Security In Distributed Systems

1
Security In Distributed Systems

• Erik Schneider
• 4/25/2007

2
What is a Distributed System?

• Description
• Architectures
• Client / Server
• Distributed Object
• Peer to peer
• Service Oriented

3
Client / Server Architecture

• Thin Client vs. Fat Client
• Tiered Architecture

4
Distributed Object Architecture
5
Peer-to-Peer Architecture

• Examples
• Napster
• Gnutella
• Computations may be carried out by any node in
  the network
• Links between any two nodes that are know to each
  other

6
Service Oriented Architecture

• Loosely coupled services on a network
• Smaller, more compact applications
• Reactive and adaptive applications

7
What is Security?

• Integrity
• Authentication
• Authorization
• Confidentiality
• Non-repudiation

8
Who to be afraid of?

• Everyone!

9
Security Threats

• Packet Sniffing
• Replay Attack
• Masquerade Attack
• Denial of Service
• Malicious Code

10
Authentication

• Passwords
• Password Salting
• Challenge / Response
• One-time passwords
• Biometrics
• Digital Certificates

11
Authorization

• Access Control Lists
• Capabilities
• Application Level

12
Access Control Lists

• List of permission attached to an object
• Categories
• Discretionary
• Mandatory
• Role based
• Convenience

13
Capabilities

• Tokens
• Shared between processes
• Possession grants permission
• Like file descriptors
• Confused Deputy Problem

14
Application Level

• Be Creative

15
Confidentiality

• Encryption
• Public Key
• Private Key
• Protocols
• TSL
• HTTPS

16
Public Key Encryption

• AKA Asymmetric cryptography
• Pair of keys, public and private
• Locked mailbox with a mail slot analogy
• Authentication of public keys
• PKI, PGP
• Computationally intensive

17
Private Key Encryption

• AKA Symmetric key algorithm
• Algorithm Types
• Stream Ciphers
• Block Ciphers
• Less computationally intensive than public key
• Have to keep both keys a secret on both ends
  unless its useless
• Difficult key management

18
TSL

• Cryptographic protocol for secure communication
• Endpoint authentication
• Public key-based key exchange and
  certificate-based authentication
• Symmetric cipher-based traffic encryption
• Handshaking

19
HTTPS

• Secure HTTP connection
• Combination of HTTP and TSL
• Prevent eavesdropping

20
Non-repudiation

• Digital Signatures
• Message Transfer Agents
• Third party for proof

21
Digital Signatures

• Type of asymmetric cryptography
• Sealing of an envelope analogy
• Used for Public Key Infrastructure
• Consists of three algorithms
• Key generation
• Signing
• Signature verification
• Benefits
• Authentication
• Integrity

22
Technologies

• DCE
• Kerberos
• Active Directory

23
Questions

• ?

24
References

• Bruce, Glen Dempsey, Rob Security in Distributed
  Computing. Hewlett-Packard Co 1997
• Tanenbaum, Andrew Modern Operating Systems.
  Prentice-Hall 2006
• Sommerville, Ian Software Engineering. 2004
• http//en.wikipedia.org/wiki/Computer_security
• http//en.wikipedia.org/wiki/Encryption
• http//www.nihilent.com/white_papers/information_s
  ecurity_attacks.pdf