UT CS 380S - 0x1A Great Papers in Computer Security

Outline: 0x1A Great Papers in Computer Security; B. Lampson, M. Abadi, M. Burrows, E. Wobber, Authentication in Distributed Systems: Theory and Practice (ACM Trans. Computer Systems 1992); Confidentiality (Secrecy); Symmetric Encryption; Public-Key Encryption; Authentication; Integrity; MAC: Message Authentication Code; Digital Signature; Distribution of Public Keys; Hierarchical Approach; Trusted Certificate Authorities; The Access Control Model; Access Control in OS; Distributed Systems Are Harder; Trusted Computing Base (TCB); Authentication and Authorization; Principals and Subjects; Principal = Abstraction of “Who”; Principals and Channels; Implementing Secure Channels; Delegation; Authorization with ACLs; Names and Name Spaces; Secure Channels; Authenticating a Channel; Checking Access; Groups and Group Credentials; Auditing; Reasoning About Certificates; Strawman Authentication Model; Drawbacks of Strawman Model; Authentication in TAOS; Authorizing Second Machine; Certificates; Delegation of Authority; Scenario; State Before Bob Logs In; Workstation Boot: Generating Kws; State after Boot-up; Logging In; State After Bob’s Login; Channels; Channel Certificates (1); Channel Certificates (2); All Certificates Together; Delegation Axiom; Proving Authenticity

Slide 1: 0x1A Great Papers in Computer Security
Vitaly Shmatikov, CS 380S
http://www.cs.utexas.edu/~shmat/courses/cs380s/

Slide 2: B. Lampson, M. Abadi, M. Burrows, E. Wobber, Authentication in Distributed Systems: Theory and Practice (ACM Trans. Computer Systems 1992)

Slide 3: Confidentiality (Secrecy)
Confidentiality is concealment of information.
[Figure: a message crossing the network; attacks: eavesdropping, packet sniffing, illegal copying]
Q: Who is the receiver of the message? (who might be able to read it)

Slide 4: Symmetric Encryption
Given: both parties already know the same secret. How is this achieved in practice?
Goal: send a message confidentially.
[Figure: two parties sharing one secret key]

Slide 5: Public-Key Encryption
Given: everybody knows Bob’s public key; only Bob knows the corresponding private key. How is this achieved in practice?
Goal: send a message to Bob confidentially.
[Figure: Alice and Bob; both hold Bob’s public key, only Bob holds the private key]

Slide 6: Authentication
Authentication is identification and assurance of origin of information.
[Figure: a message crossing the network; attack: unauthorized assumption of another’s identity]
Q: Who is the sender of the message? (who might have been able to create it)

Slide 7: Integrity
Integrity is prevention of unauthorized changes.
[Figure: a message crossing the network; attack: intercept messages, tamper, release again]
Q: Who is the sender of the message? (who might have been able to modify it)

Slide 8: MAC: Message Authentication Code
Integrity and authentication: only someone who knows KEY can compute the MAC for a given message.
(usually based on a cryptographic hash, aka “digest”)
[Figure: Alice and Bob share KEY; Alice sends message, MAC(KEY, message); Bob recomputes the MAC and verifies whether it is equal to the MAC attached to the message]

Slide 9: Digital Signature
Given: everybody knows Bob’s public key; only Bob knows the corresponding private key.
Goal: Bob sends a “digitally signed” message.
• To create a valid signature, must know the private key
• To verify a signature, enough to know the public key
[Figure: Alice and Bob; both hold Bob’s public key, only Bob holds the private key]

Slide 10: Distribution of Public Keys
Public announcement or public directory
• Risks: forgery, tampering
Public-key certificate
• Signed statement binding a public key to an identity
  – sig_Alice(“Bob”, PK_B)
Common approach: certificate authority (CA)
• An agency responsible for certifying public keys
• Browsers are pre-configured with 100s of trusted CAs
  – 135 trusted CA certificates in Firefox 3
  – A public key for any website in the world will be accepted by the browser if certified by one of these CAs

Slide 11: Hierarchical Approach
Single CA certifying every public key is impractical
Instead, use trusted root authorities
• Everybody has root CAs’ public keys
A root authority signs certificates for lower-level authorities, lower-level authorities sign certificates for individual networks, and so on
• Instead of a single certificate, use a certificate chain
  – sig_VeriSign(“UT Austin”, PK_UT), sig_UT(“Vitaly S.”, PK_V)
• What happens if a root authority is ever compromised?

Slide 12: Trusted Certificate Authorities
[Figure only; no text extracted]

Slide 13: The Access Control Model
Guards control access to valued resources.
[Figure: Principal (source) sends a request “Do operation” to the Guard (reference monitor), which controls access to the Object (resource)]
Goal: Decide whether to grant a request to access an object

Slide 14: Access Control in OS
Assume secure channel from user
Authenticate user by local password
Map user to her user ID + group IDs
• Local database for group memberships
Access control by ACL on each resource
• OS kernel is usually the reference monitor
• Any RPC target can read IDs of its caller
ACLs are lists of IDs
• A program has IDs of its logged-in user

Slide 15: Distributed Systems Are Harder
Autonomy
• Path to a resource may involve untrusted machines
Size
Heterogeneity
• Different kinds of channels: encryption, physically secure wires, inter-process channels within OS
Fault tolerance
• Components may be broken or inaccessible

Slide 16: Trusted Computing Base (TCB)
Hardware and local operating system on each node
Channels based on encryption

Slide 17: Authentication and Authorization
Given a statement s, authentication answers the question “who said s?”
Given an object o, authorization answers the question “who is trusted to access o?”
“who” refers to a principal

Slide 18: Principals and Subjects
Principal and subject are both used to denote the active entity in an access operation
Many different and confusing meanings
• Principals are subjects in the TCSEC sense, but not all subjects are principals. [Gasser, 1989]
• Principals are public keys. [SDSI, 1996]
• The term principal represents a name associated with a subject. Since subjects may have multiple names, a subject essentially consists of a collection of principals. [Gong, 1999]

Slide 19: Principal = Abstraction of “Who”
Authentication: Who sent a message?
Authorization: Who is trusted?
Principal: abstraction of “who”
• People: Lampson, Gray
• Machines: SN12672948, Jumbo
• Services: microsoft.com, Exchange
• Groups: UTCS, MS-Employees

Slide 20: Principals and Channels
Principal says statements
• Lampson says “read /MSR/Lampson/foo”
• Microsoft-CA says “Lampson's key is #7438”
Secure channel says messages (RPCs)
• Has known possible receivers (secrecy)
• Has known possible senders (integrity)

Slide 21: Implementing Secure Channels
Within a node
• Responsibility of OS (pipes, interprocess sockets, etc.)
Between
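Worked example for slides 8 and 9, added here and not taken from the slides or from the Lampson et al. paper: Alice computes MAC(KEY, message) with HMAC-SHA256, Bob recomputes it and compares, and both the tampering of slide 7 and the impersonation of slide 6 are rejected. The last case shows the limit that the digital signature of slide 9 removes: because Bob also knows KEY, a MAC cannot show a third party that Alice rather than Bob produced the message. The key value and the messages are constructed for the example.

```python
"""MAC compute/verify from slide 8, and why a MAC is not a signature (slide 9).

Added illustration; not code from the slides or from Lampson et al.
The key and messages below are constructed for the example.
"""
import hashlib
import hmac
import os
from typing import Dict, Tuple

# Constructed shared secret. Slide 4 asks how the two parties come to share
# it; the MAC itself assumes that problem is already solved.
KEY = bytes.fromhex("6a09e667f3bcc908bb67ae8584caa73b3c6ef372fe94f82ba54ff53a5f1d36f1")


def mac(key: bytes, message: bytes) -> bytes:
    """MAC(KEY, message) as HMAC-SHA256: a keyed digest of the message."""
    return hmac.new(key, message, hashlib.sha256).digest()


def alice_sends(key: bytes, message: bytes) -> Tuple[bytes, bytes]:
    """What goes on the wire: the message and its tag."""
    return message, mac(key, message)


def bob_receives(key: bytes, message: bytes, tag: bytes) -> bool:
    """Recompute the MAC over the received message and compare it with the
    attached tag. compare_digest runs in constant time, so an attacker cannot
    learn a valid tag byte by byte from the verifier's timing."""
    return hmac.compare_digest(mac(key, message), tag)


def tamper_in_transit(message: bytes, tag: bytes) -> Tuple[bytes, bytes]:
    """Slide 7's attack: intercept, modify, release again, keeping the old tag."""
    return message.replace(b"100", b"900"), tag


def forge_without_key(message: bytes) -> Tuple[bytes, bytes]:
    """Slide 6's attack without KEY: the best an outsider can do is guess a tag."""
    return message, os.urandom(32)


def demo() -> Dict[str, bool]:
    """Run the honest exchange, the two attacks, and Bob's own forgery."""
    wire = alice_sends(KEY, b"pay Carol 100")
    return {
        "honest message accepted": bob_receives(KEY, *wire),
        "tampered message accepted": bob_receives(KEY, *tamper_in_transit(*wire)),
        "forged tag accepted": bob_receives(KEY, *forge_without_key(b"pay Mallory 100")),
        # Bob knows KEY too, so he can produce tags that verify. A MAC therefore
        # cannot prove to a third party that Alice, not Bob, wrote the message;
        # that is what the private-key signature of slide 9 adds.
        "bob's own forgery accepted": bob_receives(KEY, *alice_sends(KEY, b"Alice owes Bob 1000")),
    }
```

Running demo() accepts the honest message, rejects the modified one and the guessed tag, and accepts the message Bob made up himself, which is exactly why the receiver of a MAC cannot use it as evidence against the sender.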
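Worked example for slides 10 and 11, added here and not from the slides or the paper: the chain sig_VeriSign(“UT Austin”, PK_UT), sig_UT(“Vitaly S.”, PK_V) is checked against a local store of root keys, followed by three things that go wrong, including the answer to slide 11’s closing question about a compromised root. The signature scheme is textbook RSA over a SHA-256 digest with fixed Mersenne primes so that the block runs with only the Python standard library; it is a stand-in and is insecure (no padding, no random primes). All names and keys are constructed.

```python
"""Certificate chain verification in the style of slides 10 and 11.

Added illustration, not code from the Lampson et al. paper or the slides.
To run with only the standard library it uses textbook RSA (no padding,
fixed Mersenne primes) as a stand-in for a real signature scheme; that part
is insecure and only supplies the sign/verify interface the chain logic
needs. Names and keys are constructed for the example.
"""
import hashlib
from typing import Dict, List, Tuple

PublicKey = Tuple[int, int]    # (n, e)
PrivateKey = Tuple[int, int]   # (n, d)
E = 65537


def toy_keypair(p: int, q: int) -> Tuple[PublicKey, PrivateKey]:
    """Textbook RSA key pair from two primes (toy; real keys use random primes)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))


def digest_int(data: bytes) -> int:
    """SHA-256 truncated to 128 bits so it is below every modulus used here."""
    return int.from_bytes(hashlib.sha256(data).digest()[:16], "big")


def sign(sk: PrivateKey, data: bytes) -> int:
    n, d = sk
    return pow(digest_int(data), d, n)


def verify(pk: PublicKey, data: bytes, sig: int) -> bool:
    n, e = pk
    return pow(sig, e, n) == digest_int(data)


def to_be_signed(subject: str, pk: PublicKey) -> bytes:
    """The statement a certificate signs: a binding of a name to a key."""
    return f"{subject}|{pk[0]}|{pk[1]}".encode()


def issue(issuer: str, issuer_sk: PrivateKey, subject: str, pk: PublicKey) -> dict:
    """sig_issuer(subject, PK_subject), plus the issuer's name so the verifier
    knows which key the signature must check under."""
    return {"subject": subject, "pk": pk, "issuer": issuer,
            "sig": sign(issuer_sk, to_be_signed(subject, pk))}


def verify_chain(chain: List[dict], roots: Dict[str, PublicKey]) -> bool:
    """chain[0] is the end-entity certificate and chain[i+1] certifies chain[i].
    The last certificate must be issued by a root whose key is already in the
    local trust store (slide 11: everybody has root CAs' public keys); the
    root key is never taken from the chain itself."""
    for i, cert in enumerate(chain):
        if i + 1 < len(chain):
            issuer_cert = chain[i + 1]
            if issuer_cert["subject"] != cert["issuer"]:
                return False          # names in the chain do not line up
            issuer_pk = issuer_cert["pk"]
        else:
            issuer_pk = roots.get(cert["issuer"])
            if issuer_pk is None:
                return False          # chain ends at an untrusted root
        if not verify(issuer_pk, to_be_signed(cert["subject"], cert["pk"]), cert["sig"]):
            return False
    return True


def demo() -> Dict[str, bool]:
    """Slide 11's chain, two failure cases, and the compromised-root case."""
    verisign_pk, verisign_sk = toy_keypair(2 ** 61 - 1, 2 ** 89 - 1)
    ut_pk, ut_sk = toy_keypair(2 ** 107 - 1, 2 ** 127 - 1)
    vitaly_pk, _ = toy_keypair(2 ** 31 - 1, 2 ** 521 - 1)
    evil_pk, evil_sk = toy_keypair(2 ** 607 - 1, 2 ** 1279 - 1)

    roots = {"VeriSign": verisign_pk}                  # local trust store
    cert_ut = issue("VeriSign", verisign_sk, "UT Austin", ut_pk)
    cert_v = issue("UT Austin", ut_sk, "Vitaly S.", vitaly_pk)

    # An attacker CA, trusted by nobody, issues a look-alike chain.
    cert_fake_ut = issue("EvilCA", evil_sk, "UT Austin", evil_pk)
    cert_fake_v = issue("UT Austin", evil_sk, "Vitaly S.", evil_pk)

    # If the root's private key leaks, the attacker can bind any key to any
    # name and every relying party that trusts that root will accept it.
    stolen = issue("VeriSign", verisign_sk, "Vitaly S.", evil_pk)

    return {
        "valid chain": verify_chain([cert_v, cert_ut], roots),
        "intermediate key swapped": verify_chain([cert_v, cert_fake_ut], roots),
        "untrusted root": verify_chain([cert_fake_v, cert_fake_ut], roots),
        "root key compromised": verify_chain([stolen], roots),
    }
```

The last entry is the point of slide 11’s question: nothing in the chain logic can distinguish a certificate signed by the legitimate root from one signed by whoever holds the root’s private key, so root compromise defeats every relying party at once.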
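Worked example for slides 13 and 14, added here and not from the slides or the paper: the guard of slide 13 implemented as a single-OS reference monitor following slide 14’s steps, with a local password database, a group-membership database and per-resource ACLs that are lists of user and group IDs. Users, passwords, groups and objects are constructed; the object name reuses slide 20’s “read /MSR/Lampson/foo” request.

```python
"""The guard / reference monitor of slide 13 as a single-OS check (slide 14).

Added illustration, not code from the slides or from Lampson et al. The user
database, group memberships, ACLs and object names are constructed for the
example; the object name reuses slide 20's "/MSR/Lampson/foo".
"""
import hashlib
import hmac
from typing import Dict, FrozenSet, Optional, Set, Tuple, Union

Id = Union[int, str]       # a user ID (int) or a group ID (str)
ITERATIONS = 50_000        # PBKDF2 work factor; kept low so the example runs fast


def password_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Local password database (constructed): user name -> (uid, salt, hash).
_SALT_BOB = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
_SALT_ALICE = bytes.fromhex("ffeeddccbbaa99887766554433221100")
USERS: Dict[str, Tuple[int, bytes, bytes]] = {
    "bob": (1001, _SALT_BOB, password_hash("correct horse", _SALT_BOB)),
    "alice": (1002, _SALT_ALICE, password_hash("battery staple", _SALT_ALICE)),
}
# Dummy record so an unknown user name costs the same time as a wrong password.
_DUMMY = (0, b"\x00" * 16, password_hash("", b"\x00" * 16))

# Local database for group memberships: group ID -> set of user IDs.
GROUPS: Dict[str, Set[int]] = {"utcs": {1001, 1002}, "faculty": {1002}}

# ACL on each resource: for each operation, the IDs allowed to perform it.
ACLS: Dict[str, Dict[str, Set[Id]]] = {
    "/MSR/Lampson/foo": {"read": {"utcs"}, "write": {1001}},
    "/etc/grades": {"read": {"faculty"}, "write": {"faculty"}},
}


class Process:
    """A subject: a program running with the IDs of its logged-in user.
    The kernel, or any RPC target, can read these IDs off the caller."""

    def __init__(self, ids: FrozenSet[Id]):
        self.ids = ids


def ids_for(uid: int) -> FrozenSet[Id]:
    """Map a user ID to the full set of IDs an ACL may mention for her."""
    return frozenset({uid} | {g for g, members in GROUPS.items() if uid in members})


def login(user: str, password: str) -> Optional[Process]:
    """Authenticate by local password and start a process carrying the user's
    IDs. Returns None on failure. The channel from the user to this code is
    assumed secure, as slide 14 assumes."""
    uid, salt, stored = USERS.get(user, _DUMMY)
    ok = hmac.compare_digest(password_hash(password, salt), stored)
    if user not in USERS or not ok:
        return None
    return Process(ids_for(uid))


def check_access(caller: Process, operation: str, obj: str) -> bool:
    """The guard: grant iff some ID of the caller is on the object's ACL for
    this operation. Unknown objects and operations are denied by default."""
    allowed = ACLS.get(obj, {}).get(operation, set())
    return not allowed.isdisjoint(caller.ids)
```

With these tables, bob can read /MSR/Lampson/foo through the utcs group and write it through his own uid, alice can read it but not write it, and neither a wrong password nor an unknown user name yields a process at all; the two failures also take the same time, which keeps the login step from leaking which user names exist.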

