CTIS 490 DISTRIBUTED SYSTEMS

1
CTIS 490DISTRIBUTED SYSTEMS

• WEEK 6
• DISTRIBUTED SYSTEMS
• SECURITY

2
INTRODUCTION

• Security plays an extremely important role in
  distributed systems.
• A distributed system should provide the
  mechanisms that allow a variety of different
  security policies to be enforced.
• There are three important issues related to
  distributed systems security
• A distributed system should offer facilities to
  establish secure channels between processes. A
  secure channel provides the means to mutually
  authenticate the communicating parties and
  protect messages against tampering during their
  transmission.

3
INTRODUCTION

• A distributed system should offer facilities for
  authorization and access control. Authorization
  deals with protecting resources in such a way
  that only processes that have proper access
  rights can use the resources. Related to access
  control is firewalls, mobile code, and
  denial-of-service attacks.
• A distributed system should offer facilities for
  security management dealing with key management
  and authorization management.

4
INTRODUCTION

• Information security is the process of protecting
  data from unauthorized access, disclosure,
  destruction, modification, and interruption.
• The generic name for the collection of tools
  designed to protect data and stop hackers is
  called computer security.
• Network security protects data during its
  transmission and guarantees that it is authentic.

5
SECURITY POLICY

• Simply stating that a distributed system should
  be able to protect itself against all possible
  security threats is not the way to build a secure
  system.
• What is first needed is a description of security
  requirements, which is called a security policy.
• A security policy describes precisely which
  actions the entities in a system are allowed to
  take and which ones are prohibited.
• Entities include users, services, data, etc.

6
SECURITY REQUIREMENTS

• Confidentiality Requires that data be
  accessible only by authorized parties. This type
  of access includes printing, displaying, and
  other forms of disclosure.
• Integrity Requires that only authorized parties
  can modify data. Modification includes writing,
  deleting, and creating.
• Authenticity (and also Non-repudiation)
  Requires that a host or service be able to verify
  the identity of a user. Ensures that the sender
  has strong evidence that the receiver has
  received the message, and the receiver has strong
  evidence of the sender identity.
• Availability Requires that data be available to
  authorized parties.

7
SECURITY ATTACKS

• Interception (eavesdropping) unauthorized party
  gains access to service or data. For example,
  communication between two parties has been
  overheard or illegal copying of file.
• Interruption (denial of service) services or
  data become unavailable. For example, someone
  maliciously attempts to make service
  inaccessible.
• Modification unauthorized party changes the
  data or tampers with the service. For example,
  intercepting and changing transmitted data or
  logging the activities of a user.
• Fabrication unauthorized party generate
  additional data or activity. For example,
  replaying of previously sent messages.

8
SECURITY MECHANISMS

• Encryption It transforms data into something an
  attacker cannot understand. It provides a
  mechanism to implement confidentiality and
  integrity.
• Authentication Used to verify the claimed
  identity of a user, client, server, host, or
  other entity. Typically, users are authenticated
  by means of passwords, but there are many other
  ways.
• Authorization Used to verify and grant access
  rights to resources.
• Auditing tools Used to trace which clients
  accessed to what and which way. Although it does
  not provide any protection against security
  threats, they are useful for analysis of a
  security breach.

9
CRYPTOGRAPGY

• Fundamental to security in distributed systems is
  the use of cryptographic techniques based on
  encryption and decryption key(s).

10
CRYPTOGRAPGY

• An intruder may intercepts the message without
  either the sender or receiver being aware that
  eavesdropping is happening (loss of
  confidentiality).
• An intruder may modify the message by decrypting
  and encrypting again (loss of integrity).
• An intruder may insert encrypted messages as if
  they are coming from the sender (loss of
  authenticity).

11
CRYPTOSYSTEMS

• There are two types of cryptosystems
• Symmetric cryptosystems The same key is used to
  encrypt and decrypt a message. They are also
  referred as secret-key or shared-key systems,
  because sender and receiver are required to share
  the same key.
• P DK(EK(P))
• Asymmetric cryptosystems Encryption and
  decryption keys are different, but together they
  form a unique pair. One of the keys is kept
  private and the other key made public. For this
  reason, asymmetric cryptosystems are also
  referred as public-key systems.
• P DKD(EKE(P))

12
HASH FUNCTIONS

• Another application of cryptography in
  distributed systems is the use of hash functions.
• A hash function H takes a message m of arbitrary
  length as input and produces a bit string h
  having a fixed length as output
• h H (m)
• A hash h is somewhat comparable to the extra bits
  that are appended to a message in communication
  systems to allow for error detection, such as
  cyclic-redundancy check (CRC).

13
CRYPTOGRAPHIC ALGORITMS

• There are several cryptographic algorithms, but
  it is beyond our scope to discuss any of these
  algorithms in detail.
• Three most common cryptographic algorithms are
• Data Encryption Standard (DES) used for
  symmetric cryptosystems.
• RSA (Named after its inventors Rivest, Shamir,
  and Adleman) - used for asymmetric cryptosystems.
• Message Digest 5 (MD5) is a hash function for
  computing a 128-bit, fixed length message digest
  from an arbitrary length binary input string.

14
AUTHENTICATION

• Authentication and message integrity cannot do
  without each other.
• In other words, authentication is meaningless if
  message integrity cannot be provided.
• Also, message integrity is useless if the sender
  cannot be authenticated.
• For example, assume that Alice and Bob want to
  communicate, and Alice starts by sending a
  message.

15
AUTHENTICATION BASED ON A SHARED SECRET KEY

• This protocol is called challenge-response
  protocol whereby one party challenges the other
  to a response that can be correct only if the
  other knows the shared secret key (It is like
  asking the parola).

16
AUTHENTICATION BASED ON A SHARED SECRET KEY

• When Alice wants to set up a secure channel, she
  sends her identity to Bob (1).
• Bob sends a challenge to Alice (2).
• Alice encrypts the challenge and sends it to Bob
  (3).
• Alice sends a challenge to Bob (4).
• Bob encrypts the challenge and sends it to Alice
  (5).

17
AUTHENTICATION USING A KEY DISTRIBUTION CENTER

• If a distributed system contains N hosts, each
  host has to mange N-1 keys, and the system as a
  whole needs to manage N(N-1)/2 keys.
• An alternative is to use a centralized approach
  by means of Key Distribution Center (KDC) so that
  it shares a key with each host but no pair of
  hosts is required to have a secret key. As a
  result, only N keys are managed.

18
AUTHENTICATION USING PUBLIC-KEY CRYPTOGRAPHY

• Alice sends a challenge RA to Bob encrypted with
  his public key KB (1).
• Bob decrypts Alices challenge RA with his
  private key and sends it to Alice along with his
  challenge RB. He also generates a session key
  KA,B that can be used for further communication.
  All three of them are encrypted using Alices
  public key KA (2).
• Alice returns her response to Bobs challenge
  using the session key KA,B generated by Bob. In
  this way, she will prove that she can decrypt
  message (2), and thus she is actually Alice to
  whom Bob is talking (3).

19
MESSAGE INTEGRITY AND CONFIDENTIALITY

• Message integrity often goes beyond the actual
  transfer through a secure channel.
• First, message should be digitally signed in such
  a way that it is uniquely tied to its content
  (think about a bank transaction).
• Second, if the signature can be verified to be
  authentic, the person who sent the message cannot
  later deny.

20
DIGITAL SIGNATURES USING PUBLIC-KEY CRYPTOGRAPHY

• Digital signing of a message using public-key
  cryptography.

21
DIGITAL SIGNATURES USING A MESSAGE DIGEST

• Alice computes a message digest and encrypt the
  digest with her private key.
• The encrypted digest is sent along with the
  message to Bob.
• Note that the message itself is sent as
  plaintext everyone is allowed to read it.
• If confidentiality is required, then the message
  should also be encrypted with Bobs bublic key.
• Bob descrypt with Alices public key and
  calculates the message digest.

22
ACCESS CONTROL

• Formally, verifying access rights is referred to
  as access control, whereas authorization means
  granting access rights. These two terms are
  related and used in an interchangable way.
• Protection is often enforced by a program called
  reference monitor.
• The reference monitor is called by the underlying
  operating system each time an object is invoked.

23
ACCESS CONTROL

• Controlling the access to an object is about
  protecting the object against invocations by
  subjects that are not allowed.
• Also, protection may include object management
  issues, such as creating, renaming, or deleting
  objects.
• A common approach to modeling the access rights
  of subjects with respect to objects is to
  construct an Access Control Matrix (ACM).
• Each subject is represented by a row and each
  object is represented by a column.
• Another widely-used approach is to have each
  object maintain a list of the access rights of
  subjects . This means that the matrix is
  distributed column-wise across all objects. This
  type of implementation is called Access Control
  List (ACL).

24
FIREWALLS

• External access to any part of a distributed
  system is controlled by a special kind of
  reference monitor known as firewall.
• A firewall disconnects any part of a distributed
  system from the outside world.

25
FIREWALLS

• There are two types of firewalls
• Packet-filtering gateway operates as a router
  and makes decisons as to whether or not to pass a
  network packet based on the source and
  destination address contained in the header. For
  example, if a companys network consists of
  multiple LANs, only the packets from other LANs
  can be allowed. In this way, a private virtual
  network can be set up.
• Application-level gateway inspects the contents
  of incoming or outgoing message. For example, a
  mail gateway that disregards a message exceeding
  certain size and filters spam email.

26
DENIAL OF SERVICE

• Another type of attack that is related to access
  control is maliciously preventing authorized
  processes from accessing resources.
• Defenses against such Denial of Service (DoS)
  attacks are becoming increasingly important as
  distributed systems are opened up through the
  Internet.
• There are two types of DoS
• Aimed at bandwidth depletion sending many
  messages
• Aimed at resource depletion initiate huge
  amounts of connections
• To prevent DoS attack, an organization must have
  routers further in the Internet, and routers
  should start dropping packets when they suspect
  an attack is going on before they reach to the
  organizations network.