
CS6223: Distributed Systems Security. 2 Attacks on Distributed Systems Eavesdropping. Obtaining...

Date post: 20-Dec-2015

CS6223: Distributed Systems Security


Attacks on Distributed Systems

• Eavesdropping. Obtaining copies of data without authority.

• Message tampering. Intercepting messages and altering their contents.

• Impersonating. Sending or receiving messages using another’s identity, or posing as a client or server.

• Playback. Storing messages and sending them at a later time to obtain illegal access. (Encryption alone cannot defeat playback attacks).

• Denial of service. Usual security protocols cannot defeat DoS attacks.


Outlines

• Cryptography

• Client - Server authentication

• Digital signature

• Email security (a case study)


Examples of simple cryptographic systems

1. Substitution ciphers

• Substitute one alphabetic character for another, e.g. the Caesar cipher simply shifts the alphabet: A→D, B→E, C→F, ... A general method is to shift letters by k, which is the key for encryption / decryption.

• A more complex method is to map each letter to another randomly. The cipher can be broken by counting the frequencies of letters in the ciphertext and guessing the plaintext.

2. Transposition ciphers

• Plaintext remains the same, but the order of characters is shifted around.

• A simple example is to write the plain text as an array, with row first. The ciphertext is read out by columns. To break this cipher, one needs to know: a) it is a transposition cipher, and b) the number of columns.
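The two cipher families on this slide, as an added example that is not part of the original slides: a shift cipher with key k, recovery of k by letter-frequency counting, and a row/column transposition. The function names and the sample text are constructed for illustration, and the frequency step assumes the most common plaintext letter is E.

```python
from collections import Counter
import string

ALPHABET = string.ascii_uppercase


def shift_encrypt(text: str, k: int) -> str:
    """Shift every letter k places; k = 3 gives the Caesar mapping A->D, B->E, C->F."""
    shifted = []
    for ch in text.upper():
        if ch in ALPHABET:
            shifted.append(ALPHABET[(ALPHABET.index(ch) + k) % 26])
        else:
            shifted.append(ch)  # spaces and punctuation pass through unchanged
    return "".join(shifted)


def shift_decrypt(text: str, k: int) -> str:
    return shift_encrypt(text, -k)


def recover_shift(ciphertext: str) -> int:
    """Frequency count: assume the most common ciphertext letter stands for E."""
    counts = Counter(ch for ch in ciphertext if ch in ALPHABET)
    top_letter, _ = counts.most_common(1)[0]
    return (ALPHABET.index(top_letter) - ALPHABET.index("E")) % 26


def transpose_encrypt(text: str, cols: int, pad: str = "X") -> str:
    """Write the text row by row into `cols` columns, then read it out by columns."""
    text += pad * (-len(text) % cols)  # fill the last row
    return "".join(text[c::cols] for c in range(cols))


def transpose_decrypt(ciphertext: str, cols: int) -> str:
    """Invert transpose_encrypt; only correct with the right number of columns."""
    rows = len(ciphertext) // cols
    return "".join(ciphertext[r::rows] for r in range(rows))


# Constructed sample text, chosen so that E is clearly the most frequent letter.
SAMPLE = "MEET ME NEAR THE GREEN TREE WHERE THE STREET ENDS"

if __name__ == "__main__":
    secret = shift_encrypt(SAMPLE, 11)
    k = recover_shift(secret)
    print(k, shift_decrypt(secret, k))
    grid = transpose_encrypt("DISTRIBUTEDSYSTEMS", 6)
    print(grid, transpose_decrypt(grid, 6), transpose_decrypt(grid, 3))
```

The key space of the shift cipher is only 26 values, so the frequency count is a shortcut rather than a necessity; for the random-mapping variant it is the main tool.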


Cryptography and Security Attacks


Secret Key (“symmetric”) Cryptography

• Same key for both encryption and decryption

• Efficient for encryption/decryption

• Difficult to exchange secret keys

• Often use session keys (short-lived) to encrypt/decrypt data after authentication

[Figure: Plaintext → encrypted by K → Ciphertext → decrypted by K → Plaintext]


Public Key (“asymmetric”) Cryptography

• A pair of keys: a public key $K^+$ (made public) and a private key $K^-$ (kept private)

• More costly (time, ciphertext size, …) for encryption/decryption

• Easy for public key distribution

• Often used for authentication (for secret key exchange)

[Figure: normal encryption / decryption: Plaintext → encrypted by $K^+$ → Ciphertext → decrypted by $K^-$ → Plaintext]

[Figure: protect messages from tampering: Plaintext → encrypted by $K^-$ → Ciphertext → decrypted by $K^+$ → Plaintext]


Secret Key Encryption/Decryption Algorithms: DES (Data Encryption Standard)

• Developed by Diffie and Hellman (1976) at IBM and recommended by US Federal (DES) for commercial use, but not for secret government use.

• It uses a 56-bit secret key. Plaintext is encrypted in blocks of 64 bits, yielding 64 bits of cipher text.

• The algorithm has 19 stages. The 16 stages of iteration are parameterized by the 56-bit key.

• It is basically a substitution cipher, using 64-bit chars (it can be broken based on this).

[Figure: DES structure: 64-bit plain text → initial transposition → iterations 1, 2, …, 16 → 32-bit swap → inverse transposition → 64-bit cipher text; the 56-bit key is used to generate the 16 keys]


Secret Key Encryption/Decryption Algorithms: IDEA (International Data Encryption Algorithm)

• Developed by James L Massey & Xuejia Lai (1990).

• It uses 128-bit secret keys, the strongest secret key algorithm available.

• The basic structure resembles DES. 64-bit plaintext input blocks are mangled in a sequence of 8 iterations (parameterized by the 128-bit key) to produce 64-bit cipher text output blocks.

[Figure: IDEA structure: 64-bit plain text input, iterations 1, 2, …, 7, 8, then a final transformation]


Secret Communication with Shared Keys

Alice wishes to send some secret information to Bob. Problems are:

1. How can Alice know the other side is Bob, and how can Bob be sure it is really Alice who makes the request?

2. How does Bob know that the message has not been eavesdropped on or tampered with, and is not a copy of an earlier encrypted message?

Let Alice and Bob share a secret key $K_{A,B}$.


Authentication based on Shared Secret Key


An “Improved Protocol”, but…

Authentication by using 3 messages, instead of 5…


Reflection Attack of the “Improved Protocol”


Authentication using Key Distribution Center

The principle of using a KDC


One-way Authentication using KDC

Using a ticket and letting Alice set up a connection to Bob

But, Bob is not sure if the other side is really Alice …


Mutual (two-way) Authentication using KDC: Needham-Schroeder authentication protocol


Possible attack if no “nonce” in messages 1 & 2 …

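[Figure: numbered message exchange; participants shown are Alice, Chunk and the KDC]

1. $A, B$

2. $K_{A,KDC}(B, K_{A,B}, K_{B,KDC}(A, K_{A,B}))$

3. $K_{A,B}(R_{A2}), K_{B,KDC}(A, K_{A,B})$

4. $K_{A,B}(R_{A2}-1, R_B)$

5. $K_{A,B}(R_B-1)$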


Possible attack if no Bob ‘B’ in messages 1&2 …

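[Figure: numbered message exchange; participants shown are Alice, Chunk and the KDC]

1. $R_{A1}, A, B$ (the figure also shows $R_{A1}, A, C$)

2. $K_{A,KDC}(R_{A1}, K_{A,C}, K_{C,KDC}(A, K_{A,C}))$

3. $K_{A,C}(R_{A2}), K_{C,KDC}(A, K_{A,C})$

4. $K_{A,C}(R_{A2}-1, R_B)$

5. $K_{A,C}(R_B-1)$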
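The two slides above each drop one field from message 2; the added example below (not part of the original slides) shows the checks Alice makes when message 2 carries both her nonce and Bob's identity. Encryption is modeled symbolically (a sealed record that opens only with the matching key) rather than with a real cipher, and the names `Sealed`, `KDC`, `alice_accepts` and `demo` are hypothetical.

```python
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Sealed:
    """Symbolic stand-in for K(fields): readable only with the same key."""
    key: bytes
    fields: tuple


def seal(key: bytes, *fields) -> Sealed:
    return Sealed(key, fields)


def unseal(key: bytes, box: Sealed) -> tuple:
    if not hmac.compare_digest(key, box.key):
        raise ValueError("cannot decrypt: wrong key")
    return box.fields


class KDC:
    def __init__(self):
        self.keys = {}  # principal name -> long-term key shared with the KDC

    def register(self, name: str) -> bytes:
        self.keys[name] = secrets.token_bytes(16)
        return self.keys[name]

    def reply(self, nonce: str, a: str, b: str) -> Sealed:
        """Message 2: K_A,KDC(R_A1, B, K_A,B, K_B,KDC(A, K_A,B))."""
        k_ab = secrets.token_bytes(16)        # fresh session key
        ticket = seal(self.keys[b], a, k_ab)  # only b can open the ticket
        return seal(self.keys[a], nonce, b, k_ab, ticket)


def alice_accepts(k_a_kdc: bytes, sent_nonce: str, wanted_peer: str, msg2: Sealed):
    """Alice's checks on message 2; returns (K_A,B, ticket) or raises ValueError."""
    nonce, peer, k_ab, ticket = unseal(k_a_kdc, msg2)
    if nonce != sent_nonce:
        raise ValueError("stale reply: nonce does not match this request")
    if peer != wanted_peer:
        raise ValueError("reply is for a different peer than requested")
    return k_ab, ticket


def outcome(k_a_kdc, nonce, peer, msg2) -> str:
    try:
        alice_accepts(k_a_kdc, nonce, peer, msg2)
        return "accepted"
    except ValueError as err:
        return str(err)


def demo() -> dict:
    kdc = KDC()
    k_alice = kdc.register("A")
    kdc.register("B")
    kdc.register("C")
    old_reply = kdc.reply(secrets.token_hex(8), "A", "B")  # recorded in an earlier run
    nonce = secrets.token_hex(8)                            # R_A1 for this run
    return {
        "fresh": outcome(k_alice, nonce, "B", kdc.reply(nonce, "A", "B")),
        "replayed": outcome(k_alice, nonce, "B", old_reply),
        "redirected": outcome(k_alice, nonce, "B", kdc.reply(nonce, "A", "C")),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```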


Summary of Needham-Schroeder authentication protocol


Possible Replay Attack to the Protocol…

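[Figure: messages 3 to 5 of the protocol; participants shown are Chunk, Bob, the KDC and Alice]

3. $K_{A,B}(R_{A2}), K_{B,KDC}(A, K_{A,B})$

4. $K_{A,B}(R_{A2}-1, R_B)$

5. $K_{A,B}(R_B-1)$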


Enhanced Authentication defeating replay attack

This protocol was adopted in Kerberos, where $R_{B1}$ is a timestamp $t$.


Public Key Cryptography

RSA (Rivest, Shamir, Adleman) Algorithm, 1979 at MIT:

• Use a public key and a private key for encryption and decryption. Difficult to deduce private key from public key

• Keys are 500-2,000 bits in length

• Support authentication and digital signatures


RSA Algorithm

The RSA method is based on some principles of number theory:

• Choose two large primes, $p$ and $q$ ($10^{100}$).

• Compute $n = p \times q$ and $z = (p - 1) \times (q - 1)$.

• Choose a number $d$, which is relatively prime to $z$.

• Find $e$ such that $(e \times d) \bmod z = 1$. One of $e$ or $d$ is the public key, the other the private key.

Encryption

• Divide the plaintext into blocks, so that the binary value of each block $P < n$ (i.e., the block size is $k$ bits and $2^k < n$).

• Compute $C = P^e \pmod n$, where $C$ is the ciphertext.

Decryption

• When receiving a block of ciphertext $C$: compute $P = C^d \pmod n$.

• It is proven: $(P^e \pmod n)^d \pmod n = P$.

Public key: $(e, n)$

Private key: $(d, n)$

Note: $p$, $q$ and $z$ are discarded after generating $e$, $n$ and $d$. It is very difficult to find $p$, $q$ and $z$ from the public key $e$ and $n$.


Mutual Authentication using Public-Key Cryptography

N.B. Alice must be sure $K_B^+$ is truly the public key of Bob, the same for Bob…


Digital Signatures

Digital signatures mimic conventional signatures. They require:

1. Receiver or third party can verify that this message was produced by the signer.

2. Signer cannot repudiate its signature, i.e. the sender cannot sign a message and then later claim that he did not do this.

3. Message cannot be modified after it has been signed.

4. Signature must be unique for a message, i.e. the signature cannot be electronically “cut” from the original message and “pasted” onto another message.


Digital Signatures using Private Keys

A sends B the original message, its ID, and a copy of the message encrypted with A’s private key:

$A \to B$: $M, A, \{M\}_{K_A^-}$

Correctness verification:

• B can verify the signature by decrypting $\{M\}_{K_A^-}$ using $K_A^+$.

• The message M cannot be modified after it is signed, and the signature cannot be cut and pasted onto another document.

• A cannot repudiate the signature, because only he knows $K_A^-$.

Security problem:

• There is no trusted body to keep a record of A’s $K_A^-$ and $K_A^+$ if A changes its keys after some time.


Digital Signatures using Security Server: Needham and Schroeder Protocol

Suppose there is a security server S. $K_A$, $K_B$ and $K_S$ are secret keys.

1. $A \to S$: $A, \{M\}_{K_A}$

2. $S \to A$: $\{A, M, t\}_{K_S}$

S makes a signed and dated certificate of A’s document, encrypts the certificate with its secret key, and sends it back to A.

3. $A \to B$: $M, \{A, M, t\}_{K_S}$

A sends B the original document and the certificate issued by S.

4. $B \to S$: $B, \{A, M, t\}_{K_S}$

B saves the document and certificate for later proof, and sends the certificate to S for decryption.

5. $S \to B$: $\{A, M, t\}_{K_B}$

B decrypts the message and extracts M, which is used to verify whether the document received from A at step 3 has been modified.

The protocol satisfies: the signature is verifiable (via S), non-modifiable, and non-repudiable.


Message Digest

• Encryption / decryption is very time consuming.

• Message digest approach does not require encrypting entire document. It uses a “checksum” (usually 128 bits) or “1-way hash function”.

• Internet standard MD5 (RFC 1321) defines the latest checksum algorithm (128-bits)

A hash function, H(P), has the properties that:

• Given P, it is easy to compute H(P), but not the other direction.

• For P1 ≠ P2, the probability of H(P1) = H(P2) is very small.

• The length of H(P) << length of P.

• H(P) is a “message digest” or “message integrity check”.


Hash Functions : MD5

• MD5 is a hash function to compute a 128-bit fixed length message digest for any arbitrary length of input string.

• The input string is padded to a length of multiple of 512 bits and divided into a sequence of 512-bit blocks.

• Starting with a 128-bit constant, MD5 has k iterations (k is the number of 512-bit blocks of the input). In each iteration, a new 128-bit digest is computed out of an input data block and the previous digest.


Digital signatures using message digests

• To sign a message M, A (or S) computes the message digest, D(M), and encrypts only D(M).

• B stores $\{M, \{D(M)\}_{K_A^-}\}$ (or $\{D(M)\}_{K_S}$). B can verify the signature by computing $D(M)$ and comparing it with $\{\{D(M)\}_{K_A^-}\}_{K_A^+}$.

• Everybody must use the same hash function to compute message digest.
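The RSA steps from the earlier "RSA Algorithm" slide and the digest-based signature on this slide, combined in one added example that is not part of the original slides. It uses SHA-256 from `hashlib` in place of MD5 (MD5's collision resistance is broken), applies no padding, and uses constructed toy-size primes; the function names are illustrative.

```python
import hashlib
from math import gcd


def make_keys(p: int, q: int, d: int):
    """Slide steps: n = p*q, z = (p-1)(q-1), d coprime to z, e with (e*d) mod z = 1."""
    n, z = p * q, (p - 1) * (q - 1)
    if gcd(d, z) != 1:
        raise ValueError("d must be relatively prime to z")
    e = pow(d, -1, z)       # modular inverse, Python 3.8+
    return (e, n), (d, n)   # public key (e, n), private key (d, n)


def encrypt(P: int, public) -> int:
    e, n = public
    if not 0 <= P < n:
        raise ValueError("block value must satisfy P < n")
    return pow(P, e, n)     # C = P^e mod n


def decrypt(C: int, private) -> int:
    d, n = private
    return pow(C, d, n)     # P = C^d mod n


def digest(message: bytes, n: int) -> int:
    """D(M) as an integer below n (reduction mod n is a toy-modulus shortcut)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message: bytes, private) -> int:
    """{D(M)}K-: only the digest is transformed with the private key."""
    d, n = private
    return pow(digest(message, n), d, n)


def verify(message: bytes, signature: int, public) -> bool:
    """Recompute D(M) and compare it with {{D(M)}K-}K+."""
    e, n = public
    return pow(signature, e, n) == digest(message, n)


# Constructed demo primes (two Mersenne primes): far too small and too
# structured for real keys, but large enough that digests do not collide here.
DEMO_P, DEMO_Q, DEMO_D = 2**61 - 1, 2**89 - 1, 65537

if __name__ == "__main__":
    public, private = make_keys(3, 11, 7)       # tiny worked case: n = 33, z = 20
    print(public, private, encrypt(19, public))
    public, private = make_keys(DEMO_P, DEMO_Q, DEMO_D)
    sig = sign(b"pay Bob 10", private)
    print(verify(b"pay Bob 10", sig, public), verify(b"pay Bob 1000", sig, public))
```

The second `verify` call shows the "cut and paste" property: a signature lifted from one message does not verify against another, because the digests differ.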


Security Management

Key Management

• Key establishment

• Key distribution


Key Establishment: Diffie-Hellman key exchange

How can Alice and Bob reach an agreement on a secret key?

$g^{xy} \bmod n$ is the shared key between Alice and Bob


Secret-key distribution

[Figure: secret-key distribution between Alice and Bob]


Public-key Distribution

[Figure: public-key distribution between Alice and Bob]


A Case Study: Email Security

Existing Email System

[Figure: existing email system. The originator's editor and user agent submit mail by SMTP (RFC 821) to an SMTP server (mail transfer agent, SMTP relay); the mail passes by SMTP (RFC 821) through an intermediate relay point to the mail transfer agent (SMTP) at the recipient's mailbox server; the recipient's user agent retrieves it (e.g. POP3, RFC 1725).]


Basic Email Security

SMTP/POP3 (RFC 821/RFC 1725) provide basic email delivery and retrieval services. They are not secure:

• Basic SMTP, as implemented by most sites, has none of the security features – authentication, confidentiality, integrity, ...

  – In particular, SMTP does not authenticate the sender, hence the sender appearing in the FROM field may not be the actual owner of the FROM address at all.

• POP3 provides for userid/password authentication

  – userid/password sent in clear – subject to eavesdropping

  – POP3 provides an encrypted password option, but this option is rarely used


Secure Email Systems

Three widely used secure email systems:

PGP – Pretty Good Privacy

PEM – Privacy Enhanced Mail

S/MIME – Secure Multipurpose Internet Mail Extensions


Email Security Requirements and Solutions

• Source authentication. Ensure that the originator of the message is who he/she claims to be.

  – Solution: require the originator to produce a digital signature for the message, which is then sent with the message.

• Confidentiality of message. Prevent messages from being eavesdropped or tampered.

  – Solution: encrypt the message.


Certificates and Email Security

For a brief introduction, see:

http://www.joar.com/certificates/

http://www.emailprivacy.info/digital_signatures

Certificates are used to identify people’s identities in the digital world (like your passport or your ID card):

• Certificates are issued by authorities in digital world, called CA (Certificate Authorities).

• Each certificate is signed by the CA who issues it and it can be verified by using public key of the CA. Public keys of CAs are pre-installed in standard email systems.

• A certificate has a pair of keys for the user who requests it, a public key (embedded in the certificate) and a private key (kept in your local PC). It uses public key method for encryption and authentication.


Personal Certificate

A certificate (defined in X.509) contains information on:

1. The individual who requests the certificate;

2. The CA that issues the certificate.

A certificate has two parts: data, and the CA’s signature.

The data part contains:

• version no. of the X.509 standard, serial no. of the certificate (unique to a CA)

• signature algorithm used by the CA (e.g., PKCS #1 MD5 with RSA Encryption)

• distinguished name of the CA and the certificate subject (in X.500 format)

• valid period

• information about the public key being certified and the public-key algorithm

• special extensions (optional)

The signature of the CA includes: the signature of the CA and the signature algorithm.

Anyone receiving the certificate can use the signature algorithm and the CA's public key to verify it. The public keys of the CAs are built into Outlook.


A Sample Certificate

This is a certificate issued by Ace CA:

Data
  Version: v1 (0x0)
  Serial Number: 1 (0x1)
  Signature Algorithm: PKCS #1 MD5 With RSA Encryption
  Issuer: OU=Ace Certificate Authority, O=Ace Ltd, C=US
  Validity:
    Not Before: Fri Nov 15 00:24:11 1996
    Not After: Sat Nov 15 00:24:11 1997
  Subject: CN=Jane Doe, O=Ace Industry, C=US
  Subject Public Key Info:
    Algorithm: PKCS #1 RSA Encryption
    Public Key:
      00:d0:e5:60:7c:82:19:14:cf:38:
      F7:5b:f7:35:4e:14:41:2b:ec:24:
      33:73:be:06:aa:3d:8b:dc:0d:06:
      35:10:92:25:da:8c:c3:ba:b3:d7:
      lf:1d:5a:50:6f:9a:86:53:15:f2:
      53:63:54:40:88:a2:3f:53:11:ec:
      68:fa:e1:f2:57
    Public Exponent: 65537 (0x10001)

Signature
  Algorithm: PKCS #1 MD5 With RSA Encryption
  Signature:
    12:f6:55:19:3a:76:d4:56:87:a6:
    39:65:f2:66:f7:06:f8:10:de:cd:
    1f:2d:89:33:90:3d:a7:e3:ec:27:
    ac:e1:c0:29:c4:5a:69:17:51:dc:
    1e:0c:c6:5f:eb:dc:53:55:77:01:
    83:8f:4a:ab:41:46:02:d7:c8:9a:
    fe:7a:91:5c


Obtain a Certificate

Apply for a free email certificate from the Thawte website: http://www.thawte.com/secure-email/personal-email-certificates/index.html

Steps:

1) Fill in your personal details for on-line application.

2) It generates a certificate and a private key (this certificate is associated with your email address, and other optional information). Then, it emails to inform you where to download the certificate.

3) Download (install) the certificate to your local site (your PC).

4) Now, you can use your certificate for signing / encrypting emails.


S/MIME Options in Outlook Express


Sign an Email and Read a Signed Email

A signed email assures you that the email was really sent by the owner of the email address (when applying for a certificate, the email address is supplied):

• When you click “sign” to sign an outgoing email, your private key is used to generate a signature. The message, together with this signature and your certificate, will be sent out;

• When the recipient receives your signed email, the mail reader (e.g., Outlook) will:

  1. Verify the attached certificate; if it is valid, then

  2. Verify the message signature by using the certificate (the certificate will also be saved into the recipient’s database).


Encrypt / Decrypt Emails

• When you click “encrypt” for an outgoing email, the message will be encrypted by using the recipient’s public key (embedded in the recipient’s certificate).

• You need to have the recipient’s certificate for encrypting a message to him (ask the recipient to send you a signed, not encrypted (why?), message. His certificate will be automatically extracted and stored in your local database).

• When the recipient receives an encrypted email, the mail-system will use his private key to decrypt it.

• An encrypted message may not be signed! It only ensures the message is not eavesdropped or tampered.

