DISTRIBUTED SYSTEMS
Principles and Paradigms
Second Edition
ANDREW S. TANENBAUM
MAARTEN VAN STEEN

Chapter 9
Security

Security Threats
Types of security threats to consider:
• Interception
• Interruption
• Modification
• Fabrication
• Replay
• Reflection

Security Mechanisms
Types of security mechanisms used in controls:
• Encryption
• Identification and Authentication
• Authorization
• Auditing

Example: The Globus Security Architecture (1)
1. The environment consists of multiple administrative domains.
2. Local operations are subject to a local domain security policy only.
3. Global operations require the initiator to be known in each domain where the operation is carried out.

Example: The Globus Security Architecture (2)
1. Operations between entities in different domains require mutual authentication.
2. Global authentication replaces local authentication.
3. Controlling access to resources is subject to local security only.
4. Users can delegate rights to processes.
5. A group of processes in the same domain can share credentials.

Example: The Globus Security Architecture (2)
Figure 9-1. The Globus security architecture.

Focus of Control (1)
• Checking: syntactic, semantic
• Focus: consistency
Figure 9-2. Three approaches for protection against security threats. (a) Protection against invalid operations.

Focus of Control (2)
• Access control at invocation level
• Prevent legit users from unauthorized actions
Figure 9-2. Three approaches for protection against security threats. (b) Protection against unauthorized invocations.

Focus of Control (3)
• Access control at application access level
• Prevent illegit users from any access, legit users from access to unauthorized applications
Figure 9-2. Three approaches for protection against security threats. (c) Protection against unauthorized users.
Layering of Security Mechanisms (1)
Figure labels, one per layer:
• confidentiality, integrity, authentication, audit
• confidentiality, integrity, authentication
• confidentiality, integrity
• confidentiality
TCB = Trusted computing base – components needed to enforce security policy
Figure 9-3. The logical organization of a distributed system into several layers.

Layering of Security Mechanisms (2)
H/W device in-line = “dongle”
Figure 9-4. Several sites connected through a wide-area backbone service (Switched Multi-megabit Data Services).

Distribution of Security Mechanisms
Minimize services, utilities on servers
Figure 9-5. The principle of RISSC (Reduced Interfaces for Secure Systems Components) as applied to secure distributed systems.

Cryptography (1)
Figure labels: encryption; hash; hash key; signing key; integrity checking; authentication; verification key
Figure 9-6. Intruders and eavesdroppers in communication.

Cryptography (2)
Figure labels: encryption to A; verification of A; decryption by A; signing by A
Figure 9-7. Notation used in this chapter.

Cryptography Basics
Types of information hiding:
• Ciphers – scramble data so attacker cannot get meaning, but knows it is there
• Codes – substitute codewords for significant words or phrases
• Steganography – hide embedded message in a cover object so no one knows it's there
Two types of cryptography:
• Symmetric ciphers – same key used for encryption and decryption
• Asymmetric ciphers – public key cryptography, two keys – one kept secret, the other made public

Symmetric Encryption
Two types of symmetric cipher:
• Block ciphers – encrypt fixed-size blocks
• Stream ciphers – encrypt symbols on the fly
Two basic approaches:
• Substitution ciphers – replace occurrences of one symbol with another symbol
• Transposition ciphers – shuffle symbols in a message around without changing them
Product cipher:
• compose multiple ciphers; can be much more powerful (esp. substitution and transposition)

Symmetric Cryptosystems: DES (1)
Figure 9-8. (a) The principle of DES.
Symmetric Cryptosystems: DES (2)
Feistel structure:
• f does not have to be invertible
• f uses substitution and permutation internally
Figure 9-8. (b) Outline of one encryption round.

Symmetric Cryptosystems: DES (3)
Figure 9-9. Details of per-round key generation in DES.

Block Cipher Modes
NIST defines several block cipher modes:
• ECB – electronic code book: blocks are encrypted independently
• CBC – cipher block chaining: plaintext block is XORed with previous ciphertext block before applying block encryption
• OFB – output feedback: use block cipher to generate stream keys, XOR with plaintext
• CFB – cipher feedback: like OFB except use earlier ciphertext in stream key generation
• CTR – counter: generate stream keys by encrypting counter values

Public-Key Cryptosystems: RSA
Generating the private and public keys requires four steps:
• Choose two very large prime numbers, p and q.
• Compute n = p × q and z = (p − 1) × (q − 1).
• Choose a number d that is relatively prime to z.
• Compute the number e such that e × d = 1 mod z.

Public-Key Cryptosystems: RSA
Encryption and decryption:
• To encrypt message m < n: $c = m^e \bmod n$
• To decrypt ciphertext c: $m = c^d \bmod n = (m^e)^d \bmod n = m^{ed} \bmod n = m^1 \bmod n = m$
• Number theory based on Fermat's theorem and Euler totient function

Public Key Crypto and Hashes
Asymmetric crypto is versatile
• Encrypt with public key for confidentiality
  – Anyone can encrypt with public key
  – Only holder of private key can decrypt
• Encrypt with private key for authenticity
  – Only holder of private key can sign
  – Anyone with public key can verify signature
But asymmetric crypto is very slow
• Large integer arithmetic (100's to 1000's of bits per operand) – must be done in software
• (Lack of) speed makes it undesirable for bulk encryption, signing large objects
• Use with symmetric crypto and hashes

Hash Functions: MD5 (1)
Figure 9-10. The structure of MD5.
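The four key-generation steps and the encrypt/decrypt formulas from the RSA slides, carried through in code, together with the "sign a digest with the private key" use from the Public Key Crypto and Hashes slide. This is an added example, not code from the slides or the textbook; the function names and the toy primes are constructed for illustration, and it is textbook RSA without the padding that the PKCS standards specify.

```python
import hashlib
from math import gcd

def rsa_keygen(p, q, d):
    """Slide steps 2-4: return (n, z, e) for primes p, q and a chosen d."""
    n, z = p * q, (p - 1) * (q - 1)
    if gcd(d, z) != 1:
        raise ValueError("d must be relatively prime to z")
    e = pow(d, -1, z)          # e * d = 1 mod z (modular inverse, Python 3.8+)
    return n, z, e

def encrypt(m, e, n):
    """c = m^e mod n; the slide's precondition m < n is enforced."""
    if not 0 <= m < n:
        raise ValueError("message must satisfy 0 <= m < n")
    return pow(m, e, n)

def decrypt(c, d, n):
    """m = c^d mod n."""
    return pow(c, d, n)

def digest(message, n):
    # Reduce SHA-256 into [0, n) so it fits the toy modulus (assumption of
    # this example; real schemes sign a padded, full-length digest).
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(message, d, n):
    """Signature = digest raised to the private exponent d."""
    return pow(digest(message, n), d, n)

def verify(message, signature, e, n):
    """Anyone holding the public pair (e, n) can check the signature."""
    return pow(signature, e, n) == digest(message, n)

if __name__ == "__main__":
    # Constructed toy parameters; real keys use primes of 1024+ bits each.
    p, q, d = 61, 53, 2753
    n, z, e = rsa_keygen(p, q, d)
    c = encrypt(65, e, n)
    print(f"n={n} z={z} e={e} c={c} m={decrypt(c, d, n)}")
    s = sign(b"pay Bob 10", d, n)
    print("signature valid:", verify(b"pay Bob 10", s, e, n))
```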
Roles of Crypto Mechanisms
• Symmetric cryptography: bulk encryption, weak authentication, integrity
• Asymmetric cryptography: key distribution, strong authentication, non-repudiation, small payload encryption
• Cryptographic hashes: authentication, integrity, non-repudiation, can be used to generate key stream for encryption

Authentication Based on a Shared Secret Key (1)
Can you figure out how this protocol can be defeated?
Figure 9-12. Authentication based on a shared secret key.

Authentication Based on a Shared Secret Key (2)
Does this protocol suffer from the same flaw as the previous one? How to fix this?
Figure 9-13. Authentication based on a shared secret key, but using three instead of five messages.

Authentication Based on a Shared Secret Key (3)
Something to watch out for: encryption/decryption oracles
Figure 9-14. The reflection attack.

Fixing the challenge-response authentication protocol
• Bind message numbers to messages
  – doesn't work with 3-message protocol
• Asymmetric challenges
  – partition challenge space into one for initiator, one for responder
• Distribute session key with authentication
  – ensure only principal with authentication key can obtain session key – authentication by itself does little good

Authentication Using a Key Distribution Center (1)
Figure 9-15. The principle of using a KDC.

Authentication Using a Key Distribution Center (2)
• Kerberos approach
• Helps security, scaling, etc.
Figure 9-16. Using a ticket and letting Alice set up a connection to Bob.

Authentication Using a Key Distribution Center (3)
Figure 9-17. The Needham-Schroeder authentication protocol.

Attacking the Needham-Schroeder authentication protocol
• Bob receives nothing that he knows is fresh
• Attacker can replay old key distribution msg
  – looks the same as a new one to Bob

Authentication Using a Key Distribution Center (4)
Figure 9-18. Protection against malicious reuse of a previously generated session key in the Needham-Schroeder protocol.
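The three-message protocol of Figure 9-13 beside the "asymmetric challenges" fix from the slide above, simulated in one process so the oracle behaviour behind the reflection attack (Figure 9-14) and its mitigation can be checked. This is an added example, not code from the slides or the textbook; the class and function names, the "I:"/"R:" challenge tags, and the use of HMAC-SHA256 in place of K_AB(R) are assumptions of this sketch.

```python
import hashlib
import hmac
import secrets

KEY_AB = secrets.token_bytes(32)   # constructed shared secret K_AB

def keyed(key, challenge):
    # Stand-in for K_AB(R): HMAC-SHA256 replaces the slides' encryption, since
    # the protocol only needs a function that key holders alone can compute.
    return hmac.new(key, challenge, hashlib.sha256).digest()

class Responder:
    """Bob in the three-message protocol of Figure 9-13."""
    def __init__(self, key, asymmetric):
        self.key, self.asymmetric = key, asymmetric
        self.pending = {}                     # session id -> Bob's challenge

    def message1(self, sid, r_init):
        # Fix: initiator challenges must come from their own tagged space.
        if self.asymmetric and not r_init.startswith(b"I:"):
            raise ValueError("not an initiator challenge")
        r_b = (b"R:" if self.asymmetric else b"") + secrets.token_bytes(16)
        self.pending[sid] = r_b
        return r_b, keyed(self.key, r_init)   # message 2: R_B, K_AB(R_A)

    def message3(self, sid, answer):
        r_b = self.pending.pop(sid, None)
        return r_b is not None and hmac.compare_digest(answer, keyed(self.key, r_b))

def new_challenge(bob):
    return (b"I:" if bob.asymmetric else b"") + secrets.token_bytes(16)

def honest_login(bob, key):
    """Alice holds K_AB: she verifies Bob's proof, then answers his challenge."""
    r_a = new_challenge(bob)
    r_b, proof = bob.message1("alice", r_a)
    return hmac.compare_digest(proof, keyed(key, r_a)) and bob.message3("alice", keyed(key, r_b))

def reflection_succeeds(bob):
    """Figure 9-14 without the key: a second session serves as the oracle."""
    r_b, _ = bob.message1("s1", new_challenge(bob))
    for reflected in (r_b, b"I:" + r_b):      # as issued, then re-tagged
        try:
            _, answer = bob.message1("s2", reflected)
        except ValueError:
            continue
        if bob.message3("s1", answer):
            return True
    return False
```

With `asymmetric=False` the responder answers its own challenge in the second session, so the first session authenticates a party that never held the key; with `asymmetric=True` the reflected challenge is either rejected or produces a proof over a different value.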
Ensuring freshness in authentication protocols
• Goal: Defeat replay attacks
• All parties generate a (fresh) nonce
  – nonce included in (and bound to) later messages to each party
• All parties share a common time base
  – timestamp all messages
  – must ensure (reasonable) synchronization
  – must protect time base

Example: Kerberos (1)
Distribute workload, improve response time, survive partition, better protect AS
Figure 9-23. Authentication in Kerberos.

Example: Kerberos (2)
• Bob sees timestamp from Alice
• Alice sees her nonce from Bob
• What are nonces here?
• But how does Bob know ticket is fresh? Timestamp on ticket not shown here...
Figure 9-24. Setting up a secure channel in Kerberos.

Authentication Using a Key Distribution Center (5)
• Only Bob can see $R_A$
• Only Alice can see $R_B$
Figure 9-19. Mutual authentication in a public-key cryptosystem.

Digital Signatures (1)
Figure 9-20. Digital signing a message using public-key cryptography.

Digital Signatures (2)
Figure 9-21. Digitally signing a message using a message digest.

Practical use of PKC
• Signature: encrypt message digest with private key of signer
• Encryption: encrypt (bulk) message with random message key, then ...
• ... encrypt random message key with public key of recipient
• RSA Labs PKCS standards for how to do these “right” so as to avoid common mistakes

Secure Replicated Servers
(m,n)-threshold scheme used for multi-party signature
Figure 9-22. Sharing a secret signature in a group of replicated servers.

Bigger Issue: Access Control
• Confidentiality = read access; use encryption to enforce that only keyholder can read
• Integrity = write access; use identification and authentication along with access policy to allow only authorized modifications
• Availability = any kind of access; use I&A to restrict load on system to authorized users, use asymmetric challenges to minimize work on servers until client has done harder work

General Issues in Access Control
Figure 9-25. General model of controlling access to objects.
Access Control Matrix (ACM)
• Conceptual model
• Rows = subjects or domains (requesters)
• Columns = objects (being acted upon)
• Cell [i,j] contains access rights (privileges) that subject (or domain) i has to object j
• ACM is big! (1000's to millions of domains and millions of objects) and sparse (or redundant)
• In practice, use ACLs and/or capability lists

Access Control Matrix (1)
• ACL is associated with object, contains list of subject, right set pairs (s,R)
• Request must be verifiably authentic (know who requester is)
Figure 9-26. Comparison between ACLs and capabilities for protecting objects. (a) Using an ACL.

Access Control Matrix (2)
• CL is associated with subject, contains list of object, right set pairs (o,R)
• Capability must not be forgeable, may be able to delegate
Figure 9-26. Comparison between ACLs and capabilities for protecting objects. (b) Using capabilities.

Protection Domains
• RBAC – Role-Based Access Control – hierarchical rights management
• Makes management of access rights easier, more natural
Figure 9-27. The hierarchical organization of protection domains as groups of users.

Firewalls
Figure 9-28. A common implementation of a firewall.

Protecting the Target (1)
Figure 9-29. The organization of a Java sandbox.

Protecting the Target (2)
Figure 9-30. (a) A sandbox. (b) A playground.

Protecting the Target (3)
Figure 9-31. The principle of using Java object references as capabilities.

Protecting the Target (4)
Figure 9-32. The principle of stack introspection.

Key Establishment
Figure 9-33. The principle of Diffie-Hellman key exchange.

Key Distribution (1)
Figure 9-34. (a) Secret-key distribution [see also Menezes et al. (1996)].

Key Distribution (2)
Figure 9-34. (b) Public-key distribution [see also Menezes et al. (1996)].

Secure Group Management
Figure 9-35. Securely admitting a new group member P.
G = group ID, P = requester's PID, T = P's local time, RP = reply pad (generated), $K_{P,G}$ = symmetric key (generated), N = nonce (generated), $CK_G$ = G's communication key

Capabilities and Attribute Certificates (1)
Figure 9-36. A capability in Amoeba.
• Server port is machine-independent server identifier
• (SP, Object) form system-wide unique object identifier
• Check is generated by server when Object is created

Capabilities and Attribute Certificates (2)
Figure 9-37. Generation of a restricted capability from an owner capability.

Delegation (1)
Figure 9-38. The general structure of a proxy as used for delegation.

Delegation (2)
Figure 9-39. Using a proxy to delegate and prove ownership of access rights.
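How a server can issue and validate the Amoeba capabilities named in Figures 9-36 and 9-37, including why a holder cannot widen the rights of a restricted capability. This is an added example, not code from the slides or from Amoeba; it follows the Amoeba scheme (8-bit rights, 48-bit check, restricted check = f(C XOR rights)), while the class name, the READ/WRITE bit assignments and the truncated SHA-256 used for the one-way function f are assumptions of this sketch.

```python
import hashlib
import secrets
from collections import namedtuple

Capability = namedtuple("Capability", "port obj rights check")
ALL_RIGHTS = 0xFF            # owner capability: every bit of the rights field set
READ, WRITE = 0x01, 0x02     # hypothetical bit assignments for this example

def one_way(value):
    # f from Figure 9-37; SHA-256 truncated to 48 bits is this example's choice.
    return int.from_bytes(hashlib.sha256(value.to_bytes(6, "big")).digest()[:6], "big")

class ObjectServer:
    def __init__(self, port):
        self.port = port
        self.checks = {}                 # object number -> secret check C

    def create(self, obj):
        """Check is generated by the server when the object is created."""
        self.checks[obj] = secrets.randbits(48)
        return Capability(self.port, obj, ALL_RIGHTS, self.checks[obj])

    def allows(self, cap, needed):
        """Validate a presented capability, then test the requested rights."""
        c = self.checks.get(cap.obj)
        if cap.port != self.port or c is None:
            return False
        # Owner capability carries C itself; any other carries f(C XOR rights).
        expected = c if cap.rights == ALL_RIGHTS else one_way(c ^ cap.rights)
        return cap.check == expected and (cap.rights & needed) == needed

    def restrict(self, owner_cap, new_rights):
        """Derive a restricted capability; only the owner capability qualifies."""
        if owner_cap.rights != ALL_RIGHTS or not self.allows(owner_cap, 0):
            raise PermissionError("owner capability required")
        if not 0 <= new_rights < ALL_RIGHTS:
            raise ValueError("restricted rights must clear at least one bit")
        check = one_way(self.checks[owner_cap.obj] ^ new_rights)
        return owner_cap._replace(rights=new_rights, check=check)

if __name__ == "__main__":
    server = ObjectServer(port=0xABC)    # constructed port and object numbers
    owner = server.create(obj=7)
    read_only = server.restrict(owner, READ)
    widened = read_only._replace(rights=READ | WRITE)   # tampered rights field
    print(server.allows(read_only, READ), server.allows(widened, WRITE))
```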