© City University London, Dept. of Computing Distributed Systems / 10 - 1
Distributed Systems
Session 10: Security
Christos Kloukinas
Dept. of Computing
City University London
Session 10 - Outline
1 Motivation
2 Styles of Attacks
3 Cryptography
4 Authentication
5 Security Systems
6 Summary
Security in Distributed Systems
[Figure: ENCRYPTION, Authentication, Access Control, Auditing and Non-Repudiation, placed on a scale from "High Level" to "Low Level"]
E.g. Consider online Bank Example
1 Motivation
More vital/secret data handled by distributed components.
Security: protecting data stored in and transferred between distributed components from unauthorised access.
Security is a non-functional requirement that cannot be added as a component but has to be built into all components.
1 Why are Distributed Systems insecure?
Distributed components rely on messages sent and received from the network.
Is the network (especially WAN networks) secure?
» Packets can be intercepted and modified at network layer!
Is the client component secure?
Is the client component who it claims to be?
Are users of calling components really who they claim to be?
1 Effects of Insecurity
Confidential Data may be stolen, e.g.:
» corporate plans.
» new product designs.
» medical/financial records (e.g. Access bills....).
Data may be altered, e.g.:
» finances made to seem better than they are.
» results of tests, e.g. on drugs, altered.
» examination results amended (up or down).
1 Need for Security
Loss of confidence: above effects may reduce confidence in computerised systems.
Claims for damages: legal developments may allow someone to sue if data on computer has not been guarded according to best practice.
Loss of privacy: data legally stored on a computer may well be private to the person concerned (e.g. medical/personnel record).
2 Threats
Categorisation of attacks (and goals of attacks) that may be made on system.
Four main areas:
» leakage: information leaving system.
» tampering: unauthorised information altering.
» resource stealing: illegal use of resources.
» vandalism: disturbing correct system operation.
» denial of service: disrupting legitimate system use.
Used to specify what the system is secure against.
2 Threats
Leakage denotes the disclosure of information to unauthorised subjects.
» Baazi hacking into a CAD System of Rolls Royce in order to obtain the latest design of RR's jet engines.
» Although fatal in this case, leakage is probably the category that causes the least damage of the above.
Tampering denotes the unauthorised modification of data.
» We would have a case of tampering, if you hacked into the School's database in order to alter the marks of your Distributed System courseworks.
2 Threats (ctd.)
Resource stealing identifies the illegal use of resources and not paying, e.g. CPU time, bandwidth, air time of mobiles.
» A case of resource stealing has occurred when hackers hacked into computers of telephone companies and managed to have their phone calls charged to other customers' accounts.
Vandalism denotes the disturbance of correct system operation.
» The security of CS Dept. in Milan was broken and super user privileges were acquired and then the system's hard disks were formatted. This caused serious damage to the departmental operations for a session.
2 Methods of Attack
Eavesdropping: Obtaining message copies without authority.
Masquerading (Spoofing): Using identity of another principal without authority.
Message tampering: Intercepting and altering messages.
Replaying: Storing messages and sending them later.
Flooding: sending too many messages
Example
[Figure: a request Message with the fields MessageType, requestID, ObjectRef, Method and Arguments; labels: Msg in XDR, Stub, ORB, IIOP; example requests ->Credit(...) and ->balance]
Some Examples
Eavesdropping
» request parameters from client to server may contain sensitive information, e.g. PINs, balances
» Stubs marshal these into standard data representation
» By listening to or sniffing traffic attackers can obtain and decode request parameters --> eavesdropping
Tampering
» Attacker modifies request parameters before they reach server, e.g. credit amount
Replaying
» Attacker intercepts and stores message and has server repeatedly execute operation
» NB: no need to interpret messages, so encryption doesn’t help!
2 Infiltration
Launch of attack requires access to the system.
» Launched by legitimate users.
» Launched after obtaining passwords of known users.
Subtle ways of infiltration:
» Viruses
» Trojan horses.
3 Cryptography
1 Terminology
2 Modern cryptography: Symmetric encryption
3 Modern cryptography: Asymmetric encryption and PGP
3.1 Cryptographic Terminology
Plain text: the message before encryption.
Cipher text: the message after encryption.
Key: information needed to convert from plain text to cipher text (or vice-versa).
Function: the encryption or decryption algorithm used, in conjunction with key, to encrypt or decrypt message.
Key distribution: How to distribute keys between senders and receivers
3.2 Requirements for modern cryptography
Kerckhoffs's principle: knowledge of encryption algorithm should not be an advantage
With computers a brute force attempt is possible, i.e. try every possible substitution until a valid message is produced.
Computers are good at this, so modern schemes must be computationally hard to solve to remain secure.
15 May 1973 American National Bureau of Standards requests proposals for encryption standard
Data Encryption Standard, DES, developed.
Standard describes DEA, Data Encryption Algorithm
DEA is an improvement of IBM’s 1970 Lucifer algorithm
Since November 26, 2001, there’s AES, based on Rijndael
3.2 DES/AES: Symmetric Encryption
One key is used to both encrypt and decrypt data
Encryption and decryption functions are often chosen to be the same
Security should not be compromised by making function well-known as security comes from secret keys
3.2 DES/AES: Using Secret Keys
Sender and recipient exchange keys through some secure, trusted, non-network based means.
Sender encodes message using function and sends, knowing that only the holder of the key (the intended recipient) can make sense of it.
Recipient decodes message & knows that only a key-holding sender could have generated it.
Message can be captured but is of no use.
Secret Key Encryption for Distributed Objects
[Figure: secret key encryption between Caller (Client A, Stub) and Called (Server B, Skeleton)]
Caller:
1. acquire KAB
2. f(KAB, M) --> {M} KAB
3. send()
Called:
1. acquire KAB
2. receive()
3. f^-1(KAB, {M} KAB) --> M
Transmitted message: {M} KAB
Figure also suggests how to deploy
Secret Key Encryption for Distributed Objects
Encryption is done after marshalling (before un-marshalling) and it has been noted that the server object is not local.
Encrypted object request that is transmitted via network is secured against eavesdropping and message tampering
Note that the encryption can be kept entirely transparent for client and server programmers, as it is done by middleware or by the stubs created by middleware
NB: Disadvantage: For Secret Key encryption for distributed objects, number of keys needed increases quadratically by number of objects (one key per pair of communicating objects…)
Public Key (aka Asymmetric) Encryption overcomes this problem
3.3 Asymmetric Encryption
Gives 'one-way' security.
Two keys generated, one used with decryption algorithm (private key) and one with encryption algorithm (public key).
Generation of private key, given public key is computationally hard.
Does not need secure key transmission mechanism for key distribution.
3.3 Asymmetric Encryption: Using Public Keys
Recipient generates key pair.
Public key is published by trusted service.
Sender gets public key, and uses it to encode message.
Recipient decrypts message with its private key.
Replies can be encoded using sender’s public key from the trusted distribution service.
Message can be captured but is of no use.
3.3 Asymmetric Encryption: Sending a msg securely
[Figure: Sender encrypts Message with public key of recipient into Encrypted Message; transmit; Recipient decrypts Encrypted Message with private key of recipient to recover Message]
3.3 Asymmetric Encryption: Signing a msg
[Figure: Sender encrypts Message with private key of sender into Encrypted Message; transmit; Recipient decrypts Encrypted Message with public key of sender to recover Message]
Asymmetric encryption is very versatile: Besides secure transmission, it can be used to sign messages.
Question: How to sign a message and send it securely?
3.3 Asymmetric Encryption with RSA: How does it work?
Rivest, Shamir, Adleman (Boston, Aug 77) develop the RSA algorithm
We need a one-way function (e.g. “$Y^x \bmod P$”) with trap door
Solution:
» Private key: $p, q$ (both large prime numbers), Public key: $N = p q$ and $e$
» Encryption: $C = M^e \bmod N$
» Decryption: Calculate $d$ such that $e d = 1 \bmod (p-1)(q-1)$, then $M = C^d \bmod N$
Can it be attacked: No!!!
– as the power in modular arithmetic is a one-way function
– computing p,q from N does not work as prime factorisation is another one-way function (and it’s believed to be computationally hard to factor a number – but nobody has proved that it’s NP… :-( )
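The key generation, encryption and decryption steps of this slide carried through with small numbers, as an added example that is not part of the original slides. The primes 61 and 53 and e = 17 are constructed toy values, and `recover_d_by_factoring` is a hypothetical helper showing that d falls out as soon as N can be factored, which is why p and q must be large; real systems also add padding, which this textbook form omits.

```python
from math import gcd

def keygen(p, q, e):
    """Slide notation: private p, q; public N = p*q and e; e*d = 1 mod (p-1)(q-1)."""
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    return p * q, e, pow(e, -1, phi)      # (N, e, d); pow(e, -1, m) needs Python 3.8+

def encrypt(m, e, n):
    if not 0 <= m < n:
        raise ValueError("message must be a number smaller than N")
    return pow(m, e, n)                   # C = M^e mod N

def decrypt(c, d, n):
    return pow(c, d, n)                   # M = C^d mod N

def sign(m, d, n):
    return pow(m, d, n)                   # signing uses the private exponent d

def verify(m, sig, e, n):
    return pow(sig, e, n) == m            # anyone can check with the public key

def recover_d_by_factoring(n, e):
    """Hypothetical helper: trial division is instant for a toy N, infeasible for a large one."""
    p = next(f for f in range(2, int(n ** 0.5) + 1) if n % f == 0)
    return pow(e, -1, (p - 1) * (n // p - 1))

# Constructed toy parameters (far too small for real use).
N, E, D = keygen(61, 53, 17)
```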
Public Key Encryption for Distributed Objects
[Figure: public key encryption between Caller (Stub) and Called (Skeleton)]
Caller:
1. acquire KPB
2. f(KPB, M) --> {M} KPB
3. send()
Called:
1. generate KPB, KSB
1. publish KPB
2. receive()
3. g(KSB, {M} KPB) --> M
Transmitted message: {M} KAB
Public Key Encryption for Distributed Objects
Transmission of message is secure
» as only B has the matching private key to decrypt message
For decryption:
» Apply function g to private key and encrypted message.
Differences between public and secret key
» One pair of keys generated for every object, so number of keys is linear to number of objects
Because different functions, f and g
» use of public keys is more complicated for reply messages.
A must generate pair of keys and publish its public key, which B acquires to encrypt reply message
3.3 DES, RSA and PGP – some history
Both DES and RSA were independently discovered in 1975 by Ellis, Cocks and Williamson in top secret Government communication HQ in UK
DES and RSA not available to the public (classified as weapons!)
In the 80s Zimmermann implements PGP (pretty good privacy) as freeware!
» And gets to meet some nice fellows from the FBI…
3.3 Pretty Good Privacy
Public Key encryption used in PGP
Generally available, and can be used for
» encryption of messages
» digital signatures.
PGP combines DES and RSA
» DES fast, but symmetric, hence key distribution problem
» RSA slower, but no key distribution problem
» Solution: Use RSA to encrypt and distribute key for DES encryption!!!
Hybrid: Secure Sockets Layer (SSL) Protocol
Uses RSA encryption
SSL/TLS Client
» generates a secret key for one session, that key is encrypted using server’s public key
» Server’s Pub key: in server’s certificate
» Client can validate certificate with cert. authority
Session key then forwarded to the server and used for further communication between clients and server
Most O-O middleware use SSL rather than straight TCP as transport protocol, to prevent eavesdropping and tampering of object request traffic
4 Authentication
1 Motivation
2 Types of Authentication
3 Needham/Schroeder Protocol
4.1 What is Authentication?
Authentication: Proving you are who you claim to be.
In centralised systems: Password check at session start.
In distributed systems:
» Ensuring that each message came from claimed source.
» Ensuring that each message has not been altered.
» Ensuring that each message has not been replayed.
4.2 Types of Authentication
Authentication can be used to ensure a number of different aspects of an interaction.
Proving that a client of a server is who it claims to be.
This can be refined to proving that the end user has the right to use a service.
4.2 Types of Authentication
Proving both client and server are who they say they are.
This is needed to prevent imposter services collecting information or disrupting (vandalising) the system.
This is really just an extension of the idea of authenticating a client.
4.2 Types of Authentication
Securing communication from eavesdropping.
Authentication will usually involve encrypting data.
This can be used just at the start, to prove the identity of the two ends of the communication link.
4.3 Needham/Schroeder Protocol
Provides a secure way for pairs of components to obtain keys to be used during communication.
Based on an authentication server:
» maintains a name and a secret key for each component.
» can generate keys for peer-to-peer communications.
Secret keys are used for communication with server.
4.3 Needham/Schroeder Protocol
[Figure: message exchange between the Authentication Server (AS), C and S]
1: C, S, NC
2: {NC, S, KCS, {KCS, C}KS}KC
3: {KCS, C}KS
4: {NS}KCS
5: {NS - 1}KCS
C: Client Name
S: Server Name
KC: Client's secret key
KS: Server's secret key
KCS: NEW Secret key for client/server communication
Nx: Nonce generated by x
{M}K: Message encrypted in key K
Assumptions:
• C & S’s identity registered with AS
• AS and object share secret key for mutual communication
• AS is a trusted authority
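The five messages of the figure run end to end, together with the nonce check that makes C reject a replayed message 2 (the earlier point about replaying: encryption alone does not stop it). This is an added example, not code from the original slides; `seal`/`unseal` are a toy encrypt-then-MAC built from SHA-256 and HMAC standing in for a real cipher, and all function names and keys are assumptions.

```python
import hashlib, hmac, json, os

def _stream(key, iv, n):          # SHA-256 in counter mode as a toy keystream
    return b"".join(hashlib.sha256(key + iv + bytes([i])).digest() for i in range(n // 32 + 1))[:n]

def seal(key, obj):
    """{M}K: toy encrypt-then-MAC, standing in for a real authenticated cipher."""
    pt = json.dumps(obj).encode()
    iv = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, iv, len(pt))))
    return iv + ct + hmac.new(key, iv + ct, hashlib.sha256).digest()

def unseal(key, blob):
    iv, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, iv + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or altered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, iv, len(ct)))))

AS_KEYS = {"C": os.urandom(32), "S": os.urandom(32)}   # K_C and K_S, registered with AS

def as_reply(c, s, n_c):
    """Message 2, built by AS: {N_C, S, K_CS, {K_CS, C}K_S}K_C with a fresh K_CS."""
    k_cs = os.urandom(32).hex()
    ticket = seal(AS_KEYS[s], [k_cs, c]).hex()
    return seal(AS_KEYS[c], [n_c, s, k_cs, ticket])

def client_open(msg2, n_c, s):
    """C accepts message 2 only if it echoes the nonce of this very request."""
    got_n, got_s, k_cs, ticket = unseal(AS_KEYS["C"], msg2)
    if got_n != n_c or got_s != s:
        raise ValueError("stale or replayed reply")
    return bytes.fromhex(k_cs), bytes.fromhex(ticket)

def handshake():
    n_c = os.urandom(8).hex()                          # message 1: C, S, N_C
    k_cs, ticket = client_open(as_reply("C", "S", n_c), n_c, "S")
    s_hex, peer = unseal(AS_KEYS["S"], ticket)         # message 3, opened by S
    n_s = int.from_bytes(os.urandom(4), "big")
    msg4 = seal(bytes.fromhex(s_hex), n_s)             # message 4: {N_S}K_CS
    msg5 = seal(k_cs, unseal(k_cs, msg4) - 1)          # message 5: {N_S - 1}K_CS
    return peer, unseal(bytes.fromhex(s_hex), msg5) == n_s - 1

def replay_rejected():
    old = as_reply("C", "S", "nonce-of-an-earlier-run")   # constructed: captured old reply
    try:
        client_open(old, os.urandom(8).hex(), "S")
    except ValueError:
        return True
    return False
```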
5 Security Systems: Kerberos
Kerberos is a network authentication protocol
» allows users and services to authenticate themselves to each other
Based on Needham/Schroeder Protocol.
Developed by Steiner at MIT (1988).
Used in
» OSF/DCE (OSF Distributed Computing Environment).
» Unix NFS.
» An adapted version of it is used in Microsoft Windows
5 Security Systems: CORBA
Supports the following security functionality:
» Authentication of users.
» Authentication between objects.
» Authorisation and access control.
» Security auditing.
» Non-repudiation.
» Administration of security information.
Cryptography is not exposed at interfaces - The OMG has taken explicit care to avoid exposing keys and any other confidential knowledge within the specs. This was done so that the CORBA security specification would not be classified by the US Government as a weapon and, as such, be unavailable for use outside the US.
6 Summary
Threats, Methods of Attack, Infiltration
Cryptology:
» Secret Keys
» Public Keys
Authentication: Needham/Schroeder Protocol
Systems:
» CORBA