Naming System Design Tradeoffs2 Goal Learn about fundamental security mechanisms such as encryption,...

Copyright 2012 & 2015 – Noah Mendelsohn Security Fundamentals Noah Mendelsohn Tufts University Email: [email protected] Web: http://www.cs.tufts.edu/~noah COMP 150-IDS: Internet Scale Distributed Systems (Spring 2015)

© 2010 Noah Mendelsohn

Goal

Learn about fundamental security mechanisms such as encryption, PKI, TLS, and related technologies such as rootkits, etc.

Non Goal

This presentation does not attempt to explore broader issues relating to good security architecture including requirements gathering, threat analysis, design for security, penetration testing, etc.


Encryption Basics


Simple Encryption

[Diagram: Data → Encryption Function → Encrypted Data]


Decryption

[Diagram: Encrypted Data → Decryption Function → Data]


Encryption/Decryption are functions over data+key

Data = F_decrypt(key, F_encrypt(key, data))

EncryptedData = F_encrypt(key, data)

Data = F_decrypt(key, EncryptedData)


Same key for encryption and decryption


What’s secret?

[Diagram: Data → Encryption Function → Encrypted Data → Decryption Function → Data]

Encryption & Decryption Functions Usually not Secret


Same secret key needed by sender & receiver

Key distribution/protection is a big problem


Public Key Basics


Ordinary Encryption

[Diagram: Data → Encryption Function → Encrypted Data → Decryption Function → Data]

Same secret key for sender and receiver

Asymmetric Key Crypto

[Diagram: Data → Encryption Function → Encrypted Data → Decryption Function → Data]

Key Pairs

Different Keys for Encryption & Decryption!!

Note: the encryption key cannot decrypt…only its pair can

Either key can serve to encrypt, then the other decrypts.


Digital Signatures


Public Key Crypto

Built on asymmetric crypto

Pair: one part public, one part private
– Private cannot be derived from public

To send me a message:
– Encrypt it with my public key, which everyone knows is mine
– Only I have the private key to decrypt

Avoids need to distribute secret keys!

…but, we do need to watch for fraudulent public keys


Digital signatures: non-repudiation

Prove that these bits were from me

Step 1: I hash the content yielding a small number unique to the content

Step 2: I encrypt that hash using my private key, resulting in a digital signature

Step 3: I send you the bits and the signature

Step 4: You decrypt the signature using my public key, and compare to hash you compute on bits you’ve received

Signature check: you have confidence the message came from me

Non-repudiation: I can’t deny having signed those bits!

Public Key Infrastructure (PKI)


Certificates

How do you know the public key is mine?

Certificate: a public key signed by someone you trust!

Their signature asserts: this key is Noah’s public key

Whom do you trust?
– The organization you work for (e.g. Tufts University)
– Well known signing organizations (Verisign, Thawte, Equifax, etc.)
– Yourself (self-signed certs…usually a kludge only for testing)

Trust hierarchies
– I am Noah as vouched for by Tufts as vouched for by Equifax
– Your browser comes with a trusted set of root certificates

The PKI hierarchy has become fundamental to the integrity of the Web – used to establish identity of https: Web sites!
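The four signature steps and the "Noah as vouched for by Tufts" chain from the slides above, worked through as an added Python example that is not part of the original slides. It uses textbook RSA with no padding and constructed toy keys built from Mersenne primes; the names "Root CA", make_keypair, issue_cert and verify_chain are assumptions made for illustration.

```python
import hashlib

E = 65537  # public exponent

def make_keypair(p, q):
    """Toy RSA: returns (public, private) as (n, e) and (n, d)."""
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))

def digest(data, n):
    """Step 1: hash the content (reduced mod n only because the toy modulus is small)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(data, private):
    """Step 2: transform the hash with the private key to get the signature."""
    n, d = private
    return pow(digest(data, n), d, n)

def verify(data, signature, public):
    """Step 4: undo the signature with the public key and compare to our own hash."""
    n, e = public
    return pow(signature, e, n) == digest(data, n)

def cert_body(subject, public, issuer):
    """The bytes the issuer signs: a name bound to a public key."""
    return f"{subject}|{public[0]}|{public[1]}|{issuer}".encode()

def issue_cert(subject, public, issuer, issuer_private):
    return {"subject": subject, "public": public, "issuer": issuer,
            "sig": sign(cert_body(subject, public, issuer), issuer_private)}

def verify_chain(chain, trusted_roots):
    """chain[0] is the end entity; each cert is checked with the next cert's key,
    and the last one with a root key the verifier already holds."""
    for i, cert in enumerate(chain):
        if i + 1 < len(chain):
            if chain[i + 1]["subject"] != cert["issuer"]:
                return False
            issuer_public = chain[i + 1]["public"]
        else:
            issuer_public = trusted_roots.get(cert["issuer"])
            if issuer_public is None:
                return False          # chain does not end at a trusted root
        body = cert_body(cert["subject"], cert["public"], cert["issuer"])
        if not verify(body, cert["sig"], issuer_public):
            return False              # name/key binding was not signed by the issuer
    return True

# Constructed toy keys from Mersenne primes: fine for a demo, useless for real security.
ROOT_PUB, ROOT_PRIV = make_keypair(2**521 - 1, 2**607 - 1)
TUFTS_PUB, TUFTS_PRIV = make_keypair(2**107 - 1, 2**127 - 1)
NOAH_PUB, NOAH_PRIV = make_keypair(2**61 - 1, 2**89 - 1)
OTHER_PUB, _ = make_keypair(2**19 - 1, 2**31 - 1)   # a key Tufts never vouched for

TRUSTED_ROOTS = {"Root CA": ROOT_PUB}                # what the browser ships with
TUFTS_CERT = issue_cert("Tufts", TUFTS_PUB, "Root CA", ROOT_PRIV)
NOAH_CERT = issue_cert("Noah", NOAH_PUB, "Tufts", TUFTS_PRIV)
SWAPPED_CERT = dict(NOAH_CERT, public=OTHER_PUB)     # fraudulent key under Noah's name

MESSAGE = b"these bits are from Noah"
SIGNATURE = sign(MESSAGE, NOAH_PRIV)                 # step 3: send MESSAGE + SIGNATURE

if __name__ == "__main__":
    print(verify(MESSAGE, SIGNATURE, NOAH_PUB))
    print(verify(MESSAGE + b"!", SIGNATURE, NOAH_PUB))
    print(verify_chain([NOAH_CERT, TUFTS_CERT], TRUSTED_ROOTS))
    print(verify_chain([SWAPPED_CERT, TUFTS_CERT], TRUSTED_ROOTS))
    print(verify_chain([NOAH_CERT, TUFTS_CERT], {}))
```

The swapped-key certificate fails because the issuer's signature covers the name and the key together, and the empty root set shows that a valid chain still proves nothing without a root the verifier already trusts.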


Identity and Authentication


PKI and identity management

PKI works best in hierarchical organizations of medium size

Nonetheless, it is the most common framework for authenticating the identity of Web sites

Some systems use PKI to authenticate down to the user-level

In practice, most Web sites use ordinary passwords, with sites authenticated using HTTPS (PKI)

There are ongoing problems with the operational integrity (and business motivations) of some CA providers


HTTPS and TLS

Warning: the protocol on the following slide is greatly simplified. Actual TLS has many crypto and PKI options, and uses a much more elaborate and robust setup protocol. This is close enough in spirit to give the general idea.


Transport Level Security (TLS and SSL)

[Diagram: two machines, each with CPU, Memory, Storage; one is labeled Tufts.edu]

I want an encrypted connection to Tufts, and I want to be sure it’s Tufts

Connection setup

Certificate from Tufts

Certificate from Tufts checked against cert hierarchy up to root

Problem: Public key encryption is much too slow for bulk data transfer.

Solution: TLS/SSL use PKI to authenticate server (and optionally client) and to establish agreement on a private (symmetric) key used to encrypt actual session data.

Result: an authenticated, encrypted, high-performance connection.
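The split described above (one public-key operation to agree on a secret, then fast symmetric protection for the bulk data), as an added Python sketch that is not from the original slides and, like the slides, is far simpler than real TLS. The toy RSA key, the SHA-256 keystream cipher and all function names are assumptions; the server's public key is assumed to have been authenticated already through its certificate.

```python
import hashlib
import hmac
import secrets

E = 65537

def make_keypair(p, q):
    """Toy RSA keypair: (n, e) public, (n, d) private."""
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))

def wrap_session_key(server_public):
    """Client side: one slow public-key operation to send a fresh secret."""
    n, e = server_public
    secret = secrets.token_bytes(16)
    return secret, pow(int.from_bytes(secret, "big"), e, n)

def unwrap_session_key(wrapped, server_private):
    """Server side: only the private-key holder recovers the same secret."""
    n, d = server_private
    return pow(wrapped, d, n).to_bytes(16, "big")

def derive_keys(secret):
    """Separate keys for encryption and integrity, both from the shared secret."""
    return (hashlib.sha256(b"enc" + secret).digest(),
            hashlib.sha256(b"mac" + secret).digest())

def keystream_xor(key, seq, data):
    """Toy fast symmetric cipher: XOR with a SHA-256 counter keystream."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + seq.to_bytes(8, "big") + off.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], pad))
    return bytes(out)

def seal(secret, seq, plaintext):
    """Encrypt then MAC one record; seq must never repeat under the same secret."""
    enc_key, mac_key = derive_keys(secret)
    body = keystream_xor(enc_key, seq, plaintext)
    tag = hmac.new(mac_key, seq.to_bytes(8, "big") + body, hashlib.sha256).digest()
    return body + tag

def open_record(secret, seq, record):
    """Return the plaintext, or None if the record was modified in transit."""
    enc_key, mac_key = derive_keys(secret)
    body, tag = record[:-32], record[-32:]
    expected = hmac.new(mac_key, seq.to_bytes(8, "big") + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return keystream_xor(enc_key, seq, body)

# Constructed toy server key (Mersenne primes); assumed already authenticated
# through the server's certificate chain.
SERVER_PUB, SERVER_PRIV = make_keypair(2**107 - 1, 2**127 - 1)

def run_session(payload):
    """One client-to-server record, plus the same record with one bit flipped."""
    client_secret, wrapped = wrap_session_key(SERVER_PUB)
    server_secret = unwrap_session_key(wrapped, SERVER_PRIV)
    record = seal(client_secret, 0, payload)
    tampered = record[:5] + bytes([record[5] ^ 1]) + record[6:]
    return {"keys_match": client_secret == server_secret,
            "received": open_record(server_secret, 0, record),
            "tampered": open_record(server_secret, 0, tampered),
            "ciphertext_differs": record[:len(payload)] != payload}

if __name__ == "__main__":
    print(run_session(b"bulk session data " * 100)["keys_match"])
```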



HTTPS: HTTP over TLS or SSL

[Diagram: Browser (e.g. Firefox) connected to Web Server (e.g. Apache)]

Many commercial applications work this way

Your browser keeps a list of root certs (Verisign, etc.)

These companies control the verification of secure connections you make on the Web!

If someone can get a bogus cert for google.com or microsoft.com, that’s a big deal!

Some Cert Authorities (CAs) aren’t nearly careful enough when issuing certs

News Reports on Lax CA Administration

2015: http://arstechnica.com/security/2015/03/google-warns-of-unauthorized-tls-certificates-trusted-by-almost-all-oses/

2011: http://www.theregister.co.uk/2011/04/11/state_of_ssl_analysis/


The Web itself is a 2 or 3 Tier system

[Diagram: Browser (e.g. Firefox) → Proxy Cache (e.g. Squid) → Web Server (e.g. Apache)]

HTTP CONNECT header used to make proxy transparent to TLS…benefits of proxy are lost!

A malicious proxy with a trusted cert can implement “man-in-the-middle” attacks


Trust


What must be trusted?

[Diagram: Data → Encryption Function → Encrypted Data → Decryption Function → Data]

Storage and filesystem for data in the clear at source

Encryption software and OS on which it runs

The compiler and linker used to build the OS & encryption (per K. Thompson)

Key store at source

The CPU, device HW and microcode used to run the system

All the equivalent at the receiver


Trust is a key system design issue

Always consider: what/who is being trusted?

What is the consequence if trust is misplaced?

Can we tell if trust is misplaced?
– Reflections on Trusting Trust tells us “it’s at best really hard to be sure”

Can we change our minds (revoke trust)?

Watch for:
– Any place where information is stored “in the clear”
– Any place where “capabilities” are stored or given out
– Note that keys are a kind of capability


Some actual attacks that have worked

Freezing (i.e. chilling) RAM chips to retain data after power down

Timing attack: SSH password cracking facilitated by keystroke timing

Timing attack: SSL private keys revealed!!
– Demonstrated on production Web servers*

Rootkits, bootkits & VM attacks

* SSL timing paper: http://crypto.stanford.edu/~dabo/papers/ssl-timing.pdf


A Bit about Operating Systems and Virtual Machines

Operating Systems and Virtual Machines

[Diagram: Unix Kernel with Application, Filesystem, In-memory Block Cache, Block Device Driver, Raw Device Driver and TTY Driver; disk Sectors]

[Diagram: Virtual Machine “Hypervisor” with Disk virtualization, Network virtualization, Display Virtualization and Memory virtualization; disk Sector]

[Diagram: the Unix Kernel stack combined with the Virtual Machine “Hypervisor” and its disk, network, display and memory virtualization]

[Diagram: two Unix Kernel stacks together with the Virtual Machine “Hypervisor”]

The Virtual Machine “Hypervisor” provides the illusion of a complete CPU + memory + I/O to each virtual machine

Virtual Machines and Trust

[Diagram: two Unix Kernel stacks together with the Virtual Machine “Hypervisor”]

The Hypervisor has access to all resources of the VMs, including RAM, disk, running program images, etc.

…Experimental exploits have been implemented as hypervisors

Operating Systems and Virtual Machines

Timing attacks have been attempted across VMs.


Summary


Typical security mechanisms are built on core technologies like simple encryption & PKI

Those are just building blocks: security must be considered in all aspects of system design

Abstractions leak: (computation can be timed, etc.)

Many vulnerabilities are operational, not technical

There are serious vulnerabilities in the Internet infrastructure and the Web – it’s not entirely clear how severe the consequences will be