450 likes | 583 Views
CS6223: Distributed Systems. Security. Attacks on Distributed Systems. Eavesdropping. Obtaining copies of data without authority. Message tampering. Intercepting messages and altering their contents.
E N D
CS6223: Distributed Systems Security
Attacks on Distributed Systems • Eavesdropping. Obtaining copies of data without authority. • Message tampering. Intercepting messages and altering their contents. • Impersonating. Sending/receiving messages using other’s identity or imposters of client or server. • Playback. Storing messages and sending them at a later time to obtain illegal access. (Encryption alone cannot defeat playback attacks). • Denial of service. Usual security protocols cannot defeat DoS attacks.
Outlines • Cryptography • Client - Server authentication • Digital signature • Email security (a case study)
Examples of simple cryptographic systems 1. Substitution ciphers • Substitute one alphabetic character for another, e.g. Caesar cipher simply shifts the alphabet AD, BE, CF, ... A general method is to shift letters by k, which is the key for encryption / decryption. • A more complex method is to map each letter to another randomly. The cipher can be broken by counting frequencies of letters in the ciphertext and guessing out the plaintext. 2. Transposition ciphers • Plaintext remains the same, but the order of characters is shifted around. • A simple example is to write the plain text as an array, with row first. The ciphertext is read out by columns. To break this cipher, one needs to know: a) it is a transposition cipher, and b) the number of columns.
Decrypted by K Encrypted by K Plain text Cipher text Plain text Secret Key ( “symmetric”) Cryptography • Same key for both encryption and decryption • Efficient for encryption/decryption • Difficult to exchange secret keys • Often use session keys (short-lived) to encrypt/decrypt data after authentication
normal encryption / decryption Decrypted by K- Decrypted by K+ Encrypted by K+ Encrypted by K- Plain text Plain text Cipher text Cipher text Plain text Plain text protect messages from tampering Public Key ( “asymmetric”) Cryptography • A pair of keys: a public key K+ (made for public) and a private key K- (kept for private) • More costly (time, ciphertext size, …) for encryption/decryption • Easy for public key distribution • Often used for authentication (for secret key exchange)
64 bit plain text Initial transposition Iteration 1 Iteration 2 Generate 16 keys 56 bit key … Iteration 16 32 bit swap Inverse transposition 64 bit cipher text Secret Key Encryption/Decryption AlgorithmsDES (Data Encryption Standard) • Developed by Diffie and Hellman (1976) at IBM and recommended by US Federal (DES) for commercial use, but not for secret government use. • It uses a 56-bit secret key. Plaintext is encrypted in blocks of 64 bits, yielding 64 bits of cipher text. • The algorithm has 19 stages. The 16 stages of iteration are parameterized by the 56-bits key. • It is basically a substitution cipher, using 64-bit chars (it can be broken based on this).
64 bit plain text 64 bit plain text Iteration 1 Iteration 2 … Iteration 7 Iteration 8 Transformation Secret Key Encryption/Decryption AlgorithmsIDEA (International Data Encryption Algorithm) • Developed by James L Massey & Xuijia Laia (1990). • It uses 128-bits secret keys, the strongest secret key algorithm available. • The basic structure resembles DES. 64-bit plaintext input blocks are mangled in a sequence of 8 iterations (parameterized by the 128-bit key) to produce 64-bit cipher text output bocks.
Secret Communication with Shared Keys Alice wishes to send some secret information to Bob. Problems are: • How can Alice know the other side is Bob, and how can Bob be sure it is really Alice who makes the request? • How does Bob know that the message is not eavesdropped, tampered, or a copy of an earlier encrypted message? Let Alice and Bob share a secret key KA,B.
An “Improved Protocol”, but… Authentication by using 3 messages, instead of 5…
Authentication using Key Distribution Center The principle of using a KDC
One-way Authentication using KDC Using a ticket and letting Alice set up a connection to Bob But, Bob is not sure if the other side is really Alice …
Mutual (two-way) Authentication using KDCNeedham-Schroeder authentication protocol
Possible attack if no “nonce” in messages 1 & 2 … Chunk Alice KDC Chunk 1 A, B 2 KA, KDC(B, KA, B, KB,KDC(A, KA, B)) 3 KA, B(RA2), KB,KDC(A, KA, B) 4 KA, B(RA2-1, RB) 5 KA, B(RB-1)
Possible attack if no Bob ‘B’ in messages 1&2 … Chunk Alice KDC Chunk 1 RA1, A, C RA1, A, B 2 KA, KDC(RA1, KA, C, KC,KDC(A, KA, C)) 3 KA, C(RA2), KC,KDC(A, KA, C) 4 KA, C(RA2-1, RB) 5 KA, C(RB-1)
KDC Bob Alice Chunk 3 KA, B(RA2), KB,KDC(A, KA, B) 4 KA, B(RA2-1, RB) 5 KA, B(RB-1) Possible Replay Attack to the Protocol…
Enhanced Authentication defeating replay attack This protocol was adopted in Kerberos, RB1 is a timestamp t.
Public Key Cryptography RSA (Rivest, Shamir, Aldeman) Algorithm, 1979 at MIT: • Use a public key and a private key for encryption and decryption. Difficult to deduce private key from public key • Keys are 500-2,000 bits in length • Support authentication and digital signatures
RSA Algorithm The RSA method is based on some principles of numbers: • Choose two large primes, p and q ( 10100 ). • Compute n = pq and z = (p - 1) (q - 1). • Choose a number d, which is relatively prime to z. • Find e such that (e d) modz = 1. One of e or d is public key, the other private key. Encryption • Divide the plaintext into blocks, so that the binary value of each block P < n (i.e., block size is k-bits and 2k < n). • Compute C = Pe (mod n), where C is the ciphertext. Decryption • When receiving a block of cipertext C: compute P = Cd(mod n) • It is proven: (Pe (mod n))d (mod n) = P Public key: (e, n) Private Key: (d, n) Note: p, q and z are discarded after generating e, n and d. It is very difficult to find p, q and z from the public key e and n.
Mutual Authentication using Public-Key Cryptography N.B. Alice must be sure K+B is truly the public key of Bob, the same for Bob…
Digital Signatures Digital signatures mimic conventional signatures. It requires: • Receiver or third party can verify that this message was produced by the signer. • Signer cannot repudiate its signature, i.e. the sender cannot sign a message and then later claim that he did not do this. • Message cannot be modified after it has been signed. • Signature must be unique for a message, i.e. the signature cannot be electronically “cut” from the original message and “pasted” onto another message.
Digital Signatures using Private Keys A sends B the original message, ID and a copy of the encrypted message (by A’s private key): A B: M, A, {M}K-A Correctness verification: • B can verify the signature by decrypting {M}K-A using K+A. • The message M cannot be modified after signed and the signature cannot be cut and pasted to another document. • A cannot repudiate the signature, bcs only he knows K-A. Security problem: • There is no trusted body to keep record of A’s K-A and K+A if A changes its keys after some time.
Digital Signatures using Security ServerNeedham and Schroeder Protocol Suppose there is a security server S. KA, KB and KS are secret keys. • A S: A, {M}KA • S A: {A, M, t}KS S makes a signed and dated certificate of A’s document, encrypts the certificate by its secret key, and sends back to A. • A B: M, {A, M, t}KS A sends B the original document and the certificate issued by S. • B S: B, {A, M, t}KS B saves the document & certificate for later proof, and sends the certificate to S for decryption. • S B: {A, M, t}KB B decrypts the message, extracts M that is used to verify if or not the document received from A at step 3 is modified. The protocol satisfies: the signature is verifiable (via S), non-modifiable, and non-repudiatable.
Message Digest • Encryption / decryption is very time consuming. • Message digest approach does not require encrypting entire document. It uses a “checksum” (usually 128 bits) or “1-way hash function”. • Internet standard MD5 (RFC 1321) defines the latest checksum algorithm (128-bits) A hash functions, H(P), has the property that: • Given P, easy to compute H(P), but not the other direction. • For P1 P2, the probability of H(P1) = H(P2) is very small. • The length of H(P) << length of P. • H(P) is a “message digest” or “message integrity check”.
Hash Functions : MD5 • MD5 is a hash function to compute a 128-bit fixed length message digest for any arbitrary length of input string. • The input string is padded to a length of multiple of 512 bits and divided into a sequence of 512-bit blocks. • Starting with a 128-bit constant, MD5 has k iterations (k is the number of 512-bit blocks of the input). In each iteration, a new 128-bit digest is computed out of an input data block and the previous digest.
Digital signatures using message digests • To sign a message M, A (or S) computes the message digest, D(M), and encrypts only D(M). • B stores {M,{D(M)}K-A} (or {D(M)}KS ). B can verify the signature by computing D(M) and comparing with {{D(M)}K-A}K+A. • Everybody must use the same hash function to compute message digest.
Security Management Key Management • Key establishment • Key distribution
Key EstablishmentDiffie-Hellman key exchange How can Alice and Bob reach an agreement on a secret key? gxy(mod n) is the shared key between Alice and Bob
Secret-key distribution Alice Alice Bob
Public-key Distribution Alice Bob Alice
A Case Study: Email SecurityExisting Email System Originator Recipient User agent Editor User agent Submission SMTP (RFC 821) SMTP Server Retrieval (e.g. POP3 RFC 1725) Mail transfer Agent (SMTP relay) Mail transfer Agent (SMTP) SMTP (RFC 821) Intermediate relay point Recipient’s mailbox server 35
Basic Email Security SMTP/POP3 (RFC821/RFC1725) provides basic email delivery and retrieval services. They are not secure: • Basic SMTP, as implemented by most sites, has none of the security features – authentication, confidentiality, integrity,... • In particular SMTP does not authenticate the sender, hence the sender appearing in the field FROM may not be the actual owner of the FROM address at all. • POP3 provides for userid/password authentication • userid/password sent in clear – subject to eavesdropping • POP3 provides encrypted password option, butthis option is rarely used 36
Secure Email Systems Three widely used secure email systems: PGP – Pretty Good Privacy PEM – Privacy Enhanced Mail S/MIME – Secure Multipurpose Internet Mail Extensions
Email Security Requirements and Solutions • Source authentication. Ensure that the originator of the message is who he/she claims to be. • Solution: require originator to produce a digital signature for the message, which is then sent with the message. • Confidentiality of message. Prevent messages from being eavesdropped or tampered. • Solution: encrypt the message. 38
Certificates and Email Security For a brief introduction, see: http://www.joar.com/certificates/ http://www.emailprivacy.info/digital_signatures Certificates are used to identify people’s identities in the digital world (like your passport or your ID card): • Certificates are issued by authorities in digital world, called CA (Certificate Authorities). • Each certificate is signed by the CA who issues it and it can be verified by using public key of the CA. Public keys of CAs are pre-installed in standard email systems. • A certificate has a pair of keys for the user who requests it, a public key (embedded in the certificate) and a private key (kept in your local PC). It uses public key method for encryption and authentication.
Personal Certificate A certificate (defined in X.509) contains information on: • The individual who requests the certificate; • The CA that issues the certificate. A certificate has two parts: data, and CA’s signature. The data part contains: • version no. of X.509 standard, serial no. of the certificate (unique to a CA) • signature algorithm used by the CA (e.g, PKCS #1 MD5 with RSA Encryption) • distinguished name of the CA and the certificate subject (in X.500 format) • valid period • information about the public key being certified and the public-key algorithm • Special extensions (optional) The signature of CA includes: signature of the CA and the signature algorithm. Anyone receiving the certificate can use the signature algorithm and CA's PublicKey to verify it. PublicKeys of the CA is built in outlook.
A Sample Certificate This is a certificate issued by Ace CA: Data Version: v1 (0x0) Serial Number: 1 (0x1) Signature Algorithm: PKCS #1 MD5 With RSA Encryption Issuer: OU=Ace Certificate Authority, O=Ace Ltd, C=US Validity: Not Before: Fri Nov 15 00:24:11 1996 Not After: Sat Nov 15 00:24:11 1997 Subject: CN=Jane Doe, O=Ace Industry, C=US Subject Public Key Info: Algorithm: PKCS #1 RSA Encryption Public Key: 00:d0:e5:60:7c:82:19:14:cf:38: F7:5b:f7:35:4e:14:41:2b:ec:24: 33:73:be:06:aa:3d:8b:dc:0d:06: 35:10:92:25:da:8c:c3:ba:b3:d7: lf:1d:5a:50:6f:9a:86:53:15:f2: 53:63:54:40:88:a2:3f:53:11:ec: 68:fa:e1:f2:57 Public Exponent: 65537 (0x10001) Signature Algorithm: PKCS #1 MD5 With RSA Encryption Signature: 12:f6:55:19:3a:76:d4:56:87:a6: 39:65:f2:66:f7:06:f8:10:de:cd: 1f:2d:89:33:90:3d:a7:e3:ec:27: ac:e1:c0:29:c4:5a:69:17:51:dc: 1e:0c:c6:5f:eb:dc:53:55:77:01: 83:8f:4a:ab:41:46:02:d7:c8:9a: fe:7a:91:5c
Obtain a Certificate Apply a free email certificate from thawte website: http://www.thawte.com/secure-email/personal-email-certificates/index.html Steps: • Fill in your personal details for on-line application. • It generates a certificate and a private key (this certificate is associated with your email address, and other optional information). Then, it emails to inform you where to download the certificate. • Download (install) the certificate to your local site (your PC). • Now, you can use your certificate for signing / encrypting emails.
Sign an Email and Read a Signed Email A signed email ensures you the email is really sent by the owner of the email-address (when applying for a certificate, the email address is supplied): • When you click “sign” to sign an outgoing email, your private key is used to generate a signature. The message, together with this signature and your certificate, will be sent out; • When the recipient receives your signed email, the mail-reader (e.g., outlook) will: • Verify the attached certificate, if yes, then • Verify the message signature by using the certificate (the certificate will be also saved into recipient’s database).
Encrypt / Decrypt Emails • When you click “encrypt” for an outgoing email, the message will be encrypted by using the recipient’s public key (embedded in the recipient’s certificate). • You need to have the recipient’s certificate for encrypting a message to him (ask the recipient to send you a signed, not encrypted (why?), message. His certificate will be automatically extracted and stored in your local database). • When the recipient receives an encrypted email, the mail-system will use his private key to decrypt it. • An encrypted message may not be signed! It only ensures the message is not eavesdropped or tampered.