COMP 655: Distributed/Operating Systems Summer 2011 Dr. Chunbo Chu Week 9: Security...
-
Upload
louise-sharleen-houston -
Category
Documents
-
view
215 -
download
0
Transcript of COMP 655: Distributed/Operating Systems Summer 2011 Dr. Chunbo Chu Week 9: Security...
COMP 655:Distributed/Operating
SystemsSummer 2011
Dr. Chunbo ChuWeek 9: Security
04/21/23 1Distributed Systems - COMP 655
04/21/23 Distributed Systems - COMP 655 2
Agenda• Security basics• Encryption• Major functions of a security
system
04/21/23 Distributed Systems - COMP 655 3
Types of security• Confidentiality
– Information disclosed only to authorized parties
• Integrity– Information can be created, changed,
or deleted only in authorized ways
04/21/23 Distributed Systems - COMP 655 4
Types of threats• Interception (confidentiality)• Interruption (integrity)• Modification (integrity)• Fabrication (integrity)
04/21/23 Distributed Systems - COMP 655 5
Major functions of a security system
• Authentication• Authorization• Administration• Journaling• Intrusion detection
04/21/23 Distributed Systems - COMP 655 6
Security basicsGeneral advice when dealing with
security:• Always stay in touch with the basic
question: what is the problem you are trying to solve?
• Compare the cost of security to the cost of loss
These should be covered in a security policy
04/21/23 Distributed Systems - COMP 655 7
Security policy basics• A security policy defines the security
requirements for a system• A security policy identifies
– Types of entities in the systemFor example, “instructor”, “student”,
“gradebook application”
– Types of actions supported by the systemFor example, “view grades”, “assign grades”
– Which types of entities are allowed to perform which types of actions
04/21/23 Distributed Systems - COMP 655 8
More about security policyExamples of security policy statements:• An instructor is allowed to assign and
view grades for all students in sections taught by the instructor
• An instructor is not allowed to assign or view grades for any section that he or she did not teach
• A student is allowed to view all of his or her grades
• A student is not allowed to assign grades
04/21/23 Distributed Systems - COMP 655 9
Yet more security policy• Policy deals with roles, not individuals.
For example, some Franklin students are also instructors
• Policy must be specific to a system– “users may perform only authorized actions” is
NOT useful policy– “instructors and administrators may assign
grades” is much more useful
• Writing a good policy is usually hard– Can any administrator assign a grade?– Or only department chairs and deans with
responsibility for the course?– Can the college president assign a grade?
04/21/23 Distributed Systems - COMP 655 10
Activity: DiNo Security policy• Imagine that DiNo needs to support
confidential notebooks• Discuss the security aspects of DiNo
– What types of entities and operations are important?
• What should the security priorities be?– List at least five policies about who’s allowed to
do what
• NOTE: “all users must be authenticated” does NOT belong in a security policy – it’s about implementation, not requirements
04/21/23 Distributed Systems - COMP 655 11
Kevin Mitnick’s work today• The simple fact is this: People are, and
always have been, the most vulnerable aspect of any organization's security infrastructure …
http://www.mitnicksecurity.com/
Interview on 60 Minutes
04/21/23 Distributed Systems - COMP 655 12
Security – human aspects• “Human engineering” is the most
effective way to gain unauthorized access to systems– Helpfulness can be abused– Garbage can be sifted– Etc
• Basically, it’s a never-ending dialog between builders and crackers If you remember nothing else from tonight …
04/21/23 Distributed Systems - COMP 655 13
Tools for the security provider
• Encryption• Explicit, well-considered policy• QA for code• Security education for developers (for
example, see http://www.sans.org/)• Security education for others with
access to sensitive information• Firewalls• Audits• Monitoring
04/21/23 Distributed Systems - COMP 655 14
More security tools• Research• Former crackers with changed
motives• Good system administration,
including keeping up with patches• Virus checkers (pattern, heuristic)
04/21/23 Distributed Systems - COMP 655 15
Resources• CERT: www.cert.org/• CSRC (NIST): csrc.nist.gov/• Steve Gibson: grc.com/default.htm
• Counterpane: www.counterpane.com/crypto-gram.html
• And 400,000,000 others …
04/21/23 Distributed Systems - COMP 655 16
Activity – implementing your policy
• For each of the five statements in your security policy exercise, identify one or more techniques that could be used to enforce it.
04/21/23 Distributed Systems - COMP 655 17
Comp 655 - Security• Security basics• Encryption• Major functions of a security
system
04/21/23 Distributed Systems - COMP 655 18
Encryption - general
04/21/23 Distributed Systems - COMP 655 19
More terminology• Symmetric cryptosystem
– aka secret-key, shared-key
• Asymmetric cryptosystem– aka public-key
• Computational infeasibility• Hash function• Block cipher• Stream cipher
04/21/23 Distributed Systems - COMP 655 20
Important encryption algorithms
• DES• AES• RSA• MD5• SHA-1
04/21/23 Distributed Systems - COMP 655 21
Data Encryption Standard (DES)
04/21/23 Distributed Systems - COMP 655 22
DES key generation
04/21/23 Distributed Systems - COMP 655 23
Attacks on DES• Analytical
– DES has held up pretty well
• Brute force– Hardware is now fast enough to allow
practical guess-and-check attacks on 56-bit DES
• Triple DES “appears to be safe for the moment”
• To be replaced by Rijndael algorithm
04/21/23 Distributed Systems - COMP 655 24
AES
• NIST selection process, 1997-2000, whose goal was a symmetric block cipher to replace DES for protection of sensitive unclassified information. AES is– unclassified– publicly disclosed encryption– available royalty-free, worldwide– supports block sizes of at least 128 bits– supports key sizes of 128, 192, and 256 bits.
04/21/23 Distributed Systems - COMP 655 25
AES Selection criteria1. Security was the most important factor, including
– resistance to cryptanalysis
– soundness of mathematical basis
– randomness of the algorithm output
– relative security as compared to other candidates.
2. Cost was a second important area – licensing requirements
– speed on various platforms
– memory requirements
04/21/23 Distributed Systems - COMP 655 26
AES Selection Criteria continued
• Algorithm characteristics – Adaptability to larger key sizes– Adaptability to other applications,
including stream cipher, hash– Adaptability to various
implementation environments including software, firmware, hardware
– Overall simplicity
04/21/23 Distributed Systems - COMP 655 27
AES continued
• Winner was Rijndael (“Rhine-doll”)• NIST evaluation tested C and Java
implementations of the candidates• Implementations have also appeared
in Lisp, Pascal, JavaScript, C++, hardware, etc
• See the NIST crypto toolkit web site:http://csrc.nist.gov/CryptoToolkit/
04/21/23 Distributed Systems - COMP 655 28
RSA
• Widely used for public-key cryptosystems
• Relies on computational infeasibility of factoring a product of large primes
• A key set includes– d (decryption key)– e (encryption key)– n (product of large primes)
04/21/23 Distributed Systems - COMP 655 29
RSA continued• Publish n and one key, keep the other
key private• Which key gets published depends on
the problem you’re trying to solve– Publish encryption key for data
protection– Publish decryption key for authentication
• Expensive! (2-3 orders of magnitude slower than DES)
04/21/23 Distributed Systems - COMP 655 30
Cryptographic hash functions
• With encryption, they guard against modification
• (kind of like a checksum or check digit)• A hash computes a fixed-length summary
(or digest) of a string (message) that is hard to reproduce– Given a message m, it’s computationally
infeasible to find another message m’ such that H(m’) = H(m).
– And it’s even harder to find such an m’ that says what you want …
04/21/23 Distributed Systems - COMP 655 31
Using a cryptographic hash:digital signature
04/21/23 Distributed Systems - COMP 655 32
MD5
‘<<<‘ is a “circular shift”:10110001 <<< 3 = 10001101
04/21/23 Distributed Systems - COMP 655 33
SHA-1(from Adam Back’s web site)• SHA1 (Secure Hash Algorithm 1) is a
cryptographic message digest algorithm.• It is considered to be more secure than
MD5– it has longer hash size– Hans Dobbertin discovered a partial weakness
in the MD5 collision function.
• There was a SHA0 but it had some security problems which were fixed in SHA1.
http://www.cypherspace.org/adam/rsa/sha.html
04/21/23 Distributed Systems - COMP 655 34
Comp 655 - Security• Security basics• Encryption• Major functions of a security
system
04/21/23 Distributed Systems - COMP 655 35
Major functions of a security system
• Authentication• Authorization• Administration• Journaling• Intrusion detection
04/21/23 Distributed Systems - COMP 655 36
Authentication is …Checking that you are who you say
you are
04/21/23 Distributed Systems - COMP 655 37
Implementation – authentication in Kerberos
Kerberos• is a network authentication protocol• provides strong authentication for
client/server applications by using secret-key cryptography
• implementations are available commercially and free from MIT
• assumes black-hats are sniffing and spoofing everywhere
04/21/23 Distributed Systems - COMP 655 38
How Kerberos authentication works
TG Ticket Secret keySession key
Service ticket
04/21/23 Distributed Systems - COMP 655 39
Setting up a secure channel with Kerberos
How does Bob know KB,TGS?
It’s the session key he got at his login
04/21/23 Distributed Systems - COMP 655 40
Activity - authentication• When you talk to someone on the
phone, how do you know who it is?– List at least three ways– For each way, how can it be spoofed?
• If you suspect you’re being spoofed, how can you verify the other person’s identity?
• Same two questions for instant messaging
04/21/23 Distributed Systems - COMP 655 41
Major functions of a security system
• Authentication• Authorization• Administration• Journaling• Intrusion detection
04/21/23 Distributed Systems - COMP 655 42
Authorization is …Granting access to resources so that
the ability to create, read, update, or delete things is available only to those who are authorized.
04/21/23 Distributed Systems - COMP 655 43
Authorization - General
How will it decide?What data will it use?How will it enforce its decision?
04/21/23 Distributed Systems - COMP 655 44
ACLs vs Capabilities
04/21/23 Distributed Systems - COMP 655 45
Java Security• Top-priority problem: protect hosts
from damage or eavesdropping by mobile Java code.
• For applets, security is built on a co-ordinated authorization system called a “sandbox”.
04/21/23 Distributed Systems - COMP 655 46
Java Sandbox overview
04/21/23 Distributed Systems - COMP 655 47
SecurityManager
04/21/23 Distributed Systems - COMP 655 48
SecurityManager security = System.getSecurityManager();
if (security != null) { security.checkXXX(argument, . . . ); }
SecurityManager
04/21/23 Distributed Systems - COMP 655 49
Sandbox vs Playground
04/21/23 Distributed Systems - COMP 655 50
Leaning out of the sandbox …
• Object references as capabilities• Stack introspection• Name space management (bait-n-
switch based on class names)
04/21/23 Distributed Systems - COMP 655 51
Object reference as capability
04/21/23 Distributed Systems - COMP 655 52
Stack introspection
1. Method invocation forces a call to enable_privilege
2. enable_privilege examines the stack for a suitable privilege or prohibition
3. If OK, enable_privilege pushes a disable_privilege frame onto the stack
4. When method returns, disable_privilege turns privileges off
04/21/23 Distributed Systems - COMP 655 53
Major functions of a security system
• Authentication• Authorization• Administration• Journaling• Intrusion detection
04/21/23 Distributed Systems - COMP 655 54
Administrative functions• Setting up
– Exchanging secret keys– Publishing public keys– Granting privileges
• Tearing down– Removing privileges– Changing compromised secret keys– Revoking compromised public keys
• Managing trust– Adding or removing a server– Delegating privileges
04/21/23 Distributed Systems - COMP 655 55
Setup: Diffie-Hellman Key Exchange
For gory details: http://www.faqs.org/rfcs/rfc2631.html
Commercial application: Cisco’s IKE
IKE standard: RFC 2409(the patent expired in 1997)
04/21/23 Distributed Systems - COMP 655 56
Setup: exchanging secret keys
setup
04/21/23 Distributed Systems - COMP 655 57
Setup: publishing keys
If you have K+, how can you know that K- is actually possessed by the person or company you think it is?
04/21/23 Distributed Systems - COMP 655 58
Setup: establishing trust in public keys
• Usually, public keys are published in a certificate, consisting of– Public key– String identifying the owner– Digital signature of a certificate
authority
04/21/23 Distributed Systems - COMP 655 59
Example: “secure” web site
04/21/23 Distributed Systems - COMP 655 60
Example: certificates
04/21/23 Distributed Systems - COMP 655 61
Certificates on the path
04/21/23 Distributed Systems - COMP 655 62
Certification practice statement
https://www.verisign.com/repository/CPS2.1/cps2-1.pdf
Why is this such an elaborate document?
The simple fact is this: People are, and always have been, the most vulnerable aspect of any organization's security infrastructure …
and that means lawsuits
04/21/23 Distributed Systems - COMP 655 63
Certificate Revocation Lists
• The certificate was good at one time, but not anymore
• CAs publish their revocation lists, usually daily
• But clients rarely check
04/21/23 Distributed Systems - COMP 655 64
Major functions of a security system
• Authentication• Authorization• Administration• Journaling• Intrusion detection
http://www.informit.com/articles/article.asp?p=174342