Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 CS 194: Distributed Systems Security Scott Shenker and Ion Stoica Computer Science Division Department of Electrical Engineering and Computer Sciences.

Published byArlene Garrison Modified over 9 years ago

Similar presentations

Presentation on theme: "1 CS 194: Distributed Systems Security Scott Shenker and Ion Stoica Computer Science Division Department of Electrical Engineering and Computer Sciences."— Presentation transcript:

1 1 CS 194: Distributed Systems Security Scott Shenker and Ion Stoica Computer Science Division Department of Electrical Engineering and Computer Sciences University of California, Berkeley Berkeley, CA 94720-1776

2 2 Outline  Key Management  Group management  Authorization management  Example: Kerberos

3 3 Security Management  Problem: how do you get keys in the first place?  Key distribution: securely associate an entity with a key -Example: Public Key Infrastructure (PKI)  Key establishment: establish session keys -Use public key cryptography (we already know ho to do it) -Diffie-Hellman key exchange

4 4 Public Key Infrastructure (PKI)  System managing public key distribution on a wide-scale  Trust distribution mechanism  Allow arbitrary level of trust

5 5 Components of a PKI

6 6 Digital Certificate  Signed data structure that binds an entity (E) with its corresponding public key (K E + ) -Signed by a recognized and trusted authority, i.e., Certification Authority (CA) -Provide assurance that a particular public key belongs to a specific entity  How? -CA generates K CA - (E, K E + ) -Everyone can verify signature using K CA +

7 7 Certification Authority (CA)  People, processes responsible for creation, delivery and management of digital certificates  Organized in an hierarchy (use delegation – see next) CA-1CA-2 Root CA

8 8 Registration Authority  People, processes and/or tools that are responsible for -Authenticating the identity of new entities (users or computing devices) -Requiring certificates from CA’s.

9 9 Certificate Repository  A database which is accessible to all users of a PKI, contains: -Digital certificates, -Certificate revocation information -Policy information

10 10 Example  Alice generates her own key pair. public key Alice private key Alice  Bob generates his own key pair.  Both sent their public key to a CA and receive a digital certificate public key Bob private key Bob

11 11 Example  Alice gets Bob’s public key from the CA private key Alice public key Bob private key Bob public key Alice  Bob gets Alice’s public key from the CA

12 12 Certificate Revocation  Process of publicly announcing that a certificate has been revoked and should no longer be used.  Approaches: -Use certificates that automatically time out -Use certificate revocation list

13 13 Key Establishment: Diffie-Hellman Key Exchange  Agree on two numbers n, g; both number can be made public!  Alice and Bob pick two secret numbers x and y  Similar to public-key cryptography -Example: For Alice, K A - =x, K A + = g x mod n

14 14 Outline  Key Management  Group management  Authorization management  Example: Kerberos

15 15 Secure Group Management  Motivation: offer high availability for security services  How: replicate services  Problem: how to add a new replica to a group without compromising the integrity of the group?

16 16 Securely admitting a new group member join request New process Process in group G  C KG : secret key used for communication within group  K G +,K G - : public-private key pair to communicate with non-group members  K P,G : secret key  RP: reply pad  T: local time  Notation: [X] Y : X was signed by Y group admittance

17 17 Outline  Key Management  Group management  Authorization management  Example: Kerberos

18 18 Outline  Key Management  Group management  Authorization management  Example: Kerberos

19 19 Authorization Management  Granting authorization rights  Related with access control which verifies access rights (see book)

20 20 Capabilities (1)  Capability: -Unforgeable data structure for a specific resource R -Specify access right the holder has with respect to R  Capability in Amoeba: 48 bits24 bits8 bits48 bits Server portObjectRightsCheck

21 21 Capabilities (2)  Generation of a restricted capability from an owner capability Owner

22 22 Delegation  A wants to delegate an operation on a resource to B  Problem: how does A delegates its access rights to B?  Solutions: A signs (A, B, R)  If B wants to delegate operation to C, C needs to contact A -Avoid this problem using a proxy (Neuman scheme) -Proxy: a token allowing its owner to operate with the same or rstricted rights as the entity granting the token

23 23 Delegation: Neuman Scheme  The general structure of a proxy as used for delegation:

24 24 Delegation: Neuman Scheme  Using a proxy to delegate and prove ownership of access rights  In practice S + proxy, S - proxy can be a public-private key pair and N can be a nonce

25 25 Kerberos  Based on Needham-Schroeder authentication scheme  Developed at MIT

26 26 Example: Kerberos  Authentication in Kerberos -AS: Authentication server -TGS: Ticket Granting Service -T: timestamp used to avoid replay attacks of message 6

27 27 Example: Kerberos  Setting up a secure channel in Kerberos:

Download ppt "1 CS 194: Distributed Systems Security Scott Shenker and Ion Stoica Computer Science Division Department of Electrical Engineering and Computer Sciences."

Similar presentations

Chapter 14 – Authentication Applications

Chapter 14 – Authentication Applications
NETWORK SECURITY.

NETWORK SECURITY.
Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.

Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.
Key Management. Shared Key Exchange Problem How do Alice and Bob exchange a shared secret? Offline – Doesnt scale Using public key cryptography (possible)

Key Management. Shared Key Exchange Problem How do Alice and Bob exchange a shared secret? Offline – Doesnt scale Using public key cryptography (possible)
Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.

Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.
Last Class: The Problem BobAlice Eve Private Message Eavesdropping.

Last Class: The Problem BobAlice Eve Private Message Eavesdropping.
CIS 725 Key Exchange Protocols. Alice ( PB Bob (M, PR Alice (hash(M))) PB Alice Confidentiality, Integrity and Authenication PR Bob M, hash(M) M, PR Alice.

CIS 725 Key Exchange Protocols. Alice ( PB Bob (M, PR Alice (hash(M))) PB Alice Confidentiality, Integrity and Authenication PR Bob M, hash(M) M, PR Alice.
Public Key Infrastructure (PKI)

Public Key Infrastructure (PKI)
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.

CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.

Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.
Chapter 4 Authentication Applications. Objectives: authentication functions developed to support application-level authentication & digital signatures.

Chapter 4 Authentication Applications. Objectives: authentication functions developed to support application-level authentication & digital signatures.
Chapter 5 Network Security Protocols in Practice Part I

Chapter 5 Network Security Protocols in Practice Part I
Authentication Cristian Solano. Cryptography is the science of using mathematics to encrypt and decrypt data. Public Key Cryptography –Problems with key.

Authentication Cristian Solano. Cryptography is the science of using mathematics to encrypt and decrypt data. Public Key Cryptography –Problems with key.
Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.

Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.
WAP Public Key Infrastructure CSCI 5939.02 – Independent Study Fall 2002 Jaleel Syed Presentation No 5.

WAP Public Key Infrastructure CSCI – Independent Study Fall 2002 Jaleel Syed Presentation No 5.
Computer Security Key Management

Computer Security Key Management
16.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.

16.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.
CSCI283 Fall 2005 GWU All slides from Bishop’s slide set Public Key Infrastructure (PKI)

CSCI283 Fall 2005 GWU All slides from Bishop’s slide set Public Key Infrastructure (PKI)
 Authorization via symmetric crypto  Key exchange o Using asymmetric crypto o Using symmetric crypto with KDC  KDC shares a key with every participant.

 Authorization via symmetric crypto  Key exchange o Using asymmetric crypto o Using symmetric crypto with KDC  KDC shares a key with every participant.

Similar presentations

Ads by Google