Transcript Lecture 10 - Nipissing University Word

Lecture 10
Security of
Distributed and Network Systems
Ref. Chapter 10 and 13
1
Objectives





Clarify the fundamental security problems that arise in
distributed systems.
Show how distributed system security has changed
over the years becoming more ambitious in its goals.
Examine which system layer is best suited for
implementing security mechanisms in a distributed
system
Get an introduction of the design of network security
protocols, using the basic Internet security protocols
IPSC and SSL/TLS
Understand the principles of various firewall
technologies
2
Contents


Introduction
Authentication
Kerberos
 DSSA/SPX





Network Security
TCP/IP Security
SSL/TLS
Firewalls
3
Introduction


How do you authenticate a user?
What is the basis for access control?
User identity
 The network address
 The distributed services



Where do you authenticate a user?
Where do you make an access control decision?
4
Delegation


Delegation: A user may login at a local and then
execute a program on a remote node. To obtain
access to resources at the remote node, the program
will need the relevant access rights. Typically, the
program would be endowed with the access rights of
the user and then run with these access rights on the
remote node.
This mentions controlled invocation.
5
Authentication requirements


The goal is to provide the communication parties
with some assurance about other’s true identity
Password sniffers might listen to network traffic and
extract packets containing passwords and other
security-relevant information.
6
Kerberos authentication and key
distribution service

Secures communication with servers on a local network
Developed at MIT in the 1980s to provide security across a large
campus network > 5000 users
 based on Needham - Schroeder protocol
Standardized and now included in many operating systems
 Internet RFC 1510, OSF DCE
 BSD UNIX, Linux, Windows 2000, NT, XP, etc.
 Available from MIT
Kerberos server creates a shared secret key for any required server and
sends it (encrypted) to the user's computer
User's password is the initial secret shared with Kerberos




7
*
Kerberos Terminology


Kerberos authentication server (KAS): authenticates
principles at login and issues tickets, which is in
general are valid for one login session and enable
principals to obtain other tickets form ticket-granting
servers. Also called KDC
Ticket granting servers (TGSs): issue tickets that give
principals access to network services demanding
authentication.
8
Kerberos conventions











Ka : the secret cryptographic key of user A, derived from A’s password
with a one-way algorithm; KAS has copy of K a
Ktgs : a secret key shared by TGS and KAS
Kb : a secret key shared by the server B and TGS
Ka,tgs: a session key created by KAS for use between A and TGS
Ka,b: a session key created by TGS for use between A and B
eK(X): data packet X encrypted under key K;
N1, N2 : nonce (random challenges) to prevent replay attacks
L1, L2 : expiry date (lifetime) of tickets.
T1, T2,T3, T4: creation time of tickets or authenticators
Ticketa, tgs: ticket for A to use with TGS, created by KAS
Ticketa,b: ticket for A to use with B, created by TGS
9
System architecture
of Kerberos
Authentication
database
Authentication Service- KAS
Ticketgranting
service -TGS
2. TGS
ticket
Login
session setup
Step B
3. Request for
server ticket
4. Server ticket
•
•
tgs,,
L 1, N 1)
A->TGS: A, B, L2, N2, Ticketa, tgs,
eKa, tgs(A, T3)
TGS->A: eK a, tgs(B, Ka,b, Ticketa,
b, L2, N2)
A->B: eKa,b(A, T4), Ticketa,b
B->A: eKa,b (T4)
Ticketa, tgs =eKtgs(Ka, tgs, A, T1, L1)
Ticketa,b =eKb(Ka,b, A, T1, L1)
Step C
5. Service
request
Server
session setup
Request encrypted with session key
DoOperation
Reply encrypted with session key
Step A once per login session
Service
function
Step B once per server session
Step C once per server transaction
6. Service reply
A
•
•
Kerberos Key Distribution Centre
Step A
1. Request for
TGS ticket
Needham-Schroeder Protocol
• A-> KAS: A, TGS, L1, N1
• KAS->A: eK a(TGS, Ka, tgs, Ticketa,
B
10
*
Kerberized NFS


Kerberos protocol is too costly to apply on each NFS operation
Kerberos is used in the mount service:



For each file request:




to authenticate the user's identity
User's UserID and GroupID are stored at the server with the client's IP address
UserID and GroupID are sent encrypted in the shared session key
The UserID and GroupID must match those stored at the server
IP addresses must also match
This approach has some problems


can't accommodate multiple users sharing the same client computer
all remote filestores must be mounted each time a user logs in
11
*
Revocation




Update the database so that the access rights are no
longer available.
Next session, the principle is revoked.
The current ticket is valid until they expire.
Expire period trade-off:
Long: less security, more convenience for the principle
 Short: more security, less convenience for the principle

12
Realms





KAS is the heart
Principals, Keys and access rights must be in the
KAS or TGS
It is a centralized security system
A single security policy is enforced
It is relatively easy to check that the system set-up
complies with the security policy and to implement
changes
13
Summary of Kerberos








Timeliness of messages is checked by time stamps.
Checking of time stamps allows for some clock skew.
Servers have to be on-line.
Session keys are generated by Kerberos servers.
Kerberos does not address the delegation of privileges
(tickets)
Password guessing and password spoofing attacks are
possible.
Keys and tickets are held on the clients machine.
It is important to distinguish the security of the protocol
itself from the security of implementations of Kerberos.
14
DSSA/SPX



DSSA (Distributed system security architecture) is developed by DEC
SPX (Sequenced Packet Exchange) is a part of DSSA
The authentication in SPX






Credentials: name
Certificates: binding name to public keys
Authentication tokens.
Certification authority (CA): issues public key certificates
Certificate distribution center (CDC): stores the certificates issued by a
CA.
A certificate can be revoked by maintaining a certificate revocation list.
15
SPX conventions








Sp : the private signature key of principle P
Pa, Sa : the long-term public key and long-term private key of A
P’a, S’a :the short-term public key and short-term private key of
A
Ka,b: a session key created by A for use between A and B in a
symmetric encryption algorithm
eK(X): data packet X encrypted under key K
sK(X): digital signature of data packet X generated with key K
T: a time stamp
Lc, Lt : expiry date of a certificate or a ticket
16
The DSSA/SPX authentication Protocol
A-> CDC: B
2)
CDC-> A: Certificate (B, CAa)
1
3)
A->B: A, eKa,b(T,A), sSa(Lt, A, P’a),
ePb(Ka, b), eKa,b (S’a)
4)
B->CDC: A
A
5)
CDC->B: certificate(A, CAb)
6)
B-> A: eKa,b(T)
Note: Certificate (B, CAa) = sSCAa(CAb, B,
Lc, Pb)
CDC
1)
6
2
5
3
4
B
17
Security API



Security requirements in a DS often exceed mere
authentication.
Different components in a DS will not necessarily
use the same security mechanisms.
Users and application writers are not necessarily
security experts.
18
GSS (General Security Services)-API

GSS-API provides a simple interface to security
services for connection-oriented applications.

Mechanism independence:


Protocol environment independence:


Mechanisms such as symmetric or asymmetric
Such as connection-oriented or data packet communication
Suitability to a range of implementation placements

May reside in a TCB or not
19
GSS-API Characteristics and Concepts

Functions:




Data conversion
Call interfacing with each known mechanism
Hide the details of the mechanism from applications
The basic elements:




Credentials: security-relevant data
Tokens: Formatted data used to call the API interfaces.
Security context: the information related to the management of the
security services
Status code: to indicate which feature are desired. P176-177
20
GSS-API Interface Descriptions

Credential management calls


Context-level calls


To provide cryptographic integrity and confidentiality protection
Support calls:


Initiation, acceptance and deletion of contexts…
Per-message calls


Allow a principal to acquire and release credentials, and inquire
about various credential information
General housekeeping and support routines, such as freeing
memory spaces, name comparison
P177-178
21
API and security

Security services depend on:
Proper implementation of relevant mechanisms
 Proper security management

Key generation
 Key storage
 Key transport
 Key usage


Key management is entirely above the APIs
22
Access Control in DS
Three approaches
for protection
against security
threats

a)
b)
c)
Protection against
invalid operations
Protection against
unauthorized
invocations
Protection against
unauthorized users
23
Summary for DS security




It is essential to protect the resources, communication
channels and interfaces of distributed systems and
applications against attacks.
This is achieved by the use of access control mechanisms
and secure channels.
Public-key and secret-key cryptography provide the basis for
authentication and for secure communication.
Kerberos are widely-used system components that support
authenticated communication.
24
*
Network security
Send and receive
 Data Transportation
 Sequence of signals
 Resemble and present
 Route
 Loss and corruption of data

25
Sniffing and spoofing


A packet sniffer is a wire-tap devices that plugs into computer
networks and eavesdrops on the network traffic. Like a telephone
wiretap allows the FBI to listen in on other people's
conversations, a "sniffing" program lets someone listen in on
computer conversations.
Web Spoofing is a security attack that allows an adversary to
observe and modify all web pages sent to the victim's machine,
and observe all information entered into forms by the victim.
The attacker can observe and modify all web pages and form
submissions, even when the browser's "secure connection"
indicator is lit. The user sees no indication that anything is
wrong.
26
ISO/OSI Security Architecture





Data confidentiality:
Data integrity
Data origin authentication: to corroborate the source
Peer-entity authentication: to verify the identity of a
peer entity
Non-repudiation: to create evidence that data has
been sent or received. (proof of origin and delivery)
27
28
Package-Encapsulation
29
Network Security Issues






Sharing
Complexity
Perimeter
Points of attack
Anonymity
Unknown path
30
The Internet layers

Actual four layers
Application layer: Telnet, FTP, HTTP, SMTP or SET
 Transport layer: TCP, UDP
 Internet layer: IP
 Interface layers: the Network Interface Card (Physical)

31
TCP/IP Security



IPSEC (IP Security ) provides security for every one using
IP without changing the interface to IP.
The IP authentication header (AH), covered in RFC 1826
The IP encapsulating security payload (ESP), covered in
RFC 1827

Transport mode:


encrypts only the data portion (payload) of each packet, but leaves the header
untouched.
Tunnel mode:

encrypts both the header and the payload. On the receiving side, an IPSeccompliant device decrypts each packet.
32
Location and syntax of the
authentication header
8 bits
8 bits
16 bits
Next header Payload length Reserved
Security parameters index
32 bits
Sequence number field
32 bits
Authentication data
IPv6 header
32 bits
MAC or
Digital signature
Hop-by-hop routing Auth. Header Dest. Options TCP Data
33
Authentication header for tunnel mode
New IP
header
Ext. header AH Orig. IP Ext. header TCP Data
if present
if present
header
The ESP Header
Security parameters index
Opaque transform data
IP
header
Other IP
header
ESP
header
Encapsulated
data
34
Secure Socket Layer Protocol
 SSL was developed by Netscape for electronic transaction
security. (TLS –Transport Layer Security is similar to it)
 A protocol layer is added below the application layer for:
 Negotiating encryption and authentication methods.
 Bootstrapping secure communication
 It consists of two layers:
The Record Protocol Layer implements a secure channel
by encrypting and authenticating messages
 The Handshake Layer establishes and maintains a secure
session between two nodes.
35
SSL Protocol Stack
SSL
Handshake
protocol
SSL Change
Cipher Spec
SSL Alert
Protocol
HTTP
Telnet
SSL Record Protocol
Transport layer (usually TCP)
Network layer (usually IP)
SSL protocols:
Other protocols:
36
SSL Record Protocol

The record protocol takes
an application message to
be transmitted
fragments the data into
manageable blocks
 optionally compresses the
data
 computes a message
authentication code (MAC)
 encrypts
 adds a header.

abcdefghi
Application data
Fragment/combine
Record protocol units
abc
def
ghi
Compress
Compressed units
Hash
MAC
Encrypt
Encrypted
Transmit
TCP packet
37
SSL Handshake
Protocol
Cipher suite: a list of cryptographic
algorithm supported by the client
Phase 1: Establish security capabilities
Es tablis h prot oc ol version, s es sion ID,
cipher suite, c ompres sion method,
ex change random v alues
ClientHello
ServerHello
Phase 2: Sever authentication and key exchange
Certif icate
Opt ionally s end server certif ic ate and
Certif icate Reques t
request client certif ic ate
ServerHelloDone
Phase 3: Client authentication and key exchange
Client
Certif icate
Certif icate Verif y
Phase 4: Finish
Server
S end client certif icate res pons e if
request ed
Change Cipher Spec
Finished
Change Cipher Spec
Finished
Change cipher suite and f inis h
handshake
The client sends a change Cipher Spec
message and copies the pending
CipherSpec into the current CipherSpec.
38
An Example

M1:

ClientHello:


ClientRandom[28]
Sugessted Cipher Suites:





Suggested Compression Algorithm: none
ServerHello:


ServerRandom[28]
Use Cipher Suite:









M3:



A: ClientKeyExchange: RSA_Encrypt
B: ChangeCipherSpec: NONE
C: Finished: MD5(M1||M2||M3A) SHA
(M1||M2||M3A)
M4:


A: ChangeCipherSpec: NONE
B: Finished: MD5(M1||M2||M3A||M3C) SHA
(M1||M2||M3A||M3C)
TLS_RSA_WITH_IDEA_CBC_SHA
Session ID: 0x00372d4XS
Certificate:


TLS_RSA_WITH_IDEA_CBC_SHA
TLS_RSA_WITH_DES_CBC_SHA
TLS_RSA_EXPORT_WITH_DES40_CBC_SHA 
M2:


Subject:
Public Key:
Issuer:
Subject:
Public Key:
Issuer:
Server Done: None
39
Firewalls



Firewall: the general name for any security system protecting
the boundary of an internal network.
Bastion host: a computer system with strong security as it is
exposed to the outside world.
Tasks of a firewall:






AC based on sender or receiver addresses
AC based on the service requested
Hiding the internal network (topology, addresses, traffic)
Virus checking on incoming messages
Authentication based on source of traffic
Logging of Internet activities.
40
Packet Filtering


Operates as a router and makes decisions as to whether or not to pass
a packet based on its source/destination addresses.

Source addresses

Destination addresses

Protocol

Connection
The gateway on the outside LAN protects against incoming packets.
The gateway on the inside LAN protects against outgoing packets.
41
Proxy Servers



To implement policies based on user identities and
hide information about the internal network
Another example of controlled invocation.
It intercepts the client’s request and decides whether
it is permitted according to its security rules.
42
Firewall Filtering

Firewall filtering can be done at diff. levels
TCP
gateway: checks all TCP connection requests and segment
transmissions. TCP segments will be checked for correctness
and may be routed to an application-level gateway for content
checking.

Application-level filtering (proxy gateway): inspects the
content of incoming/outgoing messages.
 To
prevent applets to be downloaded to the inside LAN, all Web
traffic could be directed through a Web proxy gateway. The gateway
accepts regular HTTP requests, but may discard certain
requests/pages.
43
Firewall Configuration
A
common implementation of a firewall.
44
Network Security Specialties
More Intruders
45
Three Classes of Intruders



Masquerader – unauthorized user who penetrates a system
exploiting a legitimate user’s account (outside)
Misfeasor - legitimate user who makes unauthorized accesses
or misuses his privileges (inside)
Clandestine user - seizes supervisory control to evade
auditing and access controls or suppress audit collection
(inside|outside)
46
Intruders
Intruder attacks range from benign to serious:
 Benign intruders tolerable but consume resources
 Difficult to know in advance the type of intruder
 Really growing problem


globalization
the move to Client/Server architectures
47
Attack Sophistication vs.
Intruder Technical Knowledge
Auto
Coordinated
Tools
Cross site scripting
“stealth” / advanced
scanning techniques
High
Staged
packet spoofing denial of service
sniffers
Intruder
Knowledge
sweepers
GUI
distributed
attack tools
www attacks
automated probes/scans
back doors
network mgmt. diagnostics
disabling audits
hijacking
burglaries sessions
Attack
Sophistication
exploiting known vulnerabilities
password cracking
self-replicating code
Intruders
password guessing
Low
1980
1985
1990
1995
2000
Source: Carnegie Mellon University
48
Summary


Introduction
Authentication
Kerberos
 DSSA/SPX





Network Security
TCP/IP Security
SSL/TLS
Firewalls
49