Presentation is loading. Please wait.

Presentation is loading. Please wait.

Slide 1 0x1A Great Papers in Computer Security Vitaly Shmatikov CS 380S

Published byDarcy Walton Modified over 9 years ago

Similar presentations

Presentation on theme: "Slide 1 0x1A Great Papers in Computer Security Vitaly Shmatikov CS 380S"— Presentation transcript:

1 slide 1 0x1A Great Papers in Computer Security Vitaly Shmatikov CS 380S http://www.cs.utexas.edu/~shmat/courses/cs380s/

2 slide 2 B. Lampson, M. Abadi, M. Burrows, E. Wobber Authentication in Distributed Systems: Theory and Practice (ACM Trans. Computer Systems 1992)

3 slide 3 network Confidentiality (Secrecy) uConfidentiality is concealment of information Eavesdropping, packet sniffing, illegal copying Q: Who is the receiver of the message? (who might be able to read it)

4 slide 4 Symmetric Encryption ? ----- Given: both parties already know the same secret How is this achieved in practice? Goal: send a message confidentially

5 slide 5 Public-Key Encryption ? Given: Everybody knows Bob’s public key Only Bob knows the corresponding private key private key Goal: Send a message to Bob confidentially public key AliceBob How is this achieved in practice?

6 slide 6 network Authentication uAuthentication is identification and assurance of origin of information Unauthorized assumption of another’s identity Q: Who is the sender of the message? (who might have been able to create it)

7 slide 7 network Integrity uIntegrity is prevention of unauthorized changes Intercept messages, tamper, release again Q: Who is the sender of the message? (who might have been able to modify it)

8 slide 8 MAC: Message Authentication Code Integrity and authentication: only someone who knows KEY can compute MAC for a given message Alice Bob KEY message MAC (usually based on a cryptographic hash, aka “digest”) message, MAC(KEY,message) = ? Recomputes MAC and verifies whether it is equal to the MAC attached to the message

9 slide 9 Digital Signature ? Given: Everybody knows Bob’s public key Only Bob knows the corresponding private key private key Goal: Bob sends a “digitally signed” message To create a valid signature, must know the private key To verify a signature, enough to know the public key public key AliceBob

10 slide 10 Distribution of Public Keys uPublic announcement or public directory Risks: forgery, tampering uPublic-key certificate Signed statement binding a public key to an identity –sig Alice (“Bob”, PK B ) uCommon approach: certificate authority (CA) An agency responsible for certifying public keys Browsers are pre-configured with 100s of trusted CAs –135 trusted CA certificates in Firefox 3 –A public key for any website in the world will be accepted by the browser if certified by one of these CAs

11 slide 11 Hierarchical Approach uSingle CA certifying every public key is impractical uInstead, use trusted root authorities Everybody has root CAs’ public keys uA root authority signs certificates for lower-level authorities, lower-level authorities sign certificates for individual networks, and so on Instead of a single certificate, use a certificate chain –sig VeriSign (“UT Austin”, PK UT ), sig UT (“Vitaly S.”, PK V ) What happens if a root authority is ever compromised?

12 slide 12 Trusted Certificate Authorities

13 The Access Control Model uGuards control access to valued resources. Reference monitor Object Do operation Resource Principal GuardRequestSource slide 13 Goal: Decide whether to grant a request to access an object

14 Access Control in OS uAssume secure channel from user uAuthenticate user by local password uMap user to her user ID + group IDs Local database for group memberships uAccess control by ACL on each resource OS kernel is usually the reference monitor Any RPC target can read IDs of its caller uACLs are lists of IDs A program has IDs of its logged-in user slide 14

15 Distributed Systems Are Harder uAutonomy Path to a resource may involve untrusted machines uSize uHeterogeneity Different kinds of channels: encryption, physically secure wires, inter-process channels within OS uFault tolerance Components may be broken or inaccessible slide 15

16 uHardware and local operating system on each node uChannels based on encryption slide 16 Trusted Computing Base (TCB)

17 Authentication and Authorization uGiven a statement s, authentication answers the question “who said s?” uGiven an object o, authorization answers the question “who is trusted to access o?” “who” refers to a principal slide 17

18 Principals and Subjects uPrincipal and subject are both used to denote the active entity in an access operation uMany different and confusing meanings Principals are subjects in the TCSEC sense, but not all subjects are principals. [Gasser, 1989] Principals are public keys. [SDSI, 1996] The term principal represents a name associated with a subject. Since subjects may have multiple names, a subject essentially consists of a collection of principals. [Gong, 1999] slide 18

19 Principal = Abstraction of “Who” uAuthentication: Who sent a message? uAuthorization: Who is trusted? uPrincipal — abstraction of "who" PeopleLampson, Gray MachinesSN12672948, Jumbo Servicesmicrosoft.com, Exchange GroupsUTCS, MS-Employees slide 19

20 Principals and Channels uPrincipal says statements Lampson says “read /MSR/Lampson/foo” Microsoft-CA says “Lampson's key is #7438” uSecure channel says messages (RPCs) Has known possible receivers Has known possible senders Secrecy Integrity slide 20

21 Implementing Secure Channels uWithin a node Responsibility of OS (pipes, interprocess sockets, etc.) uBetween nodes Secure wire - difficult to implement Network - fantasy for most networks Encryption - practical slide 21

22 Delegation uPrincipal A speaks for B: A  B Meaning: if A says something, B says it, too –Lampson  MSR –Server-1  MSR-NFS –Key #7438  Lampson uHandoff rule: if A says B  A, then B  A slide 22

23 Authorization with ACLs uAccess control lists (ACLs) An object O has an ACL that says: principal P may access O with certain rights –Lampson may read and write O –MSR may append to O uACLs typically use names for principals So that humans can read them slide 23

24 Names and Name Spaces uA name is local to some name space Examples of path names: –K microsoft / Lampson / friends –K lampson / friends uA name space is defined by a key uThe key can bind names in its name space via public certificates K microsoft says K bwl  K microsoft / Lampson slide 24

25 Secure Channels uThe channel is defined by the public key If only A knows the private key corresponding to a public key K, then K  A –Intuition: key K speaks for A because any signed message that passes verification with K must have come from A u“K says s” is a message s which is signed by the private key corresponding to public key K uMore complex for symmetric keys slide 25

26 Authenticating a Channel uIntuition: secure channel “speaks for” its sender C  P where C is the channel, P is the sender uTrusted principal K ca that “owns” sender P can authenticate channels from P by providing an appropriate certificate K ca says K ws  K ca / WS K ca says K bwl  K ca / Lampson slide 26

27 Checking Access uGiven a requestQ says read O an ACL P  read/write O uCheck that Q speaks for P Q  P rights are enough read/write  read Q  P  read/write O, thus Q  read/write O slide 27

28 Groups and Group Credentials uA group is a principal; its members speak for it Lampson  MSR Rashid  MSR uCertificates prove group membership K MSR says Lampson  K MSR / MSR slide 28

29 Auditing uFormal proof for every access control decision Can be written into the audit trail uPremises are statements about channels or base assumptions made by the reference monitor uEach proof step is justified by a signed statement (certificate) or a rule slide 29

30 Reasoning About Certificates uCertificates are a general tool, but can be hard to reason about u(Relatively) simple: SSL certificate Trusted third party (CA) attests to binding between a public key and principal’s name uHow can we reason formally about whether collection of certificates truly authenticates some principal to perform some operation on some object? slide 30

31 Strawman Authentication Model uScenario: user on a client workstation needs to authenticate to file server User is a principal User is authorized on file server to perform certain operations on certain file objects uStrawman model Install user’s public key on file server User holds private key on client workstation while logged in User signs each RPC sent to file server using his private key slide 31

32 Drawbacks of Strawman Model uPublic-key cryptography is slow uModel is too rigid for distributed systems Suppose user logs into second machine, now second machine needs to sign file server RPCs, too If it sends messages to first machine for signing, how does first machine know they are authentic? Rely on user – how does user know? What if user goes home, leaves computation running for hours? slide 32

33 Authentication in TAOS uEach machine has identity: public/private key pair uUser lampson logs into machine X, signs certificate “lampson says X speaks for lampson” True because X is executing lampson’s programs uX now can: Open a secure channel to file server, thus file server knows it’s talking to X (why?) Present “lampson says X speaks for lampson” to file server, thus server knows X can speak for user (why?) Send RPCs generated by lampson’s programs to server … all without machine X holding lampson’s private key! slide 33

34 Authorizing Second Machine ulampson logs into second machine (Y) via SSH, wants it to talk to file server on behalf of lampson uSSH on X signs “X says Y can speak for lampson”, gives this certificate to Y when lampson logs into Y uY presents proof to file server: I’m Y X says Y can speak for lampson lampson says X can speak for lampson uFile server can check signatures and verify that request is authorized slide 34

35 Certificates Certificates are true independently of channels and therefore can be u… stored u… passed to other parties u… used to prove transitive trust relationships slide 35

36 Delegation of Authority uMeaning of (A | B) A signed a statement, claiming (no proof yet) that A is speaking for B uMeaning of (A for B) Logical conclusion that A is allowed to speak for B –(A | B) + delegation Interpreted as B for purposes of access control, but preserves who actually signed the statement (A) slide 36

37 Scenario uUser Bob logs into workstation WS uNeed to authenticate requests from Bob’s login session to a remote file server FS uPrincipals involved: Workstation firmware, OS, Bob, channel from WS to FS slide 37

38 State Before Bob Logs In uWorkstation firmware knows long-term private signing key corresponding to public key K vax4 uUser knows his own long-term private signing key PrivateKey bob uFile server has PublicKey bob in an ACL … or, rather, “Bob” + Bob’s public-key certificate slide 38

39 Workstation Boot: Generating K ws uAt boot time, workstation firmware generates fresh public key K ws and correspond. private key Why not just use K vax4 directly? –Don’t want it to be compromised because of frequent use –Don’t want statements to survive reboot - certificates generated for a login session should die with the session uFirmware signs “K vax4 says (K ws speaks for K vax4 )”, K vax4 never used again (until reboot) Why bother preserving K vax4 ’s identity and not just use K ws as workstation’s true identity? –Want workstation’s identity to survive reboots slide 39

40 State after Boot-up uWhy do workstations need identity at all? So users can delegate to it! uAfter boot-up, vax4’s authentication agent knows K ws Certificate: K vax4 says (K ws speaks for K vax4 ) … forgets K vax4 ! slide 40

41 Logging In uLogin = user delegates authority to workstation Want WS to be able to act for Bob uBob signs with his private key following certificate: “K bob says ((K ws | K bob ) speaks for (K ws for K bob ))” –Bob’s private key not used again until next login! uWhy not “K bob says (K ws speaks for K bob )”? If K ws signs something, on whose behalf was it? Statements by K ws are ambiguous, may be used out of context slide 41 Special principal: “WS acting on behalf of Bob”

42 State After Bob’s Login uAfter delegation by Bob, vax4’s authentication agent knows: Private key corresponding to K ws K vax4 says (K ws speaks for K vax4 ) K bob says ((K ws | K bob ) speaks for (K ws for K bob )) slide 42

43 Channels uChannels are encrypted using symmetric-key ciphers and named by their symmetric key uC bob is a mnemonic to indicate intent that channel carries messages from Bob, but system must prove that this is indeed the case! uFile server knows “C bob says RQ” Meaning: file server received request RQ from someone who knows channel key C bob uBut who knows channel key C bob ? K ws ? K ws on behalf of Bob? On behalf of someone else? slide 43

44 Channel Certificates (1) uRQ is encrypted with C bob, need to link it to Bob uWS signs the channel certificate when the channel between WS and file server is first created (K ws | K bob ) says (C bob speaks for (K ws for K bob )) uWhy not just have K bob sign “C bob speaks for K bob ” Authentication agent doesn’t hold the private key corresponding to K bob (why?) and can’t sign such statements slide 44

45 Channel Certificates (2) uWhy not have K ws sign “C bob speaks for K ws ”, along with pre-signed “K ws speaks for K bob ”? C bob doesn’t speak for K ws in general, only for K bob uChannel certificate says only what’s needed and no more K ws says C bob speaks for (K ws speaking for Bob) uBut K ws could sign this statement without Bob’s agreement, so file server needs K ws to prove that it is allowed to speak for Bob slide 45

46 All Certificates Together uK vax4 says (K ws speaks for K vax4 ) uK bob says ((K ws | K bob ) speaks for (K ws for K bob )) u(K ws | K bob ) says (C bob speaks for (K ws for K bob )) slide 46

47 Delegation Axiom uDelegation axiom (informally): If Bob signs a certificate allowing K ws to speak for Bob, then K ws is allowed to speak for Bob uMeaning of delegation certificate If K ws says it’s speaking for Bob, believe it This is different than “K ws speaks for K bob ” (why?) uFile server takes “K bob says ((K ws | K bob ) speaks for (K ws for K bob ))” and deduces, using delegation axiom, “(K ws | K bob ) speaks for (K ws for K bob )” slide 47

48 Proving Authenticity uCombine (K ws | K bob ) speaks for (K ws for K bob ) and (K ws | K bob ) says (C bob speaks for (K ws for K bob )) to derive (K ws for K bob ) says (C bob speaks for (K ws for K bob )) Meaning: K ws really does speak for K bob, not just claiming to do so uConclusion: C bob speaks for K ws speaking for K bob uTherefore, (K ws for K bob ) says RQ slide 48

Download ppt "Slide 1 0x1A Great Papers in Computer Security Vitaly Shmatikov CS 380S"

Similar presentations

Key Management. Shared Key Exchange Problem How do Alice and Bob exchange a shared secret? Offline – Doesnt scale Using public key cryptography (possible)

Key Management. Shared Key Exchange Problem How do Alice and Bob exchange a shared secret? Offline – Doesnt scale Using public key cryptography (possible)
Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.

Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.
Last Class: The Problem BobAlice Eve Private Message Eavesdropping.

Last Class: The Problem BobAlice Eve Private Message Eavesdropping.
1 Operating System vs. Network Security Butler Lampson Microsoft Outline What security is about Operating systems security Network security How they fit.

1 Operating System vs. Network Security Butler Lampson Microsoft Outline What security is about Operating systems security Network security How they fit.
Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York.

Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York.
Grid Security Infrastructure Tutorial Von Welch Distributed Systems Laboratory U. Of Chicago and Argonne National Laboratory.

Grid Security Infrastructure Tutorial Von Welch Distributed Systems Laboratory U. Of Chicago and Argonne National Laboratory.
1 Supplement III: Security Controls What security services should network systems provide? Confidentiality Access Control Integrity Non-repudiation Authentication.

1 Supplement III: Security Controls What security services should network systems provide? Confidentiality Access Control Integrity Non-repudiation Authentication.
Grid Security. Typical Grid Scenario Users Resources.

Grid Security. Typical Grid Scenario Users Resources.
15-1 Last time Internet Application Security and Privacy Public-key encryption Integrity.

15-1 Last time Internet Application Security and Privacy Public-key encryption Integrity.
Slide 1 Many slides from Vitaly Shmatikov, UT Austin Public-Key Infrastructure CNS F2006.

Slide 1 Many slides from Vitaly Shmatikov, UT Austin Public-Key Infrastructure CNS F2006.
Mar 12, 2002Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities SSL/TLS.

Mar 12, 2002Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities SSL/TLS.
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 9: Planning and Managing Certificate Services.

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 9: Planning and Managing Certificate Services.
 Authorization via symmetric crypto  Key exchange o Using asymmetric crypto o Using symmetric crypto with KDC  KDC shares a key with every participant.

 Authorization via symmetric crypto  Key exchange o Using asymmetric crypto o Using symmetric crypto with KDC  KDC shares a key with every participant.
1 Authentication Applications Digital Signatures Security Concerns X.509 Authentication Service Kerberos Based on slides by Dr. Lawrie Brown of the Australian.

1 Authentication Applications Digital Signatures Security Concerns X.509 Authentication Service Kerberos Based on slides by Dr. Lawrie Brown of the Australian.
EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 6 Wenbing Zhao Department of Electrical and Computer Engineering.

EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 6 Wenbing Zhao Department of Electrical and Computer Engineering.
Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.

Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.
8-1 What is network security? Confidentiality: only sender, intended receiver should “understand” message contents m sender encrypts message m receiver.

8-1 What is network security? Confidentiality: only sender, intended receiver should “understand” message contents m sender encrypts message m receiver.
Encryption An Overview. Fundamental problems Internet traffic goes through many networks and routers Many of those networks are broadcast media Sniffing.

Encryption An Overview. Fundamental problems Internet traffic goes through many networks and routers Many of those networks are broadcast media Sniffing.
Slide 1 Vitaly Shmatikov CS 378 Public-Key Authentication and Public-Key Infrastructure.

Slide 1 Vitaly Shmatikov CS 378 Public-Key Authentication and Public-Key Infrastructure.
Copyright © 1995-2003 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE CSci530: Computer Security Systems Authentication.

Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE CSci530: Computer Security Systems Authentication.

Similar presentations

Ads by Google