© Chinese University, CSE Dept. Distributed Systems / 7 - 1 Distributed Systems Topic 7: Security Dr. Michael R. Lyu Computer Science & Engineering Department.

Slides:



Advertisements
Similar presentations
Security and Privacy over the Internet Chan Hing Wing, Anthony Mphil Yr. 1, CSE, CUHK Oct 19, 1998.
Advertisements

AUTHENTICATION AND KEY DISTRIBUTION
Overview Network security involves protecting a host (or a group of hosts) connected to a network Many of the same problems as with stand-alone computer.
Supervisor :Dr. Lo'ai Ali Tawalbeh Done by: Wa’el Musa Hadi
Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.
Kerberos 1 Public domain image of Heracles and Cerberus. From an Attic bilingual amphora, 530–520 BC. From Italy (?).
Last Class: The Problem BobAlice Eve Private Message Eavesdropping.
Presentation 5: Security Internetteknologi 2 (ITNET2)
Security and Reliability Issues in Distributed Systems Chan Hing Wing, Anthony MPhil Term 1, CSE CUHK December 11, 1998.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.
The Kerberos Authentication System Brad Karp UCL Computer Science CS GZ03 / M th November, 2008.
1 Cryptography and Network Security Third Edition by William Stallings Lecturer: Dr. Saleem Al_Zoubi.
Security Overview Hofstra University University College for Continuing Education - Advanced Java Programming Lecturer: Engin Yalt May 24, 2006.
Distributed Systems CS Security – Part I Lecture 21, Nov 28, 2011 Majd F. Sakr, Vinay Kolar, Mohammad Hammoud.
BY MUKTADIUR RAHMAN MAY 06, 2010 INTERODUCTION TO CRYPTOGRAPHY.
8.1 Learning Objectives To become familiar with the range of security threats faced by networked and distributed systems (DSs); To examine various cryptographic.
Cryptographic Technologies
Applied Cryptography for Network Security
CS542: Topics in Distributed Systems Security. Why are Distributed Systems insecure?  Distributed component rely on messages sent and received from network.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
1 CS 194: Distributed Systems Security Scott Shenker and Ion Stoica Computer Science Division Department of Electrical Engineering and Computer Sciences.
1 CS 194: Distributed Systems Security Scott Shenker and Ion Stoica Computer Science Division Department of Electrical Engineering and Computer Sciences.
Alexander Potapov.  Authentication definition  Protocol architectures  Cryptographic properties  Freshness  Types of attack on protocols  Two-way.
Introduction to Public Key Cryptography
CS5204 – Fall Cryptographic Security Presenter: Hamid Al-Hamadi October 13, 2009.
Page 1 Secure Communication Paul Krzyzanowski Distributed Systems Except as otherwise noted, the content of this presentation.
1 Introduction to Security and Cryptology Enterprise Systems DT211 Denis Manley.
Computer Security Tran, Van Hoai Department of Systems & Networking Faculty of Computer Science & Engineering HCMC University of Technology.
Chapter 10: Authentication Guide to Computer Network Security.
Chi-Cheng Lin, Winona State University CS 313 Introduction to Computer Networking & Telecommunication Network Security (A Very Brief Introduction)
SYSTEM ADMINISTRATION Chapter 13 Security Protocols.
Dr. Lo’ai Tawalbeh 2007 INCS 741: Cryptography Chapter 1:Introduction Dr. Lo’ai Tawalbeh New York Institute of Technology (NYIT) Jordan’s Campus
Cryptography and Network Security
Eng. Wafaa Kanakri Second Semester 1435 CRYPTOGRAPHY & NETWORK SECURITY Chapter 1:Introduction Eng. Wafaa Kanakri UMM AL-QURA UNIVERSITY
E-Commerce Security Technologies : Theft of credit card numbers Denial of service attacks (System not availability ) Consumer privacy (Confidentiality.
Kerberos: An Authentication Service for Open Network Systems Jennifer G. Steiner Clifford Neuman Jeffrey I. Schiller.
Dr. L. Christofi1 Local & Metropolitan Area Networks ACOE322 Lecture 8 Network Security.
Cryptography, Authentication and Digital Signatures
E-Commerce Security Professor: Morteza Anvari Student: Xiaoli Li Student ID: March 10, 2001.
Authentication Applications Unit 6. Kerberos In Greek and Roman mythology, is a multi-headed (usually three-headed) dog, or "hellhound” with a serpent's.
© Oxford University Press 2011 DISTRIBUTED COMPUTING Sunita Mahajan Sunita Mahajan, Principal, Institute of Computer Science, MET League of Colleges, Mumbai.
Chapter 21 Distributed System Security Copyright © 2008.
CS551 - Lecture 18 1 CS551 Object Oriented Middleware (VII) Advanced Topics (Chap of EDO) Yugi Lee STB #555 (816)
Kerberos Named after a mythological three-headed dog that guards the underworld of Hades, Kerberos is a network authentication protocol that was designed.
© Chinese University, CSE Dept. Distributed Systems / Distributed Systems Topic 3: Security Dr. Michael R. Lyu Computer Science & Engineering Department.
1 Public-Key Cryptography and Message Authentication.
Cryptography and Network Security Chapter 9 - Public-Key Cryptography
Kerberos. What is Kerberos? Network authentication protocol Developed at MIT in the mid 1980s Available as open source or in supported commercial software.
Encryption Questions answered in this lecture: How does encryption provide privacy? How does encryption provide authentication? What is public key encryption?
Tanenbaum & Van Steen, Distributed Systems: Principles and Paradigms, 2e, (c) 2007 Prentice-Hall, Inc. All rights reserved DISTRIBUTED.
Tanenbaum & Van Steen, Distributed Systems: Principles and Paradigms, 2e, (c) 2007 Prentice-Hall, Inc. All rights reserved DISTRIBUTED SYSTEMS.
Security is often cited as a major barrier to electronic commerce. Prospective buyers are leery of sending credit card information over the web. Prospective.
IM NTU Distributed Information Systems 2004 Security -- 1 Security Yih-Kuen Tsay Dept. of Information Management National Taiwan University.
Lecture 16: Security CDK4: Chapter 7 CDK5: Chapter 11 TvS: Chapter 9.
Encryption No. 1  Seattle Pacific University Encryption: Protecting Your Data While in Transit Kevin Bolding Electrical Engineering Seattle Pacific University.
Cryptography and Network Security Chapter 14 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.
Topic 1 – Introduction Huiqun Yu Information Security Principles & Applications.
Network Security Lecture 18 Presented by: Dr. Munam Ali Shah.
Security fundamentals Topic 5 Using a Public Key Infrastructure.
Cryptography and Network Security Chapter 1. Background  Information Security requirements have changed in recent times  traditionally provided by physical.
EE 122: Lecture 24 (Security) Ion Stoica December 4, 2001.
Fall 2006CS 395: Computer Security1 Key Management.
1 SUBMITTED BY- PATEL KUMAR C.S.E(8 th - sem). SUBMITTED TO- Mr. DESHRAJ AHIRWAR.
1 Network Security Maaz bin ahmad.. 2 Outline Attacks, services and mechanisms Security attacks Security services Security Mechanisms A model for Internetwork.
Department of Computer Science Chapter 5 Introduction to Cryptography Semester 1.
Tanenbaum & Van Steen, Distributed Systems: Principles and Paradigms, 2e, (c) 2007 Prentice-Hall, Inc. All rights reserved DISTRIBUTED SYSTEMS.
© Chinese University, CSE Dept. Distributed Systems / Distributed Systems Topic 3: Security Dr. Michael R. Lyu Computer Science & Engineering Department.
Presentation transcript:

© Chinese University, CSE Dept. Distributed Systems / Distributed Systems Topic 7: Security Dr. Michael R. Lyu Computer Science & Engineering Department The Chinese University of Hong Kong

© Chinese University, CSE Dept. Distributed Systems / Outline 1 Motivation 2 Styles of Attacks 3 Cryptography 4 Authentication 5 Security Systems 6 CORBA Security Service 7 Summary

© Chinese University, CSE Dept. Distributed Systems / Motivation  More vital/secret data handled by distributed components.  Security: protecting data stored in and transferred between distributed components from unauthorised access.  Security is a non-functional requirement that cannot be added as a component but has to be built into all components.

© Chinese University, CSE Dept. Distributed Systems / Why are Distributed Systems insecure?  Distributed component rely on messages sent and received from network.  Is network (especially WANs and wireless networks) secure?  Is client component secure?  Is client component who it claims to be?  Are users of calling components really who they claim to be?

© Chinese University, CSE Dept. Distributed Systems / Effects of Insecurity  Confidential Data may be stolen, e.g.: –corporate plans. –new product designs. –medical/financial records (e.g. Access bills....).  Data may be altered, e.g.: –finances made to seem better than they are. –results of tests, e.g. on drugs, altered. –examination results amended (up or down).

© Chinese University, CSE Dept. Distributed Systems / Need for Security  Loss of confidence: above effects may reduce confidence in computerized systems.  Claims for damages: legal developments may allow someone to sue if data on computer has not been guarded according to best practice.  Loss of privacy: data legally stored on a computer may well be private to the person concerned (e.g. medical/personnel) record.

© Chinese University, CSE Dept. Distributed Systems / Threats  Categorization of attacks (and goals of attacks) that may be made on system.  Three broad classes: –leakage: information leaving system. –tampering: unauthorised information altering. –vandalism: disturbing correct system operation.  Used to specify what the system is proof, or secure, against.

© Chinese University, CSE Dept. Distributed Systems / Methods of Attack  Eavesdropping: Obtaining message copies without authority.  Masquerading: Using identity of another principal without authority.  Message tampering: Intercepting and altering messages.  Replaying: Storing messages and sending them later.  Denial of service: Flooding server resources with messages in order to deny other’s access.

© Chinese University, CSE Dept. Distributed Systems / Some Security Attack Scenarios Eavesdropping: Peter Mary “Let’s meet at 5pm, old place” Tom “hee hee…” Tampering: PeterMary “Let’s meet at 5pm, old place” Tom “Let’s meet at 3pm, old place” Replaying: Peter Tom “Let’s meet at 5pm today” Mary One day later: “Let’s meet at 5pm today”

© Chinese University, CSE Dept. Distributed Systems / Infiltration  Launch of attack requires access to the system. –Launched by legitimate users. –Launched after obtaining passwords of known users.  Subtle ways of infiltration: –Viruses –Worms –Trojan horses.

© Chinese University, CSE Dept. Distributed Systems / Cryptography 1 Introduction 2 Terminology 3 Encryption 4 Secret Keys 5 Public Keys 6 RSA Encryption Algorithm

© Chinese University, CSE Dept. Distributed Systems / Introduction  Cryptography: encode message data so that it can only be understood by intended recipient.  Romans used it in military communication.  Given knowledge of encryption algorithm, a brute force attempt: try every possible decoding until a valid message is produced.  Computers are good at this!  Modern schemes must be computationally hard to solve to remain secure.

© Chinese University, CSE Dept. Distributed Systems / Cryptographic Terminology  Plain text: the message before encoding.  Cipher text: the message after encoding.  Key: information needed to convert from plain text to cipher text (or vice-versa).  Function: the encryption or decryption algorithm used, in conjunction with key, to encode or decode message.  Key distribution service: trusted service which hands out keys.

© Chinese University, CSE Dept. Distributed Systems / Encryption  Encrypting data prevents unauthorised access to the data (i.e. prevents eavesdropping).  If encrypted data can only be encrypted with a matching key, this can be used to prove sender’s identity (i.e. prevents masquerading).  Likewise, it can be used to ensure that only intended recipients can use the data..  Two main ways: secret key and public key.

© Chinese University, CSE Dept. Distributed Systems / Secret Keys  One key is used to both encrypt and decrypt data  Encryption and decryption functions are often chosen to be the same type  Security should not be compromised by making function well-known as security comes from secret keys

© Chinese University, CSE Dept. Distributed Systems / Using Secret Keys  Sender and recipient exchange keys through some secure, trusted, non-network based means.  Sender encodes message using encryption function and sends the message, knowing that only the holder of key (the intended recipient) can make sense of it.  Recipient decodes message, and knows that only intended sender could generate it.  Message can be captured but is of no use.

© Chinese University, CSE Dept. Distributed Systems / Public Keys  Gives 'one-way' security.  Two keys generated, one used with decryption algorithm (private key) and one with encryption algorithm (public key).  Generation of the private key, given only the public key, is computationally hard.  Do not need secure key transmission mechanism for key distribution.

© Chinese University, CSE Dept. Distributed Systems / Using Public Keys  Recipient generates key pair.  Public key is published by trusted service.  Sender gets public key, and uses this to encode a message.  Recipient decodes the message.  Replies can be encoded using sender’s public key from the trusted distribution service if two- way security is needed.  Message can be captured but is of no use.

© Chinese University, CSE Dept. Distributed Systems / RSA Encryption Algorithm  Named after the three inventors –Ron Rivest –Adi Shamir –Leonard Adleman  A common and well-known Public-key algorithm

© Chinese University, CSE Dept. Distributed Systems / Methods used in RSA  Choose a pair of large prime number ( p and q )  Calculate n = p * q  Find an encryption key ( e ) such that e and (p-1)(q-1) are relatively prime.  Then decryption key ( d ) will be obtained by the formula 1 = e*d mod (p-1)(q-1) ðed = 1 mod (p-1)(q-1)  d = e -1 mod (p-1)(q-1)

© Chinese University, CSE Dept. Distributed Systems / RSA Encryption/Decryption Key  ( e, n ) will be the encryption key available to public: c i = m i e mod n  ( d, n ) will be the decryption key owners keeps private: m i = c i d mod n  The decryption holds because c i d = (m i e ) d = m i ed = m i k(p-1)(q-1)+1 = m i m i k(p-1)(q-1) = m i *1 = m i ; all (mod n)

© Chinese University, CSE Dept. Distributed Systems / Authentication 1 Motivation 2 Types of Authentication 3 Needham/Schroeder Protocol

© Chinese University, CSE Dept. Distributed Systems / What is Authentication? Authentication: Proving you are who you claim to be.  In centralized systems: Password check at session start.  In distributed systems: –Ensuring that each message came from claimed source. –Ensuring that each message has not been altered. –Ensuring that each message has not been replayed.

© Chinese University, CSE Dept. Distributed Systems / Types of Authentication  Authentication can be used to ensure a number of different aspects of an interaction.  Proving that a client of a server is who it claims to be.  This can be refined to proving that the end user has the right to use a service.

© Chinese University, CSE Dept. Distributed Systems / Types of Authentication  Proving both client and server are who they say they are.  This is needed to prevent impostor services from collecting information or disrupting (vandalizing) the system.  This is really just an extension of the idea of authentication a client.

© Chinese University, CSE Dept. Distributed Systems / Types of Authentication  Securing communication from eavesdropping.  Authentication will usually involve encrypting data.  This can be used just at the start to prove the identity of ends of the communication link.

© Chinese University, CSE Dept. Distributed Systems / Needham/Schroeder Protocol  Provides a secure way for pairs of components to obtain keys to be used during communication.  Based on an authentication server: –maintains a name and a secret key for each component. –can generate keys for peer-to-peer communications.  Secret keys are used for communication with authentication server.

© Chinese University, CSE Dept. Distributed Systems / Needham/Schroeder Protocol Authentication Server CS 1: C, S, N C 2: {N C,S,K CS,{K CS,C} K S } K C 3: {K CS,C} K S 4: {N S } K CS 5: {N S -1} K CS C: Client Name S: Server Name K C :Client´s secret key K S : Server´s secret key K CS : Secret key for client/server communication N x : Nonce generated by x {M} K :Message encrypted in key K

© Chinese University, CSE Dept. Distributed Systems / Security Systems: Kerberos  Based on Needham/Schroeder Protocol.  Developed by Steiner at MIT (1988).  Used in –OSF/DCE. –Unix NFS.

© Chinese University, CSE Dept. Distributed Systems / System architecture of Kerberos Server Client DoOperation Authentication database Login session setup Ticket- granting service T Kerberos Key Distribution Centre Server session setup Authen- tication service A 1. Request for TGS ticket 2. TGS ticket 3. Request for server ticket 4. Server ticket 5. Service request Request encrypted with session key Reply encrypted with session key Service function Step B Step A Step C C S

© Chinese University, CSE Dept. Distributed Systems / Security Systems: CORBA Supports the following security algorithms:  Authentication of users.  Authentication between objects.  Authorisation and access control.  Security auditing.  Non-repudiation.  Administration of security information. Cryptography is not exposed at interfaces.

© Chinese University, CSE Dept. Distributed Systems / ORB 5.2 CORBA Security Architecture  The security model: Client Server Security Implementation enforcing security policy User requests All object invocations are mediated by the security implementation No specific security policy defined in the model, so that a wide variety of different policies can be defined according to different needs Message protection, access control device, etc. Message protection, access control device, etc.

© Chinese University, CSE Dept. Distributed Systems / CORBA Security  Principals –Human users or system entities (e.g., the client acting for a user) registered in and authenticated to the system  Credentials –Each principal in a CORBA environment with Security Service is associated with credentials –Credentials contain security attributes of an object, e.g., its identity and privileges (like gate-passes) –Credentials are used for access controls, authentication, etc. –An object may have several credentials, representing privileges in different domains

© Chinese University, CSE Dept. Distributed Systems / CORBA Security  Delegation –Passing of credentials from one object to another, so that the receiving object (intermediate) can invoke a third object (target) on behalf of the passing object (invoker) –Options of delegation: »no delegation »simple delegation »composite delegation »combined delegation »traced delegation invoker intermediate target Client credentials Client credentials / intermediate credentials / mixed, according to different options

© Chinese University, CSE Dept. Distributed Systems / CORBA Security  Non-repudiation service –provide services that make users / principals accountable for their actions  Implementation: SSL services come with Orbix; separate purchase for Visibroker Object AObject B Evidence generation & verification Evidence storage & retrieval Delivery Authority Non-repudiation service Adjudicator Dispute/judgement Service requests / responses

© Chinese University, CSE Dept. Distributed Systems / Summary  Threats, Methods of Attack, Infiltration  Cryptology: –Secret Keys –Public Keys  Authentication: Needham/Schroeder Protocol  Systems: –Kerberos –CORBA

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.