0x1A Great Papers in Computer Security

Slide titles: 0x1A Great Papers in Computer Security; B. Lampson, M. Abadi, M. Burrows, E. Wobber, Authentication in Distributed Systems: Theory and Practice (ACM Trans. Computer Systems 1992); Confidentiality (Secrecy); Symmetric Encryption; Public-Key Encryption; Authentication; Integrity; MAC: Message Authentication Code; Digital Signature; Distribution of Public Keys; Hierarchical Approach; Trusted Certificate Authorities; The Access Control Model; Access Control in OS; Distributed Systems Are Harder; Trusted Computing Base (TCB); Authentication and Authorization; Principals and Subjects; Principal = Abstraction of “Who”; Principals and Channels; Implementing Secure Channels; Delegation; Authorization with ACLs; Names and Name Spaces; Secure Channels; Authenticating a Channel; Checking Access; Groups and Group Credentials; Auditing; Reasoning About Certificates; Strawman Authentication Model; Drawbacks of Strawman Model; Authentication in TAOS; Authorizing Second Machine; Certificates; Delegation of Authority; Scenario; State Before Bob Logs In; Workstation Boot: Generating Kws; State after Boot-up; Logging In; State After Bob’s Login; Channels; Channel Certificates (1); Channel Certificates (2); All Certificates Together; Delegation Axiom; Proving Authenticity

Slide 1. 0x1A Great Papers in Computer Security
Vitaly Shmatikov
CS 380S
http://www.cs.utexas.edu/~shmat/courses/cs380s/

Slide 2.
B. Lampson, M. Abadi, M. Burrows, E. Wobber
Authentication in Distributed Systems: Theory and Practice
(ACM Trans. Computer Systems 1992)

Slide 3. Confidentiality (Secrecy)
Confidentiality is concealment of information
• Eavesdropping, packet sniffing, illegal copying
Q: Who is the receiver of the message? (who might be able to read it)
[Diagram label: network]

Slide 4. Symmetric Encryption
Given: both parties already know the same secret
• How is this achieved in practice?
Goal: send a message confidentially

Slide 5. Public-Key Encryption
Given: Everybody knows Bob’s public key
Only Bob knows the corresponding private key
Goal: Send a message to Bob confidentially
• How is this achieved in practice?
[Diagram labels: Alice, Bob, public key, private key]

Slide 6. Authentication
Authentication is identification and assurance of origin of information
• Unauthorized assumption of another’s identity
Q: Who is the sender of the message? (who might have been able to create it)
[Diagram label: network]

Slide 7. Integrity
Integrity is prevention of unauthorized changes
• Intercept messages, tamper, release again
Q: Who is the sender of the message? (who might have been able to modify it)
[Diagram label: network]

Slide 8. MAC: Message Authentication Code
Integrity and authentication: only someone who knows KEY can compute MAC for a given message
• MAC (usually based on a cryptographic hash, aka “digest”)
• Recomputes MAC and verifies whether it is equal to the MAC attached to the message
[Diagram labels: Alice, Bob, KEY, KEY, message, MAC, “message, MAC(KEY,message)”, “=?”]

Slide 9. Digital Signature
Given: Everybody knows Bob’s public key
Only Bob knows the corresponding private key
Goal: Bob sends a “digitally signed” message
• To create a valid signature, must know the private key
• To verify a signature, enough to know the public key
[Diagram labels: Alice, Bob, public key, private key]

Slide 10. Distribution of Public Keys
Public announcement or public directory
• Risks: forgery, tampering
Public-key certificate
• Signed statement binding a public key to an identity
– sig_Alice(“Bob”, PK_B)
Common approach: certificate authority (CA)
• An agency responsible for certifying public keys
• Browsers are pre-configured with 100s of trusted CAs
– 135 trusted CA certificates in Firefox 3
– A public key for any website in the world will be accepted by the browser if certified by one of these CAs

Slide 11. Hierarchical Approach
Single CA certifying every public key is impractical
Instead, use trusted root authorities
• Everybody has root CAs’ public keys
A root authority signs certificates for lower-level authorities, lower-level authorities sign certificates for individual networks, and so on
• Instead of a single certificate, use a certificate chain
– sig_VeriSign(“UT Austin”, PK_UT), sig_UT(“Vitaly S.”, PK_V)
• What happens if a root authority is ever compromised?

Slide 12. Trusted Certificate Authorities

Slide 13. The Access Control Model
Guards control access to valued resources.
Goal: Decide whether to grant a request to access an object
[Diagram labels: Principal (Source), Do operation (Request), Reference monitor (Guard), Object (Resource)]

Slide 14. Access Control in OS
Assume secure channel from user
Authenticate user by local password
Map user to her user ID + group IDs
• Local database for group memberships
Access control by ACL on each resource
• OS kernel is usually the reference monitor
• Any RPC target can read IDs of its caller
ACLs are lists of IDs
• A program has IDs of its logged-in user

Slide 15. Distributed Systems Are Harder
Autonomy
• Path to a resource may involve untrusted machines
Size
Heterogeneity
• Different kinds of channels: encryption, physically secure wires, inter-process channels within OS
Fault tolerance
• Components may be broken or inaccessible

Slide 16. Trusted Computing Base (TCB)
Hardware and local operating system on each node
Channels based on encryption

Slide 17. Authentication and Authorization
Given a statement s, authentication answers the question “who said s?”
Given an object o, authorization answers the question “who is trusted to access o?”
“who” refers to a principal

Slide 18. Principals and Subjects
Principal and subject are both used to denote the active entity in an access operation
Many different and confusing meanings
• Principals are subjects in the TCSEC sense, but not all subjects are principals. [Gasser, 1989]
• Principals are public keys. [SDSI, 1996]
• The term principal represents a name associated with a subject. Since subjects may have multiple names, a subject essentially consists of a collection of principals. [Gong, 1999]

Slide 19. Principal = Abstraction of “Who”
Authentication: Who sent a message?
Authorization: Who is trusted?
Principal: abstraction of "who"
• People: Lampson, Gray
• Machines: SN12672948, Jumbo
• Services: microsoft.com, Exchange
• Groups: UTCS, MS-Employees

Slide 20. Principals and Channels
Principal says statements
• Lampson says “read /MSR/Lampson/foo”
• Microsoft-CA says “Lampson's key is #7438”
Secure channel says messages (RPCs)
• Has known possible receivers: Secrecy
• Has known possible senders: Integrity

Slide 21. Implementing Secure Channels
Within a node
• Responsibility of OS (pipes, interprocess sockets, etc.)
Between
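
The certificate chain from the “Hierarchical Approach” slide, sig_VeriSign(“UT Austin”, PK_UT), sig_UT(“Vitaly S.”, PK_V), checked link by link starting from one trusted root key. This is an added example, not code from the slides or the paper. It assumes textbook RSA over small constructed primes (not secure), and the names keygen, issue, verify_chain and ROGUE_PK are hypothetical.

```python
import hashlib
from dataclasses import dataclass

E = 65537  # public exponent shared by every toy key

def keygen(p, q):
    """Textbook RSA from two primes: returns (public modulus, private exponent)."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def digest(name, subject_pk, signer_pk):
    """Hash the statement (name, key) into the signer's modulus range."""
    h = hashlib.sha256(f"{name}|{subject_pk}".encode()).digest()
    return int.from_bytes(h, "big") % signer_pk

@dataclass(frozen=True)
class Cert:
    name: str        # identity being certified
    subject_pk: int  # public key bound to that identity
    sig: int         # issuer's signature over (name, subject_pk)

def issue(issuer_pk, issuer_d, name, subject_pk):
    """sig_issuer(name, PK): requires the issuer's private exponent."""
    return Cert(name, subject_pk,
                pow(digest(name, subject_pk, issuer_pk), issuer_d, issuer_pk))

def verify_chain(root_pk, chain, expected_name):
    """Return the key certified for expected_name, or None if any link fails."""
    signer_pk = root_pk  # the only key trusted in advance
    for cert in chain:
        if signer_pk < 2:
            return None  # malformed key in an earlier link
        want = digest(cert.name, cert.subject_pk, signer_pk)
        if pow(cert.sig, E, signer_pk) != want:
            return None  # not signed by the key certified one level up
        signer_pk = cert.subject_pk  # this key vouches for the next link
    if not chain or chain[-1].name != expected_name:
        return None  # signatures check out, but for a different identity
    return signer_pk

# Constructed toy keys built from Mersenne primes, no padding: NOT secure.
P = {k: 2**k - 1 for k in (31, 61, 89, 107, 127, 521, 607, 1279)}
VERISIGN_PK, VERISIGN_D = keygen(P[61], P[89])
UT_PK, UT_D = keygen(P[107], P[127])
ROGUE_PK, ROGUE_D = keygen(P[31], P[1279])  # a root the verifier does not trust
PK_V, _ = keygen(P[521], P[607])            # Vitaly's key; private half unused

CHAIN = [issue(VERISIGN_PK, VERISIGN_D, "UT Austin", UT_PK),
         issue(UT_PK, UT_D, "Vitaly S.", PK_V)]
```

A certificate issued with ROGUE_D is rejected when the verifier's root is VERISIGN_PK and accepted when its root is ROGUE_PK, so the verifier believes whatever its configured roots sign; that is the dependency behind the slide's question about a compromised root.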