Post on 27-Dec-2015
transcript
Security
Protection
Tanenbaum & Bo, Modern Operating Systems:4th ed., (c) 2013 Prentice-Hall, Inc. All rights reserved.
Computer Security Triad
• Three key objectives are at the heart of computer security
Data and
services
Availability
Confidentiality
Integrity
The Security EnvironmentThreats
Security goals and threats.
Tanenbaum & Bo, Modern Operating Systems:4th ed., (c) 2013 Prentice-Hall, Inc. All rights reserved.
Can We Build Secure Systems?
Two questions concerning security:1.Is it possible to build a secure computer system?2.If so, why is it not done?
Tanenbaum & Bo, Modern Operating Systems:4th ed., (c) 2013 Prentice-Hall, Inc. All rights reserved.
Trusted Computing Base
Reference monitorAccepts all system call security and makes security decisions
Tanenbaum & Bo, Modern Operating Systems:4th ed., (c) 2013 Prentice-Hall, Inc. All rights reserved.
Protection Domains
• Resources to be protected• Domain is a set of (object, rights)pairs.
– Each pair specifies an object and some operation that can be preformed on it.
– Right, in this context, means the permission to perform one of the operations.
Tanenbaum & Bo, Modern Operating Systems:4th ed., (c) 2013 Prentice-Hall, Inc. All rights reserved.
Protection Domains (1)
Three protection domains.
Tanenbaum & Bo, Modern Operating Systems:4th ed., (c) 2013 Prentice-Hall, Inc. All rights reserved.
Principle of Least Authority
In general,
Security works best when each domain has the minimum objects and privileges to do its work and no more.
Tanenbaum & Bo, Modern Operating Systems:4th ed., (c) 2013 Prentice-Hall, Inc. All rights reserved.
Protection Domains (2)
A protection matrix.
Tanenbaum & Bo, Modern Operating Systems:4th ed., (c) 2013 Prentice-Hall, Inc. All rights reserved.
Protection Domains (3)
A protection matrix with domains as objects.
Tanenbaum & Bo, Modern Operating Systems:4th ed., (c) 2013 Prentice-Hall, Inc. All rights reserved.
Two methods of implementation
• Access Control lists• Capabilities list
Tanenbaum & Bo, Modern Operating Systems:4th ed., (c) 2013 Prentice-Hall, Inc. All rights reserved.
Access control lists: slice by columns
A protection matrix.
Tanenbaum & Bo, Modern Operating Systems:4th ed., (c) 2013 Prentice-Hall, Inc. All rights reserved.
Access Control Lists (1)
Use of access control lists to manage file access.
Tanenbaum & Bo, Modern Operating Systems:4th ed., (c) 2013 Prentice-Hall, Inc. All rights reserved.
Access Control Lists (2)
• Tana belongs to two groups and requires 2 login • An alternative is to have each entry be a group OR
an individualPigeon_data : debbie:RW, phil: RW, pigfan:RW
Tanenbaum & Bo, Modern Operating Systems:4th ed., (c) 2013 Prentice-Hall, Inc. All rights reserved.
Access Control Lists (2)
• Easy to change permissions with respect to file• Only check at file open.
Tanenbaum & Bo, Modern Operating Systems:4th ed., (c) 2013 Prentice-Hall, Inc. All rights reserved.
Capabilities lists: slice by rows
A protection matrix.
Tanenbaum & Bo, Modern Operating Systems:4th ed., (c) 2013 Prentice-Hall, Inc. All rights reserved.
Capabilities (1)
When capabilities are used, each process has a capability list.
Tanenbaum & Bo, Modern Operating Systems:4th ed., (c) 2013 Prentice-Hall, Inc. All rights reserved.
• Protect the list from tampering:• A cryptographically protected capability.
• Suited for distributed files
Capabilities (2)
Tanenbaum & Bo, Modern Operating Systems:4th ed., (c) 2013 Prentice-Hall, Inc. All rights reserved.
Cryptographically protected capability list
• Client sends a message to remote serve to create a file object.
• Server creates the object and generates a long random number ‘check field’
• Slot on the server’s table (inode) is reserved
• It is not sent back to the user and never put on the network
Tanenbaum & Bo, Modern Operating Systems:4th ed., (c) 2013 Prentice-Hall, Inc. All rights reserved.
Cryptographically protected capability list
• Sent to the user is the capability entry in the form:
Tanenbaum & Bo, Modern Operating Systems:4th ed., (c) 2013 Prentice-Hall, Inc. All rights reserved.
• Run object,rights, and check through a one-way function (f).• User sends the capability entry when it wants to access the
file.
Formal Models of Secure Systems
(a) An authorized state. (b) An unauthorized state.
Tanenbaum & Bo, Modern Operating Systems:4th ed., (c) 2013 Prentice-Hall, Inc. All rights reserved.
Multilevel Security
• Discretionary Access Control– Operating systems allow individual to determine
who may read and write their files
• Mandatory Access Control– Organizational rules state who can see and modify
what.
Tanenbaum & Bo, Modern Operating Systems:4th ed., (c) 2013 Prentice-Hall, Inc. All rights reserved.
Multilevel SecurityBell-LaPadula Model
Bell-LaPadula Model rules for information flow:1.The simple security property
– Process running at security level k can read only objects at its level or lower
2.The * property– Process running at security level k can write only
objects at its level or higher
Tanenbaum & Bo, Modern Operating Systems:4th ed., (c) 2013 Prentice-Hall, Inc. All rights reserved.
Bell-LaPadula Model
The Bell-LaPadula multilevel security model.
Tanenbaum & Bo, Modern Operating Systems:4th ed., (c) 2013 Prentice-Hall, Inc. All rights reserved.
Bell-LaPadula Model
• The Bell-LaPadula multilevel security model was devised to keep secrets, not guarantee the integrity of data.
Tanenbaum & Bo, Modern Operating Systems:4th ed., (c) 2013 Prentice-Hall, Inc. All rights reserved.
The Biba Model
To guarantee the integrity of the data:1.The simple integrity principle
– process running at security level k can write only objects at its level or lower (no write up).
2.The integrity * property– process running at security level k can read only
objects at its level or higher (no read down).
Tanenbaum & Bo, Modern Operating Systems:4th ed., (c) 2013 Prentice-Hall, Inc. All rights reserved.
• BUT… security leaks still can occur
Tanenbaum & Bo, Modern Operating Systems:4th ed., (c) 2013 Prentice-Hall, Inc. All rights reserved.
Covert Channels (1)
(a) The client, server, and collaborator processes. (b) The encapsulated server can still leak to the collaborator via
covert channels.
Tanenbaum & Bo, Modern Operating Systems:4th ed., (c) 2013 Prentice-Hall, Inc. All rights reserved.
Covert Channels (2)
Figure 9-13. A covert channel using file locking.
Tanenbaum & Bo, Modern Operating Systems:4th ed., (c) 2013 Prentice-Hall, Inc. All rights reserved.
Steganography
• Concealing secrets in plain site
– Hiding secret information in paintings, jpegs, MP3 files… or messages… or the network
Network Security
Steganography example• The German Embassy in Washington, DC, sent these messages in
telegrams to their headquarters in Berlin during World War I (Kahn 1996).
PRESIDENT'S EMBARGO RULING SHOULD HAVE IMMEDIATE NOTICE. GRAVE SITUATION AFFECTING INTERNATIONAL LAW. STATEMENT FORESHADOWS RUIN OF MANY NEUTRALS. YELLOW JOURNALS UNIFYING NATIONAL EXCITEMENT IMMENSELY.
• PERSHING SAILS FROM N.Y. JUNE 1
Network Security
“StegTorrent”• Bob sends messages through computers
which he previously established control over. • The order of the messages and which
computer sends them, hides the secret. – Bob commands two computers to request a file from Alice– Alice send message to computer 1 then computer 2
– Alice sends message to computer 2 then compute 1
Network Security
Binary 1
Binary 0
Skyde (Skype Hide)• Skype packs data into audio packets while Alice is talking• Skype continues to send audio packets when Alice is silent.
– This improves the quality of the call and helps data continue to clear firewalls
• ‘Silent’ packets are hijacked contents are replaced with encrypted data– Receiver application just assumes the original silent packets
were lost• 30% of silent packets can be compromised with out notice
Network Security
Steganography
(a) Three zebras and a tree. (b) Three zebras, a tree, and the complete text of five plays by William Shakespeare.
Demo: http://www.cs.vu.nl/~ast/books/mos2/zebras.html
Tanenbaum & Bo, Modern Operating Systems:4th ed., (c) 2013 Prentice-Hall, Inc. All rights reserved.
Basics of Cryptography
Relationship between the plaintext and the ciphertext.
Tanenbaum & Bo, Modern Operating Systems:4th ed., (c) 2013 Prentice-Hall, Inc. All rights reserved.
Secret-Key Cryptography
An encryption algorithm in which each letter isreplaced by a different letter.
Tanenbaum & Bo, Modern Operating Systems:4th ed., (c) 2013 Prentice-Hall, Inc. All rights reserved.
Network Security
Key Cryptography
symmetric key crypto• requires sender, receiver
know shared secret key• Q: how to agree on key in
first place (particularly if never “met”)?
• Diffie-Hellman Key exchange
• Khan Academy
public key cryptography
radically different approach [Diffie-Hellman76, RSA78]
sender, receiver do not share secret key
public encryption key known to all
private decryption key known only to receiver
Network Security
Public key cryptography
plaintextmessage, m
ciphertextencryptionalgorithm
decryption algorithm
Bob’s public key
plaintextmessageK (m)
B+
K B+
Bob’s privatekey
K B-
m = K (K (m))B+
B-
Network Security
Public key encryption algorithms
need K ( ) and K ( ) such thatB B. .
given public key K , it should be impossible to compute private key K
B
B
Requirements:
1
2
RSA: Rivest, Shamir, Adelson algorithm
+ -
K (K (m)) = m BB
- +
+
-
Network Security
Prerequisite: modular arithmetic
• x mod n = remainder of x when divide by n• Facts:
[(a mod n) + (b mod n)] mod n = (a+b) mod n[(a mod n) - (b mod n)] mod n = (a-b) mod n[(a mod n) * (b mod n)] mod n = (a*b) mod n
• Thus (a mod n)d mod n = ad mod n• Example: x=14, n=10, d=2:
(x mod n)d mod n = 42 mod 10 = 6xd = 142 = 196 xd mod 10 = 6
Network Security
RSA: getting ready
• A message is a bit pattern.• A bit pattern can be uniquely represented by an integer
number. • Thus encrypting a message is equivalent to encrypting a
number.Example• m= 10010001 . This message is uniquely represented by the
decimal number 145. • To encrypt m, we encrypt the corresponding number, which
gives a new number (the ciphertext).
Network Security
RSA: Creating public/private key pair
1. Choose two large prime numbers p, q. (e.g., 1024 bits each)
2. Compute n = pq, z = (p-1)(q-1)
3. Choose e (with e<n) that has no common factors with z. (e, z are “relatively prime”).
4. Choose d such that ed-1 is exactly divisible by z. (in other words: ed mod z = 1 ).
5. Public key is (n,e). Private key is (n,d).
K B+ K B
-
Network Security
RSA: Encryption, decryption0. Given (n,e) and (n,d) as computed above
1. To encrypt message m (<n), compute
c = m mod n
e
2. To decrypt received bit pattern, c, compute
m = c mod n
d
m = (m mod n)
e mod n
dMagichappens!
c
Network Security
RSA example:Bob chooses p=5, q=7. Then n=35, z=24.
e=5 (so e, z relatively prime).d=29 (so ed-1 exactly divisible by z).
bit pattern m me c = m mod ne
0000l000 12 24832 17
c m = c mod nd
17 481968572106750915091411825223071697 12
cd
encrypt:
decrypt:
Encrypting 8-bit messages.
Network Security
RSA: another important property
The following property will be very useful later:
K (K (m)) = m BB
- +K (K (m))
BB+ -
=
use public key first, followed
by private key
use private key first,
followed by public key
Result is the same!
Network Security
Why is RSA Secure?• suppose you know Bob’s public key (n,e). How
hard is it to determine d?• essentially need to find factors of n without
knowing the two factors p and q. • fact: factoring a big number is hard.
Generating RSA keys have to find big primes p and q approach: make good guess then apply
testing rules (see Kaufman)
Network Security
Ensuring Networked Message Integrity
• allows communicating parties to verify that received messages are authentic.– Content is not read by anyone other than
intended recipient– Content of message has not been altered – Source of message is who/what you think it is: – Message has not been replayed
Network Security
• Goal: Allow communicating parties to verify that received messages are authentic.– Content is not read by anyone other than
intended recipientEncryption
– Content of message has not been altered – Source of message is who/what you think it is – Message has not been replayed
Ensuring Networked Message Integrity
Network Security
Ensuring Network Message Integrity
• allows communicating parties to verify that received messages are authentic.– Content is not read by anyone other than
intended recipientEncryption
– Content of message has not been alteredMessage Digests
– Source of message is who/what you think it is– Message has not been replayed
Network Security
Message Digests
• function H( ) that takes as input an arbitrary length message and outputs a fixed-length string: “message signature”
• note that H( ) is a many-to-1 function
• H( ) is often called a “hash function”
desirable properties:–easy to calculate– irreversibility: Can’t
determine m from H(m)–collision resistance:
computationally difficult to produce m and m’ such that H(m) = H(m’)
– seemingly random output
large message
m
H: HashFunction
H(m)
Network Security
Hashed Message Digest
• MD5 hash function widely used (RFC 1321) – computes 128-bit message digest in 4-step process.
• SHA-1 is also used.– US standard [NIST, FIPS PUB 180-1]
– 160-bit message digest
Network Security
Message Authentication Code (MAC)m
ess
ag
e
H( )
s
mess
ag
e
mess
ag
e
s
H( )
compare
s = shared secret
• Authenticates sender• Verifies message integrity• No encryption !• Also called “keyed hash”• Notation: MDm = H(s||m) ; send m||MDm
Network Security
Message Integrity• allows communicating parties to verify that
received messages are authentic.– Content is not read by anyone other than
intended recipient– Content of message has not been altered :
Message Digests– Source of message is who/what you think it is:
• Digital Signatures• Certification Authority
– Message has not been replayed
Network Security
REMEMBER: RAS important property
The following property will be very useful later:
K (K (m)) = m BB
- +K (K (m))
BB+ -
=
use public key first, followed
by private key
use private key first,
followed by public key
Result is the same!
Network Security
Digital Signatures
cryptographic technique analogous to hand-written signatures.
• sender (Bob) digitally signs document, establishing he is document owner/creator.
• goal is similar to that of MAC, except now use public-key cryptography
verifiable, nonforgeable: recipient (Alice) can prove to someone that Bob, and no one else (including Alice), must have signed document (Non-repudiation: Alice can take m, and signature KB(m) to court and prove that Bob signed m. )
Network Security
Digital Signatures
simple digital signature for message m:• Bob signs m by encrypting with his private key KB,
creating “signed” message, KB(m)--
Dear Alice
Oh, how I have missed you. I think of you all the time! …(blah blah blah)
Bob
Bob’s message, m
Public keyencryptionalgorithm
Bob’s privatekey
K B-
Bob’s message, m, signed
(encrypted) with his private key
K B-(m)
Network Security
Digital Signatures (more)
• suppose Alice receives msg m, digital signature KB(m)
• Alice verifies m signed by Bob by applying Bob’s public key KB to KB(m) then checks KB(KB(m) ) = m.
• if KB(KB(m) ) = m, whoever signed m must have used Bob’s private key.
+ +
-
-
- -
+
Alice thus verifies that: Bob signed m. no one else signed m. Bob signed m and not m’.
Non-repudiation: Alice can take m, and signature KB(m) to court and prove that
Bob signed m. -
Network Security
Ensuring Message Integrity– Content is not read by anyone other than intended
recipientEncryption
– Content of message has not been alteredMessage Digests
– Source of message is who/what you think it isDigital SignaturesCertification Authority
– Message has not been replayed
Network Security
Public-key certification• motivation: Trudy plays pizza prank on Bob
– Trudy creates e-mail order: Dear Pizza Store, Please deliver to me four pepperoni pizzas. Thank you, Bob
– Trudy signs order with her private key– Trudy sends order to Pizza Store– Trudy sends to Pizza Store her public key, but says it’s Bob’s
public key.– Pizza Store verifies signature; then delivers four pizzas to
Bob.– Bob doesn’t even like Pepperoni
Network Security
Certification Authorities
• Certification authority (CA): binds public key to particular entity, E.
• E (person, router) registers its public key with CA.– E provides “proof of identity” to CA. – CA creates certificate binding E to its public key.– certificate containing E’s public key digitally signed by CA – CA says
“this is E’s public key”
Bob’s public
key K B+
Bob’s identifying informatio
n
digitalsignature(encrypt)
CA private
key K CA-
K B+
certificate for Bob’s public
key, signed by CA
Network Security
Certification Authorities• when Alice wants Bob’s public key:
– gets Bob’s certificate (Bob or elsewhere).– apply CA’s public key to Bob’s certificate, get
Bob’s public key
Bob’s public
key K B+
digitalsignature(decrypt)
CA public
key K CA+
K B+
Network Security
Certificates: summary
• primary standard X.509 (RFC 2459)• certificate contains:
– issuer name– entity name, address, domain name, etc.– entity’s public key– digital signature (signed with issuer’s private key)
• Public-Key Infrastructure (PKI)– certificates, certification authorities– often considered “heavy”
Network Security
Ensuring Message Integrity– Content is not read by anyone other than intended
recipientEncryption
– Content of message has not been alteredMessage Digests
– Source of message is who/what you think it isDigital SignaturesCertification Authority
– Message has not been replayedNonce
Network Security
End-point authentication
• want to be sure of the originator of the message – end-point authentication
• assuming Alice and Bob have a shared secret, will MAC provide end-point authentication?– we do know that Alice created message. – … but did she send it?
Network Security
“I am Alice”
R
MACTransfer $1M from Bill to Susan
MAC =f(msg,s,R)
Defending against playback attack: nonce
Authentication (1)
Methods of authenticating users when theyattempt to log in based on one of three general principles:1.Something the user knows.2.Something the user has.3.Something the user is.
Tanenbaum & Bo, Modern Operating Systems:4th ed., (c) 2013 Prentice-Hall, Inc. All rights reserved.
Authentication (2)
(a) A successful login. (b) Login rejected after name is entered. (c) Login rejected after name and password are typed.
Tanenbaum & Bo, Modern Operating Systems:4th ed., (c) 2013 Prentice-Hall, Inc. All rights reserved.
UNIX Password Security
The use of salt to defeat precomputation of encrypted passwords.
Tanenbaum & Bo, Modern Operating Systems:4th ed., (c) 2013 Prentice-Hall, Inc. All rights reserved.
Challenge-Response Authentication
Questions should be chosen so that the user does not need to write them down. Examples:1.On what street was your elementary school?2.What did Mrs. Ellis teach?
Tanenbaum & Bo, Modern Operating Systems:4th ed., (c) 2013 Prentice-Hall, Inc. All rights reserved.
Authentication Using a Physical Object
Use of a smart card for authentication.
Tanenbaum & Bo, Modern Operating Systems:4th ed., (c) 2013 Prentice-Hall, Inc. All rights reserved.
Authentication Using Biometrics
A device for measuring finger length.
Tanenbaum & Bo, Modern Operating Systems:4th ed., (c) 2013 Prentice-Hall, Inc. All rights reserved.