PROPRIETARY MATERIAL. © 2007 The McGraw-Hill Companies, Inc. All rights reserved. No part of this PowerPoint slide may be displayed, reproduced or distributed
in any form or by any means, without the prior written permission of the publisher, or used beyond the limited distribution to teachers and educators permitted by McGraw-Hill
for their individual course preparation. If you are a student using this PowerPoint slide, you are using it without permission.
Chapter 20: Distributed System Security
Dhamdhere: Operating Systems—A Concept-Based Approach, 2 ed
Slide No: 1
Copyright © 2008
Security issues in distributed systems
• Interprocess messages travel over the network
– Hence intruders can perpetrate attacks through messages
Security threats in distributed systems
• The following threats can be posed through messages
– Leakage
* Message contents are read by intruder
– Tampering
* Messages are corrupted or altered
– Stealing
* Resources are accessed without authorization
– Denial of service
* Authorized users are prevented from accessing resources
Mechanisms and policies for distributed system security
• Encryption ensures secrecy and integrity of meta data and messages
• Key distribution center generates encryption keys for communication
• Authentication is used to prevent masquerading
Classes of security attacks
• Four classes of attacks
– Eavesdropping
* Intruder listens to messages on the network
– Message tampering
* Intruder corrupts or alters messages
– Message replay
* Intruder inserts copies of old messages in message communication to fool processes
– Masquerading
* Intruder is able to pass off as an authorized user to perform computations and use resources
Message security
• Three techniques are used for message security
– Private key encryption
* All messages sent to a process are encrypted with its private key
Problems: Private key is exposed to attacks all through process lifetime. Difficult for user processes to know each other’s keys.
Used for communication from OS to user processes
– Public key encryption
* A process has a (public key, private key) pair
Encryption is asymmetric: Messages sent to it are encrypted using its public key; it decrypts them using its private key
– Session key encryption
* A session key is generated for each communication session between processes
Limits exposure of the encryption key
Encryption techniques
• Public key encryption
– $P_i$ has a pair $(U_i, V_i)$, where $U_i$, $V_i$ are public, private keys
* $V_i$ cannot be guessed from $U_i$
* For any message $m$, $D_{V_i}(E_{U_i}(P_m)) = P_m$ for all $U_i$, $V_i$
* Sender encrypts using $U_i$, $P_i$ decrypts using $V_i$
* Rivest-Shamir-Adleman (RSA) algorithm is used to generate $(U_i, V_i)$
Let $(u, v)$ be the pair of keys and $x, y < n$
» $E_u(x) = x^u \bmod n$
» $D_v(y) = y^v \bmod n$
$n$ is a product of two large prime numbers $p$ and $q$
» $v$ should be relatively prime to $(p - 1) \times (q - 1)$
» $u \times v \bmod [(p - 1) \times (q - 1)] = 1$
– Keys are longer than private keys and encryption / decryption is slower
Distribution of encryption keys
• Processes have to know which keys to use for encrypting messages to other processes
– A key distribution center (KDC) is a trusted service which provides the keys securely to processes
– When process $P_i$ wishes to communicate with $P_j$
* It makes a request to KDC, passing $P_j$’s id
* KDC actions:
Public key encryption: Provides public key of $P_i$
Session key encryption: Generates a session key and provides it to $P_i$. Also enables $P_i$ to pass the key securely to $P_j$
Distribution of public keys
• Steps
– Step 1: $P_i$ → KDC : $E_{U_{kdc}}(P_i, P_j)$
– Step 2: KDC → $P_i$ : $E_{U_i}(P_j, U_j)$
Encryption is employed merely to prevent message tampering
Distribution of session keys
• Steps
– Step 1: $P_i$ → KDC : $P_i, P_j$
– Step 2: KDC → $P_i$ : $E_{V_i}(P_j, SK_{i,j}, E_{V_j}(P_i, SK_{i,j}))$
– Step 3: $P_i$ → $P_j$ : $E_{V_j}(P_i, SK_{i,j}), E_{SK_{i,j}}(\langle \text{message} \rangle)$
Obtaining a session key
• In a public key system, a process can itself choose a session key to communicate with another process
– Step 1: $P_i$ → KDC : $E_{U_{kdc}}(P_i, P_j)$
– Step 2: KDC → $P_i$ : $E_{U_i}(P_j, U_j)$
– Step 3: $P_i$ → $P_j$ : $E_{U_j}(P_i, SK_{i,j}), E_{SK_{i,j}}(\langle \text{message} \rangle)$
$P_i$ requests public key of $P_j$ in step 1 and obtains it in step 2. In step 3, it communicates the selected session key to $P_j$
Preventing message replay attacks
• How to check whether message $m$ received by $P_j$ from $P_i$ is a genuine message
– Check whether $m$ was sent by $P_i$ in ‘real time’
– The challenge–response protocol is used for this purpose
Challenge–response protocol
• Steps
– Challenge
* $P_j$ throws a challenge to the message sender to prove that it is $P_i$
It sends a challenge string encrypted using $P_i$’s key
The string is called a nonce
– Response
* Message sender performs the following actions
Decrypts the message
Transforms the challenge string in the expected manner
Encrypts the result so that only $P_j$ can decrypt it and sends it back
– Detect
* $P_j$ decrypts and checks whether the reply is as expected
Mutual authentication
• Processes must authenticate each other before entering into communication
– $P_i$ chooses and communicates a session key to another process
* Step 1: $P_i$ → KDC : $E_{U_{kdc}}(P_i, P_j)$
* Step 2: KDC → $P_i$ : $E_{U_i}(P_j, U_j)$
* Step 3: $P_i$ → $P_j$ : $E_{U_j}(P_i, SK_{i,j}), E_{SK_{i,j}}(\langle \text{message} \rangle)$
– The recipient process must authenticate the sender using the challenge–response protocol
* Step 4: $P_j$ → $P_i$ : $E_{U_i}(P_j, n)$
* Step 5: $P_i$ → $P_j$ : $E_{U_j}(n+1)$
– Now the communication can begin
* Step 6: $P_i$ → $P_j$ : $E_{SK_{i,j}}(\langle \text{message} \rangle)$
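An added example, not taken from the slides or the textbook: the RSA relations from the encryption-techniques slide are used to run steps 4 and 5 of the exchange above, and a step-5 message captured from an earlier run is shown failing against a fresh nonce. The toy key sizes, the id 7 for P_j, the 64-bit nonce and all function names are assumptions; unpadded RSA with primes this small is for illustration only.

```python
import secrets
from math import gcd

def make_keys(p, q, u=65537):
    """Return (n, u, v) with u * v mod [(p-1)(q-1)] = 1, as on the RSA slide."""
    phi = (p - 1) * (q - 1)
    if gcd(u, phi) != 1:
        raise ValueError("u must be relatively prime to (p-1)(q-1)")
    return p * q, u, pow(u, -1, phi)          # v is the inverse of u mod phi

def rsa(x, key, n):
    """E_u(x) = x^u mod n; D_v(y) = y^v mod n is the same operation with v."""
    if not 0 <= x < n:
        raise ValueError("value must be smaller than n")
    return pow(x, key, n)

# Constructed toy keys built from Mersenne primes: far too small for real use.
N_I, U_I, V_I = make_keys(2**31 - 1, 2**89 - 1)     # P_i
N_J, U_J, V_J = make_keys(2**61 - 1, 2**107 - 1)    # P_j
ID_J, MASK = 7, 2**64 - 1                           # hypothetical id of P_j

class Recipient:
    """P_j's side of steps 4 and 5."""
    nonce = None

    def challenge(self):
        self.nonce = secrets.randbits(64)            # fresh for every run
        return rsa((ID_J << 64) | self.nonce, U_I, N_I)   # step 4: E_Ui(Pj, n)

    def verify(self, response):
        if self.nonce is None:
            return False                             # no challenge outstanding
        expected, self.nonce = self.nonce + 1, None  # each nonce is single-use
        return rsa(response, V_J, N_J) == expected   # D_Vj(response) == n + 1

def respond(challenge):
    """P_i's side: decrypt with V_i, check who asked, return E_Uj(n + 1)."""
    plain = rsa(challenge, V_I, N_I)
    if plain >> 64 != ID_J:
        raise ValueError("challenge does not name P_j")
    return rsa((plain & MASK) + 1, U_J, N_J)         # step 5

def demo():
    pj = Recipient()
    first = respond(pj.challenge())
    live = pj.verify(first)        # genuine reply to the outstanding nonce
    pj.challenge()                 # later run, new nonce
    replayed = pj.verify(first)    # old step-5 message presented again
    return live, replayed
```

The replayed message is rejected because it encodes the old nonce plus one, while P_j now expects a value derived from the new nonce.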
Authentication of data and messages
• Authenticity and integrity of data
– Authenticity
* Implies that data was originated or sent by a claimed person, and that it has not been tampered with
– Integrity
* Implies that data has not been tampered with
Integrity of data
• Integrity is ensured through use of a message digest
– Message digest $v$ of data $d$ is a fixed length hash value obtained from $d$
* It is obtained by employing a one-way hash function
* Given $v$, it should be impossible to construct a data $d'$ such that $v$ is its message digest
It is called a birthday attack
– The pair $\langle d, v \rangle$ is stored
* To check whether $d$ has been tampered with, the hash value of $d$ is obtained and compared with $v$
– $v$ or $\langle d, v \rangle$ is encrypted to protect against tampering
* It makes the integrity check foolproof
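An added example, not from the slides: it compares a stored pair with an unprotected digest against a pair whose digest depends on a secret key, to show why the slide protects v. HMAC-SHA256 is used here in place of the slide's "encrypted digest"; the key, the sample data and the function names are constructed for illustration.

```python
import hashlib
import hmac

def digest(d):
    """Message digest v of data d (SHA-256 as the one-way hash)."""
    return hashlib.sha256(d).digest()

def keyed_digest(key, d):
    """v protected by a secret key (HMAC-SHA256 in place of an encrypted digest)."""
    return hmac.new(key, d, hashlib.sha256).digest()

def check_plain(record):
    d, v = record
    return hmac.compare_digest(digest(d), v)

def check_keyed(key, record):
    d, v = record
    return hmac.compare_digest(keyed_digest(key, d), v)

def demo():
    key = b"constructed key known only to writer and verifier"
    d = b"quota=10GB;owner=alice"                  # constructed sample data
    plain, keyed = (d, digest(d)), (d, keyed_digest(key, d))

    altered = b"quota=10TB;owner=alice"
    return {
        # Only d changed: both checks notice.
        "plain_detects_edit": not check_plain((altered, plain[1])),
        "keyed_detects_edit": not check_keyed(key, (altered, keyed[1])),
        # d and v replaced together: the unprotected pair verifies again.
        "plain_detects_swap": not check_plain((altered, digest(altered))),
        # Without the key, a recomputed plain digest is not a valid v.
        "keyed_detects_swap": not check_keyed(key, (altered, digest(altered))),
    }
```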
Authenticity of data
• Authenticity has two requirements
– Integrity of data
* It is ensured through use of the message digest (see previous slide)
– Successful decryption of $v$ or $\langle d, v \rangle$ should verify that it was originated or sent by the claimed entity
* It is ensured by encrypting $v$ or $\langle d, v \rangle$ with the encryption key of the originator or sender of $d$
* The process wishing to verify authenticity of $d$ must obtain encryption key of the data’s originator or sender
A certification authority is used to securely obtain the encryption key of the originator or sender of $d$
* Successful decryption of $d$ or $\langle d, v \rangle$ now implies authenticity of data
Certification authority (CA)
• CA assigns public and private keys to an entity after ascertaining its identity through physical verification
– It issues a public key certificate containing the following information
* Serial no, owner’s distinguishing name, identification information
* Owner’s public key
* Date of issue and expiry
* Digital signature by the CA
– A process obtains the certificate of the server it wishes to use
– It authenticates the server to prevent a man-in-the-middle attack
* In this attack, an intruder masquerades as a server
Intercepts messages, provides fake certificate
Digital signature thwarts such attacks
Message authentication code (MAC) and Digital signature
• MAC is used to check integrity of data, digital signature is used to ensure authenticity of data
– Message authentication code (MAC)
* Message digest $v$ of data $d$ is obtained using a one-way hashing function
* $v$ is encrypted so that only the intended receiver of $d$ can decrypt it
– Digital signature
* $P_i$, the originator or sender of $d$, encrypts it to obtain $v$
* Encrypts $v$ and, optionally, a time stamp with its own private key to obtain $DS_d$, the digital signature for $d$
* The pair $\langle d, DS_d \rangle$ is stored or transmitted
* Recipient of $\langle d, DS_d \rangle$ decrypts it using public key of $P_i$
Successful decryption guarantees authenticity
$P_i$ cannot deny having originated or sent $d$ (non-repudiability)
Use of a digital signature
Third party authentication
• How does a server know that a process that wishes to use its services was created by an authorized user?
– A third party authenticator performs two functions to facilitate answering of this question
* Authentication
It authenticates a user
* Secure arrangement to introduce an authorized user to a server
This way, a server knows that a user is genuine
Kerberos
• Features of Kerberos
– Authentication is performed through an authentication data base
– Authorization is performed by providing tickets to processes
* A ticket is like a capability, it authorizes a process to use a service
* It contains the process and server ids, a session key for communication, and the lifetime over which it is valid
* At log in time, each process gets a ticket to a ticket granting server (TGS); TGS generates tickets for other servers
– When a process wishes to use a server
* It submits a ticket for the server and an authenticator containing a time-stamp encrypted with the session key
* Server checks validity of ticket, extracts the session key and checks the authenticator to ensure that the request is made in ‘real time’
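An added example, not Kerberos source code and not from the slides: it models the server-side checks listed above, with a ticket sealed under the server's key (the same shape as the $E_{V_j}(P_i, SK_{i,j})$ item in the session-key distribution steps) and an authenticator sealed under the session key. The toy cipher, the field names, the 300-second lifetime and the 120-second skew are assumptions; the cache of already-seen authenticators goes beyond what the slide states.

```python
import hashlib, hmac, json, secrets

def _xor(key, iv, data):
    """XOR data with an HMAC-SHA256 counter keystream (toy cipher, not a real one)."""
    stream = b"".join(hmac.new(key, iv + i.to_bytes(4, "big"), hashlib.sha256).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key, fields):
    iv = secrets.token_bytes(16)
    ct = _xor(key, iv, json.dumps(fields).encode())
    return iv + ct + hmac.new(key, b"tag" + iv + ct, hashlib.sha256).digest()

def unseal(key, blob):
    iv, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(key, b"tag" + iv + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("wrong key or altered message")
    return json.loads(_xor(key, iv, ct))

def issue_ticket(server_key, client, server, now, lifetime=300):
    """TGS side: session key for the client plus a ticket only the server can open."""
    sk = secrets.token_bytes(32)
    fields = {"client": client, "server": server, "sk": sk.hex(),
              "start": now, "end": now + lifetime}
    return sk, seal(server_key, fields)

def make_authenticator(sk, client, now):
    return seal(sk, {"client": client, "ts": now})

class Server:
    def __init__(self, name, key, max_skew=120):
        self.name, self.key, self.max_skew, self.seen = name, key, max_skew, set()

    def accept(self, ticket, authenticator, now):
        try:
            t = unseal(self.key, ticket)
            a = unseal(bytes.fromhex(t["sk"]), authenticator)
        except ValueError:
            return "rejected: bad ticket or authenticator"
        if t["server"] != self.name or not t["start"] <= now <= t["end"]:
            return "rejected: ticket not valid"
        if a["client"] != t["client"] or abs(now - a["ts"]) > self.max_skew:
            return "rejected: authenticator not fresh"
        if authenticator in self.seen:       # same authenticator inside the window
            return "rejected: replay"
        self.seen.add(authenticator)
        return "ok"
```

Times are passed in as plain integers so the checks can be exercised deterministically; a deployment would read a synchronized clock.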
Kerberos
• Client is a process that operates on user’s computer and obtains services on behalf of the user
• Step 1.3 provides session key and ticket for TGS
• Step 2.1 provides session key and ticket for a server
• Steps 3.1, 3.2 implement invocation of a service
Secure sockets layer (SSL)
• SSL is a message security protocol providing authentication and communication privacy
– SSL handshake protocol is used before a client-server session starts
* It uses RSA public-key encryption to authenticate the server
* It also optionally authenticates the client
* Generates symmetric session keys for the session
– SSL record protocol
* Performs actual message exchange using the session key
– Message integrity is provided through MAC and authenticity through digital signature
Secure sockets layer (SSL)
• SSL Handshake protocol
– Client sends client-hello message containing the string $n_{client}$
– Server sends server-hello message containing $n_{server}$
– Server sends its digital certificate; optionally asks for the client’s
– Client sends encrypted premaster secret message containing a 48-byte premaster secret encrypted with server’s public key
– Both client and server now generate master secret from the premaster secret, $n_{client}$ and $n_{server}$ using a standard one-way function
– Four keys are generated from the premaster secret
* two are used for encryption of messages between the client and the server, and two are used for generating MACs
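An added example, not from the slides: the derivation of the master secret and the four keys, using the TLS 1.2 pseudo-random function (RFC 5246) as the "standard one-way function". The choice of that PRF, the key lengths (32-byte MAC keys, 16-byte encryption keys) and the function names are assumptions; here the four keys come from the master secret, which is itself derived from the premaster secret.

```python
import hashlib, hmac, secrets

def prf(secret, label, seed, length):
    """TLS 1.2 PRF (RFC 5246, section 5): P_SHA256(secret, label + seed)."""
    seed = label + seed
    a, out = seed, b""
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()            # A(i)
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]

def derive_keys(premaster, n_client, n_server, mac_len=32, key_len=16):
    """Return (master secret, the four keys) as both ends compute them."""
    if len(premaster) != 48:
        raise ValueError("premaster secret must be 48 bytes")
    master = prf(premaster, b"master secret", n_client + n_server, 48)
    block = prf(master, b"key expansion", n_server + n_client,
                2 * mac_len + 2 * key_len)
    names = ["client_mac", "server_mac", "client_key", "server_key"]
    sizes = [mac_len, mac_len, key_len, key_len]
    keys, pos = {}, 0
    for name, size in zip(names, sizes):
        keys[name] = block[pos:pos + size]
        pos += size
    return master, keys

def handshake_demo():
    n_client, n_server = secrets.token_bytes(32), secrets.token_bytes(32)
    premaster = secrets.token_bytes(48)   # chosen by client, sent under server's public key
    client_view = derive_keys(premaster, n_client, n_server)
    server_view = derive_keys(premaster, n_client, n_server)
    # Same premaster secret with a new server nonce gives unrelated keys, so a
    # recorded encrypted-premaster message does not reproduce an old session.
    later_view = derive_keys(premaster, n_client, secrets.token_bytes(32))
    return client_view == server_view, client_view[1] != later_view[1], client_view[1]
```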