Security and Authentication

CS-4513
Distributed Computing Systems
(Slides include materials from Operating System Concepts, 7th ed., by Silberschatz, Galvin, & Gagne;
Distributed Systems: Principles & Paradigms, 2nd ed., by Tanenbaum and Van Steen; and
Modern Operating Systems, 2nd ed., by Tanenbaum)




CS-4513 D-term 2008                               Security and                               1
                                                 Authentication
                      Reading Material

• Tanenbaum, Modern Operating Systems, Chapter 9
      – Security and threats
      – Viruses
            • How to write and detect!
      – Protection – implementation of security
• Silberschatz, Chapters 14-15
      – Protection
      – Security
• Tanenbaum & Van Steen
      – Chapter 9

                        Puzzle

• Alice wishes to send secret message to Bob
      – She places message in impenetrable box
      – Locks the box with unbreakable padlock
      – Sends locked box to Bob

• Problem: Bob has no key to unlock box
      – No feasible way to securely send key to Bob

• How does Bob retrieve message?
                       Answer

• Bob adds 2nd unbreakable padlock to box
      – Locks with own key
      – Sends box back to Alice (with two padlocks!)
• Alice unlocks and removes her lock
      – Sends box back to Bob
• Bob unlocks his lock
      – Opens box and reads message

• What could go wrong?
                       Authentication

• How does a system (distributed or not) know
  who it is talking to?

• Who do I say that I am?

• How can I verify that?
            • Something I know (that nobody else should know)
            • Something I have (that nobody else should have)
            • Something I am (that nobody else should be…)

            Threats against Authentication

I want to pretend to be you:
• I can steal your password
      – the sticky note on your monitor or the list in your desk
        drawer
      – by monitoring your communications or looking over
        your shoulder
• I can guess your password
      – particularly useful if I can also guess your user name
• I can get between you and the system you are
  talking to
Getting between you and system you are talking to




                       Login Spoof

• I create a login screen in my process
      – On a public machine
      – Looks exactly like real one
• You log into system
      – My login process records your user ID and password
      – Logs you in normally


• Result: I have gotten between you and system
  without your knowledge
      – Also, I have stolen your user ID and password
               The Trouble with Passwords

•   They are given away
•   They are too easy to guess
•   They are used too often
•   There are too many of them
•   They are used in too many places




           Some ways around the problem

• Better passwords
      – longer
      – larger character set
      – more random in nature/encrypted


• Used less often
      – changed frequently, one system per password
      – challenge/response – use only once

        The Challenge/Response Protocol


Art                                                         Mary
       ------- Hello, I'm Art ----------------------------->
       <------ Decrypt this: {R}P --------------------------
       ------- R ----------------------------------------->
       <------ Hello Art! How can I help you? ------------

({R}P denotes the random challenge R encrypted under Art's password P; only
a party holding P can recover R, and a fresh R is used for every login.)

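The exchange above as an added example that is not from the slides: Mary issues a fresh random challenge R and Art proves knowledge of the shared secret P by returning a keyed hash over R instead of decrypting {R}P (a swapped-in HMAC response, since the Python standard library has no block cipher); the secret never crosses the wire and each challenge is consumed once, so a recorded response is useless later. The user name and the secret value are constructed.

```python
import hashlib
import hmac
import secrets

# Constructed sample secret shared by Art (prover) and Mary (verifier).
# Hypothetical value for illustration only.
SHARED_SECRET = b"constructed-example-password"


def prover_response(secret: bytes, challenge: bytes) -> bytes:
    """Art's side: answer the challenge with HMAC(secret, R).
    This stands in for 'decrypt {R}P and return R': it proves Art holds
    the secret without ever transmitting it."""
    return hmac.new(secret, challenge, hashlib.sha256).digest()


class Verifier:
    """Mary's side of the challenge/response login."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret
        self._outstanding: dict[str, bytes] = {}  # user -> unanswered R

    def challenge(self, user: str) -> bytes:
        """'Hello, I'm Art' arrives: issue a fresh random R, used only once."""
        r = secrets.token_bytes(16)
        self._outstanding[user] = r
        return r

    def verify(self, user: str, response: bytes) -> bool:
        """Check the response against Mary's own computation over R.
        The challenge is removed whether or not the check succeeds, so a
        recorded response cannot be replayed against a later attempt."""
        r = self._outstanding.pop(user, None)
        if r is None:
            return False  # no challenge outstanding: stale or replayed answer
        expected = hmac.new(self._secret, r, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)  # constant-time compare


def login(verifier: Verifier, user: str, art_secret: bytes) -> bool:
    """Run the four-message exchange and report whether Mary accepts Art."""
    r = verifier.challenge(user)                   # Mary -> Art: challenge R
    answer = prover_response(art_secret, r)        # Art -> Mary: f(R, P)
    return verifier.verify(user, answer)           # Mary: "Hello Art!" or refuse


if __name__ == "__main__":
    mary = Verifier(SHARED_SECRET)
    print("genuine Art:", login(mary, "Art", SHARED_SECRET))
    print("impostor:   ", login(mary, "Art", b"guessed-password"))
```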
Threat: Steal passwords from the system


• Don’t keep them in an obvious place
• Encrypt them so that version seen by system
  is not same as what user enters
• … or version on the wire
• …… or version used last time


      Too many passwords to remember?

• Third-party authentication
      – Get someone to vouch for you

• The basics: “This guy says you know him..”
     “Yes, I trust him, so you should too..”

• Kerberos – Certificate-based authentication
  within a trust community
                      What is in a certificate?

•   Who issued it
•   When was it issued
•   For what purpose was it issued
•   For what time frame is it valid
•   (possibly other application-specific data)
•   A “signature” that proves it has not been
    forged

Systems and Networks Are Not Different

• Same basic rules about code behavior apply
• Same authentication rules apply
• The same security principles apply

• Same Coding Rules Apply To:
      – An application
      – Code which manages incoming messages
      – Code which imposes access controls on a network
      – ...


                      The Principles

• Understand what you are trying to protect
• Understand the threat(s) you are trying to
  protect against
      – Also, costs and risks
• Be prepared to establish trust by telling
  people how you do it
• Assume that the bad guys are at least as
  clever as you are!
       Security must occur at four levels to be
                      effective
• Physical
      – The best security system is no better than the lock on your front
        door (or desk, or file cabinet, etc.)!
• Human
      – Phishing, dumpster diving, social engineering
• Operating System
      – Protection and authentication subsystems
      – Prevention of unauthenticated access to data
• Network
      – Protection and authentication subsystems
      – Separate from underlying protocols

• Security is as weak as the weakest link in chain
               How do these attacks work?

• Messages that attack mail readers or
  browsers
• Denial of service attacks against a web
  server
• Password crackers
• Viruses, Trojan Horses, other “malware”



         The concept of a “Vulnerability”

• Buffer overflow
• Protocol/bandwidth interactions
      – Protocol elements which do no work
• “execute this” messages
      – The special case of “mobile agents”
• Human user vulnerabilities
      – eMail worms
      – Phishing
                      Another Principle

• There is a never-ending war going on
  between the “black hats” and the rest of us.

• For every asset, there is at least one
  vulnerability

• For every protective measure we add,
  “they” will find another vulnerability
                      Yet Another Principle

• There is no such thing as a bullet-proof
  barrier

• Every level of the system and network
  deserves an independent threat evaluation
  and appropriate protection

• Only a multi-layered approach has a chance
  of success!
                      Actual Losses:

• Approximately 70% are due to human error

• More than half of the remainder are caused
  by insiders

• “Social Engineering” accounts for more loss
  than technical attacks.


            What is “Social Engineering”?

    “Hello. This is Dr. Burnett of the cardiology
    department at the Conquest Hospital in
    Hastings. Your patient, Sam Simons, has
    just been admitted here unconscious. He has
    an unusual ventricular arrhythmia. Can you
    tell me if there is anything relevant in his
    record?”


                      Social Engineering (2)



                 From: 3dksobinsky@zoom-internet.net
                 Sent: Sunday, December 3, 2006 8:10 AM
                 To: rmstronger@charter.net
                 Subject: Re: Approved

                 Please read the attached file.



  Program Threats in Operating Systems
• Trojan Horse
      – Code segment that misuses its environment
      – Exploits mechanisms for allowing programs written by users to be
        executed by other users
      – Spyware, pop-up browser windows, covert channels
• Logic Bomb
      – Program that initiates a security incident under certain
        circumstances
• Trap Door
      – Specific user identifier or password that circumvents normal
        security procedures
      – Could be included in a compiler
• Stack and Buffer Overflow
      – Exploits a bug in a program (overflow either the stack or memory
        buffers)
                 Program Threats – Viruses
• Code fragment embedded in legitimate programs
• Very specific to CPU architecture, operating
  system, applications
• Usually borne via email or as a macro
• E.g., Visual Basic Macro to reformat hard drive
            Sub AutoOpen()
            Dim oFS
              Set oFS = CreateObject("Scripting.FileSystemObject")
              vs = Shell("c:command.com /k format c:", vbHide)
            End Sub

                      Program Threats (Cont.)
• Virus dropper inserts virus onto the system
• Many categories of viruses, literally many thousands of
  viruses
      – File
      – Boot
      – Macro
      – Polymorphic
      – Source code
      – Encrypted
      – Stealth
      – Tunneling
      – Multipartite
      – Armored
                      Questions?




               What is a “Security Policy?”

• What rights MAY a user have?
      – Define the maximum!
• What rights can a user pass on?
• How can a user acquire additional rights?

• Linux/Unix:           -rwxr-xr-- /foo
                        -rw--w---- /bar
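
How the two mode strings on this slide are evaluated, as an added example that is not from the slides: the classic Unix rule picks the first class that matches the caller (owner, then group, then everybody) and applies only that class's bits, so a group member of /bar may write but not read, and an owner is never promoted to a more permissive group or world entry. The UIDs and GIDs are constructed, and the root bypass is deliberately left out.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class FileEntry:
    path: str
    mode: str        # ls-style mode string, e.g. "-rwxr-xr--"
    owner_uid: int
    group_gid: int


def parse_mode(mode: str) -> tuple:
    """Split '-rwxr-xr--' into the (owner, group, other) permission sets."""
    if len(mode) != 10 or any(c not in "-rwx" for c in mode[1:]):
        raise ValueError(f"not an ls-style mode string: {mode!r}")
    bits = mode[1:]                      # drop the file-type character
    classes = []
    for i in range(3):
        triple = bits[3 * i:3 * i + 3]
        classes.append({c for c in triple if c != "-"})
    return classes[0], classes[1], classes[2]


def may(entry: FileEntry, uid: int, gids: set, want: str) -> bool:
    """Classic Unix access check (no root bypass modelled here).
    The FIRST class that matches the caller decides; a weaker owner entry
    is not rescued by a more permissive group or everybody entry."""
    if want not in ("r", "w", "x"):
        raise ValueError("want must be one of r, w, x")
    owner, group, other = parse_mode(entry.mode)
    if uid == entry.owner_uid:
        return want in owner
    if entry.group_gid in gids:
        return want in group
    return want in other


# Constructed entries matching the two examples on the slide
FOO = FileEntry("/foo", "-rwxr-xr--", owner_uid=1000, group_gid=100)
BAR = FileEntry("/bar", "-rw--w----", owner_uid=1000, group_gid=100)


if __name__ == "__main__":
    for who, uid, gids in (("owner", 1000, {100}),
                           ("group member", 2000, {100}),
                           ("everybody", 3000, {200})):
        print(who, "on /bar:", {p: may(BAR, uid, gids, p) for p in "rwx"})
```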

                      Policy Models (1)

A “Policy Model” is a framework for creating
 a specific policy for a specific organization

• Linux/Unix
      – Users, groups, everybody
      – “owner” (or “…”) controls grant of rights
      – Rights based on UID, GID – Focus on files
      – Process has rights of parent
            • can change GID or drop rights
                      Policy Models (2)

• Win200X
      – Users and groups
      – Groups may be members of groups
      – Rights are the combined rights of all groups of
        which the user is a direct or indirect member
      – Administrator controls everything
            • can grant any right
      – The default is strong control over admin
        functions and little control over files
                      Policy Models (3)

• Typical Business
      – Managers can (usually) grant rights to their staff
      – Information is visible to people above in the
        organization
      – Managers do not have authority to grant access
        downward for some classes of information
      – Overall control is maintained by restricting access to
        applications rather than to data
      – Databases have their own distinct access controls


                            Policy Models (4)

• The Military Mind
      – Access rights are granted only by a higher
        authority
      – Access is broken into two models
            • need-to-know (usually organizational with upward
              visibility)
            • item-by-item (classification may occur in advance of
              creation or after)
                      – Creator may be denied access to own work
                      – Some weird anomalies

                      Policy Models (5)
• The BMA (British Medical Assoc.) model (1995)
      – Each medical record has an access control list
      – Access may be granted to a new clinician by the subject
        or the primary clinician
      – Patient must be notified of all ACL changes, and may
        revoke access
      – Deletions are not allowed
      – All access must be logged and auditable
      – Information may be aggregated from A into B only if
        ACL(A) is a superset of ACL(B)
• Reference: Anderson, Ross, “An Update on the BMA Security Policy,” 1996 (.pdf)
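
The six BMA rules above as an added, runnable model that is neither from the slides nor from Anderson's paper: a small record store that enforces who may grant, patient notification on every ACL change, patient-only revocation, no deletion, an audit entry for every access (including refused ones), and the aggregation rule ACL(A) ⊇ ACL(B). Record ids and clinician/patient names are constructed, and placing only the primary clinician on a new record's ACL is an assumption of the example.

```python
from dataclasses import dataclass, field


class PolicyViolation(Exception):
    """Raised when an operation would break one of the BMA rules."""


@dataclass
class Record:
    record_id: str
    patient: str                       # the subject of the record
    primary: str                       # the primary clinician
    acl: set = field(default_factory=set)
    entries: list = field(default_factory=list)


class BMARecords:
    """Toy record store enforcing the rules listed on the slide."""

    def __init__(self) -> None:
        self._records: dict = {}
        self.audit: list = []            # (who, action, record) for every access
        self.notifications: list = []    # (patient, message) for every ACL change

    def _log(self, who: str, action: str, rid: str) -> None:
        self.audit.append((who, action, rid))

    def create(self, rid: str, patient: str, primary: str) -> Record:
        rec = Record(rid, patient, primary, acl={primary})   # assumption: primary only
        self._records[rid] = rec
        self._log(primary, "create", rid)
        return rec

    def grant(self, granter: str, rid: str, clinician: str) -> None:
        rec = self._records[rid]
        if granter not in (rec.patient, rec.primary):
            raise PolicyViolation("only the subject or the primary clinician may grant")
        rec.acl.add(clinician)
        self.notifications.append((rec.patient, f"{clinician} added to {rid}"))
        self._log(granter, f"grant:{clinician}", rid)

    def revoke(self, who: str, rid: str, clinician: str) -> None:
        rec = self._records[rid]
        if who != rec.patient:
            raise PolicyViolation("only the patient may revoke access")
        rec.acl.discard(clinician)
        self.notifications.append((rec.patient, f"{clinician} removed from {rid}"))
        self._log(who, f"revoke:{clinician}", rid)

    def read(self, who: str, rid: str) -> list:
        rec = self._records[rid]
        self._log(who, "read", rid)      # logged before deciding: refusals are auditable too
        if who not in rec.acl:
            raise PolicyViolation(f"{who} is not on the ACL of {rid}")
        return list(rec.entries)

    def append(self, who: str, rid: str, text: str) -> None:
        rec = self._records[rid]
        self._log(who, "append", rid)
        if who not in rec.acl:
            raise PolicyViolation(f"{who} is not on the ACL of {rid}")
        rec.entries.append(text)

    def delete(self, who: str, rid: str) -> None:
        self._log(who, "delete-attempt", rid)
        raise PolicyViolation("deletions are not allowed")

    def aggregate(self, who: str, src: str, dst: str) -> None:
        """Copy A's entries into B only if ACL(A) is a superset of ACL(B):
        nobody may learn through B what they could not have read in A."""
        a, b = self._records[src], self._records[dst]
        self._log(who, f"aggregate:{src}", dst)
        if who not in a.acl:
            raise PolicyViolation(f"{who} cannot read {src}")
        if not a.acl >= b.acl:
            raise PolicyViolation(f"ACL({src}) is not a superset of ACL({dst})")
        b.entries.extend(a.entries)
```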
                      Policy Models (6)

• The HIPAA model (1998)
      – The patient controls the right to access
        “personally identifiable health information”
      – Access is granted to any clinician or facility
        staff participating in the care of the patient
      – Patient must be notified of all breaches
      – Deletions are not allowed
      – All access must be logged and auditable
      – Privileges may be revoked
                      More Principles

• Think about Assets, Threats and
  Vulnerabilities FIRST
• Find an appropriate (and minimally
  complex) Policy Model
• Match your OS capabilities to the policy
  model as best you can
• Train staff to recognize social engineering!
• Train staff to make a habit out of the policy!
                      Fun with Cryptography

• What is cryptography about?
• General Principles of Cryptography
• Basic Protocols
      – Single-key cryptography
      – Public-key cryptography
• An example...


          Cryptography as a Security Tool

• Broadest security tool available
      – Source and destination of messages cannot be
        trusted without cryptography
      – Means to constrain potential senders (sources)
        and / or receivers (destinations) of messages
• Based on secrets (keys)



                      Principles

• Cryptography is about the exchange of
  messages
• The key to success is that all parties to an
  exchange trust that the system will both
  protect them from threats and accurately
  convey their message
• TRUST is essential


                      Therefore

• Algorithms must be public and verifiable
• We need to be able to estimate the risk of
  compromise
• The solution must be practical for its users, and
  impractical for an attacker to break




                      Guidelines

• Cryptography is always based on algorithms
  which are orders of magnitude easier to
  compute in the forward (normal) direction
  than in the reverse (attack) direction.
• The attacker’s problem is never harder than
  trying all possible keys
• The more material the attacker has the
  easier his task
                      Example

• What is
  314159265358979 × 314159265358979?

                             vs.

• What are the prime factors of
  3912571506419387090594828508241?

                      Time marches on…

• We must assume that there will always be
  improvements in computational power,
  mathematics and algorithms.
      – Messages which hang around get less secure
        with time!
• Increases in computing power help the good
  guys and hurt the bad guys for new and
  short-lived messages

                      Caveat

• We cannot mathematically PROVE that the
  inverse operations are really as hard as they
  seem to be…It is all relative…

The Fundamental Tenet of Cryptography:
If lots of smart people have failed to solve a
  problem, it won’t be solved (soon)

                      Secret key cryptography


                  K                              K
                  |                              |
  T  ---->  f(T,K)  ---->  C  ---->  g(C,K)  ---->  T
Cleartext               Cyphertext               Cleartext

(The same secret key K is used both to encrypt, C = f(T,K), and to decrypt, T = g(C,K).)




                      Secret Key Methods

• DES (56 bit key)
• IDEA (128 bit key)
            • http://www.mediacrypt.com/community/index.asp
• Triple DES (three 56 bit keys)
• AES
      – From NIST, 2000
      – choice of key sizes up to 256 bits and more
      – Commercial implementations available
                           Diffie – Hellman


   Alice                                                          Bob
                        Agree on p, g (sent in the clear)
choose random A                                          choose random B
                   TA = g^A mod p  ------------------>
                   <------------------  TB = g^B mod p
compute (TB)^A = g^(BA) mod p                  compute (TA)^B = g^(AB) mod p

                   Shared secret key is g^(AB) mod p
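
The exchange above carried through in code, as an added example that is not from the slides: the toy values p = 23 and g = 5 (constructed, far too small for real use) and the sanity check on received public values are assumptions of the example.

```python
import secrets

# Constructed toy parameters so every value can be checked by hand:
# p = 23 is prime and g = 5 generates the whole multiplicative group mod 23.
# Real deployments use standardized groups of 2048 bits or more.
P = 23
G = 5


def dh_public(private: int, p: int = P, g: int = G) -> int:
    """T = g^private mod p: the value each side may send in the clear."""
    return pow(g, private, p)


def dh_shared(their_public: int, my_private: int, p: int = P) -> int:
    """(T_other)^mine mod p; both sides arrive at the same g^(AB) mod p."""
    return pow(their_public, my_private, p)


def valid_public(t: int, p: int = P) -> bool:
    """Defensive check on a received T: reject 0, 1 and p-1, the degenerate
    values that would pin the shared secret to a tiny predictable set.
    This does NOT detect a man-in-the-middle; only authenticating the
    exchanged T values (for example by signing them) does that."""
    return 1 < t < p - 1


def fresh_private(p: int = P, g: int = G) -> int:
    """Random exponent in [1, p-2] whose public value passes valid_public."""
    while True:
        x = secrets.randbelow(p - 2) + 1
        if valid_public(dh_public(x, p, g), p):
            return x


def exchange(p: int = P, g: int = G) -> tuple:
    """Run the slide's exchange end to end. Returns (Alice's secret,
    Bob's secret); the two must be equal."""
    a, b = fresh_private(p, g), fresh_private(p, g)    # private A and B
    t_a, t_b = dh_public(a, p, g), dh_public(b, p, g)  # exchanged in the clear
    for received in (t_a, t_b):
        if not valid_public(received, p):
            raise ValueError("rejecting degenerate public value")
    return dh_shared(t_b, a, p), dh_shared(t_a, b, p)


if __name__ == "__main__":
    k_alice, k_bob = exchange()
    print("Alice:", k_alice, "Bob:", k_bob, "agree:", k_alice == k_bob)
```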

                      D–H Problems

• Not in itself an encryption method – we
  must still do a secret key encryption

• Subject to a “man in the middle” attack
      – (Alice thinks she is talking to Bob, but actually
        Trudy is intercepting all of the messages and
        substituting her own)


             RSA Public key cryptography


                Key #1                          Key #2
                  |                               |
  T  ---->  f( )  ---->  C  ---->  f( )  ---->  T
Cleartext            Cyphertext             Cleartext

      Key #1 can be either a Public Key or a Private Key.
      Key #2 is then the corresponding Private Key or Public Key.

            RSA Public Key Cryptography

• Rivest, Shamir and Adleman (1978)
• I can send messages that only you can read
• I can verify that you and only you could
  have sent a message
• I can use a trusted authority to distribute my
  public key
      – The trusted authority is for your benefit!


                      RSA Details

• We will use the same operation to encrypt
  and decrypt
• To encrypt, we will use “e” as a key, to
  decrypt we will use “d” as a key
• e and d are inverses with respect to the
  chosen algorithm



                      RSA Details

• Choose n as the product of two large primes
      – Finding the factors of a large number is
        mathematically hard (difficult)
      – Finding primes is also hard
• Choose e to be a (fairly small) prime and
  compute d from e and the factors of n
• THROW AWAY THE FACTORS OF n!
• Publish two numbers, e (public key) and n
                       RSA Details

• Encryption: Cyphertext = (Cleartext)^e mod n
• Decryption: Cleartext = (Cyphertext)^d mod n

• Typical d will be on the order of 500 to 700 bits
• The cost of the algorithm is between 1 and 2 times the size of n (in bits)
      – Each operation is a giant shift and add (multiply by a
        power of 2)


                      RSA Problems

• It is much more costly than typical secret-key methods
      – Use RSA to hide (i.e., encrypt) a secret key,
      – Encrypt the message with the secret key and
        append/prefix the encrypted key
• Requires a “Public Key Infrastructure” for
  effective key generation and distribution
      – Chain of trust thing again!

    Message Digests (aka Digital Signatures)

• A message digest is a non-reversible
  algorithm which reduces a message to a
  fixed-length “summary”
• The summary has the property that a change
  to the original will produce a new summary
• The probability that the new summary is the
  same as the old should be 1/(size of digest)
• Silberschatz, p. 582 (§15.4.1.3)
• Tanenbaum, p. 590 (§9.2.4)
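
One worked example covering the RSA Details slides and this slide, added here and not part of the original deck: textbook RSA with constructed toy primes (no padding, unsuitable for real use) showing that one operation serves both directions, that d is derived from the factors of n and the factors then discarded, and how a fixed-length digest of a message is signed with d and checked with e. The primes, the messages and the choice of SHA-256 as the digest are assumptions of the example.

```python
import hashlib
from math import gcd

# Constructed toy primes: both prime, but far too small for real use,
# where p and q are hundreds of digits each.
P_TOY = 999983
Q_TOY = 1000003


def rsa_keygen(p: int, q: int, e: int = 65537) -> tuple:
    """Return ((e, n), (d, n)). The factors p, q are used once to derive d
    and are not kept, exactly as the slide insists."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)            # d is e's inverse with respect to phi(n)
    return (e, n), (d, n)


def rsa_apply(key: tuple, m: int) -> int:
    """One operation serves both directions: m^k mod n."""
    k, n = key
    if not 0 <= m < n:
        raise ValueError("block must be a non-negative integer smaller than n")
    return pow(m, k, n)


def digest_int(message: bytes, n: int) -> int:
    """Fixed-length summary of the message, reduced to a block below n.
    Signing the digest rather than the message keeps the signature one
    block long whatever the message length."""
    h = hashlib.sha256(message).digest()
    return int.from_bytes(h, "big") % n


def sign(private: tuple, message: bytes) -> int:
    """Signature = digest^d mod n: only the holder of d can produce it."""
    return rsa_apply(private, digest_int(message, private[1]))


def verify(public: tuple, message: bytes, signature: int) -> bool:
    """Anyone with (e, n) can check: signature^e mod n must equal the digest."""
    return rsa_apply(public, signature) == digest_int(message, public[1])


if __name__ == "__main__":
    pub, priv = rsa_keygen(P_TOY, Q_TOY)
    c = rsa_apply(pub, 314159)                 # encrypt with e
    print("round trip:", rsa_apply(priv, c))   # decrypt with d
    s = sign(priv, b"transfer 100")
    print("genuine:", verify(pub, b"transfer 100", s),
          "tampered:", verify(pub, b"transfer 900", s))
```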
                      Message Digests (2)

• There are several good (but possibly no
  perfect) message digest algorithms
• MD5 is probably the most common one in
  use – 128 bit digest
            • has known weaknesses
• SHA-1 – 160 bit digest (current best choice)
            • [Another product of NIST]



                          Conclusion

• Protection in OS and distributed system is
            • Difficult
            • Important
• Security is needed for
            • Authentication of users
            • Validation of communication




                              Resources
• Network World Security Newsletter
      – http://www.nwsubscribe.com
      – Practical advice, not a virus alert newsletter. Especially good for
        the links to other security resources at the bottom of each article
• CERT Coordination Center at CMU
      – http://www.cert.org
      – News about system threats, including viruses and other
        problems. Source for OCTAVE papers and process
• Norton AntiVirus Site (Symantec)
      – http://securityresponse.symantec.com/avcenter/
• McAfee Security (Network Associates)
      – http://us.mcafee.com/virusinfo/

                            Textbooks
Network Security: C. Kaufman, R. Perlman, M. Speciner,
  Prentice Hall (2002)
      – A practical but rigorous presentation of network security issues
        and techniques with emphasis on cryptographic solutions
Security Engineering: R. Anderson, Wiley (2001)
      – Focused on learning from past mistakes in security system design.
      – Excellent discussion of policies and policy models.
      – See author’s web site (www.ross-anderson.com) if you are
        interested in current research.




                          Other Books

Real World Linux Security: R. Toxen, Prentice Hall (2003)
      – An excellent read. Lists hundreds of vulnerabilities and what to do
        about them. Valuable for non Linux users too.
Windows 2003 Security Bible: B. Rampling, Wiley (2003)
      – Good example of a how-to book. Specific to WIN2003
The Art of Deception: K. Mitnick, Wiley (2002)
      – Mitnick is one of the most famous social engineers.
      – Must-read for those involved in broad security planning, and fun
        for everyone.



