Security in Distributed systems
CS425/CSE424/ECE428 – Distributed Systems
2011-10-27 Nikita Borisov - UIUC 1
Some material derived from slides by I. Gupta, M. Harandi, J. Hou, S. Mitra, K. Nahrstedt, N. Vaidya
ISIS algorithm for total ordering
[Figure: processes P1, P2, P3, P4. Steps: 1 Message, 2 Proposed Seq, 3 Agreed Seq]
Chord: client to client
[Figure: Chord ring starting at 0, say m=7, with nodes N16, N32, N45, N80, N96, N112. Labels: "Who has bad.mp3? (hashes to K42)" and "File bad.mp3 with key K42 stored here"]
• At node n, send query for key k to largest successor/finger entry < k; if none exist, return successor(n) to requestor
• All “arrows” are RPCs
Distributed banking transaction
[Figure: Client, transaction T, and participants BranchX, BranchY, BranchZ holding accounts A, B, C, D. Each participant sends join; the client calls openTransaction, then operations such as b.withdraw(T, 3), then closeTransaction]
T = openTransaction
    a.withdraw(4);
    c.deposit(4);
    b.withdraw(3);
    d.deposit(3);
closeTransaction
Note: the coordinator is in one of the servers, e.g. BranchX
Security Threats
• Leakage: An unauthorized party gains access to a service or data.
  ▪ Attacker obtains knowledge of a withdrawal or account balance, e.g., via eavesdropping
• Tampering: Unauthorized change of data, tampering with a service
  ▪ Attacker changes the variable holding your personal checking $$ total
• Vandalism: Interference with proper operation, without gain to the attacker
  ▪ Attacker does not allow any transactions to your account
  ▪ E.g., DOS = denial of service
More Concerns
Attacks on Communication Channel / Network
• Eavesdropping – Obtaining copies of messages without authority.
• Masquerading – Sending or receiving messages with the identity of another principal (user or corporation).
• Message tampering – Intercepting messages and altering their contents before passing them on to the intended recipient.
• Replaying – Intercepting messages and sending them at a later time.
• Denial of Service Attack – flooding a channel or other resources (e.g., port) with messages.
Addressing the Challenges: Security
• Leakage: An unauthorized party gains access to a service or data.
  ▪ Confidentiality: protection against disclosure to unauthorized individuals.
• Tampering: Unauthorized change of data, tampering with a service
  ▪ Integrity: protection against alteration or corruption.
• Vandalism: Interference with proper operation, without gain to the attacker
  ▪ Availability: protection against interference with the means to access the resources.
Security Policies & Mechanisms
• A Security Policy indicates which actions each entity (user, data, service) is allowed or prohibited to take.
  ▪ E.g., Only an owner is allowed to make transactions to his account.
  ▪ CIA properties.
• A Security Mechanism enforces the policy
  ▪ Encryption and decryption: transform data to a form only understandable by authorized users, and vice-versa.
  ▪ Authentication: verify the claimed identity of a user, client, service, process, etc.
  ▪ Authorization: verify access rights for an authenticated entity.
  ▪ Auditing: make record of and check access to data and resources. Mainly an offline analysis tool, often after the fact.
Security Tenets
• Make worst-case assumptions
  ▪ Network compromised
  ▪ Code / mechanism is known
  ▪ Nothing remains secret forever
• Separate policy from mechanism
  ▪ Cryptography for secure channels
  ▪ Identity management (PKI, passwords, etc.) for authentication
  ▪ Access control lists, capabilities for authorization
Cryptography
• Science of enciphering data
  ▪ Cryptology (algorithm design) + cryptanalysis (breaking algorithms)
• History
  ▪ First algorithms thousands of years old
  ▪ Encryption driven by military, intelligence, and financial uses
  ▪ Since 1970’s, subject of much open research
• Backbone of most Internet security mechanisms
Encryption (symmetric)
• Block cipher:
  ▪ E_K(P) = C
  ▪ D_K(C) = P
  ▪ P: Plaintext, C: Ciphertext, K: Shared key
• Example: AES
  ▪ Result of design competition by NIST
  ▪ AES-128: key, block size are 128 bits
  ▪ Also, AES-192, AES-256
Encryption (symmetric)
• Stream cipher: Keystream(K)
  ▪ Produce infinite, unpredictable key stream from key K
  ▪ C = P xor Keystream(K)
  ▪ P = C xor Keystream(K)
• Example: RC4
  ▪ Used in older version of 802.11, SSL
  ▪ Some security vulnerabilities
Security Properties
• Indistinguishability
  ▪ Adversary queries encryption, decryption oracles
    ▪ E_K(.), D_K(.)
    ▪ Polynomial # of times
  ▪ Adversary provides M1, M2
  ▪ Challenger provides E_K(M_b) for b = 0 or 1
  ▪ Adversary queries oracles again
  ▪ Outputs guess for b
• Security
  ▪ Adversary can’t win with probability (non-negligibly) more than 1/2
Encryption mode
• Basic encryption primitives insecure
  ▪ Block cipher: C = C' => P = P'
  ▪ Stream cipher: C xor C' = P xor P'
• Must use operation mode
  ▪ E.g., CBC
    C1 = IV (random)
    C2 = E_K(P1 xor C1)
    C3 = E_K(P2 xor C2)
    …
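The block-cipher half of this slide, played as the indistinguishability game from the Security Properties slide (an added example, not from the original slides). The toy Feistel cipher built from HMAC-SHA256 is an assumed stand-in for E_K so the code needs only the standard library; the message contents and function names are constructed for illustration.

```python
import hashlib, hmac, os, secrets

BLOCK = 16  # bytes per block, as in AES-128

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key, i, half):
    # Round function of the toy cipher: 8 bytes of HMAC-SHA256 (NOT AES).
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]

def E(key, block):
    """Toy 4-round Feistel permutation standing in for E_K on one block."""
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, xor(l, _round(key, i, r))
    return l + r

def D(key, block):
    """Inverse permutation: D_K(E_K(P)) = P."""
    l, r = block[:8], block[8:]
    for i in reversed(range(4)):
        l, r = xor(r, _round(key, i, l)), l
    return l + r

def raw_encrypt(key, blocks):
    # Bare primitive, block by block: equal plaintext gives equal ciphertext.
    return [E(key, p) for p in blocks]

def cbc_encrypt(key, blocks):
    c = [os.urandom(BLOCK)]                    # C1 = IV (random)
    for p in blocks:
        c.append(E(key, xor(p, c[-1])))        # C(i+1) = E_K(P(i) xor C(i))
    return c

def cbc_decrypt(key, c):
    return [xor(D(key, c[i]), c[i - 1]) for i in range(1, len(c))]

def adversary_win_rate(encrypt, trials=400):
    """Indistinguishability game: the adversary asks the encryption oracle
    for M0 again and guesses b = 0 only if the result equals the challenge."""
    key = os.urandom(16)
    m = [b"a.withdraw(4)".ljust(BLOCK), b"b.withdraw(3)".ljust(BLOCK)]
    wins = 0
    for _ in range(trials):
        b = secrets.randbelow(2)               # challenger's hidden bit
        challenge = encrypt(key, [m[b]])
        guess = 0 if encrypt(key, [m[0]]) == challenge else 1
        wins += (guess == b)
    return wins / trials

if __name__ == "__main__":
    print("raw block cipher:", adversary_win_rate(raw_encrypt))
    print("CBC, random IV:  ", adversary_win_rate(cbc_encrypt))
```

Against the bare primitive the adversary wins every round; against CBC with a fresh random IV the same strategy does no better than guessing.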
Secure channel
• Alice, Bob share key K
• Each sends E_K(M) to send M over secure channel
• Security properties?
  ▪ Confidentiality
    ▪ Guaranteed by security of E
  ▪ Integrity
    ▪ Not guaranteed
  ▪ Availability
    ▪ Cannot be guaranteed by cryptography
Integrity Protection
• Message Authentication Code (MAC), aka Message Integrity Code (MIC)
  ▪ MAC_K(M) = x
• Security: unforgeability
  ▪ Adversary queries MAC oracle
    ▪ MAC_K(.)
  ▪ Adversary produces (M, x) where M has never been queried
  ▪ Wins if MAC_K(M) = x
  ▪ Secure if adversary cannot win with probability non-negligibly more than 0
• Examples: HMAC, CBC-MAC
Secure Channel
• Encryption key EK, MAC key MK
• Send(M) = E_EK(M) || MAC_MK(M)
• Secure?
  ▪ Replay
  ▪ Reflection
• Solution:
  ▪ Sequence numbers
  ▪ Different keys in different directions
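The two fixes on this slide, with the single-key configuration beside the corrected one (an added example, not from the original slides). It models only the MAC layer, with HMAC-SHA256 as MAC_MK and the E_EK(M) part left out; the packet layout, key-derivation labels and class names are assumptions made for the illustration.

```python
import hashlib, hmac, struct

TAG = 32  # HMAC-SHA256 output length

def derive(k, label):
    # Assumed key separation: one MAC key per direction, derived from shared K.
    return hmac.new(k, label, hashlib.sha256).digest()

class Endpoint:
    """MAC layer of the channel only; E_EK(M) is left out of this example."""
    def __init__(self, send_key, recv_key):
        self.send_key, self.recv_key = send_key, recv_key
        self.send_seq = self.recv_seq = 0

    def send(self, msg):
        head = struct.pack(">Q", self.send_seq)        # 64-bit sequence number
        self.send_seq += 1
        return head + msg + hmac.new(self.send_key, head + msg, hashlib.sha256).digest()

    def receive(self, packet):
        if len(packet) < 8 + TAG:
            raise ValueError("short packet")
        head, msg, tag = packet[:8], packet[8:-TAG], packet[-TAG:]
        good = hmac.new(self.recv_key, head + msg, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, good):
            raise ValueError("bad MAC")
        if struct.unpack(">Q", head)[0] != self.recv_seq:
            raise ValueError("replayed or out of order")
        self.recv_seq += 1
        return msg

def make_pair(k, directional=True):
    ab = derive(k, b"A->B")
    ba = derive(k, b"B->A") if directional else ab     # weak: same key both ways
    return Endpoint(ab, ba), Endpoint(ba, ab)          # (Alice, Bob)

def outcome(endpoint, packet):
    try:
        return "accepted: " + endpoint.receive(packet).decode()
    except ValueError as err:
        return "rejected: " + str(err)

def demo(directional):
    alice, bob = make_pair(b"constructed shared key K", directional)
    pkt = alice.send(b"b.withdraw(T, 3)")
    return {
        "first delivery": outcome(bob, pkt),
        "replay to Bob": outcome(bob, pkt),            # same packet again
        "reflection to Alice": outcome(alice, pkt),    # bounced back at the sender
    }

if __name__ == "__main__":
    for directional in (False, True):
        print(directional, demo(directional))
```

With one key for both directions the sequence number stops the replay, but Alice accepts her own packet as if Bob had sent it; with per-direction keys the reflected packet fails the MAC check.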
Public-key cryptography
• Must establish symmetric key with everyone
  ▪ O(N^2) keys total
  ▪ Must be exchanged over secure channel!
• Public key cryptography
  ▪ Two keys: PK – public, SK – secret
  ▪ C = E_PK(P)
  ▪ P = D_SK(C)
  ▪ O(N) keys total
RSA
• Example: RSA
  ▪ Rivest, Shamir, Adleman, 1977
• Key generation
  ▪ N = p*q, for two large primes p, q
  ▪ e = 3, d = e^-1 in Z_N^*
    ▪ d can be computed with knowledge of p, q
  ▪ PK = (N, e), SK = d
    ▪ Factoring N into p, q currently infeasible if p, q > ~1024 bits
• Encryption
  ▪ C = M^e (mod N)
  ▪ P = C^d (mod N)
• Note: insecure in this form
  ▪ Must use randomization, padding to ensure indistinguishability
Key exchange
• RSA-based key exchange (roughly what’s used in TLS)
• Parties: Client, Server
• Steps:
  ▪ S->C: PK_S, N_S
  ▪ C->S: E_PK_S(N_C)
  ▪ K = H(N_S || N_C)
    ▪ Encryption, MAC keys derived from K
• Properties:
  ▪ Nonces protect from replay
  ▪ One-way authentication
  ▪ No PFS
Perfect Forward Secrecy
• Goal: if (long-term) keys uncompromised at end of session, session remains secure forever
• E.g., Diffie-Hellman
  ▪ S: pick random x, send g^x
  ▪ C: pick random y, send g^y
  ▪ Use (g^x)^y = (g^y)^x = g^(xy) to derive shared key
  ▪ Securely forget secrets (incl. x, y, g^(xy)) after session
• Security relies on discrete logarithm problem
Digital Signatures
• Public-key algorithm
  ▪ Secret signing key SK
  ▪ Public verification key VK
• Operation
  ▪ sig = Sign_SK(M)
  ▪ Verify_VK(M, sig) = True or False
• Example: RSA
  ▪ N, e = verification key, d = signature key
  ▪ Sign(M) = H(M)^d (mod N)
Authenticated Key Exchange
• Putting things together:
  ▪ A->B: A, g^x, Sign(g^x)
  ▪ B->A: B, g^y, Sign(g^y)
• Problems?
SIGMA protocol
• SIGn-and-MAc, due to Hugo Krawczyk
• Used in IKE, part of IPSec
  ▪ A->B: g^x
  ▪ B->A: g^y, Sign(g^x, g^y), MAC_MK(B)
  ▪ A->B: A, Sign(g^y, g^x), MAC_MK(A)
Digital Certificates
• A digital certificate is a statement signed by a third party principal, and can be reused
  ▪ e.g., Verisign Certification Authority (CA)
• To be useful, certificates must have:
  ▪ A standard format, for construction and interpretation
  ▪ A protocol for constructing chains of certificates
  ▪ A trusted authority at the end of the chain
[Figure: Alice, Bob, Service (S), with keys KS+ and KS-. 1: Request with digital signature; 2: {Certificate}KS-; 3: Transaction + {Certificate}KS-. Certificate = "She is Alice"]
Alice’s Bank Account Certificate
1. Certificate type: Account number
2. Name: Alice
3. Account: 6262626
4. Certifying authority: Bob’s Bank
5. Signature: {Digest(field 2 + field 3)}KBpriv
Public-Key Certificate for Bob’s Bank
1. Certificate type: Public key
2. Name: Bob’s Bank
3. Public key: KBpub
4. Certifying authority: Fred – The Bankers Federation
5. Signature: {Digest(field 2 + field 3)} KFpriv
Eventually KF-, KF+ have to be obtained reliably.
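The two certificates above checked as a chain, ending at a key for Fred that the verifier already holds (an added example, not from the original slides). The RSA keys are constructed from small Mersenne primes with e = 65537, the signature is H(M)^d mod N as on the Digital Signatures slide, and the field names, the "|" separator inside the digest and the ASCII spelling of Fred's name are assumptions.

```python
import hashlib

def keypair(p, q, e=65537):
    # Toy RSA key: (public (N, e), private d). Primes far too small for real use.
    return (p * q, e), pow(e, -1, (p - 1) * (q - 1))

def digest(cert, n):
    # Digest(field 2 + field 3), reduced mod N so it can be signed directly.
    data = f"{cert['name']}|{cert['value']}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def issue(ctype, name, value, issuer, issuer_pub, issuer_priv):
    cert = {"type": ctype, "name": name, "value": value, "issuer": issuer}
    cert["sig"] = pow(digest(cert, issuer_pub[0]), issuer_priv, issuer_pub[0])
    return cert

def signed_by(cert, pub):
    n, e = pub
    return pow(cert["sig"], e, n) == digest(cert, n)

def verify_chain(chain, trusted):
    """chain[0] is the leaf; each later entry must be the public-key certificate
    of the previous entry's certifying authority; the last issuer must be trusted."""
    for cert, parent in zip(chain, chain[1:] + [None]):
        if parent is None:
            pub = trusted.get(cert["issuer"])          # K_F+ obtained reliably
        elif parent["type"] == "Public key" and parent["name"] == cert["issuer"]:
            pub = parent["value"]
        else:
            pub = None
        if pub is None or not signed_by(cert, pub):
            return False
    return bool(chain)                                 # an empty chain proves nothing

# Constructed keys and the two certificates from the slides.
FRED = "Fred (The Bankers Federation)"
FRED_PUB, FRED_PRIV = keypair(2**127 - 1, 2**107 - 1)
BANK_PUB, BANK_PRIV = keypair(2**89 - 1, 2**61 - 1)
BANK_CERT = issue("Public key", "Bob's Bank", BANK_PUB, FRED, FRED_PUB, FRED_PRIV)
ALICE_CERT = issue("Account number", "Alice", "6262626",
                   "Bob's Bank", BANK_PUB, BANK_PRIV)
TRUSTED = {FRED: FRED_PUB}

if __name__ == "__main__":
    print(verify_chain([ALICE_CERT, BANK_CERT], TRUSTED))
    altered = dict(ALICE_CERT, value="1234567")        # account number changed
    print(verify_chain([altered, BANK_CERT], TRUSTED))
```

Verification fails if any signed field changes, if an intermediate certificate is missing, or if the chain ends at an authority absent from the trusted set.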
Authorization: Access Control
• Control of access to resources of a server.
• A basic form of access control checks <principal, op, resource> requests:
  ▪ Authentication of the principal.
  ▪ Authorization check for desired op, resource.
• Access control matrix M (e.g., maintained at server)
  ▪ Each principal is represented by a row, and each resource object is represented by a column.
  ▪ M[s,o] lists precisely what operations principal s can request to be carried out on resource o.
  ▪ Check this before carrying out a requested operation.
  ▪ M may be sparse.
• Access control list (ACL)
  ▪ Each object maintains a list of access rights of principals, i.e., an ACL is some column in M with the empty entries left out.
• Capability List = row in access control matrix, i.e., per-principal list.
Focus of Access Control
• Three approaches for protection against security threats
a) Protection against invalid operations
b) Protection against unauthorized invocations
c) Protection against unauthorized users
ACL and Capability Usage
Comparison between ACLs and capabilities for protecting objects.
a) Using an ACL
b) Using capabilities.