Security and Authentication
CS-4513, D-Term 2007 1
Security and Authentication (continued)
CS-4513, D-Term 2007
(Slides include materials from Operating System Concepts, 7th ed., by Silberschatz, Galvin, & Gagne, Modern Operating Systems, 2nd ed., by Tanenbaum, and Distributed Systems: Principles & Paradigms, 2nd ed., by Tanenbaum and Van Steen)
Review
• Authentication
  – How to identify someone
  – How to establish that they are who they say they are
• Fundamental to establishing authority in Distributed Systems
• Everything else is based on trust that the person or agent doing something has the authority to do it
• Threats
  – Masquerading as someone else
  – Intercepting / corrupting communications
Review (continued)
• Passwords
  – Easy to steal
  – Easy to guess or “crack”
• Human frailties
  – Errors
  – Dilemmas (“social engineering”)
Video
Reading Assignments
• Allman, Eric, “E-mail Authentication: What? Why? How?,” ACM Queue, November 2006, pp. 30-34.
• One of
  – Tanenbaum, MOS, Chapter 9
  – Silberschatz, OSP, Chapters 14-15
  – Tanenbaum & van Steen, Chapter 9
Fun with Cryptography
• What is cryptography about?
• General Principles of Cryptography
• Basic Protocols
  – Single-key cryptography
  – Public-key cryptography
• A short intro to key distribution
Cryptography as a Security Tool
• Broadest security tool available
  – Fundamental foundation for secure storage and communication
  – Basis for establishing trust
  – Means to constrain potential senders (sources) and / or receivers (destinations) of messages
  – Means to detect/prevent intrusion or corruption
  – (Cannot prevent denial of service attacks)
Principles
• Cryptography is about the exchange of messages
• The key to success is that all parties to an exchange trust that the system will both protect them from threats and accurately convey their message
• TRUST is essential
Note
• Data storage is just another means of communication
• Writing data ⇒ Sending message
• Reading data ⇒ Receiving message
  – Perhaps much, much later!
• Integrity of data ⇒ Integrity of message
Basic Premise of Cryptography
• Algorithms are (usually) public
  – Orders of magnitude easier to compute in forward (normal) direction than in reverse (attack) direction
• Keys are always secret
  – Enough bits to prevent trying all key values
• Key management is a very big deal
  – Heart of all successful cryptographic systems
Conventional Wisdom
• Algorithms must be public and verifiable
• We need to be able to estimate the risk of compromise
• The solution must be practical for its users, and impractical for an attacker to break
Public Policy Dilemma
• Algorithm intended to be a public standard must be subject to scrutiny of its users
• I.e., banks, industry, commerce, etc.
• To establish trust that it is good enough!
• Any algorithm good enough to protect billions of $$ of funds & commerce will be too hard for governments to penetrate!
• Crime, terrorism, etc.
Ergo …
• Governments tend to use secret encryption methods and algorithms for the most secure communications
• Sometimes, confidence in such algorithms is misplaced!
History
• Most secret algorithms have been broken
  – Prior to computing age, at least
• Vulnerabilities
  – Redundancy in human languages
  – Repeatability or lack of randomness in algorithm
  – Repeatability or lack of randomness in keys
Guidelines
• Cryptography is always based on algorithms which are orders of magnitude easier to compute in the forward (normal) direction than in the reverse (attack) direction.
• The attacker’s problem is never harder than trying all possible keys
• The more material the attacker has the easier his task
Example
• What is 314159265358979 × 314159265358979?
vs.
• What are prime factors of 3912571506419387090594828508241?
Caveat
• We cannot mathematically PROVE that the inverse operations are really as hard as they seem to be…
• It is all relative…
The Fundamental Tenet of Cryptography:
If lots of smart people have failed to solve a problem, it won’t be solved (soon)
Time marches on…
• We must assume that there will always be improvements in computational power, mathematics and algorithms.
  – Messages which hang around get less secure with time!
• Increases in computing power help the good guys and hurt the bad guys for new and short-lived messages
Two fundamental approaches
• Symmetric
  – Sender and receiver must share the key
• Asymmetric
  – Keys are paired
  – Sender uses one, receiver uses its mate
Two fundamental approaches
• Symmetric
  – Sender and receiver must share the key
  – There must be a secure way to get key from one to the other
• Asymmetric
  – Keys are paired
  – Sender uses one, receiver uses its mate
  – There must be a secure way to get key from one to the other
Secret key cryptography (Symmetric)
[Diagram: Cleartext T → f(T, K) → Cyphertext C → g(C, K) → Cleartext T, with the same key K used at both ends]
Secret Key Methods
• DES (56 bit key)
• IDEA (128 bit key)
  – http://www.mediacrypt.com/community/index.asp
• Triple DES (three 56 bit keys)
• AES
  – From NIST, 2000
  – Choice of key sizes up to 256 bits and more
  – Commercial implementations available
Reducing the Vulnerability
• Minimize the amount of information encrypted with shared key K
• Use K to encrypt a random number to obtain a session key
• I.e., used for one connection, conversation, exchange, etc.
• Discarded when channel is ended.
Diffie – Hellman
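Alice and Bob agree on $p$, $g$
• Alice: choose random $A$, send $T_A = g^A \bmod p$ to Bob
• Bob: choose random $B$, send $T_B = g^B \bmod p$ to Alice
• Alice: compute $(T_B)^A \bmod p$
• Bob: compute $(T_A)^B \bmod p$
• Shared secret key for this session is $g^{AB} \bmod p$ (the shared key!)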
D–H Problems
• Not in itself an encryption method – we must still do a secret key encryption
• The body of the message
• Still must distribute the shared key safely
• Subject to a “man in the middle” attack
  – (Alice thinks she is talking to Bob, but actually Trudy is intercepting all of the messages and substituting her own)
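The Diffie-Hellman exchange and its “man in the middle” weakness, as an added Python example that is not part of the original slides. The toy 64-bit prime, the generator 5, and the pre-shared HMAC key used to authenticate the exchanged values are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

# Toy public parameters (constructed; real groups use primes of 2048 bits or more).
P = 0xFFFFFFFFFFFFFFC5   # 2**64 - 59, a prime
G = 5

def dh_keypair():
    """Pick a random private exponent; return (private, public = G^private mod P)."""
    private = secrets.randbelow(P - 3) + 2
    return private, pow(G, private, P)

def dh_shared(their_public, my_private):
    """Compute (their_public)^my_private mod P, i.e. g^(AB) mod p."""
    return pow(their_public, my_private, P)

def tag(auth_key, sender, public):
    """HMAC over sender name and public value, so a substituted value is detectable."""
    return hmac.new(auth_key, f"{sender}:{public}".encode(), hashlib.sha256).digest()

def exchange(intercept=False, auth_key=None):
    """Run one Alice/Bob exchange; optionally Trudy replaces both public values.
    Returns (alice_key, bob_key, trudy_keys, accepted)."""
    a, ta = dh_keypair()
    b, tb = dh_keypair()
    tag_a = tag(auth_key, "alice", ta) if auth_key else None
    tag_b = tag(auth_key, "bob", tb) if auth_key else None
    seen_by_bob, seen_by_alice, trudy_keys = ta, tb, None
    if intercept:
        t, tt = dh_keypair()                 # Trudy's own exponent and public value
        seen_by_bob = seen_by_alice = tt     # substituted in both directions
        trudy_keys = (dh_shared(ta, t), dh_shared(tb, t))
    accepted = True
    if auth_key:                             # each side checks the tag it received
        accepted = (hmac.compare_digest(tag_a, tag(auth_key, "alice", seen_by_bob)) and
                    hmac.compare_digest(tag_b, tag(auth_key, "bob", seen_by_alice)))
    return dh_shared(seen_by_alice, a), dh_shared(seen_by_bob, b), trudy_keys, accepted
```

Without `auth_key` both sides accept and Trudy holds the key each of them computed; with it, the substituted values fail verification.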
Questions about Secret Key Methods?
RSA Public Key Cryptography (Asymmetric Keys)
[Diagram: Cleartext T → f() with Key #1 → Cyphertext C → f() with Key #2 → Cleartext T]
Key #1 can be either a Public Key or a Private Key. Key #2 is then the corresponding Private Key or Public Key.
RSA Public Key Cryptography
• Rivest, Shamir and Adleman (1978)
• I can send messages that only you can read
• I can verify that you and only you could have sent a message
• I can use a trusted authority to distribute my public key
  – The trusted authority is for your benefit!
RSA Details
• Uses same operation to encrypt and decrypt
• To encrypt, we will use “e” as a key, to decrypt we will use “d” as a key
• e and d are inverses with respect to the chosen algorithm
RSA Details (continued)
• Based on mathematical premise that finding prime factors of large numbers is difficult computationally
• No known solution despite 100’s of years of trying!
• Note: Finding primes is also hard
RSA Details (continued)
• Let $p$ and $q$ be two large primes
  – 500-700 bits in length
• Let $n = p \times q$
• Let $z = (p - 1) \times (q - 1)$
• Choose $d$ to be relatively prime to $z$
• Choose $e$ such that $d \times e = 1 \bmod z$
• Publish $n$ and either $d$ or $e$ (but not both!)
RSA Details (continued)
• Encryption: $\text{Cyphertext} = (\text{Cleartext})^e \bmod n$
• Decryption: $\text{Cleartext} = (\text{Cyphertext})^d \bmod n$
• Typical $d$ will be on the order of 500 to 700 bits
• The cost of the algorithm is between 1 and 2 × the size of $n$
  – Each operation is a giant shift and add (multiply by a power of 2)
RSA Details (continued)
• References
  – Tanenbaum & van Steen, §9.1.3
  – Silberschatz, §15.4.1.2
RSA Problems
• It is computationally much more costly than typical secret-key methods
• Impractical to use for message encryption
  – Use RSA to encrypt a random session key
  – Encrypt the message with the session key and append/prefix the RSA encrypted key
• Requires a “Public Key Infrastructure” for effective key generation and distribution
• Chain of trust thing again!
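The key-generation steps from “RSA Details” combined with the session-key approach from “RSA Problems”, as an added Python example that is not part of the original slides. The toy primes, the unpadded textbook RSA operation, and the SHA-256 keystream standing in for a secret-key cipher are assumptions for illustration only.

```python
import hashlib
import math
import secrets

def make_keys(p, q):
    """Follow the slides: n = p*q, z = (p-1)(q-1), d coprime to z, d*e = 1 mod z."""
    n, z = p * q, (p - 1) * (q - 1)
    d = next(c for c in range(z // 2, z) if math.gcd(c, z) == 1)
    e = pow(d, -1, z)            # modular inverse (Python 3.8+)
    return n, e, d

def rsa(value, key, n):
    """Same operation for encryption and decryption: value^key mod n."""
    return pow(value, key, n)

def keystream_xor(session_key, data):
    """Stand-in secret-key cipher: XOR with a SHA-256 counter keystream."""
    out = bytearray()
    for i in range(0, len(data), 32):
        seed = session_key.to_bytes(16, "big") + i.to_bytes(8, "big")
        block = hashlib.sha256(seed).digest()
        out += bytes(x ^ y for x, y in zip(data[i:i + 32], block))
    return bytes(out)

def hybrid_encrypt(message, e, n):
    """RSA-encrypt a random session key; encrypt the message with the session key."""
    session_key = secrets.randbelow(n - 2) + 2
    return rsa(session_key, e, n), keystream_xor(session_key, message)

def hybrid_decrypt(wrapped_key, body, d, n):
    """Recover the session key with the other RSA key, then decrypt the body."""
    return keystream_xor(rsa(wrapped_key, d, n), body)

# Constructed toy primes (2**31 - 1 and 2**61 - 1); the slides call for 500-700 bits.
N, E, D = make_keys(2_147_483_647, 2_305_843_009_213_693_951)
```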
Questions about Public Key Encryption?
Authentication using Secure Channels
Authentication using Secure Channels
At this point, Bob knows he is talking with Alice
Authentication using Secure Channels
At this point, Bob knows he is talking with Alice
Not until this point, does Alice know she is talking with Bob
What is wrong with this “Optimization”?
Subject to “Reflection Attack”
• Attacker cons Bob into encrypting $R_B$ for him
• “Reflection” attack
Reflection Attack
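The reflection problem in the shortened challenge-response exchange, with a hardened variant beside it, as an added Python example that is not part of the original slides. The three-message layout ($R_A$; then $R_B$ with $K(R_A)$; then $K(R_B)$), the use of HMAC for $K(\cdot)$, and the role labels used as the fix are assumptions, since the slide figures are not reproduced here.

```python
import hashlib
import hmac
import secrets

def respond(key, challenge, label=b""):
    """K(R): keyed proof over a challenge; `label` optionally binds the sender's role."""
    return hmac.new(key, label + challenge, hashlib.sha256).digest()

class Bob:
    """Responder in the three-message exchange. bind_role=True is the hardened variant."""
    def __init__(self, key, bind_role=False):
        self.key, self.bind_role, self.sessions = key, bind_role, {}

    def _label(self, role):
        return role if self.bind_role else b""

    def hello(self, session_id, challenge_from_peer):
        """Messages 1 -> 2: receive R_A, return (R_B, K(R_A))."""
        r_b = secrets.token_bytes(16)
        self.sessions[session_id] = r_b
        return r_b, respond(self.key, challenge_from_peer, self._label(b"bob"))

    def finish(self, session_id, proof):
        """Message 3: accept the peer only if it returns a valid K(R_B)."""
        r_b = self.sessions.pop(session_id)
        expected = respond(self.key, r_b, self._label(b"alice"))
        return hmac.compare_digest(proof, expected)

def reflect(bob):
    """A peer without the key opens a second session so Bob answers his own R_B."""
    r_b, _ = bob.hello(1, secrets.token_bytes(16))   # session 1: Bob issues R_B
    _, proof = bob.hello(2, r_b)                     # session 2: R_B returned as challenge
    return bob.finish(1, proof)                      # Bob's own K(R_B) sent to session 1

def honest_alice(bob, key):
    """A peer that holds the shared key completes the exchange normally."""
    r_a = secrets.token_bytes(16)
    r_b, proof_b = bob.hello(1, r_a)
    assert hmac.compare_digest(proof_b, respond(key, r_a, bob._label(b"bob")))
    return bob.finish(1, respond(key, r_b, bob._label(b"alice")))
```

With role binding enabled, a proof produced by Bob is never valid as a proof from Alice, so the reflected value is rejected while the honest exchange still succeeds.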
Key Distribution Server
• Alice requests secure channel to Bob
• KDC generates session key $K_{A,B}$
• KDC sends secure messages to both Alice and Bob containing $K_{A,B}$
Key Distribution Server (continued)
• Alice requests secure channel to Bob
• KDC generates session key $K_{A,B}$ and ticket to speak with Bob
• Alice uses ticket to contact Bob
Needham-Schroeder Protocol
• Nonce – a random number that is never re-used
  – E.g., $R_{A1}$, $R_{A2}$, and $R_B$
• Prevents intruder from replaying old tickets
Kerberos
• Single sign-on system
  – One login used to generate tickets for authenticating shared services on distributed system
• No passwords maintained by any client
• Two parts
  – AS – Authentication Service
  – TGS – Ticket Granting Service
• Once authenticated, user may ask TGS for a ticket for a session with any service.
Kerberos (continued)
Kerberos (continued)
• With ticket, Alice can communicate securely with Bob.
• Alice knows it is Bob because only Bob could decrypt the ticket
• Bob knows that it is Alice because TGS said it was
• Timestamp prevents replaying old sessions
Key Distribution
• Many variations
  – Secret (symmetric) keys
  – Public (asymmetric) keys
• Always based on trust
• Central part of any distributed system that requires authentication
Questions?