The TAOS Authentication System: Reasoning Formally About Security Brad Karp UCL Computer Science CS GZ03 / M030 24 th November, 2008.

Slides:



Advertisements
Similar presentations
1 Key Exchange Solutions Diffie-Hellman Protocol Needham Schroeder Protocol X.509 Certification.
Advertisements

Overview Network security involves protecting a host (or a group of hosts) connected to a network Many of the same problems as with stand-alone computer.
Key Management. Shared Key Exchange Problem How do Alice and Bob exchange a shared secret? Offline – Doesnt scale Using public key cryptography (possible)
Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.
Last Class: The Problem BobAlice Eve Private Message Eavesdropping.
CIS 725 Key Exchange Protocols. Alice ( PB Bob (M, PR Alice (hash(M))) PB Alice Confidentiality, Integrity and Authenication PR Bob M, hash(M) M, PR Alice.
Grid Computing, B. Wilkinson, 20045a.1 Security Continued.
Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York.
NSRC Workshop Some fundamental security concerns... Confidentiality - could someone else read my data? Integrity - has my data been changed? Authentication.
Grid Security Infrastructure Tutorial Von Welch Distributed Systems Laboratory U. Of Chicago and Argonne National Laboratory.
The Kerberos Authentication System Brad Karp UCL Computer Science CS GZ03 / M th November, 2008.
Http Web Authentication Web authentication is used to verify a users identity before allowing access to certain web pages On web browsers you get a login.
Grid Security. Typical Grid Scenario Users Resources.
Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.
15-1 Last time Internet Application Security and Privacy Public-key encryption Integrity.
Apr 2, 2002Mårten Trolin1 Previous lecture On the assignment Certificates and key management –Obtaining a certificate –Verifying a certificate –Certificate.
Mar 12, 2002Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities SSL/TLS.
 Authorization via symmetric crypto  Key exchange o Using asymmetric crypto o Using symmetric crypto with KDC  KDC shares a key with every participant.
1 Authentication Applications Digital Signatures Security Concerns X.509 Authentication Service Kerberos Based on slides by Dr. Lawrie Brown of the Australian.
CS555Spring 2012/Topic 161 Cryptography CS 555 Topic 16: Key Management and The Need for Public Key Cryptography.
Data Security 101 Part 1: PKI and SSL. Reading First, read the VeriSign case, –page Second, read section 5.3 –pages Finally, briefly skim.
8-1 What is network security? Confidentiality: only sender, intended receiver should “understand” message contents m sender encrypts message m receiver.
Encryption An Overview. Fundamental problems Internet traffic goes through many networks and routers Many of those networks are broadcast media Sniffing.
Presented by Xiaoping Yu Cryptography and PKI Cosc 513 Operating System Presentation Presented to Dr. Mort Anvari.
EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 7 Wenbing Zhao Department of Electrical and Computer Engineering.
Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE CSci530: Computer Security Systems Authentication.
CMSC 414 Computer and Network Security Lecture 19 Jonathan Katz.
EEC 688/788 Secure and Dependable Computing Lecture 7 Wenbing Zhao Department of Electrical and Computer Engineering Cleveland State University
Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE CSci530: Computer Security Systems Authentication.
Security Management.
1 CS 194: Distributed Systems Security Scott Shenker and Ion Stoica Computer Science Division Department of Electrical Engineering and Computer Sciences.
Alexander Potapov.  Authentication definition  Protocol architectures  Cryptographic properties  Freshness  Types of attack on protocols  Two-way.
Computer Science Public Key Management Lecture 5.
Cryptography 101 Frank Hecker
Digital Certificates. What is a Digital Certificate? A digital certificate is the equivalent of your business card in the e-commerce world. It says who.
ECE453 – Introduction to Computer Networks Lecture 18 – Network Security (I)
Part Two Network Security Applications Chapter 4 Key Distribution and User Authentication.
Lecture 19 Page 1 CS 111 Online Symmetric Cryptosystems C = E(K,P) P = D(K,C) E() and D() are not necessarily the same operations.
Masud Hasan Secue VS Hushmail Project 2.
Slide 1 0x1A Great Papers in Computer Security Vitaly Shmatikov CS 380S
Security Keys, Signatures, Encryption. Slides by Jyrki Nummenmaa ‘
SSL / TLS in ITDS Arun Vishwanathan 23 rd Dec 2003.
Authentication and Authorization Authentication is the process of verifying a principal’s identity (but how to define “identity”?) –Who the person is –Or,
Pertemuan-13 Enkripsi and Authentication. Symmetric-key Cryptography  Data encrypted and decrypted with same key  Classical examples: Caesar cipher,
E-Commerce Security Professor: Morteza Anvari Student: Xiaoli Li Student ID: March 10, 2001.
SECURITY MANAGEMENT Key Management in the case of public-key cryptosystems, we assumed that a sender of a message had the public key of the receiver at.
Kerberos Named after a mythological three-headed dog that guards the underworld of Hades, Kerberos is a network authentication protocol that was designed.
Proof-Carrying Code & Proof-Carrying Authentication Stuart Pickard CSCI 297 June 2, 2005.
NDSU Lunchbytes "Are They Really Who They Say They Are?" Digital or Electronic Signature Information Rick Johnson, Theresa Semmens, Lorna Olsen April 24,
Lecture 16: Security CDK4: Chapter 7 CDK5: Chapter 11 TvS: Chapter 9.
1 KERBEROS: AN AUTHENTICATION SERVICE FOR OPEN NETWORK SYSTEMS J. G. Steiner, C. Neuman, J. I. Schiller MIT.
CPS Computer Security Tutorial on Creating Certificates SSH Kerberos CPS 290Page 1.
MEMBERSHIP AND IDENTITY Active server pages (ASP.NET) 1 Chapter-4.
3/15/01CSCI {4,6}900: Ubiquitous Computing1 Announcements.
Security fundamentals Topic 5 Using a Public Key Infrastructure.
Network Security Continued. Digital Signature You want to sign a document. Three conditions. – 1. The receiver can verify the identity of the sender.
Key Management. Authentication Using Public-Key Cryptography  K A +, K B + : public keys Alice Bob K B + (A, R A ) 1 2 K A + (R A, R B,K A,B ) 3 K A,B.
CPS Computer Security Tutorial on Creating Certificates SSH Kerberos CPS 290Page 1.
Fall 2006CS 395: Computer Security1 Key Management.
9.2 SECURE CHANNELS JEJI RAMCHAND VEDULLAPALLI. Content Introduction Authentication Message Integrity and Confidentiality Secure Group Communications.
Prof. Reuven Aviv, Nov 2013 Public Key Infrastructure1 Prof. Reuven Aviv Tel Hai Academic College Department of Computer Science Public Key Infrastructure.
Tanenbaum & Van Steen, Distributed Systems: Principles and Paradigms, 2e, (c) 2007 Prentice-Hall, Inc. All rights reserved DISTRIBUTED SYSTEMS.
Authentication in Dist Systems Presented in cs294-4 P2P Systems by Sailesh Krishnamurthy Oct
Grid Security.
Outline What does the OS protect? Authentication for operating systems
Outline What does the OS protect? Authentication for operating systems
CDK4: Chapter 7 CDK5: Chapter 11 TvS: Chapter 9
Certificates An increasingly popular form of authentication
CDK: Chapter 7 TvS: Chapter 9
Presentation transcript:

The TAOS Authentication System: Reasoning Formally About Security Brad Karp UCL Computer Science CS GZ03 / M th November, 2008

2 Motivation: Building Correct Authentication Systems We’ve studied cryptographic primitives We’ve studied certificates, and how they’re used in SSL –Trusted third party, CA, attests to binding between public key and principal’s name –One party can authenticate other using certificate Certificates are more general tool, but can be hard to reason about How can we reason formally about whether collection of certificates truly authenticates some principal to complete some operation on some object?

3 Motivation: Flexible Authentication Systems Suppose want to authenticate user on client workstation to file server –User is principal –User authorized on file server to perform certain operations on certain file objects Simple model: –Use public-key cryptography –Install user’s public key on file server –User holds private key on client workstation while logged in –User signs each RPC sent to file server using his private key

4 Motivation: Drawbacks of Simple Authentication Model Very slow (TAOS took 250 ms per RSA sig) Rigid: –What if I ssh into second machine? –2 nd box must sign file server RPCs, too –Does it send messages back to 1 st box for signing? How would user know they’re authentic? –What if user goes home, leaves simulation running for hours?

5 Motivation: SSL Rigid, Too Does SSL work here? Assume both sides (client and server) authenticate by presenting certificates Fast: symmetric-key ciphers for session data But workstation must hold private key for every connection What if I ssh into second machine? –Want it to be able to use file server, too –Would have to give second machine private key!

6 Outline of TAOS Authentication (1) Give each machine an identity: public/private key pair User bkarp logs into machine X, signs certificate saying: –“bkarp says X speaks for bkarp.” –Reflects reality; X executes bkarp’s programs

7 Outline of TAOS Authentication (2) Now machine X can: –Open SSL-like secure channel from self to server; file server knows it’s talking to X –Present “bkarp says X speaks for bkarp” to file server; file server knows X can speak for user –Send RPCs generated by bkarp’s programs to file servers –All without machine X holding bkarp’s private key!

8 Authorizing 2 nd Machine with TAOS Consider ssh by bkarp to 2 nd machine Want Y to talk to file server for bkarp ssh on X signs “X says Y can speak for bkarp” Gives this certificate to Y when bkarp logs into Y Now Y presents proof outline to file server: –I’m Y –X says Y can speak for bkarp –bkarp says X can speak for bkarp File server can check signatures and verify that RPCs authorized!

9 Why Can’t SSL Authorize 2 nd Machine? SSL for exactly two principals, tied to channels If X says something to Y, Y can’t prove anything to Z In fact, Y can’t verify anything after X closes its connection to Y SSL too rigid to support distributed systems with > 2 parties

10 TAOS’s Central Strengths Certificates are true independent of channels …so can be stored, passed to other parties …and used to prove transitive trust relationships

11 Using Logic to Reason About Authentication Consider example in Section 2.2 of TAOS paper: –User Bob logs into workstation WS –Logic used to authenticate requests from Bob’s login session to a remote file server FS What principals are involved? –Workstation firmware, OS, Bob, Channel Keep track of who knows: –Private keys –Signed certificates –Channel keys

12 State Before Bob Logs In Workstation firmware knows K vax4 User knows K bob ’s private “half” File server has K bob ’s public “half” in an ACL

13 Workstation Boot Time: Generating K ws At boot, workstation firmware generates fresh public/private key, K ws Why not just use K vax4 directly? –Don’t want it to be stolen –Don’t want statements to survive reboot (i.e., certificates generated for login sessions) Firmware signs: “K vax4 says (K ws speaks for K vax4 )” K vax4 never used again (until reboot) Why bother preserving K vax4 ’s identity? –Why not just use K ws as workstation’s true identity? –Want workstation’s identity to survive reboots

14 Boot Time: Generating K ws (2) Why bother with roles (“K vax4 as OS”)? –User might not trust some versions of OS, or some OS –Want to allow OS type/version to be visible in ACLs –Assuming a role amounts to reducing access rights Now vax4’s authentication agent knows: K ws (but forgets K vax4 ) (K vax4 as OS) says (K ws speaks for (K vax4 as OS)) Why does vax4 need an identity at all? –So Bob can delegate to it!

15 Login: Delegation of Authority to Workstation by User Want ws to be able to act for Bob Bob signs with his private key, K bob : K bob says ((K ws | K bob ) speaks for (K ws for K bob )) Private half of K bob not used again until next login! Why not “K bob says (K ws speaks for K bob )”? –If K ws signs something, on whose behalf was it? –So statements by K ws ambiguous, and perhaps usable out of context

16 Delegation at Login (2) What does (A | B) mean? –That A is doing the signing –That A is claiming (no proof yet) that A is speaking for B –Really means that A says in its signed statement that it’s speaking for B What does (A for B) mean? –Logical conclusion that A allowed to speak for B –i.e., (A | B) plus delegation, like one on previous slide (see delegation axiom on p. 4 of paper) –By default, interpreted as B for purposes of ACLs –But for those who care, preserves who actually signed (A)

17 Delegation at Login (3) After delegation by Bob, vax4’s authentication agent knows: K ws private half (K vax4 as OS) says (K ws speaks for (K vax4 as OS)) K bob says ((K ws | K bob ) speaks for (K ws for K bob ))

18 TAOS Channels TAOS uses symmetric-key ciphers to encrypt channels between hosts Channels named by their symmetric key –Name has global meaning C bob doesn’t imply anything about Bob –Only a mnemonic used by authors to indicate intent that C bob carries messages from Bob –System must establish proof that this is case File server knows: –C bob says RQ (where RQ a file server request) –i.e., “received request from someone who knows key C bob ” But who knows key C bob ? –K ws ? –K ws on behalf of Bob? –K ws on behalf of someone else?

19 Proving Authenticity: Channel Certificates ws signs channel certificate when channel between ws and file server first created: (K ws | K bob ) says (C bob speaks for (K ws for K bob )) Goal: link RQ encrypted with C bob to Bob Why not just have K bob sign: –“C bob speaks for K bob ” –This is what SSL client-side certificates do. –But in TAOS, authentication agent doesn’t hold K bob ’s private half—and that’s a good thing…

20 Channel Certificates (2): Why not have K ws sign: –“C bob speaks for K ws ” –Along with pre-signed “K ws speaks for K bob ” –C bob doesn’t speak for K ws in general! Only K bob. Channel certificate is in fact nicely restricted: –States what we mean, and no more –vax4 says C bob speaks for (vax4 speaking for Bob) But vax4 could sign this statement without Bob’s agreement! So file server needs further evidence: –Is vax4 allowed to speak for Bob?

21 Using Logic to Prove Authenticity Suppose ws sends all certificates to file server: (K vax4 as OS) says (K ws speaks for (K vax4 as OS)) K bob says ((K ws | K bob ) speaks for (K ws for K bob )) (K ws | K bob ) says (C bob speaks for (K ws for K bob )) Now file server can reason about meaning of C bob says RQ

22 Using Logic to Prove Authenticity (2) File server can take K bob says ((K ws | K bob ) speaks for (K ws for K bob )) and deduce, using delegation axiom: (K ws | K bob ) speaks for (K ws for K bob ) Informally, delegation axiom just means: –If Bob signs certificate allowing K ws to speak for Bob, then K ws is allowed to speak for Bob Really, delegation certificate means: –If K ws says it’s speaking for Bob, believe it. –This is different than “K ws speaks for K bob ”!

23 Using Logic to Prove Authenticity (3) Now, combine: (K ws | K bob ) speaks for (K ws for K bob ) (K ws | K bob ) says (C bob speaks for (K ws for K bob )) And thus derive: (K ws for K bob ) says (C bob speaks for (K ws for K bob )) In other words: –K ws really does speak for K bob ; it’s not just claiming to do so So we can conclude that C bob speaks for K ws speaking for K bob And thus: (K ws for K bob ) says RQ

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.