that grants the holder certain rights.
  The capability is relatively self-contained.
• Maybe some external information to validate, but
  no explicit storage of rights on server.

85
Capabilities

• How are these implemented?
• Suppose you are trying to access a service. What
  can you present to verify that you have rights to
  that service?
• How about just a string that says I have been
  authorized to access SSNs?
• How about a kind of password?
• Is it possible to delegate (perhaps when changing
  roles)?

86
Capabilities in Amoeba

• Check field is a random number associated with
  the object, and stored in the server.
• Can you forge this?
• How can you create a restricted capability?

87

• XOR new rights with old check field.
• Hash it using a one-way function.
• How does a server verify a capability? Does the
  server need to be involved?
• Can someone add rights to a capability?
• Can multiple levels of delegation occur?

88

• Can we do capabilities with PKI?

89
Delegation

• Assume you want to print a file, but want to do
  it at 4 AM. But you are asleep then, so you send
  in a request now to the print server?
• Does the print server have access rights to your
  file?
• Could just use a certificate, saying that the
  holder of this certificate has rights R. But it
  could be copied.

90

• Proxy used for delegation.
• Let A be the process that created it.
• First part is CR, Sproxy. Sproxy is a public
  part of a secret. C is signed to protect against
  modification.
• If A wants to delegate, creates this proxy. How
  does Bob prove that he didnt just copy it?
• By knowing the secret.
• Can Bob pass on the rights?

91

• How the proxy is used.

92

• What about using signed messages? Can we chain
  these?
• Alice gives Bob a certificate listing rights. She
  also creates a temporary PK certificate.
• Now, if Bob wants to delegate, he can create
  another certificate that he signs using the proxy
  cert. He then sends it to Dave.
• If Dave wants to do something, he presents his
  rights, signed by Bob. Bobs rights, signed by
  Alice.