security in distributed systems
DESCRIPTION
CS425/CSE424/ECE428 – Distributed Systems. Security in Distributed systems. Some material derived from slides by I. Gupta, M. Harandi , J. Hou , S. Mitra , K. Nahrstedt , N. Vaidya. ISIS algorithm for total ordering. P. 2. 1 Message. 3. 2. P. 2. 4. 2 Proposed Seq. 1. - PowerPoint PPT PresentationTRANSCRIPT
![Page 1: Security in Distributed systems](https://reader036.vdocuments.us/reader036/viewer/2022062410/5681614a550346895dd0c812/html5/thumbnails/1.jpg)
Security in Distributed systems
CS425/CSE424/ECE428 – Distributed Systems
2011-10-27 Nikita Borisov - UIUC 1
Some material derived from slides by I. Gupta, M. Harandi, J. Hou, S. Mitra, K. Nahrstedt, N. Vaidya
![Page 2: Security in Distributed systems](https://reader036.vdocuments.us/reader036/viewer/2022062410/5681614a550346895dd0c812/html5/thumbnails/2.jpg)
ISIS algorithm for total ordering
21
1
2
2
1 Message
2 Proposed Seq
P2
P3
P1
P4
3 Agreed Seq
3
3
Nikita Borisov - UIUC 2
![Page 3: Security in Distributed systems](https://reader036.vdocuments.us/reader036/viewer/2022062410/5681614a550346895dd0c812/html5/thumbnails/3.jpg)
Chord: client to client
N80
0Say m=7
N32
N45
File bad.mp3 with key K42 stored here
At node n, send query for key k to largest successor/finger entry < kif none exist, return successor(n) to requestor
All “arrows” are RPCs
N112
N96
N16
Who has bad.mp3?(hashes to K42)
Nikita Borisov - UIUC 3
![Page 4: Security in Distributed systems](https://reader036.vdocuments.us/reader036/viewer/2022062410/5681614a550346895dd0c812/html5/thumbnails/4.jpg)
Distributed banking transaction
..
BranchZ
BranchX
participant
participant
C
D
Client
BranchY
B
A
participant join
join
join
T
a.withdraw(4);
c.deposit(4);
b.withdraw(3);
d.deposit(3);
openTransaction
b.withdraw(T, 3);
closeTransaction
T = openTransaction a.withdraw(4); c.deposit(4); b.withdraw(3); d.deposit(3); closeTransaction
Note: the coordinator is in one of the servers, e.g. BranchX
Nikita Borisov - UIUC 4
![Page 5: Security in Distributed systems](https://reader036.vdocuments.us/reader036/viewer/2022062410/5681614a550346895dd0c812/html5/thumbnails/5.jpg)
Security Threats Leakage: An unauthorized party gains
access to a service or data.Attacker obtains knowledge of a withdrawal or account
balance, e.g., via eavesdroppingTampering: Unauthorized change of data,
tampering with a serviceAttacker changes the variable holding your personal
checking $$ totalVandalism: Interference with proper
operation, without gain to the attackerAttacker does not allow any transactions to your accountE.g., DOS=denial of service
Nikita Borisov - UIUC 5
![Page 6: Security in Distributed systems](https://reader036.vdocuments.us/reader036/viewer/2022062410/5681614a550346895dd0c812/html5/thumbnails/6.jpg)
More ConcernsAttacks on Communication Channel / Network
Eavesdropping – Obtaining copies of messages without authority.
Masquerading – Sending or receiving messages with the identity of another principal (user or corporation).
Message tampering – Intercepting messages and altering their contents before passing them onto the intended recipient.
Replaying – Intercepting messages and sending them at a later time.
Denial of Service Attack – flooding a channel or other resources (e.g., port) with messages.
Nikita Borisov - UIUC 6
![Page 7: Security in Distributed systems](https://reader036.vdocuments.us/reader036/viewer/2022062410/5681614a550346895dd0c812/html5/thumbnails/7.jpg)
Addressing the Challenges: SecurityLeakage: An unauthorized party gains
access to a service or data.– Confidentiality : protection against disclosure to
unauthorized individuals.Tampering: Unauthorized change of data,
tampering with a service– Integrity : protection against alteration or corruption.
Vandalism: Interference with proper operation, without gain to the attacker– Availability : protection against interference with the
means to access the resources.
Nikita Borisov - UIUC 7
![Page 8: Security in Distributed systems](https://reader036.vdocuments.us/reader036/viewer/2022062410/5681614a550346895dd0c812/html5/thumbnails/8.jpg)
Security Policies & Mechanisms A Security Policy indicates which actions each
entity (user, data, service) is allowed or prohibited to take.E.g., Only an owner is allowed to make transactions to his
account. CIA properties. A Security Mechanism enforces the policy
Encryption and decryption: transform data to a form only understandable by authorized users, and vice-versa.
Authentication: verify the claimed identity of a user, client, service, process, etc.
Authorization: verify access rights for an authenticated entity.
Auditing: make record of and check access to data and resources. Mainly an offline analysis tool, often after the fact.
Nikita Borisov - UIUC 8
![Page 9: Security in Distributed systems](https://reader036.vdocuments.us/reader036/viewer/2022062410/5681614a550346895dd0c812/html5/thumbnails/9.jpg)
Security Tenets
Make worst-case assumptions Network compromised Code / mechanism is known Nothing remains secret forever
Separate policy from mechanism Cryptography for secure channels Identity management (PKI, passwords,
etc.) for authentication Access control lists, capabilities for
authorization2011-10-27 Nikita Borisov - UIUC 9
![Page 10: Security in Distributed systems](https://reader036.vdocuments.us/reader036/viewer/2022062410/5681614a550346895dd0c812/html5/thumbnails/10.jpg)
Cryptography
Science of enciphering data Cryptology (algorithm design) +
cryptanalysis (breaking algorithms) History
First algorithms thousands of years old Encryption driven by military,
intelligence, and financial uses Since 1970’s, subject of much open
research Backbone of most Internet security
mechanisms2011-10-27 Nikita Borisov - UIUC 10
![Page 11: Security in Distributed systems](https://reader036.vdocuments.us/reader036/viewer/2022062410/5681614a550346895dd0c812/html5/thumbnails/11.jpg)
Encryption (symmetric)
Block cipher: EK(P) = C DK(C) = P P: Plaintext C: Ciphertext K: Shared key
Example: AES Result of design competition by NIST AES-128: key, block size are 128 bits Also, AES-192, AES-256
2011-10-27 Nikita Borisov - UIUC 11
![Page 12: Security in Distributed systems](https://reader036.vdocuments.us/reader036/viewer/2022062410/5681614a550346895dd0c812/html5/thumbnails/12.jpg)
Encryption (symmetric)
Stream cipher: Keystream(K)
▪ Produce infinite, unpredictable key stream from key K
C = P xor Keystream(K) P = C xor Keystream(K)
Example: RC4 Used in older version of 802.11, SSL Some security vulnerabilities
2011-10-27 Nikita Borisov - UIUC 12
![Page 13: Security in Distributed systems](https://reader036.vdocuments.us/reader036/viewer/2022062410/5681614a550346895dd0c812/html5/thumbnails/13.jpg)
Security Properties Indistinguishability
Adversary queries encryption, decryption oracles▪ EK(.), DK(.) ▪ Polynomial # of times
Adversary provides M1, M2 Challenger provides EK(Mb) for b = 0 or 1 Adversary queries oracles again Outputs guess for b
Security Adversary can’t win with probability (non-
negligibly) more than 1/22011-10-27 Nikita Borisov - UIUC 13
![Page 14: Security in Distributed systems](https://reader036.vdocuments.us/reader036/viewer/2022062410/5681614a550346895dd0c812/html5/thumbnails/14.jpg)
Encryption mode
Basic encryption primitives insecure Block cipher: C = C’ => P = P’ Stream cipher: C xor C’ = P xor P’
Must use operation mode E.g., CBC C1 = IV (random) C2 = EK(P1 xor C1) C3 = EK(P2 xor C2) …
2011-10-27 Nikita Borisov - UIUC 14
![Page 15: Security in Distributed systems](https://reader036.vdocuments.us/reader036/viewer/2022062410/5681614a550346895dd0c812/html5/thumbnails/15.jpg)
Secure channel
Alice, Bob share key K Each sends EK(M) to send M over secure
channel Security properties?
Confidentiality▪ Guaranteed by security of E
Integrity▪ Not guaranteed
Availability▪ Cannot be guaranteed by cryptography
2011-10-27 Nikita Borisov - UIUC 15
![Page 16: Security in Distributed systems](https://reader036.vdocuments.us/reader036/viewer/2022062410/5681614a550346895dd0c812/html5/thumbnails/16.jpg)
Integrity Protection Message Authentication Code (MAC)
aka Message Integrity Code (MIC) MACK(M) = x Security: unforgeability
Adversary queries MAC oracle ▪ MACK(.)
Adversary produces (M,x) where M has never been queried
Wins if MACK(M) = x Secure if adversary cannot win with probability non-
negligibly more than 0 Examples: HMAC, CBC-MAC2011-10-27 Nikita Borisov - UIUC 16
![Page 17: Security in Distributed systems](https://reader036.vdocuments.us/reader036/viewer/2022062410/5681614a550346895dd0c812/html5/thumbnails/17.jpg)
Secure Channel
Encryption key EK, MAC key MK Send(M) = EEK(M) || MACMK(M) Secure?
Replay Reflection
Solution: Sequence numbers Different keys in different directions
2011-10-27 Nikita Borisov - UIUC 17
![Page 18: Security in Distributed systems](https://reader036.vdocuments.us/reader036/viewer/2022062410/5681614a550346895dd0c812/html5/thumbnails/18.jpg)
Public-key cryptography
Must establish symmetric key with everyone O(N2) keys total Must be exchanged over secure channel!
Public key cryptography Two keys: PK – public, SK – secret C = EPK(P) P = DSK(C) O(N) keys total
2011-10-27 Nikita Borisov - UIUC 18
![Page 19: Security in Distributed systems](https://reader036.vdocuments.us/reader036/viewer/2022062410/5681614a550346895dd0c812/html5/thumbnails/19.jpg)
RSA Example: RSA
Rivest, Shamir, Adleman, 1977 Key generation
N = p*q, for two large primes p e = 3, d = e-1 in ZN
* ▪ d can be computed with knowledge of p, q
PK = (N, e), SK = d▪ Factoring N into p,q currently infeasible if p,q > ~1024 bits
Encryption C = Me (mod N) P = Cd (mod N)
Note: insecure in this form Must use randomization, padding to ensure indistinguishability
2011-10-27 Nikita Borisov - UIUC 19
![Page 20: Security in Distributed systems](https://reader036.vdocuments.us/reader036/viewer/2022062410/5681614a550346895dd0c812/html5/thumbnails/20.jpg)
Key exchange RSA-based key exchange
(roughly what’s used in TLS) Parties: Client, Server Steps:
S->C: PKS, NS C->S: EPKS(NC) K = H(NS||NC)
▪ Encryption, MAC keys derived from K Properties:
Nonces protect from replay One-way authentication No PFS
2011-10-27 Nikita Borisov - UIUC 20
![Page 21: Security in Distributed systems](https://reader036.vdocuments.us/reader036/viewer/2022062410/5681614a550346895dd0c812/html5/thumbnails/21.jpg)
Perfect Forward Secrecy
Goal: if (long-term) keys uncompromised at end of session, session remains secure forever
E.g., Diffie-Hellman S: pick random x, send gx
C: pick random y, send gy
Use (gx)y = (gy)x = gxy to derive shared key
Securely forget secrets (incl. x,y, gxy) after session
Security relies on discrete logarithm problem
2011-10-27 Nikita Borisov - UIUC 21
![Page 22: Security in Distributed systems](https://reader036.vdocuments.us/reader036/viewer/2022062410/5681614a550346895dd0c812/html5/thumbnails/22.jpg)
Digital Signatures
Public-key algorithm Secret signing key SK Public verification key VK
Operation sig = SignSK(M) VerifyVK(M,sig) = True or False
Example: RSA N,e = verification key, d = signature key Sign(M) = H(M)d (mod N)
2011-10-27 Nikita Borisov - UIUC 22
![Page 23: Security in Distributed systems](https://reader036.vdocuments.us/reader036/viewer/2022062410/5681614a550346895dd0c812/html5/thumbnails/23.jpg)
Authenticated Key Exchange Putting things together:
A->B: A, gx, Sign(gx) B->A: B, gy, Sign(gy)
Problems?
2011-10-27 Nikita Borisov - UIUC 23
![Page 24: Security in Distributed systems](https://reader036.vdocuments.us/reader036/viewer/2022062410/5681614a550346895dd0c812/html5/thumbnails/24.jpg)
SIGMA protocol
SIGn-and-MAc, due to Hugo Krawczyk
Used in IKE, part of IPSec A->B: gx
B->A: gy, Sign(gx,gy), MACMK(B) A->B: A, Sign(gy,gx),MACMK(A)
2011-10-27 Nikita Borisov - UIUC 24
![Page 25: Security in Distributed systems](https://reader036.vdocuments.us/reader036/viewer/2022062410/5681614a550346895dd0c812/html5/thumbnails/25.jpg)
Digital Certificates A digital certificate is a statement signed
by a third party principal, and can be reusede.g., Verisign Certification Authority (CA)
To be useful, certificates must have: A standard format, for construction and interpretation A protocol for constructing chains of certificates A trusted authority at the end of the chain
Alice
Bob
Service (S)
Request with digital signature1
{Certificate} 2KS-
KS+
Transaction + {Certificate} KS-
3Certificate=She is Alice
Nikita Borisov - UIUC 25
![Page 26: Security in Distributed systems](https://reader036.vdocuments.us/reader036/viewer/2022062410/5681614a550346895dd0c812/html5/thumbnails/26.jpg)
Alice’s Bank Account Certificate
1. Certificate type: Account number2. Name: Alice3. Account: 62626264. Certifying authority: Bob’s Bank5. Signature: {Digest(field 2 + field 3)}KBpriv
Nikita Borisov - UIUC 26
![Page 27: Security in Distributed systems](https://reader036.vdocuments.us/reader036/viewer/2022062410/5681614a550346895dd0c812/html5/thumbnails/27.jpg)
Public-Key Certificate for Bob’s Bank
1. Certificate type: Public key2. Name: Bob’s Bank3. Public key: KBpub
4. Certifying authority: Fred – The Bankers Federation5. Signature: {Digest(field 2 + field 3)} KFpriv
Eventually KF-, KF+ have to be obtained reliably.
Nikita Borisov - UIUC 27
![Page 28: Security in Distributed systems](https://reader036.vdocuments.us/reader036/viewer/2022062410/5681614a550346895dd0c812/html5/thumbnails/28.jpg)
Control of access to resources of a server. A basic form of access control checks <principal, op,
resource> requests for: Authenticates the principal. Authorization check for desired op, resource.
Access control matrix M (e.g., maintained at server) Each principal is represented by a row, and each resource object is
represented by a column. M[s,o] lists precisely what operations principal s can request to be
carried out on resource o. Check this before carrying out a requested operation. M may be sparse.
Access control list (ACL) Each object maintains a list of access rights of principals, i.e., an ACL is
some column in M with the empty entries left out. Capability List = row in access control matrix, i.e., per-
principal list.
Authorization: Access Control
Nikita Borisov - UIUC 28
![Page 29: Security in Distributed systems](https://reader036.vdocuments.us/reader036/viewer/2022062410/5681614a550346895dd0c812/html5/thumbnails/29.jpg)
Focus of Access Control
• Three approaches for protection against security threats
a) Protection against invalid operations
b) Protection against unauthorized invocations
c) Protection against unauthorized users
Nikita Borisov - UIUC 29
![Page 30: Security in Distributed systems](https://reader036.vdocuments.us/reader036/viewer/2022062410/5681614a550346895dd0c812/html5/thumbnails/30.jpg)
ACL and Capability Usage
Comparison between ACLs and capabilities for protecting objects.
a) Using an ACLb) Using capabilities.
Nikita Borisov - UIUC 30