Khoa học máy tính - Chapter 21: Distributed system security

Chapter 21Distributed System SecurityCopyright © 20081Operating Systems, by Dhananjay Dhamdhere*IntroductionIssues in Distributed System SecurityMessage SecurityAuthentication of Data and MessagesThird-Party Authentication2Operating Systems, by Dhananjay Dhamdhere*Issues in Distributed System SecurityKinds of security threats in distributed OSs:Leakage  of message contentsTampering  of message contentsStealing  use of resources without authorizationDenial of service to authorized usersLeakage and tampering are threats to message securityThreats addressed through two means:Message security techniquesAuthentication of remote users3Operating Systems, by Dhananjay Dhamdhere*Security Mechanisms and Policies4Operating Systems, by Dhananjay Dhamdhere*Security Attacks in Distributed SystemsAdditionally, security attacks can be classified into: Passive attacks and active attacks5Operating Systems, by Dhananjay Dhamdhere*Message SecurityApproaches to message security can be:Link-orientedTends to be expensiveCost depends on the number of links over which a message travelsEnd-to-endApproach assumed in following discussionsThree approaches to message security:Private (or secret) key encryptionPublic key encryptionSession keys6Operating Systems, by Dhananjay Dhamdhere*Message Security (continued)7Operating Systems, by Dhananjay Dhamdhere*Distribution of Encryption KeysKDC: Key distribution centerFor public key encryption, KDC maintains a directory containing public keys of all entities in the systemWhen session keys are used, KDC generates a new session key on demand8Distribution of Public KeysSteps Step 1: Pi → KDC : EUkdc (Pi, Pj)Step 2: KDC → Pi : EUi (Pj, Uj)Encryption is employed merely to prevent message tamperingOperating Systems, by Dhananjay Dhamdhere*9Distribution of Session KeysStepsStep 1: Pi → KDC : Pi, PjStep 2: KDC → Pi : EVi(Pj, Ski,j, EVj(Pi,Ski,j))Step 3: Pi → Pj : EVj(Pi, Ski,j), ESKi,j ()Operating Systems, by Dhananjay Dhamdhere*10Operating Systems, by Dhananjay Dhamdhere*Preventing Message Replay AttacksMessage replay attack: intruder copies messages passing over network and “plays them back” laterReplayed message may mislead recipient into taking wrong or duplicate actionsMay affect data consistencyMay reveal confidential informationSolution: use challenge-response protocol to check whether message exchange is in real timeSteps: challenge, response, detect Pj → Pi : ESKi,j(n) Pj → Pi : ESKi,j(n+1)Challenge string n is called a nonce11Operating Systems, by Dhananjay Dhamdhere*Mutual AuthenticationProcesses in a communication session should validate each other’s identity at start of sessionDefeats masquerading attacks12Operating Systems, by Dhananjay Dhamdhere*Authentication of Data and MessagesAuthenticity: requires process to verify that data was originated/sent by a claimed person or processAnd that it has not been tampered with by intruderLatter aspect implies integrity of dataTo ensure integrity, use a hash or message digestOne-way hash function for which a birthday attack is infeasibleCertification authority (CA) provides information concerning encryption keys used by persons or processes in a secure manner13Operating Systems, by Dhananjay Dhamdhere*Certification Authorities and Digital CertificatesA certification authority (CA):Assigns public and private keys to an entityAfter ascertaining its identity by using some means of physical verificationKeys are valid for a specific period of timeActs like a key distribution centerKeeps a record of keys assigned by itIssues public key certificatesUsed to avoid man-in-the-middle attacks14Operating Systems, by Dhananjay Dhamdhere*Certification Authorities and Digital Certificates (continued)A public key certificate includes:Serial number of the certificateOwner’s distinguished name (DN)DNS name of the owner, and owner’s name, unit, locality, state, and country in a textual formIdentifying information of ownerE.g., addressOwner’s public keyDate of issue and date of expiry, and issuer’s DNDigital signature on the above information by CA15Operating Systems, by Dhananjay Dhamdhere*Message Authentication Codes and Digital SignatureA message authentication code (MAC) is used to check the integrity of dataA one-way hashing function is used to obtain a message digest of dataIt is encrypted using a secret key known only by sender and intended recipientA digital signature is used to verify authenticity of dataThis identification is non-repudiableCan also be used to detect any modifications of data after the data was created or sent by a processBoth are achieved through use of private keys16Operating Systems, by Dhananjay Dhamdhere*Message Authentication Codes and Digital Signature (continued)17Operating Systems, by Dhananjay Dhamdhere*Third-Party AuthenticationHow does a server know whether a process wishing to act as its client was created by an authorized user?Require each server to authenticate every user through a passwordInconvenientUse a third-party authenticator and a secure arrangementKerberos  uses an authentication databaseSSL  decentralized18KerberosDeveloped in project Athena at MITKerberos authentication server (KAS) uses an authentication data baseAuthorization is performed by giving tickets to processesA ticket is like a capability, it authorizes a process to use a serviceIt contains the process and server ids, a session key for communication, and the lifetime over which it is validAt log in time, each process gets a ticket to a ticket granting server (TGS); TGS generates tickets for other serversOperating Systems, by Dhananjay Dhamdhere*19Kerberos (continued)When a process wishes to use a serverIt submits a ticket for the server and an authenticator containing a time-stamp encrypted with the session keyServer checks validity of ticket, extracts the session key and checks the authenticator to ensure that the request is made in ‘real time’Operating Systems, by Dhananjay Dhamdhere*20Operating Systems, by Dhananjay Dhamdhere*Kerberos (continued)Initial authentication:Obtaining ticket for server:Obtaining service:21Operating Systems, by Dhananjay Dhamdhere*Secure Sockets Layer (SSL)SSL is a message security protocol providing authentication and communication privacyWorks on top of a reliable transport protocol such as TCP/IPTransport layer security (TLS) protocol is based on SSL 3.0Two phases:SSL handshake protocolSSL record protocol22Operating Systems, by Dhananjay Dhamdhere*Secure Sockets Layer (SSL)Handshake protocol:Performs server authenticationSelection of session’s cryptographic algorithms(Optionally) performs client authenticationEnables client and server to generate shared secretUsed to generate session keysRecord protocol: securely sent using a session key, where m is text of messageTo avoid man-in-the-middle attacks, certificate is verified and challenge-response protocol used to authenticate client23Operating Systems, by Dhananjay Dhamdhere*SummaryIntruders can launch a variety of attacks: leakage, tampering, masquerading, or denial of serviceLeakage/tampering are threats to message securitySolution: Use encryptionPrivate, public and session keysSession keys are typically usedMessage replay attacks can be avoided using challenge-response protocolThird-party authenticators: Kerberos, SSLDigital signature: used to verify authenticity of dataPublic key certificate used to securely distribute public key24