Security
Part III
CS403/534
Distributed Systems
Erkay Savas
Sabanci University
Security Management
• Issue: how are the keys obtained securely?
• General management of cryptographic keys
– The means of distributing (public) keys
– Certificates
• Authorization management
– Granting access rights
– Delegating access rights
Key Management
• Former assumption: keys (public keys or secret keys) were readily available.
• Establishing and distributing keys is not a trivial matter.
• Revocation of keys is another important matter in this context.
– Keys may get stale or compromised.
Key Establishment
The principle of Diffie-Hellman key exchange.
• Public parameters: n, g. Alice picks x; Bob picks y.
• Message 1 (Alice → Bob): $g^x \bmod n$
• Message 2 (Bob → Alice): $g^y \bmod n$
• Alice computes $(g^y \bmod n)^x \bmod n = g^{yx} \bmod n = K$
• Bob computes $(g^x \bmod n)^y \bmod n = g^{xy} \bmod n = K$
• n and g are public; x and y are secret random numbers.
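Man-in-the-Middle Attack
• Eve picks z.
• Message 1 (Alice → Eve): $g^x \bmod n$
• Message 1' (Eve → Bob): $g^z \bmod n$
• Messages 2 and 2': Bob's $g^y \bmod n$ goes to Eve, and Eve sends $g^z \bmod n$ to Alice.
• Alice computes $s_{AE} = g^{zx} \bmod n$
• Bob computes $s_{BE} = g^{zy} \bmod n$
• Eve computes $s_{AE} = g^{xz} \bmod n$ and $s_{BE} = g^{yz} \bmod n$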
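The two exchanges above, worked through in Python as an added example (not part of the original slides). The parameters n = 23, g = 5 and the secrets are constructed toy values, and the fingerprint comparison is an added check that assumes Alice and Bob have some authenticated way to compare values.

```python
import hashlib

# Constructed toy parameters, far too small for real use.
N, G = 23, 5

def public_value(secret, n=N, g=G):
    """g^secret mod n: the value a party sends over the wire."""
    return pow(g, secret, n)

def shared_key(received, secret, n=N):
    """(received)^secret mod n: what a party derives from the peer's value."""
    return pow(received, secret, n)

def honest_exchange(x, y):
    """Messages 1 and 2 arrive unmodified; returns (Alice's K, Bob's K)."""
    gx, gy = public_value(x), public_value(y)
    return shared_key(gy, x), shared_key(gx, y)

def intercepted_exchange(x, y, z):
    """Both public values are replaced by g^z mod n, as on the slide."""
    gx, gy, gz = public_value(x), public_value(y), public_value(z)
    return {
        "alice": shared_key(gz, x),   # s_AE = g^(zx) mod n
        "bob": shared_key(gz, y),     # s_BE = g^(zy) mod n
        "eve_AE": shared_key(gx, z),  # s_AE = g^(xz) mod n
        "eve_BE": shared_key(gy, z),  # s_BE = g^(yz) mod n
    }

def fingerprint(key):
    """Short digest of a derived key, suitable for comparing without revealing it."""
    return hashlib.sha256(str(key).encode()).hexdigest()[:16]

def keys_confirmed(alice_key, bob_key):
    """Added check (assumption): fingerprints compared over an authenticated channel."""
    return fingerprint(alice_key) == fingerprint(bob_key)

if __name__ == "__main__":
    print("honest:", honest_exchange(6, 15))
    result = intercepted_exchange(6, 15, 3)
    print("intercepted:", result)
    print("confirmation passes:", keys_confirmed(result["alice"], result["bob"]))
```

Unauthenticated Diffie-Hellman gives Alice and Bob no signal that their keys differ; the mismatch only shows up when the public values or the resulting key are bound to an identity, which is what the certificates on the next slide provide.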
Public Key Certificates
• Public key distribution is done by certificates issued by trusted Certification Authorities (CA).
– A certificate contains (i) a public key, (ii) identity of the public key owner and (iii) signature of (i) and (ii) by CA (using $K^-_{CA}$)
– Public key of CA, $K^+_{CA}$, is well known (e.g. public keys of various CAs are built into most Web browsers and shipped with binaries).
• Public key verification
– A user uses $K^+_{CA}$ to verify the public key
• Chain of trust can be built up.
– In PEM, CAs are authenticated by Policy Certification Authorities (PCA) which are in turn authenticated by the Internet Policy Registration Authority (IPRA).
Certification Revocation Lists
• When the private key of a certified user is compromised…
– There must be a way to revoke the certificate
• Solution 1: keep a Certification Revocation List (CRL).
– Whenever a client checks a certificate, it also has to check the CRL.
– Some overhead.
• Solution 2: restrict the lifetime of a certificate.
– Validity of a certificate automatically expires after some time.
– CRLs are still needed if a certificate should be revoked before it expires.
• Solution 3: CA is always online.
Conference Keying - 1
• Setup
– There are t users in the conference
– Large prime n and a generator g < n
• Key Generation
– User $U_i$ selects a random integer $x_i$
– Computes $z_i \equiv g^{x_i} \bmod n$
– Sends $z_i$ to each of the other t-1 group members.
• Computation of key
– Each user $U_i$, after receiving $z_{i-1}$ and $z_{i+1}$, computes
$y_i \equiv \left(\frac{z_{i+1}}{z_{i-1}}\right)^{x_i} \equiv g^{x_{i+1}x_i - x_{i-1}x_i} \bmod n$
– and sends $y_i$ to other members
Conference Keying - 2
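• User $U_i$, upon receiving $y_j$ from other users, computes
$K = K_i \equiv (z_{i-1})^{t x_i} \, y_i^{t-1} \, y_{i+1}^{t-2} \cdots y_{i+(t-3)}^{2} \, y_{i+(t-2)}^{1} \bmod n$
• Example: Four users
– $U_1$ : ($x_1$, $z_1 \equiv g^{x_1} \bmod n$)
– $U_2$ : ($x_2$, $z_2 \equiv g^{x_2} \bmod n$)
– $U_3$ : ($x_3$, $z_3 \equiv g^{x_3} \bmod n$)
– $U_4$ : ($x_4$, $z_4 \equiv g^{x_4} \bmod n$)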
Conference Keying - 3
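• They calculate the following, respectively
– $y_1 \equiv g^{x_2x_1 - x_4x_1} \bmod n$
– $y_2 \equiv g^{x_3x_2 - x_1x_2} \bmod n$
– $y_3 \equiv g^{x_4x_3 - x_2x_3} \bmod n$
– $y_4 \equiv g^{x_1x_4 - x_3x_4} \bmod n$
$K_1 = (z_4)^{4x_1} \, y_1^3 \, y_2^2 \, y_3^1 \bmod n \equiv g^{x_4x_1 + x_2x_1 + x_3x_2 + x_4x_3}$
$K_2 = (z_1)^{4x_2} \, y_2^3 \, y_3^2 \, y_4^1 \bmod n \equiv g^{x_2x_1 + x_3x_2 + x_4x_3 + x_4x_1}$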
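The conference keying protocol from the three slides above, as an added Python example (not part of the original slides) that runs both rounds for any number of users t and checks that every user derives the closed-form key from the four-user example. The modulus and base are constructed toy parameters, and indices are taken cyclically, as the four-user example implies.

```python
import secrets

# Constructed toy parameters: n = 2**127 - 1 is prime; g = 3 is used for
# illustration only and is not checked to be a generator.
N, G = 2**127 - 1, 3

def round1(xs, n=N, g=G):
    """z_i = g^(x_i) mod n, sent by every user U_i."""
    return [pow(g, x, n) for x in xs]

def round2(xs, zs, n=N):
    """y_i = (z_{i+1} / z_{i-1})^(x_i) mod n, indices taken cyclically."""
    t = len(xs)
    ys = []
    for i in range(t):
        # Division mod n is multiplication by the modular inverse.
        ratio = zs[(i + 1) % t] * pow(zs[i - 1], -1, n) % n
        ys.append(pow(ratio, xs[i], n))
    return ys

def conference_key(i, x_i, zs, ys, n=N):
    """K_i = z_{i-1}^(t*x_i) * y_i^(t-1) * y_{i+1}^(t-2) * ... * y_{i+t-2}^1 mod n."""
    t = len(zs)
    key = pow(zs[i - 1], t * x_i, n)
    for j in range(t - 1):
        key = key * pow(ys[(i + j) % t], t - 1 - j, n) % n
    return key

def run_conference(xs, n=N, g=G):
    """Run both rounds and return the key each user computes."""
    zs = round1(xs, n, g)
    ys = round2(xs, zs, n)
    return [conference_key(i, x, zs, ys, n) for i, x in enumerate(xs)]

def expected_key(xs, n=N, g=G):
    """g^(x_1x_2 + x_2x_3 + ... + x_t x_1) mod n, the closed form of K."""
    t = len(xs)
    return pow(g, sum(xs[i] * xs[(i + 1) % t] for i in range(t)), n)

if __name__ == "__main__":
    xs = [secrets.randbelow(N - 2) + 1 for _ in range(4)]
    keys = run_conference(xs)
    print("all users agree:", len(set(keys)) == 1)
    print("matches closed form:", keys[0] == expected_key(xs))
```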
Authorization Management
• Issue: how to initially grant and maintain the rights of users (i.e. access rights) in distributed systems.
– In non-distributed systems, for each user an account is
generated on every machine and the rights of users
are automatically granted by the system
administrators in advance.
– In distributed systems, it is not feasible for each
machine to know every user.
– Instead, capabilities and attribute certificates are
used to express the access rights that the holder
possesses.
Capabilities and Attribute Certificates
• Capability:
– an unforgeable data structure for a specific resource, specifying the access rights that the holder of the capability has with respect to that resource.
• Amoeba (an object-based distributed system):
– remote object model; to invoke a method on an object, a client passes a capability to its local OS.
– Local OS locates the server of the object and performs an RPC.
• A capability in Amoeba is a 128-bit identifier:
Server port (48 bits) | Object (24 bits) | Rights (8 bits) | Check (48 bits)
Capabilities
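• Generation of a restricted capability from an owner capability.
– Owner capability: Port | Object | 11111111 | C, where C is a random check field stored in the object server
– Proposed new rights: 00000001
– C is XORed with the proposed new rights and the result is passed through F
– Restricted capability: Port | Object | 00000001 | F(C ⊕ 00000001)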
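The capability layout and the restriction step above, as an added Python example (not part of the original slides and not Amoeba's code). F is a one-way function in Amoeba; here a truncated SHA-256 stands in for it as an assumption, and the ObjectServer class and its method names are hypothetical.

```python
import hashlib
import hmac
import secrets
from typing import NamedTuple

ALL_RIGHTS = 0b11111111  # rights field of an owner capability

class Capability(NamedTuple):
    port: int    # 48-bit server port
    obj: int     # 24-bit object number
    rights: int  # 8-bit rights mask
    check: int   # 48-bit check field

    def pack(self) -> int:
        """Lay the four fields out as one 128-bit identifier."""
        return self.port << 80 | self.obj << 56 | self.rights << 48 | self.check

def F(value: int) -> int:
    """Stand-in one-way function (assumption): SHA-256 truncated to 48 bits."""
    digest = hashlib.sha256(value.to_bytes(6, "big")).digest()
    return int.from_bytes(digest[:6], "big")

def restrict(owner: Capability, new_rights: int) -> Capability:
    """Derive a restricted capability whose check field is F(C XOR new_rights)."""
    if owner.rights != ALL_RIGHTS or not 0 <= new_rights < ALL_RIGHTS:
        raise ValueError("need an owner capability and a reduced rights mask")
    return owner._replace(rights=new_rights, check=F(owner.check ^ new_rights))

class ObjectServer:
    def __init__(self, port: int):
        self.port = port
        self.checks = {}  # object number -> random check field C

    def create(self, obj: int) -> Capability:
        self.checks[obj] = secrets.randbits(48)
        return Capability(self.port, obj, ALL_RIGHTS, self.checks[obj])

    def verify(self, cap: Capability) -> bool:
        """Recompute the check field from the stored C and the claimed rights."""
        c = self.checks.get(cap.obj)
        if c is None or cap.port != self.port:
            return False
        if not (0 <= cap.rights <= ALL_RIGHTS and 0 <= cap.check < 1 << 48):
            return False
        expected = c if cap.rights == ALL_RIGHTS else F(c ^ cap.rights)
        return hmac.compare_digest(expected.to_bytes(6, "big"),
                                   cap.check.to_bytes(6, "big"))
```

Because the server recomputes the check field from its stored C, a holder of the restricted capability who edits the rights byte produces a capability that no longer verifies.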
Attribute Certificates
• A generalization of capabilities
– List the access rights of the holder
– Issued and signed by attribute certification
authorities.
– The server managing the object does not have to be the same server issuing attribute certificates.
Delegation (1)
• Observation: A subject sometimes wants to delegate its access rights for a resource to another entity.
• Example: a client schedules a print job with the print server (PS) to fetch a file F from the file server (FS) and to print it out. If PS does not have access to F, the client should delegate its own access rights temporarily.
• Token (Proxy) solution: A process creates a token stating the rights of its holder.
• For example, “Alice says Bob has rights R”: $[A, B, R]_A$.
• Or, “Alice says bearer of this token has rights R”: $[A, R]_A$.
• Issue: The holder of the proxy must prove that it obtained the proxy through legitimate means (i.e. it did not steal it).
Delegation (2)
• Neuman's scheme
– A: process that created the proxy
– $S^+_{proxy}$: a hard question
– $S^-_{proxy}$: the answer to the hard question (must be handed down securely). Anyone can easily verify the correctness of the answer.
• The general structure of a token as used for delegation:
– Certificate: R (access rights) | $S^+_{proxy}$ (public part of secret) | $sig(A, \{R, S^+_{proxy}\})$ (signature by A)
– $S^-_{proxy}$ (private part of secret)
Delegation (3)
• Using a token to delegate and prove ownership of access rights.
1. Alice → Bob: $[R, S^+_{proxy}]_A$, $K_{A,B}(S^-_{proxy})$
2. Bob → Server: $[R, S^+_{proxy}]_A$
3. Server → Bob: $S^+_{proxy}(N)$
4. Bob → Server: N
Example: Kerberos (1)
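• A client-server system based on symmetric key cryptography in which clients securely use services with mutual authentication.
• Authentication in Kerberos.
1. Alice → Alice's workstation: login
2. Alice's workstation → AS: A
3. AS → Alice's workstation: $K_{A,AS}(K_{A,TGS}, K_{AS,TGS}(A, K_{A,TGS}))$
4. Alice's workstation → Alice: password?
5. Alice → Alice's workstation: PWD
6. Alice's workstation → TGS: $K_{AS,TGS}(A, K_{A,TGS})$, B, $K_{A,TGS}(t)$
7. TGS → Alice's workstation: $K_{A,TGS}(B, K_{A,B})$, $K_{B,TGS}(A, K_{A,B})$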
Example: Kerberos (2)
• Setting up a secure channel in Kerberos.
• Alice the client uses the service provided by Bob the server using her ticket. They authenticate each other.
1. Alice → Bob: $K_{B,TGS}(A, K_{A,B})$, $K_{A,B}(t)$
2. Bob → Alice: $K_{A,B}(t+1)$