CS162 Operating Systems and Systems Programming
Lecture 26
Protection and Security in Distributed Systems II
December 5, 2007
Prof. John Kubiatowicz
http://inst.eecs.berkeley.edu/~cs162

Review: Authentication: Identifying Users

- How to identify users to the system?
  - Passwords
    - Shared secret between two parties
    - Since only user knows password, someone types correct password => must be user typing it
    - Very common technique
  - Smart Cards
    - Electronics embedded in card capable of providing long passwords or satisfying challenge -> response queries
    - May have display to allow reading of password
    - Or can be plugged in directly; several credit cards now in this category
  - Biometrics
    - Use of one or more intrinsic physical or behavioral traits to identify someone
    - Examples: fingerprint reader, palm reader, retinal scan
    - Becoming quite a bit more common

12/05/07 Kubiatowicz CS162 UCB Fall 2007 Lec 26.2

Review: Private Key Cryptography

- Private Key (Symmetric) Encryption:
  - Single key used for both encryption and decryption
- Plaintext: Unencrypted version of message
- Ciphertext: Encrypted version of message

[Figure: Plaintext -> Encrypt (Key) -> ciphertext over insecure transmission -> Decrypt (Key) -> Plaintext; labels SPY and CIA]

- Important properties
  - Can't derive plain text from ciphertext (decode) without access to key
  - Can't derive key from plain text and ciphertext
  - As long as password stays secret, get both secrecy and authentication
- Symmetric Key Algorithms: DES, Triple-DES, AES

Goals for Today

- Public Encryption
- Use of Cryptographic Mechanisms
- Authorization Mechanisms
- Worms and Viruses

Note: Some slides and/or pictures in the following are adapted from slides ©2005 Silberschatz, Galvin, and Gagne. Many slides generated from my lecture notes.

Public Key Encryption

- Can we perform key distribution without an authentication server?
  - Yes. Use a Public-Key Cryptosystem.
- Public Key Details
  - Don't have one key, have two: Kpublic, Kprivate
  - Two keys are mathematically related to one another
  - Really hard to derive Kpublic from Kprivate and vice versa
  - Forward encryption:
    - Encrypt: (cleartext)^Kpublic = ciphertext1
    - Decrypt: (ciphertext1)^Kprivate = cleartext
  - Reverse encryption:
    - Encrypt: (cleartext)^Kprivate = ciphertext2
    - Decrypt: (ciphertext2)^Kpublic = cleartext
  - Note that ciphertext1 ≠ ciphertext2
    - Can't derive one from the other!
- Public Key Examples:
  - RSA: Rivest, Shamir, and Adleman
    - Kpublic of form (kpublic, N), Kprivate of form (kprivate, N)
    - N = pq. Can break code if know p and q
  - ECC: Elliptic Curve Cryptography

Public Key Encryption Details

- Idea: Kpublic can be made public, keep Kprivate private

[Figure: Alice and Bob connected by insecure channels; key labels Bpublic, Aprivate, Bprivate, Apublic]

- Gives message privacy (restricted receiver):
  - Public keys (secure destination points) can be acquired by anyone/used by anyone
  - Only person with private key can decrypt message
- What about authentication?
  - Use combination of private and public key
  - Alice -> Bob: [(I'm Alice)^Aprivate Rest of message]^Bpublic
  - Provides restricted sender and receiver
- But: how does Alice know that it was Bob who sent her Bpublic? And vice versa...

Secure Hash Function

[Figure: "Fox" -> Hash Function -> DFCD3454BBEA788A 751A696C24D97009 CA992D17; "The red fox runs across the ice" -> Hash Function -> 52ED879E70F71D92 6EB6957008E03CE4 CA6945D3]

- Hash Function: Short summary of data (message)
  - For instance, h1 = H(M1) is the hash of message M1
    - h1 fixed length, despite size of message M1
    - Often, h1 is called the "digest" of M1
- Hash function H is considered secure if
  - It is infeasible to find M2 with h1 = H(M2); i.e. can't easily find other message with same digest as given message
  - It is infeasible to locate two messages, m1 and m2, which "collide", i.e. for which H(m1) = H(m2)
  - A small change in a message changes many bits of digest/can't tell anything about message given its hash
- Hash function Examples: MD5, SHA-1, SHA-256

Signatures/Certificate Authorities

- Can use Xpublic for person X to define their identity
  - Presumably they are the only ones who know Xprivate
  - Often, we think of Xpublic as a "principal" (user)
- Suppose we want X to sign message M?
  - Use private key to encrypt the digest, i.e. H(M)^Xprivate
  - Send both M and its signature:
    - Signed message = [M, H(M)^Xprivate]
  - Now, anyone can verify that M was signed by X
    - Simply decrypt the digest with Xpublic
    - Verify that result matches H(M)
- Now: How do we know that the version of Xpublic that we have is really from X?
  - Answer: Certificate Authority
    - Examples: Verisign, Entrust, etc.
  - X goes to organization, presents identifying papers
    - Organization signs X's key: [Xpublic, H(Xpublic)^CAprivate]
    - Called a "Certificate"
  - Before we use Xpublic, ask X for certificate verifying key
    - Check that signature over Xpublic produced by trusted authority
- How do we get keys of certificate authority?
  - Compiled into your browser, for instance!

Security through SSL

- SSL Web Protocol
  - Port 443: secure http
  - Use public-key encryption for key-distribution

[Figure: client/server message exchange; labels nc, ns, certs, pms, Ks]

- Server has a certificate signed by certificate authority
  - Contains server info (organization, IP address, etc.)
  - Also contains server's public key and expiration date
- Establishment of Shared, 48-byte "master secret"
  - Client sends 28-byte random value nc to server
  - Server returns its own 28-byte random value ns, plus its certificate certs
  - Client verifies certificate by checking with public key of certificate authority compiled into browser
    - Also check expiration date
  - Client picks 46-byte "premaster" secret (pms), encrypts it with public key of server, and sends to server
  - Now, both server and client have nc, ns, and pms
    - Each can compute 48-byte master secret using one-way and collision-resistant function on three values
    - Random "nonces" nc and ns make sure master secret fresh

SSL Pitfalls

- Netscape claimed to provide secure comm. (SSL)
  - So you could send a credit card over the Internet
- Three problems (reported in NYT):
  - Algorithm for picking session keys was predictable (used time of day); brute force key in a few hours
  - Made new version of Netscape to fix #1, available to users over Internet (unencrypted!)
    - Four byte patch to Netscape executable makes it always use a specific session key
    - Could insert backdoor by mangling packets containing executable as they fly by on the Internet
    - Many mirror sites (including Berkeley) to redistribute new version; anyone with root access to any machine on LAN at mirror site could insert the
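
The signing and certificate check from the Signatures/Certificate Authorities slide, written out as an added example that is not part of the lecture. It uses textbook RSA with no padding over small constructed keys, so the helper names (`make_key`, `issue_cert`, `verify_signed_message`), the key serialization and every key value are assumptions for illustration, not a usable signature scheme.

```python
import hashlib

E = 65537  # public exponent used for both constructed keys

def make_key(p, q):
    """Return (Kpublic, Kprivate) in the slide's (k, N) form, with N = pq."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (E, n), (pow(E, -1, phi), n)

def digest(data, n):
    """H(M) as an integer, reduced mod N so it fits under the toy modulus."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(data, private):
    """H(M)^Kprivate: 'encrypt' the digest with the private key."""
    d, n = private
    return pow(digest(data, n), d, n)

def verify(data, signature, public):
    """Decrypt the signature with Kpublic and compare against H(M)."""
    e, n = public
    return pow(signature, e, n) == digest(data, n)

def key_bytes(public):
    """Serialize a public key so the CA can sign it (format is an assumption)."""
    return f"{public[0]}:{public[1]}".encode()

def issue_cert(subject_public, ca_private):
    """Certificate = [Xpublic, H(Xpublic)^CAprivate]."""
    return subject_public, sign(key_bytes(subject_public), ca_private)

def verify_signed_message(msg, sig, cert, ca_public):
    """Trust Xpublic only if the CA vouches for it, then check X's signature."""
    subject_public, ca_sig = cert
    if not verify(key_bytes(subject_public), ca_sig, ca_public):
        return False  # key was not signed by the trusted authority
    return verify(msg, sig, subject_public)

# Constructed toy keys built from Mersenne primes; far too structured for real use.
CA_PUB, CA_PRIV = make_key(2**107 - 1, 2**61 - 1)
X_PUB, X_PRIV = make_key(2**127 - 1, 2**89 - 1)

if __name__ == "__main__":
    cert = issue_cert(X_PUB, CA_PRIV)
    sig = sign(b"M: meet at noon", X_PRIV)
    print(verify_signed_message(b"M: meet at noon", sig, cert, CA_PUB))
    print(verify_signed_message(b"M: meet at dusk", sig, cert, CA_PUB))
```

A signature made with an uncertified key still verifies against that key on its own; it is the CA check in `verify_signed_message` that rejects it, which is the question the slide raises about whose Xpublic you are holding.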
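
The master-secret step from the Security through SSL slide, as an added example that is not part of the lecture. The slide does not name the one-way function; this block assumes the SSL 3.0 derivation from RFC 6101 (section 6.1), uses the slide's 28-byte and 46-byte sizes for constructed values (the wire format prepends a 4-byte timestamp to each nonce and a 2-byte version to pms), and `server_session` is a hypothetical helper.

```python
import hashlib
import os

def ssl3_master_secret(pms, nc, ns):
    """48-byte master secret from pms and both nonces (SSL 3.0 construction)."""
    out = b""
    for label in (b"A", b"BB", b"CCC"):
        inner = hashlib.sha1(label + pms + nc + ns).digest()
        out += hashlib.md5(pms + inner).digest()  # 16 bytes per round, 3 rounds
    return out

def server_session(pms, nc, ns=None):
    """Server side of one handshake: pick a fresh ns unless one is supplied."""
    ns = os.urandom(28) if ns is None else ns
    return ns, ssl3_master_secret(pms, nc, ns)

if __name__ == "__main__":
    # Constructed values standing in for one recorded client flight.
    nc = os.urandom(28)
    pms = os.urandom(46)

    # Original session: client and server hold the same three values.
    ns1, server_key1 = server_session(pms, nc)
    client_key1 = ssl3_master_secret(pms, nc, ns1)
    print("both sides agree:", client_key1 == server_key1)

    # The same nc and pms presented again: the server's new nonce ns2
    # yields a different master secret, so old session keys are not reused.
    ns2, server_key2 = server_session(pms, nc)
    print("replayed flight gets old key:", server_key2 == server_key1)
```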