290 likes | 371 Views
Security III. CSE 5306 Lecture Quiz due at 5 PM on 30 July 2014. Firewalls. Firewalls are bullet-proof reference monitors that protect entire distributed systems from incoming (hackers) and outgoing (trusted employees’ use of banned websites) unauthorized message traffic.
E N D
Security III CSE 5306 Lecture Quiz due at 5 PM on 30 July 2014
Firewalls • Firewalls are bullet-proof reference monitors that protect entire distributed systems from incoming (hackers) and outgoing (trusted employees’ use of banned websites) unauthorized message traffic. • Packet-filtering gateway scrutinizes source and destination addresses. • Drops outsiders’ messages to the company web server. • Accepts messages from SMDS-connected company enterprise host. • Application-level gateway scrutinizes message content. • Email exceeding a size limit or spam. • A digital library gateway delivers documents inside but only abstracts outside (with invitation to order document for a price). • Proxy gateway; e.g., Web proxy gateway discards downloads that contain executable code.
Secure Mobile Code • When you ask for a lowest price airfare, Travelocity’s mobile agent visits many secure airline company websites. • The agent must be protected from phony airlines. • Legitimate airlines are wary of the agent. • Distributed systems must provide and support other’s mobile code in a flexible, but fully controlled manner.
Protecting an Agent • Mobile agents can’t be protected against attacks, but (if the agent makes it home) attacks can be detected: • Read-only state: encrypt a message digest of the entire agent with your private key, and each airline will verify the digest, add its quote, sign a new digest and send it off to its next destination. • Append-only log: as above, except each airline does not replace your digest; it adds its own. • Selective revealing: a secret message to each airline is encrypted with its public key, and all messages are signed by encrypting them with your private key.
R U O K ? Match the following terms with their definitions below. • Firewall __ • Packet-filtering gateway __ • Application-level gateway __ • Proxy gateway __ • Passes only those messages that meet the associated application’s criteria. • Routes packets based on their source and destination addresses. • Prevents malicious packets from entering or leaving a distributed system. • Routes packets based on their contents.
R U O K ? 5. What could possibly go wrong with Travelocity’s mobile code? • Offering the lowest rate, Birdbath Airlines could advise the agent not to shop elsewhere, by deleting the remainder of its planned destinations. • Fly-By-Nite Airlines could implant a really clever virus in the agent, with which it could infect everyone else it visits. • Delta Airlines could be infected by the agent’s virus. • All of the above. • None of the above.
R U O K ? 6. Which offers agents the best protection, a read-only state or an append-only log? • Read-only state. • Append-only log. • They are about the same. • Neither is worth the trouble.
Protecting the Target • A Java “sandbox” interprets every downloaded instruction before executing it. • Even benign instructions are prevented from changing protected registers or vulnerable memory. • The sandbox has its own class loaders that download the Java code’s required classes. • The sandbox’ byte code verifier checks all foreign servers’ classes for illegal instructions and for benign instructions that that could corrupt the stack or memory. • Like a reference monitor, the sandbox’ security manager vets all input/output operations at runtime; e.g., catching mouse events and using the local graphics library are permitted, accessing local files and connecting to anything but the mobile code’s home server are denied.
Protecting the Target (continued) • With more flexibility than the sandbox, a Java playground offers to untrusted mobile code all of the resources of an isolated computer, which communicates with users through RPCs. • Another sandbox alternative is code-signing; i.e., run only Java code that is signed by a trusted server.
Protecting the Target (continued) • Trusted mobile Java code security policies can be enforced by… • Insisting that the code call local resource methods by their private names (above left). • Name space management; i.e., insisting that the code include local header files that name those resource methods. • Extended stack introspection; i.e., immediately prior to a local method’s execution, its name appears in the runtime stack (above right), and the mobile code’s permission to run it can be verified.
Denial of Service • Distributed denial of service (DoS) attacks… • Deplete bandwidth by implanting viri in innocent machines that send great numbers of messages to the victim or • Deplete resources by initiating a huge number of the victim’s TCP connections (i.e., SYN-flooding). • DoS countermeasures… • Prevent virus infections. • Discard all outbound packets with incorrect source addresses. • ISPs drop packets going to a destination, when the those going to it are much more numerous than those returning from it. • All of the above.
R U O K ? Match the following terms with their definitions below. 7. Sandbox __ 8. Class loaders __ 9. Byte code verifier __ 10. Sandbox’ security manager __ 11. Playground __ 12. Code-signing __ 13. Name space management __ 14. Extended stack introspection __ • Provides complete resources of an isolated computer, which replies to users’ RPCs. • Checks all foreign servers’ classes for illegal instructions and for benign instructions that that could corrupt local stack or memory. • Ensures safety of all mobile code input/output operations at runtime. • Load the mobile code’s referenced classes from the local Java virtual machine and from other trusted servers. • Run only mobile code that is signed by a trusted server • A Java interpreter that carefully inspects every instruction of mobile code before executing it. • Verify mobile code’s per mission to run each local method, as it appears on the runtime stack. • Insists that mobile code include local header files that name local resource methods.
R U O K ? 15. Name some effective ways to deal with denial of service attacks. • Prevent viral infections. • Discard similar packets at the the victim organization’s ingress router. • Discard all outbound packets with incorrect destination addresses. • ISPs drop packets going to a destination, when the those going to it are much more numerous than those returning from it. • All of the above.
Security/Key Management • Certificates play an important role in distributing cryptographic keys. • The most critical step in secure server group management is persuading an old group of servers to trust their newest member. • Critical issues in authorization management include… • Issuing capability attribute certificates and • Enabling processes to securely delegate their rights to other processes. • Key management must provide means for revoking compromised keys, and it must solve the problems of key generation and distribution.
Key Establishment • The Diffie-Hellman key exchange is a similar to RSA (slide 23 of 3/17/14 lecture): • I choose n and g, subject to math constraints (?) • I secretly choose a large random number, x, as my private key, K-x= x. • You secretly choose a large random number, y, as your private key, K-y= y. • I send you n, g and my public key, K+x= gx mod n. • You send me your public key, K+y = gy mod n. • And now we both have a shared secret key, Ks = gxy mod n = (gx mod n)y = (gy mod n)x. • X and y cannot be inferred from anything we have sent in the clear (i.e., in our insecure channel).
Key Distribution • Public keys must pass through an authenticated secure channel. Secret keys must pass through a confidential, authenticated secure channel. • A trusted certification authority’s signing a public-key certificate, which consists of the public key and strings identifying both its issuer and the authority, assures the public-key’s authenticity. (The certifier’s public key that decrypts the certificate is widely known.) • Likewise higher level authorities can certify lower ones; e.g., IPRA -> PCA -> distrusted PEM email.
Lifetime of Certificates • Compromised security keys must be revoked, and the likelihood of compromise continually inevitably increases with passing time. • A certification revocation list (CRL) can be consulted to see if the issuer has revoked a key that you are about to use. But CRLs are always a little late, and nobody uses them. • Internet applications typically have one-year “leases” that automatically expire. • If you come up with a better idea, please let Tanenbaum know in time for his 3rd edition….
R U O K ? 16. What are the most important security management questions today? • How can certificates aid in cryptographic key distribution? • How can a new member be most safely added to a group of replicated key distributors or certification authorities? • How can attribute certificates aid in granting and delegating access rights to resources? • All of the above. • None of the above.
R U O K ? 17. Let’s do the Deffie-Hellman key exchange. I’ll go first: n = 2; g = 3; my private key K-x = x = 4; and my public key is gx mod n = 1. May I suggest that your private key K-y= y = 5? Thanks. Now you tell me; what are your public key, K+y, and our secret key, Ks? • K+y = 1 and Ks = 7. • K+y = 6 and Ks = 1. • K+y = 1 and Ks = 1. • K+y = 2 and Ks = 5. • None of the above.
R U O K ? 18. I am about to encrypt a secret message to you using your public key. How can I be sure this key is yours and not Chatty Cathy’s? • I can carefully examine the certificate that it is wrapped in. • If you passed it to me in an authenticated secure channel, it must be your public key. • It came from our mutually trusted key distribution center. • I really should check all of the above. • None of the above provides adequate assurance.
R U O K ? 19. What is the problem in revoking certificates? • A security key cannot be safely used, after it has been compromised. • A certification revocation list can tell you not to use the key, but the list is never up to date, and users seldom consult it anyway. • Internet applications generally come with one-year “leases,” even if their security keys are compromised in the lease’s first month. • All of the above. • None of the above.
R U O K ? 20. Why is an established secure certification group so willing to share both of its group keys, after a new membership applicant’s first call (Fig. 9-35, p.434)? • Both her identity and her public key were authenticated by a trusted certification authority in her join request. • She had called upon a trusted key distribution center to generate a valid reply pad and a secret key to share with the group. • The group member, who received her join request, gathered recommendations from all seated members before replying with their group admittance message. • All of the above. • None of the above.
Secure Group Management • So as to always be readily available, key distribution centers and certificate authorities are replicated; then they constitute a secure group. • Every certification group holds a secret key for internal messages and a public/private key pair for external messages. • Any process, P, which wants to join a group, G… • Sends a join request JR identifying P, G, local time T, a generated reply pad RP* and a generated secret key KP,G (see above). KP,Gand RP are encrypted by the group’s public key. The JR is signed by P and attached to a certificate containing P’s public key. • After authenticating P’s entire JR, receiving group member Q asks all others to approve the new member. If P is approved, Q sends a group admittance message GA identifying P and including a nonce. The reply pad RP is used to encrypt the group’s secret key CKG, which is used to encrypt the group’s private key KG—. The entire message is signed with P’s KP,G key. • P returns the nonce to confirm that he has joined the group. • Using the once-generated RP to encrypt CKG, instead of P’s public key protects the group.
Capabilities and Attribute Certificates • To invoke an operation on any Amoeba distributed system object, a client passes its capability (above) to its local operating system, which does an RPC to that object’s server. • The server that owns the desired object grants the client new rights by the process shown above. (Its one-way function makes tampering ineffective and easy to detect.) • Alternately an object server can authorize an attribute certificate, whose (attribute, value) pairs grant resource rights to clients. Message Digest Capability:
Delegation • How can I delegate to a printer my access right to a file? • I give it my proxy; i.e., an authentic certificate that says, “This token’s bearer has all of Steve’s rights” (see Delegation Proxy above). • Or I give it only the rights that it needs: “This token’s bearer has read-only rights to file Z.” • You can delegateyour file access to me: • You add a personal question S+proxy, which only you and I can answer S—proxy, and you sign the proxy to keep me from tampering with your list of rights (see the Delegation Protocol’s message 1 above). • Omitting the personal answer, I pass the proxy to the printer, which sees that you have rights. • But who am I…? Using your question as a public key, it encrypts a nonce. • I decrypt and return the nonce to show that I am your trusted friend. Delegation Protocol: Delegation Proxy:
Summary • Distributed systems should provide mutually authenticated and confidential secure channels between processes. • Related design questions: • How to trade off uses of asymmetric private/public keys and symmetric shared secret keys; e.g., currently the former are used to distribute the latter (session keys). • After user authentication, we also must verify her access control rights to distributed resources. • A certificate lists all of a client’s rights, which can then be delegated to a trusted agent. • Mobile agents cannot be protected from hostile hosts, but attacks can be detected. Hosts can be protected from hostile mobile code, by running it in a Java sandbox or an isolated playground. • Management design issues include: • Key management by trusted key distribution centers. • Authorization management by attribute certificates and delegation.
R U O K ? 21. How does Amoeba’s one-way function protect against users tampering with their rights to remote resources? • “One-way” means rights cannot inferred (for the purpose of editing) from the 48-bit check field in the user’s capability. • Tampering with the 48-bit check field would simply invalidate all of the user’s current capabilities. • Any effort to tamper with the capability certainly would be detected, probably resulting in the offender losing his job and all prospects of similar future employment. • All of the above. • None of the above.
R U O K ? • How does your sharing your personal secret help me re-delegate a right that you have delegated to me? • If I pass your secret question and answer on to another human, then she looks like your delegate. • If I pass your secret question on to a process, it uses your secret question as your public key to encrypt a nonce. When I show that I can decrypt its nonce (by using your secret answer as a private key), it knows that you and I are close friends. • No one needs to ask you if I share your rights. • All of the above. • None of the above.
R U O K ? 23. What security issues remain for you to settle in future distributed systems? • What are the most effective ways in which symmetric and asymmetric keys can work together? • After a user is authenticated, how can her access to resources be controlled most effectively? • How can key distribution centers and certificate authorities be managed most effectively? • All of the above. • None of the above.