Security and Authentication (continued): CS-4513 Distributed Computing Systems, D-term 2008


Security and Authentication (continued)
CS-4513 Distributed Computing Systems
(Slides include materials from Operating System Concepts, 7th ed., by Silberschatz, Galvin, & Gagne, Distributed Systems: Principles & Paradigms, 2nd ed., by Tanenbaum and Van Steen, and Modern Operating Systems, 2nd ed., by Tanenbaum)

Review
– Authentication
  – How to identify someone
  – How to establish that they are who they say they are
– Fundamental to establishing authority in Distributed Systems
  – Everything else is based on trust that the person or agent doing something has the authority to do it
– Threats
  – Masquerading as someone else
  – Intercepting / corrupting communications

Review (continued)
– Passwords
  – Easy to steal
  – Easy to guess or “crack”
– Human frailties
  – Errors
  – Dilemmas (“social engineering”)

Video

Reading Assignments
– Allman, Eric, “Authentication: what? Why? How?,” ACM Queue, November 2006, pp (.pdf)
– One of
  – Tanenbaum, MOS, Chapter 9
  – Silberschatz, OSP, Chapters
  – Tanenbaum & van Steen, Chapter 9

Fun with Cryptography
– What is cryptography about?
– General Principles of Cryptography
– Basic Protocols
  – Single-key cryptography
  – Public-key cryptography
– A short intro to key distribution

Cryptography as a Security Tool
– Broadest security tool available
  – Fundamental foundation for secure storage and communication
  – Basis for establishing trust
  – Means to constrain potential senders (sources) and / or receivers (destinations) of messages
  – Means to detect/prevent intrusion or corruption
  – (Cannot prevent denial of service attacks)

Principles
– Cryptography is about the exchange of messages
– The key to success is that all parties to an exchange trust that the system will both protect them from threats and accurately convey their message
– TRUST is essential

Note
– Data storage is just another means of communication
  – Writing data ≡ Sending message
  – Reading data ≡ Receiving message
    – Perhaps much, much later!
– Integrity of data ≡ Integrity of message

Basic Premise of Cryptography
– Algorithms are (usually) public
  – Orders of magnitude easier to compute in forward (normal) direction than in reverse (attack) direction
– Keys are always secret
  – Enough bits to prevent trying all key values
– Key management is a very big deal
  – Heart of all successful cryptographic systems

Conventional Wisdom
– Algorithms must be public and verifiable
– We need to be able to estimate the risk of compromise
– The solution must be practical for its users, and impractical for an attacker to break

Public Policy Dilemma
– Algorithm intended to be a public standard must be subject to scrutiny of its users
  – I.e., banks, industry, commerce, etc.
  – To establish trust that it is good enough!
– Any algorithm good enough to protect billions of $$ of funds & commerce will be too hard for governments to penetrate!
  – Crime, terrorism, etc.

Ergo …
– Governments tend to use secret encryption methods and algorithms for the most secure communications
– Sometimes, confidence in such algorithms is misplaced!

History
– Most secret algorithms have been broken
  – Prior to computing age, at least
– Vulnerabilities
  – Redundancy in human languages
  – Repeatability or lack of randomness in algorithm
  – Repeatability or lack of randomness in keys

Guidelines
– Cryptography is always based on algorithms which are orders of magnitude easier to compute in the forward (normal) direction than in the reverse (attack) direction.
– The attacker’s problem is never harder than trying all possible keys
– The more material the attacker has, the easier his task

Example
– What is  × ? vs. What are prime factors of ?

Caveat
– We cannot mathematically PROVE that the inverse operations are really as hard as they seem to be… It is all relative…
– The Fundamental Tenet of Cryptography:
  – If lots of smart people have failed to solve a problem, it won’t be solved (soon)

Time marches on…
– We must assume that there will always be improvements in computational power, mathematics and algorithms.
  – Messages which hang around get less secure with time!
– Increases in computing power help the good guys and hurt the bad guys for new and short-lived messages

Two fundamental approaches
– Symmetric
  – Sender and receiver must share the key
– Asymmetric
  – Keys are paired
  – Sender uses one, receiver uses its mate

Two fundamental approaches
– Symmetric
  – Sender and receiver must share the key
  – ⇒ there must be a secure way to get key from one to the other
– Asymmetric
  – Keys are paired
  – Sender uses one, receiver uses its mate
  – ⇒ there must be a secure way to get key from one to the other

Secret key cryptography (Symmetric)
[Figure: cleartext T is encrypted with f(T, K) to give cyphertext C; g(C, K), using the same key K, recovers T]

Secret Key Methods
– DES (56 bit key)
– IDEA (128 bit key)
– Triple DES (three 56 bit keys)
– AES
  – From NIST, 2000
  – choice of key sizes up to 256 bits and more
  – Commercial implementations available

Reducing the Vulnerability
– Minimize the amount of information encrypted with shared key K
– Use K to encrypt a random number to obtain a session key
  – I.e., used for one connection, conversation, exchange, etc.
  – Discarded when channel is ended.

Diffie–Hellman
– Alice and Bob agree on p, g
– Alice: choose random A; T_A = g^A mod p; compute (T_B)^A
– Bob: choose random B; T_B = g^B mod p; compute (T_A)^B
– Shared secret key for this session is g^{AB} mod p (the shared key!)

D–H Problems
– Not in itself an encryption method – we must still do a secret key encryption
  – The body of the message
– Still must distribute the shared key safely
– Subject to a “man in the middle” attack (Alice thinks she is talking to Bob, but actually Trudy is intercepting all of the messages and substituting her own)
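
The exchange on the Diffie–Hellman slide and the man-in-the-middle problem listed above, as an added Python example that is not part of the original slides. The prime p = 2^127 - 1, the base g = 3, the function names and the HMAC tag over a long-term key the parties already share are assumptions chosen for illustration; the toy group is far too small for real use.

```python
import hashlib
import hmac
import secrets

# Constructed toy parameters: 2**127 - 1 is prime, but real deployments use
# standardized groups of 2048 bits or more.
P = 2**127 - 1
G = 3

def keypair():
    """Choose a random secret exponent x and compute T = g^x mod p."""
    x = secrets.randbelow(P - 3) + 2
    return x, pow(G, x, P)

def shared_key(my_secret, their_public):
    """(T_peer)^x mod p, hashed down to a 256-bit session key."""
    s = pow(their_public, my_secret, P)
    return hashlib.sha256(s.to_bytes(16, "big")).digest()

def honest_exchange():
    """Alice and Bob see each other's real T values."""
    a, t_a = keypair()
    b, t_b = keypair()
    return shared_key(a, t_b), shared_key(b, t_a)

def intercepted_exchange():
    """Trudy replaces T_A and T_B in transit with her own public value."""
    a, t_a = keypair()
    b, t_b = keypair()
    t, t_t = keypair()
    k_alice = shared_key(a, t_t)   # Alice believes she shares this with Bob
    k_bob = shared_key(b, t_t)     # Bob believes he shares this with Alice
    trudy_keys = (shared_key(t, t_a), shared_key(t, t_b))
    return k_alice, k_bob, trudy_keys

def tag(long_term_key, sender, public_value):
    """Bind a public value to its sender with a key distributed beforehand."""
    msg = sender.encode() + b"|" + public_value.to_bytes(16, "big")
    return hmac.new(long_term_key, msg, hashlib.sha256).digest()

def authenticated_receive(long_term_key, sender, public_value, received_tag):
    """Accept a public value only if its tag verifies; a substituted T fails."""
    expected = tag(long_term_key, sender, public_value)
    return hmac.compare_digest(expected, received_tag)
```

In the intercepted run Alice and Bob each hold a key that Trudy also holds, and nothing in the exchange itself reveals that; the tag check is what rejects a substituted value.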

Questions about Secret Key Methods?

RSA Public Key Cryptography (Asymmetric Keys)
[Figure: cleartext T passes through f() with Key #1 to give cyphertext C, which passes through f() with Key #2 to give T again]
– Key #1 can be either a Public Key or a Private Key.
– Key #2 is then the corresponding Private Key or Public Key.

RSA Public Key Cryptography
– Rivest, Shamir and Adleman (1978)
– I can send messages that only you can read
– I can verify that you and only you could have sent a message
– I can use a trusted authority to distribute my public key
  – The trusted authority is for your benefit!

RSA Details
– Uses same operation to encrypt and decrypt
– To encrypt, we will use “e” as a key, to decrypt we will use “d” as a key
– e and d are inverses with respect to the chosen algorithm

RSA Details (continued)
– Based on mathematical premise that finding prime factors of large numbers is difficult computationally
  – No known solution despite 100s of years of trying!
– Note: Finding primes is also hard

RSA Details (continued)
– Let p and q be two large primes bits in length
– Let n = p × q
– Let z = (p – 1) × (q – 1)
– Choose d to be relatively prime to z
– Choose e such that d × e = 1 mod z
– Publish n and either d or e (but not both!)

RSA Details (continued)
– Encryption: Cyphertext = (Cleartext)^e mod n
– Decryption: Cleartext = (Cyphertext)^d mod n
– Typical d will be on the order of 500 to 700 bits
– The cost of the algorithm is between 1× and 2× the size of n
  – Each operation is a giant shift and add (multiply by a power of 2)

RSA Details (continued)
– References
  – Tanenbaum & van Steen, §9.1.3
  – Silberschatz, §

RSA Problems
– It is computationally much more costly than typical secret-key methods
  – Impractical to use for message encryption
  – Use RSA to encrypt a random session key
  – Encrypt the message with the session key and append/prefix the RSA encrypted key
– Requires a “Public Key Infrastructure” for effective key generation and distribution
  – Chain of trust thing again!
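
The key-generation steps from the RSA Details slides and the session-key arrangement from RSA Problems, worked through in Python as an added example that is not part of the original slides. The two Mersenne primes, the function names and the SHA-256 keystream standing in for a real secret-key cipher are assumptions; this is textbook RSA without padding, which real systems replace with a padded scheme such as RSA-OAEP.

```python
import hashlib
import math
import secrets

# Constructed toy primes (2^61 - 1 and 2^89 - 1): big enough to wrap a 128-bit
# session key, far too small and too structured for real use.
P = 2**61 - 1
Q = 2**89 - 1

def make_keys(p=P, q=Q):
    """Slide steps: n = p*q, z = (p-1)(q-1), d coprime to z, d*e = 1 mod z."""
    n, z = p * q, (p - 1) * (q - 1)
    while True:
        d = secrets.randbelow(z - 3) + 3
        if math.gcd(d, z) == 1:
            break
    e = pow(d, -1, z)   # modular inverse, Python 3.8+
    return n, e, d, z

def rsa_apply(m, key, n):
    """The same operation in both directions: m^key mod n."""
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, n)")
    return pow(m, key, n)

def keystream_xor(key, data):
    """Stand-in secret-key cipher: XOR with a SHA-256 counter keystream."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)

def hybrid_encrypt(message, n, e):
    """Encrypt the body with a random session key; RSA-encrypt only that key."""
    session_key = secrets.token_bytes(16)
    wrapped = rsa_apply(int.from_bytes(session_key, "big"), e, n)
    return wrapped, keystream_xor(session_key, message)

def hybrid_decrypt(wrapped, body, n, d):
    """Recover the session key with d, then decrypt the body with it."""
    session_key = rsa_apply(wrapped, d, n).to_bytes(16, "big")
    return keystream_xor(session_key, body)
```

Only the 16-byte session key goes through the expensive modular exponentiation; the message body, however long, is handled by the cheap symmetric step.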

Questions about Public Key Encryption?

Authentication using Secure Channels

Authentication using Secure Channels
– At this point, Bob knows he is talking with Alice

Authentication using Secure Channels
– At this point, Bob knows he is talking with Alice
– Not until this point does Alice know she is talking with Bob

What is wrong with this “Optimization”?

Subject to “Reflection Attack”
– Attacker cons Bob into encrypting R_B for him
– “Reflection” attack

Reflection Attack
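
An added Python example, not from the original slides, of why the shortened handshake fails and one common way to fix it. It assumes the three-message layout shown in the code, models the keyed operation K(R) with HMAC-SHA-256, and uses hypothetical names (Responder, bind_roles, reflection_accepted).

```python
import hashlib
import hmac
import secrets

class Responder:
    """Bob's side of the shortened handshake (assumed message layout):
    1. A -> B: A, R_A    2. B -> A: R_B, K(R_A)    3. A -> B: K(R_B)"""

    def __init__(self, key, bind_roles):
        self.key = key
        self.bind_roles = bind_roles   # False = the flawed "optimization"
        self.pending = {}              # session id -> R_B awaiting an answer

    def _mac(self, role, challenge):
        # Hardened form mixes the sender's role into the keyed response, so a
        # value Bob produced as responder is useless as an initiator's answer.
        prefix = role if self.bind_roles else b""
        return hmac.new(self.key, prefix + challenge, hashlib.sha256).digest()

    def hello(self, claimed_name, r_a):
        """Message 1 in, message 2 out. The claimed name is unverified here."""
        sid, r_b = secrets.token_hex(4), secrets.token_bytes(16)
        self.pending[sid] = r_b
        return sid, r_b, self._mac(b"responder|", r_a)

    def finish(self, sid, answer):
        """Message 3: accept the peer only if it proves knowledge of the key."""
        r_b = self.pending.pop(sid, None)
        if r_b is None:
            return False
        return hmac.compare_digest(answer, self._mac(b"initiator|", r_b))

def initiator_answer(key, r_b, bind_roles):
    """What the legitimate Alice, who holds the key, sends as message 3."""
    prefix = b"initiator|" if bind_roles else b""
    return hmac.new(key, prefix + r_b, hashlib.sha256).digest()

def reflection_accepted(bob):
    """Replay the slide's scenario without the key: hand Bob's own challenge
    back to him in a second session and report whether session 1 is accepted."""
    sid1, r_b, _ = bob.hello("alice", secrets.token_bytes(16))
    _, _, reflected = bob.hello("alice", r_b)   # Bob computes K(R_B) himself
    return bob.finish(sid1, reflected)
```

Running reflection_accepted against both configurations works as a regression check: the unbound responder accepts a peer that never held the key, and the role-bound one does not.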

Key Distribution Server
– Alice requests secure channel to Bob
– KDC generates session key K_{A,B}
– KDC sends secure messages to both Alice and Bob containing K_{A,B}

Key Distribution Server (continued)
– Alice requests secure channel to Bob
– KDC generates session key K_{A,B} and ticket to speak with Bob
– Alice uses ticket to contact Bob

Needham-Schroeder Protocol
– Nonce – a random number that is never re-used
  – E.g., R_{A1}, R_{A2}, and R_B
  – Prevents intruder from replaying old tickets

Kerberos
– Single sign-on system
  – One login used to generate tickets for authenticating shared services on distributed system
  – No passwords maintained by any client
– Two parts
  – AS – Authentication Service
  – TGS – Ticket Granting Service
– Once authenticated, user may ask TGS for a ticket for a session with any service.

Kerberos (continued)

Kerberos (continued)
– With ticket, Alice can communicate securely with Bob.
  – Alice knows it is Bob because only Bob could decrypt the ticket
  – Bob knows that it is Alice because TGS said it was
  – Timestamp prevents replaying old sessions

Key Distribution
– Many variations
  – Secret (symmetric) keys
  – Public (asymmetric) keys
– Always based on trust
– Central part of any distributed system that requires authentication

Questions?