Security and Authentication
(continued)
CS-4513
D-Term 2007
(Slides include materials from Operating System Concepts, 7th ed., by Silbershatz, Galvin, & Gagne,
Modern Operating Systems, 2nd ed., by Tanenbaum, and Distributed Systems: Principles & Paradigms, 2nd
ed. By Tanenbaum and Van Steen)
CS-4513, D-Term 2007
Security and
Authentication
1
Review
• Authentication
• How to identify someone
• How to establish that they are who they say they are
• Fundamental to establishing authority in
Distributed Systems
• Everything else is based on trust that the person or
agent doing something has the authority to do it
• Threats
• Masquerading as someone else
• Intercepting / corrupting communications
CS-4513, D-Term 2007
Security and
Authentication
2
Review (continued)
• Passwords
• Easy to steal
• Easy to guess or “crack”
• Human frailties
• Errors
• Dilemmas (“social engineering”)
CS-4513, D-Term 2007
Security and
Authentication
3
Video
CS-4513, D-Term 2007
Security and
Authentication
4
Reading Assignments
• Allman, Eric, “E-mail Authentication: what?
Why? How?,” ACM Queue, November 2006,
pp 30-34. (.pdf)
• One of
– Tanenbaum, MOS, Chapter 9
– Silbershatz, OSP, Chapters 14-15
– Tanenbaum & van Steen, Chapter 9
CS-4513, D-Term 2007
Security and
Authentication
5
Fun with Cryptography
• What is cryptography about?
• General Principles of Cryptography
• Basic Protocols
– Single-key cryptography
– Public-key cryptography
• A short intro to key distribution
CS-4513, D-Term 2007
Security and
Authentication
6
Cryptography as a Security Tool
• Broadest security tool available
– Fundamental foundation for secure storage and
communication
– Basis for establishing trust
– Means to constrain potential senders (sources)
and / or receivers (destinations) of messages
– Means to detect/prevent intrusion or corruption
– (Cannot prevent denial of service attacks)
CS-4513, D-Term 2007
Security and
Authentication
7
Principles
• Cryptography is about the exchange of
messages
• The key to success is that all parties to an
exchange trust that the system will both
protect them from threats and accurately
convey their message
• TRUST is essential
CS-4513, D-Term 2007
Security and
Authentication
8
Note
• Data storage is just another means of
communication
• Writing data  Sending message
• Reading data  Receiving message
• Perhaps much, much later!
• Integrity of data  Integrity of message
CS-4513, D-Term 2007
Security and
Authentication
9
Basic Premise of Cryptography
• Algorithms are (usually) public
• Orders of magnitude easier to compute in forward
(normal) direction than in reverse (attack) direction
• Keys are always secret
• Enough bits to prevent trying all key values
• Key management is a very big deal
• Heart of all successful cryptographic systems
CS-4513, D-Term 2007
Security and
Authentication
10
Conventional Wisdom
• Algorithms must be public and verifiable
• We need to be able to estimate the risk of
compromise
• The solution must practical for its users, and
impractical for an attacker to break
CS-4513, D-Term 2007
Security and
Authentication
11
Public Policy Dilemma
• Algorithm intended to be a public standard
must be subject to scrutiny of its users
• I.e., banks, industry, commerce, etc.
• To establish trust that it is good enough!
• Any algorithm good enough to protect
billions of $$ of funds & commerce will be
too hard for governments to penetrate!
• Crime, terrorism, etc.
CS-4513, D-Term 2007
Security and
Authentication
12
Ergo …
• Governments tend to use secret encryption
methods and algorithms for the most secure
communications
• Sometimes, confidence in such algorithms
is misplaced!
CS-4513, D-Term 2007
Security and
Authentication
13
History
• Most secret algorithms have been broken
• Prior to computing age, at least
• Vulnerabilities
• Redundancy in human languages
• Repeatability or lack of randomness in algorithm
• Repeatability or lack of randomness in keys
CS-4513, D-Term 2007
Security and
Authentication
14
Guidelines
• Cryptography is always based on algorithms
which are orders of magnitude easier to
compute in the forward (normal) direction
than in the reverse (attack) direction.
• The attacker’s problem is never harder than
trying all possible keys
• The more material the attacker has the
easier his task
CS-4513, D-Term 2007
Security and
Authentication
15
Example
• What is
314159265358979  314159265358979?
vs.
• What are prime factors of
3912571506419387090594828508241?
CS-4513, D-Term 2007
Security and
Authentication
16
Caveat
• We cannot mathematically PROVE that the
inverse operations are really as hard as they
seem to be…It is all relative…
The Fundamental Tenet of Cryptography:
If lots of smart people have failed to solve a
problem, it won’t be solved (soon)
CS-4513, D-Term 2007
Security and
Authentication
17
Time marches on…
• We must assume that there will always be
improvements in computational power,
mathematics and algorithms.
– Messages which hang around get less secure
with time!
• Increases in computing power help the good
guys and hurt the bad guys for new and
short-lived messages
CS-4513, D-Term 2007
Security and
Authentication
18
Two fundamental approaches
• Symmetric
• Sender and receiver must share the key
• Asymmetric
• Keys are paired
• Sender uses one, receiver uses its mate
CS-4513, D-Term 2007
Security and
Authentication
19
Two fundamental approaches
• Symmetric
• Sender and receiver must share the key
•  there must be a secure way to get key from one to
the other
• Asymmetric
• Keys are paired
• Sender uses one, receiver uses its mate
•  there must be a secure way to get key from one to
the other
CS-4513, D-Term 2007
Security and
Authentication
20
Secret key cryptography
(Symmetric)
K
T
Cleartext
CS-4513, D-Term 2007
f (T,K)
K
C
Cyphertext
Security and
Authentication
g (C,K)
T
Cleartext
21
Secret Key Methods
• DES (56 bit key)
• IDEA (128 bit key)
• http://www.mediacrypt.com/community/index.asp
• Triple DES (three 56 bit keys)
• AES
– From NIST, 2000
– choice of key sizes up to 256 bits and more
– Commercial implementations available
CS-4513, D-Term 2007
Security and
Authentication
22
Reducing the Vulnerability
• Minimize the amount of information
encrypted with shared key K
• Use K to encrypt a random number to
obtain a session key
• I.e., used for one connection, conversation,
exchange, etc.
• Discarded when channel is ended.
CS-4513, D-Term 2007
Security and
Authentication
23
Diffie – Hellman
Alice
Agree on p,g
choose random A
Bob
choose random B
TA = gA mod p
TB = gB mod p
compute (TB)A
compute (TA)B
Shared secret key for this session is gAB mod p
CS-4513, D-Term 2007
Security and
Authentication
24
D–H Problems
• Not in itself an encryption method – we
must still do a secret key encryption
• The body of the message
• Still must distribute the shared key safely
• Subject to a “man in the middle” attack
• (Alice thinks she is talking to Bob, but actually
Trudy is intercepting all of the messages and
substituting her own)
CS-4513, D-Term 2007
Security and
Authentication
25
Questions about Secret Key Methods?
CS-4513, D-Term 2007
Security and
Authentication
26
RSA Public Key Cryptography
(Asymmetric Keys)
Key #1
T
Cleartext
f ()
Key #2
C
Cyphertext
f ()
T
Cleartext
Key #1 can be either a Public Key or a Private Key.
Key #2 is then the corresponding Private Key or Public Key.
CS-4513, D-Term 2007
Security and
Authentication
27
RSA Public Key Cryptography
• Rivest, Shamir and Adelman (1978)
• I can send messages that only you can read
• I can verify that you and only you could
have sent a message
• I can use a trusted authority to distribute my
public key
– The trusted authority is for your benefit!
CS-4513, D-Term 2007
Security and
Authentication
28
RSA Details
• Uses same operation to encrypt and decrypt
• To encrypt, we will use “e” as a key, to
decrypt we will use “d” as a key
• e and d are inverses with respect to the
chosen algorithm
CS-4513, D-Term 2007
Security and
Authentication
29
RSA Details (continued)
• Based on mathematical premise that finding
prime factors of large numbers is difficult
computationally
• No known solution despite 100’s of years of trying!
• Note: Finding primes is also hard
CS-4513, D-Term 2007
Security and
Authentication
30
RSA Details (continued)
• Let p and q be two large primes
• 500-700 bits in length
• Let n = p  q
Let z = (p – 1)  (q – 1)
• Choose d to be relatively prime to z
• Choose e such that d  e = 1 mod z
• Publish n and either d or e (but not both!)
CS-4513, D-Term 2007
Security and
Authentication
31
RSA Details (continued)
• Encryption: Cyphertext = (Cleartext)e mod n
• Decryption: Cleartext = (Cyphertext)d mod n
• Typical d will be on the order of 500 to 700 bits
• The cost of the algorithm is between 1 and 2 
the size of n,
– Each operation is a giant shift and add (multiply by a
power of 2)
CS-4513, D-Term 2007
Security and
Authentication
32
RSA Details (continued)
• References
– Tanenbaum & van Steen, §9.1.3
– Silbershatz, §15.4.1.2
CS-4513, D-Term 2007
Security and
Authentication
33
RSA Problems
• It is computationally much more costly than
typical secret-key methods
• Impractical to use for message encryption
• Use RSA to encrypt a random session key
• Encrypt the message with the session key and
append/prefix the RSA encrypted key
• Requires a “Public Key Infrastructure” for
effective key generation and distribution
• Chain of trust thing again!
CS-4513, D-Term 2007
Security and
Authentication
34
Questions about Public Key Encryption?
CS-4513, D-Term 2007
Security and
Authentication
35
Authentication using Secure Channels
CS-4513, D-Term 2007
Security and
Authentication
36
Authentication using Secure Channels
CS-4513, D-Term 2007
Security and
Authentication
37
Authentication using Secure Channels
CS-4513, D-Term 2007
Security and
Authentication
38
What is wrong with this “Optimization”?
CS-4513, D-Term 2007
Security and
Authentication
39
Subject to “Reflection Attack”
• Attacker cons Bob into encrypting RB for him
• “Reflection” attack
CS-4513, D-Term 2007
Security and
Authentication
40
Reflection Attack
CS-4513, D-Term 2007
Security and
Authentication
41
Key Distribution Server
• Alice requests secure channel to Bob
• KDC generates session key KA,B
• KDC sends secure messages to both Alice and
Bob containing KA,B
CS-4513, D-Term 2007
Security and
Authentication
42
Key Distribution Server (continued)
• Alice requests secure channel to Bob
• KDC generates session key KA,B and ticket to
speak with Bob
• Alice uses ticket to contact Bob
CS-4513, D-Term 2007
Security and
Authentication
43
Needham-Schroeder Protocol
• Nonce – a random number that is never re-used
• E.g., RA1, RA2, and RB
• Prevents intruder from replaying old tickets
CS-4513, D-Term 2007
Security and
Authentication
44
Kerberos
• Single sign-on system
• One login used to generate tickets for authenticating
shared services on distributed system
• No passwords maintained by any client
• Two parts
• AS – Authentication Service
• TGS – Ticket Granting Service
• Once authenticated, user may ask TGS for a
ticket for a session with any service.
CS-4513, D-Term 2007
Security and
Authentication
45
Kerberos (continued)
CS-4513, D-Term 2007
Security and
Authentication
46
Kerberos (continued)
• With ticket, Alice can communicate securely with
Bob.
• Alice knows it is Bob because only Bob could descript ticket
• Bob knows that it is Alice because TGS said it was
• Timestamp prevents replaying old sessions
CS-4513, D-Term 2007
Security and
Authentication
47
Key Distribution
• Many variations
– Secret (symmetric) keys
– Public (asymmetric) keys
• Always based on trust
• Central part of any distributed system that
requires authentication
CS-4513, D-Term 2007
Security and
Authentication
48
Questions?
CS-4513, D-Term 2007
Security and
Authentication
49
Descargar

Security and Authentication (continued)