54
C. Xu, 2002-2009 1 Security in Distributed Systems ECE7610/ECE7650 Cheng-Zhong Xu
C. Xu, 2002-2009 1
Security in Distributed Systems
ECE7610/ECE7650Cheng-Zhong Xu
C. Xu, 2002-2009 2
Outline• General Security Requirements
• Cryptography
• Secure Channel
• Access Control
• Security in Mobile Codes
• Case Studies– Kerberos Systems– SSL – SET
C. Xu, 2002-2009 3
General Security Requirements
• Confidentiality (Privacy, Secrecy) – Protection from disclosure to unauthorized parties– E.g. overhear talk, illegal data copy (Interception)
• Integrity– Protection from unauthorized change of data/tampering
of services– Violations be detectable and recoverable– E.g. Message relay (Fabrication, Modification)
• Availability– Legitimate users have access anytime– E.g. Denial of Service Attack (Interrupt)– One facet of dependable systems, as well
C. Xu, 2002-2009 4
Security Policy vs Mechanism
• Policy specifies which actions the entities of a system can or can’t take– Entities: users, services, data, machines, etc
• Mechanism facilitates policy enforcement– Encryption: transform data into unreadable – Authentication: verify claimed identify– Authorization: – Auditing: help detect security breach
C. Xu, 2002-2009 5
Security in Distributed Systems• Security threats in isolated systems
– Assumption: Isolated systems are secure– Security Mechanism: Protect from physical break-in
• Security in networked systems within an administrative domain but isolated from Internet– Identity Assumption:
• Whenever a program attempts some action, we can easily identify a person to whom that action can be attributed, and it is safe to assume that that person intends the action to be taken.
– Optimistic Assumption about Trojan Horse Attack • Users are responsible for actions of their programs
– Mechanisms:• Cryptographic Password• Authorized users with different privilege levels
C. Xu, 2002-2009 6
Security in Distrib. Systems (cont’)
• Security in systems cross admini. domains– Assumptions
• Untrusted users in open systems, but protection domain per user
• Insecure communication
• Rare code migration becomes common
Communication channel
Process p Process q
The enemym’
Copy of m
m
C. Xu, 2002-2009 7
Security in Distributed Systems (cont’)
• Examples of Mechansims (e-Commerce):– Authentication: verify claimed identify (CA) – Secure comm. channel (SSL based https)– Firewall: packet filtering, authorization check– Resource access control: client access resources via
server ops; access right checking during invocations.
Principal A
Secure channelProcess p Process q
Principal BThe enemyCryptography
C. Xu, 2002-2009 8
Threats not defeated by secure channels or other cryptographic techniques
• Denial of service attacks– Deliberately excessive use of resources to the extent that they are
not available to legitimate users• E.g. the Internet 'IP spoofing' attack, February 2000
• Trojan horses and other viruses– Viruses can only enter computers when program code is imported.
– But users often require new programs, for example:• New software installation
• Mobile code downloaded dynamically by existing software (e.g. Java applets)
• Accidental execution of programs transmitted surreptitiously
– Defences: code authentication (signed code), code validation (type checking, proof), sandboxing.
*
Taxonomy 1-9
Recap: Network Security attacks on Internet infrastructure:
infecting/attacking hosts: spyware, virus, worms, Trojan Horse, unauthorized access, and malware in geneal
• Malware: sw designed to infiltrate or damage a computer system w/o the owner’s informed consent [Wikipedia]; based on intention of its creator, rather than any features
• In law, malware is defined as a computer contaminant denial of service: deny access to resources (servers, link
BW)• Vulnerability attack; BW flooding; Connection flooding
Internet not originally designed with security in mind original vision: “a group of mutually trusting users attached
to a transparent network” Internet protocol designers playing “catch-up” Security considerations in all layers!
Taxonomy 1-10
What can bad guys do: malware? Spyware:
infection by downloading web page with spyware
records keystrokes, web sites visited, upload info to collection site
Virus infection by receiving
object (e.g., e-mail attachment), actively executing
self-replicating: propagate itself to other hosts, users
Worm: infection by passively
receiving object that gets itself executed
self- replicating: propagates to other hosts, users
Sapphire Worm in 2003: aggregate scans/sec in first 5 minutes of outbreak (CAIDA, UWisc data)
Double in every 8.5 sec90% infected in 10 min
Taxonomy 1-11
Denial of service attacks attackers make resources (server, bandwidth)
unavailable to legitimate traffic by overwhelming resource with bogus traffic
1. select target
2. break into hosts around the network (collectively, known as botnet)
3. send packets toward target from compromised hosts
target
Taxonomy 1-12
Sniff, modify, delete your packetsPacket sniffing:
broadcast media (shared Ethernet, wireless) promiscuous network interface reads/records all packets
(e.g., including passwords!) passing by
A
B
C
src:B dest:A payload
Ethereal (Wireshark) software used for end-of-chapter labs is a (free) packet-sniffer
Taxonomy 1-13
Masquerade as you IP spoofing: send packet with false source
address
A
B
C
src:B dest:A payload
Taxonomy 1-14
Masquerade as you Man-in-the-middle attack
IP spoofing: send packet with false source address record-and-playback: sniff sensitive info (e.g., password),
and use later password holder is that user from system point of view
A
B
C
src:B dest:A user: B; password: foo
Taxonomy 1-15
Masquerade as you IP spoofing: send packet with false source address record-and-playback: sniff sensitive info (e.g., password),
and use later password holder is that user from system point of view
A
B
later …..C
src:B dest:A user: B; password: foo
C. Xu, 2002-2009 16
Threats and forms of attack• Eavesdropping
– obtaining private or secret information
• Masquerading– assuming the identity of another user/principal
• Message tampering– altering the content of messages in transit
• man in the middle attack (tampers with the secure channel mechanism)
• Replaying– storing secure messages and sending them at a later date
• Denial of service– flooding a channel or other resource, denying access to others
*
C. Xu, 2002-2009 17
Key Issues
• Secure Channels– Authentication: Verify of claimed identify
– Message Integrity: Detect of any alteration
– Confidentiality: Inf exposes to authorized parties only
• Access Control– Authorization
Cryptography is fundamental
C. Xu, 2002-2009 18
Cryptography
• Three possible ways of attack– Intruders (eavesdroppers) intercept the msg silently – Modify the msg– Insert the msg, attempting to make R believe these msgs come from S.
C. Xu, 2002-2009 19
Cryptosystems• Symmetric Cryptosystem: same key to encrypt/decrypt
P = Dk( Ek(P) )– 56-bit Data Encryption Standard (DES), 128-bit IDEA and triple-DES
– New U.S. standard: 128, 192, 256-bit AES based Rijndael algorithm (Joan Daemen and Vincent Rijmen (Effective May 26, 2002)
• Asymmetric Cryptosystem. Two keys form a pair. e.g. RSA
P = Dkd( Eke(P) )
Public-key systems: K+ as public key and K- as private key
For example: – (1) How can Alice send a confidential msg to Bob ?
– (2) How can Bob verify if the msg come from Alice
C. Xu, 2002-2009 20
Symmetric Key Crypto: two basic ops
Substitution: substituting one thing for another– monoalphabetic cipher: substitute one letter for another
translation:abcdefghijklmnopqrstuvwxyz
table : mnbvcxzasdfghjklpoiuytrewq
Plaintext: bob. i love you. aliceciphertext: nkn. s gktc wky. mgsbc
E.g.:
Permutation: rearrange (shuffle) the input
C. Xu, 2002-2009 21
Symmetric encryption algorithmsThese are all programs that perform confusion and diffusion operations on
blocks of binary data
TEA: a simple but effective algorithm developed at Cambridge U (1994) for teaching and explanation. 128-bit key, 700 kbytes/sec
DES: The US Data Encryption Standard (1977). No longer strong in its original form. 56-bit key, 350 kbytes/sec.
Triple-DES: applies DES three times with two different keys. 112-bit key, 120 Kbytes/sec
IDEA: International Data Encryption Algorithm (1990). Resembles TEA. 128-bit key, 700 kbytes/sec
AES: A proposed US Advanced Encryption Standard (1997). 128/256-bit key.
There are many other effective algorithms. See Schneier [1996].The above speeds are for a Pentium II processor at 330 MHZ. Today's PC's (January
2002) should achieve a 5 x speedup.
*
C. Xu, 2002-2009 22
TEA encryption function
void encrypt(unsigned long k[], unsigned long text[]) {unsigned long y = text[0], z = text[1]; unsigned long delta = 0x9e3779b9, sum = 0; int n; for (n= 0; n < 32; n++) {
sum += delta; y += ((z << 4) + k[0]) ^ (z+sum) ^ ((z >> 5) + k[1]); 5z += ((y << 4) + k[2]) ^ (y+sum) ^ ((y >> 5) + k[3]); 6
}text[0] = y; text[1] = z;
}
• Lines 5 & 6 perform confusion (XOR of shifted text)and diffusion (shifting and swapping)
key 4 x 32 bits
plaintextand result 2 x 32
Exclusive OR
logical shift
C. Xu, 2002-2009 23
TEA decryption function
void decrypt(unsigned long k[], unsigned long text[]) {unsigned long y = text[0], z = text[1];unsigned long delta = 0x9e3779b9, sum = delta << 5; int n;for (n= 0; n < 32; n++) {
z -= ((y << 4) + k[2]) ^ (y + sum) ^ ((y >> 5) + k[3]);y -= ((z << 4) + k[0]) ^ (z + sum) ^ ((z >> 5) + k[1]);sum -= delta;
}text[0] = y; text[1] = z;
}
C. Xu, 2002-2009 24
TEA in usevoid tea(char mode, FILE *infile, FILE *outfile, unsigned long k[]) {/* mode is ’e’ for encrypt, ’d’ for decrypt, k[] is the key.*/
char ch, Text[8]; int i;while(!feof(infile)) {
i = fread(Text, 1, 8, infile); /* read 8 bytes from infile into Text */if (i <= 0) break;while (i < 8) { Text[i++] = ' ';) /* pad last block with spaces */switch (mode) {case 'e':
encrypt(k, (unsigned long*) Text); break;case 'd':
decrypt(k, (unsigned long*) Text); break;}fwrite(Text, 1, 8, outfile); /* write 8 bytes from Text to outfile */
}}
C. Xu, 2002-2009 25
Classical Feistel Structure• Virtually all conventional block
encryption algorithms, including Data Encryption Standard (DES) have a structure first described by Horst Feistel of IBM in 1973
• Properties– a particular structure of permutation
and substitution of input; the structure is made public
– the most important component is the F function
– the F function does not even need to be one-to-one to decrypt message so long the receiver knows the key
C. Xu, 2002-2009 26
DES: Data Encryption Standard• US encryption standard [NIST 1993]• 56-bit symmetric key, 64 bit plaintext input• Use a 16 round Feistel Network
input processing key generation
C. Xu, 2002-2009 27
Security of DES• Intuitively, the design of F is to make it hard to inverse the
function (by any crypto analysis technique), i.e., security by confusion and obfuscation– the design philosophy of the F function of DES is not known– thus the “best known” attack is to try all possible 56-bit keys on the
ciphertext to see if a key generates a “reasonable” plaintext
• However, 56 bit keys appear to be too short
ChallengeWinner(s)
AnnouncedKey Size / Encryption
TypeCracked
in...
RSA's DES Challenge June 1997 56-bit / DES 96 Days
RSA's DES Challenge II-1 February 1998 56-bit / DES 41 Days
RSA's DES Challenge II-2 July 1997 56-bit / DES 56 Hours
RSA's DES Challenge III January 1999 56-bit / DES 22 Hours
C. Xu, 2002-2009 28
Making DES More Secure
• Use three keys sequentially (3-DES) on each datum
• C = ciphertext• P = Plaintext• EK[X] = encryption of X using key K• DK[Y] = decryption of Y using key K
notation: EK[X], {X}K both mean encrypt X using key K
• Replaced by Advanced Encryption Standard [NIST 2000]:http://csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf
C = EK3[DK2[EK1[P]]]
C. Xu, 2002-2009 29
Advanced Encryption Standard (AES)
ByteSub
ShiftRow
MixColumn
C. Xu, 2002-2009 30
Cipher blocks, chaining and stream ciphers
n
n+3 n+2 n+1 XOR
E(K, M)
n-1n-2n-3
plaintext blocks
ciphertext blocks
Cipher block chaining (CBC)
XOR
E(K, M)number generator n+3 n+2 n+1
plaintext stream
ciphertext stream
buffer
keystream Stream cipher
Most algorithms work on 64-bit blocks.Weakness of simple block cipher:- repeated patterns can be detected.
C. Xu, 2002-2009 31
Asymmetric encryption algorithms
RSA: The first practical algorithm (Rivest, Shamir and Adelman 1978) and still the most frequently used. Key length is variable, 512-2048 bits. Speed 1-7 kbytes/sec. (350 MHz PII processor)
Elliptic curve: A recently-developed method, shorter keys and faster.
Asymmetric algorithms are ~1000 x slower and are therefore not practical for bulk encryption, but their other properties make them ideal for key distribution and for authentication uses.
They all depend on the use of trap-door functionsA trap-door function is a one-way function with a secret exit - e.g. product of two large numbers; easy to multiply, very hard (infeasible) to factorize.
C. Xu, 2002-2009 32
RSA (1)To find a key pair e, d: 1. Choose two large prime numbers, P and Q (each greater than 10100), and form:
N = P x Q Z = (P–1) x (Q–1)
2. For d choose any number that is relatively prime with Z (that is, such that d has no common factors with Z).We illustrate the computations involved using small integer values for P and Q:
P = 13, Q = 17 –> N = 221, Z = 192 d = 5
3.To find e solve the equation: e x d = 1 mod ZThat is, e x d is the smallest element divisible by d in the series Z+1, 2Z+1, 3Z+1, ... .
e x d = 1 mod 192 = 1, 193, 385, ...385 is divisible by de = 385/5 = 77
4. (e, N) is an encryption key and (d, N) is corresponding descryption key
C. Xu, 2002-2009 33
RSA (2)To encrypt text using the RSA method, the plaintext is divided into equal blocks of
length k bits where 2k < N (that is, such that the numerical value of a block is always less than N; in practical applications, k is usually in the range 512 to 1024).
k = 7, since 27 = 128 The function for encrypting a single block of plaintext M is:
E'(e,N,M) = Me mod Nfor a message M, the ciphertext is M77 mod 221
The function for decrypting a block of encrypted text c to produce the original plaintext block is:
D'(d,N,c) = cd mod NRivest, Shamir and Adelman proved that E' and D' are mutual inverses
(that is, E'(D'(x)) = D'(E'(x)) = x) for all values of P in the range 0 ≤ P ≤ N.The two parameters e,N can be regarded as a key for the encryption function, and
similarly d,N represent a key for the decryption function. So we can write Ke
= <e,N> and Kd = <d,N>
C. Xu, 2002-2009 34
RSA Another Example
Bob chooses P=5, Q=7. Then N=35, Z=24.e=5 (so e, Z relatively prime)d=29 (so ed-1 exactly divisible by Z)
letter m me c = m mod ne
L 12 1524832 17
c m = c mod nd
17 481968572106750915091411825223071697 12
cdletter
L
encrypt:
decrypt:
C. Xu, 2002-2009 35
Digital signatures
Requirements:– To authenticate stored document files as well as messages
– To protect against forgery
– To prevent the signer from repudiating a signed document (denying their responsibility)
Encryption of a document in a secret key constitutes a signature- impossible for others to perform without knowledge of the key
- strong authentication of document
- strong protection against forgery
- weak against repudiation (signer could claim key was compromised)
*
C. Xu, 2002-2009 36
Secure Digest Function• h = H(m): take a msg of arbitrary length and produce a bit
string of a fixed length. • Example:
– 128-bit MD5 (Rivest’92): generate 128 bit fixed length msg digest from an arbitrary length binary input string
– 160-bit SHA (NIST’95), based on Rivest’s MD4, but made more secure by producing a 160-bit digest.
– Any symmetric encryption algorithm in the CBC (cipher block chaining) mode. The last block in the chain is H(m)
• Properties:– One-way function: Given h, it’s computationally infeasible to compute m– weak collision resistance: Given an input m and its associated output h, it’s
computationally infeasible to find another m’ that is not equal to m but H(m)=H(m’)
– strong collision resistance: Given only H, it’s computationally infeasible to find any two different inputs m and m’, such that H(m) = H(m’)
• Both MD5 and SHA are shown to be broken lately!!http://www.schneier.com/blog/archives/2005/06/more_md5_collis.htmlhttp://www.schneier.com/blog/archives/2005/02/sha1_broken.html
C. Xu, 2002-2009 37
Digital Signature for Message Integrity
• DA using public-key crypto, like RSA
• Bob verifies msg m by comparison• Alice is protected against Bob’s modification because
of her signature. • But, what if Alice wants to change her key?
Need central authority to keep records
C. Xu, 2002-2009 38
Digital Signatures (cont’)• Encryption of an entire message with a private key
is very time-consuming• Using hash function, H, to generate a message
digest and encrypting the digest instead
C. Xu, 2002-2009 39
MACs: Low-cost signatures with a shared secret key
Signing
Verifying
M
K
M
K
h = h'?authentic:forged
h
M
signed doc
H(M+K) h
h'
H(M+K)
Signer and verifier share a secret key K
MAC: Message Authentication Code
C. Xu, 2002-2009 40
Perf of encryption and secure digest algs
Key size/hash size(bits)
Extrapolatedspeed
(kbytes/sec.)
PRB optimized speed
(kbytes/s)
TEA 128 700 -
DES 56 350 7746
Triple-DES 112 120 2842
IDEA 128 700 4469
RSA 512 7 -
RSA 2048 1 -
MD5 128 1740 62425
SHA 160 750 25162
PRB = Preneel, Rijmen and Bosselaers [Preneel 1998]
Algorithm
Publickey
Secret key
Digest
speeds are for a Pentium II processor at 330 MHZFigure 7.14
C. Xu, 2002-2009 41
Outline• General Security Requirements• Cryptography• Secure Communication Channel
– Authentication– Message integrity and confidentiality
• Access Control• Security in Mobile Codes• Case Studies
– Kerberos Systems– SSL – E-Cash and SET
C. Xu, 2002-2009 42
Secure Channel
• Authentication
• Message Integrity: msg is protected against modification– More than authentication of communication
parties. e.g. protection of the integrity of on-line transaction agreement
• Confidentiality: Msg won’t be intercepted and read by evaesdroppers– Cryptographic keys are not enough
C. Xu, 2002-2009 43
Secure Channel: Authentication• Alice initiates in setting up a channel between
Alice and Bob. Once it is done, Alice and Bob know for sure whom they are talking to.
• Authentication based on shared secrete keys (Session Keys): Challenge-Response Protocol
1: identify of A2: Challenge of B3: Encrypted challenge4: Challenge of A5: Encrypted challenge
C. Xu, 2002-2009 44
Optimized Authentication ?
• Authentication based on a shared secret key, but using three instead of five keys
C. Xu, 2002-2009 45
Reflection Attack
• Two comm parties use the same challenge in different runs of the protocol
• Also, valuable info. Ka,b(Rc) is released to unknown person
C. Xu, 2002-2009 46
Key Distributed Center• Shared-key based authentication is not scalable. In a
system with n hosts, n(n-1)/2 keys are needed and each host needs to manage n-1 keys
• Alternative is to assume a trusted third party,like KDC, which shares a secret key with each host
• The message KB,KDC(KA,B) is called a ticket• Alice uses this ticket to establish connection with Bob
C. Xu, 2002-2009 47
Needham-Schroeder Protocol
• RA1 is a nonce (random number, “number use for once”) to uniquely related msg 1 and msg 2 to each other.
• The identify B of Bob is included in msg 2 to confirm the return ticket between A and B.
• Returning RA2-1 in msg 4 proves Bob knows the shared key and he actually has used the key to decrypted the challenge.
C. Xu, 2002-2009 48
Improved Needham-Schroeder Protocol
• Using an extra nonce RB1 to protect against malicious reuse of a previously generated session key
C. Xu, 2002-2009 49
Shared Key Setup by Public-Key• Mutual authentication, assuming knowledge
of public keys of each other
Be assured that Alice is actually using Bob’s public keyHow??
C. Xu, 2002-2009 50
Initial Key Establishment• Diffie-Hellman Key Exchange
– Alice and Bob agree on two large public numbers n and g
– Alice and Bob pick up two large random numbers, x and y, as their private keys
– Alice send gx mod n to Bob and Bob sends gy mod n to Alice, along with n ang g
• gx mod n is one-way function: x is impossible to be computed
– Established shared key: (gx mod n)y = gxy mod n
Diffie-Hellman can also be viewed as a public-key cryptography,
where x and y are private keys, gx mod n and gy mod n are public keys.
C. Xu, 2002-2009 51
Session key for Confidentiality
• Confidentiality: msg won’t be intercepted and read by eavesdroppers
• Cryptogrphaic keys are subject to “wear and tear” (A frequently used key tends to be stolen)
• Lose of cryptographic keys leads to replay attacks• Replacing cryptographic keys are expensive
Create a unique session key for each secure communication channel
Example in Java (http://www.javaworld.com)import java.io.*; import java.security.*; class GenSig { public static void main(String[] args) { /* java GenSig data-be-signed */ try{ /* Initialize the Key-Pair Generator */
KeyPairGenerator keyGen = KeyPairGenerator.getInstance("DSA", "SUN");
keyGen.initialize(1024,SecureRandom.getInstance(“SHA1PRNG”,”SUN”)); /* Generate the Pair of Keys */
KeyPair pair = keyGen.generateKeyPair(); PrivateKey priv = pair.getPrivate(); PublicKey pub =
pair.getPublic(); /* Create a Signature and initialize it with the private key */
Signature dsa = Signature.getInstance("SHA1withDSA", "SUN");
dsa.initSign(priv); /* Update and sign the data */ FileInputStream fis = new FileInputStream(args[0]); BufferedInputStream bufin = new
BufferedInputStream( fis ); byte[] buffer = new byte[1024]; int len; while (bufin.available() != 0) { len = bufin.read(buffer); dsa.update(buffer, 0, len); }; bufin.close(); … …
52
C. Xu, 2002-2009 53
Example in Java (Cont’)try { … … /* Generate a signature for the data */ byte[] realSig = dsa.sign(); /* Save the signature in a file */ FileOutputStream sigfos = new FileOutputStream("sig"); sigfos.write(realSig); sigfos.close();
/* Save the public key in a file */ byte[] key = pub.getEncoded(); FileOutputStream keyfos = new FileOutputStream("suepk"); keyfos.write(key); keyfos.close(); } catch (Exception e) { System.err.println("Caught exception " + e.toString()); } };
C. Xu, 2002-2009 54
Summary• General Security Requirements• Cryptography• Secure Communication Channel
– Authentication– Message integrity and confidentiality
• To be discussed– Access Control– Security in Mobile Codes– Case Studies
• Kerberos Systems• SSL • SET
