CS162 Operating Systems and Systems Programming Lecture 26 Protection and Security in Distributed Systems II May 7 2008 Prof Anthony D Joseph http inst eecs berkeley edu cs162 Review Private Key Cryptography Private Key Symmetric Encryption Single key used for both encryption and decryption Plaintext Unencrypted Version of message Ciphertext Encrypted Version of message Key Decrypt Insecure Transmission ciphertext Key Plaintext Plaintext SPY Encrypt CIA Important properties Can t derive plain text from ciphertext decode without access to key Can t derive key from plain text and ciphertext As long as password stays secret get both secrecy and authentication Symmetric Key Algorithms DES Triple DES AES 5 7 08 Joseph CS162 UCB Spring 2008 Lec 26 2 Review Public Key Encryption Key distribution without an authentication server Public Key Details Don t have one key have two Kpublic Kprivate Two keys are mathematically related to one another Really hard to derive Kpublic from Kprivate and vice versa Forward encryption Encrypt cleartext Kpublic ciphertext1 Decrypt ciphertext1 Kprivate cleartext Reverse encryption Encrypt cleartext Kprivate ciphertext2 Decrypt ciphertext2 Kpublic cleartext Note that ciphertext1 ciphertext2 Can t derive one from the other Public Key Examples RSA Rivest Shamir and Adleman Kpublic of form kpublic N Kprivate of form kprivate N N pq Can break code if know p and q ECC Elliptic Curve Cryptography 5 7 08 Joseph CS162 UCB Spring 2008 Lec 26 3 Recall Authorization Who Can Do What How do we decide who is authorized to do actions in the system Access Control Matrix contains all permissions in the system Resources across top Files Devices etc Domains in columns A domain might be a user or a group of permissions E g above User D3 can read F2 or execute F3 In practice table would be huge and sparse Two approaches to implementation Access Control Lists store permissions with each object Still might be lots of users UNIX limits each file to r w x for owner group world More recent systems allow definition of groups of users and permissions for each group Capability List each process tracks objects has permission to touch Popular in the past idea out of favor today Consider page table Each process has list of pages it has access to not each page has list of processes 5 7 08 Joseph CS162 UCB Spring 2008 Lec 26 4 Goals for Today Distributed Authorization Enforcement Security Problems Buffer Overflow Morris Internet Worm Password Checking Self Replicating Programs Note Some slides and or pictures in the following are adapted from slides 2005 Silberschatz Galvin and 5 7 08 Josephgenerated CS162 UCB Spring Lec 26 5 Gagne Many slides Gagne from2008 my lecture notes How to perform Authorization for Distributed Systems Different Authorization Domains Issues Are all user names in world unique No They only have small number of characters adj mit edu adj lcs mit edu adj cs berkeley edu However someone thought their friend was adj mit edu and I got very private email intended for someone else Need something better more unique to identify person Suppose want to connect with any server at any time Need an account on every machine possibly with different user name for each account OR Need to use something more universal as identity Public Keys Called Principles People are their public keys 5 7 08 Joseph CS162 UCB Spring 2008 Lec 26 6 Distributed Access Control File File X X Access Control List ACL for X l Kc C A 9 X BC er D d rv e 7 Client 1 Ks ea 6 4 R Domain 1 x6 ta a 0 d y Ke RX Group Key 0xA2D3498672 GACL Server 1 Domain 2 nt ie ACL verifier Hash Timestamp R Key 0x546DFEFA34 Signature owner RW Key 0x467D34EF83 Read Group Owner Owner Key Key 0x22347EF 0x22347EF Group ACL GACL verifier Hash Timestamp Key 0xA786EF889A Signature group Key 0x6647DBC9AC Server 2 Domain 3 Distributed Access Control List ACL Contains list of attributes Read Write Execute etc with attached identities Here we show public keys ACLs signed by owner of file only changeable by owner Group lists signed by group key ACLs can be on different servers than data Signatures allow us to validate them ACLs could even be stored separately from verifiers 5 7 08 Joseph CS162 UCB Spring 2008 Lec 26 7 Analysis of Previous Scheme Positive Points Identities checked via signatures and public keys Client can t generate request for data unless they have private key to go with their public identity Server won t use ACLs not properly signed by owner of file No problems with multiple domains since identities designed to be cross domain public keys domain neutral Revocation What if someone steals your private key Need to walk through all ACLs with your key and change This is very expensive Better to have unique string identifying you that people place into ACLs Then ask Certificate Authority to give you a certificate matching unique string to your current public key Client Request request unique ID Cprivate give server certificate if they ask for it Key compromise must distribute certificate revocation since can t wait for previous certificate to expire What if you remove someone from ACL of a given file If server caches old ACL then person retains access Here cache inconsistency leads to security violations 5 7 08 Joseph CS162 UCB Spring 2008 Lec 26 8 Analysis Continued Who signs the data Or How does the client know they are getting valid data Signed by server What if server compromised Should client trust server Signed by owner of file Better but now only owner can update file Pretty inconvenient Signed by group of servers that accepted latest update If must have signatures from all servers Safe but one bad server can prevent update from happening Instead ask for a threshold number of signatures Byzantine agreement can help here How do you know that data is up to date Valid signature only means data is valid older version Freshness attack Malicious server returns old data instead of recent data Problem with both ACLs and data E g you just got a raise but enemy breaks into a server and prevents payroll from seeing latest version of update Hard problem Needs to be fixed by invalidating old copies or having a trusted group of servers Byzantine Agreement 5 7 08 Joseph CS162 UCB Spring 2008 Lec 26 9 Enforcement Enforcer checks passwords ACLs etc Makes sure that only authorized actions take place Bugs in enforcer things for malicious users to exploit In UNIX superuser can do anything Because of coarse grained access control lots of stuff
View Full Document
Unlocking...