Presentation is loading. Please wait.

Presentation is loading. Please wait.

Computer Science and Engineering Computer System Security CSE 5339/7339 Lecture 14 October 5, 2004.

Published byProsper Cain Modified over 8 years ago

Similar presentations

Presentation on theme: "Computer Science and Engineering Computer System Security CSE 5339/7339 Lecture 14 October 5, 2004."— Presentation transcript:

1 Computer Science and Engineering Computer System Security CSE 5339/7339 Lecture 14 October 5, 2004

2 Computer Science and Engineering Contents  A3  in  Electronic Signatures (Cont.)  Operating Systems Security  Protection  Authentication  Access Control  Padmaraj’s presentation

3 Computer Science and Engineering Digital Signature Using RSA  The RSA public-key cryptosystem can be used to create a digital signature for a message m.  The signer must have an RSA public/private key pair.

4 Computer Science and Engineering RSA Review -C = P e mod n -P = C d mod n -P = C d mod n = (P e ) d mod n = (P d ) e mod n

5 Computer Science and Engineering Key Choice (RSA Review) -We start by selecting n to be a very large integer (product of two large primes p and q) -Next a large integer e is chosen so that e is relatively prime to (p-1) * (q-1). -Finally, select d such that e * d = 1 mod (p-1) * (q-1)

6 Computer Science and Engineering Example (RSA Review) 1.Select primes p=11, q=3. 2.n = p* q = 11*3 = 33 3.Choose e = 3 Check gcd(e, p-1) = gcd(3, 10) = 1 (i.e. 3 and 10 have no common factors except 1), and check gcd(e, q-1) = gcd(3, 2) = 1 therefore gcd(e, (p-1)(q-1)) = gcd(3, 20) = 1 4.Compute d such that e* d = 1 (mod (p-1)*(q-1)) d = 7 5.Public key = (n, e) = (33, 3) Private key = (n, d) = (33, 7).

7 Computer Science and Engineering Signature Generation (Signer) Message SignaturePrivate Key Redundancy Function Formatted Message Encrypt

8 Computer Science and Engineering Signature Verification Message Signature Public Key Verify Formatted Message Decrypt

9 Computer Science and Engineering Example (generate signature S) -- Signer end d = 53 e = 413 n = 629 m = 250 Assume that R(X) = X S = R(m) e mod n S = 250 53 mod 629 = 411

10 Computer Science and Engineering Example (verify signature with message recovery) Public key (e) = 413 n = 629 S = 411 R(m) = S e mod n R(m) = 411 413 mod 629 = 250 The verifier then checks that R(m) has the proper redundancy created by R (none in this case) and recover the message: m = R -1 (m) = 250

11 Computer Science and Engineering Creating a forged signature Choose a random number between 0 and n-1 for S S = 323 Use the signer’s public key to decrypt S R(m) = 323 413 mod 629 = 85 Invert R(m) to m: m = 85 Note that a valid signature (323) has been created for a random message (85) without the knowledge of the signer’s private key. The choice of a poor redundancy function can make RSA vulnerable to forgery.

12 Computer Science and Engineering Selecting a Good Redundancy Function  A good redundancy function should make forging signatures much harder.

13 Computer Science and Engineering Example (generate signature S) -- Signer end d = 53 e = 413 n = 629 m = 7 Assume that R(X) = XX S = R(m) e mod n S = 77 53 mod 629 = 25

14 Computer Science and Engineering Example (verify signature with message recovery) Public key (e) = 413 n = 629 S = 25 R(m) = S e mod n R(m) = 25 413 mod 629 = 77 The verifier then checks that R(m) is of the form XX for some message X. It is, and we recover the message: m = R -1 (m) = 7

15 Computer Science and Engineering Forging signature (revisited) Choose a random number between 0 and n-1 for S S = 323 Use the signer’s public key to decrypt S R(m) = 323 413 mod 629 = 85 However, 85 is not a legal value for R(m), so S = 323 is not a valid signature

16 Computer Science and Engineering Simple Scenario of Digital Signature

17 Computer Science and Engineering Getting a Message Digest from a document Hash Message Digest

18 Computer Science and Engineering Generating Signature Message Digest Signature Encrypt using private key

19 Computer Science and Engineering Appending Signature to document Append Signature

20 Computer Science and Engineering Verifying Signature Hash Decrypt using public key Message Digest Message Digest

21 Computer Science and Engineering Operating System Security (Chapter 4)  Protection in General Purpose OS  Authorization/Authentication  Access Control

22 Computer Science and Engineering Memory and Address Protection Bare Machine user 0 n memory

23 Computer Science and Engineering Memory and Address Protection (cont.) Resident Monitor user 0 n memory Monitor Fence register

24 Computer Science and Engineering Address Protection for a resident monitor memory 0 n Fence register CPU address true false error Address >= fence

25 Computer Science and Engineering Other Issues  Multiprogramming  Multiple users  Relocation  Segmentation, paging, combined

26 Computer Science and Engineering Segmentation memory 0 n CPU (s,d) < true false error limitbase + Segment Table

27 Computer Science and Engineering paging memory 0 n CPU pd Page Table f fd Logical addressPhysical address

28 Computer Science and Engineering User Authentication  Knowledge-based techniques (passwords)  Token-based techniques (smart cards)  Biometric techniques (fingerprint)  Two-factor (Card + PIN)

29 Computer Science and Engineering Passwords  Protected Password table  Unprotected Password table with one way hash functions  Attacks

30 Computer Science and Engineering Access Control Policies  Specification of how each user is authorized to use each resource.  In practice, no computer applies a single policy to manage all of its resources.  Scheduling algorithms for CPU  SJF, RR  Storage  paging, segmentation

31 Computer Science and Engineering ACCESS Control Matrix O1O1 O2O2 O2O2 O4O4 O1O1 O3O3 Domain 1 Domain 3 Domain 2 objectdomains Every object to be protected is within one or more protection domains

32 Computer Science and Engineering ACCESS Rights Domain 1 Domain 3 Domain 2

33 Computer Science and Engineering What does that mean?  O 1 can be read and written in domain 1 and executed in domain 3, O2 can be executed in domain 1 and written in domain 2, O3 can be read in domain 3, and O 4 can be printed in domains 2 and 3.  At any given time, the domain is which a user is operating determines what actions are and are not permitted.  If Matthew is in domain 1, he is permitted to:  Read or write object 1  Execute object 2

34 Computer Science and Engineering Accesses Control Matrix Object 1Object 2Object 3Object 4 Domain 1 {read,write}{execute} Domain 2 {write}{print} Domain 3 {execute}{read}{print}

35 Computer Science and Engineering Access Control Matrix (cont.)  The matrix designates the protection policy. A mechanism is required to enforce the policy.  The OS stores the matrix in memory  Large and sparse matrix  Ordered triples instead

36 Computer Science and Engineering List of Ordered Triples (Domain 1, Object 1, {read,write}) (Domain 1, Object 2, {execute}) (Domain 2, Object 2, {write}) (Domain 2, Object 4, {print}) (Domain 3, Object 1, {execute}) (Domain 3, Object 3, {read}) (Domain 3, Object 4, {print})

37 Computer Science and Engineering List of Ordered Triples (Cont.) For each attempt by a user in Domain i to perform operation O on object j, the OS consults the list of triples. If it finds a triple (i,j,R) where O is a member of the access rights, R, the operation is allowed to proceed; otherwise it is not. The list must be protected from tampering by users Could be very large Search may become a problem Does not take advantage of special grouping of objects

38 Computer Science and Engineering Access lists Object 1: (, ) Object 2: (, ) Object 3: ( ) Object 4: (, ) An attempt by a user in Domain i to perform operation O on object j causes the OS to consult the entry of the access list for object j. Object j’s list is searched for Domain i’s entry, and the operation is permitted if there is an access right for O.

39 Computer Science and Engineering Default Object 2: (,, )

40 Computer Science and Engineering Capability List (Object, rights)  capability Domain 1: (, ) Domain 2: (, ) Domain 3: (, ) Users are given a copy of the capability list for the domain in which they are operating.

41 Computer Science and Engineering How does it work? Domain 1: (, ) Domain 2: (, ) Domain 3: (, ) When a user wants to perform some operation O, on object j, it passes its capability for j as one of the parameters of O. For example, a user might request to write to Object 2 and passes its copy of. The OS verifies.

42 Computer Science and Engineering Encrypting Capabilities  OS must ensure that users cannot create their own capabilities or alter capabilities they are given.  OS may encrypt capabilities using a secret key before giving them to users.  The OS decrypts and checks the capability each time it is used.

43 Computer Science and Engineering Harrison, Ruzzo, and Ullman (HRU) Model S1S2S3O1O2O3 S1controlOwner read S2controlOwner Read write readOwner execute S3controlread execute

44 Computer Science and Engineering HRU Model (cont.)  HRU allows the state of the protraction system to be changed by a well defined set of commands:  Add subject s to M  Add object o to M  Delete subject s from M  Delete object o from M  Add right r to M[s,o]  Delete right r from M[s,o] Owner can change rights of an object

45 Computer Science and Engineering Take Grant Model  Unlimited number of subjects and objects  States and state transitions  Directed graph  Four primitive operations:  take  create  grant  revoke

46 Computer Science and Engineering Take Grant Model (Cont.) O2 O1 O3 S1 S2 S3 read execute Read, write

47 Computer Science and Engineering Create OS S rights becomes

48 Computer Science and Engineering Revoke OS r1, r2 becomes OS r1, r2, r3

49 Computer Science and Engineering Take OS2 take becomes S1read OS2 take S1read

50 Computer Science and Engineering Grant becomes OS2 grant S1read OS2 grant S1 read

Download ppt "Computer Science and Engineering Computer System Security CSE 5339/7339 Lecture 14 October 5, 2004."

Similar presentations

Operating Systems Components of OS

Operating Systems Components of OS
Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.

Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.
Cryptography and Network Security

Cryptography and Network Security
Digital Signatures and Hash Functions. Digital Signatures.

Digital Signatures and Hash Functions. Digital Signatures.
Authentication and Digital Signatures CSCI 5857: Encoding and Encryption.

Authentication and Digital Signatures CSCI 5857: Encoding and Encryption.
Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.

Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.
Security Chapters 14,15. The Security Environment Threats Security goals and threats.

Security Chapters 14,15. The Security Environment Threats Security goals and threats.
Security Chapters 14,15. The Security Environment Threats Security goals and threats.

Security Chapters 14,15. The Security Environment Threats Security goals and threats.
Chapter 7  Computer Security 1 Overview  Important components of computer security: o User authentication – determine the identity of an individual accessing.

Chapter 7  Computer Security 1 Overview  Important components of computer security: o User authentication – determine the identity of an individual accessing.
CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.
CSI 400/500 Operating Systems Spring 2009 Lecture #20 – Security Measures Wednesday, April 29 th.

CSI 400/500 Operating Systems Spring 2009 Lecture #20 – Security Measures Wednesday, April 29 th.
CS-550 (M.Soneru): Protection and Security - 1 [SaS] 1 Protection and Security.

CS-550 (M.Soneru): Protection and Security - 1 [SaS] 1 Protection and Security.
BR1 Protection and Security B. Ramamurthy Chapters 18 and 19.

BR1 Protection and Security B. Ramamurthy Chapters 18 and 19.
CSE 597E Fall 2001 PennState University1 Digital Signature Schemes Presented By: Munaiza Matin.

CSE 597E Fall 2001 PennState University1 Digital Signature Schemes Presented By: Munaiza Matin.
Cryptography and Network Security Chapter 13

Cryptography and Network Security Chapter 13
Computer Science Public Key Management Lecture 5.

Computer Science Public Key Management Lecture 5.
CS-550 (M.Soneru): Protection and Security - 2 [SaS] 1 Protection and Security - 2.

CS-550 (M.Soneru): Protection and Security - 2 [SaS] 1 Protection and Security - 2.
Digital Signature Xiaoyan Guo/102587 Xiaohang Luo/104446.

Digital Signature Xiaoyan Guo/ Xiaohang Luo/
13.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 13 Digital Signature.

13.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 13 Digital Signature.
Information Security and Management 13. Digital Signatures and Authentication Protocols Chih-Hung Wang Fall 2011 1.

Information Security and Management 13. Digital Signatures and Authentication Protocols Chih-Hung Wang Fall

Similar presentations

Ads by Google