COMP90015 Distributed Systems
Aaron of Computing and Information Systems © The University of Melbourne
2022 Semester II
1 Overview of Security for Distributed Systems
2 Cryptographic Techniques
Overview of Security for Distributed Systems
Policies and Mechanisms
• The challenges of security arise as a result of the need to share or to distribute resources. If a resource is not to be shared or distributed then it can be physically isolated from external access.
• A security policy provides a statement of the required integrity and privacy of shared information and other limits to the allowable usage of a shared resource.
• A security policy is enforced using a security mechanism.
• Digital cryptography provides the basis for most computer security mechanisms, though computer security and cryptography are distinct subjects.
Threats and attacks
• Some threats are obvious – e.g., reading traffic on a shared network to gain information like a password or other personal information.
• Some threats are unobvious – e.g., pretending to be an official server.
• Some threats attack the mechanism – e.g., the attacker purchases something with their credit card and later denies that they actually did the purchase.
• Security threats fall into three broad classes:
• Leakage – the acquisition of information by unauthorized recipients;
• Tampering – the unauthorized alteration of information;
• Vandalism – interference with the proper operation of a system without gain to the perpetrator.
Attacks on distributed systems depend on access to an existing communication channel. A communication channel can be misused in different ways:
• Eavesdropping – obtaining copies of messages without authority.
• Masquerading – sending or receiving messages using the identity of another principal without their authority.
• Message tampering – intercepting messages and altering their contents before passing them on (or substituting a different message in their place); e.g. the man-in-the-middle attack.
• Replaying – storing intercepted messages and sending them at a later date.
• Denial of service – flooding a channel or other resource with messages in order to deny access for others.
Whether something counts as one of these attacks can be arguable, e.g. to what extent is spam email considered a denial of service attack?
Threats from mobile code
• Some distributed systems allow code, called mobile code, to be communicated to a remote host, to be executed by that host. In this case it is necessary to ensure that the host, including all processes and resources available at the host, is secure from any operations that the mobile code undertakes; while of course still allowing legitimate operations.
• Similar to this is the case where code is delivered in an email or via the web browser. The operating system will typically ask the user whether the code should be trusted or not, e.g. to access files and the Internet.
• The Java VM has undergone revisions to ensure that mobile code does not pose a security risk.
• Construction of environments for running mobile code in a secure way is generally more difficult than providing secure channels. A different approach is to validate that the mobile code is not harmful. Trusted Network Computing works along these lines.
Information leakage
• Information leakage can be particularly difficult to prevent. E.g. a flood of messages to a dealer in a particular market can be a meaningful and useful piece of information; even though the messages are themselves secure.
• When the operation of a system and/or its outputs can be observed then there is the potential for information leakage.
• E.g. there are many forms of anonymizing networks, where a client can communicate anonymously with a server. However, if the client always makes requests on a Thursday afternoon, then the behavior may be observed and the client’s identity may be inferred.
• Basically, the system must appear to be random in order for no information to be leaked.
Securing electronic transactions
• There are a number of uses of the Internet that require secure transactions:
• Email – personal information is often transmitted via email, including e.g. credit card details, and in some cases emails are used to authenticate a user, e.g. when a user is signing up to a mailing list.
• Purchase of goods and services – payments for goods and services commonly happen via a web interface. Digital products are delivered via the Internet.
• Banking transactions – money can be directly transferred between bank accounts and different kinds of payment services can be used, e.g. BPAY for paying bills.
• Micro-transactions – many digital goods and services, such as per page reading of a book, usage of a CPU, a single music title, 10 minutes of an Internet radio station, etc, require very low transaction costs since the price for such services may amount to fractions of a cent.
• Some example security policies for securing web purchases include:
• Authenticate the vendor to the buyer, so that the buyer is confident that the server is operated by the vendor.
• Ensure that credit card and personal details are transmitted, unaltered and privately, from the buyer to the vendor and that the details are kept private at all times.
• Responses from the vendor, including digital goods and services, should be received by the buyer without alteration or disclosure during transmission. In this case, authenticating the buyer is not usually required since the vendor is happy so long as the money is made available.
• It should be possible for a buyer to complete a secure transaction with a vendor even if there has been no previous contact between buyer and vendor and without the involvement of a third party.
Designing secure systems
• Building a completely secure system is akin to building a completely bug-free system.
• Known threats can be listed and the designer can show how the distributed system offers security against such threats.
• Logs of sensitive system actions can be used to audit and determine if security violations have taken or are taking place. E.g. a log file can record whether attempts to use supervisor resources have failed due to an incorrect password.
• Costs of implementing a policy mechanism must be balanced against the threat. The cost of an attack can be traded off as well, i.e. how much it costs the attacker in terms of time and resources.
• Security should not needlessly inhibit legitimate uses.
Worst-case assumptions and design guidelines
• Interfaces are exposed – e.g. a socket interface is open to the public, in much the same way as the front door of a house.
• Networks are insecure – messages can be looked at, copied and falsified.
• Limit the lifetime and scope of each secret – keys and passwords can be broken, given enough time and resources.
• Algorithms and program code are available to attackers – the bigger and more widely distributed a secret is, the greater the risk of its disclosure. Open source code is scrutinized by many more programmers than closed source code and this helps to find potential security problems before they are taken advantage of.
• Attackers may have access to large resources – available computing power needs to be projected over the lifetime of the system, and systems need to be secure against some orders of magnitude beyond this.
• Minimize the trusted base – parts of the system that are responsible for enforcing security are trusted; the greater the number of trusted parts, the greater the complexity and so the greater the risk of errors and misuse.
Cryptographic Techniques
Cryptography
Familiar names for the protagonists in security protocols:
• Alice – First participant.
• Bob – Second participant.
• Carol – Participant in three- and four-party protocols.
• Dave – Participant in four-party protocols.
• Eve – Eavesdropper.
• Mallory – Malicious attacker.
• Sara – A server.
Encryption keys
There are two main classes of encryption algorithms: shared secret key algorithms and public/private key algorithms. Some common cryptographic notation includes:
• $k_A$ – Alice’s secret key.
• $k_B$ – Bob’s secret key.
• $k_{AB}$ – Secret key shared between Alice and Bob.
• $k_A^{priv}$ – Alice’s private key (known only to Alice).
• $k_A^{pub}$ – Alice’s public key (published by Alice for everyone to read).
• $\{M\}_k$ – Message $M$ encrypted with key $k$.
• $[M]_k$ – Message $M$ signed with key $k$.
Basic properties
• Given an encryption algorithm, $E$, a decryption algorithm, $D$, a key, $k$, and a message, $M$: $\{M\}_k = E(M, k)$ and $M = D(\{M\}_k, k)$.
• If $k = k_A$ is Alice’s secret key then $\{M\}_k$ can only be decrypted by Alice using $k$.
• If $k = k_{AB}$ is a secret key shared between Alice and Bob then $\{M\}_k$ can only be decrypted by Alice or Bob using $k$.
• If $k = k_A^{priv}$ is Alice’s private key, from a public/private key pair, then $\{M\}_k$ can be decrypted by anyone who has $k_A^{pub}$.
• If $k = k_A^{pub}$ is Alice’s public key, from a public/private key pair, then $\{M\}_k$ can only be decrypted by Alice using $k_A^{priv}$.
• Private/secret keys should be securely maintained since their use is compromised if an attacker obtains a copy of them.
• Public/private key encryption algorithms typically require 100 to 1000 times more processing power than secret-key algorithms.
Secrecy and integrity
A fundamental policy is one of ensuring secrecy of a message. If Alice and Bob have agreed on a shared key and an encryption/decryption algorithm then for a sequence of messages $M_1, M_2, \ldots$:
1 Alice uses $k_{AB}$ and $E$ to encrypt message $M_i$ and sends $\{M_i\}_{k_{AB}}$ to Bob.
2 Bob uses $k_{AB}$ and $D$ to decrypt message $\{M_i\}_{k_{AB}}$.
If the message makes sense when it is decrypted, or better if it contains some agreed upon value such as a checksum, then Bob can be confident that the message is from Alice and that it has not been tampered with.
Some problems:
• How can Alice communicate a shared key $k_{AB}$ to Bob securely?
• How does Bob know that a received message is not a copy of some previous message $\{M_i\}_{k_{AB}}$ captured by an attacker Mallory and resent to Bob?
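An added example, not part of the original slides, of one common answer to the replay question above: Alice authenticates each message together with its sequence number, and Bob rejects any number he has already accepted. It uses HMAC-SHA256 as the agreed check value and leaves encryption out; the class names, packet layout and sample messages are assumptions.

```python
import hashlib
import hmac
import os

TAG_LEN = 32  # bytes in an HMAC-SHA256 tag


class Alice:
    """Sender: binds each message M_i to its sequence number i under k_AB."""

    def __init__(self, k_ab: bytes):
        self.k_ab, self.seq = k_ab, 0

    def send(self, message: bytes) -> bytes:
        self.seq += 1
        header = self.seq.to_bytes(8, "big")
        tag = hmac.new(self.k_ab, header + message, hashlib.sha256).digest()
        return header + message + tag


class Bob:
    """Receiver: accepts a packet only if the tag is valid and i is new."""

    def __init__(self, k_ab: bytes):
        self.k_ab, self.last_seq = k_ab, 0

    def receive(self, packet: bytes) -> bytes:
        if len(packet) < 8 + TAG_LEN:
            raise ValueError("malformed")
        header, body, tag = packet[:8], packet[8:-TAG_LEN], packet[-TAG_LEN:]
        expected = hmac.new(self.k_ab, header + body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("tampered")
        seq = int.from_bytes(header, "big")
        if seq <= self.last_seq:
            raise ValueError("replayed")
        self.last_seq = seq
        return body


def demo() -> list:
    """Deliver M_1, replay M_1, deliver a forged M_2, then the genuine M_2."""
    k_ab = os.urandom(32)  # constructed key, assumed to be shared already
    alice, bob = Alice(k_ab), Bob(k_ab)
    p1, p2 = alice.send(b"pay Carol 10"), alice.send(b"pay Carol 20")
    forged = p2[:8] + b"pay Carol 90" + p2[-TAG_LEN:]  # Mallory edits M_2
    outcomes = []
    for packet in (p1, p1, forged, p2):
        try:
            outcomes.append(bob.receive(packet).decode())
        except ValueError as err:
            outcomes.append(str(err))
    return outcomes


if __name__ == "__main__":
    print(demo())
```

A rejected forgery does not advance Bob's counter, so the genuine second message is still accepted afterwards.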
Authentication using a trusted third party
Consider the case when Alice wants to access a resource held by Bob. Sara is an authentication server that is securely managed. Sara issues passwords to all users including Alice and Bob. Sara knows $k_A$ and $k_B$ because they are derived from the passwords.
1 Alice sends an (unencrypted) message to Sara stating her identity and requesting a ticket for access to Bob.
2 Sara sends a response to Alice encrypted using $k_A$ consisting of a ticket encrypted in $k_B$ and a new secret key $k_{AB}$ for use when communicating with Bob: $\{\{Ticket\}_{k_B}, k_{AB}\}_{k_A}$.
3 Alice decrypts the response using $k_A$. Alice cannot tamper with the ticket before sending it, because it is encrypted with $k_B$.
4 Alice sends a request $R$ to Bob: $\{Ticket\}_{k_B}$, Alice, $R$.
5 Bob receives the encrypted ticket and decrypts it using his key $k_B$, where the ticket is actually $Ticket = \{k_{AB}, Alice\}$. Alice and Bob can now communicate using the shared key or session key, $k_{AB}$.
The previous algorithm is a simplified version of the authentication protocol originally developed by and .
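The five steps above as a runnable sketch, added here and not taken from the original slides. The toy encrypt-then-MAC cipher stands in for a real authenticated cipher, and the function names, JSON layout, salt and passwords are assumptions.

```python
import hashlib
import hmac
import json
import os


def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]


def seal(key: bytes, data: dict) -> bytes:
    """{data}_key: toy encrypt-then-MAC, a stand-in for a real AEAD cipher."""
    nonce, plain = os.urandom(16), json.dumps(data).encode()
    ct = bytes(a ^ b for a, b in zip(plain, _stream(key, nonce, len(plain))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, box: bytes) -> dict:
    nonce, ct, tag = box[:16], box[16:-32], box[-32:]
    good = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("wrong key or tampered")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))


def password_key(password: str) -> bytes:
    # k_A and k_B are derived from passwords; the salt here is constructed.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), b"demo-salt", 10_000)


def sara_issue(keys: dict, client: str, server: str) -> bytes:
    """Steps 1-2: return {{Ticket}_kB, k_AB}_kA for the named client."""
    k_ab = os.urandom(32).hex()
    ticket = seal(keys[server], {"k_ab": k_ab, "client": client})
    return seal(keys[client], {"ticket": ticket.hex(), "k_ab": k_ab})


def alice_open(k_a: bytes, response: bytes):
    """Step 3: Alice recovers k_AB and the ticket she cannot read or alter."""
    body = unseal(k_a, response)
    return bytes.fromhex(body["ticket"]), body["k_ab"]


def bob_accept(k_b: bytes, ticket: bytes, claimed: str) -> str:
    """Step 5: Bob opens the ticket and checks the sender named inside it."""
    inner = unseal(k_b, ticket)
    if inner["client"] != claimed:
        raise ValueError("ticket was issued to another principal")
    return inner["k_ab"]


def run() -> bool:
    keys = {"Alice": password_key("alice-pw"), "Bob": password_key("bob-pw")}
    ticket, k_ab = alice_open(keys["Alice"], sara_issue(keys, "Alice", "Bob"))
    return bob_accept(keys["Bob"], ticket, "Alice") == k_ab
```

`run()` returns `True` when Bob recovers the same session key that Sara gave Alice; a ticket presented under another name, an altered ticket, or a response opened with the wrong password key raises `ValueError`.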
Kerberos overview
Challenge Response
• The use of an authentication server is practical in situations where all users are part of a single organization. It is not practical when access is required between parties that are not supervised by a single organization.
• Simple systems like Telnet send passwords from client to server “in the clear”. Such passwords are easily compromised by eavesdroppers.
• The challenge-response technique is now widely used to avoid sending passwords in the clear. The identity of a client is established by sending the client an encrypted message that only the client should be able to decrypt; this is called a challenge message. If the client cannot decrypt the challenge message then the client cannot properly respond.
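An added example, not from the original slides, of a keyed-hash variant of challenge-response: instead of decrypting an encrypted challenge, the client returns an HMAC of a fresh random challenge under a key derived from its password, so the password never crosses the network. The class, function names and credentials are assumptions.

```python
import hashlib
import hmac
import os


def derive_key(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


def respond(password: str, salt: bytes, nonce: bytes) -> bytes:
    """Client side: prove knowledge of the password without sending it."""
    return hmac.new(derive_key(password, salt), nonce, hashlib.sha256).digest()


class Server:
    def __init__(self):
        self.users = {}    # name -> (salt, derived key)
        self.pending = {}  # name -> challenge not yet answered

    def enrol(self, name: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[name] = (salt, derive_key(password, salt))

    def challenge(self, name: str):
        nonce = os.urandom(16)  # fresh and unpredictable for every login
        self.pending[name] = nonce
        return self.users[name][0], nonce

    def verify(self, name: str, response: bytes) -> bool:
        nonce = self.pending.pop(name, None)  # each challenge is single use
        if nonce is None:
            return False
        expected = hmac.new(self.users[name][1], nonce, hashlib.sha256).digest()
        return hmac.compare_digest(response, expected)


def demo() -> dict:
    server = Server()
    server.enrol("alice", "correct horse")  # constructed credentials
    salt, nonce = server.challenge("alice")
    captured = respond("correct horse", salt, nonce)  # what Eve sees on the wire
    results = {"genuine": server.verify("alice", captured)}
    server.challenge("alice")  # a new login attempt gets a new challenge
    results["replayed"] = server.verify("alice", captured)
    salt, nonce = server.challenge("alice")
    results["wrong_password"] = server.verify("alice", respond("guess", salt, nonce))
    results["no_challenge"] = server.verify("alice", captured)
    return results


if __name__ == "__main__":
    print(demo())
```

The derived key stored by the server is itself sufficient to answer challenges, so the server's user table needs the same protection as a password file.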
Authenticated communication with public keys
1 Alice accesses a key distribution service, Sara, to obtain a public-key certificate giving Bob’s public key. The public-key certificate, Cert, is a message signed by Sara using $k_S^{priv}$. The key $k_S^{pub}$ is widely known by Alice and others and is used to check the signature. Among other things the certificate contains Bob, keyname, $k_B^{pub}$.
2 Alice creates $k_{AB}$ and encrypts it using $k_B^{pub}$ with a public-key algorithm. She sends the result to Bob, along with a name that identifies the public/private key pair (since Bob may have several public/private keys). Alice sends $\{keyname, \{k_{AB}\}_{k_B^{pub}}\}$.
3 Bob selects the appropriate private key $k_B^{priv}$ and decrypts the message to obtain $k_{AB}$. Alice and Bob can now securely communicate.
If the message from Alice to Bob was tampered with then the decrypted $k_{AB}$ will not match and messages back from Bob will not make sense. Having said this, Alice can also encrypt some additional identification in the original message, e.g. a checksum or Alice’s email address, etc.
Digital signature
• A digital signature serves the same role as a handwritten signature, binding an identity to a message.
• In the case of public/private keys, the identity is the public/private key pair itself.
• A digital signature requires the use of a digest. A digest is a function, $Digest(M)$, that maps an arbitrary message, $M$, to a fixed length datum. The digest function must be such that two different messages are very unlikely to map to the same datum. The SHA-2 hash function is a good example of this.
• If Alice wants to sign a message, $M$, then Alice constructs $\{M, Digest(M)_{k_A^{priv}}\}$.
• A receiver, Bob, decrypts the digest using $k_A^{pub}$. Bob also computes the digest of $M$ locally. If the message or the encrypted digest were tampered with then the results will not match.
• This is effectively a signature based on the identity $k_A^{priv}$ since no other private key would produce that encrypted digest and no other message is likely to produce that digest. Alice cannot deny that she signed the message.
Digital Signature with pub/priv keys
Digital Signature with shared key
Certificate chains
• For Alice to authenticate a certificate from Sara concerning Bob’s public key, Alice must first have Sara’s public key. This poses a recursive problem.
• In the simplest case, Sara creates a self-signed certificate, which is attesting to her own public key. The self-signed certificate is widely publicized (e.g. by distributing with operating system or browser installation). This certificate is trusted. The private key must be closely guarded in order to maintain the integrity of all certificates that are signed with it.
• However, assume that Carol has signed a certificate attesting to Bob’s public key and that Sara has signed a certificate attesting to Carol’s public key. This is an example of a certificate chain. If Alice trusts Carol’s certificate then she can authenticate Bob’s identity. Otherwise Alice must first authenticate Carol’s identity using Sara’s certificate.
• Revoking a certificate is usually done by using predefined expiry dates. Otherwise anyone who may make use of the certificate must be told that the certificate is to be revoked.
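An added example, not from the original slides, covering both the digest-based signature described under "Digital signature" and the Sara, Carol, Bob chain above: each certificate is a signed message, and the verifier walks from the trusted root down to Bob, checking issuer names, expiry dates and signatures. Textbook RSA without padding, built from known Mersenne primes, stands in for a real signature scheme; the certificate layout, dates and function names are assumptions.

```python
import hashlib
import json

E = 65537  # public exponent shared by every key in this example


def make_key(p: int, q: int) -> dict:
    """Textbook RSA key from two primes: n is public, d is private."""
    return {"n": p * q, "d": pow(E, -1, (p - 1) * (q - 1))}


def digest(data: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(key: dict, data: bytes) -> int:
    """Digest(M) transformed with the private key."""
    return pow(digest(data, key["n"]), key["d"], key["n"])


def verify(n: int, data: bytes, sig: int) -> bool:
    """Undo the signature with the public key and compare with a local digest."""
    return pow(sig, E, n) == digest(data, n)


def encode(body: dict) -> bytes:
    return json.dumps(body, sort_keys=True).encode()


def issue(issuer: str, issuer_key: dict, subject: str, subject_n: int, not_after: int) -> dict:
    body = {"issuer": issuer, "subject": subject, "n": subject_n, "not_after": not_after}
    return {"body": body, "sig": sign(issuer_key, encode(body))}


def verify_chain(chain: list, anchors: dict, today: int) -> int:
    """chain[0] is the end entity. Returns its public modulus or raises."""
    name = chain[-1]["body"]["issuer"]
    if name not in anchors:
        raise ValueError("untrusted root")
    n = anchors[name]
    for cert in reversed(chain):
        body = cert["body"]
        if body["issuer"] != name:
            raise ValueError("broken chain")
        if body["not_after"] < today:
            raise ValueError("expired")
        if not verify(n, encode(body), cert["sig"]):
            raise ValueError("bad signature")
        name, n = body["subject"], body["n"]
    return n


# Constructed toy keys from Mersenne primes: easy to factor, never use for real.
SARA = make_key(2**521 - 1, 2**607 - 1)
CAROL = make_key(2**107 - 1, 2**127 - 1)
BOB = make_key(2**61 - 1, 2**89 - 1)
CHAIN = [issue("Carol", CAROL, "Bob", BOB["n"], 20231231),
         issue("Sara", SARA, "Carol", CAROL["n"], 20251231)]
```

With only Sara's public modulus as a trust anchor, `verify_chain(CHAIN, {"Sara": SARA["n"]}, 20220801)` returns Bob's public modulus, which can then be passed to `verify` to check a message Bob signed.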
http://publib.boulder.ibm.com
A standard for digital certificates is X.509. From Wikipedia, the structure of an X.509 version 3 certificate is:
* Certificate
  * Serial Number
  * Algorithm ID
  * Validity
    * Not Before
    * Not After
  * Subject Public Key Info
    * Public Key Algorithm
    * Subject Public Key
  * Issuer Unique Identifier (Optional)
  * Subject Unique Identifier (Optional)
  * Extensions (Optional)
* Certificate Signature Algorithm
* Certificate Signature
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting cc,
                OU=Certification Services Division,
                CN=Thawte Server Val