Security in Distributed Systems ECE7610/ECE7650 Cheng-Zhong Xu
Outline • General Security Requirements • Cryptography • Secure Channel • Access Control • Security in Mobile Codes • Case Studies • Kerberos Systems • SSL • SET
General Security Requirements • Confidentiality (Privacy, Secrecy) • Protection from disclosure to unauthorized parties • E.g. overheard talk, illegal data copy (Interception) • Integrity • Protection from unauthorized change of data/tampering of services • Violations should be detectable and recoverable • E.g. Message relay (Fabrication, Modification) • Availability • Legitimate users have access anytime • E.g. Denial of Service Attack (Interrupt) • One facet of dependable systems, as well
Security Policy vs Mechanism • Policy specifies which actions the entities of a system can or can’t take • Entities: users, services, data, machines, etc. • Mechanism facilitates policy enforcement • Encryption: transform data into an unreadable form • Authentication: verify claimed identity • Authorization: • Auditing: help detect security breaches
Security in Distributed Systems • Security threats in isolated systems • Assumption: Isolated systems are secure • Security Mechanism: Protect from physical break-in • Security in networked systems within an administrative domain but isolated from the Internet • Identity Assumption: • Whenever a program attempts some action, we can easily identify a person to whom that action can be attributed, and it is safe to assume that that person intends the action to be taken. • Optimistic Assumption about Trojan Horse Attack • Users are responsible for actions of their programs • Mechanisms: • Cryptographic Password • Authorized users with different privilege levels
Security in Distributed Systems (cont’) • [Figure: process p sends message m to process q over a communication channel; the enemy holds a copy of m and m’] • Security in systems across administrative domains • Assumptions • Untrusted users in open systems, but protection domain per user • Insecure communication • Rare code migration becomes common
Security in Distributed Systems (cont’) • [Figure: principals A and B, processes p and q, secure channel, cryptography, the enemy] • Examples of Mechanisms (e-Commerce): • Authentication: verify claimed identity (CA) • Secure comm. channel (SSL-based https) • Firewall: packet filtering, authorization check • Resource access control: clients access resources via server ops; access rights are checked during invocations.
Threats not defeated by secure channels or other cryptographic techniques • Denial of service attacks • Deliberately excessive use of resources to the extent that they are not available to legitimate users • E.g. the Internet 'IP spoofing' attack, February 2000 • Trojan horses and other viruses • Viruses can only enter computers when program code is imported. • But users often require new programs, for example: • New software installation • Mobile code downloaded dynamically by existing software (e.g. Java applets) • Accidental execution of programs transmitted surreptitiously • Defences: code authentication (signed code), code validation (type checking, proof), sandboxing.
Recap: Network Security • attacks on Internet infrastructure: • infecting/attacking hosts: spyware, virus, worms, Trojan Horse, unauthorized access, and malware in general • Malware: software designed to infiltrate or damage a computer system without the owner’s informed consent [Wikipedia]; based on the intention of its creator, rather than any features • In law, malware is defined as a computer contaminant • denial of service: deny access to resources (servers, link BW) • Vulnerability attack; BW flooding; Connection flooding • Internet not originally designed with security in mind • original vision: “a group of mutually trusting users attached to a transparent network” • Internet protocol designers playing “catch-up” • Security considerations in all layers! Taxonomy
What can bad guys do: malware? • Spyware: • infection by downloading web page with spyware • records keystrokes, web sites visited, uploads info to collection site • Virus: • infection by receiving object (e.g., e-mail attachment), actively executing • self-replicating: propagates itself to other hosts, users • Worm: • infection by passively receiving object that gets itself executed • self-replicating: propagates to other hosts, users • [Figure: Sapphire Worm in 2003: aggregate scans/sec in first 5 minutes of outbreak (CAIDA, UWisc data)] • Doubles every 8.5 sec • 90% infected in 10 min
Denial of service attacks • attackers make resources (server, bandwidth) unavailable to legitimate traffic by overwhelming resource with bogus traffic • select target • break into hosts around the network (collectively known as a botnet) • send packets toward target from compromised hosts
Sniff, modify, delete your packets • Packet sniffing: • broadcast media (shared Ethernet, wireless) • promiscuous network interface reads/records all packets (e.g., including passwords!) passing by • [Figure: hosts A, B and C on a shared medium; packet src:B dest:A payload] • Ethereal (Wireshark) software used for end-of-chapter labs is a (free) packet-sniffer
Masquerade as you • IP spoofing: send packet with false source address • [Figure: hosts A, B and C; C sends a packet src:B dest:A payload]
Masquerade as you: Man-in-the-middle attack • IP spoofing: send packet with false source address • record-and-playback: sniff sensitive info (e.g., password), and use later • password holder is that user from system point of view • [Figure: hosts A, B and C; packet src:B dest:A user: B; password: foo]
Masquerade as you • IP spoofing: send packet with false source address • record-and-playback: sniff sensitive info (e.g., password), and use later • password holder is that user from system point of view • [Figure: later, hosts A, B and C; packet src:B dest:A user: B; password: foo]
Threats and forms of attack • Eavesdropping • obtaining private or secret information • Masquerading • assuming the identity of another user/principal • Message tampering • altering the content of messages in transit • man in the middle attack (tampers with the secure channel mechanism) • Replaying • storing secure messages and sending them at a later date • Denial of service • flooding a channel or other resource, denying access to others
Key Issues • Secure Channels • Authentication: Verification of claimed identity • Message Integrity: Detection of any alteration • Confidentiality: Information is exposed to authorized parties only • Access Control • Authorization • Cryptography is fundamental
Cryptography • Three possible ways of attack • Intruders (eavesdroppers) intercept the msg silently • Modify the msg • Insert the msg, attempting to make R believe these msgs come from S.
Cryptosystems • Symmetric Cryptosystem: same key to encrypt/decrypt: $P = D_K(E_K(P))$ • 56-bit Data Encryption Standard (DES), 128-bit IDEA and triple-DES • New U.S. standard: 128, 192, 256-bit AES, based on the Rijndael algorithm (Joan Daemen and Vincent Rijmen), effective May 26, 2002 • Asymmetric Cryptosystem: two keys form a pair, e.g. RSA: $P = D_{K_d}(E_{K_e}(P))$ • Public-key systems: K+ as public key and K- as private key • For example: • (1) How can Alice send a confidential msg to Bob? • (2) How can Bob verify that the msg comes from Alice?
Symmetric Key Crypto: two basic ops • Substitution: substituting one thing for another • monoalphabetic cipher: substitute one letter for another • translation table:
    abcdefghijklmnopqrstuvwxyz
    mnbvcxzasdfghjklpoiuytrewq
• E.g.: Plaintext: bob. i love you. alice • ciphertext: nkn. s gktc wky. mgsbc • Permutation: rearrange (shuffle) the input
Symmetric encryption algorithms • These are all programs that perform confusion and diffusion operations on blocks of binary data • TEA: a simple but effective algorithm developed at Cambridge U (1994) for teaching and explanation. 128-bit key, 700 kbytes/sec • DES: The US Data Encryption Standard (1977). No longer strong in its original form. 56-bit key, 350 kbytes/sec • Triple-DES: applies DES three times with two different keys. 112-bit key, 120 kbytes/sec • IDEA: International Data Encryption Algorithm (1990). Resembles TEA. 128-bit key, 700 kbytes/sec • AES: A proposed US Advanced Encryption Standard (1997). 128/256-bit key • There are many other effective algorithms. See Schneier [1996]. • The above speeds are for a Pentium II processor at 330 MHz. Today's PCs (January 2002) should achieve a 5 x speedup.
TEA encryption function • key 4 x 32 bits; plaintext and result 2 x 32 bits • ^ is exclusive OR; << and >> are logical shifts • Lines 5 & 6 perform confusion (XOR of shifted text) and diffusion (shifting and swapping)

    #include <stdint.h>
    #include <stdio.h>

    /* uint32_t keeps every word at the 32 bits TEA assumes;
       unsigned long is 64 bits wide on LP64 systems. */
    void encrypt(uint32_t k[], uint32_t text[]) {
        uint32_t y = text[0], z = text[1];
        uint32_t delta = 0x9e3779b9, sum = 0; int n;
        for (n = 0; n < 32; n++) {
            sum += delta;
            y += ((z << 4) + k[0]) ^ (z + sum) ^ ((z >> 5) + k[1]);   /* line 5 */
            z += ((y << 4) + k[2]) ^ (y + sum) ^ ((y >> 5) + k[3]);   /* line 6 */
        }
        text[0] = y; text[1] = z;
    }

TEA decryption function

    void decrypt(uint32_t k[], uint32_t text[]) {
        uint32_t y = text[0], z = text[1];
        uint32_t delta = 0x9e3779b9, sum = delta << 5; int n;
        for (n = 0; n < 32; n++) {
            /* undo the two round steps in reverse order */
            z -= ((y << 4) + k[2]) ^ (y + sum) ^ ((y >> 5) + k[3]);
            y -= ((z << 4) + k[0]) ^ (z + sum) ^ ((z >> 5) + k[1]);
            sum -= delta;
        }
        text[0] = y; text[1] = z;
    }

TEA in use

    void tea(char mode, FILE *infile, FILE *outfile, uint32_t k[]) {
        /* mode is 'e' for encrypt, 'd' for decrypt, k[] is the key. */
        uint32_t block[2];              /* one 8-byte block, aligned for encrypt/decrypt */
        char *Text = (char *) block;
        int i;
        while (!feof(infile)) {
            i = (int) fread(Text, 1, 8, infile);    /* read 8 bytes from infile into Text */
            if (i <= 0) break;
            while (i < 8) { Text[i++] = ' '; }      /* pad last block with spaces */
            switch (mode) {
            case 'e': encrypt(k, block); break;
            case 'd': decrypt(k, block); break;
            }
            fwrite(Text, 1, 8, outfile);            /* write 8 bytes from Text to outfile */
        }
    }
Classical Feistel Structure • Virtually all conventional block encryption algorithms, including the Data Encryption Standard (DES), have a structure first described by Horst Feistel of IBM in 1973 • Properties • a particular structure of permutation and substitution of input; the structure is made public • the most important component is the F function • the F function does not even need to be one-to-one to decrypt the message, so long as the receiver knows the key
DES: Data Encryption Standard • US encryption standard [NIST 1993] • 56-bit symmetric key, 64-bit plaintext input • Uses a 16-round Feistel Network • [Figure: input processing and key generation]
Security of DES • Intuitively, the design of F is to make it hard to invert the function (by any cryptanalysis technique), i.e., security by confusion and obfuscation • the design philosophy of the F function of DES is not known • thus the “best known” attack is to try all possible 56-bit keys on the ciphertext to see if a key generates a “reasonable” plaintext • However, 56-bit keys appear to be too short
Making DES More Secure • Use three keys sequentially (3-DES) on each datum: $C = E_{K3}[D_{K2}[E_{K1}[P]]]$ • C = ciphertext • P = plaintext • $E_K[X]$ = encryption of X using key K • $D_K[Y]$ = decryption of Y using key K • notation: $E_K[X]$ and $\{X\}_K$ both mean encrypt X using key K • Replaced by Advanced Encryption Standard [NIST 2000]: http://csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf
Advanced Encryption Standard (AES) • [Figure: ByteSub, ShiftRow, MixColumn]
Cipher blocks, chaining and stream ciphers • Most algorithms work on 64-bit blocks. • Weakness of simple block cipher: repeated patterns can be detected. • [Figure: Cipher block chaining (CBC): plaintext blocks n+1, n+2, n+3; XOR; E(K, M); ciphertext blocks n-3, n-2, n-1, n] • [Figure: Stream cipher: number generator n+1, n+2, n+3; E(K, M); keystream buffer; XOR; plaintext stream; ciphertext stream]
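The repeated-pattern weakness named on this slide, as an added example that is not part of the original slides: the TEA block function shown earlier (written here with 32-bit words) encrypts a constructed A, B, A, B plaintext once block by block and once with cipher block chaining. The helper names, key, IV and sample blocks are constructed for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* TEA block encryption as on the page, with fixed-width 32-bit words. */
static void tea_encrypt(const uint32_t k[4], uint32_t b[2]) {
    uint32_t y = b[0], z = b[1], sum = 0, delta = 0x9e3779b9;
    for (int n = 0; n < 32; n++) {
        sum += delta;
        y += ((z << 4) + k[0]) ^ (z + sum) ^ ((z >> 5) + k[1]);
        z += ((y << 4) + k[2]) ^ (y + sum) ^ ((y >> 5) + k[3]);
    }
    b[0] = y; b[1] = z;
}

/* Simple block mode: each 64-bit block is encrypted on its own. */
void ecb_encrypt(const uint32_t k[4], uint32_t (*blk)[2], size_t n) {
    for (size_t i = 0; i < n; i++) tea_encrypt(k, blk[i]);
}

/* CBC: XOR each plaintext block with the previous ciphertext block (IV first). */
void cbc_encrypt(const uint32_t k[4], const uint32_t iv[2], uint32_t (*blk)[2], size_t n) {
    uint32_t prev[2] = { iv[0], iv[1] };
    for (size_t i = 0; i < n; i++) {
        blk[i][0] ^= prev[0]; blk[i][1] ^= prev[1];
        tea_encrypt(k, blk[i]);
        prev[0] = blk[i][0]; prev[1] = blk[i][1];
    }
}

/* Number of ciphertext block pairs an eavesdropper sees as identical. */
size_t repeated_pairs(uint32_t (*blk)[2], size_t n) {
    size_t hits = 0;
    for (size_t i = 0; i < n; i++)
        for (size_t j = i + 1; j < n; j++)
            if (blk[i][0] == blk[j][0] && blk[i][1] == blk[j][1]) hits++;
    return hits;
}

/* Constructed sample: four plaintext blocks in the pattern A, B, A, B. */
static const uint32_t SAMPLE[4][2] = {
    {0x50415920, 0x31303020}, {0x544f2042, 0x4f422020},
    {0x50415920, 0x31303020}, {0x544f2042, 0x4f422020} };
static const uint32_t KEY[4] = {0x01234567, 0x89abcdef, 0xfedcba98, 0x76543210};
static const uint32_t IV[2] = {0x0badc0de, 0x5eed1234}; /* constructed; random in practice */

/* Encrypt a copy of SAMPLE in the chosen mode and count visible repeats. */
size_t repeats_seen(int use_cbc) {
    uint32_t buf[4][2];
    memcpy(buf, SAMPLE, sizeof buf);
    if (use_cbc) cbc_encrypt(KEY, IV, buf, 4); else ecb_encrypt(KEY, buf, 4);
    return repeated_pairs(buf, 4);
}

int main(void) {
    printf("identical pairs: simple=%zu cbc=%zu\n", repeats_seen(0), repeats_seen(1));
    return 0;
}
```

In simple block mode the A, B, A, B structure survives encryption as two identical ciphertext pairs; with chaining no two ciphertext blocks match.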
Asymmetric encryption algorithms • They all depend on the use of trap-door functions • A trap-door function is a one-way function with a secret exit, e.g. product of two large numbers; easy to multiply, very hard (infeasible) to factorize. • RSA: The first practical algorithm (Rivest, Shamir and Adleman 1978) and still the most frequently used. Key length is variable, 512-2048 bits. Speed 1-7 kbytes/sec. (350 MHz PII processor) • Elliptic curve: A recently-developed method, shorter keys and faster. • Asymmetric algorithms are ~1000 x slower and are therefore not practical for bulk encryption, but their other properties make them ideal for key distribution and for authentication uses.
RSA (1) To find a key pair e, d:
1. Choose two large prime numbers, P and Q (each greater than $10^{100}$), and form: $N = P \times Q$, $Z = (P-1) \times (Q-1)$
2. For d choose any number that is relatively prime with Z (that is, such that d has no common factors with Z). We illustrate the computations involved using small integer values for P and Q: P = 13, Q = 17 -> N = 221, Z = 192, d = 5
3. To find e solve the equation: $e \times d = 1 \bmod Z$. That is, e x d is the smallest element divisible by d in the series Z+1, 2Z+1, 3Z+1, ... . $e \times d = 1 \bmod 192$ = 1, 193, 385, ...; 385 is divisible by d, so e = 385/5 = 77
4. (e, N) is an encryption key and (d, N) is the corresponding decryption key
RSA (2) To encrypt text using the RSA method, the plaintext is divided into equal blocks of length k bits where $2^k < N$ (that is, such that the numerical value of a block is always less than N; in practical applications, k is usually in the range 512 to 1024). k = 7, since $2^7 = 128$. The function for encrypting a single block of plaintext M is: $E'(e,N,M) = M^e \bmod N$; for a message M, the ciphertext is $M^{77} \bmod 221$. The function for decrypting a block of encrypted text c to produce the original plaintext block is: $D'(d,N,c) = c^d \bmod N$. Rivest, Shamir and Adleman proved that E' and D' are mutual inverses (that is, E'(D'(x)) = D'(E'(x)) = x) for all values of P in the range 0 ≤ P ≤ N. The two parameters e,N can be regarded as a key for the encryption function, and similarly d,N represent a key for the decryption function. So we can write $K_e = \langle e,N \rangle$ and $K_d = \langle d,N \rangle$.
RSA: Another Example • Bob chooses P=5, Q=7. Then N=35, Z=24. • e=5 (so e, Z relatively prime) • d=29 (so ed-1 exactly divisible by Z) • encrypt, $c = m^e \bmod n$: letter L, m = 12, $m^e$ = 1524832, c = 17 • decrypt, $m = c^d \bmod n$: c = 17, $c^d$ = 481968572106750915091411825223071697, m = 12, letter L
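The key-pair recipe and both small-number examples above, carried through in code (an added example, not from the original slides). The function names are made up for the illustration; the numbers are the slides' own, and the sample message is the one from the substitution-cipher slide.

```c
#include <stdint.h>
#include <stdio.h>

static uint64_t gcd(uint64_t a, uint64_t b) {
    while (b) { uint64_t t = a % b; a = b; b = t; }
    return a;
}

/* Square-and-multiply: base^exp mod n. Products fit in 64 bits while n < 2^32. */
uint64_t modpow(uint64_t base, uint64_t exp, uint64_t n) {
    uint64_t r = 1 % n;
    for (base %= n; exp; exp >>= 1) {
        if (exp & 1) r = r * base % n;
        base = base * base % n;
    }
    return r;
}

/* Step 3 of the recipe: walk the series Z+1, 2Z+1, 3Z+1, ... until an element
   is divisible by d, then e = element / d. Returns 0 when d shares a factor
   with Z (step 2 violated), because then no element is ever divisible by d. */
uint64_t find_e(uint64_t d, uint64_t Z) {
    if (d == 0 || gcd(d, Z) != 1) return 0;
    for (uint64_t t = Z + 1; ; t += Z)
        if (t % d == 0) return t / d;
}

/* Largest block length k (in bits) with 2^k < N. */
unsigned block_bits(uint64_t N) {
    unsigned k = 0;
    while ((1ULL << (k + 1)) < N) k++;
    return k;
}

/* Encrypt each character of msg as one block with (e, N) and decrypt it with
   (d, N); returns 1 only if every block fits in k bits and decrypts to itself. */
int roundtrip_ok(const char *msg, uint64_t e, uint64_t d, uint64_t N) {
    uint64_t limit = 1ULL << block_bits(N);
    for (; *msg; msg++) {
        uint64_t m = (unsigned char)*msg;
        if (m >= limit || modpow(modpow(m, e, N), d, N) != m) return 0;
    }
    return 1;
}

int main(void) {
    uint64_t P = 13, Q = 17, N = P * Q, Z = (P - 1) * (Q - 1), d = 5;
    uint64_t e = find_e(d, Z);
    printf("N=%llu Z=%llu e=%llu k=%u\n", (unsigned long long)N,
           (unsigned long long)Z, (unsigned long long)e, block_bits(N));
    printf("second example: c=%llu m=%llu\n",
           (unsigned long long)modpow(12, 5, 35), (unsigned long long)modpow(17, 29, 35));
    printf("round trip ok: %d\n", roundtrip_ok("bob. i love you. alice", e, d, N));
    return 0;
}
```

With 7-bit blocks every occurrence of a letter encrypts to the same value, so this per-character form only illustrates the arithmetic.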
Digital signatures Requirements: • To authenticate stored document files as well as messages • To protect against forgery • To prevent the signer from repudiating a signed document (denying their responsibility) Encryption of a document in a secret key constitutes a signature • impossible for others to perform without knowledge of the key • strong authentication of document • strong protection against forgery • weak against repudiation (signer could claim key was compromised)
Secure Digest Function • h = H(m): take a msg of arbitrary length and produce a bit string of a fixed length. • Example: • 128-bit MD5 (Rivest’92): generate 128 bit fixed length msg digest from an arbitrary length binary input string • 160-bit SHA (NIST’95), based on Rivest’s MD4, but made more secure by producing a 160-bit digest. • Any symmetric encryption algorithm in the CBC (cipher block chaining) mode. The last block in the chain is H(m) • Properties: • One-way function: Given h, it’s computationally infeasible to compute m • weak collision resistance: Given an input m and its associated output h, it’s computationally infeasible to find another m’ that is not equal to m but H(m)=H(m’) • strong collision resistance: Given only H, it’s computationally infeasible to find any two different inputs m and m’, such that H(m) = H(m’) • Both MD5 and SHA are shown to be broken lately!! http://www.schneier.com/blog/archives/2005/06/more_md5_collis.html http://www.schneier.com/blog/archives/2005/02/sha1_broken.html
Digital Signature for Message Integrity • DA using public-key crypto, like RSA • Bob verifies msg m by comparison • Alice is protected against Bob’s modification because of her signature. • But, what if Alice wants to change her key? • Need central authority to keep records
Digital Signatures (cont’) • Encryption of an entire message with a private key is very time-consuming • Using hash function, H, to generate a message digest and encrypting the digest instead
MACs: Low-cost signatures with a shared secret key • MAC: Message Authentication Code • Signer and verifier share a secret key K • [Figure: Signing: M and K give h = H(M+K); the signed doc is M with h. Verifying: M and K give h' = H(M+K); h = h' ? authentic : forged]
Perf of encryption and secure digest algs

    Algorithm                Key size/hash size   Extrapolated speed   PRB optimized
                             (bits)               (kbytes/sec.)        (kbytes/s)
    Secret key  TEA          128                  700                  -
                DES          56                   350                  7746
                Triple-DES   112                  120                  2842
                IDEA         128                  700                  4469
    Public key  RSA          512                  7                    -
                RSA          2048                 1                    -
    Digest      MD5          128                  1740                 62425
                SHA          160                  750                  25162

Figure 7.14 speeds are for a Pentium II processor at 330 MHz. PRB = Preneel, Rijmen and Bosselaers [Preneel 1998]
Outline • General Security Requirements • Cryptography • Secure Communication Channel • Authentication • Message integrity and confidentiality • Access Control • Security in Mobile Codes • Case Studies • Kerberos Systems • SSL • E-Cash and SET
Secure Channel • Authentication • Message Integrity: msg is protected against modification • More than authentication of communication parties, e.g. protection of the integrity of an on-line transaction agreement • Confidentiality: Msg won’t be intercepted and read by eavesdroppers • Cryptographic keys are not enough
Secure Channel: Authentication • Alice initiates the setup of a channel between Alice and Bob. Once it is done, Alice and Bob know for sure whom they are talking to. • Authentication based on shared secret keys (Session Keys): Challenge-Response Protocol • 1: identity of A • 2: Challenge of B • 3: Encrypted challenge • 4: Challenge of A • 5: Encrypted challenge
Optimized Authentication ? • Authentication based on a shared secret key, but using three instead of five keys
Reflection Attack • Two comm parties use the same challenge in different runs of the protocol • Also, valuable info. $K_{A,B}(R_C)$ is released to unknown person
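An added simulation (not from the original slides) of Bob's side of both protocol forms, facing an intruder Chuck who does not hold the shared key. It assumes the three-message form is (1) A, R_A; (2) R_B, K_A,B(R_A); (3) K_A,B(R_B), and that Bob acts only as responder; `keyed` is a toy stand-in for encryption, and all names and values are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Toy keyed function standing in for K_A,B(R); NOT a real cipher (assumption). */
static uint64_t keyed(uint64_t k, uint64_t r) {
    uint64_t x = (r ^ k) * 0x9e3779b97f4a7c15ULL;
    return x ^ (x >> 29) ^ k;
}

static const uint64_t K_AB = 0x0123456789abcdefULL; /* constructed key, held by Alice and Bob only */
static uint64_t nonce_ctr = 1000;  /* deterministic for the demo; challenges are random in practice */

typedef struct { uint64_t rb; int peer_proved; } session;

/* Three-message form, Bob's side. In: A, R_A. Out: R_B and K_A,B(R_A). */
uint64_t bob3_msg2(session *s, uint64_t ra, uint64_t *rb_out) {
    *rb_out = s->rb = nonce_ctr++;
    return keyed(K_AB, ra);  /* encrypts a value chosen by a peer that has proved nothing yet */
}

/* Three-message form, message 3 in: K_A,B(R_B). */
int bob3_msg3(session *s, uint64_t resp) {
    return s->peer_proved = (resp == keyed(K_AB, s->rb));
}

/* Five-message form, message 2 out: Bob's challenge R_B and nothing else. */
uint64_t bob5_msg2(session *s) { s->peer_proved = 0; return s->rb = nonce_ctr++; }

/* Five-message form, messages 3 to 5: Bob answers R_A only after message 3 verifies. */
int bob5_msg5(session *s, uint64_t resp, uint64_t ra, uint64_t *out) {
    s->peer_proved = (resp == keyed(K_AB, s->rb));
    if (s->peer_proved) *out = keyed(K_AB, ra);
    return s->peer_proved;
}

/* Chuck against the three-message responder: two runs of the protocol. */
int reflection_on_three_message(void) {
    session s1, s2; uint64_t rb1, rb2;
    bob3_msg2(&s1, 42, &rb1);                    /* run 1: claims to be A, R_C = 42 */
    uint64_t k_rb1 = bob3_msg2(&s2, rb1, &rb2);  /* run 2: Bob's own R_B reused as the challenge */
    return bob3_msg3(&s1, k_rb1);                /* run 1 completed with Bob's own answer */
}

/* Same two runs against the five-message responder: no run returns K_A,B(R_B). */
int reflection_on_five_message(void) {
    session s1, s2; uint64_t out = 0;
    uint64_t rb1 = bob5_msg2(&s1);
    uint64_t rb2 = bob5_msg2(&s2);               /* second run yields only another challenge */
    return bob5_msg5(&s1, rb2, rb1, &out);       /* Chuck can only send back values he has seen */
}

int main(void) {
    printf("three-message responder accepts Chuck: %d\n", reflection_on_three_message());
    printf("five-message responder accepts Chuck:  %d\n", reflection_on_five_message());
    return 0;
}
```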
Key Distribution Center • Shared-key based authentication is not scalable. In a system with n hosts, n(n-1)/2 keys are needed and each host needs to manage n-1 keys • Alternative is to assume a trusted third party, like a KDC, which shares a secret key with each host • The message $K_{B,KDC}(K_{A,B})$ is called a ticket • Alice uses this ticket to establish a connection with Bob
Needham-Schroeder Protocol • $R_{A1}$ is a nonce (random number, “number used once”) to uniquely relate msg 1 and msg 2 to each other. • The identity B of Bob is included in msg 2 to confirm the return ticket between A and B. • Returning $R_{A2}-1$ in msg 4 proves Bob knows the shared key and he actually has used the key to decrypt the challenge.
Improved Needham-Schroeder Protocol • Using an extra nonce $R_{B1}$ to protect against malicious reuse of a previously generated session key
Shared Key Setup by Public-Key • Mutual authentication, assuming knowledge of public keys of each other • Be assured that Alice is actually using Bob’s public key • How??
Initial Key Establishment • Diffie-Hellman Key Exchange • Alice and Bob agree on two large public numbers n and g • Alice and Bob pick two large random numbers, x and y, as their private keys • Alice sends $g^x \bmod n$ to Bob and Bob sends $g^y \bmod n$ to Alice, along with n and g • $g^x \bmod n$ is a one-way function: x is infeasible to compute from it • Established shared key: $(g^x \bmod n)^y = g^{xy} \bmod n$ • Diffie-Hellman can also be viewed as public-key cryptography, where x and y are private keys, $g^x \bmod n$ and $g^y \bmod n$ are public keys.