1 CS 194: Distributed Systems Security Scott Shenker and Ion Stoica Computer Science Division Department of Electrical Engineering and Computer Sciences.

Slides:



Advertisements
Similar presentations
Last Class: The Problem BobAlice Eve Private Message Eavesdropping.
Advertisements

CIS 725 Key Exchange Protocols. Alice ( PB Bob (M, PR Alice (hash(M))) PB Alice Confidentiality, Integrity and Authenication PR Bob M, hash(M) M, PR Alice.
Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York.
1 Network Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
Distributed Systems CS Security – Part I Lecture 21, Nov 28, 2011 Majd F. Sakr, Vinay Kolar, Mohammad Hammoud.
EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 6 Wenbing Zhao Department of Electrical and Computer Engineering.
ECOMMERCE TECHNOLOGY SUMMER 2002 COPYRIGHT © 2002 MICHAEL I. SHAMOS Cryptographic Security.
Cryptography Basic (cont)
Spring 2002CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
ECOMMERCE TECHNOLOGY FALL 2003 COPYRIGHT © 2003 MICHAEL I. SHAMOS Cryptography.
8.1 Learning Objectives To become familiar with the range of security threats faced by networked and distributed systems (DSs); To examine various cryptographic.
8-1 What is network security? Confidentiality: only sender, intended receiver should “understand” message contents m sender encrypts message m receiver.
Symmetric Key Distribution Protocol with Hybrid Crypto Systems Tony Nguyen.
Cryptography (continued). Enabling Alice and Bob to Communicate Securely m m m Alice Eve Bob m.
EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 7 Wenbing Zhao Department of Electrical and Computer Engineering.
Network Security understand principles of network security:
EEC 688/788 Secure and Dependable Computing Lecture 7 Wenbing Zhao Department of Electrical and Computer Engineering Cleveland State University
Spring 2003CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
Cryptography April 20, 2010 MIS 4600 – MBA © Abdou Illia.
CS542: Topics in Distributed Systems Security. Why are Distributed Systems insecure?  Distributed component rely on messages sent and received from network.
TCP/IP Protocol Suite 1 Chapter 28 Upon completion you will be able to: Security Differentiate between two categories of cryptography schemes Understand.
Katz, Stoica F04 EE 122: (More) Network Security November 5, 2003.
8: Network Security8-1 Symmetric key cryptography symmetric key crypto: Bob and Alice share know same (symmetric) key: K r e.g., key is knowing substitution.
Public Key Cryptography RSA Diffie Hellman Key Management Based on slides by Dr. Lawrie Brown of the Australian Defence Force Academy, University College,
Security Management.
1 CS 194: Distributed Systems Security Scott Shenker and Ion Stoica Computer Science Division Department of Electrical Engineering and Computer Sciences.
Chapter 8.  Cryptography is the science of keeping information secure in terms of confidentiality and integrity.  Cryptography is also referred to as.
Alexander Potapov.  Authentication definition  Protocol architectures  Cryptographic properties  Freshness  Types of attack on protocols  Two-way.
Introduction to Public Key Cryptography
Public Key Model 8. Cryptography part 2.
Chapter 31 Network Security
CS5204 – Fall Cryptographic Security Presenter: Hamid Al-Hamadi October 13, 2009.
Message Digest Can provide data integrity and non-repudation
Computer Security Tran, Van Hoai Department of Systems & Networking Faculty of Computer Science & Engineering HCMC University of Technology.
Chi-Cheng Lin, Winona State University CS 313 Introduction to Computer Networking & Telecommunication Network Security (A Very Brief Introduction)
Network Security. Cryptography Cryptography functions Secret key (e.g., DES) Public key (e.g., RSA) Message digest (e.g., MD5) Security services Privacy:
Cryptography  Why Cryptography  Symmetric Encryption  Key exchange  Public-Key Cryptography  Key exchange  Certification.
Cryptography, Authentication and Digital Signatures
CS526: Information Security Prof. Sam Wagstaff September 16, 2003 Cryptography Basics.
Module 3 – Cryptography Cryptography basics Ciphers Symmetric Key Algorithms Public Key Algorithms Message Digests Digital Signatures.
Cryptography Wei Wu. Internet Threat Model Client Network Not trusted!!
Public Key Cryptography. symmetric key crypto requires sender, receiver know shared secret key Q: how to agree on key in first place (particularly if.
Chapter 16 Security Introduction to CS 1 st Semester, 2012 Sanghyun Park.
Internet-security.ppt-1 ( ) 2000 © Maximilian Riegel Maximilian Riegel Kommunikationsnetz Franken e.V. Internet Security Putting together the.
Network Security David Lazăr.
Encryption Questions answered in this lecture: How does encryption provide privacy? How does encryption provide authentication? What is public key encryption?
Tanenbaum & Van Steen, Distributed Systems: Principles and Paradigms, 2e, (c) 2007 Prentice-Hall, Inc. All rights reserved DISTRIBUTED.
Tanenbaum & Van Steen, Distributed Systems: Principles and Paradigms, 2e, (c) 2007 Prentice-Hall, Inc. All rights reserved DISTRIBUTED SYSTEMS.
Advanced Database Course (ESED5204) Eng. Hanan Alyazji University of Palestine Software Engineering Department.
Lecture 16: Security CDK4: Chapter 7 CDK5: Chapter 11 TvS: Chapter 9.
Upper OSI Layers Natawut Nupairoj, Ph.D. Department of Computer Engineering Chulalongkorn University.
Digital Signatures, Message Digest and Authentication Week-9.
Real-Time & MultiMedia Lab Chapter:8 Security RTMM Lab Kyung Hee Univ. Distributed System.
1 Network Security Basics. 2 Network Security Foundations: r what is security? r cryptography r authentication r message integrity r key distribution.
Security Many secure IT systems are like a house with a locked front door but with a side window open -somebody.
31.1 Chapter 31 Network Security Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.
CS 6401 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
Network Security Celia Li Computer Science and Engineering York University.
EE 122: Lecture 24 (Security) Ion Stoica December 4, 2001.
9.2 SECURE CHANNELS JEJI RAMCHAND VEDULLAPALLI. Content Introduction Authentication Message Integrity and Confidentiality Secure Group Communications.
Cryptographic Security Aveek Chakraborty CS5204 – Operating Systems1.
SECURITY. Security Threats, Policies, and Mechanisms There are four types of security threats to consider 1. Interception 2 Interruption 3. Modification.
Tanenbaum & Van Steen, Distributed Systems: Principles and Paradigms, 2e, (c) 2007 Prentice-Hall, Inc. All rights reserved DISTRIBUTED SYSTEMS.
Security Outline Encryption Algorithms Authentication Protocols
Advanced Computer Networks
Introduction to Security
CDK4: Chapter 7 CDK5: Chapter 11 TvS: Chapter 9
CDK: Chapter 7 TvS: Chapter 9
Presentation transcript:

1 CS 194: Distributed Systems Security Scott Shenker and Ion Stoica Computer Science Division Department of Electrical Engineering and Computer Sciences University of California, Berkeley Berkeley, CA

2 Attacks  Interception (eavesdropping): unauthorized party gains access to service or data  Interruption (denial of service attack): services or data become unavailable  Modification: unauthorized party changes the data or tampers with the service  Fabrication: unauthorized party generate additional data or activity

3 Security Requirements  Authentication: ensures that sender and receiver are who they are claiming to be  Data integrity: ensure that data is not changed from source to destination  Confidentiality: ensures that data is red only by authorized users  Non-repudiation: ensures that the sender has strong evidence that the receiver has received the message, and the receiver has strong evidence of the sender identity (not discussed here) -The sender cannot deny that it has sent the message and the receiver cannot deny that it has received the message

4 Outline  Cryptographic Algorithms (Confidentiality and Integrity)  Authentication

5 Cryptographic Algorithms  Security foundation: cryptographic algorithms -Secret key cryptography, Data Encryption Standard (DES) -Public key cryptography, RSA algorithm -Message digest, MD5

6 Symmetric Key  Both the sender and the receiver use the same secret keys Internet Encrypt with secret key Decrypt with secret key Plaintext Ciphertext

7 Data Encryption Standard (DES)  DES encrypts a 64-bit block of plain text using a 64-bit key  Three phases 1.Permute the 64 bits in the block 2.Apply a given operation 16 times on the 64 bits 3.Permute the 64 bits using the inverse of the original permutation Round 1 Round key 1 st phase IP(input) 3 rd phase IP -1 (input) 2 nd phase

8 Initial Permutation (IP)  IP: bit 58 of input becomes 1 st bit, bit 50 becomes 2 nd bit, etc  IP -1 : inverse of IP, e.g., IP(1) = 58, IP -1 (58) =

9 2 nd Phase: Operation In Each Round  Key K is 64 bits  16 rounds  Each round i select a 48 bit key K i from the original 64 bit key K. Perform (F is a given function): + F KiKi L i-1 R i-1 LiLi RiRi

10 Encrypting Larger Messages  Initialization Vector (IV) is a random number generated by sender and sent together with the ciphertext + Block 1 Cipher 1 DES + Block 2 DES + Block 3 DES + Block 4 DES Cipher 2 Cipher 3 Cipher 4 IV

11 DES Properties  Provide confidentiality -No mathematical proof, but practical evidence suggests that decrypting a message without knowing the key requires exhaustive search -To increase security use triple-DES, i.e., encrypt the message three times

12 Public-Key Cryptography: RSA (Rivest, Shamir, and Adleman)  Sender uses a public key -Advertised to everyone  Receiver uses a private key Internet Encrypt with public key Decrypt with private key Plaintext Ciphertext

13 Generating Public and Private Keys  Choose two large prime numbers p and q (~ 256 bit long) and multiply them: n = p*q  Chose encryption key e such that e and (p-1)*(q-1) are relatively prime  Compute decryption key d, where d = e -1 mod ((p-1)*(q-1)) (equivalent to d*e = 1 mod ((p-1)*(q-1)))  Public key consist of pair (n, e)  Private key consists of pair (n, d)

14 RSA Encryption and Decryption  Encryption of message block m: -c = m e mod n  Decryption of ciphertext c: -m = c d mod n

15 Example (1/2)  Choose p = 7 and q = 11  n = p*q = 77  Compute encryption key e: (p-1)*(q-1) = 6*10 = 60  chose e = 13 (13 and 60 are relatively prime numbers)  Compute decryption key d such that 13*d = 1 mod 60  d = 37 (37*13 = 481)

16 Example (2/2)  n = 77; e = 13; d = 37  Send message block m = 7  Encryption: c = m e mod n = 7 13 mod 77 = 35  Decryption: m = c d mod n = mod 77 = 7

17 Properties  Confidentiality  A receiver B computes n, e, d, and sends out (n, e) -Everyone who wants to send a message to A uses (n, e) to encrypt it  How difficult is to recover d ? (Someone that can do this can decrypt any message sent to B !)  Recall that d = e -1 mod ((p-1)*(q-1))  So to find d, you need to find primes factors p and q -This is provable very difficult

18 Message Digest (MD) 5  Can provide data integrity and non-repudation -Used to verify the authentication of a message  Idea: compute a hash on the message and send it along with the message  Receiver can apply the same hash function on the message and see whether the result coincides with the received hash

19 Message Digest Operation  Transformation contains complex operations (see textbook) 512 bits Message (padded) Initial digest (constant) Transformation... Message digest

20 Digital Signature  In practice someone cannot alter the message without modifying the digest -Digest operation very hard to invert  Encrypt digest with sender’s private key  K A -, K A + : private and public keys of A

21 Digital Signature Properties  Integrity: an attacker cannot change the message without knowing A’s private key  Confidentiality: if needed, encrypt message with B’s public key

22 Outline  Cryptographic Algorithms (Confidentiality and Integrity)  Authentication

23 Authentication  Goal: Make sure that the sender an receiver are the ones they claim to be  Solutions based on secret key cryptography (e.g., DES) -Three-way handshaking -Trusted third party (key distribution center)  One solution based on public key cryptography (e.g., RSA) -Public key authentication

24 Authentication  Authentication based on a shared secret key -A, B: sender and receiver identities -K A,B : shared secret key -R A,R B : random keys exchanged by A and B to verify identities Alice Bob A 1 RBRB 23 K A,B (R B ) RARA 45 K A,B (R A )

25 “Optimization”  Is this authentication protocol secure? Alice Bob A, R A 1 2 R B, K A,B (R A ) 3 K A,B (R B )

26 Reflection Attack  An attacker (Chuck) can fool Bob in believing that he is Alice! Chuck A, R C 1 2 R B, K A,B (R C ) Alice Bob A, R B 3 4 R B2, K A,B (R B ) 2 nd session 1 st session 5 K A,B (R B ) 1 st session

27 Authentication using KDC (Basic Protocol)  KDC – Key Distribution Center  Maintain only N keys in the system: one for each node Alice Bob A, B 1 KDC (generates K A,B ) 2 K A,KDC (K A,B )K B,KDC (K A,B ) 2

28 Authentication using KDC (Ticket Based)  No need for KDC to contact Bob Alice Bob A, B 1 KDC 2 K A,KDC (K A,B ), 3 K B,KDC (K A,B ) A, K B,KDC (K A,B )  Vulnerable to replay attacks if Chuck gets hold on K B,KDC old

29 Authentication using KDC (Needham-Schroeder Protocol)  Relate messages 1 and 2: use challenge response mechanism  R A1, R A2, R B : nonces -Nonce: random number used only once to relate two messages Alice Bob R A1,A,B 1 KDC 2 K A,KDC (R A1,B,K A,B, K B,KDC (A,K A,B )) 3 K A,B (R A2 ), K B,KDC (A, K A,B ) 4 K A,B (R A2 -1, R B ) 5 K A,B (R B -1)  Vulnerable to replay attacks if Chuck gets hold on K A,B

30 What if R A1 is Missing?  Assume Chuck intercepted -K A,KDC (B,K A,B, K B,KDC old (A,K A,B )) -Knows K B,KDC old Bob (K B,KDC ) A,B 1 KDC Alice 3 K A,B (R A2 ), K B,KDC old (A, K A,B ) 4 K A,B (R A2 -1, R B ) 5 K A,B (R B -1) Chuck (K B,KDC old ) 2 K A,KDC (B,K A,B, K B,KDC old (A,K A,B )) (replayed message) Here Chuck gets K A,B !

31 What if B is Missing from Message 2?  Assume Chuck intercepts message 1 Alice Bob (K B,KDC ) R A1,A,B 1 KDC 2 K A,KDC (R A1,K A,C, K C,KDC (A,K A,C )) 3 K A,C (R A2 ), K C,KDC (A, K A,C ) 4 K A,C (R A2 -1, R B ) 5 K A,C (R B -1) Chuck (K B,KDC old ) R A1,A,C Here Chuck gets K A,C !

32 What if Chuck gets K A,B old ?  Assume Chuck intercepted -K A,B (R A2 ), K B,KDC,(A,K A,B ) -Knows K A,B old Alice Bob R A1,A,B 1 KDC 2 K A,KDC (R A1,B,K A,B, K B,KDC (A,K A,B )) 3 K A,B old (R A2 ), K B,KDC (A, K A,B old ) 4 K A,B old (R A2 -1, R B ) 5 K A,B old (R B -1) (replayed message) Chuck (K A,B old )

33 Defend Against leaking of K A,B  Message 5 (former 3) contains an encrypted nonce (K B,KDC (R B1 )) provided by Bob  Chuck can no longer replay message 4 (former 3) Alice Bob R A1,A,B, K B,KDC (R B1 ) 3 KDC 4 K A,KDC (R A1,B,K A,B, K B,KDC (A,K A,B,R B1 )) 5 K A,B (R A2 ), K B,KDC (A, K A,B,R B1 ) 6 K A,B (R A2 -1, R B2 ) 7 K A,B (R B2 -1) A 1 2 K B,KDC (R B1 )

34 Authentication Using Public-Key Crypthography  K A +, K B + : public keys Alice Bob K B + (A, R A ) 1 2 K A + (R A, R B,K A,B ) 3 K A,B (R B )

35 Secure Replicated Servers  A client issues a request to a group of replicated servers  Servers can be subject to Byzantine failures  How does the client gets the answer?

36 Strawman Solution  Servers gets replies from all servers…  … and take majority voting  Problem: client needs to authenticate each server (violates replication transparency)

37 Solution: Secret Sharing  Secret sharing: none of users know the entire secret  Intuition: -Assume we want to tolerate c failures (some of them can by Byzantine failures) -Need to combine responses such that c+1 correct servers are sufficient to get the correct response

38 (k,n)-threshold Signature Scheme  One public key K +  n shares of corresponding private keys, K i -, 1 <= i <= n  Encrypted value v with each of private key shares, i.e., v i =K i - (v)  A client can decrypt value v using K + only if it knows at least k values of v i

39 Solution: Secret Sharing  Assume 5 replicated servers that tolerate 2 corrupted servers

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.