Security Concepts in Distributed systems By Harish R. Kumar - PowerPoint PPT Presentation

Provided by: csI4
Learn more at: http://www.cs.iit.edu

Transcript and Presenter's Notes



1
Security Concepts in Distributed Systems
By Harish R. Kumar
2
What is Security?
  • Confidentiality
      - Protection from disclosure to unauthorized persons
  • Integrity
      - Maintaining data consistency
  • Authentication
      - Assurance of identity of person or originator of data
  • Authorization
      - Identity combined with an access policy grants the rights to perform some action

3
Security Levels
  • Authentication
      - Is someone who he or she says he or she is?
      - Is some object (such as a program) what it says it is?
      - Does a message come from where it says it comes from?
      - Can someone deny something he or she did (nonrepudiation)?
  • Authorization
      - What is a specific person or group of people allowed to do?
      - What is a specific program allowed to do?
  • Encryption
      - Who is allowed to see what information
  • Protection against system damage
  • Confidentiality
      - Includes virus protection
  • Firewalls and proxies
  • Protection against denial-of-service attacks
  • Steps taken to minimize accidental system failures

4
Distributed System Authentication
  • 1. Message Content Authentication
      - The ability to verify that the message received is exactly the message that was sent.
      - Message content authentication can be achieved by applying a cryptographic checksum called a message authentication code (MAC), or by applying a public-key digital signature.
  • 2. Message Origin Authentication
      - The ability to verify that the actual sender of a received message is in fact the sender claimed in the message.
      - Using a symmetric (secret-key) cryptosystem, the receiver of a message can be assured of the validity of the sender, since only the sender and receiver of the message possess the key used to encrypt the message.
  • 3. General Identity Authentication
      - The ability to verify that a principal's identity is who is claimed. The other two types of authentication are message content authentication and message origin authentication.

5
Security Building Blocks
  • Encryption provides
      - confidentiality, can provide authentication and integrity protection
  • Checksums/hash algorithms provide
      - integrity protection, can provide authentication
  • Digital signatures provide
      - authentication, integrity protection

6
Authentication methods
  • Password authentication
      - Consists of user name and password
      - Password should be encrypted rather than plain text
  • Address resolution
      - Relies on the address of the packet. A packet with an authorized address is routed to the correct destination
  • Trusted host authentication
      - If DES and public key are used
      - Relies on a trusted root that everyone (sender/receiver) believes to be trustworthy
  • Biometric authentication
      - Using personal physical features like fingerprints, the retina of the eye, etc.

7
Firewalls
  • A firewall is a separator, a restrictor and an analyzer that is used to protect an internal network from attacks
  • Services provided
      - To restrict people to entering at a carefully controlled point
      - To prevent intruders from getting close to your other defenses
      - To restrict people to leaving at a carefully controlled point
  • A firewall is a system, either software or hardware or both, that enforces access control policy between two networks
  • A firewall is composed of a set of hardware components such as a router or a computer, or some combination of routers, computers and networks with appropriate software installed
  • The specific firewall configuration for an internal network will depend a lot on the security policy, budget as well as the overall operations of a site

8
Keys
  • Symmetric keys
      - Both parties share the same secret key
      - Problem is securely distributing the key
      - DES (Data Encryption Standard): the most widely used commercial encryption algorithm
      - Developed by the US Government and IBM in the 1970s
      - Protects financial transactions and electronic communications worldwide
      - DES uses a 56-bit encryption key
  • Public/private keys
      - One key is the mathematical inverse of the other
      - Private keys are known only to the owner
      - Public keys are stored on public servers

9
Hash Algorithms
  • Hash: a hash is simply a "summary", or "tag", which is generated from a digital document using a mathematical rule or algorithm
  • Are a step ahead of CRC
  • Reduce variable-length input to fixed-length (128- or 160-bit) output
  • Requirements
      - Can't deduce input from output
      - Can't generate a given output
      - Can't find two inputs which produce the same output
  • Used to
      - Produce fixed-length fingerprint of arbitrary-length data
      - Produce data checksums to enable detection of modifications
      - Distill passwords down to fixed-length encryption keys
  • Hashes are used to check the integrity of files and documents, and are also often used in digital signature algorithms
  • Also called message digests or fingerprints

10
Message Authentication Code (MAC)
  • Hash algorithm + key, to make the hash value dependent on the key
  • Most common form is HMAC (hash MAC)
      - hash( key, hash( key, data ))
      - Key affects both start and end of hashing process
  • Naming: hash + key = HMAC-hash
      - MD5 → HMAC-MD5
      - SHA-1 → HMAC-SHA (recommended)

11
Digital Signatures
  • Combines a hash with a digital signature algorithm
  • To sign
      - hash the data
      - encrypt the hash with the sender's private key
      - send the data, the signer's name and the signature
  • To verify
      - hash the data
      - decrypt the signature with the sender's public key
      - the result of which should match the hash
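
The sign and verify steps above, as an added example that is not part of the original slides. It assumes textbook RSA without padding and a toy key built from two Mersenne primes, so it shows the data flow only; the signer name, key directory and messages are constructed for illustration, and real systems use a vetted library with a padded signature scheme.

```python
import hashlib

# Toy RSA key (assumption for this example): the primes are the Mersenne
# primes 2^127-1 and 2^89-1, so the key is far too small for real use.
P, Q = 2**127 - 1, 2**89 - 1
N = P * Q                                   # public modulus
E = 65537                                   # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))           # private exponent (Python 3.8+)

# Hypothetical directory mapping a signer's name to a public key (e, n).
PUBLIC_KEYS = {"alice": (E, N)}


def digest_int(data: bytes) -> int:
    """Hash the data; the 160-bit SHA-1 value is always smaller than N."""
    return int.from_bytes(hashlib.sha1(data).digest(), "big")


def sign_message(data: bytes, signer: str, d: int = D, n: int = N) -> dict:
    """To sign: hash the data, apply the private key, send data + name + signature."""
    return {"data": data, "signer": signer, "signature": pow(digest_int(data), d, n)}


def verify_message(msg: dict) -> bool:
    """To verify: apply the signer's public key and compare with a fresh hash."""
    key = PUBLIC_KEYS.get(msg["signer"])
    if key is None:
        return False                        # no public key known for that name
    e, n = key
    sig = msg["signature"]
    if not 0 <= sig < n:
        return False                        # out-of-range value is never valid
    return pow(sig, e, n) == digest_int(msg["data"])


def demo() -> dict:
    msg = sign_message(b"constructed sample: pay 100 to bob", "alice")
    tampered = dict(msg, data=b"constructed sample: pay 900 to bob")
    altered = dict(msg, signature=(msg["signature"] + 1) % N)
    unknown = dict(msg, signer="mallory")
    return {"original": verify_message(msg), "tampered": verify_message(tampered),
            "altered": verify_message(altered), "unknown": verify_message(unknown)}


if __name__ == "__main__":
    print(demo())
```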

12
SSL
  • SSL: Secure Socket Layer
      - A security protocol that provides communications privacy over the Internet.
      - The protocol allows client/server applications to communicate in a way that is designed to prevent eavesdropping, tampering, or message forgery.
  • Secure message passing protocol
  • Developed by Netscape.
  • Protocol for using one or two public/private keys
      - to authenticate a server to a client
      - and, by requiring a client key, to authenticate the client to the server
      - to establish a shared symmetric key (the session key)
      - uses the session key to encrypt all data over the secure channel
  • Gives you authentication, message integrity and confidentiality

13
SSL Handshake
  • Negotiate the cipher suite (cipher: any encryption algorithm)
      - Cipher suite: a cipher suite defines the cipher specifications supported in SSL
  • Establish a shared session key
  • Authenticate the server (optional)
  • Authenticate the client (optional)
  • Authenticate previously exchanged data

14
SSL Handshake - details
[Diagram: message flow between Client and Server]
  • Client: Generate challenge; define protocols
  • Client → Server: Challenge, encryption protocols
  • Server: Return server certificate; generate connection ID; confirm protocols
  • Server → Client: Server cert, connection ID, encryption protocols
  • Client: Verify server certificate; generate session key; generate client read/write key pairs; encrypt session key
  • Client → Server: (Session key) Server's public key
  • Server: Decrypt session key; generate server read/write key pairs; encrypt random challenge phrase
  • Server → Client: (Client's challenge) Server write key
  • Client: Decrypt and verify challenge phrase