real-time & multimedia lab chapter:8 security rtmm lab kyung hee univ. distributed system

Real-Time & MultiMedia Lab

Chapter:8 Security

RTMM Lab

Kyung Hee Univ.

Distributed System


Motivation

• 1. Social implications

Do you still trust

– Your bank

– Your doctor

• 2. Economical implications

– Your company loose credit

• 3. Legal implication

– Your company in front of a court


Outline

1. Introduction

2. Cryptography

3. Secure Channel

4. Access Control

5. Security Management

6. Examples


Introduction

• Security in distributed system is generally similar to techniques used in a non-distributed system, but much more difficult to implement

• Difficult to get right, impossible to get perfect!


Security Threats

• Interception – unauthorized access to data.

• Interruption – a service becomes unavailable.

• Modification – unauthorized changes to, and tampering of, data.

• Fabrication – non-normal, additional activity.


Security Requirements

• Authentication: ensures that sender and receiver are who they are claiming to be

• Data integrity: ensure that data is not changed from source to destination

• Confidentiality: ensures that data is read only by authorized users

• Non-repudiation: ensures that the sender has strong evidence that the receiver has received the message, and the receiver has strong evidence of the sender identity

– The sender cannot deny that it has sent the message and the receiver cannot deny that it has received the message


Security Mechanisms

• Encryption– Transform data into something that an attacker cannot understand

(confidentiality) – Check whether something has been modified (integrity)

• Authentication– Verify the identity of a subject

• Authorization – determine if a subject is permitted to request service

• Auditing – trace subjects and requests can help catch an attacker


Key Point

• Matching security mechanisms to threats is only possible when a Policy on security and security issues exists.

• Security Policy: Prescribes how to use mechanisms to protect against attacks.

Requires that a model of possible attacks is described


Cryptography(1)

Intruders and eavesdroppers in communication.


Cryptography(2)

Symmetric system (secret key cryptography):

• Use a single key to encrypt the plaintext and decrypt the ciphertext.

• sender and receiver share the secret key

• e.g. Data Encryption Standard (DES)

Asymmetric system (public key cryptography):

• Use different keys for encryption and decryption

• one is private, the other public

• e.g. RSA algorithm

Hashing system (message digest):

• Only encrypt data and produce a fixed-length digest

• There is no decryption; only comparison is possible

• e.g. MD5


Data Encryption Standard (DES)

• DES encrypts a 64-bit block of plain text using a 56-bit key

• Three phases

1. Permute the 64 bits in the block

2. Apply a given operation 16 times on the 64 bits

3. Permute the 64 bits using the inverse of the original permutation

Round 1

Round 16

... key

1st phaseIP(input)

3rd phaseIP-1(input)

2nd phase


2nd Phase: Operation In Each Round

• Original Key K is 56 bits

• 16 rounds

• Each round i select a 48 bit key Ki from the original 56 bit key K. Perform (F is a given function):

+

F

63 0

63 32 31 0

Ki

Li-1 Ri-1

Li Ri

),( 11

1

iiii

ii

KRFLR

RL


Encrypting Larger Messages

• Initialization Vector (IV) is a random number generated by sender and sent together with the ciphertext

+

Block1

Cipher1

DES

+

Block2

DES

+

Block3

DES

+

Block4

DES

Cipher2 Cipher3 Cipher4

IV


DES Properties

• Provide confidentiality

– No mathematical proof, but practical evidence suggests that decrypting a message without knowing the key requires exhaustive search

– To increase security use triple-DES, i.e., encrypt the message three times


Public-Key Cryptography: RSA (Rivest, Shamir, and Adleman)

Generating Public and Private Keys

• Choose two large prime numbers p and q (~ 256 bit long) and multiply them: n = p*q

• Chose encryption key e such that e and (p-1)*(q-1) are relatively prime

• Compute decryption key d, where

– d = e-1 mod ((p-1)*(q-1))

– (equivalent to d*e = 1 mod ((p-1)*(q-1)))

• Public key consist of pair (n, e)

• Private key consists of pair (n, d)


RSA Encryption and Decryption

• Encryption of message block m:

– c = me mod n

• Decryption of ciphertext c:

– m = cd mod n

e.g. choose p=7 & q=11


Properties

• Confidentiality

• A receiver B computes n, e, d, and sends out (n, e)

– Everyone who wants to send a message to A uses (n, e) to encrypt it

• How difficult is to recover d ? (Someone that can do this can decrypt any message sent to B!)

• Recall that

d = e-1 mod ((p-1)*(q-1))

• So to find d, you need to find primes factors p and q

– This is provable very difficult


Message Digest (MD) 5

• Can provide data integrity and non-repudation

– Used to verify the authentication of a message

• Idea: compute a hash on the message and send it along with the message

• Receiver can apply the same hash function on the message and see whether the result coincides with the received hash


Message Digest Operation

• Transformation contains complex operations

512 bits 512 bits 512 bits

Message (padded)128 constant

Transformation

Transformation

Transformation

...

Message digest


MD5: Operation in each round

• The 16 iterations during the first round in a phase in MD5.

The 16 iterations during the first round in a phase in MD5.


Applications of Cryptography

Two Major Issues in DS Security

• Secure communications between parties.

• Authorization.

• Note that authentication and message integrity as technologies rely on each other

• Secure channels protect against (protected by):

• Interception (confidentiality).

• Modification (auth. and integrity).

• Fabrication (auth. and integrity).

Authentication

Message Integrity

Confidentiality


Authentication

• Authentication based on a shared secret key

– A, B: sender and receiver identities

– KA,B: shared secret key

– RA,RB: random numbers exchanged by A and B to verify identitiesA

lice

Bo

b

A1

RB2

3 KA,B(RB)

RA4

5 KA,B(RA)


“Optimization”

• Is this authentication protocol secure?

Alic

e

Bo

b

A, RA1

2 RB, KA,B(RA)

3 KA,B(RB)


Reflection Attack

• An attacker (Chuck) can fool Bob in believing that he is Alice!

Ch

uck

A, RC1

2 RB, KA,B(RC)

Alic

e

Bo

b

A, RB3

4 RB2, KA,B(RB) 2nd session

1st session

5 KA,B(RB) 1st session


Authentication using KDC(Basic Protocol)

• KDC – Key Distribution Center

• Maintain only N keys in the system: one for each node

Alic

e

Bo

b

A, B1

KD

C (

ge

nera

tes

KA

,B)

2 KA,KDC(KA,B) KB,KDC(KA,B)2


Authentication using KDC(Ticket Based)

• No need for KDC to contact BobA

lice

Bo

b

A, B1

KD

C

2 KA,KDC(KA,B),

3

KB,KDC(KA,B)

A, KB,KDC(KA,B)

• Vulnerable to replay attacks if Chuck gets hold on KB,KDCold


Authentication using KDC(Needham-Schroeder Protocol)

• Relate messages 1 and 2: use challenge response mechanism

• RA1, RA2, RB: nonces

– Nonce: random number used only once to relate two messages

Alic

e

Bo

b

RA1,A,B1

KD

C

2 KA,KDC(RA1,B,KA,B, KB,KDC(A,KA,B))

3 KA,B(RA2), KB,KDC(A, KA,B)

4 KA,B(RA2-1, RB)

5 KA,B(RB-1)

• Vulnerable to replay attacks if Chuck gets hold on KA,B


What if RA1 is Missing?

• Assume Chuck intercepted

– KA,KDC(B,KA,B, KB,KDCold(A,KA,B))

– Knows KB,KDCold

Bo

b (K

B,K

DC)

A,B1

KD

C

Alic

e

3 KA,B(RA2), KB,KDCold(A, KA,B)

4 KA,B(RA2-1, RB)

5 KA,B(RB-1)

Ch

uck

(K

B,K

DC

old)

2 KA,KDC(B,KA,B, KB,KDCold(A,KA,B))

(replayed message)

Here Chuck gets KA,B !


What if B is Missing from Message 2?

• Assume Chuck intercepts message 1

Alic

e

Bo

b (K

B,K

DC)

RA1,A,B1

KD

C

2 KA,KDC(RA1,KA,C, KC,KDC(A,KA,C))

3 KA,C(RA2), KC,KDC(A, KA,C)

4 KA,C(RA2-1, RB)

5 KA,C(RB-1)

Ch

uck

(K

B,K

DC

old)

RA1,A,C

Here Chuck gets KA,C !


What if Chuck gets KA,Bold?

• Assume Chuck intercepted

– KA,B(RA2), KB,KDC,(A,KA,B)

– Knows KA,Bold

Alic

e

Bo

b

RA1,A,B1

KD

C

2 KA,KDC(RA1,B,KA,B, KB,KDC(A,KA,B))

3 KA,Bold(RA2), KB,KDC(A, KA,B

old)

4 KA,Bold(RA2-1, RB)

5 KA,Bold(RB-1)

(replayed message)

Ch

uck

(K

A,B

old)


Defend Against leaking of KA,B

• Message 5 (former 3) contains an encrypted nonce (KB,KDC(RB1)) provided by Bob

• Chuck can no longer replay message 4 (former 3)

Alic

e

Bo

b

RA1,A,B, KB,KDC(RB1)3

KD

C

4 KA,KDC(RA1,B,KA,B, KB,KDC(A,KA,B,RB1))

5 KA,B(RA2), KB,KDC(A, KA,B,RB1)

6 KA,B(RA2-1, RB2)

7 KA,B(RB2-1)

A1

2 KB,KDC(RB1)


Authentication Using Public-Key Crypthography

• KA+, KB

+: public keys

Alic

e

Bo

b

KB+(A, RA)1

2 KA+(RA, RB,KA,B)

3 KA,B(RB)


More on Secure Channels

• In addition to authentication, a secure channel also requires that messages are confidential, and that they maintain their integrity.

• For example: Alice needs to be sure that Bob cannot change a received message and claim it came from her. And Bob needs to be sure that he can prove the message was sent by/from Alice, just in case she decides to deny ever having sent it in the first place.

• Solution: Digital Signing.


Digital Signatures

• Digital signing a message using public-key cryptography.• This is implemented in the RSA technology. • Note: the entire document is encrypted/signed - this can sometimes be a costly

overkill.


Digital Signature Digests

• Digitally signing a message using a message digest. • Message is sent as plaintext. However, the digest can be used to assure Bob of

message integrity.


8.3 Access Control

"The art of war teaches us to rely not on the likelihood of the enemy's not coming, but on our own readiness to receive him; not on the chance of his not attacking,

but rather on the fact that we have made our position unassailable".The art of war, Sun Tzu


8.3.1 General Issues in Access Control

• Controlling an access to an object is all about protecting the object against invocations by subjects that are not allowed to have specific method carry out.

• Also, protection may include the object management issues, such as creating, renaming, or deleting objects.

• Protection is often enforced by reference monitor. A reference monitor records which subject may do what and decides whether subject allowed to have specific operation carried out.

Subject ObjectReference

Monitor

Request for operation

Authorized Request


Access Control Matrix • A common approach to modeling the access rights of subjects with respect to

objects, is to construct an access control matrix.

• Each subject is represented by a row in this matrix.

• Each object is represented by a column.

• If a Matrix is denoted ‘M’, then an Entry M [ s, o] lists precisely which operation subjects s can request the invocation of method ‘m’ of a object ‘o’.

• Problem:– For large environment, where we have thousands of users and millions of

objects that require protection, implementing Access control matrix is not efficient.

– Many entries in the matrix will be empty: a single subject will generally have access to relatively few objects.


Access Control Matrix (2)

• Two Techniques

1. Access Control List (ACL): in which each object maintain a list of the access rights of subjects that want to access the object.

• Matrix is distributed column-wise across all objects, and that empty entries are left out.

• Each object has its own ACL.

2. Capabilities: in which, distribute the matrix row –wise by giving each subject a list of capabilities it has for each object. In other words, a capability corresponds to an entry in the access control matrix.

• Not having the capability for a specific object means that subject has no access rights for the object.



Ref: http://www.owasp.org/columns/jwilliams/jwilliams3.html



Fig: Using ACL

ServerClient

Create access request r as subject s

ACL Object

if (s appear in ACL) if (r appear in ACL [s]) grant access;

Fig: Using Capabilities

ServerClient

Create access request r for object o

Pass capability

Object

if (r appear in C) grant access;


Protection Domains

• ACLs and capabilities help on efficiently implementing an access control matrix by ignoring all empty entries.

• Nevertheless, an ACL or capability list can still become quite large if no further measures are taken.

• One general way to reducing ACLs is to make use of “protection domain”.

• One approach to create “protection domain” is the formation of “groups”.

• Most common technique for forming a group is “hierarchical approach”


Protection Domains

• Hierarchical Approach:

– Advantage: managing group membership is relatively easy and that very large groups can be constructed efficiently.

– Disadvantage: looking up a member can be quite costly if the membership database is distributed.

– Alternative Approach: Instead of letting the reference monitor do all the work, an alternative is to let each subject carry a “certificate” listing the groups it belongs to. Whenever subject sends request, he handover the certificate to the reference monitor. It order to ensure that certificate is genuine digital signature mechanism is used.


8.3.2 Firewalls • Firewall is the special kind of

reference monitor, which has capability to disconnects any part of distributed system from the outside world.

• All the outgoing and specially incoming packets are routed through special computer and inspected before they are passed.

• Unauthorized traffic is discarded and not allowed to continue.


Limitations of Firewalls

• These are not capable of providing granular access control in which just part of application functionality is opened to specific group of users.

• Does not provide integrity or confidentiality.

• Do not predict or record suspicious activity, nor do they send alerts/alarms unless they are bundled with an IDS.


Packet Filtering Firewalls

• Packet Filtering Firewalls: Examining packet header and make a decision based on rules e.g. protocol, Source address / destination address, Source port / destination port, etc

• Advantages:

– Conceptually Simple

– Higher Performance

– More transparent

• Disadvantages

– Difficulty of setting up packet filter rules

– Lack of Authentication


Application level Gateways Firewalls

• Application level Gateways: Examining contents of all incoming an outgoing packets. Typical example is mail gateway.

• Advantages

– More rigorous security

– Less Transparent

– Better Control

• Disadvantages

– Additional processing overhead on each connection


8.3.3 Secure Mobile Code

• An important development in modern distributed systems is the ability to migrate the code between hosts instead of just migrating passive data.

• However mobile code introduces a number of serious security threads such as

– How to protect agents from malicious hosts that try to steal or modify information carried by agent?

– How to protect hosts against malicious agents?


Protecting an Agent (1)

• Scenario # 1

– Consider a mobile agent that is roaming a distributed system on behalf of a user.

– Such a agent may be searching for the cheapest airplane ticket from Seoul to Karachi, and has been authorized by its owner to make the reservation as soon as it found a flight.

– For this purpose, the agent may carry an electronic card.

• Security Concerns:

– When ever the agent moves to a host, that host should not be allowed to steal the agent’s credit card information.

– Agent should be protected against the modifications that make the owner pay much more than actually is needed.



• Unfortunately, fully protecting an agent against all types of attacks is impossible.

• This impossibility is primarily caused by the fact that no hard guarantees can be given that a host will do what it promises.

• Alternative Approach: is to organize agents in such a way that modification can be at least detected. This approach has been followed in Ajanta system (Karnik and Tripathi, 2001)

• Ajanta provides 3 mechanisms through which agent owner can be able to detect modifications.1. Read only state2. Append only logs and 3. Selective revealing of state to certain servers



• Read Only State: of Ajanta agent consist of a collection of data items that is signed by the agent’s owner.

• Signing take place at the time when agent constructed and initialized before it is send off to other hosts.

• The owner first construct the message digest, which is subsequently encrypt with it private key.

• When the agent arrives at a host, the host can easily detect whether the read only state has been tampered with the verifying state against the signed

message digest of the original state.



• Append Only Logs: allow an agent to collect information while moving between hosts.

• These logs are characterized by the fact that data can only be appended to the logs; there is no way that data can be removed or modified without the owner being able to detect this.

• Initially the log is empty and has only an associated checksum owner Cinit calculated as Cinit = K+

owner(N), K+owner is the public key of agent’s owner, and

N is a secret nonce known only to owner.

• When the agent moves to the server S that wants to hand it some data X, S append X to the log then signs X with its sig(S,X) and calculates a checksum: Cnew = K+

owner (Cold, sig (S, X), S) where Cold is the checksum used previously.

• When the agent comes back to its owner, the owner can easily verify whether the log has been tampered with.



• Ajanta supports Selective revealing of state by providing an array of data items, where each entry is intended for a designated server.

• Each entry is encrypted with the designated server’s public key to ensure confidentiality.

• The entire array is signed by the agent’s owner to ensure integrity of the array as a whole.

• If any entry is modified by a malicious host, any of the designated servers will notice and can take appropriate action.


Protecting the Target (1)

• One approach used for protection is “Sand Box”.

• Sand box is a technique by which a downloaded program is executed in such a way that each of its instructions can be fully controlled.

• If an attempt is made to execute an instruction that has been forbidden by the host, execution

of the program will be stopped.


Protecting the Target (2)

The organization of a Java sandbox.

8-27


8.4 Security Management


8.4.1 Key Establishment

• Scenario # 1 : By using Public Key Scheme• Pre-requisites:

– Both parties knows each other public key.

• Scenario # 2 : By using Shared Secret Key

1. Established Secure Channel

2. Generate session key and return it to Aliceby using her public key

AliceBob

1. Start secure communication


Key Establishment: Public Key Cryptosystem

• An elegant and widely applied scheme for establishing a shared secret key across insecure channel, is Diffie-Hellman key exchange.

1. First they agree on two large numbers, ‘n’ and ‘g’ that are subject to a number of mathematical properties

2. Both n and g can be made public; there is no need to hide them from outsiders3. Alice picks a large random number, say x, which she keeps secret4. Similarly Bob picks a large random number, say y, which he keeps secret5. Alice starts sending “gx mod n” to Bob along with “n”, “g”.6. When Bob receive the msg, then he calculate “gxy mod n”.

In addition he sends “gy mod n” to Alice, who can compute gxy mod n.7. Now Alice and Bob have shared secret key gxy mod n.

Eavesdropper


Secret Key Distribution (1)

• In symmetric cryptosystem, the initial shared key must be communicate along a secure channel that provides authentication and confidentiality.

• If there is no key available to Alice and Bob to setup such a secure channel, it is necessary to distribute the key out-of-band.


Public Key Distribution (2)

• In public cryptosystem, we need to distribute the public key in such a way that the receivers can be sure that the key is indeed paired to a claimed private key.

• In practice, public key distribution take place by means of public key certificates.


Digital Certificates: Samples


8.4.2 Secure Group Management (1)

• Many security systems make use of special services such as Key Distribution Centers (KDCs) or Certification Authorities (CAs).

• These services demonstrate a difficult problem in distributed systems

– In the First place , they must be trusted.

• To Enhance the trust in security services, it is necessary to provide a high degree of protection against all kinds of security threats.

• e.g. as soon as CA has compromised, it becomes impossible to verify the validity of public key.

– It must offer high availability. For example, in the case of KDC, each time two process want to setup a secure channel, at least one of them will need to contact the KDC for shared secret key.

• If the KDC is not available, secure communication cannot be established unless an alternative approach for key distribution is available.

• The solution for high availability is “replication”


Secure Group Management (2)

• Problem:

– How to actually manage a group of replicated servers.

– The problem that needs to be solved is to ensure that when a process asks to join group G, the integrity of the group is not compromised.

• Solution:

– A Group G is assumed to use secret key CKG shared by all group members for encrypting group messages.

– In addition it also uses a public and private key pair (KG+, KG

-) for communication with non-group members.

– When a process P wants to join th group G, it sends the join request JR identifying G, P, P’s local time T, a generated reply pad RP, and generated secret key KP,G.

– RP and KP,G are jointly encrypted using groups public key KG+.

– The joined request JR is signed by P, and is send along with a certificate containing P’s public key.


Secure Group Management (3)

• When a group member Q receives such a joined request, it first authenticates P, after which communication with other group members takes place to see whether P can be admitted as a group member.

• Authentication of P takes place in the usual way by means of certificate.


8.4.3 Authorization Management

• Managing security in distributed systems is also concerned with managing access rights.

• Most common technique for defining access rights is “capabilities”.

• Different implementations of capabilities exist. Here I will given you the implementation technique of “capabilities” that is used in “Amoeba operating system.”

• “Amoeba” is one of the first object-based distributed systems.


Amoeba Capabilities

• When a object is created, its server picks a random check field and stores it both in the capability as well as internally in its own table.

• All the right bits in new capability are initially on, and it is this owner capability that is return to client.

• When the capability is sent back to server in a request to perform an operation, the check field is verified.

• A “capability” is 128-bit identifier.

48 bits 24 bits 8 bits 48 bits

Server port Object Rights Check


Restricted Capabilities

• To create restricted capability, a client can pass a capability back to the server, along with a bit mask for the new rights.

• The server takes the original check field from its tables, XORs it with the new rights, and then runs the result through a one-way function.

• The server then creates a new capability, with the same value in the object field, but with the new rights field and the output of one-way hash value in the check field.

• The new capability is then return back to the caller. The client may send this new capability to another process.


Attribute Certificates

• A generalization of capabilities that is used in modern distributed systems is the attribute certificate.

• Attribute certificates can be used to list the access rights that the holder of a certificate has with respect to the identified resources.

• Attributed certificates are handed out by special certification authorities, called attribute certification authorities.


Delegation (1)

• Delegation: is the process of passing access rights from one process to another process.

• Advantage:

– It become easier to distribute work between several processes without adversely affecting the protection of resources.

• There are several ways to implement delegation. A general approach is the use of proxy.

• A proxy in the context of security in CS, is a token that allows it owner to operate with the same or restricted rights and privileges as the subject that granted the token.

• A process can create a proxy with at best the same rights and privileges it has itself.


Neuman’s Scheme for Proxy

• A proxy in Neuman’s scheme has two parts.

1. Let A be the process that create proxy. The first part of the proxy is a set C={R, S+

proxy}, consisting of a set R of access rights that have been delgated by A, along with the publicly known part of a secret that is used to authenticate the holder of the certificate. The certificate carries signature sig (S, A) of A, to protect against modifications.

2. 2nd part contains the other part of the secret, denoted as S-proxy is protected

against disclosures when delegating rights to another process.


Delegation (2)

• Using a proxy to delegate and prove ownership of access rights.


8.5 Example: Kerberos (1)


Example: Kerberos (2)

Authentication in Kerberos.


Example: Kerberos (3)

• Setting up a secure channel in Kerberos.


Home Assignment

• Read following Examples by your self

– 8.6 SEAME : Secure European System for Application in a Multi-vendor Environment.

– 8.7 Electronic Payment System


8.8 Summary• Security plays a an extremely important role in distributed systems.

• Three important issues has been discussed

1. How distributed system should offer facilities to establish secure channels between processes.

2. How can we implement access control or authorization.

3. How can we perform security management such as key management and authorization management.


Any Questions?

This chapter is presented by Weiwei & Riaz

real-time & multimedia lab chapter:8 security rtmm lab kyung hee univ. distributed system

Documents