Security Protection Tanenbaum & Bo, Modern Operating Systems:4th ed., (c) 2013 Prentice-Hall, Inc. All rights reserved.
Computer Security Triad Three key objectives are at the heart of computer security: confidentiality, integrity, and availability of data and services.
The Security Environment Threats Security goals and threats.
Can We Build Secure Systems? Two questions concerning security: 1. Is it possible to build a secure computer system? 2. If so, why is it not done?
Trusted Computing Base Reference monitor: accepts all system calls involving security and makes the security decisions.
Protection Domains Resources to be protected. A domain is a set of (object, rights) pairs. – Each pair specifies an object and some operation that can be performed on it. – Right, in this context, means the permission to perform one of the operations.
Protection Domains (1) Three protection domains.
Principle of Least Authority In general, security works best when each domain has the minimum objects and privileges to do its work and no more.
Protection Domains (2) A protection matrix.
Protection Domains (3) A protection matrix with domains as objects.
Two methods of implementation: access control lists and capability lists.
Access control lists: slice by columns A protection matrix.
Access Control Lists (1) Use of access control lists to manage file access.
Access Control Lists (2) Tana belongs to two groups and requires 2 logins. An alternative is to have each entry be a group OR an individual: Pigeon_data: debbie:RW, phil:RW, pigfan:RW
Access Control Lists (2) Easy to change permissions with respect to file. Only check at file open.
Capabilities lists: slice by rows A protection matrix.
Capabilities (1) When capabilities are used, each process has a capability list.
Capabilities (2) Protect the list from tampering: a cryptographically protected capability. Suited for distributed files.
Cryptographically protected capability list
– Client sends a message to the remote server to create a file object.
– Server creates the object and generates a long random number, the ‘check field’.
– A slot on the server’s table (inode) is reserved for it.
– It is not sent back to the user and is never put on the network.
Cryptographically protected capability list
– Sent to the user is the capability entry in the form:
– Run object, rights, and check through a one-way function (f).
– User sends the capability entry when it wants to access the file.
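The scheme on the two slides above, as an added example that is not from the slides or the textbook: a toy server keeps a per-object check field, hands out (server, object, rights, f(object, rights, check)), and recomputes f on every access. HMAC-SHA256 standing in for the one-way function f, the rights bitmap, the `revoke` method and all class and function names are assumptions of this example.

```python
import hashlib
import hmac
import secrets

# Rights as a bitmap (constructed for this example).
READ, WRITE, EXECUTE = 0b100, 0b010, 0b001


class CapabilityServer:
    """Toy file server that issues cryptographically protected capabilities."""

    def __init__(self, name):
        self.name = name
        self._check = {}        # object number -> check field; never leaves the server
        self._next_object = 1

    def _f(self, obj, rights):
        # One-way function f(object, rights, check).
        # Assumption: HMAC-SHA256 keyed with the check field.
        data = f"{obj}:{rights}".encode()
        return hmac.new(self._check[obj], data, hashlib.sha256).hexdigest()

    def create_object(self, rights):
        """Create an object and return the capability sent to the user."""
        obj = self._next_object
        self._next_object += 1
        self._check[obj] = secrets.token_bytes(32)   # long random check field
        return (self.name, obj, rights, self._f(obj, rights))

    def access(self, capability, wanted):
        """Recompute f from the presented object and rights; any edit breaks the match."""
        server, obj, rights, tag = capability
        if server != self.name or obj not in self._check:
            return False
        if not hmac.compare_digest(tag, self._f(obj, rights)):
            return False
        return rights & wanted == wanted

    def revoke(self, obj):
        """Replacing the check field invalidates every capability issued for obj."""
        self._check[obj] = secrets.token_bytes(32)


def demo():
    server = CapabilityServer("fs1")
    cap = server.create_object(READ | WRITE)
    # The user edits the rights field but cannot recompute f without the check field.
    tampered = (cap[0], cap[1], READ | WRITE | EXECUTE, cap[3])
    results = {
        "read with issued capability": server.access(cap, READ),
        "execute with issued capability": server.access(cap, EXECUTE),
        "execute with tampered rights": server.access(tampered, EXECUTE),
    }
    server.revoke(cap[1])
    results["read after revoke"] = server.access(cap, READ)
    return results


if __name__ == "__main__":
    for label, allowed in demo().items():
        print(f"{label}: {allowed}")
```
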
Capabilities (3) Examples of generic rights:
1. Copy capability: create new capability for same object.
2. Copy object: create duplicate object with new capability.
3. Remove capability: delete entry from C-list; object unaffected.
4. Destroy object: permanently remove object and capability.
Formal Models of Secure Systems (a) An authorized state. (b) An unauthorized state.
Multilevel Security
– Discretionary Access Control: operating systems allow individual users to determine who may read and write their files.
– Mandatory Access Control: organizational rules state who can see and modify what.
Multilevel Security: Bell-LaPadula Model
Bell-LaPadula Model rules for information flow:
1. The simple security property – Process running at security level k can read only objects at its level or lower
2. The * property – Process running at security level k can write only objects at its level or higher
Bell-LaPadula Model The Bell-LaPadula multilevel security model.
Bell-LaPadula Model The Bell-LaPadula multilevel security model was devised to keep secrets, not guarantee the integrity of data.
The Biba Model To guarantee the integrity of the data:
1. The simple integrity principle – process running at security level k can write only objects at its level or lower (no write up).
2. The integrity * property – process running at security level k can read only objects at its level or higher (no read down).
BUT… security leaks still can occur
Covert Channels (1) (a) The client, server, and collaborator processes. (b) The encapsulated server can still leak to the collaborator via covert channels.
Covert Channels (2) Figure A covert channel using file locking.
Steganography Concealing secrets in plain sight – Hiding secret information in paintings, jpegs, MP3 files… or messages… or the network Network Security
Steganography example The German Embassy in Washington, DC, sent these messages in telegrams to their headquarters in Berlin during World War I (Kahn 1996). PRESIDENT'S EMBARGO RULING SHOULD HAVE IMMEDIATE NOTICE. GRAVE SITUATION AFFECTING INTERNATIONAL LAW. STATEMENT FORESHADOWS RUIN OF MANY NEUTRALS. YELLOW JOURNALS UNIFYING NATIONAL EXCITEMENT IMMENSELY. PERSHING SAILS FROM N.Y. JUNE 1
“StegTorrent” Bob sends messages through computers which he previously established control over. The order of the messages, and which computer sends them, hides the secret.
– Bob commands two computers to request a file from Alice
– Alice sends message to computer 1 then computer 2: binary 1
– Alice sends message to computer 2 then computer 1: binary 0
Skyde (Skype Hide)
– Skype packs data into audio packets while Alice is talking.
– Skype continues to send audio packets when Alice is silent. This improves the quality of the call and helps data continue to clear firewalls.
– ‘Silent’ packets are hijacked: their contents are replaced with encrypted data. The receiver application just assumes the original silent packets were lost.
– 30% of silent packets can be compromised without notice.
Steganography (a) Three zebras and a tree. (b) Three zebras, a tree, and the complete text of five plays by William Shakespeare. Demo:
Basics of Cryptography Relationship between the plaintext and the ciphertext.
Secret-Key Cryptography An encryption algorithm in which each letter is replaced by a different letter.
Key Cryptography
– symmetric key crypto: requires sender, receiver know shared secret key
– Q: how to agree on key in first place (particularly if never “met”)? Diffie-Hellman key exchange (Khan Academy)
– public key cryptography: radically different approach [Diffie-Hellman76, RSA78]
– sender, receiver do not share secret key
– public encryption key known to all
– private decryption key known only to receiver
Public key cryptography Figure: the plaintext message, $m$, goes through the encryption algorithm with Bob’s public key $K_B^+$, giving the ciphertext $K_B^+(m)$; the decryption algorithm with Bob’s private key $K_B^-$ returns the plaintext message $m = K_B^-(K_B^+(m))$.
Public key encryption algorithms Requirements:
1. need $K_B^+(\cdot)$ and $K_B^-(\cdot)$ such that $K_B^-(K_B^+(m)) = m$
2. given public key $K_B^+$, it should be impossible to compute private key $K_B^-$
RSA: Rivest, Shamir, Adleman algorithm
Prerequisite: modular arithmetic
x mod n = remainder of x when divided by n
Facts:
[(a mod n) + (b mod n)] mod n = (a+b) mod n
[(a mod n) - (b mod n)] mod n = (a-b) mod n
[(a mod n) * (b mod n)] mod n = (a*b) mod n
Thus $(a \bmod n)^d \bmod n = a^d \bmod n$
Example: x=14, n=10, d=2: $(x \bmod n)^d \bmod n = 4^2 \bmod 10 = 6$; $x^d = 14^2 = 196$, so $x^d \bmod 10 = 6$
RSA: getting ready A message is a bit pattern. A bit pattern can be uniquely represented by an integer number. Thus encrypting a message is equivalent to encrypting a number. Example m= This message is uniquely represented by the decimal number 145. To encrypt m, we encrypt the corresponding number, which gives a new number (the ciphertext).
RSA: Creating public/private key pair
1. Choose two large prime numbers p, q. (e.g., 1024 bits each)
2. Compute n = pq, z = (p-1)(q-1)
3. Choose e (with e<n) that has no common factors with z. (e, z are “relatively prime”).
4. Choose d such that ed-1 is exactly divisible by z. (in other words: ed mod z = 1).
5. Public key is (n,e), written $K_B^+$. Private key is (n,d), written $K_B^-$.
RSA: Encryption, decryption
0. Given (n,e) and (n,d) as computed above
1. To encrypt message m (<n), compute $c = m^e \bmod n$
2. To decrypt received bit pattern, c, compute $m = c^d \bmod n$
Magic happens! $m = (m^e \bmod n)^d \bmod n$, where $c = m^e \bmod n$
RSA example: Bob chooses p=5, q=7. Then n=35, z=24. e=5 (so e, z relatively prime). d=29 (so ed-1 exactly divisible by z). Encrypting 8-bit messages.
[Table: encrypt row with columns bit pattern, $m$, $m^e$, $c = m^e \bmod n$; decrypt row with columns $c$, $c^d$, $m = c^d \bmod n$]
Why does RSA work? Must show that $c^d \bmod n = m$ where $c = m^e \bmod n$
Fact: for any x and y: $x^y \bmod n = x^{(y \bmod z)} \bmod n$ – where n = pq and z = (p-1)(q-1) – if p and q are prime
Thus, $c^d \bmod n = (m^e \bmod n)^d \bmod n = m^{ed} \bmod n = m^{(ed \bmod z)} \bmod n = m^1 \bmod n = m$
RSA: another important property The following property will be very useful later: $K_B^-(K_B^+(m)) = m = K_B^+(K_B^-(m))$. Left side: use public key first, followed by private key. Right side: use private key first, followed by public key. Result is the same!
Why is $K_B^-(K_B^+(m)) = m = K_B^+(K_B^-(m))$? Follows directly from modular arithmetic: $(m^e \bmod n)^d \bmod n = m^{ed} \bmod n = m^{de} \bmod n = (m^d \bmod n)^e \bmod n$
Why is RSA Secure?
– suppose you know Bob’s public key (n,e). How hard is it to determine d?
– essentially need to find factors of n without knowing the two factors p and q.
– fact: factoring a big number is hard.
Generating RSA keys
– have to find big primes p and q
– approach: make good guess then apply testing rules (see Kaufman)
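The RSA slides above carried through in code, as an added example that is not from the slides: it checks the key-generation conditions for Bob's p=5, q=7, e=5, d=29, encrypts and decrypts, applies the keys in both orders, and shows for the "Why is RSA secure?" slide that a tiny n can be factored to recover a working d. The message m=12 and all function names are constructed for this example.

```python
from math import gcd, isqrt


def rsa_keypair(p, q, e, d):
    """Check steps 2-4 of the key-generation slide; return (public, private)."""
    n, z = p * q, (p - 1) * (q - 1)
    if not 1 < e < n or gcd(e, z) != 1:
        raise ValueError("e must be < n and have no common factors with z")
    if (e * d - 1) % z != 0:
        raise ValueError("ed - 1 must be exactly divisible by z")
    return (n, e), (n, d)


def apply_key(key, x):
    """Compute x^exponent mod n; the same operation serves K+ and K-."""
    n, exponent = key
    if not 0 <= x < n:
        raise ValueError("message must be an integer smaller than n")
    return pow(x, exponent, n)


def private_exponent_from_public(public):
    """Factor n by trial division and derive the smallest valid d.

    Only feasible because n is tiny; large primes are what rule this out.
    """
    n, e = public
    for p in range(2, isqrt(n) + 1):
        if n % p == 0:
            q = n // p
            return pow(e, -1, (p - 1) * (q - 1))   # modular inverse, Python 3.8+
    raise ValueError("no factor found")


def demo():
    public, private = rsa_keypair(p=5, q=7, e=5, d=29)
    m = 12                                     # constructed sample message
    c = apply_key(public, m)                   # c = m^e mod n
    decrypted = apply_key(private, c)          # m = c^d mod n
    # Private key first, then public key: the result is the same.
    other_order = apply_key(public, apply_key(private, m))
    # Smallest d for this toy key is 5, equal to e; the slide's 29 is 5 + z.
    d_found = private_exponent_from_public(public)
    return {"c": c, "decrypted": decrypted,
            "other_order": other_order, "d_found": d_found}


if __name__ == "__main__":
    print(demo())
```
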
Ensuring Networked Message Integrity allows communicating parties to verify that received messages are authentic.
– Content is not read by anyone other than intended recipient
– Content of message has not been altered
– Source of message is who/what you think it is
– Message has not been replayed
Ensuring Networked Message Integrity Goal: Allow communicating parties to verify that received messages are authentic.
– Content is not read by anyone other than intended recipient: Encryption
– Content of message has not been altered
– Source of message is who/what you think it is
– Message has not been replayed
Ensuring Network Message Integrity allows communicating parties to verify that received messages are authentic.
– Content is not read by anyone other than intended recipient: Encryption
– Content of message has not been altered: Message Digests
– Source of message is who/what you think it is
– Message has not been replayed
Message Digests
– function H( ) that takes as input an arbitrary length message and outputs a fixed-length string: “message signature”
– note that H( ) is a many-to-1 function
– H( ) is often called a “hash function”
desirable properties:
– easy to calculate
– irreversibility: can’t determine m from H(m)
– collision resistance: computationally difficult to produce m and m’ such that H(m) = H(m’)
– seemingly random output
Figure: large message m → H: Hash Function → H(m)
Internet checksum: poor message digest
Internet checksum has some properties of hash function:
– produces fixed length digest (16-bit sum) of input
– is many-to-one
but given message with given hash value, it is easy to find another message with same hash value.
e.g.,: simplified checksum: add 4-byte chunks at a time: I O U B O B 49 4F E D2 42 message ASCII format B2 C1 D2 AC I O U B O B 49 4F E D2 42 message ASCII format B2 C1 D2 AC different messages but identical checksums!
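The simplified checksum from the slide above, as an added example that is not from the slides: it adds a message 4 bytes at a time and shows that swapping two bytes in the same column of different chunks leaves the sum unchanged, while a cryptographic hash changes. The two IOU messages are constructed sample inputs, SHA-256 is this example's choice of contrast, and the function names are hypothetical.

```python
import hashlib


def simplified_checksum(message: bytes) -> int:
    """Add the message 4 bytes at a time (zero-padded), keeping 32 bits."""
    padded = message + b"\x00" * (-len(message) % 4)
    total = 0
    for i in range(0, len(padded), 4):
        chunk = int.from_bytes(padded[i:i + 4], "big")
        total = (total + chunk) & 0xFFFFFFFF
    return total


def swap_same_column(message: bytes, i: int, j: int) -> bytes:
    """Swap two bytes that occupy the same position within different 4-byte chunks.

    Addition is commutative per column, so the checksum cannot see the change.
    """
    if i % 4 != j % 4:
        raise ValueError("bytes must be in the same column of their chunks")
    out = bytearray(message)
    out[i], out[j] = out[j], out[i]
    return bytes(out)


# Constructed sample messages: an IOU whose amount is altered.
ORIGINAL = b"IOU100.99BOB"
ALTERED = swap_same_column(ORIGINAL, 3, 7)   # b"IOU900.19BOB"


def compare():
    """Return (checksums equal?, SHA-256 digests equal?) for the two messages."""
    same_sum = simplified_checksum(ORIGINAL) == simplified_checksum(ALTERED)
    same_hash = (hashlib.sha256(ORIGINAL).digest()
                 == hashlib.sha256(ALTERED).digest())
    return same_sum, same_hash


if __name__ == "__main__":
    print(ORIGINAL, format(simplified_checksum(ORIGINAL), "08X"))
    print(ALTERED, format(simplified_checksum(ALTERED), "08X"))
    print("checksums equal, SHA-256 equal:", compare())
```
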
Hashed Message Digest
MD5 hash function widely used (RFC 1321) – computes 128-bit message digest in 4-step process.
SHA-1 is also used. – US standard [NIST, FIPS PUB 180-1] – 160-bit message digest
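Message Authentication Code (MAC) s = shared secret
Figure: the sender runs the message and s through H( ) and sends the message with the result; the receiver runs the received message and s through H( ) and compares.
– Authenticates sender
– Verifies message integrity
– No encryption!
– Also called “keyed hash”
– Notation: $MD_m = H(s \| m)$; send $m \| MD_m$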
Message Integrity allows communicating parties to verify that received messages are authentic.
– Content is not read by anyone other than intended recipient
– Content of message has not been altered: Message Digests
– Source of message is who/what you think it is: Digital Signatures, Certification Authority
– Message has not been replayed
REMEMBER: RSA important property The following property will be very useful later: $K_B^-(K_B^+(m)) = m = K_B^+(K_B^-(m))$. Left side: use public key first, followed by private key. Right side: use private key first, followed by public key. Result is the same!
Digital Signatures cryptographic technique analogous to hand-written signatures.
– sender (Bob) digitally signs document, establishing he is document owner/creator.
– goal is similar to that of MAC, except now use public-key cryptography
– verifiable, nonforgeable: recipient (Alice) can prove to someone that Bob, and no one else (including Alice), must have signed document
(Non-repudiation: Alice can take m, and signature $K_B^-(m)$ to court and prove that Bob signed m.)
Digital Signatures simple digital signature for message m: Bob signs m by encrypting with his private key $K_B^-$, creating “signed” message, $K_B^-(m)$
Figure: Bob’s message, m (“Dear Alice Oh, how I have missed you. I think of you all the time! …(blah blah blah) Bob”) goes through the public key encryption algorithm with Bob’s private key $K_B^-$, giving Bob’s message, m, signed (encrypted) with his private key: $K_B^-(m)$
Digital signature = signed message digest
– Bob sends digitally signed message: large message m → H: Hash function → H(m) → digital signature (encrypt) with Bob’s private key $K_B^-$ → encrypted msg digest $K_B^-(H(m))$; Bob sends m + $K_B^-(H(m))$
– Alice verifies signature and integrity of digitally signed message: large message m → H: Hash function → H(m); encrypted msg digest $K_B^-(H(m))$ → digital signature (decrypt) with Bob’s public key $K_B^+$ → H(m); equal?
Digital Signatures (more)
– suppose Alice receives msg m, digital signature $K_B^-(m)$
– Alice verifies m signed by Bob by applying Bob’s public key $K_B^+$ to $K_B^-(m)$ then checks $K_B^+(K_B^-(m)) = m$.
– if $K_B^+(K_B^-(m)) = m$, whoever signed m must have used Bob’s private key
Alice thus verifies that:
– Bob signed m.
– no one else signed m.
– Bob signed m and not m’.
Non-repudiation: Alice can take m, and signature $K_B^-(m)$ to court and prove that Bob signed m.
Ensuring Message Integrity
– Content is not read by anyone other than intended recipient: Encryption
– Content of message has not been altered: Message Digests
– Source of message is who/what you think it is: Digital Signatures, Certification Authority
– Message has not been replayed
Public-key certification motivation: Trudy plays pizza prank on Bob
– Trudy creates order: Dear Pizza Store, Please deliver to me four pepperoni pizzas. Thank you, Bob
– Trudy signs order with her private key
– Trudy sends order to Pizza Store
– Trudy sends to Pizza Store her public key, but says it’s Bob’s public key.
– Pizza Store verifies signature; then delivers four pizzas to Bob.
– Bob doesn’t even like Pepperoni
Certification Authorities Certification authority (CA): binds public key to particular entity, E. E (person, router) registers its public key with CA.
– E provides “proof of identity” to CA.
– CA creates certificate binding E to its public key.
– certificate containing E’s public key digitally signed by CA
– CA says “this is E’s public key”
Figure: Bob’s public key $K_B^+$ and Bob’s identifying information go through digital signature (encrypt) with CA private key $K_{CA}^-$, giving the certificate for Bob’s public key, signed by CA.
Certification Authorities when Alice wants Bob’s public key:
– gets Bob’s certificate (Bob or elsewhere).
– apply CA’s public key to Bob’s certificate, get Bob’s public key
Figure: the certificate goes through digital signature (decrypt) with CA public key $K_{CA}^+$, giving Bob’s public key $K_B^+$.
Certificates: summary primary standard X.509 (RFC 2459)
certificate contains:
– issuer name
– entity name, address, domain name, etc.
– entity’s public key
– digital signature (signed with issuer’s private key)
Public-Key Infrastructure (PKI)
– certificates, certification authorities
– often considered “heavy”
Ensuring Message Integrity
– Content is not read by anyone other than intended recipient: Encryption
– Content of message has not been altered: Message Digests
– Source of message is who/what you think it is: Digital Signatures, Certification Authority
– Message has not been replayed: Nonce
End-point authentication
– want to be sure of the originator of the message: end-point authentication
– assuming Alice and Bob have a shared secret, will MAC provide end-point authentication?
– we do know that Alice created message.
– … but did she send it?
Playback attack MAC = f(msg,s)
Figure: the message “Transfer $1M from Bill to Trudy” is sent with its MAC, and the same message and MAC are then sent again.
Defending against playback attack: nonce MAC = f(msg,s,R)
Figure: “I am Alice” is sent, the nonce R comes back, and the message “Transfer $1M from Bill to Susan” is then sent with its MAC.
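The playback attack and the nonce defence from the two slides above, as an added example that is not from the slides: one receiver checks only MAC = f(msg, s) and accepts the same message twice, the other issues a fresh R per request and accepts each R once. HMAC-SHA256 standing in for f, the 16-byte nonce, and all names are assumptions of this example.

```python
import hashlib
import hmac
import secrets

NONCE_LEN = 16   # fixed length keeps R || msg unambiguous (assumption of this example)


def mac(msg: bytes, s: bytes, nonce: bytes = b"") -> bytes:
    """f(msg, s) or f(msg, s, R): HMAC-SHA256 keyed with the shared secret s."""
    return hmac.new(s, nonce + msg, hashlib.sha256).digest()


def accept_without_nonce(msg: bytes, tag: bytes, s: bytes) -> bool:
    """Receiver that only checks MAC = f(msg, s); it cannot tell a replay apart."""
    return hmac.compare_digest(tag, mac(msg, s))


class NonceReceiver:
    """Receiver that hands out a fresh nonce R and checks MAC = f(msg, s, R)."""

    def __init__(self, s: bytes):
        self._s = s
        self._outstanding = set()

    def challenge(self) -> bytes:
        r = secrets.token_bytes(NONCE_LEN)
        self._outstanding.add(r)
        return r

    def accept(self, msg: bytes, nonce: bytes, tag: bytes) -> bool:
        if nonce not in self._outstanding:
            return False                      # unknown or already used R
        self._outstanding.discard(nonce)      # each R is good for one attempt
        return hmac.compare_digest(tag, mac(msg, self._s, nonce))


def demo():
    s = secrets.token_bytes(32)               # shared secret
    msg = b"Transfer $1M from Bill to Trudy"

    # Without a nonce the recorded (msg, MAC) pair verifies every time.
    tag = mac(msg, s)
    naive = [accept_without_nonce(msg, tag, s) for _ in range(2)]

    # With a nonce the recorded pair is tied to one R.
    receiver = NonceReceiver(s)
    r1 = receiver.challenge()
    tag1 = mac(msg, s, r1)
    first = receiver.accept(msg, r1, tag1)
    replay_same_r = receiver.accept(msg, r1, tag1)   # R already consumed
    r2 = receiver.challenge()
    replay_new_r = receiver.accept(msg, r2, tag1)    # old MAC does not cover new R
    return naive, first, replay_same_r, replay_new_r


if __name__ == "__main__":
    print(demo())
```
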
Digital Signatures (a) Computing a signature block. (b) What the receiver gets.
Authentication (1) Methods of authenticating users when they attempt to log in are based on one of three general principles:
1. Something the user knows.
2. Something the user has.
3. Something the user is.
Authentication (2) (a) A successful login. (b) Login rejected after name is entered. (c) Login rejected after name and password are typed.
UNIX Password Security The use of salt to defeat precomputation of encrypted passwords.
Challenge-Response Authentication Questions should be chosen so that the user does not need to write them down. Examples:
1. On what street was your elementary school?
2. What did Mrs. Ellis teach?
Authentication Using a Physical Object Use of a smart card for authentication.
Authentication Using Biometrics A device for measuring finger length.
End of part 1