im ntu distributed information systems 2004 security -- 1 security yih-kuen tsay dept. of...
TRANSCRIPT
![Page 1: IM NTU Distributed Information Systems 2004 Security -- 1 Security Yih-Kuen Tsay Dept. of Information Management National Taiwan University](https://reader036.vdocuments.us/reader036/viewer/2022062517/56649f185503460f94c2ef39/html5/thumbnails/1.jpg)
IM NTUIM NTU
Distributed Information Systems Distributed Information Systems 20042004 SecuritySecurity -- -- 11
Security
Yih-Kuen Tsay
Dept. of Information Management
National Taiwan University
![Page 2: IM NTU Distributed Information Systems 2004 Security -- 1 Security Yih-Kuen Tsay Dept. of Information Management National Taiwan University](https://reader036.vdocuments.us/reader036/viewer/2022062517/56649f185503460f94c2ef39/html5/thumbnails/2.jpg)
IM NTUIM NTU
Distributed Information Systems Distributed Information Systems 20042004 SecuritySecurity -- -- 22
Introduction
• Security Needs– Secrecy, integrity, etc.– Arise from the desire to share resources
• Security Policies– Specify who are authorized to access what resources– Independent of the technology used
• Security Mechanisms– Enforce security policies
• Security Models– Help understand and analyze the above
![Page 3: IM NTU Distributed Information Systems 2004 Security -- 1 Security Yih-Kuen Tsay Dept. of Information Management National Taiwan University](https://reader036.vdocuments.us/reader036/viewer/2022062517/56649f185503460f94c2ef39/html5/thumbnails/3.jpg)
IM NTUIM NTU
Distributed Information Systems Distributed Information Systems 20042004 SecuritySecurity -- -- 33
Source: G. Coulouris et al., Distributed Systems: Concepts and Design, Third Edition.
The Evolution of Security Needs
![Page 4: IM NTU Distributed Information Systems 2004 Security -- 1 Security Yih-Kuen Tsay Dept. of Information Management National Taiwan University](https://reader036.vdocuments.us/reader036/viewer/2022062517/56649f185503460f94c2ef39/html5/thumbnails/4.jpg)
IM NTUIM NTU
Distributed Information Systems Distributed Information Systems 20042004 SecuritySecurity -- -- 44
Source: G. Coulouris et al., Distributed Systems: Concepts and Design, Third Edition.
Components of a Security Model
![Page 5: IM NTU Distributed Information Systems 2004 Security -- 1 Security Yih-Kuen Tsay Dept. of Information Management National Taiwan University](https://reader036.vdocuments.us/reader036/viewer/2022062517/56649f185503460f94c2ef39/html5/thumbnails/5.jpg)
IM NTUIM NTU
Distributed Information Systems Distributed Information Systems 20042004 SecuritySecurity -- -- 55
Source: G. Coulouris et al., Distributed Systems: Concepts and Design, Third Edition.
The Enemy in Network Security
![Page 6: IM NTU Distributed Information Systems 2004 Security -- 1 Security Yih-Kuen Tsay Dept. of Information Management National Taiwan University](https://reader036.vdocuments.us/reader036/viewer/2022062517/56649f185503460f94c2ef39/html5/thumbnails/6.jpg)
IM NTUIM NTU
Distributed Information Systems Distributed Information Systems 20042004 SecuritySecurity -- -- 66
Source: G. Coulouris et al., Distributed Systems: Concepts and Design, Third Edition.
Familiar Names in the Security Literature
![Page 7: IM NTU Distributed Information Systems 2004 Security -- 1 Security Yih-Kuen Tsay Dept. of Information Management National Taiwan University](https://reader036.vdocuments.us/reader036/viewer/2022062517/56649f185503460f94c2ef39/html5/thumbnails/7.jpg)
IM NTUIM NTU
Distributed Information Systems Distributed Information Systems 20042004 SecuritySecurity -- -- 77
Classes of Security Threats
• Leakage– Acquisition of information by unauthorized
parties
• Tampering (Modification)– Unauthorized alteration of information
• Vandalism– Interference with the proper operation without
gain to the perpetrator
![Page 8: IM NTU Distributed Information Systems 2004 Security -- 1 Security Yih-Kuen Tsay Dept. of Information Management National Taiwan University](https://reader036.vdocuments.us/reader036/viewer/2022062517/56649f185503460f94c2ef39/html5/thumbnails/8.jpg)
IM NTUIM NTU
Distributed Information Systems Distributed Information Systems 20042004 SecuritySecurity -- -- 88
Methods of Attack
• Eavesdropping– Release of message contents and traffic
analysis
• Masquerading• Message Tampering (Modification)
– Man-in-the-middle attack
• Replaying• Denial of Service• Mobile Code
![Page 9: IM NTU Distributed Information Systems 2004 Security -- 1 Security Yih-Kuen Tsay Dept. of Information Management National Taiwan University](https://reader036.vdocuments.us/reader036/viewer/2022062517/56649f185503460f94c2ef39/html5/thumbnails/9.jpg)
IM NTUIM NTU
Distributed Information Systems Distributed Information Systems 20042004 SecuritySecurity -- -- 99
Designing Secure Systems
• Use best standards available
• Informal analysis and checks
• Formal validation
• Security logs and auditing
![Page 10: IM NTU Distributed Information Systems 2004 Security -- 1 Security Yih-Kuen Tsay Dept. of Information Management National Taiwan University](https://reader036.vdocuments.us/reader036/viewer/2022062517/56649f185503460f94c2ef39/html5/thumbnails/10.jpg)
IM NTUIM NTU
Distributed Information Systems Distributed Information Systems 20042004 SecuritySecurity -- -- 1010
Security Requirements
• Secrecy (Confidentiality)
• Data Integrity
• Authentication
• Non-repudiation
• Availability
• …
![Page 11: IM NTU Distributed Information Systems 2004 Security -- 1 Security Yih-Kuen Tsay Dept. of Information Management National Taiwan University](https://reader036.vdocuments.us/reader036/viewer/2022062517/56649f185503460f94c2ef39/html5/thumbnails/11.jpg)
IM NTUIM NTU
Distributed Information Systems Distributed Information Systems 20042004 SecuritySecurity -- -- 1111
Source: W. Stallings, “Cryptography and Network Security”
The Secret-Key Encryption Model
![Page 12: IM NTU Distributed Information Systems 2004 Security -- 1 Security Yih-Kuen Tsay Dept. of Information Management National Taiwan University](https://reader036.vdocuments.us/reader036/viewer/2022062517/56649f185503460f94c2ef39/html5/thumbnails/12.jpg)
IM NTUIM NTU
Distributed Information Systems Distributed Information Systems 20042004 SecuritySecurity -- -- 1212
Source: W. Stallings, “Cryptography and Network Security”
The Public-Key Encryption Model
![Page 13: IM NTU Distributed Information Systems 2004 Security -- 1 Security Yih-Kuen Tsay Dept. of Information Management National Taiwan University](https://reader036.vdocuments.us/reader036/viewer/2022062517/56649f185503460f94c2ef39/html5/thumbnails/13.jpg)
IM NTUIM NTU
Distributed Information Systems Distributed Information Systems 20042004 SecuritySecurity -- -- 1313
Source: W. Stallings, “Cryptography and Network Security”
The Public-Key Authentication Model
![Page 14: IM NTU Distributed Information Systems 2004 Security -- 1 Security Yih-Kuen Tsay Dept. of Information Management National Taiwan University](https://reader036.vdocuments.us/reader036/viewer/2022062517/56649f185503460f94c2ef39/html5/thumbnails/14.jpg)
IM NTUIM NTU
Distributed Information Systems Distributed Information Systems 20042004 SecuritySecurity -- -- 1414
Source: G. Coulouris et al., Distributed Systems: Concepts and Design, Third Edition.
Notational Conventions
![Page 15: IM NTU Distributed Information Systems 2004 Security -- 1 Security Yih-Kuen Tsay Dept. of Information Management National Taiwan University](https://reader036.vdocuments.us/reader036/viewer/2022062517/56649f185503460f94c2ef39/html5/thumbnails/15.jpg)
IM NTUIM NTU
Distributed Information Systems Distributed Information Systems 20042004 SecuritySecurity -- -- 1515
Source: G. Coulouris et al., Distributed Systems: Concepts and Design, Third Edition.
Performance of Cryptographic Algorithms
![Page 16: IM NTU Distributed Information Systems 2004 Security -- 1 Security Yih-Kuen Tsay Dept. of Information Management National Taiwan University](https://reader036.vdocuments.us/reader036/viewer/2022062517/56649f185503460f94c2ef39/html5/thumbnails/16.jpg)
IM NTUIM NTU
Distributed Information Systems Distributed Information Systems 20042004 SecuritySecurity -- -- 1616
Source: G. Coulouris et al., Distributed Systems: Concepts and Design, Third Edition.
A Scheme of Cipher Block Chaining
![Page 17: IM NTU Distributed Information Systems 2004 Security -- 1 Security Yih-Kuen Tsay Dept. of Information Management National Taiwan University](https://reader036.vdocuments.us/reader036/viewer/2022062517/56649f185503460f94c2ef39/html5/thumbnails/17.jpg)
IM NTUIM NTU
Distributed Information Systems Distributed Information Systems 20042004 SecuritySecurity -- -- 1717
Source: G. Coulouris et al., Distributed Systems: Concepts and Design, Third Edition.
A Stream Cipher
![Page 18: IM NTU Distributed Information Systems 2004 Security -- 1 Security Yih-Kuen Tsay Dept. of Information Management National Taiwan University](https://reader036.vdocuments.us/reader036/viewer/2022062517/56649f185503460f94c2ef39/html5/thumbnails/18.jpg)
IM NTUIM NTU
Distributed Information Systems Distributed Information Systems 20042004 SecuritySecurity -- -- 1818
Source: G. Coulouris et al., Distributed Systems: Concepts and Design, Third Edition.
Digital Signatures with Secret Keys
![Page 19: IM NTU Distributed Information Systems 2004 Security -- 1 Security Yih-Kuen Tsay Dept. of Information Management National Taiwan University](https://reader036.vdocuments.us/reader036/viewer/2022062517/56649f185503460f94c2ef39/html5/thumbnails/19.jpg)
IM NTUIM NTU
Distributed Information Systems Distributed Information Systems 20042004 SecuritySecurity -- -- 1919
Source: G. Coulouris et al., Distributed Systems: Concepts and Design, Third Edition.
Digital Signatures with Public Keys
![Page 20: IM NTU Distributed Information Systems 2004 Security -- 1 Security Yih-Kuen Tsay Dept. of Information Management National Taiwan University](https://reader036.vdocuments.us/reader036/viewer/2022062517/56649f185503460f94c2ef39/html5/thumbnails/20.jpg)
IM NTUIM NTU
Distributed Information Systems Distributed Information Systems 20042004 SecuritySecurity -- -- 2020
Source: G. Coulouris et al., Distributed Systems: Concepts and Design, Third Edition.
Alice’s Bank Account Certificate
![Page 21: IM NTU Distributed Information Systems 2004 Security -- 1 Security Yih-Kuen Tsay Dept. of Information Management National Taiwan University](https://reader036.vdocuments.us/reader036/viewer/2022062517/56649f185503460f94c2ef39/html5/thumbnails/21.jpg)
IM NTUIM NTU
Distributed Information Systems Distributed Information Systems 20042004 SecuritySecurity -- -- 2121
Source: G. Coulouris et al., Distributed Systems: Concepts and Design, Third Edition.
A Public Key Certificate of Bob’s Bank
![Page 22: IM NTU Distributed Information Systems 2004 Security -- 1 Security Yih-Kuen Tsay Dept. of Information Management National Taiwan University](https://reader036.vdocuments.us/reader036/viewer/2022062517/56649f185503460f94c2ef39/html5/thumbnails/22.jpg)
IM NTUIM NTU
Distributed Information Systems Distributed Information Systems 20042004 SecuritySecurity -- -- 2222
Source: G. Coulouris et al., Distributed Systems: Concepts and Design, Third Edition.
The Needham-Schroeder Authentication Protocol
![Page 23: IM NTU Distributed Information Systems 2004 Security -- 1 Security Yih-Kuen Tsay Dept. of Information Management National Taiwan University](https://reader036.vdocuments.us/reader036/viewer/2022062517/56649f185503460f94c2ef39/html5/thumbnails/23.jpg)
IM NTUIM NTU
Distributed Information Systems Distributed Information Systems 20042004 SecuritySecurity -- -- 2323
Kerberos
• Developed at MIT
• For protecting networked services
• Based on the Needham-Schroeder protocol
• Current version: Kerberos Version 5
• Source code available
• Also used in OSF DCE, Windows 2000, ...
![Page 24: IM NTU Distributed Information Systems 2004 Security -- 1 Security Yih-Kuen Tsay Dept. of Information Management National Taiwan University](https://reader036.vdocuments.us/reader036/viewer/2022062517/56649f185503460f94c2ef39/html5/thumbnails/24.jpg)
IM NTUIM NTU
Distributed Information Systems Distributed Information Systems 20042004 SecuritySecurity -- -- 2424
Source: G. Coulouris et al., Distributed Systems: Concepts and Design, Third Edition.
Kerberos Architecture
![Page 25: IM NTU Distributed Information Systems 2004 Security -- 1 Security Yih-Kuen Tsay Dept. of Information Management National Taiwan University](https://reader036.vdocuments.us/reader036/viewer/2022062517/56649f185503460f94c2ef39/html5/thumbnails/25.jpg)
IM NTUIM NTU
Distributed Information Systems Distributed Information Systems 20042004 SecuritySecurity -- -- 2525Source: G. Coulouris et al., Distributed Systems: Concepts and Design, Third Edition.
The Kerberos Protocol
![Page 26: IM NTU Distributed Information Systems 2004 Security -- 1 Security Yih-Kuen Tsay Dept. of Information Management National Taiwan University](https://reader036.vdocuments.us/reader036/viewer/2022062517/56649f185503460f94c2ef39/html5/thumbnails/26.jpg)
IM NTUIM NTU
Distributed Information Systems Distributed Information Systems 20042004 SecuritySecurity -- -- 2626
Source: G. Coulouris et al., Distributed Systems: Concepts and Design, Third Edition.
auth(C) contains C,t.
ticket(C,S) contains C,S,t1,t2,KCS.
The Kerberos Protocol (cont.)
![Page 27: IM NTU Distributed Information Systems 2004 Security -- 1 Security Yih-Kuen Tsay Dept. of Information Management National Taiwan University](https://reader036.vdocuments.us/reader036/viewer/2022062517/56649f185503460f94c2ef39/html5/thumbnails/27.jpg)
IM NTUIM NTU
Distributed Information Systems Distributed Information Systems 20042004 SecuritySecurity -- -- 2727
The Secure Sockets Layer (SSL)
• Originated by Netscape, now a nonproprietary standard (SSLv3)
• Provides secure end-to-end communications
• Operates between TCP/IP (or any other reliable transport protocol) and the application
• Built into most browsers and servers
![Page 28: IM NTU Distributed Information Systems 2004 Security -- 1 Security Yih-Kuen Tsay Dept. of Information Management National Taiwan University](https://reader036.vdocuments.us/reader036/viewer/2022062517/56649f185503460f94c2ef39/html5/thumbnails/28.jpg)
IM NTUIM NTU
Distributed Information Systems Distributed Information Systems 20042004 SecuritySecurity -- -- 2828
Source: G. Coulouris et al., Distributed Systems: Concepts and Design, Third Edition.
The SSL Protocol Stack
![Page 29: IM NTU Distributed Information Systems 2004 Security -- 1 Security Yih-Kuen Tsay Dept. of Information Management National Taiwan University](https://reader036.vdocuments.us/reader036/viewer/2022062517/56649f185503460f94c2ef39/html5/thumbnails/29.jpg)
IM NTUIM NTU
Distributed Information Systems Distributed Information Systems 20042004 SecuritySecurity -- -- 2929
How SSL Works
• Sessions between a client and a server are established by the Handshake Protocol
• A session defines a set of security parameters, including peer certificate, cipher spec, and master secret
• Multiple connections can be established within a session, each defining further security parameters such as keys for encryption and authentication
• Security parameters dictate how application data are processed by the SSL Record Protocol into TCP segments
![Page 30: IM NTU Distributed Information Systems 2004 Security -- 1 Security Yih-Kuen Tsay Dept. of Information Management National Taiwan University](https://reader036.vdocuments.us/reader036/viewer/2022062517/56649f185503460f94c2ef39/html5/thumbnails/30.jpg)
IM NTUIM NTU
Distributed Information Systems Distributed Information Systems 20042004 SecuritySecurity -- -- 3030
Security Functions of SSL
• Confidentiality: using one of DES, Triple DES, IDEA, RC2, RC4, …
• Integrity: using MAC with MD5 or SHA-1
• Authentication: using X.509v3 digital certificates
![Page 31: IM NTU Distributed Information Systems 2004 Security -- 1 Security Yih-Kuen Tsay Dept. of Information Management National Taiwan University](https://reader036.vdocuments.us/reader036/viewer/2022062517/56649f185503460f94c2ef39/html5/thumbnails/31.jpg)
IM NTUIM NTU
Distributed Information Systems Distributed Information Systems 20042004 SecuritySecurity -- -- 3131Source: G. Coulouris et al., Distributed Systems: Concepts and Design, Third Edition.
The SSL Handshake Protocol
![Page 32: IM NTU Distributed Information Systems 2004 Security -- 1 Security Yih-Kuen Tsay Dept. of Information Management National Taiwan University](https://reader036.vdocuments.us/reader036/viewer/2022062517/56649f185503460f94c2ef39/html5/thumbnails/32.jpg)
IM NTUIM NTU
Distributed Information Systems Distributed Information Systems 20042004 SecuritySecurity -- -- 3232
Source: G. Coulouris et al., Distributed Systems: Concepts and Design, Third Edition.
The SSL Record Protocol
![Page 33: IM NTU Distributed Information Systems 2004 Security -- 1 Security Yih-Kuen Tsay Dept. of Information Management National Taiwan University](https://reader036.vdocuments.us/reader036/viewer/2022062517/56649f185503460f94c2ef39/html5/thumbnails/33.jpg)
IM NTUIM NTU
Distributed Information Systems Distributed Information Systems 20042004 SecuritySecurity -- -- 3333
Micropayments
• The price of some goods may be lower than the standard transaction fees
• Micropayments offer a way for selling small-value products and services
• Technology providers: eCharge (via phone bills), Qpass (monthly bills), Millicent (prepay electronic cash), ...
![Page 34: IM NTU Distributed Information Systems 2004 Security -- 1 Security Yih-Kuen Tsay Dept. of Information Management National Taiwan University](https://reader036.vdocuments.us/reader036/viewer/2022062517/56649f185503460f94c2ef39/html5/thumbnails/34.jpg)
IM NTUIM NTU
Distributed Information Systems Distributed Information Systems 20042004 SecuritySecurity -- -- 3434
The Millicent Scrip Scheme
• Scrip is a form of digital cash valid only for a specific vender.
• Format:
• Scrip is generated and distributed by brokers.
![Page 35: IM NTU Distributed Information Systems 2004 Security -- 1 Security Yih-Kuen Tsay Dept. of Information Management National Taiwan University](https://reader036.vdocuments.us/reader036/viewer/2022062517/56649f185503460f94c2ef39/html5/thumbnails/35.jpg)
IM NTUIM NTU
Distributed Information Systems Distributed Information Systems 20042004 SecuritySecurity -- -- 3535
Source: G. Coulouris et al., Distributed Systems: Concepts and Design, Third Edition.
Millicent Architecture