Post on 03-Jan-2016
D u k e S y s t e m s
Servers and secure communication
Jeff ChaseDuke University
Shell lab
• We need to understand a little about:– job states: foreground and background
– process states
– blocking or sleep states: waiting for an external event
• Shell exposes a fundamental problem:– Many programs monitor/control asynchronous activities.
– E.g., shell manages children, apps wait for clicks, servers wait for requests, everyone waits for I/O to complete.
– How should a program wait for the next event, if there are many possible events to wait for?
– Wait for a specific event may miss others.
• Good event handling mechanisms are important.
Unix was wrong
• Unix was designed around blocking system calls.– read from tty
– wait* for child process
– listen for arriving server connection
– Blocked process makes no progress until event occurs.
– signals an afterthought to “kill” a process
• Unix got it wrong.– Evolving signal mechanisms for better shells.
– Evolving designs for high-performance servers.
• Newer systems (and Ux variants) have better event handling mechanisms.– Kqueue, epoll, Android component interfaces
Wait (Unix)
Wait*
fork
execargv[0]=“echo”argv[1]=“y”argc = 2
wait
“echo y”
dsh
If a child is running in the foreground, the parent shell
“suspends execution” (blocks or sleeps) until the child
changes state (e.g., exits).
Child process continues on to execute “echo” program independently of parent.
Shell waits in read call for next command from tty.
Parent/child interaction
fork
exit
exec
STOP
wait
“echo y”
dsh
“<ctrl-z>” SIGSTOP
“fg” kill SIGCONT
wait EXIT
A wait returns when the status of the child
changes (e.g., STOP).
Child blocks when it receives a STOP signal (e.g., resulting from ctrl-z on
keyboard).
Child wakes up when it receives
a CONTINUE signal (e.g., sent
by shell).
The awakened shell blocks in read to accept
the next command.
What if a foreground job exits before the parent
calls wait?
Job states and transitions
fg
bgstop
exited
exit
exit
tty intty out
SIGCONT
SIGCONTset-fg
ctrl-z (SIGSTP)
Monitoring background jobs
fork
exec
EXIT
“echo y&”
dsh
“jobs”
wait
How should a parent learn of status changes to a child if it’s busy doing something else and does not poll?
“Do you know where your children are?”
Parent can use a non-blocking wait to poll the
status of a child.
Monitoring background jobs
fork
exec
EXIT
“echo y&”
dsh
Parent is waiting for read to return the next input command.
How should parent learn of the child exit event?
coffee….
What if a child changes state while the shell is blocked on some other event, e.g., waiting for input, or waiting for a foreground job to
complete?
A “real” shell should notice and inform the user immediately. But
dsh will not.
Shell and children
Job 1
Job 2
Job 3
P1A P1B
P2A
P3A
dsh
Any of these child jobs/processes could
exit or stop at any time.
Monitoring background jobs
fork
exec
EXIT
“echo y&”
dsh
SIGCHLD
Event notificationsSTOP
SIGCHLD
coffee….
A “real” shell receives SIGCHLD signals from the kernel when a
child changes state.
If the shell is blocked on some other system call (e.g., read), then SIGCHLD interrupts the
read.
Key point: many programs need to be able to receive and handle multiple
event types promptly, regardless of what order they arrive in. Unix has grown some funky mechanisms to deal with
that.
Process states and transitions
running
readyblocked
exitedfg or bg
fg or bg
The kernel process/thread scheduler governs these transitions.
exit
wait, STOP, read, write, listen, receive, etc.
sleep
STOP wait
wakeup
Sleep and wakeup are internal primitives (later).
EXIT
while (1) {
Char *cmd = getcmd();
int retval = fork();
if (retval == 0) {
// This is the child process
// Setup the child’s process environment here
// E.g., where is standard I/O, how to handle signals?
exec(cmd);
// exec does not return if it succeeds
printf(“ERROR: Could not execute %s\n”, cmd);
exit(1);
} else {
// This is the parent process; Wait for child to finish
int pid = retval;
wait(pid);
}
}
Inside the Shell
Communication: endpoints and channels
channelpipe
bindingconnection
endpointport
data transferstream
flowmessages
request/reply RPC
events
operationsadvertise (bind)listenconnect (bind)close
write/sendread/receive
If one side advertises a named endpoint, we call it a server.
If one side initiates achannel to a named endpoint, we call it a client.
Protection systems
• Every process (or other entity) has a label that governs its access rights on the system.
• The label is a list of named attributes and optional values.
• Each system defines the space of attributes and their interpretation.
• Some attributes and values represent an identity bound to the process.
• E.g.: uid=“alice”
login
shell
tool
log in
fork, setuid(“alice”), exec
fork/exec
uid=“alice”
Every file and every process is labeled/tagged with a user ID. A root process may change its user ID.
A process inherits its userID from its parent process.
Alice
Android permissions
http://source.android.com/tech/security/
Services
RPC
GET (HTTP)
Binding to a service (Android)
public abstract boolean bindService (Intent service, ServiceConnection conn, int flags)
Connect to an application service, creating it if needed. …The given conn will receive the service object when it is created and be told if it dies and restarts. …
This function will throw SecurityException if you do not have permission to bind to the given service.
Networking
channelbinding
connection
endpointport
Some IPC mechanisms allow communication across a network.E.g.: sockets using Internet communication protocols (TCP/IP).Each endpoint on a node (host) has a port number.
Each node has one or more interfaces, each on at most one network.Each interface may be reachable on its network by one or more names.
E.g. an IP address and an (optional) DNS name.
node A node B
operationsadvertise (bind)listenconnect (bind)close
write/sendread/receive
Networking and distributed systems
channelbinding
connection
endpointport
node A node B
1.Nodes may crash (fail-stop).2.They may lie, cheat, or steal (“Byzantine” failure)3.They may run different software.4.Networks might not be reliable or safe.
Issues:
Real networks are insecure
Alice
Bob
Mallory
attack
Crypto primitives
Encrypt/Decrypt
Signing
Secure hashing
Use a shared secret key(symmetric)
oruse a keypair
one public, one private(asymmetric)
useful forfingerprinting data
Cryptography for Busy People
• Standard crypto functions parameterized by keys.– Fixed-width “random” value (length matters, e.g., 256-bit)
– Symmetric (DES: fast, requires shared key K1 = K2)
– Asymmetric (RSA: slow, uses two keys)
• “Believed to be computationally infeasible” to break
E
D
EncryptEncrypt
DecryptDecrypt
K1
K2
M
M
[Image: Landon Cox]
Symmetric Crypto
• “Secret key” or “private key” cryptography.– DES, 3DES, DESX, IDEA, AES
• Sender and receiver must possess a shared secret
– Shared key K
– K = K1 = K2
• Message M, Key K{M}K = Encrypt(M, K)
M = Decrypt({M}K , K)
Example: Java KeyGenerator class
“A key generator is used to generate secret keys for symmetric algorithms.” [oracle.com]
Example: Java Cipher class
“The Cipher class provides the functionality of a cryptographic cipher used for encryption and decryption. Encryption is the process of taking data (called cleartext) and a key, and producing data (ciphertext) meaningless to a third-party who does not know the key. Decryption is the inverse process: that of taking ciphertext and
a key and producing cleartext.” [oracle.com]
Simple shared-secret based cryptographic authentication
shuque@isc.upenn.edu
Add mutual authentication
shuque@isc.upenn.edu
Two “Key points”
• The random challenge is a nonce.– “number used once”
• Understand why the protocol uses a nonce.
• In order for this protocol to work, Alice and Bob need a shared secret.
• How can they establish this shared secret safely?
Asymmetric Crypto
• Sometimes called “public key” cryptography.
• Each subject/principal possesses a keypair: K-1 and K– Decrypt(K, Encrypt(K-1, M)) = M
• Each principal keeps one key private.
• The inverse key may be public.
• Either key can be used to encrypt/decrypt.
Example: Java KeyPairGenerator class
“The KeyPairGenerator class is an engine class used to generate pairs of public and private keys.” [oracle.com]
E
D
CryptCrypt
CryptCrypt
Asymmetric crypto works both ways
[Image: Landon Cox]
A’s private keyor
A’s public key A’s public keyor
A’s private key
Q
• If Alice knows Bob’s public key, how can Alice use it to verify that the party on the other end of a channel is Bob?
• What could go wrong?
• How is this “better” than symmetric crypto?
• How is it “worse”?
Cryptographic hashes
• Also called a secure hash or one-way hash– E.g., SHA1, MD5
• Result called a hash, checksum, fingerprint, digest
• Very efficient
SHA1 hashSHA1 hash
160 bitsArbitrarily large
“Hash digest”
[Image: Landon Cox]
Properties of Secure Hashing
• Collision-resistant– There exist distinct M1 and M2 such that h(M1) == h(M2).
– Such collisions are “hard” to find.
• One way– Given digest, cannot generate an M with h(M) == digest.
– Such collisions are “hard” to find.
• Secure– The digest does not help to discover any part of M.
Properties of Secure Hashing
• Collision-resistant– There exist distinct M1 and M2 such that h(M1) == h(M2).
– Such collisions are “hard” to find.
• One way– Given digest, cannot generate an M with h(M) == digest.
– Such collisions are “hard” to find.
• Secure– The digest does not help to discover any part of M.
Haven’t SHA-1 and MD5 been broken?
Sort of…it turns out collisions are easier to find than thought, at least in some instances.
Digital Signature
• A hash digest of M encrypted with a private key is called a digital signature– “Proves” that a particular identity sent M.
• “Proves” M has not been tampered.• “Unforgeable”
– The sender cannot deny sending M.• “non-repudiable”
– Can be legally binding in the United States
http://pst.libre.lu/mssi-luxmbg/p1/04_auth-art.html
Digital signatures with public keys
{h}Kpri
M
Signing
Verifying
E(Kpri , h)
128 bits
H(M) h
M
hH(doc)
D(Kpub ,{h}) {h}Kpri h'
h = h'?
M
signed doc
Key point: understand how/why digital
signatures use digests and asymmetric crypto
together.
Two “key points”
• Digital signatures are “stronger” than physical signatures, because they are bound to the document contents.– Attacker cannot change the document contents without
invalidating the signature.
• To verify a signature, the receiver must already know the public key of the signer.– And it must be right.
– But how to know for sure?
Two Flavors of “Signature”
• A digest encrypted with a private asymmetric key is called a digital signature– “Proves” that a particular identity sent the message.
• “Proves” the message has not been tampered.• “Unforgeable”
– The sender cannot deny sending the message.• “non-repudiable”
– Can be legally binding in the United States
• A digest encrypted with a shared symmetric key is called a message authentication code (MAC).
• faster, but…
MAC
“Similar to a MessageDigest, a Message Authentication Code (MAC) provides a way to check the integrity of information transmitted over or stored in an unreliable medium, but uses a [symmetric secret] key in the calculation. Only someone with the proper key will be able to verify the received message. Typically, message authentication codes are used between two parties that share a secret key in order to validate information transmitted between these parties.” [oracle.com]
What happens…
• How to authenticate shop.com?
• How to assure integrity/privacy of communications?
• How to prevent man-in-the-middle attack?
• How does shop.com authenticate you?
• Answer: Secure Sockets (SSL) or Transport-Layer Security (TLS)
https://www.shop.com/shop.html
Symmetric and Asymmetric Crypto: Better Together• Use asymmetric crypto to “handshake” and establish a secret
session key (slow, but allows for key distribution).
• Then use the key to talk with symmetric crypto (fast and cheap)
• Example: Secure Sockets Layer (SSL) or Transport-Layer Security (TLS), used in HTTPS (Secure HTTP), SSH, SCP, etc.
“SYN, etc.”
“My public key is K.”
Client Server“Let’s establish a session key: {S}K .”
{M}S
…
[encrypted data or content]
What are we missing?
• Does C know (believe) that K really is the public key of S?
• How to authenticate S?
Example: Certificate
Certificates allow A to endorse the public key of B. The endorsement can be validated by anyone who knows and trusts A.
A Digital Certificate (X.509)
Trust management and PKI• An entity A delegates trust to another by endorsing its public
key for possession of an attribute or role.
• The delegation is a fact written as a logic statement and issued in a certificate that is digitally signed by A.
• In a standard x.509 identity certificate (e.g., issued by a PKI CA for web), the attribute is a distinguishing name.
– e.g., “Alice” or “amazon.com”
• But it could be more…
trustsA B
A.trusts B CertificateTerm of validity
Issuer’s name (or key)
Signature
Payload: statement
Take a breath
• Your browser can verify the server identity if it knows the “real” server’s public key.
• The server presents a certificate endorsed by a third party (CA).
• Your browser can verify the certificate if it knows the CA’s public key.
• How does your browser know the CA’s public key?
SSL is not so simple…
• How do we know who we are talking to?– Do we care? Somebody does…
– In SSL, either party MAY present a certificate.
– At least one MUST (e.g., server to validate key K).
• How to prevent replays of encrypted content?– Nonces, serial numbers, timestamps
• SSL/TLS uses this basic handshake protocol, but there are some subtleties:– Hashes and MACs
Secure HTTP
• Uses SSL/TLS over TCP for “end-to-end” security.
• Browser always authenticates the server.– Server presents certificate signed by root CA.
– Domain name must match the certificate, etc.
– Browser has some set of public keys for root CAs wired into it, so it can check the signature.
• Server optionally requests to authenticate the browser (user or user agent).– Browser presents certificate, OR
– Password authentication is much more common. (why?)
• Browser and server negotiate a bulk cipher and secret session key as in “Better Together” above.
SSL in detail
http://docs.oracle.com/javase/7/docs/technotes/guides/security/crypto/CryptoSpec.html
Public Key Infrastructure (PKI)
• Assumption: everyone trusts some root CAs.
• Institutions/organizations set up their own CAs, and the root CAs endorse them to issue certificates for their members.– $$$
• Recursively, to form a hierarchy like DNS.– Delegation of Authority
• Network applications will have access to the keypairs and certificates of their users, and will validate the certificates of servers.
– Any day now…
Distributing session keys
• We want to use symmetric crypto because it is cheap.
• But we need a way to negotiate and distribute a shared secret (session key).
• Two examples to looks at:– SSL/TLS/HTTPS
– Kerberos (Needham/Schroeder) authentication protocol
– Shibboleth single-sign-on (SSO)