150 likes | 300 Views
Security Concepts in Distributed systems By Harish R. Kumar . What is Security?. Confidentiality Protection from disclosure to unauthorized persons Integrity Maintaining data consistency Authentication Assurance of identity of person or originator of data Authorization
E N D
What is Security? • Confidentiality • Protection from disclosure to unauthorized persons • Integrity • Maintaining data consistency • Authentication • Assurance of identity of person or originator of data • Authorization • Identity combined with an access policy grants the rights to perform some action
Security Levels • Authentication - Is someone who he or she says he or she is? - Is some object (such as a program) what it says it is? - Does a message come from where it says it comes from? • Can someone deny something he or she did (nonrepudiation)? • Authorization - What is a specific person or group of people allowed to do? • What is a specific program allowed to do? • Encryption -Who is allowed to see what information • protection against system damage • Confidentiality - includes virus protection • firewalls and proxies, • protection against denial-of-service attacks • steps taken to minimize accidental system failures
Distributed SystemAuthentication • 1. Message Content Authentication: the ability to verify that the message • received is exactly the message that was sent • . Message Content Authentication can be achieved by: • applying a cryptographic checksum called a message authentication code (MAC), or by applying a public-key digital signature. • 2. Message Origin Authentication: • The ability to verify that the actual sender of a received message is in fact the sender claimed in the message using a symmetric (secret key) cryptosystem, the receiver of a message can be assured of the validity of the sender since only the sender and receiver of the message possess the key used to encrypt the message. • 3. General Identity Authentication: the ability to verify that a principal's identity is who is claimed. The other two types of authentication are message content authentication and message origin authentication.
Security Building Blocks • Encryption provides • confidentiality, can provide authentication and integrity protection • Checksums/hash algorithms provide • integrity protection, can provide authentication • Digital signatures provide • authentication, integrity protection
Authentication methods • Password authentication - Consists of user name and password • password should be encrypted rather than plain text • Address resolution • relies on address of the packet.Packet with authorized address is routed to correct destination • Trusted Host authentication • If DES and public key is used • Relies on trusted root that everyone (sender/receiver) believe it to be trustworthy • Biometric authentication • using personal physical features like finger prints,retina of the eye etc
Firewalls • Firewall is a separator,restrictor ,an analyzer that is used to protect internal network from attacks • Services provided - to restrict people to entering at a carefully controlled point; - to prevent intruders from getting close to your other defenses; - to restrict people to leaving at a carefully controlled point • a firewall is a system, either software or hardware or both, that enforces access control policy between two networks • a firewall is composed of a set of hardware components such as a router or a computer, or some combination of routers, computers and networks with appropriate software installed • The specific firewall configuration for an internal network will depend a lot on the security policy, budget as well as the overall operations of a site
Keys Symmetric Keys • Both parties share the same secret key • Problem is securely distributing the key • DES -Data Encryption Standard (DES). DES, the most widely used commercial encryption algorithm • Developed by the US Government and IBM in the 1970s • Protects financial transactions and electronic communications worldwide • DES uses 56 bit encryption key Public/Private keys • One key is the mathematical inverse of the other • Private keys are known only to the owner • Public key are stored in public servers
Hash Algorithms • Hash :A hash is simply a "summary", or "tag", which is generated from a digital document using a mathematical rule or algorithm • Are a step ahead of CRC • Reduce variable-length input to fixed-length (128 or 160bit) output • Requirements • Can't deduce input from output • Can't generate a given output • Can't find two inputs which produce the same output • Used to • Produce fixed-length fingerprint of arbitrary-length data • Produce data checksums to enable detection of modifications • Distill passwords down to fixed-length encryption keys • Hashes are used to check the integrity of files and documents, and are also often used in digital signature algorithms • Also called message digests or fingerprints
Message Authentication Code (MAC) • Hash algorithm + key to make hash value dependant on the key • Most common form is HMAC (hash MAC) • hash( key, hash( key, data )) • Key affects both start and end of hashing process • Naming: hash + key = HMAC-hash • MD5 1 HMAC-MD5 • SHA-1 1 HMAC-SHA (recommended)
Digital Signatures • Combines a hash with a digital signature algorithm • To sign • hash the data • encrypt the hash with the sender's private key • send data signer’s name and signature • To verify • hash the data • decrypt the signature with the sender's public key • the result of which should match the hash
SSL • SSL- Secure Socket Layer : • a security protocol that provides communications privacy over the Internet. • The protocol allows client/server applications to communicate in a way that is designed to prevent eavesdropping, tampering, or message forgery. • Secure message passing protocol • Developed by Netscape. • Protocol for using one or two public/private keys • to authenticate a sever to a client • and by requiring a client key to authenticates the client to the server • establish a shared symetric key (the session key) • uses the session key to encypt all data over the secure channel • Gives you authentication, message integrity and confidentiality
SSL Handshake • Negotiate the cipher(any encryption algorithm) suite cipher suite :A cipher suite defines a cipher specifications supported in SSL • Establish a shared session key • Authenticate the server (optional) • Authenticate the client (optional) • Authenticate previously exhanged data
SSL Handshake - details Client Server Generate Challenge Define Protocols Challenge Encryption protocols Return Server Certificate Generate connection ID Confirm Protocols Server Cert Verify server certificate Connection Id Encryption protocols Decrypt session key Generate server read/write Key pairs Generates session key Generate Client read/write key pairs Encyrpt session key (Session Key) Server's public key Encrypt random challenge phrase Decrypt and verify challenge phrase (Client's Challenge) Server Write Key
References • RSA Laboratories • http://www.rsasecurity.com/rsalabs/pkcs/ • SSL • http://www.ietf.org/SSL-v3 http://www.netscape.com/eng/ssl3/draft302.txt • openSSL http://www.openssl.org/ • www.zdnet.com