Distributed computer security
Summary For Chapter 8
Student: Zhibo Wang
Professor: Yanqing Zhang
Why there are problems in distributed systems [1]
In the most abstract sense, we can describe a distributed system as a collection of clients and servers communicating by exchange of messages.
Reasons:
The system operates in an open environment
It needs to communicate with other heterogeneous systems
How to build a “strong” System
Secrecy: protection from unauthorized disclosure
Integrity: only authorized users can modify the system
Availability: authorized users are not prevented from accessing their respective objects (the property a DoS attack targets)
Reliability: fault tolerance
Safety: tolerance of user faults
Security Threats[2][3]
They may come from:
external intruders
internal intruders
unintentional system faults or user faults
Cont’d
Four categories:
Interruption (attack against the availability of the network)
Interception (attack against the confidentiality)
Modification (attack against integrity of the network)
Fabrication (attacks against the authentication, access control, and authorization capabilities of the network)
Security Threat Prevention
Authentication & verification: exclude external intruders
Authorization validation: exclude internal intruders
Fault-tolerance mechanisms: unintentional faults
Data encryption: prevents the exposure of information & maintains privacy
Auditing: passive form of protection
Discretionary Access Control Models
Concept of the Access Control Matrix (ACM)
The Access Control Matrix (ACM) is the most fundamental and widely used discretionary access control model for simple security policies.
Access control is a function that, given a subject-object pair (s, o) and a requested operation r from s to o, returns true if the request is permitted.
Cont’d Utility Of ACM [4]
Because it does not define the granularity of protection mechanisms, the Access Control Matrix can be used as a model of the static access permissions in any type of access control system. It does not model the rules by which permissions can change in any particular system, and therefore only gives an incomplete description of the system's access control security policy.
Cont’d
Why is mandatory flow control necessary when we already have a discretionary security model?
With the advances in networks and distributed systems, it is necessary to broaden the scope to include the control of information flow between distributed nodes on a system-wide basis, rather than only on an individual basis as discretionary control does.
Mandatory Flow Control Models
What is a Mandatory Flow Control Model?
Mandatory access control refers to a type of access control by which the operating system constrains the ability of a subject to access or generally perform some sort of operation on an object or target.
Information Flow Control
What is Information Flow Control
Information Flow control is concerned with how information is disseminated or propagated from one object to another.
The security classes of all entities must be specified explicitly and the class of an entity seldom changes after it has been created
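An added example, not part of the original slides, that ties the access control matrix to the case for flow control: every copy below is permitted by the static matrix, yet the chain hands secret data to a subject with no right to it, and a check on the objects' security classes stops it. The subjects, objects, the two-level class ordering and the rule that information may not move to a lower class are assumptions made for the illustration.

```python
# Added illustration: subjects, objects, rights and class names are constructed.
LEVEL = {"public": 0, "secret": 1}   # security classes, ordered low to high
# Class of every object, specified explicitly and fixed after creation.
CLASS = {"payroll.db": "secret", "notes.txt": "public", "bulletin": "public"}
# Static access control matrix: ACM[subject][object] = set of permitted operations.
ACM = {
    "alice": {"payroll.db": {"read"}, "notes.txt": {"read", "write"}},
    "bob": {"notes.txt": {"read"}, "bulletin": {"read", "write"}},
}
# Each operation: subject s reads src and writes what it read into dst.
OPS = [("alice", "payroll.db", "notes.txt"), ("bob", "notes.txt", "bulletin")]

def permitted(s, o, r):
    """Access control function: True iff the matrix grants r on o to s (default deny)."""
    return r in ACM.get(s, {}).get(o, set())

def can_flow(src, dst):
    """Assumed flow rule: information may only move to an equal or higher class."""
    return LEVEL[CLASS[src]] <= LEVEL[CLASS[dst]]

def copy(s, src, dst, enforce_flow):
    """Return 'ok', or which check refused the copy."""
    if not (permitted(s, src, "read") and permitted(s, dst, "write")):
        return "denied: acm"
    if enforce_flow and not can_flow(src, dst):
        return "denied: flow"
    return "ok"

def run(ops, enforce_flow):
    """Apply ops in order. origin[o] is the set of objects whose content reached o."""
    origin = {o: {o} for o in CLASS}
    results = []
    for s, src, dst in ops:
        outcome = copy(s, src, dst, enforce_flow)
        if outcome == "ok":
            origin[dst] |= origin[src]
        results.append(outcome)
    return results, origin

if __name__ == "__main__":
    for enforce in (False, True):
        results, origin = run(OPS, enforce)
        leaked = "payroll.db" in origin["bulletin"] and not permitted("bob", "payroll.db", "read")
        print(f"flow control={enforce}: {results}, payroll data readable by bob: {leaked}")
```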
Why we have Cryptography
Security Requirements
Confidentiality: protection from disclosure to unauthorized persons
Integrity: maintaining data consistency
Authentication: assurance of identity of person or originator of data
Availability: legitimate users have access when they need it
Access control: unauthorized users are kept out
What is Authentication?
Authentication is the process of verifying the identity of an object entity.
Password verification: one-way verification
Two-way authentication: both communicating entities verify each other’s identity
This type of mutual authentication is important for communication between autonomous principals under different administrative authorities in a client/server or peer-to-peer distributed environment.
Authentication Protocols
Authentication protocols are all about distribution and management of secret keys.
Key distribution in a distributed environment is an implementation of distributed authentication protocols.
Design of Authentication Protocols
Many authentication protocols have been proposed.
All protocols assume that some secret information is held initially by each principal.
Authentication is achieved by one principal demonstrating to the other that it holds that secret information.
All protocols assume that the system environment is very insecure and is open to attack. So any message received by a principal must have its origin authenticity, integrity and freshness verified.
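An added example, not taken from the slides or their references, of the design rule above: two principals that already share a secret key authenticate each other by returning an HMAC over the other side's fresh nonce, so the key is never sent and a recorded proof cannot be reused. The `Principal` class, the role labels and the three-message layout are assumptions chosen for the illustration.

```python
import hashlib
import hmac
import secrets

def mac(key, role, prover, verifier, nonce):
    """HMAC-SHA256 binding role, both identities and the verifier's nonce.
    Assumes names contain no zero byte; the 16-byte nonce is always last."""
    msg = b"\x00".join([role, prover, verifier, nonce])
    return hmac.new(key, msg, hashlib.sha256).digest()

class Principal:
    def __init__(self, name, key):
        self.name, self.key = name, key
        self.issued = {}   # peer name -> nonce we sent and have not yet seen answered

    def new_nonce(self, peer):
        """Fresh random challenge for peer; replaces any earlier one."""
        self.issued[peer] = secrets.token_bytes(16)
        return self.issued[peer]

    def prove(self, role, peer, nonce_from_peer):
        """Demonstrate possession of the key without revealing it."""
        return mac(self.key, role, self.name, peer, nonce_from_peer)

    def verify(self, role, peer, proof):
        """Origin and integrity come from the MAC; freshness from our own nonce,
        which is consumed here so the same proof is never accepted twice."""
        nonce = self.issued.pop(peer, None)
        if nonce is None:
            return False
        expected = mac(self.key, role, peer, self.name, nonce)
        return hmac.compare_digest(proof, expected)

def mutual_auth(a, b):
    """Three-message exchange; returns (a accepts b, b accepts a)."""
    n_a = a.new_nonce(b.name)                      # 1. A -> B: A, N_a
    n_b = b.new_nonce(a.name)                      # 2. B -> A: N_b, proof over N_a
    a_ok = a.verify(b"responder", b.name, b.prove(b"responder", a.name, n_a))
    proof_a = a.prove(b"initiator", b.name, n_b)   # 3. A -> B: proof over N_b
    b_ok = b.verify(b"initiator", a.name, proof_a)
    return a_ok, b_ok

if __name__ == "__main__":
    key = secrets.token_bytes(32)   # constructed shared secret
    print(mutual_auth(Principal(b"alice", key), Principal(b"bob", key)))
```

Because the MAC covers the role and the prover's name, a proof computed by one principal is rejected if it is presented back to that same principal as though it came from the peer.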
University Network [10]
Disadvantage of the network
Proposed network
Reference
[1] Randy Chow, Theodore Johnson. “Distributed Operating Systems and Algorithms”, Addison-Wesley, 1997
[2] Samarati, P.; Bertino, E.; Ciampichetti, A.; Jajodia, S.; “Information flow control in object-oriented systems”. Knowledge and Data Engineering, IEEE Transactions on Volume 9, Issue 4, July-Aug. 1997 Page(s):524 - 538
[3] Izaki, K.; Tanaka, K.; Takizawa, M.; “Access control model in object-oriented systems” Parallel and Distributed Systems: Workshops, Seventh International Conference on, 2000 4-7 July 2000 Page(s):69 - 74
[4] http://en.wikipedia.org/wiki/
[5] Lin, Tsau Young (T. Y.); “Managing Information Flows on Discretionary Access Control Models” Systems, Man and Cybernetics, 2006. ICSMC '06. IEEE International Conference on Volume 6, 8-11 Oct. 2006 Page(s):4759 - 4762
[6] Solworth, J.A.; Sloan, R.H.; “A layered design of discretionary access controls with decidable safety properties” Security and Privacy, 2004. Proceedings. 2004 IEEE Symposium on 9-12 May 2004 Page(s):56 - 67
[7] Robles, R.J.; Min-Kyu Choi; Sang-Soo Yeo; Tai-hoon Kim; “Application of Role-Based Access Control for Web Environment”, Ubiquitous Multimedia Computing, 2008. UMC '08. International Symposium on, pp. 171-174, 13-15 Oct. 2008
[8] Ravi Sandhu, The PEI Framework for Application-Centric Security, 2009
[9] Krishnan, Ram and Sandhu, Ravi and Ranganathan, Kumar, “PEI models towards scalable, usable and high-assurance information sharing”, Proceedings of the 12th ACM symposium on Access control models and technologies
[10] Al-Akhras, M.A, “Wireless Network Security Implementation in Universities”, Information and Communication Technologies, 2006. ICTTA '06. 2nd , Volume 2, 0-0 0 Page(s):3192 - 3197
Q&A?
Thanks!