Introduction to distributed security concepts and public key infrastructure mary thompson

50 %
50 %
Information about Introduction to distributed security concepts and public key...

Published on March 4, 2014

Author: natemiller67



Introduction to distributed security concepts and public key infrastructure mary thompson

An Introduction to Distributed Security Concepts and Public Key Infrastructure (PKI) Mary Thompson

Local Computing User sits down in front of the computer Responds to the login prompt with a user id and password. Machine has a list of all the users and their encrypted passwords Password never goes across the network Passwords are encrypted with a one-way code The crypt alogrithm of Unix has been around since mid 70’s. Uses a salt to keep identical passwords from having the same encryption. Uses only 8 characters, case sensitive. Uses 25 iterations of DES. Typically broken by guessing and verifying guess or snooping the password.

Remote Access Computing User logs in to one or more remote machine(s) Each machine has its own copy of userid and password for each user Changing a password on one machine does not affect the other machines Each time a user connects to a different machine, she must login again In the standard Unix login or rsh commands, the user’s password is sent in clear text over the network or else hosts trust users on the basis of their IP addresses Ssh encrypts the password before sending it or uses a user’s key pair for establishing her identity

Single Domain Remote Access Computing User gets access to many machines in a single administrative domain. He has a single userid and password for all the machines Can login just once to a central trusted server Examples Kerberos freeware from MIT Project Athena NIS - Sun software with remote access comands

Kerberos User - password based authentication based on late-70’s Needham -Schroeder algorithms. Kerberos Authentication Server aka KDC (Key Distribution Center) shares long-term secret (password) with each authorized user. User logs in and established a short term session key with the AS which can be used to establish his identity with other entities, e.g. file system, other hosts or services each of which trusts the authority server. The authorization mechanism needs to be integrated with the each function, e.g. file access, login, telnet, ftp, ... The central server is a single point of vulnerablity to attack and failure. Been in use for 20 years. We are now at version 5.

NIS Central server has all the user ids and passwords, don’t need to store passwords locally. Facilitates the same user id and passwords on all machines on a network Then rlogin and rsh allow the user to have access to all the hosts in the hosts.equiv and .rhost files No real security, depends IP addresses Integrated with NFS to allow access to NFS files from any host to which they are exported.

Cross Domain Authentication Holy Grail is to allow a user to login in once and get access to a ticket that will identify him to all machines on which he is allowed to run. Kerberos supports cross realm authentication, but it is politically difficult to achieve. Used for multiple AFS/DFS cells within a single institution. CMU, DOE weapons labs X.509 Identity certificates. An IETF standard. Contains a multi-part unique name and a public key. The legitimate owner of the certificate has the matching private key.

Motivation for Universal Identity certificate Distributed computing environments, collaborative research environments Resources, stakeholders and users are all distributed Spanning organizational as well as geographical boundaries, e.g., DOE Collaboratories Requires a flexible but secure way to identify users Requires a flexible and secure way to identify stakeholders

Security Levels Confidentiality Protection from disclosure to unauthorized persons Integrity Maintaining data consistency Authentication Assurance of identity of person or originator of data Non-repudiation Originator of communications can't deny it later - requires longterm of keys Authorization Identity combined with an access policy grants the rights to perform some action

Security Building Blocks Encryption provides confidentiality, can provide authentication and integrity protection Checksums/hash algorithms provide integrity protection, can provide authentication Digital signatures provide authentication, integrity protection, and non-repudiation

Keys Symetric Keys Both parties share the same secret key Problem is securely distributing the key DES - 56 bit key considered unsafe for financial purposes since 1998 3 DES uses three DES keys Public/Private keys One key is the mathematical inverse of the other Private keys are known only to the owner Public key are stored in public servers, usually in a X.509 certificate. RSA (patent expires Sept 2000), Diffie-Hellman, DSA

Hash Algorithms Reduce variable-length input to fixed-length (128 or 160bit) output Requirements Can't deduce input from output Can't generate a given output Can't find two inputs which produce the same output Used to Produce fixed-length fingerprint of arbitrary-length data Produce data checksums to enable detection of modifications Distill passwords down to fixed-length encryption keys Also called message digests or fingerprints

Message Authentication Code MAC Hash algorithm + key to make hash value dependant on the key Most common form is HMAC (hash MAC) hash( key, hash( key, data )) Key affects both start and end of hashing process Naming: hash + key = HMAC-hash MD5  HMAC-MD5 SHA-1  HMAC-SHA (recommended)

Digital Signatures Combines a hash with a digital signature algorithm To sign hash the data encrypt the hash with the sender's private key send data signer’s name and signature To verify hash the data find the sender’s public key decrypt the signature with the sender's public key the result of which should match the hash

Elements of PKI Certificate Authorities (CA) OpenSSL, Netscape, Verisign, Entrust, RSA Keon Public/Private Key Pairs - Key management x.509 Identity Certificates - Certificate management LDAP servers

X.509 Identity Certificates Distinguished Name of user C=US, O=Lawrence Berkely National Laboratory, OU=DSD, CN=Mary R. Thompson DN of Issuer C=US, O=Lawrence Berkely National Laboratory, CN=LBNL-CA Validity dates: Not before <date>, Not after <date> User's public key V3- extensions Signed by CA Defined in ANS1 notation - language independent

Certificate Authority A trusted third party - must be a secure server Signs and publishes X.509 Identity certificates Revokes certificates and publishes a Certification Revocation List (CRL) Many vendors OpenSSL - open source, very simple Netscape - free for limited number of certificates Entrust - Can be run by enterprise or by Entrust Verisign - Run by Verisign under contract to enterprise RSA Security - Keon servers

LDAP server Lightweight Directory Access Protocol (IETF standard) Evolved from DAP and X.500 Identities Used by CA's to store user's Identity Certificate Open source implementations Standard protocol for lookup, entry, etc. Access control is implemented by user, password.

SSL - OpenSSL Secure message passing protocol Developed by Netscape, now an IETF RFC (TLS Jan '99) Protocol for using one or two public/private keys to authenticate a sever to a client and by requiring a client key to authenticate the client to the server establish a shared symetric key (the session key) uses the session key to encypt or MAC all data over the secure channel Gives you authentication, message integrity and confidentiality Everything except authorizaton

SSL Handshake Negotiate the cipher suite Establish a shared session key Authenticate the server (optional) Authenticate the client (optional) Authenticate previously exhanged data

SSL handshake details Client hello: Client challenge, client nonce Available cipher suites (eg RSA + RC4/40 + MD5) Server hello: Server certificate, server nonce Connection ID Selected cipher suite Server adapts to client capabilities Optional certificate exchange to authenticate server/client Commercial sites only use server authentication

SSL Handshake - details Client Generate Challenge Define Protocols Verify server certificate Generates pre-master session key Encyrpt session key master-secret = hash(pre-master secret, previous messages) Generate Client read/write key pairs Decrypt and verify challenge phrase Server Challenge Encryption protocols Server Cert Connection ID Encryption protocols Return Server Certificate Generate connectiion ID Confirm Protocols Decrypt pre-master session key {pre-master master secret = hash (pre-master secret, session Key} previous messages) Server's public Generate server read/write Key pairs key {Client's Challenge} Server Write Key Encrypt random challenge phrase

SSL Handshake Client Authentication Client Decrypt challenge Calculate message digest on Challenge and Server certificate Done Server (Challenge phrase) Server write key [Message Digest & Client Certificate] Client private key (Session Identifier) Server's write key Generate new challenge Requests Client certificate Decrypt Message Digest and Client Certificate Verify Client certificate and recompute message digest

Status Single purpose CA’s e.g. Globus (SSLeay) Collaboratory, DOE-Grid (Netscape) Enterprises slow to run CA’s Many different Vendors - Verisign, Entrust, Netscape, RSA Security Keon Incompatible Key and Certificate management between vendors Certificates are not integrated with existing applications that need authorization Large amount of corporate overhead in running a CA Uncertain legal implications of issuing certificates Lab is currently looking at the RSA Keon server as it has integration with ssh and NIS authorization

Public Key Cryptography Standards PKCS PKCS 7 Cryptographic Message Syntax Standard PKCS 10 Certification Request Syntax Standard - used by Netscape browser, IE, and SSL libraries PKCS 11 Cryptographic Token Interface Standard - An API for signing and verifying data by a device that holds the key PKCS 12 Personal Information Exchange Syntax Standard - file format for storing certificate and private key - used to move private information between browsers

References Peter Guttman's tutorial about 500 slides covering cryptography, secure connection protocols, PKI, politics and more. RSA Laboratories PKCS specifications SSL/TLS TLS v 1.0 RFC - SSL-v3 openSSL Certificates

Add a comment

Related presentations

Presentación que realice en el Evento Nacional de Gobierno Abierto, realizado los ...

In this presentation we will describe our experience developing with a highly dyna...

Presentation to the LITA Forum 7th November 2014 Albuquerque, NM

Un recorrido por los cambios que nos generará el wearabletech en el futuro

Um paralelo entre as novidades & mercado em Wearable Computing e Tecnologias Assis...

Microsoft finally joins the smartwatch and fitness tracker game by introducing the...

Related pages

20 Database Security - Oracle Help Center

20 Database Security. ... Oracle provides a public key infrastructure ... Guide for information on authentication and distributed database concepts.
Read more

SDSI - A Simple Distributed Security Infrastructure

... A Simple Distributed Security Infrastructure. ... SDSI combines a simple public-key infrastructure design with a means of defining ... if mary, a ...
Read more

An Introduction to Public Key Infrastructure (PKI) - DST

An Introduction to Distributed Security Concepts and Public Key Infrastructure (PKI) Mary Thompson Local Computing User sits down in front of the computer ...
Read more

Introduction to Cyber Security OR Information Security English

Introduction to Cyber Security / Information Security ... Information Security Concepts ... Public Key infrastructure
Read more

PKI - Public Key Infrastructure | Certificate Authentication

... PKI certificates and certificate authentication ... Security Infrastructure for ... public key infrastructure product portfolio is ...
Read more

What is SSL and what are Certificates? - The Linux ...

What is SSL and what are Certificates? ... Several concepts have to be understood here. ... The Public Key Infrastructure ...
Read more

Database Concepts - Contents - Oracle Software Downloads ...

20 Database Security. Introduction to Database Security; ... Public-Key-Infrastructure-Based Authentication; ... Combine UNIQUE Key and NOT NULL Integrity ...
Read more

KSU | Department of Information Technology - Courses

... knowledge acquired in preceding IT courses. ... public key infrastructure ... of security concepts and practices in general and ...
Read more