Presentation is loading. Please wait.

Presentation is loading. Please wait.

Trustworthy Services from Untrustworthy Components: Overview Fred B. Schneider Department of Computer Science Cornell University Ithaca, New York 14853.

Published by Modified over 8 years ago

Similar presentations

Presentation on theme: "Trustworthy Services from Untrustworthy Components: Overview Fred B. Schneider Department of Computer Science Cornell University Ithaca, New York 14853."— Presentation transcript:

1 Trustworthy Services from Untrustworthy Components: Overview Fred B. Schneider Department of Computer Science Cornell University Ithaca, New York 14853 U.S.A. Joint work with Lidong Zhou and Robbert van Renesse.

2 1 Fault-tolerance by Replication The “fine print” … l Replica failures are independent. l Replica coordination protocol exists. l No secrets stored in server’s state. Servers Client

3 2 Trustworthy Services A trustworthy service… –tolerates component failures –tolerates attacks –might involve confidential data N.b. Cryptographic keys must be kept confidential and are useful for authentication, even when data is not secret.

4 3 Revisiting the “Fine Print” l Replica failures are independent. l Replica Coordination protocol exists. l No secrets stored in server’s state.

5 4 Revisiting the “Fine Print” l Replica failures are independent. –But attacks are not independent. l Replica Coordination protocol exists. l No secrets stored in server’s state.

6 5 Revisiting the “Fine Print” l Replica failures are independent. –But attacks are not independent. l Replica Coordination protocol exists. –But such protocols involve assumptions, and assumptions are vulnerabilities.  Timing assumptions versus Denial of Service l No secrets stored in server’s state.

7 6 Revisiting the “Fine Print” l Replica failures are independent. –But attacks are not independent. l Replica Coordination protocol exists. –But such protocols involve assumptions, and assumptions are vulnerabilities.  Timing assumptions versus Denial of Service l No secrets stored in server’s state. –But secrets cannot be avoided for authentication  Replicating a secret erodes confidentiality.

8 7 Compromised Components Correct component satisfies specification. Compromised component does not. –Adversary might control a compromised component. –Component is compromised if adversary knows secrets being stored there. A recovery protocol transforms component: compromised  correct

9 8 Component Correlation Components are correlated to the extent that one attack suffices to compromise all. Correlation arises from: –Dependence on the environment –Vulnerabilities in shared design / code –Shared secrets Goal: Eliminate sources of correlation.

10 9 Correlation: Environment Vulnerabilities Vulnerabilities = Assumptions –Weaker assumptions are better.  “Synchronous system” assumption: –Bounded message delivery delay –Bounds on process execution speed violated by denial of service attacks needed for “agreement protocols” in deterministic systems [FLP]

11 10 Correlation > Towards Weaker Assumptions: Eschewing Synchronous Systems Asynchronous system model is weaker but requires making “sacrifices”: –Sacrifice determinacy:  Use “randomized protocols” (requires randomness) –Sacrifice liveness but preserve safety. –Sacrifice state machine replication  Use quorums or other weaker mechanisms  Some service semantics cannot be implemented.

12 11 Component Correlation Correlation arises from: –Dependence on environment –Vulnerabilities in shared design / code –Shared secrets

13 12 Correlation: Eschewing Shared Design / Code Solution: Diversity!  Expensive or impossible to obtain: Development costs Interoperability risks Still, what diversity does exist should be leveraged.

14 13 Correlation > Leveraging Extant Diversity: Adversary Structures t-resilience: Service is not compromised unless more than t components are. –Known as a threshold structure. FS-resilience: If FS = {F 1, F 2, … F r } then service not compromised provided the set C of compromised components satisfies C  F i for some i. –Select FS according to dimensions of diversity. –Known as an adversary structure.

15 14 Component Correlation Correlation arises from: –Dependence on environment –Vulnerabilities in shared design / code –Shared secrets

16 15 Correlation: Eliminating Shared Secrets l (n,t) secret sharing [Shamir, Blakley] : –Secret s is divided into n shares. –Any t or more shares suffice for reconstructing s. –Fewer shares convey no information about s. –Can be adapted for arbitrary adversary structures. l Threshold cryptography: –Perform cryptographic operations piecewise using shares of private key; result is as if private key was used. Example: Threshold digital signatures

17 16 Proactive Recovery When is recovery protocol run? –After an attack is detected.  Not sufficient to reboot from good system image. Must get system state (or have stateless service). Must also “refresh” secrets. –Periodically, even if an attack is not detected.  Not all attacks are detected, proactive recovery defends against undetected attacks.  Adversary strategy: Increase the window of vulnerability, interval between proactive recovery executions.

18 17 Proactive Recovery: Secret Refresh l Refresh secret shares: PSS and APSS l Refresh symmetric keys:  Revisit KDC.  Force new password choices. l Refresh public / private key pairs:  Invent new server private key  Must disseminate new server public key.

19 18 Proactive Recovery > Secret Refresh: Refresh Private / Public Keys I Approach: Tamper proof hardware. –Key material stored in tamper-resistant hw.  Key cannot be read or modified.  Attacker can still instigate crypto operations with key. Protocols must accommodate such possible rogue behavior.

20 19 Proactive Recovery > Secret Refresh: Refresh Private / Public Keys II Approach: Use off-line private keys. –New public keys are propagated through a secure out-of-band channel.  Use off-line private keys to sign the new public keys.  Components storing off-line keys can be connected to network using a one-way channel (e.g. “pump”).

21 20 Proactive Recovery > Secret Refresh: Refresh Private / Public Keys III Approach: Assume “awareness” of attacks. –System-wide private key shared among components.  Component generates new private key  Component uses old private key to sign new public key.  Component requests system sign new public key.  System refuses to sign new public key if old private key already subsumed. Out of band process then invoked.

22 21 Proactive Recovery: Transparency and Change I Scalability concerns dictate that clients be shielded from changes due to proactive recovery. l Service public / private key: –Proactive secret sharing changes private key shares without changing private key (or public key). l Server identities: –A single contacted server operates as a delegate. –Service key signs responses to client. –Self-verifying messages impede rogue delegates from spoofing as clients.

23 22 Proactive Recovery: Transparency and Change II l Server public keys. If client must know… –Local certificate:   Signed by server using server’s off-line key –Global certificate:  Local certificate signed by service private key Service signs only if local signature on certificate is valid Use t+1 threshold crypto for service signature  Stored at 2t+1 servers. (Out of 3t+1) –Client obtains current public key for server i:  Retrieve global certificate for all servers from 2t+1 servers  epoch numbers in t+1 sets will be the same---that is current

24 23 Research Programme Trajectory l Cornell On-line Certification Authority (COCA) l Asynchronous Proactive Secret Sharing (APSS) l Distributed Blinding Protocol l Codex Secret Store Key ideas: –Weak computational models (asynchronous) –Thresholdization [sic] / “multi-party computation” –Proactive protocols (vs Transparency)

Download ppt "Trustworthy Services from Untrustworthy Components: Overview Fred B. Schneider Department of Computer Science Cornell University Ithaca, New York 14853."

Similar presentations

SCSC 455 Computer Security

SCSC 455 Computer Security
Key Management. Shared Key Exchange Problem How do Alice and Bob exchange a shared secret? Offline – Doesnt scale Using public key cryptography (possible)

Key Management. Shared Key Exchange Problem How do Alice and Bob exchange a shared secret? Offline – Doesnt scale Using public key cryptography (possible)
Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.

Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.
Kerberos 1 Public domain image of Heracles and Cerberus. From an Attic bilingual amphora, 530–520 BC. From Italy (?).

Kerberos 1 Public domain image of Heracles and Cerberus. From an Attic bilingual amphora, 530–520 BC. From Italy (?).
ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.

ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.
Last Class: The Problem BobAlice Eve Private Message Eavesdropping.

Last Class: The Problem BobAlice Eve Private Message Eavesdropping.
Distribution and Revocation of Cryptographic Keys in Sensor Networks Amrinder Singh Dept. of Computer Science Virginia Tech.

Distribution and Revocation of Cryptographic Keys in Sensor Networks Amrinder Singh Dept. of Computer Science Virginia Tech.
SSL CS772 Fall 2011. Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.

SSL CS772 Fall Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.
Trustworthy Services from Untrustworthy Components: Overview Fred B. Schneider Department of Computer Science Cornell University Ithaca, New York 14853.

Trustworthy Services from Untrustworthy Components: Overview Fred B. Schneider Department of Computer Science Cornell University Ithaca, New York
1 Digital Signatures & Authentication Protocols. 2 Digital Signatures have looked at message authentication –but does not address issues of lack of trust.

1 Digital Signatures & Authentication Protocols. 2 Digital Signatures have looked at message authentication –but does not address issues of lack of trust.
1/6/2015HostAP1 P2P Security Case Study: COCA (Cornell Online Certification Authority) Mobile Multimedia Lab, AUEB, 04/04/2003.

1/6/2015HostAP1 P2P Security Case Study: COCA (Cornell Online Certification Authority) Mobile Multimedia Lab, AUEB, 04/04/2003.
Kerberos and PKI Cooperation Daniel Kouřil, Luděk Matyska, Michal Procházka Masaryk University AFS & Kerberos Best Practices Workshop 2006.

Kerberos and PKI Cooperation Daniel Kouřil, Luděk Matyska, Michal Procházka Masaryk University AFS & Kerberos Best Practices Workshop 2006.
1 Cryptography and Network Security Third Edition by William Stallings Lecturer: Dr. Saleem Al_Zoubi.

1 Cryptography and Network Security Third Edition by William Stallings Lecturer: Dr. Saleem Al_Zoubi.
Lecture III : Communication Security, Services & Mechanisms Internet Security: Principles & Practices John K. Zao, PhD SMIEEE National Chiao-Tung University.

Lecture III : Communication Security, Services & Mechanisms Internet Security: Principles & Practices John K. Zao, PhD SMIEEE National Chiao-Tung University.
CS555Spring 2012/Topic 161 Cryptography CS 555 Topic 16: Key Management and The Need for Public Key Cryptography.

CS555Spring 2012/Topic 161 Cryptography CS 555 Topic 16: Key Management and The Need for Public Key Cryptography.
Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.

Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.
Feb 25, 2003Mårten Trolin1 Previous lecture More on hash functions Digital signatures Message Authentication Codes Padding.

Feb 25, 2003Mårten Trolin1 Previous lecture More on hash functions Digital signatures Message Authentication Codes Padding.
1 Principles of Reliable Distributed Systems Lecture 3: Synchronous Uniform Consensus Spring 2006 Dr. Idit Keidar.

1 Principles of Reliable Distributed Systems Lecture 3: Synchronous Uniform Consensus Spring 2006 Dr. Idit Keidar.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
L. Zhou, Z.J. Haas: Securing Ad Hoc Networks, 1999 1 (26) L. Zhou and Z. J. Haas, Cornell University: Securing Ad Hoc Networks presented by Johanna Vartiainen.

L. Zhou, Z.J. Haas: Securing Ad Hoc Networks, (26) L. Zhou and Z. J. Haas, Cornell University: Securing Ad Hoc Networks presented by Johanna Vartiainen.

Similar presentations

Ads by Google