Presentation is loading. Please wait.

Presentation is loading. Please wait.

Lecture 25-1 Computer Science 425 Distributed Systems CS 425 / CSE 424 / ECE 428 Fall 2010 Indranil Gupta (Indy) November 27, 2012 Lecture 25 Security.

Published byJacob Ferguson Modified over 9 years ago

Similar presentations

Presentation on theme: "Lecture 25-1 Computer Science 425 Distributed Systems CS 425 / CSE 424 / ECE 428 Fall 2010 Indranil Gupta (Indy) November 27, 2012 Lecture 25 Security."— Presentation transcript:

1 Lecture 25-1 Computer Science 425 Distributed Systems CS 425 / CSE 424 / ECE 428 Fall 2010 Indranil Gupta (Indy) November 27, 2012 Lecture 25 Security Reading: Chapter 11 (relevant parts)  2012, I. Gupta, K. Nahrtstedt, S. Mitra, N. Vaidya, M. T. Harandi, J. Hou

2 Lecture 25-2 ISIS algorithm for total ordering 2 1 1 2 2 1 Message 2 Proposed Seq P 2 P 3 P 1 P 4 3 Agreed Seq 3 3

3 Lecture 25-3 Napster S S S P P PP P P Peers napster.com Servers Store their own files Store peer pointers for all files 3. Response 1. Query 2. All servers search their lists (ternary tree algo.) 4. ping candidates 5. download from best host

4 Lecture 25-4 Chord: client to client N80 0 Say m=7 N32 N45 File bad.mp3 with key K42 stored here At node n, send query for key k to largest successor/finger entry < k if none exist, return successor(n) to requestor All “arrows” are RPCs N112 N96 N16 Who has bad.mp3? (hashes to K42)

5 Lecture 25-5 Distributed banking transaction.. BranchZ BranchX participant C D Client BranchY B A participant join T a.withdraw(4); c.deposit(4); b.withdraw(3); d.deposit(3); openTransaction b.withdraw(T, 3); closeTransaction T =openTransaction a.withdraw(4); c.deposit(4); b.withdraw(3); d.deposit(3); closeTransaction Note: the coordinator is in one of the servers, e.g. BranchX

6 Lecture 25-6 Security Threats  Leakage: An unauthorized party gains access to a service or data.  Attacker obtains knowledge of a withdrawal or account balance, e.g., via eavesdropping  Tampering: Unauthorized change of data, tampering with a service  Attacker changes the variable holding your personal checking $$ total  Vandalism: Interference with proper operation, without gain to the attacker  Attacker does not allow any transactions to your account  E.g., DOS=denial of service

7 Lecture 25-7 How Attacks are Carried Out Attacks on Communication Channel / Network  Eavesdropping – Obtaining copies of messages without authority.  Masquerading – Sending or receiving messages with the identity of another principal (user or corporation). Identity theft.  Message tampering – Intercepting messages and altering their contents before passing them onto the intended recipient.  Replaying – Intercepting messages and sending them at a later time.  Denial of Service Attack – flooding a channel or other resources (e.g., port) with messages.

8 Lecture 25-8 Addressing the Challenges: Security’s CIA  Leakage: An unauthorized party gains access to a service or data. –Confidentiality : protection against disclosure to unauthorized individuals.  Tampering: Unauthorized change of data, tampering with a service –Integrity : protection against alteration or corruption.  Vandalism: Interference with proper operation, without gain to the attacker –Availability : protection against interference with the means to access the resources.

9 Lecture 25-9 Security Policies & Mechanisms  A Security Policy indicates which actions each entity (user, data, service) is allowed or prohibited to take.  E.g., Only an owner is allowed to make transactions to his account. CIA properties.  A Security Mechanism implements and enforces the policy  Encryption and decryption: transform data to a form only understandable by authorized users, and vice-versa.  Authentication: verify the claimed identity of a principal, i.e., user, client, service, process, etc.  Authorization: verify access rights of principal for resource.  Auditing: make record of and check access to data and resources. Mainly an offline analysis tool, often ex-post.

10 Lecture 25-10 Designing Secure Systems Need to make worst-case assumptions about attackers: –exposed interfaces, insecure networks, algorithms and program code available to attackers, attackers may be computationally very powerful –Typically design system to withstand a known set of attacks (Attack Model or Attacker Model) –Tradeoff between security and performance impact Designing Secure Systems –Traditionally done as a layer on top of existing protocols. Three phases: –Design security protocol –Analyze Protocol Behavior when under attacks –Effect on overall performance if there were no attacks

11 Lecture 25-11 Familiar Names for Principals in Security Protocols AliceFirst participant BobSecond participant CarolParticipant in three- and four-party protocols DaveParticipant in four-party protocols EveEavesdropper MalloryMalicious attacker SaraA server

12 Lecture 25-12 Cryptography Notations KAKA Alice’s secret key KBKB Bob’s secret key K AB Secret key shared between Alice and Bob K Apriv Alice’s private key (known only to Alice) K Apub Alice’s public key (published by Alice for all to read) {M} K (Typical) Message M encrypted with key [M]K]K MessageM signed with key K (Typical)

13 Lecture 25-13 Encryption Plain Text (M) Encryption K Bpub, E Cryptography  Encoding (encryption) of a message that can only be read (decryption) by a key.  In shared key cryptography (symmetric cryptography) the sender and the recipient know the key, but no one else does.  E.g., DES (Data Encryption Standard) – 56 b key operates on 64 b blocks of data. Notation: K AB (M).  How do Alice and Bob get the shared key K AB to begin with?  In public/private key pairs messages are encrypted with a published public key, and can only be decrypted by a secret private decryption key.  E.g., RSA / PGP keys – at least 512 b long Plain Text (M) Decryption K Bpriv, D Decryption Alice Bob E(K,M)={M} K D(K, {M} K )=M {M} K Code for E & D is “open-source” (hence known to attacker)

14 Lecture 25-14 Cryptography  Shared versus public/private:  Shared reveals information to too many principles; may need key distribution and repudiation mechanisms  In electronic commerce or wide area applications, public/private key pairs are preferred to shared keys.  Public/private key encrypt/decrypt ops are costly  May use hybrid: pub/pri generates a shared key.  Presentation of many next few protocols independent of which keying scheme, viz., shared or pub/priv

15 Lecture 25-15 Authentication  Use of cryptography to have two principals verify each others’ identities.  Direct authentication: the server uses a shared secret key to authenticate the client.  Indirect authentication: a trusted authentication server (third party) authenticates the client.  The authentication server knows keys of principals and generates temporary shared key (ticket) to an authenticated client. The ticket is used for messages in this session.  E.g., Verisign servers

16 Lecture 25-16 Direct Authentication Authentication based on a shared secret key. Bob calculates K A,B (R B ) and matches with reply. Alice is the only one who could have replied correctly. “Nonce”=random num,

17 Lecture 25-17 “Optimized” Direct Authentication Authentication based on a shared secret key, but using three instead of five messages.

18 Lecture 25-18 Replay/Reflection Attack (with shared keys) Steps 1, 2, 5 -> Chuck is authenticated as Alice

19 Lecture 25-19 Indirect Authentication Using a Key Distribution Center Using a ticket and letting Alice set up a connection to Bob. Alice and Bob are the only ones who can decrypt parts of this message Ticket

20 Lecture 25-20 Digital Signatures  Signatures need to be authentic, unforgeable, and non- repudiable. K A- K B+ A’s Priv. Key, K A- B’s Pub Key, K B+ m m,{m} K A- B’s Priv. Key, K B- A’s Pub Key, K A+ m m,{m} K A- A B K A- Digest Function A’s Priv. Key, K A- m m,D(m) Compare A’s Pub Key, K A+ m A B Digest Function m,D(m) D(m) Digital Signature Using Public-Private Keys D()=Digital Signature Using One-way hash, e.g., SHA-1 or MD-5 Hashes are fast and have compact output

21 Lecture 25-21 Digital Certificates  A digital certificate is a statement signed by a third party principal, and can be reused  e.g., Verisign Certification Authority (CA)  To be useful, certificates must have:  A standard format, for construction and interpretation  A protocol for constructing chains of certificates  A trusted authority at the root of the chain Alice Bob Service (S) Request with digital signature 1 {Certificate} 2 K S- K S+ Transaction + {Certificate} K S- 3 Certificate=She is Alice

22 Lecture 25-22 Alice’s Bank Account Certificate 1.Certificate type:Account number 2.Name:Alice 3.Account:6262626 4.Certifying authority:Bob’s Bank 5.Signature: {Digest(field 2 + field 3)} K Bpriv

23 Lecture 25-23 Public-Key Certificate for Bob’s Bank 1.Certificate type:Public key 2.Name:Bob’s Bank 3.Public key:K Bpub 4.Certifying authority:Fred – The Bankers Federation 5.Signature: {Digest(field 2 + field 3)} K Fpriv (In turn, Fred has a certificate from Verisign, i.e., the root).

24 Lecture 25-24  Control of access to resources of a server.  A basic form of access control checks requests for:  Authenticates the principal.  Authorization check for desired op, resource.  Access control matrix M (e.g., maintained at server)  Each principal is represented by a row, and each resource object is represented by a column.  M[s,o] lists precisely what operations principal s can request to be carried out on resource o.  Check this before carrying out a requested operation.  M may be sparse.  Access control list (ACL)  Each object maintains a list of access rights of principals, i.e., an ACL is some column in M with the empty entries left out.  Capability List = row in access control matrix, i.e., per- principal list. May be a signed certificate (verifiable by anyone). Authorization: Access Control

25 Lecture 25-25 Focus of Access Control Three approaches for protection against security threats a)Protection against invalid operations b)Protection against unauthorized invocations c)Protection against unauthorized users

26 Lecture 25-26 ACL and Capability Usage Comparison between ACLs and capabilities for protecting objects. a)Using an ACL b)Using capabilities.

27 Lecture 25-27  XSS = Cross-site Scripting (84% vulnerabilities, according to Symantec in 2007)  Most common reported vulnerability to websites  Same origin policy: used by sites to enable code within same website to access each other without restrictions, but not across different websites. Browsers often use HTTP cookies for this.  XSS exploits/bypasses origin policy  Two flavors: (while you’re using your favorite bank mybank.com)  (More frequent) Non-persistent: You click on a link that takes you to mybank.com (the real one), but the link contains malicious code. This code executes in your browser with same credentials as mybank.com, e.g., code could send your cookie to attacker who then exploits info from inside it.  Persistent: Attacker uses info from inside your cookie to pretend to be you. E.g., someone adds a script to their myspace profile, and when you visit it, the script executes with your authentication.  Prevention  Better cookie handling, e.g., tie cookie to an IP address, or make cookie unavailable to client-side scripts  Disable scripts Common Web Attacks: XSS

28 Lecture 25-28  Exploits user’s trust in user’s deputy (often the browser)  Clickjacking: “layer” a malicious site over/under another legitimate site. When user clicks on legitimate site, they’re actually clicking on malicious site.  Prevention: Firefox NoScript feature  CSRF (Cross-Site Request Forgery): Different from XSS in many ways: carried out from user’s IP address.  While browsing mybank.com, you open another tab to browse a Google group  Someone there has posted a link Like this page!  You like that page by clicking. Boom!  Prevention  Better cookie handling, e.g., timeout  Authentication for each operation Confused Web Attacks: Deputy Attacks

29 Lecture 25-29 Announcements Next two lectures: Byzantine Fault tolerance and Distributed graph processing –Imranul Hoque –Abhishek Verma HW4 due next Tue (Dec 4). MP4 – you should have an original design and have started coding Midterms (including regrades) + graded HW3’s –Please collect them now

30 Lecture 25-30 Optional Slides (Not Covered)

31 Lecture 25-31  SSL was developed by Netscape for electronic transaction security.  A protocol layer is added below the application layer for:  Negotiating encryption and authentication methods.  Bootstrapping secure communication  It consists of two layers:  The Record Protocol Layer implements a secure channel by encrypting and authenticating messages  The Handshake Layer establishes and maintains a secure session between two nodes. Secure Socket Layer Protocol

32 Lecture 25-32 SSL Protocol Stack SSL Handshake protocol SSL Change Cipher Spec SSL Alert Protocol Transport layer (usually TCP) Network layer (usually IP) SSL Record Protocol HTTPTelnet SSL protocols:Other protocols:

33 Lecture 25-33 SSL Record Protocol The record protocol takes an application message to be transmitted, –fragments the data into manageable blocks, –optionally compresses the data, –computes a message authentication code (MAC), –encrypts and –adds a header. Application data abcdefghi abcdefghi Record protocol units Compressed units MAC Encrypted TCP packet Fragment/combine Compress Hash Encrypt Transmit

34 Lecture 25-34 SSL Handshake Protocol Cipher suite: a list of cryptographic algorithm supported by the client The client sends a change Cipher Spec message and copies the pending CipherSpec into the current CipherSpec. Phase 1: Establish security capabilities Phase 2: Sever authentication and key exchange Phase 3: Client authentication and key exchange Phase 4: Finish

35 Lecture 25-35 Needham-Schroeder Authentication KBKB KAKB…KAKB… System A System B Authentication System 1 KBKB 3 K AB 4 5 K AB KAKA 6 K AB 2 KAKA KBKB Ticket A asks for a key to communicate with B A demonstrates that it is the sender of the previous message “Nonce”=random num,

36 Lecture 25-36 Why Do We Need Nonce N A in Message 1? KBKB KAKB…KAKB… System A System C Authentication System 1 KAKA 2 KBKB KAKA KBKB KAKA Because we need to relate message 2 to message 1 Chuck has stolen K B and intercepted message 2. It can masquerade as the authentication system. 1’1’ KBKB KAKA 2’2’

37 Lecture 25-37 Needham–Schroeder Secret-key Authentication Protocol HeaderMessageNotes 1. A->S: A, B, N A A requests S to supply a key for communication with B. 2. S->A:{N A, B, K AB, {K AB, A} K B } K A S returns a message encrypted in A’s secret key, containing a newly generated key K AB and a ‘ticket’ encrypted in B’s secret key. The nonce N A demonstrates that the message was sent in response to the preceding one. A believes that S sent the message because only S knows A’s secret key. 3. A->B: A sends the ‘ticket’ to B. 4. B->A: B decrypts the ticket and uses the new key K AB to encrypt another nonce N B. 5. A->B: A demonstrates to B that it was the sender of the previous message by returning an agreed transformation of N B. {K AB, A} K B {N B } K AB {N B - 1} K AB Variant used for authentication in Windows 2K (slightly modified – nonce added to msg 3)

38 Lecture 25-38 Kerberos Authentication Read section 7.6.2 from text

39 Lecture 25-39  Notion of protection domain for a collection of processes:  A protection domain is a set of (object, access rights) pairs kept by a server.  A protection domain is created for each principal when it starts  Unix: each (uid,gid) pair spans a protection domain, e.g., user parts of two processes with same (uid, gid) pair have identical access rights.  Whenever a principal requests an operation to be carried out on an object, the access control monitor checks if the principal belongs to the object’s domain, and then if the request is allowed for that object.  Each principal can carry a certificate listing the groups it belongs to.  The certificate should be protected by a digital signature. Access Control

Download ppt "Lecture 25-1 Computer Science 425 Distributed Systems CS 425 / CSE 424 / ECE 428 Fall 2010 Indranil Gupta (Indy) November 27, 2012 Lecture 25 Security."

Similar presentations

Last Class: The Problem BobAlice Eve Private Message Eavesdropping.

Last Class: The Problem BobAlice Eve Private Message Eavesdropping.
Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York.

Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York.
1 Lecture 17: SSL/TLS history, architecture basic handshake session initiation/resumption key computation negotiating cipher suites application: SET.

1 Lecture 17: SSL/TLS history, architecture basic handshake session initiation/resumption key computation negotiating cipher suites application: SET.
TLS. 14.1 Introduction 14.2 TLS Record Protocol 14.3 TLS Handshake Protocol 14.4 Summary.

TLS Introduction 14.2 TLS Record Protocol 14.3 TLS Handshake Protocol 14.4 Summary.
Cryptography and Network Security

Cryptography and Network Security
SSL CS772 Fall 2011. Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.

SSL CS772 Fall Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.
7-1 Chapter 7 – Web Security Use your mentality Wake up to reality —From the song, I've Got You under My Skin“ by Cole Porter.

7-1 Chapter 7 – Web Security Use your mentality Wake up to reality —From the song, "I've Got You under My Skin“ by Cole Porter.
An Introduction to Secure Sockets Layer (SSL). Overview Types of encryption SSL History Design Goals Protocol Problems Competing Technologies.

An Introduction to Secure Sockets Layer (SSL). Overview Types of encryption SSL History Design Goals Protocol Problems Competing Technologies.
CSE 486/586, Spring 2014 CSE 486/586 Distributed Systems Security --- 2 Steve Ko Computer Sciences and Engineering University at Buffalo.

CSE 486/586, Spring 2014 CSE 486/586 Distributed Systems Security Steve Ko Computer Sciences and Engineering University at Buffalo.
CS 425 / ECE 428 Distributed Systems Fall 2014 Indranil Gupta (Indy) Lecture 24B: Security All slides © IG.

CS 425 / ECE 428 Distributed Systems Fall 2014 Indranil Gupta (Indy) Lecture 24B: Security All slides © IG.
Mar 12, 2002Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities SSL/TLS.

Mar 12, 2002Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities SSL/TLS.
Lecture III : Communication Security, Services & Mechanisms Internet Security: Principles & Practices John K. Zao, PhD SMIEEE National Chiao-Tung University.

Lecture III : Communication Security, Services & Mechanisms Internet Security: Principles & Practices John K. Zao, PhD SMIEEE National Chiao-Tung University.
Cryptography and Network Security Chapter 17

Cryptography and Network Security Chapter 17
Key Management public-key encryption helps address key distribution problems have two aspects of this: –distribution of public keys –use of public-key.

Key Management public-key encryption helps address key distribution problems have two aspects of this: –distribution of public keys –use of public-key.
CS425/CSE424/ECE428 – Distributed Systems 2011-10-27Nikita Borisov - UIUC1 Some material derived from slides by I. Gupta, M. Harandi, J. Hou, S. Mitra,

CS425/CSE424/ECE428 – Distributed Systems Nikita Borisov - UIUC1 Some material derived from slides by I. Gupta, M. Harandi, J. Hou, S. Mitra,
EECC694 - Shaaban #1 lec #16 Spring2000 5-4-2000 Properties of Secure Network Communication Secrecy: Only the sender and intended receiver should be able.

EECC694 - Shaaban #1 lec #16 Spring Properties of Secure Network Communication Secrecy: Only the sender and intended receiver should be able.
CS542: Topics in Distributed Systems Security. Why are Distributed Systems insecure?  Distributed component rely on messages sent and received from network.

CS542: Topics in Distributed Systems Security. Why are Distributed Systems insecure?  Distributed component rely on messages sent and received from network.
Network Security – Part 2 V.T. Raja, Ph.D., Oregon State University.

Network Security – Part 2 V.T. Raja, Ph.D., Oregon State University.
Chapter 8 Web Security.

Chapter 8 Web Security.
1 CS 194: Distributed Systems Security Scott Shenker and Ion Stoica Computer Science Division Department of Electrical Engineering and Computer Sciences.

1 CS 194: Distributed Systems Security Scott Shenker and Ion Stoica Computer Science Division Department of Electrical Engineering and Computer Sciences.

Similar presentations

Ads by Google