The University of Sydney Page 1

COMP3221: Distributed Systems
Security

Unit Coordinator
Dr Nguyen Tran
School of Computer Science

Outline

– Definitions
– Encryption

– Secret Key System
– Public Key System

– Authentication
– How to generate keys ?

– Integrity
– What is privacy ?

Definitions

Security

Definitions

– Confidentiality: property of a computer system whereby its information
is disclosed only to authorized parties

– Integrity: alterations of a system’s assets (hardware, software, data)
can be made only in an authorized way

– Security threats
  – Interception: unauthorized party has access to a service or data
    e.g., communication between two parties was overheard by someone else
  – Interruption: service or data becomes unavailable
    e.g., denial of service attack, where a service is made inaccessible to others
  – Modification: unauthorized changes of data or tampering with a service so that it no longer adheres to its specification
    e.g., changing a program so that it secretly logs activities of its user
  – Fabrication: generating additional data or activity that would normally not exist
    e.g., an intruder adds an entry into a password file or database

Goals

Definitions

– Security policy: actions the entities of the system are allowed to take and which ones are prohibited

– Security mechanisms: used to enforce the security policy:
  – Encryption: action of transforming data into something an attacker cannot understand
  – Authentication: action of verifying the claimed identity of an entity (e.g., client, server, host, user, etc.)
  – Authorization: action of verifying whether the entity has the rights to perform the action it requests
  – Auditing: action of monitoring which entity accesses what, and how

Means

Definitions

– Bob wants to transmit message P protected from security threats to Alice:

1. Bob encrypts P into an unintelligible message C

2. Bob sends C to Alice

3. Upon reception, Alice must decrypt C into its original form P

Cryptography example

[Figure: plaintext message P; sealed message C, labelled $K_A^+$]

Definitions

– The original form of the message, P, is called the plaintext

– The encrypted form, C, is called the ciphertext

– $C = E_K(P)$: ciphertext C obtained by encrypting P using key K
– $P = D_K(C)$: plaintext P obtained by decrypting C using key K

Cryptography example (con’t)


Definitions

– Intruders and eavesdroppers in communication

– Cryptography protects from interruption, modification and
fabrication

Cryptography example (con’t)

Encryption

Security

Cryptographic methods are parameterized by keys:
1. Secret key (a.k.a. symmetric) cryptosystem:
  – The same key K is used to both encrypt and decrypt the message: $P = D_K(E_K(P))$
  – The key is kept secret; no one except the sender and receiver may know it
2. Public key (a.k.a. asymmetric) cryptosystem:
  – There are two separate keys, $K_E$ for encryption and $K_D$ for decryption: $P = D_{K_D}(E_{K_E}(P))$
  – One of the keys of a public key system is public while the other is private

Definitions

Keys

Secret key system

– Consider that Bob wants to send a protected message to Alice:
  – Bob encrypts the message P using the secret key K into C
  – Upon reception, Alice decrypts C using the secret key K to read P

[Figure: Alice and Bob each hold K, their shared secret key]

Secret key system

Data Encryption Standard (DES)

– Used to operate on 64-bit blocks of data
– A block is transformed into a 64-bit block in 16 encryption rounds
– Each round uses a different 48-bit key for encryption
– Each of these 16 keys is derived from a 56-bit master key
– The permutation is applied to the result leading to the output

Secret key system

DES (con’t)

One encryption round

Encryption in a single round

› Round i takes as input the 64-bit block from round i-1
› The block is split into a left part $L_{i-1}$ and a right part $R_{i-1}$
› The right part is used for the left part of the next round: $L_i = R_{i-1}$
› The function f takes $R_{i-1}$ and key $K_i$ and outputs a 32-bit block
› This output block is XORed with $L_{i-1}$ to output $R_i$

Secret key system

DES (con’t)

Per-round key generation in DES

Construction of the key $K_i$ for round i

› The master key is permuted and divided into two 28-bit halves
› In each round, each half is first rotated 1 or 2 bits to the left, after which 24 bits are extracted
› Together with the 24 bits from the other rotated half, a 48-bit key $K_i$ is constructed
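
The round structure and per-round key construction described on the two DES slides, as runnable code (an added example, not code from the slides). The round function `f` is a SHA-256 stand-in and the 24-bit extraction simply takes the low bits of each rotated half; both are assumptions made here, since real DES uses its own expansion, S-boxes and selection tables.

```python
import hashlib

MASK32 = 0xFFFFFFFF
MASK28 = (1 << 28) - 1
# Left-rotation per round from the DES standard: 1 bit in rounds 1, 2, 9, 16, else 2.
SHIFTS = [1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1]

KEY = 0x0123456789ABCD        # constructed 56-bit master key
BLOCK = 0x0123456789ABCDEF    # constructed 64-bit plaintext block

def rotl28(x, n):
    """Rotate a 28-bit value left by n bits."""
    return ((x << n) | (x >> (28 - n))) & MASK28

def round_keys(master56):
    """Split the 56-bit key into two 28-bit halves, rotate both each round,
    and build a 48-bit K_i from 24 bits of each half (toy extraction)."""
    c, d = (master56 >> 28) & MASK28, master56 & MASK28
    keys = []
    for shift in SHIFTS:
        c, d = rotl28(c, shift), rotl28(d, shift)
        keys.append(((c & 0xFFFFFF) << 24) | (d & 0xFFFFFF))
    return keys

def f(r, k):
    """Stand-in round function: maps (R_{i-1}, K_i) to 32 bits.
    The Feistel structure is invertible whatever f is."""
    data = r.to_bytes(4, "big") + k.to_bytes(6, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big")

def feistel(block64, keys):
    left, right = block64 >> 32, block64 & MASK32
    for k in keys:
        # L_i = R_{i-1};  R_i = L_{i-1} XOR f(R_{i-1}, K_i)
        left, right = right, left ^ f(right, k)
    # Final swap: decryption is then the same routine with the keys reversed.
    return (right << 32) | left

def encrypt(block64, master56):
    return feistel(block64, round_keys(master56))

def decrypt(block64, master56):
    return feistel(block64, round_keys(master56)[::-1])
```

The 16 rotations add up to 28 bits, so the two halves are back in their starting position when the last round key is built.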

Secret key system

– DES
  – Simple enough to be implemented on a smart card
  – Resistant to analytical methods
  – Can be broken using a brute-force attack by simply searching for a key that breaks it

– Triple DES
  – Using DES three times in a special encrypt-decrypt-encrypt mode with different keys
  – Often used

– Consider that Bob wants to send a protected message to Alice:
  – Bob encrypts the message m using the public key $K_A^+$ of Alice into m’
  – Upon reception, Alice decrypts m’ using her private key $K_A^-$ to read m
  – Alice is the only one with the private key $K_A^-$, so only Alice can decrypt the message

Public key system

[Figure: Alice holds her public key $K_A^+$ and her private key $K_A^-$; Bob holds Alice’s public key $K_A^+$]

Public key system

– Every integer can be written as a product of prime numbers
  e.g., 2100 = 2 * 2 * 3 * 5 * 5 * 7 (2, 3, 5, 7 are the prime factors of 2100)

– No method is known to find the prime factors of large numbers

– In RSA, the private and public keys are constructed from very large prime numbers (with 100s of decimal digits)

Rivest, Shamir and Adleman (RSA)

Public key system

– This is achieved in 4 steps:
1. Choose large prime numbers p and q

2. Compute n = pq and totient z = (p – 1)(q – 1)

3. Choose a number d that is relatively prime to z
4. Compute the number e such that ed = 1 mod z
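
The four steps worked through in code, as an added example that is not part of the original slides. The function names are assumptions, and the toy values p = 61, q = 53, d = 2753 are chosen here for illustration; the code also carries the keys through the block-by-block encryption and decryption that the following bullets describe.

```python
from math import gcd

def make_keys(p, q, d):
    """Steps 1-4: n = pq, z = (p-1)(q-1), d relatively prime to z, ed = 1 mod z."""
    n, z = p * q, (p - 1) * (q - 1)
    if gcd(d, z) != 1:
        raise ValueError("d must be relatively prime to z")
    e = pow(d, -1, z)              # modular inverse of d modulo z (Python 3.8+)
    return (e, n), (d, n)          # (public key, private key)

def block_size(n):
    """Largest byte count per block that guarantees 0 <= m_i < n."""
    size = (n.bit_length() - 1) // 8
    if size == 0:
        raise ValueError("n is too small to hold one byte per block")
    return size

def encrypt(message, public):
    """c_i = m_i^e mod n for each fixed-length block m_i of the message."""
    e, n = public
    size = block_size(n)
    blocks = [message[i:i + size] for i in range(0, len(message), size)]
    return [pow(int.from_bytes(b, "big"), e, n) for b in blocks], len(message)

def decrypt(cipher, length, private):
    """m_i = c_i^d mod n, reassembled into the original byte string."""
    d, n = private
    size = block_size(n)
    out = bytearray()
    for c in cipher:
        take = min(size, length - len(out))   # the last block may be shorter
        out += pow(c, d, n).to_bytes(take, "big")
    return bytes(out)

if __name__ == "__main__":
    public, private = make_keys(61, 53, 2753)   # toy primes, far too small for real use
    cipher, length = encrypt(b"COMP3221", public)
    print(public, cipher, decrypt(cipher, length, private))
```

This is unpadded textbook RSA, which is what the slides describe; the message length is passed alongside the ciphertext only so the last block can be restored to its original size.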

– One number, say d, can be used for decryption while e is used for encryption
– Message m is divided into fixed-length blocks $m_i$ whose binary value is $0 \le m_i < n$
– Sender encrypts each block $m_i$ into $c_i = m_i^e \pmod{n}$ before sending it
– Receiver decrypts each block $m_i = c_i^d \pmod{n}$
– Only e and n are made public

RSA (con’t)

Public key system

RSA (con’t)

– Bob wants to keep the message he sends to Alice confidential
1. Bob divides the message into fixed-length blocks; each block $m_i$, interpreted as a binary number, should lie in $0 \le m_i < n$
2. He calculates for each block $m_i$, $c_i = m_i^e \pmod{n}$ and sends it to Alice
3. Alice computes $m_i = c_i^d \pmod{n}$ to decrypt the message blocks
– e and n are needed for encryption, whereas d and n are needed for decryption.
– RSA is computationally more complex than DES
  – Encrypting a message with RSA is much slower than with DES (slowdown factors of 100-1000 were noticed)
  – It is thus used essentially to exchange encrypted keys in a secure way
  – Less for encrypting “normal” data

[Figure: m → $m_1, m_2, \dots$; encrypted with (e, n) into $c_1, c_2, \dots$; decrypted with (d, n) into $m_1, m_2, \dots$ → m]

Public key system

RSA (numerical example from Wikipedia: https://simple.wikipedia.org/wiki/RSA_algorithm)

Authentication

Security

What is authentication ?

– Definition by Menezes et al.
  – Authentication is the process whereby one party is assured (through acquisition of corroborative evidence) of the identity of a second party involved in a protocol, and that the second has actually participated.
– Note the elements needed to ascertain the identity:
  – Corroborative evidence
  – Process between (at least) two parties
  – Involvement and participation of the second party

Authentication

A simpler strategy would be:
1. Alice sends a challenge along with her identity
2. Bob encrypts the challenge with $K_{A,B}$ and sends it with a new challenge
3. Alice encrypts the challenge and sends the result to Bob

Does it work?
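
Running the simpler strategy against a responder that accepts more than one session answers the question. This is an added example, not code from the slides: HMAC-SHA256 stands in for encryption with the shared key, all class and function names are assumptions, and the second responder mode is the ordering the following slides give as the solution, where the initiator must answer a challenge first.

```python
import hashlib
import hmac
import secrets

KEY = bytes(range(32))  # constructed demo value standing in for the shared key K_AB

def seal(key, challenge):
    """Stand-in for 'encrypt the challenge with K_AB' (assumption: HMAC-SHA256)."""
    return hmac.new(key, challenge, hashlib.sha256).digest()

class Responder:
    """Bob. initiator_first=False is the simpler 3-message strategy;
    initiator_first=True seals nothing until the initiator has answered R_B."""

    def __init__(self, key, initiator_first):
        self.key, self.initiator_first, self.pending = key, initiator_first, {}

    def hello(self, sid, r_a):
        r_b = secrets.token_bytes(16)
        self.pending[sid] = r_b
        if self.initiator_first:
            return None, r_b                  # challenge only
        return seal(self.key, r_a), r_b       # K_AB(R_A) and R_B in one message

    def finish(self, sid, response, r_a=None):
        r_b = self.pending.pop(sid)
        ok = hmac.compare_digest(response, seal(self.key, r_b))
        proof = seal(self.key, r_a) if ok and r_a is not None else None
        return ok, proof

def honest_login(bob, key):
    """Alice holds the key: she answers R_B and checks Bob's answer to R_A."""
    r_a = secrets.token_bytes(16)
    sealed, r_b = bob.hello("alice-1", r_a)
    ok, proof = bob.finish("alice-1", seal(key, r_b), r_a)
    bob_answer = sealed if sealed is not None else proof
    return ok and hmac.compare_digest(bob_answer, seal(key, r_a))

def reflected_login(bob):
    """Initiator with NO key: it hands R_B from session s1 back to Bob as the
    challenge of a second session s2 and replays whatever Bob seals."""
    _, r_b = bob.hello("s1", secrets.token_bytes(16))
    sealed, _ = bob.hello("s2", r_b)
    ok, _ = bob.finish("s1", sealed or b"")
    return ok

if __name__ == "__main__":
    for first in (False, True):
        bob = Responder(KEY, initiator_first=first)
        print(first, honest_login(bob, KEY), reflected_login(bob))
```

With `initiator_first=False` the keyless initiator is accepted; with `initiator_first=True` it is rejected while the honest login still succeeds.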
Secret key authentication

Authentication

– Reflection attack: Unfortunately, a malicious user can ask Bob to encode many challenges and exploit this encryption to pretend to be Bob

Secret key authentication

Authentication

– Solution: Alice sends a challenge to Bob that can only be solved if Bob knows the secret key $K_{A,B}$
1. Alice (A) sends her identity to Bob (B) to initiate the communication channel
2. Bob sends a challenge (i.e., a random number) to Alice
3. Alice encrypts the challenge with the secret key $K_{A,B}$
4. Alice sends a challenge to Bob
5. Bob encrypts the challenge with $K_{A,B}$ and sends the encrypted challenge
– This remedies the reflection attack: the initiator has to solve a challenge first
– Many keys would have to be used (n(n-1)/2 keys for communication among n nodes)

Secret key authentication (con’t)

Authentication

A centralized key distribution center (KDC)
1. Alice sends a request to communicate with Bob to the KDC
2. The KDC sends the key $K_{A,B}$ encrypted with the key $K_{A,KDC}$ to Alice and the key $K_{A,B}$ encrypted with key $K_{B,KDC}$ to Bob
– KDC reduces the number of keys to n for n nodes
– Alice may want to set up the channel before Bob has received the secret key

Key distribution center (KDC) authentication

Authentication

It is better to let Alice set up the connection
1. Alice sends a message to the KDC with a challenge
2. The KDC responds with a ticket $K_{A,KDC}(K_{A,B})$, $K_{B,KDC}(K_{A,B})$
3. Alice sends $K_{B,KDC}(K_{A,B})$ to Bob, who decrypts it
Alice uses the channel after Bob has received the secret key from her (cf. Needham-Schroeder authentication protocol for further details)

KDC authentication (con’t)

Authentication

Assumption: Alice knows Bob’s public key
1. Alice sends a challenge $R_A$ to Bob encrypted with Bob’s public key $K_B^+$
2. Bob decrypts the challenge and encrypts with key $K_A^+$ (i) the result $R_A$, (ii) his own challenge $R_B$, and (iii) a newly generated session key $K_{A,B}$ for further communication
3. Alice decrypts the message using her key $K_A^-$
4. Alice responds to Bob using the session key $K_{A,B}$ generated by Bob
Does not require a centralized KDC

Public key authentication

Authentication

Application: HTTPS (HTTP over TLS (Transport Layer Security))

Operation of HTTPS

– TCP handshake
  – Starts with a usual TCP handshake
– TLS handshake
  – Client sends its capabilities (TLS version / cipher suite / compression methods) and a random number (R1).
  – The server has a certificate containing a public key
  – Server replies with a selected TLS version, cipher suite, compression method and another random number (R2).
  – Server also sends the certificate to the client.
  – The client verifies the certificate.

Operation of HTTPS

– TLS handshake (contd.)
  – Client generates a pre-master key, encrypts it using the server’s public key and sends it to the server in a Client Key Exchange message.
  – Both server and client compute the master key, which is a combination of (i) the pre-master key, (ii) R1, and (iii) R2.
  – The client sends a Change Cipher Spec notification to the server indicating that all subsequent messages will be authenticated and encrypted using the master secret.
  – Finally, the server sends a Change Cipher Spec back to the client, completing the handshake.
After the TLS negotiation phase is over, the encrypted application data is transferred between the client and the server.

Validation of Certificates

– A certificate is a simple text file containing some information such as the company name, the domain name, and a public key.
– Anybody can create such a file and create a server pretending to be somebody else.
– The answer to this problem is Certificate Authorities.
– A certificate is a cryptographic binding between an identifier and a public key that is to be associated with that identifier.
– Example CAs are Comodo, Symantec, DigiCert, and Entrust.

Recall: What is authentication ?

– Definition by Menezes et al.
  – Authentication is the process whereby one party is assured (through acquisition of corroborative evidence) of the identity of a second party involved in a protocol, and that the second has actually participated.
– Note the elements needed to ascertain the identity:
  – Corroborative evidence
  – Process between (at least) two parties
  – Involvement and participation of the second party

Corroborative evidence

– We are looking for factors that are unique to an entity. Classic categorisation:
  – Possession: Something the entity/user has
    – Physical key, phone to send SMS messages to
  – Inherence: Something the user is
    – Biometrics: fingerprints, iris scan, face and voice recognition
  – Knowledge: Something the user knows
    – Passwords, security questions (mother’s maiden name, etc.)

Common problems with knowledge

– Humans are lazy !
  – Enough evidence out there to verify that “we” overly reuse passwords.
  – Simple predictable passwords.
  – Low entropy
  – Faster brute force attacks
– Attackers can observe typing passwords in many different ways
  – Keystroke dynamics, camera, acoustics, etc.
– Security questions are often very standard, with predictable answers and limited possibilities
  – Mother’s maiden name? – depending on culture, try Smith, Chang, Kim, Schmidt, ...
  – First car? – try Golf, Yaris, Corolla, ...
  – Social networks help collect additional information about a person

Common problems with possession

– Obvious problem: loss of the physical device/token
– Others are more subtle:
  – How is the phone identified? By phone number? SIM?
  – SMS messages sent to a number can be rerouted

Common problems with inherence

– Biometrics – if compromised, lost forever
  – Cannot be changed
– Most (if not all) biometric authentication falls back to PIN
  – No more secure than PIN

Integrity

Security

Message integrity

Alice sends a message m to Bob
1. Alice encrypts it with her private key $K_A^-$ and sends it off to Bob
2. She can use Bob’s public key $K_B^+$ to keep the message secret and sends $K_B^+(P, K_A^-(m))$, combining m and the version she signed
3. Bob decrypts the signed version of the message with Alice’s public key. If the message is the same as the non-signed one, then it has been sent by Alice.
Does this provide enough integrity?

Public key signature

Message integrity

Issues with public key signatures
– Alice’s signature is valid only as long as Alice’s private key remains a secret
– If Alice wants to bail out, Alice could claim that her private key was stolen
– Alice can change her private key
– Central authority may be required to keep track of keys

Hash functions

– Goal: integrity. We want to ascertain that a received message is the same as the one that was sent
– A hash function H is used to produce a hash h of fixed length given a message m: h = H(m)
  – One-way function: computationally infeasible to find an input m that corresponds to an output h, whereas computing h from m is easy
  – Weak collision resistant: given an input m and an output h, it is infeasible to find another different input m’ such that H(m) = H(m’) = h
– Idea: define a function to create a checksum (‘hash function’)
  – Sender applies hash function to message and obtains a checksum (‘hash value’ or just ‘hash’)
  – Sender encrypts message and sends it together with the hash value of the plaintext
  – Receiver decrypts message, applies hash function, and compares with the transmitted hash value
  – If the hash values match, the plaintext must be correct

Message integrity

Alice sends a message m to Bob
1. Alice computes a message digest H(m) and encrypts it with her private key $K_A^-$ (the message can be sent encrypted using Bob’s public key $K_B^+$)
2. Bob decrypts the message with Alice’s public key and computes the message digest. If the digest computed from the message received and the decrypted digest match, Bob knows the message has been signed by Alice
The digest is typically smaller than the encrypted message

Public key and hash function signature

Hash functions

– Examples:
  – CRC (CRC-16, CRC-32, ...)
  – MD5 (no longer used)
  – SHA1 (in phase-out)
  – SHA-2, SHA-3
  – RIPEMD160

What is Privacy ?

Security

What is Privacy ?

– “Personal Information”
  – Any information that identifies you or could reasonably be used to identify you
    • E.g. name, address, financial details, opinions, memberships, ethnic origin, health information, criminal record, etc.
  – Not just demographics
    • E.g. photos, IP address, device IDs, MAC address, contact list, call history, location, installed apps, etc.
– Carefully treat and protect personal information collection, use, storage and sharing through your service

Best Practices for Privacy Aware Solutions

– Do not ask for “personal information” if not necessary
– Privacy by Design
  – Building privacy and data protection up front, into the design specifications and architecture of information and communication systems and technologies, in order to facilitate compliance with privacy and data protection principles
– Make privacy your competitive advantage
– Failing to protect privacy could also result in a breach of the Privacy Act
  – https://www.oaic.gov.au/privacy-law/privacy-act/
– EU General Data Protection Regulation (GDPR)
  – https://www.eugdpr.org

Privacy check list for app developers

Checklist
– Your privacy responsibilities
– Be open and transparent about your privacy practices
– Obtain meaningful consent despite the small screen challenge
– Timing of user notice and consent is critical
– Only collect personal information that your app needs to function
– Secure what you collect

– Mobile Privacy – A better practice guide for mobile app developers
  – Developed in 2014
  – Old, but still provides useful guidelines
  – https://www.oaic.gov.au/resources/agencies-and-organisations/guides/guide-for-mobile-app-developers.pdf

USS is open now

– The Unit of Study Survey (USS) for COMP3221 is open here: https://student-surveys.sydney.edu.au/students/
– Please help complete the survey (just 5 min), for a chance of winning a range of Apple products including a 64GB Apple iPad Air, an Apple Watch and JB HiFi Gift Cards.
– The list of winners of the survey prize draw can be found here: https://student-surveys.sydney.edu.au/students/complete/prizes.cfm

What’s Next ?

– Security Tutorial on Wednesday
– Assignment 2 is due next week.
– See you all next week for Review lecture !