Security

Part I
CS403/534
Distributed Systems
Erkay Savas
Sabanci University

1
 Overview
• Introduction
• Security Mechanisms
• Secure Channels
• Access Control
• Security Management (Key Distribution)
• Security Policy
• Example Systems

2
 Security: Dependability Revisited

• Dependability includes:
– Availability, Reliability, Safety, Maintainability
• And also Security:
– Confidentiality: No unauthorized disclosure of
information
– Integrity: Modifications to a system’s assets (e.g.
hardware, software, data) can be made only by
authorized parties. Unauthorized alterations should be
detectable and recoverable.
– Authenticity: The true identity of the users in the
system can be provable.

3
 Types of Threats (Falsifications)
We need to protect our systems against
1. Interception: Access to a service or data by
unauthorized parties
2. Interruption: A service or data becomes
unavailable (unusable, destroyed, etc.) to
authorized parties (e.g. denial of service
attacks)
3. Modification: Unauthorized alteration of data
or tampering with a service
4. Fabrication: Creating additional data or
activity that would normally not exist (e.g.
inserting messages, replaying recorded
interactions) 4
 Security Mechanisms
• To protect against security threats, we have a
number of security mechanisms (tools) at our
disposal:
1. Encryption: Confidentiality and integrity
2. Authentication:Verifying the claimed identity
of the subject (user, client, server, etc.)
3. Authorization: Determining if a subject is
allowed to access certain assets
4. Auditing: Tracing which clients accessed what,
and in which way. Useful for the analysis of a
security breach, and subsequently taking
measures against intruders 5
 Cryptography: Basic Setting
• Intruders and eavesdroppers in communication.
Passive intruder Active intruder Active intruder
only listens to C can alter messages can insert messages

Plaintext, P Decryption plaintext, P

Encryption Ciphertext
method C = EK(P) method

Encryption key, Decryption key,

K K’
sender receiver
6
 Cryptography: Terminology
• Symmetric cryptosystem (secret key systems)
– Encryption and decryption keys are identical.
– Sender and receiver must share a secret key
– Notation: KA,B.
• Asymmetric cryptosystem (Public key systems)
– Encryption and decryption keys are different, but
related.
– Public key for encryption; private key for decryption
• Hash Functions
– One-way functions
– Generates a fixed length output given an arbitrary
length message h = H(m)
7
 Cryptography: Notation
• Notation used in this chapter.

Notation Description

KA,B Secret key shared by A and B

K +A Public key of A

K −A Private key of A

• C = EKAB(P)
P = DKAB(C)

• C = EK+(P)
P = DK-(C)
8
 Hash Functions
• One-way functions
• h = H(m)
– Given m it is easy to compute h; difficult to do
otherwise
1. Weak collision resistance
– Given a message m and its hash value h, it is
computationally infeasible to find another, different
message m’ ≠ m, such that H(m’) = H(m)
2. Strong collision resistance
– It is computationally infeasible to find a message
pair, e.g. m and m’ and m ≠ m’, such that H(m) =
H(m’).
9
 Symmetric Cryptosystems: DES (1)
Plaintext (64-bit)

Initial Permutation

Modified text0 Li-1 8 bytes Ri-1

Generate 16 keys of 48 bits

Round 1

Modified text1
56-bit key

Li-1 ⊕ f(Ri-1, Ki)

Modified text15

Round 16
Li Ri
Modified text16

Final permutation

Ciphertext (64-bit)

Principle of DES Outline of one encryption round

10
 DES: Key Schedule
56-bit key

Initial Permutation

28-bit string 28-bit string

28-bit string 28-bit string

Used for
Rotate Left Rotate Right Next round

28-bit string 28-bit string

Extract 24 bits Extract 24 bits

48-bit round key

• Details of per-round key generation in DES. 11

 Public-Key Cryptosystems: RSA

• Generating the private and public key requires

the following steps:
1. Choose two very large prime numbers, p and q
2. Compute n = p × q and φ = (p – 1) × (q – 1)
3. Choose a number d that is relatively prime to φ
4. Compute the number e such that e × d ≡ 1 mod φ
5. Make (e, n) public
6. Keep (d, p, q, φ) private
• Encryption/Decryption
– Encryption: c ≡ me mod n
– Decryption: m ≡ cd mod n
12
 Hash Functions : MD5 (1)
• The structure of MD5
128-bit constant (p q r s) Padded message (multiple 512 bits)

Digest
(b0, b1, …, b15) ..................

(p q r s)

(b16, b17, …, b31)

Digest

512 bits
Digest

Message Digest

13
 Hash Functions : MD5 (2)
• The digest algorithm consists of four rounds of
computations, where each round uses one of the
following four functions
– First round:
F(x, y, z) = (x AND y) OR ((NOT x) AND z)
– Second round:
G(x, y, z) = (x AND z) OR (y AND (NOT z))
– Third round:
H(x, y, z) = x XOR y XOR z
– Fourth round:
I(x, y, z) = y XOR (x OR (NOT z))
• Each of these functions operates on 32-bit
variables.
14
 Hash Functions : MD5 (3)
• The 16 iterations during the first round in a
phase in MD5.
– b = b0 … b15 : the message (512-bit)
– p || q || r || s : 128-bit vector.
– Ci: predefined constants (32-bit)

15
 Secure Channels
• Issue: Secure communication between clients
and servers
• Authentication
• Message integrity and confidentiality
• Secure group communication
• Secure Channel concept
• Secure channel protects communicating parties
against
– Interception (through ensuring confidentiality)
– Modification (authentication & integrity)
– Fabrication (authentication & integrity)
– (not against Interruption) 16
 Authentication (1)
• Note:
– Authentication and data integrity rely on each other.
In the absence of one, the other is meaningless
• Authentication without integrity
– Bob is sure he is talking to Alice; but he is not sure
whether the message is not modified by a third person,
say Chuck.
• Integrity without authentication
– Bob is sure the message he gets is not tampered with;
but he is not sure from whom this message is
originated. Integrity is meaningless.

17
Authentication with Shared Secret
• Authentication based on a shared secret key KA,B.

1
A

2
RB

3
Alice

Bob
KA,B(RB)

4
RA

5
KA,B(RA)

18
 Authentication: Optimized protocol
• Authentication based on a shared secret key, but
using three instead of five messages

1
A, RA

2
Alice

RB, KA,B(RA)

Bob
3
KA,B(RB)

19
 Is Optimized Protocol Secure?
• The reflection attack.
– Chuck claims to be Alice
– He maintains two sessions with Bob

1
A, RC
2
RB, KA,B(RC)

1’
Chuck

A, RB

Bob
2’
RB2, KA,B(RB)

3
KA,B(RB)

20
 Authentication Using a Key Distribution Center (1)
• Authentication with shared secret key requires that many
keys be maintained in the system
• The principle of using a KDC (which shares a secret key
with each user, N keys in total in the system).
1
A, B
Alice

KDC

Bob
2 2
KA,KDC(KA,B) KB,KDC(KA,B)

21
Authentication Using a Key Distribution Center (2)

• Using a ticket and letting Alice set up a

connection to Bob.

1
A, B

KDC
Alice

Bob
KA,KDC(KA,B), KB,KDC(KA,B)

3
A, KB,KDC(KA,B)

Ticket 22
Needham-Schroeder Authentication Protocol

1
RA1, A, B

KDC
2
KA,KDC(RA1, B, KA,B, KB,KDC(A, KA,B))

3
Alice

Bob
KA,B(RA2), KB,KDC(A, KA,B)

4
KA,B(RA2-1, RB)

5
KA,B(RB-1)

23
 Subtleties in NS Protocol
• Why use a nonce in Message 1 and Message 2?
– To avoid replay attacks. Consider the case that Chuck has stolen
one of Bob’s old keys, say K Bold, KDC and also intercepted and old
response K A, KDC ( B, K A, B , K Bold, KDC ( A, K A, B ))
– Then Chuck makes Alice believe that she is talking to Bob

• Why Message 2 also contains B, identity of Bob?

– Chuck can replace B in Message 1 by his own identity C. KDC would
think that Alice wants to communicate with Chuck.

• What happens if Chuck got a hold of an old key KA,B?

– He could replay message 3.
– Bob sets up a channel with Chuck; but he thinks that he is talking
to Alice.
24
 Needham-Schroeder Protocol
• Protection against malicious reuse of a previously
generated session key.
1
A

2
KB,KDC(RB1)

3
RA1, A, B, KB,KDC(RB1)

KDC
Alice

Bob
4
KA,KDC(RA1, B, KA,B, KB,KDC(A, KA,B, RB1))

5
KA,B(RA2), KB,KDC(A, KA,B, RB1)

6
KA,B(RA2-1, RB2)

7
KA,B(RB2-1)
25
 Authentication Using PKC
• Mutual authentication in a public-key
cryptosystem.

1
+ (A, R )
KB A
Alice

K +A (R A , R B , K A, B )
2

Bob
3
K A, B (R B )

26
 Message Integrity: Digital Signatures (1)

Digitally signing a message using public-key cryptography

Alice’s computer Bob’s computer

m m
Alice’s private Alice’s public
key key m
K −A K +A

K −A (m)

27
 Integrity + Confidentiality
Alice’s computer

Alice’s private Bob’s public

m key key
+ + (m, K − (m))
K −A KB KB A

K −A (m)

Bob’s computer
m
Alice’s public Bob’s private
m key key
K +A −
KB

m, K −A (m), 28
 Digital Signatures + Hash Functions
• Digitally signing a message using a message digest.
Alice’s computer
m
Alice’s private
Hash Function
key
K −A (H(m))
H H(m) K −A

H(m) Hash Function

Compare H
OK

Alice’s public
H(m)
key
K +A
Bob’s computer
29
 Digital Signatures
• Digital Signatures provide
– Integrity
– Authentication
– Non-repudiation

30
 Session Keys
• Using the same key for a long time is not a good
idea:
1. Keys wear and tear:
– Attacker can accumulate more data that is encrypted
with the same key
2. Protection against replay attacks
– Using the same key for different communication
sessions permits an attacker to insert messages from
old sessions into the current session
• Generate new keys for each session
• Do not use long-lasting keys when communicating
with parties that you don’t trust

31
 Secure Group Communication
• N servers can follow the following strategies:
1. They use the same shared secret key. The shared key
is more vulnerable to attacks from inside and outside.
2. They use different keys for communication between
any two members of the group. Too many keys
(N(N-1)/2 keys in total)
3. Use PKC. N pairs of key.

32
 Secure Replicated Servers
• There are t replicas for a service, of which k-1
replicas cannot be trusted.
– They are actively replicated; i.e. a request is sent to all
servers simultaneously.
– Each server handles the request and returns a
response, say ri, to the client
– Each server has to sign its response
– We do not trust a single server and its signature
– A signature by a replica is called a partial signature, si.
– Therefore, we only accept a signature generated
jointly by multiple servers
• We must prevent k-1 corrupted replicas from
getting together to produce a valid signature.
33
Secret Sharing: Threshold Cryptography
• Shamir’s (t, k) – threshold scheme:
– There is a secret, say x.
– t users that possess partial information on the secret
x, (t > k)
– Any k users can come together and compute the secret
– For any k-1 users, it is computationally infeasible to
compute x.
• In our case,
– Each replica computes a partial signature si for its
response ri.
– In order to produce a valid signature, we need partial
signatures of at least k honest replicas.
– It is computationally infeasible for k-1 corrupted
replicas to generate a valid signature for their faulty
response. 34
Secure Replicated Services:Example (1)
• Let us assume, we have 5 replicas, of which 2 are corrupt
– A honest replica will collect responses from other four replicas
along with associated signatures

User
Request

S1 {r1, s1} { r3 , s 3 } S3

S2
{r4, s4} {r5, s5 }
{r2, s2 }
S4 S5

35
Secure Replicated Services:Example(2)
• It compares all the responses
– And finds out r2, r4, and r5 are identical.
– Then it combines corresponding partial signatures to
compute the valid signature for the response
• A corrupted replica cannot compute a valid
signature for its incorrect response even if it
collaborates with the other corrupted replica

r = r2
S2 User
s = Combine (s2, s4, s5)

r2 = r4 = r5
r2 ≠ r1 ≠ r3

36