CS542: Topics inDistributed Systems

CS542: Topics inDistributed Systems

Security

Why are Distributed Systems insecure?

Distributed component rely on messages sent and received from network.

Is network (especially WAN networks) secure?» Packets can be intercepted and modified at network layer!

Is client component secure? Is client component who it claims to be? Are users of calling components really who they claim

to be?

Security Threats Security Threats

Leakage: An unauthorized party gains access to a service or data.Attacker obtains knowledge of a withdrawal or account

balance, e.g., via eavesdropping

Tampering: Unauthorized change of data, tampering with a serviceAttacker changes the variable holding your personal data

Vandalism: Interference with proper operation, without gain to the attackerAttacker does not allow any transactions to your accountE.g., DOS=denial of service

How Attacks are Carried OutHow Attacks are Carried Out

Attacks on Communication Channel / Network

Eavesdropping – Obtaining copies of messages without authority.

Masquerading – Sending or receiving messages with the identity of another principal (user or corporation). Identity theft.

Message tampering – Intercepting messages and altering their contents before passing them onto the intended recipient.

Replaying – Intercepting messages and sending them at a later time.

Denial of Service Attack – flooding a channel or other resources (e.g., port) with messages.

Addressing the ChallengesAddressing the Challenges

Leakage: An unauthorized party gains access to a service or data.

– Confidentiality : protection against disclosure to unauthorized individuals.

Tampering: Unauthorized change of data, tampering with a service

– Integrity : protection against alteration or corruption.

Vandalism: Interference with proper operation, without gain to the attacker

– Availability : protection against interference with the means to access the resources.

Security Requirements

Authentication: ensures that sender and receiver are who they are claiming to be

Data integrity: ensure that data is not changed from source to destination

Confidentiality: ensures that data is read only by authorized users

Non-repudiation: ensures that the sender has strong evidence that the receiver has received the message, and the receiver has strong evidence of the sender identity. The sender cannot deny that it has sent the message and the receiver cannot deny that it has received the message

Security Policies & Mechanisms Security Policies & Mechanisms

A Security Policy indicates which actions each entity (user, data, service) is allowed or prohibited to take.

E.g., Only an owner is allowed to make transactions to his account.

A Security Mechanism implements and enforces the policy

Security Mechanisms

Encryption / decryption: transforming data into something an attacker cannot understand and vice-versa, i.e., providing a means to implement confidentiality, as well as allowing user to check whether data have been modified.

Authentication: verifying the claimed identity of a subject, such as user name, password, etc.

Authorization: checking whether the subject has the right to perform the action requested. verify access rights of principal for resource.

Auditing: tracing which subjects accessed what, when, and which way. In general, auditing does not provide protection, but can be a tool for analysis of problems. Mainly an offline analysis tool, often ex-post.

Designing Secure SystemsDesigning Secure Systems

• Need to make worst-case assumptions about attackers:

– exposed interfaces, insecure networks, algorithms and program code available to attackers, attackers may be computationally very powerful

– Typically design system to withstand a known set of attacks (Attack Model or Attacker Model)

– Tradeoff between security and performance impact

• Designing Secure Systems– Traditionally done as a layer on top of existing protocols.

Three phases:

– Design security protocol

– Analyze Protocol Behavior when under attacks

– Measure effect on overall performance if there were no attacks (the common-case)

Source: G. Coulouris et al., Distributed Systems: Concepts and Design, Third Edition.

Familiar Names in the Security Literature

Source: G. Coulouris et al., Distributed Systems: Concepts and Design, Third Edition.

Notational Conventions

Cryptographic Terminology

Plain text: the message before encryption. Cipher text: the message after encryption. Key: information needed to convert from plain

text to cipher text (or vice-versa). Function: the encryption or decryption

algorithm used, in conjunction with key, to encrypt or decrypt message.

Key distribution: How to distribute keys between senders and receivers

Requirements for modern cryptography

Kerkhoff’s principle: knowledge of encryption algorithm should not be an advantage

With computers a brute force attempt is possible, i.e. try every possible substitution until a valid message is produced.

Computers are good at this, modern schemes must be computationally hard to solve to remain secure.

15 May 1973 American National Bureau of standards requests proposals for encryption standard

Data Encryption Standard, DES, developed. Standard describes DEA, Data Encryption Algorithm

Since November 26, 2001, there’s AES, based on Rijndael

Encryption

Plain Text (M)

Encryption KBpub, E

Cryptography Cryptography Encoding (encryption) of a message that can only be read

(decryption) by a key.

In shared key cryptography (symmetric cryptography) the sender and the recipient know the key, but no one else does.E.g., DES (Data Encryption Standard) – 56 b key operates on 64 b blocks

of data. Notation: KAB (M).

How do Alice and Bob get the shared key KAB to begin with?

In public/private key pairs messages are encrypted with a published public key, and can only be decrypted by a secret private decryption key.

E.g., RSA / PGP keys – at least 512 b long

Plain Text (M)

Decryption KBpriv, D

DecryptionAlice BobE(K,M)={M}K

D(K, {M}K)=M{M}K

Code for E & Dis “open-source”

(hence known to attacker)

Cryptography Cryptography

Shared versus public/private:

Shared reveals information to too many principles; may need key distribution and revocation/repudiation mechanisms

In electronic commerce or wide area applications, public/private key pairs are preferred to shared keys.

Public/private key encrypt/decrypt ops are costly

May use hybrid: pub/pri generates a shared key.

Presentation of many next few protocols independent of which keying scheme, viz., shared or pub/priv

Symmetric Key

Both the sender and the receiver use the same secret keys

InternetEncrypt withsecret key

Decrypt withsecret key

Plaintext Plaintext

Ciphertext

DES/AES: Symmetric Encryption

One key is used to both encrypt and decrypt data Encryption and decryption functions are often

chosen to be the same Security should not be compromised by making

function well-known as security comes from secret keys

DES/AES: Using Secret Keys

Sender and recipient exchange keys through some secure, trusted, non-network based means.

Sender encodes message using function and sends, knowing that only the holder of the key (the intended recipient) can make sense of it.

Recipient decodes message & knows that only a key-holding sender could have generated it.

Message can be captured but is of no use.

Data Encryption Standard (DES)

DES encrypts a 64-bit block of plain text using a 56-bit key

Three phases1. Permute the 64 bits in the

block

2. Apply a given operation 16 times on the 64 bits

3. Permute the 64 bits using the inverse of the original permutation

Round 1

Round 16

... key

1st phaseIP(input)

3rd phaseIP-1(input)

2nd phase

Initial Permutation (IP)

IP: bit 58 of input becomes 1st bit, bit 50 becomes 2nd bit, etc

58 50 42 34 26 18 10 2 60 52 44 36 28 20 12 462 54 46 38 30 22 14 6 64 56 48 40 32 24 16 8 57 49 41 33 25 17 9 1 59 51 43 35 27 19 11 3 61 53 45 37 29 21 13 5 63 55 47 39 31 23 15 7

IP-1: inverse of IP, e.g., IP(1) = 58, IP-1 (58) = 140 8 48 16 56 24 64 32 39 7 47 15 55 23 63 31 38 6 46 14 54 22 62 30 37 5 45 13 53 21 61 29 36 4 44 12 52 20 60 28 35 3 43 11 51 19 59 27 34 2 42 10 50 18 58 26 33 1 41 9 49 17 57 25

2nd Phase: Operation in each round

16 rounds Each round i select a 48

bit key Ki from the original 56 bit key K. Perform (F is a given function):

+

F

63 0

63 32 31 0

Ki

Li-1 Ri-1

Li Ri

),( 11

1

iiii

ii

KRFLR

RL

Discussion of DES

Even through the DES algorithm is well known, but the key or cipher is difficult to break using analytical methods.

Using a brute-force attack by simply searching for a key is possible. However, for 56-bit key, there are 256 possible key combinations, if we could search one key in 1 µs, then we need 2283 years to try all keys. (Distributed.net broke a DES-56 within 22 hours and 15 minutes, by using 100,000 PCs).

Use 3DES (K1, K2, K3), or DES-128 for high security.

Encrypting Larger Messages

Initialization Vector (IV) is a random number generated by sender and sent together with the ciphertext

+

Block1

Cipher1

DES

+

Block2

DES

+

Block3

DES

+

Block4

DES

Cipher2 Cipher3 Cipher4

IV

Cipher block chaining (CBC)

Each plaintext block is combined with the preceding ciphertext block using XOR

i.e., ciphertextn+1 = plaintextn+1 ciphertextn

For decryption, the opposite is done, since XOR is idempotent, it works.

Weaknesses: if the same message is sent to multiple locations, they’ll be the same and the attacker may infer.

To add different piece of plaintext at the beginning of each message

Source: G. Coulouris et al., Distributed Systems: Concepts and Design, Third Edition.

A Scheme of Cipher Block Chaining

Stream ciphers

CBC is inappropriate for some apps., e.g., encryption of telephone conversations

==> Stream ciphers solve this problem

Main idea is to construct a keystream generator.It’s analogous to adding “noise” to the system

Source: G. Coulouris et al., Distributed Systems: Concepts and Design, Third Edition.

A Stream Cipher

DES Properties

Provide confidentiality» No mathematical proof, but practical evidence

suggests that decrypting a message without knowing the key requires exhaustive search

» To increase security use triple-DES, i.e., encrypt the message three times

Secret Key Encryption

Disadvantage: Number of keys needed increases quadratically by number of objects (one key per pair of communicating objects…)

Another problem with private key:Key distribution

Public Key (Asymmetric) Encryption overcomes these problem

Public-Key Cryptosystems: RSA

Asymmetric algorithm: a private and a public key are used

First proposed by Diffie and Hellman Basis: Trap-door functions

Are special type of one-way-functions that has a secret exit, it is easy to compute it in one-way but it is infeasible to compute the inverse if the secret is unknown

Two keys, Ke and Kd

D(Kd, E(Ke, M)) = M RSA (Rivest, Shamir, and Adelman) Algorithm

Public-Key Cryptography: RSA (Rivest, Shamir, Adleman)

Sender uses a public key» Advertised to everyone

Receiver uses a private key

InternetEncrypt withpublic key

Decrypt withprivate key

Plaintext Plaintext

Ciphertext

Asymmetric Encryption

Gives 'one-way' security. Two keys generated, one used with decryption

algorithm (private key) and one with encryption algorithm (public key).

Generation of private key, given public key is computationally hard.

Does not need secure key transmission mechanism for key distribution.

Asymmetric Encryption: Using Public Keys

Recipient generates key pair. Public key is published by trusted service. Sender gets public key, and uses it to encode

message. Recipient decrypts message with its private

key. Replies can be encoded using sender’s public

key from the trusted distribution service. Message can be captured but is of no use.

RSA Algorithm

Generating the private and public key requires four steps:Choose two very large prime numbers, p and q

Compute n = p x q and z = (p – 1) x (q – 1)

Choose a number d that is relatively prime to z

Compute the number e such that e x d = 1 mod z

Generating Public and Private Keys

Public key consist of pair (n, e) Private key consists of pair (n, d)

RSA Encryption and Decryption

Encryption of message block m: » c = me mod n

Decryption of ciphertext c: » m = cd mod n

Example (1/2)

Choose p = 7 and q = 11 n = p*q = 77

Compute encryption key e: (p-1)*(q-1) = 6*10 = 60 chose e = 13 (13 and 60 are relatively prime numbers)

Compute decryption key d such that 13*d = 1 mod 60 d = 37 (37*13 = 481)

Example (2/2)

n = 77; e = 13; d = 37

Send message block m = 7

Encryption: c = me mod n = 713 mod 77 = 35

Decryption: m = cd mod n = 3537 mod 77 = 7

Properties

Confidentiality A receiver B computes n, e, d, and sends out (n, e)

» Everyone who wants to send a message to A uses (n, e) to encrypt it

How difficult is to recover d ? (Someone that can do this can decrypt any message sent to B!)

Recall that

d is relatively prime to (p-1)*(q-1) So to find d, you need to find prime factors p and q

» This is provably very difficult

Public Key Encryption

Transmission of message is secure » as only B has the matching private key to decrypt message

Differences between public and secret key» One pair of keys generated for every object, so number

of keys is linear to number of objects

Because different functions:» use of public keys is more complicated for reply messages. A

must generate pair of keys and publish its public key, which B acquires to encrypt reply message

Pretty Good Privacy

Public Key encryption used in PGP Generally available, and can be used for

» encryption of messages » digital signatures.

PGP combines DES and RSA» DES fast, but symmetric, hence key distribution

problem» RSA slower, but no key distribution problem» Solution: Use RSA to encrypt and distribute key

for DES encryption!!!