Distributed Systems

1
Distributed Systems

• lecture 15 - 07/11/07
• Security

2
Modalità desame e appelli

• ... Esame orale classico, negli appelli
  ufficiali...(dicembre-gennaio, marzo,
  agosto-settembre)
• Lesame consiste in una prova orale
• Ogni studente può sempre scegliere la modalità
  standard
• nessun vincolo alla partecipazione ai 5 appelli

3
... in alternativa ...

• Prova scritta, mercoledì 28 novembre alle 8.30
  (durata 1 ora e mezza), aula Be
• Approfondimento relativo ad un articolo
  scientifico apparso su conferenze recenti (2007)

4

• Presentazione 25 minuti 5 minuti per domande.
  in sessioni di 6 presentazioni, a partire dal 10
  dicembre, con calendario da concordare ...
• Si valuta
• la comprensione
• Linquadramento nella letteratura corrente
• la valutazione critica

5

• Individuato larticolo di interesse, inviare una
  mail al docente e attendere una conferma
  definitiva
• via email...subject SD07
• Entro il 26 novembre
• Pubblicazione calendario ...ultima settimana di
  lezione

6
alcune conferenze

• Twenty-Sixth Annual ACM SIGACT-SIGOPS Symposium
  on Principles of Distributed Computing (PODC
  2007) http//www.podc.org/podc2007/
• ICDCS 2007 The 27th International Conference on
  Distributed Computing Systems http//www.eecg.utor
  onto.ca/icdcs07
• OPODIS'07, 11th International Conference On
  Principles Of Distributed Systems
• The Thirteenth International Conference on
  Parallel and Distributed Systems (ICPADS 07)

7
Some topics ...

• Ubiquitous Computing
• Web Services
• Peer-to-peer Computing
• Collaborative Computing
• Pervasive Computing
• Cluster Computing
• Distributed Agents
• Distributed Databases

8
...more topics...

• Distributed Storage
• Distributed Media
• Distributed Sensing
• Distributed Algorithms
• Distributed Filesystems
• Grid computing
• Globus
• Real-Time and Embedded Systems

9
... more and more topics

• Software architectures
• Application deployment
• Languages
• Extension to shared memory
• Dependable Systems
• Massively parallel systems
• Mobile and wireless issues
• Security issues
• .........

10

• Group communication
• A unique secret key
• pairs of secret key
• Public key cryptosys
• Majority mechanism authentication

11
Secure Replicated Servers

• Sharing a secret signature in a group of
  replicated servers.

12
second solution

• Broadcast solution among servers
• Compute signature from c1 messages
• Send the answer and the set of signatures

13
General Issues in Access Control

• A general model

14
..ACL

• an Access Control List is a key allowing the
  object to know the subjects that want to access
  its method.
• Format ltsubject id, required operationsgt
• Problems eavesdropping, difficulty of
  cancellation

15
Access Control Matrix

• Using an ACL for protecting objects.

16
Capability

• a capability is a key allowing the holder to
  access one or more of the operations supported by
  a resource.
• Format ltresource id, permitted operations,
  authentication codegt
• Problems eavesdropping, difficulty of
  cancellation

17
Access Control Matrix

• Using capabilities for protecting objects.

18
Protection Domains

• The hierarchical organization of protection
  domains as groups of users.

19

• certificates
• roles

20
Firewalls

• A common implementation of a firewall.

21

• packet filtering gateway
• application-level gateway
• proxy gateway

22
(No Transcript)
23
Key Establishment

• The principle of Diffie-Hellman key exchange.

24
Key Distribution

• Secret-key distribution

25
Key Distribution

• Public-key distribution

26
Secure Group Management

• Securely admitting a new group member

27

• The speaks for idea
• We don't want users to have to give their
  password every time their PC accesses a server
  holding protected resources.
• Requests to access resources must be accompanied
  by credentials

28
credentials

• Evidence for the requesting principal's right to
  access the resource
• Simplest case an identity certificate for the
  principal, signed by the principal.
• Credentials can be used in combination. E.g. to
  send an authenticated email as a member of
  University of Padova, I would need to present a
  certificate of membership of UP and a certificate
  of my email address.

29
Delegation a simple example

• Consider a server that prints files
• wasteful to copy the files, should access users'
  files in situ
• server must be given restricted and temporary
  rights to access protected files

30
Certificates

• Certificate a statement signed by an appropriate
  authority.
• Certificates require
• An agreed standard format
• Agreement on the construction of chains of
  trust.
• Expiry dates, so that certificates can be
  revoked.

31
Certificates
Alices bank account certificate
32
X509 Certificate format
33
Certificates as credentials

• Certificates can act as credentials
• Evidence for a principal's right to access a
  resource
• The two certificates shown in the next slide
  could act as credentials for Alice to operate on
  her bank account
• She would need to add her public key certificate

34
(No Transcript)
35
a delegation certificate

• a delegation certificate is a signed request
  authorizing another principal to access a named
  resource in a restricted manner.
• The temporal restriction can be achieved by
  adding expiry times.
• CORBA Security Service supports delegation
  certificates

36
Biometrics

• Fingerprints, irix, face, voice, gesture etc
• Multibiometrics
• Systems

37
Delegation (2)

• Figure 9-39. Using a proxy to delegate and prove
  ownership of access rights.

38
Summary

• It is essential to protect resources,
  communication channels and interfaces of
  distributed systems and applications against
  attacks.
• This is achieved by the use of access control
  mechanisms and secure channels.
• Public-key and secret-key cryptography provide
  the basis for authentication and for secure
  communication.

39
Distributed Systems

• end of lecture 15