Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 CS 194: Distributed Systems Security Scott Shenker and Ion Stoica Computer Science Division Department of Electrical Engineering and Computer Sciences.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "1 CS 194: Distributed Systems Security Scott Shenker and Ion Stoica Computer Science Division Department of Electrical Engineering and Computer Sciences."— Presentation transcript:

1 1 CS 194: Distributed Systems Security Scott Shenker and Ion Stoica Computer Science Division Department of Electrical Engineering and Computer Sciences University of California, Berkeley Berkeley, CA 94720-1776

2 2 Attacks  Interception (eavesdropping): unauthorized party gains access to service or data  Interruption (denial of service attack): services or data become unavailable  Modification: unauthorized party changes the data or tampers with the service  Fabrication: unauthorized party generate additional data or activity

3 3 Security Requirements  Authentication: ensures that sender and receiver are who they are claiming to be  Data integrity: ensure that data is not changed from source to destination  Confidentiality: ensures that data is red only by authorized users  Non-repudiation: ensures that the sender has strong evidence that the receiver has received the message, and the receiver has strong evidence of the sender identity (not discussed here) -The sender cannot deny that it has sent the message and the receiver cannot deny that it has received the message

4 4 Outline  Cryptographic Algorithms (Confidentiality and Integrity)  Authentication

5 5 Cryptographic Algorithms  Security foundation: cryptographic algorithms -Secret key cryptography, Data Encryption Standard (DES) -Public key cryptography, RSA algorithm -Message digest, MD5

6 6 Symmetric Key  Both the sender and the receiver use the same secret keys Internet Encrypt with secret key Decrypt with secret key Plaintext Ciphertext

7 7 Data Encryption Standard (DES)  DES encrypts a 64-bit block of plain text using a 64-bit key  Three phases 1.Permute the 64 bits in the block 2.Apply a given operation 16 times on the 64 bits 3.Permute the 64 bits using the inverse of the original permutation Round 1 Round 16... key 1 st phase IP(input) 3 rd phase IP -1 (input) 2 nd phase

8 8 Initial Permutation (IP)  IP: bit 58 of input becomes 1 st bit, bit 50 becomes 2 nd bit, etc 58 50 42 34 26 18 10 2 60 52 44 36 28 20 12 4 62 54 46 38 30 22 14 6 64 56 48 40 32 24 16 8 57 49 41 33 25 17 9 1 59 51 43 35 27 19 11 3 61 53 45 37 29 21 13 5 63 55 47 39 31 23 15 7  IP -1 : inverse of IP, e.g., IP(1) = 58, IP -1 (58) = 1 40 8 48 16 56 24 64 32 39 7 47 15 55 23 63 31 38 6 46 14 54 22 62 30 37 5 45 13 53 21 61 29 36 4 44 12 52 20 60 28 35 3 43 11 51 19 59 27 34 2 42 10 50 18 58 26 33 1 41 9 49 17 57 25

9 9 2 nd Phase: Operation In Each Round  Key K is 64 bits  16 rounds  Each round i select a 48 bit key K i from the original 64 bit key K. Perform (F is a given function): + F 63 0 3231 0 KiKi L i-1 R i-1 LiLi RiRi

10 10 Encrypting Larger Messages  Initialization Vector (IV) is a random number generated by sender and sent together with the ciphertext + Block 1 Cipher 1 DES + Block 2 DES + Block 3 DES + Block 4 DES Cipher 2 Cipher 3 Cipher 4 IV

11 11 DES Properties  Provide confidentiality -No mathematical proof, but practical evidence suggests that decrypting a message without knowing the key requires exhaustive search -To increase security use triple-DES, i.e., encrypt the message three times

12 12 Public-Key Cryptography: RSA (Rivest, Shamir, and Adleman)  Sender uses a public key -Advertised to everyone  Receiver uses a private key Internet Encrypt with public key Decrypt with private key Plaintext Ciphertext

13 13 Generating Public and Private Keys  Choose two large prime numbers p and q (~ 256 bit long) and multiply them: n = p*q  Chose encryption key e such that e and (p-1)*(q-1) are relatively prime  Compute decryption key d, where d = e -1 mod ((p-1)*(q-1)) (equivalent to d*e = 1 mod ((p-1)*(q-1)))  Public key consist of pair (n, e)  Private key consists of pair (n, d)

14 14 RSA Encryption and Decryption  Encryption of message block m: -c = m e mod n  Decryption of ciphertext c: -m = c d mod n

15 15 Example (1/2)  Choose p = 7 and q = 11  n = p*q = 77  Compute encryption key e: (p-1)*(q-1) = 6*10 = 60  chose e = 13 (13 and 60 are relatively prime numbers)  Compute decryption key d such that 13*d = 1 mod 60  d = 37 (37*13 = 481)

16 16 Example (2/2)  n = 77; e = 13; d = 37  Send message block m = 7  Encryption: c = m e mod n = 7 13 mod 77 = 35  Decryption: m = c d mod n = 35 37 mod 77 = 7

17 17 Properties  Confidentiality  A receiver B computes n, e, d, and sends out (n, e) -Everyone who wants to send a message to A uses (n, e) to encrypt it  How difficult is to recover d ? (Someone that can do this can decrypt any message sent to B !)  Recall that d = e -1 mod ((p-1)*(q-1))  So to find d, you need to find primes factors p and q -This is provable very difficult

18 18 Message Digest (MD) 5  Can provide data integrity and non-repudation -Used to verify the authentication of a message  Idea: compute a hash on the message and send it along with the message  Receiver can apply the same hash function on the message and see whether the result coincides with the received hash

19 19 Message Digest Operation  Transformation contains complex operations (see textbook) 512 bits Message (padded) Initial digest (constant) Transformation... Message digest

20 20 Digital Signature  In practice someone cannot alter the message without modifying the digest -Digest operation very hard to invert  Encrypt digest with sender’s private key  K A -, K A + : private and public keys of A

21 21 Digital Signature Properties  Integrity: an attacker cannot change the message without knowing A’s private key  Confidentiality: if needed, encrypt message with B’s public key

22 22 Outline  Cryptographic Algorithms (Confidentiality and Integrity)  Authentication

23 23 Authentication  Goal: Make sure that the sender an receiver are the ones they claim to be  Solutions based on secret key cryptography (e.g., DES) -Three-way handshaking -Trusted third party (key distribution center)  One solution based on public key cryptography (e.g., RSA) -Public key authentication

24 24 Authentication  Authentication based on a shared secret key -A, B: sender and receiver identities -K A,B : shared secret key -R A,R B : random keys exchanged by A and B to verify identities Alice Bob A 1 RBRB 23 K A,B (R B ) RARA 45 K A,B (R A )

25 25 “Optimization”  Is this authentication protocol secure? Alice Bob A, R A 1 2 R B, K A,B (R A ) 3 K A,B (R B )

26 26 Reflection Attack  An attacker (Chuck) can fool Bob in believing that he is Alice! Chuck A, R C 1 2 R B, K A,B (R C ) Alice Bob A, R B 3 4 R B2, K A,B (R B ) 2 nd session 1 st session 5 K A,B (R B ) 1 st session

27 27 Authentication using KDC (Basic Protocol)  KDC – Key Distribution Center  Maintain only N keys in the system: one for each node Alice Bob A, B 1 KDC (generates K A,B ) 2 K A,KDC (K A,B )K B,KDC (K A,B ) 2

28 28 Authentication using KDC (Ticket Based)  No need for KDC to contact Bob Alice Bob A, B 1 KDC 2 K A,KDC (K A,B ), 3 K B,KDC (K A,B ) A, K B,KDC (K A,B )  Vulnerable to replay attacks if Chuck gets hold on K B,KDC old

29 29 Authentication using KDC (Needham-Schroeder Protocol)  Relate messages 1 and 2: use challenge response mechanism  R A1, R A2, R B : nonces -Nonce: random number used only once to relate two messages Alice Bob R A1,A,B 1 KDC 2 K A,KDC (R A1,B,K A,B, K B,KDC (A,K A,B )) 3 K A,B (R A2 ), K B,KDC (A, K A,B ) 4 K A,B (R A2 -1, R B ) 5 K A,B (R B -1)  Vulnerable to replay attacks if Chuck gets hold on K A,B

30 30 What if R A1 is Missing?  Assume Chuck intercepted -K A,KDC (B,K A,B, K B,KDC old (A,K A,B )) -Knows K B,KDC old Bob (K B,KDC ) A,B 1 KDC Alice 3 K A,B (R A2 ), K B,KDC old (A, K A,B ) 4 K A,B (R A2 -1, R B ) 5 K A,B (R B -1) Chuck (K B,KDC old ) 2 K A,KDC (B,K A,B, K B,KDC old (A,K A,B )) (replayed message) Here Chuck gets K A,B !

31 31 What if B is Missing from Message 2?  Assume Chuck intercepts message 1 Alice Bob (K B,KDC ) R A1,A,B 1 KDC 2 K A,KDC (R A1,K A,C, K C,KDC (A,K A,C )) 3 K A,C (R A2 ), K C,KDC (A, K A,C ) 4 K A,C (R A2 -1, R B ) 5 K A,C (R B -1) Chuck (K B,KDC old ) R A1,A,C Here Chuck gets K A,C !

32 32 What if Chuck gets K A,B old ?  Assume Chuck intercepted -K A,B (R A2 ), K B,KDC,(A,K A,B ) -Knows K A,B old Alice Bob R A1,A,B 1 KDC 2 K A,KDC (R A1,B,K A,B, K B,KDC (A,K A,B )) 3 K A,B old (R A2 ), K B,KDC (A, K A,B old ) 4 K A,B old (R A2 -1, R B ) 5 K A,B old (R B -1) (replayed message) Chuck (K A,B old )

33 33 Defend Against leaking of K A,B  Message 5 (former 3) contains an encrypted nonce (K B,KDC (R B1 )) provided by Bob  Chuck can no longer replay message 4 (former 3) Alice Bob R A1,A,B, K B,KDC (R B1 ) 3 KDC 4 K A,KDC (R A1,B,K A,B, K B,KDC (A,K A,B,R B1 )) 5 K A,B (R A2 ), K B,KDC (A, K A,B,R B1 ) 6 K A,B (R A2 -1, R B2 ) 7 K A,B (R B2 -1) A 1 2 K B,KDC (R B1 )

34 34 Authentication Using Public-Key Crypthography  K A +, K B + : public keys Alice Bob K B + (A, R A ) 1 2 K A + (R A, R B,K A,B ) 3 K A,B (R B )

35 35 Secure Replicated Servers  A client issues a request to a group of replicated servers  Servers can be subject to Byzantine failures  How does the client gets the answer?

36 36 Strawman Solution  Servers gets replies from all servers…  … and take majority voting  Problem: client needs to authenticate each server (violates replication transparency)

37 37 Solution: Secret Sharing  Secret sharing: none of users know the entire secret  Intuition: -Assume we want to tolerate c failures (some of them can by Byzantine failures) -Need to combine responses such that c+1 correct servers are sufficient to get the correct response

38 38 (k,n)-threshold Signature Scheme  One public key K +  n shares of corresponding private keys, K i -, 1 <= i <= n  Encrypted value v with each of private key shares, i.e., v i =K i - (v)  A client can decrypt value v using K + only if it knows at least k values of v i

39 39 Solution: Secret Sharing  Assume 5 replicated servers that tolerate 2 corrupted servers

Download ppt "1 CS 194: Distributed Systems Security Scott Shenker and Ion Stoica Computer Science Division Department of Electrical Engineering and Computer Sciences."

Similar presentations

Last Class: The Problem BobAlice Eve Private Message Eavesdropping.

Last Class: The Problem BobAlice Eve Private Message Eavesdropping.
CIS 725 Key Exchange Protocols. Alice ( PB Bob (M, PR Alice (hash(M))) PB Alice Confidentiality, Integrity and Authenication PR Bob M, hash(M) M, PR Alice.

CIS 725 Key Exchange Protocols. Alice ( PB Bob (M, PR Alice (hash(M))) PB Alice Confidentiality, Integrity and Authenication PR Bob M, hash(M) M, PR Alice.
Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York.

Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York.
1 Network Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

1 Network Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
Distributed Systems CS 15-440 Security – Part I Lecture 21, Nov 28, 2011 Majd F. Sakr, Vinay Kolar, Mohammad Hammoud.

Distributed Systems CS Security – Part I Lecture 21, Nov 28, 2011 Majd F. Sakr, Vinay Kolar, Mohammad Hammoud.
EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 6 Wenbing Zhao Department of Electrical and Computer Engineering.

EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 6 Wenbing Zhao Department of Electrical and Computer Engineering.
20-751 ECOMMERCE TECHNOLOGY SUMMER 2002 COPYRIGHT © 2002 MICHAEL I. SHAMOS Cryptographic Security.

ECOMMERCE TECHNOLOGY SUMMER 2002 COPYRIGHT © 2002 MICHAEL I. SHAMOS Cryptographic Security.
Cryptography Basic (cont)

Cryptography Basic (cont)
Spring 2002CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

Spring 2002CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
20-751 ECOMMERCE TECHNOLOGY FALL 2003 COPYRIGHT © 2003 MICHAEL I. SHAMOS Cryptography.

ECOMMERCE TECHNOLOGY FALL 2003 COPYRIGHT © 2003 MICHAEL I. SHAMOS Cryptography.
8.1 Learning Objectives To become familiar with the range of security threats faced by networked and distributed systems (DSs); To examine various cryptographic.

8.1 Learning Objectives To become familiar with the range of security threats faced by networked and distributed systems (DSs); To examine various cryptographic.
8-1 What is network security? Confidentiality: only sender, intended receiver should “understand” message contents m sender encrypts message m receiver.

8-1 What is network security? Confidentiality: only sender, intended receiver should “understand” message contents m sender encrypts message m receiver.
Symmetric Key Distribution Protocol with Hybrid Crypto Systems Tony Nguyen.

Symmetric Key Distribution Protocol with Hybrid Crypto Systems Tony Nguyen.
Cryptography (continued). Enabling Alice and Bob to Communicate Securely m m m Alice Eve Bob m.

Cryptography (continued). Enabling Alice and Bob to Communicate Securely m m m Alice Eve Bob m.
EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 7 Wenbing Zhao Department of Electrical and Computer Engineering.

EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 7 Wenbing Zhao Department of Electrical and Computer Engineering.
Network Security understand principles of network security:

Network Security understand principles of network security:
EEC 688/788 Secure and Dependable Computing Lecture 7 Wenbing Zhao Department of Electrical and Computer Engineering Cleveland State University

EEC 688/788 Secure and Dependable Computing Lecture 7 Wenbing Zhao Department of Electrical and Computer Engineering Cleveland State University
Spring 2003CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

Spring 2003CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
Cryptography April 20, 2010 MIS 4600 – MBA 5880 - © Abdou Illia.

Cryptography April 20, 2010 MIS 4600 – MBA © Abdou Illia.

Similar presentations

Ads by Google