Professional Documents
Culture Documents
based on Distributed
Systems: Concepts
and Design, Edition 3,
AddisonWesley 2001. Distributed Systems Course
Security
Copyright © George
Coulouris, Jean Dollimore,
Tim Kindberg 2001
Chapter 2 Revision: Security model
email: authors@cdk2.net
This material is made
available for private study
Chapter 7:
and for direct use by
individual teachers. 7.2 Overview of security techniques
It may not be included in any
product or employed in any
service without the written
7.3 Cryptographic algorithms
permission of the authors.
7.4 Digital signatures
Viewing: These slides
must be viewed in 7.5 Cryptography pragmatics
slide show mode.
7.6 Case studies
Learning objectives
Security model
– Types of threat
Basic techniques
– Cryptographic techniques
Secrecy
Authentication
Certificates and credentials
Access control
– Audit trails
Client
result Server
Principal
– User or process that has authority (rights) to perform actions
– Identity of principal is important
3
Chapter 2 Revision: The enemy
The enemy
m’
Process p m Process q
Communication channel
Attacks
– On applications that handle financial transactions or other information
whose secrecy or integrity is crucial
Ownership of secrets:
Properties
Cryptographic concealment is based on:
Conventional shared crypto keys
Each process is sure of the identity of the other
Confusion and diffusion
Data is private and protected against tampering
Public/private key pair
Protection against repetition and reordering of data
Employs cryptography
Secrecy based on cryptographic concealment
Authentication based on proof of ownership of secrets
5
Threats and forms of attack
Eavesdropping
– obtaining private or secret information
Masquerading
– assuming the identity of another user/principal
Message tampering
– altering the content of messages in transit
man in the middle attack (tampers with the secure channel mechanism)
Replaying
– storing secure messages and sending them at a later date
Denial of service
– flooding a channel or other resource, denying access to others
6
Threats not defeated by secure channels
or other cryptographic techniques
Alice and Bob share a secret key KAB.
1. Alice uses KAB and an agreed encryption function E(KAB, M) to
encrypt and send any number of messages {Mi}KAB to Bob.
2. Bob reads the encrypted messages using the corresponding
decryption function D(KAB, M).
Alice and Bob can go on using KAB as long as it is safe to assume that KAB has not been
compromised.
Issues:
Key distribution: How can Alice send a shared key KAB to Bob securely?
Freshness of communication: How does Bob know that any {Mi} isn’t a copy of an
earlier encrypted message from Alice that was captured by Mallory and
replayed later?
9
*
Scenario 2:
Authenticated communication with a server
Bob is a file server; Sara is an authentication service. Sara shares secret key K A
with Alice and secret key KB with Bob.
1. Alice sends an (unencrypted) message to Sara stating her identity and
requesting a ticket for access to Bob.
A ticket is an encrypted item containing the identity of the principal
2. Sara sends a response to Alice. {{Ticket}KB, KAB}KA. It is encrypted in KA
to whom it is issued and a shared key for a communication session.
and consists of a ticket (to be sent to Bob with each request for file access)
encrypted in KB and a new secret key KAB.
3. Alice uses KA to decrypt the response.
4. Alice sends Bob a request R to access a file: {Ticket} KB, Alice, R.
5. The ticket is actually {KAB, Alice}KB. Bob uses KB to decrypt it, checks that
Alice's name matches and then uses KAB to encrypt responses to Alice.
This is a simplified version of the Needham and Schroeder (and Kerberos) protocol.
Timing and replay issues – addressed in N-S and Kerberos.
Not suitable for e-commerce because authentication service doesn't scale…
10
*
Scenario 3:
Authenticated communication with public keys
Bob has a public/private key pair <KBpub, KBpriv>
1. Alice obtains a certificate that was signed by a trusted authority
stating Bob's public key KBpub
2. Alice creates a new shared key KAB , encrypts it using KBpub using a
publickey algorithm and sends the result to Bob.
3. Bob uses the corresponding private key KBpriv to decrypt it.
(If they want to be sure that the message hasn't been tampered with, Alice can add an
agreed value to it and Bob can check it.)
Mallory might intercept Alice’s initial request to a key
distribution service for Bob’s public-key certificate and send a
response containing his own public key. He can then intercept
all the subsequent messages.
11
*
Scenario 4:
Digital signatures with a secure digest function
Alice wants to publish a document M in such a way that anyone can
verify that it is from her.
1. Alice computes a fixedlength digest of the document Digest(M).
2. Alice encrypts the digest in her private key, appends it to M and
makes the resulting signed document (M, {Digest(M)}KApriv)
available to the intended users.
3. Bob obtains the signed document, extracts M and computes
Digest(M).
4. Bob uses Alice's public key to decrypt {Digest(M)}KApriv and
compares it with his computed digest. If they match, Alice's
signature is verified.
The digest function must be secure against the birthday attack
12
*
Birthday attack
Birthday paradox
1. Alice prepares two versions M and M' of a contract for Bob. M is favourable
to Bob and M' is not.
Statistical result: if there are 23 people in a room, the chances are
2. Alice makes several subtly different versions of both M and M' that are
even that 2 of them will have the same birthday.
visually indistinguishable from each other by methods such as adding spaces
at the ends of lines. She compares the hashes of all the versions of M with all
the versions of M'. (She is likely to find a match because of the Birthday
Paradox).
3. When she has a pair of documents M and M' that hash to the same value, she
gives the favourable document M to Bob for him to sign with a digital
signature using his private key. When he returns it, she substitutes the
matching unfavourable version M', retaining the signature from M.
– If our hash values are 64 bits long, we require only 2 32 versions of M
and M’ on average.
– This is too small for comfort. We need to make our hash values at least
128 bits long to guard against this attack.
13
*
Certificates
Certificate: a statement signed by an appropriate authority.
Figure 7.4 Alice’s bank account certificate
Certificates require:
1. Certificate type: Account number
• An agreed standard format
2. Name: Alice
• Agreement on the construction of chains of trust (see Section 7.4.4).
3. Account: 6262626
• Expiry dates, so that certificates can be revoked.
4. Certifying authority : Bob’s Bank
5. Signature: {Digest(field 2 + field 3)} KBpriv
Subject Distinguished Name, Public Key
Issuer Distinguished Name, Signature
Period of validity Not Before Date, Not After Date
Administrative information Version, Serial Number
Extended Information
15
Certificates as credentials
Protection domain
– A set of <resource, rights> pairs
17
Credentials
18
*
Delegation
19
*
Cryptographic Algorithms
20
*
Cipher blocks, chaining and stream ciphers
ciphertext
plaintext
stream
stream
21
*
Symmetric encryption algorithms
These are all programs that perform confusion and diffusion operations on blocks of
binary data
TEA: a simple but effective algorithm developed at Cambridge U (1994) for teaching
and explanation. 128-bit key, 700 kbytes/sec
DES: The US Data Encryption Standard (1977). No longer strong in its original form.
56-bit key, 350 kbytes/sec.
Triple-DES: applies DES three times with two different keys. 112-bit key, 120
Kbytes/sec
IDEA: International Data Encryption Algorithm (1990). Resembles TEA. 128-bit key,
700 kbytes/sec
AES: A proposed US Advanced Encryption Standard (1997). 128/256-bit key.
There are many other effective algorithms. See Schneier [1996].
The above speeds are for a Pentium II processor at 330 MHZ. Today's PC's (January 2002)
should achieve a 5 x speedup.
22
*
TEA encryption function
Figure 7.8 key 4 x 32 bits
void encrypt(unsigned long k[], unsigned long text[]) { plaintext
unsigned long y = text[0], z = text[1]; and result 2 x 32
unsigned long delta = 0x9e3779b9, sum = 0; int n;
for (n= 0; n < 32; n++) {
sum += delta;
y += ((z << 4) + k[0]) ^ (z+sum) ^ ((z >> 5) + k[1]); 5
z += ((y << 4) + k[2]) ^ (y+sum) ^ ((y >> 5) + k[3]); 6
}
text[0] = y; text[1] = z;
}
Exclusive OR
logical shift
Lines 5 & 6 perform confusion (XOR of shifted text)
and diffusion (shifting and swapping)
23
TEA decryption function
Figure 7.9
void decrypt(unsigned long k[], unsigned long text[]) {
unsigned long y = text[0], z = text[1];
unsigned long delta = 0x9e3779b9, sum = delta << 5; int n;
for (n= 0; n < 32; n++) {
z = ((y << 4) + k[2]) ^ (y + sum) ^ ((y >> 5) + k[3]);
y = ((z << 4) + k[0]) ^ (z + sum) ^ ((z >> 5) + k[1]);
sum = delta;
}
text[0] = y; text[1] = z;
}
24
TEA in use
Figure 7.10
void tea(char mode, FILE *infile, FILE *outfile, unsigned long k[]) {
/* mode is ’e’ for encrypt, ’d’ for decrypt, k[] is the key.*/
char ch, Text[8]; int i;
while(!feof(infile)) {
i = fread(Text, 1, 8, infile); /* read 8 bytes from infile into Text */
if (i <= 0) break;
while (i < 8) { Text[i++] = ' ';} /* pad last block with spaces */
switch (mode) {
case 'e':
encrypt(k, (unsigned long*) Text); break;
case 'd':
decrypt(k, (unsigned long*) Text); break;
}
fwrite(Text, 1, 8, outfile); /* write 8 bytes from Text to outfile */
}
}
25
*
Asymmetric encryption algorithms
RSA: The first practical algorithm (Rivest, Shamir and Adelman 1978) and
still the most frequently used. Key length is variable, 512-2048 bits.
Speed 1-7 kbytes/sec.
A trapdoor provides a (350 MHz PII processor)
secret way into a room. If
Elliptic you're
curve: A recently-developed
inside, the way out method, shorter keys and faster.
is obvious, if you're
Asymmetric
outside,algorithms
you need to are
know~1000 x slower and are therefore not practical for
bulkaencryption, but their other properties make them ideal for key
secret to get in.
distribution and for authentication uses.
See Section 7.3.2 for a description and example of the RSA algorithm.
26
*
Digital signatures
Requirement:
– To authenticate stored document files as well as messages
– To protect against forgery
– To prevent the signer from repudiating a signed document (denying their
responsibility)
29
*
Secure digest functions
M
Verifying h = h'?authentic:forged
H(doc) h
31
MACs: Low-cost signatures with a shared secret key
Figure 7.12
M
MAC: Message Authentication Code
signed doc
H(M+K) h
Signing
M
K
M
h
H(M+K)
Verifying h = h'?authentic:forged
h'
K
32
*
Performance of encryption and secure digest algorithms
Figure 7.14 speeds are for a Pentium II processor at 330 MHZ
33 PRB = Preneel, Rijmen and Bosselaers [Preneel 1998]
*
Case study: Needham - Schroeder protocol
34
*
The Needham–Schroeder secret-key authentication protocol
Weakness: Message 3 might not be fresh and K
Figure 7.15 AB could have been
compromised in the store of A's computer. Kerberos (next case
Header Message Notes
study) addresses this by adding a timestamp or a nonce to message 3.
1. A>S: A, B, NA A requests S to supply a key for communication
with B.
2. S>A: {NA , B, KAB, S returns a message encrypted in A’s secret key,
NA is a nonce. Nonces are integers that are added to messages to
containing a newly generated key KAB and a
{KAB, A}KB}KA ‘ticket’ encrypted in B’s secret key. The nonce NA
demonstrate the freshness of the transaction. They are generated
Ticket
demonstrates that the message was sent in response
by the sending process when required, for example by
to the preceding one. A believes that S sent the
message because only S knows A’s secret key.
incrementing a counter or by reading the (microsecond resolution)
A sends the ‘ticket’ to B.
system clock.
3. A>B: {KAB, A}KB
4. B>A: {N }K B decrypts the ticket and uses the new key KAB to
B AB encrypt another nonce NB.
5. A>B: {NB 1}KAB A demonstrates to B that it was the sender of the
previous message by returning an agreed
transformation of NB.
35
Case study: Kerberos authentication and key distribution service
37
*
Kerberized NFS
38
*
Case study: The Secure Socket Layer (SSL)
Design requirements
– Secure communication without prior negotation or help from 3rd parties
– Free choice of crypto algorithms by client and server
– communication in each direction can be authenticated, encrypted or both
39
SSL protocol stack
Figure 7.17
changes the
secure channel
to a new spec
negotiates cipher
SSL
suite, exchanges SSL Change SSL Alert
certificates and key Handshake HTTP Telnet
Cipher Spec Protocol
masters protocol
implements the
SSL Record Protocol
secure channel
Certificate
Cipher suite Optionally send server certificate and
Certificate Request
request client certificate
Component Description
ServerHelloDone
Example
Key exchange
Client
the method to be used for
Certificate Server
RSA with publickey
Send client certificate response if
method A exchange of a session key
Certificate Verify B certificates
requested
Cipher for data the block or stream cipher to be IDEA
transfer used for data
Change Cipher Spec
Change cipher suite and finish
Message digest for creating message
Finished
SHA
handshake
function authentication codes (MACs)
Change Cipher Spec Includes key master exchange.
Key master is used by both A and B
Finished to generate:
2 session keys 2 MAC keys
KAB MAB
41 KBA MBA
*
SSL handshake configuration options
Figure 7.19
42
*
SSL record protocol
Figure 7.20
abcdefghi
Application data
Fragment/combine
Compress
Compressed units
Hash
MAC
Encrypt
Encrypted
Transmit
TCP packet
43
*
Summary
44
Worst case assumptions and design guidelines
[p. 260]
45