Chapter 20 - Distributed system security. This chapter discusses authentication and message security measures used in distributed operating systems to thwart such attacks. Methods of verifying authenticity of data are also discussed.
PROPRIETARY MATERIAL. © 2007 The McGrawHill Companies, Inc. All rights reserved. No part of this PowerPoint slide may be displayed, reproduced or distributed in any form or by any means, without the prior written permission of the publisher, or used beyond the limited distribution to teachers and educators permitted by McGrawHill for their individual course preparation. If you are a student using this PowerPoint slide, you are using it without permission. Chapter 20: Distributed System Security Dhamdhere: Operating Systems— A ConceptBased Approach , 2 ed Slide No: 1 Copyright © 2008 Security issues in distributed systems • Interprocess messages travel over the network – Hence intruders can perpetrate attacks through messages Chapter 20: Distributed System Security Dhamdhere:OperatingSystems AConceptưBasedApproach,2ed SlideNo:2 Copyrightâ2008 Security threats in distributed systems Following threats can be posed through messages – Leakage * Message contents are read by intruder – Tampering * Messages are corrupted or altered – Stealing * Resources are accessed without authorization – Denial of service * Authorized users are prevented from accessing resources Chapter 20: Distributed System Security Dhamdhere: Operating Systems— A ConceptBased Approach , 2 ed Slide No: 3 Copyright © 2008 Mechanisms and policies for distributed system security • Encryption ensures secrecy and integrity of meta data and messages • Key distribution center generates encryption keys for communication • Authentication is used to prevent masquerading Chapter 20: Distributed System Security Dhamdhere: Operating Systems— A ConceptBased Approach , 2 ed Slide No: 4 Copyright © 2008 Classes of security attacks • Four classes of attacks – Eavesdropping * Intruder listens to messages on the network – Message tampering * Intruder corrupts or alters messages – Message replay * Intruder inserts copies of old messages in message communication to fool processes – Masquerading * Intruder is able to pass off as an authorized user to perform computations and use resources Chapter 20: DistributedSystemSecurity Dhamdhere:OperatingSystems AConceptưBasedApproach,2ed SlideNo:5 Copyrightâ2008 Message security Three techniques are used for message security – Private key encryption * All messages sent to a process are encrypted with its private key Problems: Private key is exposed to attacks all through process lifetime Difficult for user processes to know each other’s keys Used for communication from OS to user processes – Public key encryption * A process has a (public key, private key) pair Encryption is asymmetric: Messages sent to it are encrypted using its public key; it decrypts them using its private key – Session key encryption * A session key is generated for each communication session between processes Limits exposure of the encryption key Chapter20: DistributedSystemSecurity Dhamdhere:OperatingSystems AConceptưBasedApproach,2ed SlideNo:6 Copyrightâ2008 Encryption techniques Public key encryption – Pi has a pair (Ui, Vi), where Ui, Vi are public, private keys * Vi cannot be guessed from Ui * For any message m, Dvi(EUi(Pm)) = Pm for all Ui, Vi * Sender encrypts using Ui, Pi decrypts using Vi * Rivest-Shamir-Adelman (RSA) algorithm is used to generate (Ui, Vi) Let (u, v) be the pair of keys and x, y < n » Eu(x) = xu mod n » Dv(y) = yv mod n n is a product of two large prime numbers p and q » v should be relatively prime to (p – 1) x (q – 1) » u x v mod [(q – ) x ( q – )] = – Keys are longer than private keys and encryption / decryption is slower Chapter 20: Distributed System Security Dhamdhere: Operating Systems— AConceptưBasedApproach,2ed SlideNo:7 Copyrightâ2008 Distribution of encryption keys Processes have to know which keys to use for encrypting messages to other processes – A key distribution center (KDC) is a trusted service which provides the keys securely to processes – When process Pi wishes to communicate with Pj * It makes a request to KDC, passing Pj’s id * KDC actions: Public key encryption: Provides public key of Pi Session key encryption: Generates a session key and provides it to Pi Also enables Pi to pass the key securely to Pj Chapter 20: Distributed System Security Dhamdhere: Operating Systems— A ConceptBased Approach , 2 ed Slide No: 8 Copyright © 2008 Distribution of public keys • Steps – Step 1: Pi → KDC : EUkdc (Pi, Pj) – Step 2: KDC → Pi : EUi (Pj, Uj) Encryption is employed merely to prevent message tampering Chapter 20: Distributed System Security Dhamdhere: Operating Systems— A ConceptBased Approach , 2 ed Slide No: 9 Copyright © 2008 Distribution of session keys • Steps – Step 1: Pi → KDC : Pi, Pj – Step 2: KDC → Pi : EVi(Pj, Ski,j, EVj(Pi,Ski,j)) – Step 3: Pi → Pj Chapter 20: Distributed System Security : EVj(Pi, Ski,j), ESKi,j (< message >) Dhamdhere: Operating Systems— AConceptưBasedApproach,2ed SlideNo:10 Copyrightâ2008 Obtaining a session key In a public key system, a process can itself choose a session key to communicate with another process – Step 1: Pi → KDC : EUkdc (Pi, Pj) – Step 2: KDC → Pi : EUi (Pj, Uj) – Step 3: Pi → Pj : EUj(Pi, Ski,j), ESKi,j(< message >) Pi requests public key of Pj in step and obtains it in step In step 3, it communicates the selected session key to Pj Chapter 20: Distributed System Security Dhamdhere: Operating Systems— A ConceptBased Approach , 2 ed Slide No: 11 Copyright © 2008 Preventing message replay attacks • How to check whether message m received by Pj from Pi is a genuine message – Check whether m was sent by a Pi in ‘real time’ – The Challenge-response protocol is used for this purpose Chapter20: DistributedSystemSecurity Dhamdhere:OperatingSystems AConceptưBasedApproach,2ed SlideNo:12 Copyrightâ2008 Challengeresponse protocol Steps – Challenge * Pj throws a challenge to the message sender to prove that it is Pi It sends a challenge string encrypted using Pi’s key The string is called a nonce – Response * Message performs following actions Decrypts the message Transforms the challenge string in expected manner Encrypts result so that only Pj can decrypt it and sends it back – Detect * Pj decrypts and checks whether the reply is as expected Chapter20: DistributedSystemSecurity Dhamdhere:OperatingSystems AConceptưBasedApproach,2ed SlideNo:13 Copyrightâ2008 Mutual authentication Processes must authenticate each other before entering into communication – Pi chooses and communicates a session key to another process * Step 1: Pi → KDC : EUkdc (Pi, Pj) * Step 2: KDC → Pi : EUi (Pj, Uj) * Step 3: Pi → Pj : EUj(Pi, Ski,j), ESKi,j(< message >) – The recipient process must authenticate the sender using the challenge–response protocol * Step 4: Pj → Pi : EUi (Pj, n) * Step 5: Pi → Pj : EUj(n+1) – Now the communication can begin Chapter 20: * Step 6: Pi Distributed System Security → Pj :Dhamdhere: Operating Systems— ESKi,j(< message >) AConceptưBasedApproach,2ed SlideNo:14 Copyrightâ2008 Authentication of data and messages Authenticity and integrity of data – Authenticity * Implies that data was originated or sent by a claimed person, and that it has not been tampered with – Integrity * Implies that data has not been tampered with Chapter 20: Distributed System Security Dhamdhere: Operating Systems— AConceptưBasedApproach,2ed SlideNo:15 Copyrightâ2008 Integrity of data Integrity is ensured through use of a message digest – Message digest v of data d is a fixed length hash value obtained from d * It is obtained by employing a one-way hash function * Given v, it should be impossible to construct a data d’ such that v is its message digest It is called a birthday attack – The pair < d, v > is stored * To check whether d has been tampered with, the hash value of d is obtained and compared with v – v or < d, v > is encrypted to protect against tampering * It makes the integrity check foolproof Chapter 20: Distributed System Security Dhamdhere: Operating Systems— AConceptưBasedApproach,2ed SlideNo:16 Copyrightâ2008 Authenticity of data Authenticity has two requirements – Integrity of data * It is ensured through use of the message digest (see previous slide) – Successful decryption of v or < d, v > should verify that it was originated or sent by the claimed entity * It is ensured by encrypting v or < d, v > with the encryption key of the originator or sender of d * The process wishing to verify authenticily of d must obtain encryption key of the data’s originator or sender A certification authority is used to securely obtain the encryption key of the originator or sender of d * Successful decryption of d or < d, v > now implies authenticity of data Chapter 20: Distributed System Security Dhamdhere: Operating Systems— A ConceptBased Approach , 2 ed SlideNo:17 Copyrightâ2008 Certification authority (CA) CA assigns public and private keys to an entity after ascertaining its identity though physical verification – It issues a public key certificate containing following information * Serial no, owner’s distinguishing name, identification information * Owner’s public key * Date of issue and expiry * Digital signature by the CA – A process obtains the certificate of the server it wishes to use – It authenticates the server to prevent a man-in-the-middle attack * In this attack, an intruder masquerades as a server Intercepts messages, provides fake certificate Digital signature thwarts such attacks Chapter 20: Distributed System Security Dhamdhere: Operating Systems— A ConceptBased Approach , 2 ed Slide No: 18 Copyright © 2008 Message authentication code (MAC) and Digital signature • MAC is used to check integrity of data, digital signature is used to ensure authenticity of data – Message authentication code (MAC) * Message digest v of data d is obtained using a one-way hashing fn * v is encrypted so that only the intended receiver of d can decrypt it – Digital signature * Pi, the originator or sender of d encrypts it to obtain v * Encrypts v and, optionally, a time stamp with its own private key to obtain the DSd, the digital signature for d * The pair < d, DSd > is stored or transmitted * Recipient of < d, DSd > decrypts it using public key of Pi Successful decryption guarantees authenticity P cannot deny having originated or sent d (non-repudiability) i Chapter 20: Distributed System Security Dhamdhere: Operating Systems— A ConceptBased Approach , 2 ed Slide No: 19 Copyright © 2008 Use of a digital signature Chapter 20: Distributed System Security Dhamdhere: Operating Systems— A ConceptBased Approach , 2 ed SlideNo:20 Copyrightâ2008 Third party authentication How does a server know that a process that wishes to use its services was created by an authorized user? – A third party authenticator performs two functions to facilitate answering of this question * Authentication It authenticates a user * Secure arrangement to introduce an authorized user to a server This way, a server knows that a user is genuine Chapter 20: DistributedSystemSecurity Dhamdhere:OperatingSystems AConceptưBasedApproach,2ed SlideNo:21 Copyrightâ2008 Kerberos Features of Kerberos – Authentication is performed through an authentication data base – Authorization is performed by providing tickets to processes * A ticket is like a capability, it authorizes a process to use a service * It contains the process and server ids, a session key for communication, and the lifetime over which it is valid * At log in time, each process gets a ticket to a ticket granting server (TGS); TGS generates tickets for other servers – When a process wishes to use a server * It submits a ticket for the server and an authenticator containing a time-stamp encrypted with the session key * Server checks validity of ticket, extracts the session key and checks the authenticator to ensure that the request is made in ‘real time’ Chapter 20: Distributed System Security Dhamdhere:OperatingSystems AConceptưBasedApproach,2ed SlideNo:22 Copyrightâ2008 Kerberos Clientisaprocessthatoperateson userscomputerandobtainsservices onbehalfoftheuser Step1.3providessessionkeyand ticketforTGS • Step 2.1 provides session key and ticket for a server • Steps 3.1, 3.2 implement invocation of a service Chapter 20: Distributed System Security Dhamdhere: Operating Systems— A ConceptBased Approach , 2 ed Slide No: 23 Copyright © 2008 Secure sockets layer (SSL) • SSL is a message security protocol providing authentication and communication privacy – SSL handshake protocol is used before a client-server session starts * It uses RSA public-key encryption to authenticate the server * It also optionally authenticates the client * Generates symmetric session keys for the session – SSL record protocol * Performs actual message exchange using the session key – Message integrity is provided through MAC and authenticity through digital signature Chapter 20: Distributed System Security Dhamdhere: Operating Systems— AConceptưBasedApproach,2ed SlideNo:24 Copyrightâ2008 Secure sockets layer (SSL) SSL Handshake protocol – Client sends client-hello message containing the string nclient – Server sends server-hello message containing nserver – Server sends its digital certificate; optionally asks for the client’s – Client sends encrypted premaster secret message containing a 48-byte premaster secret encrypted with server’s public key – Both client and server now generate master secret from the premaster secret, nclient and nserver using a standard one-way function – Four keys are generated from the premaster secret * two are used for encryption of messages between the client and the server, and two are used for generating MACs Chapter 20: Distributed System Security Dhamdhere: Operating Systems— A ConceptBased Approach , 2 ed Slide No: 25 Copyright © 2008 ... authenticates the server to prevent a man-in-the-middle attack * In this attack, an intruder masquerades as a server Intercepts messages, provides fake certificate Digital signature thwarts such attacks... implies authenticity of data Chapter 20: Distributed System Security Dhamdhere: Operating Systems— AConceptưBasedApproach,2ed SlideNo:17 Copyright 200 8 Certification authority (CA) CA assigns... attacks Chapter 20: Distributed System Security Dhamdhere: Operating Systems— A ConceptBased Approach , 2 ed Slide No: 18 Copyright © 200 8 Message authentication code (MAC) and Digital signature