Security: Focus of ControlAuthenticationAuthentication Protocol (ap)Authentication ProtocolAuthentication Using NoncesAuthentication Using Public KeysProblems with Ap 5.0Man-in-the-middle AttackDigital Signatures Using Public KeysMessage DigestsHash Functions : MD5Symmetric key exchange: trusted serverKey Exhange: Key Distribution Center (1)Authentication Using a Key Distribution Center (2)Authentication Using a Key Distribution Center (3)Public Key ExchangePublic key exchange: trusted serverProtection Against Intruders: FirewallsFirewallsSecure EmailSlide 21Secure Sockets Layer (SSL)Secure Socket LayerSSLElectronic Payment Systems (1)E-cashSecure Electronic Transactions (SET)Security: conclusionCS677: Distributed OSComputer ScienceLecture 22, page 1Security: Focus of Control•Three approaches for protection against security threatsa) Protection against invalid operationsb) Protection against unauthorized invocationsc) Protection against unauthorized usersCS677: Distributed OSComputer ScienceLecture 22, page 2Authentication•Question: how does a receiver know that remote communicating entity is who it is claimed to be?CS677: Distributed OSComputer ScienceLecture 22, page 3Authentication Protocol (ap)•Ap 1.0–Alice to Bob: “I am Alice”–Problem: intruder “Trudy” can also send such a message•Ap 2.0–Authenticate source IP address is from Alice’s machine–Problem: IP Spoofing (send IP packets with a false address)•Ap 3.0: use a secret password–Alice to Bob: “I am Alice, here is my password” (e.g., telnet)–Problem: Trudy can intercept Alice’s password by sniffing packetsCS677: Distributed OSComputer ScienceLecture 22, page 4Authentication ProtocolAp 3.1: use encryptionuse a symmetric key known to Alice and Bob •Alice & Bob (only) know secure key for encryption/decryption A to B: msg = encrypt("I am A")B computes: if decrypt(msg)=="I am A" then A is verified else A is fradulent•failure scenarios: playback attack–Trudy can intercept Alice’s message and masquerade as Alice at a later timeCS677: Distributed OSComputer ScienceLecture 22, page 5Authentication Using Nonces Problem with ap 3.1: same password is used for all sessionsSolution: use a sequence of passwordspick a "once-in-a-lifetime-only" number (nonce) for each sessionAp 4.0A to B: msg = "I am A" /* note: unencrypted message! */B to A: once-in-a-lifetime value, nA to B: msg2 = encrypt(n) /* use symmetric keys */B computes: if decrypt(msg2)==n then A is verified else A is fradulent•note similarities to three way handshake and initial sequence number choice •problems with nonces?CS677: Distributed OSComputer ScienceLecture 22, page 6Authentication Using Public Keys Ap 4.0 uses symmetric keys for authenticationQuestion: can we use public keys? symmetry: DA( EA(n) ) = EA ( DA(n) ) AP 5.0A to B: msg = "I am A"B to A: once-in-a-lifetime value, nA to B: msg2 = DA(n)B computes: if EA (DA(n))== n then A is verified else A is fradulentCS677: Distributed OSComputer ScienceLecture 22, page 7Problems with Ap 5.0•Bob needs Alice’s public key for authentication–Trudy can impersonate as Alice to Bob•Trudy to Bob: msg = “I am Alice”•Bob to Alice: nonce n (Trudy intercepts this message)•Trudy to Bob: msg2= DT(n)•Bob to Alice: send me your public key (Trudy intercepts)•Trudy to Bob: send ET (claiming it is EA)•Bob: verify ET(DT(n)) == n and authenticates Trudy as Alice!!•Moral: Ap 5.0 is only as “secure” as public key distributionCS677: Distributed OSComputer ScienceLecture 22, page 8Man-in-the-middle Attack•Trudy impersonates as Alice to Bob and as Bob to Alice–Alice Trudy Bob– “I am A” “I am A”– nonce n – DT(n)– send me ET– ET– nonce n– DA(n)– send me EA– EA– Bob sends data using ET, Trudy decrypts and forwards it using EA!! (Trudy transparently intercepts every message)CS677: Distributed OSComputer ScienceLecture 22, page 9Digital Signatures Using Public KeysGoals of digital signatures: •sender cannot repudiate message never sent ("I never sent that") •receiver cannot fake a received message Suppose A wants B to "sign" a message M B sends DB(M) to AA computes if EB ( DB(M)) == M then B has signed MQuestion: can B plausibly deny having sent M?CS677: Distributed OSComputer ScienceLecture 22, page 10Message Digests•Encrypting and decrypting entire messages using digital signatures is computationally expensive–Routers routinely exchange data•Does not need encryption•Needs authentication and verify that data hasn’t changed•Message digests: like a checksum–Hash function H: converts variable length string to fixed length hash–Digitally sign H(M)–Send M, DA(H(m))–Can verify who sent the message and that it has been changed!•Property of H–Given a digest x, it is infeasible to find a message y such that H(y) = x–It is infeasible to find any two messages x and y such that H(x) = H(y)CS677: Distributed OSComputer ScienceLecture 22, page 11Hash Functions : MD5 •The structure of MD5CS677: Distributed OSComputer ScienceLecture 22, page 12Symmetric key exchange: trusted serverProblem: how do distributed entities agree on a key?Assume: each entity has its own single key, which only it and trusted server knowServer: •will generate a one-time session key that A and B use to encrypt communication •will use A and B's single keys to communicate session key to A, BCS677: Distributed OSComputer ScienceLecture 22, page 13Key Exhange: Key Distribution Center (1)•The principle of using a KDC.CS677: Distributed OSComputer ScienceLecture 22, page 14Authentication Using a Key Distribution Center (2)•Using a ticket and letting Alice set up a connection to Bob.CS677: Distributed OSComputer ScienceLecture 22, page 15Authentication Using a Key Distribution Center (3)•The Needham-Schroeder authentication protocol.CS677: Distributed OSComputer ScienceLecture 22, page 16Public Key Exchange•Mutual authentication in a public-key cryptosystem.CS677: Distributed OSComputer ScienceLecture 22, page 17Public key exchange: trusted server•public key retrieval subject to man-in-middle attack •locate all public keys in trusted server •everyone has server's encryption key (ES public) •suppose A wants to send to B using B's "public" keyCS677: Distributed OSComputer ScienceLecture 22, page 18Protection Against Intruders: Firewalls•A common implementation