# Importance of Security in DS

Security goal: restrict access to information/resources to just those entities that are authorized to access them.

There is a pervasive need for measures to guarantee the privacy, integrity and availability of resources in DS.

Security attacks take various forms: eavesdropping, masquerading, tampering and denial of service.

Designers of secure distributed systems must cope with the exposed interfaces and insecure network in an environment where attackers are likely to have knowledge of the algorithms used to deploy computing resources.

Cryptography provides the basis for the authentication of messages as well as their secrecy and integrity.

# Security in Real World

In the physical world, organizations adopt "security policies" that provide for the sharing of resources within specified limits.
* A company may permit entry to its building to its employees and to accredited visitors.
* A security policy for documents may specify groups of employees who can access classes of documents or it may be defined for individual documents and users.

Security policies are enforced by security mechanisms. You can't build a 100% secure system; how much to invest in security depends on the application, and systems are built on the chosen policies.
* Access to a building may be controlled by a reception clerk, who issues badges to accredited visitors, and enforced by a security guard or by electronic door locks.

In the electronic world, the distinction between security policy and mechanisms is equally important.

# Revision

<img src="img/img44.png" width="500">

An object (or resource) may be a mailbox, a system file or part of a commercial website.

A principal is a user or process that has the authority (rights) to perform actions.

Cryptographic concealment is based on confusion and diffusion.

# Threats and Attacks

Security threats fall into three broad classes:
* Leakage: acquisition of information by unauthorized recipients. The information itself need not be revealed: an adversary who observes that there is constant traffic every morning around 8am may deduce that this is a backup window, and then use that knowledge to mount other attacks.
* Tampering: unauthorized alteration of information.
* Vandalism: interference with the proper operation of systems (e.g. DoS).

Methods of attack:
* Eavesdropping (a form of leakage): obtaining private or secret information or copies of messages without authority.
* Masquerading (a form of impersonation): assuming the identity of another user/principal, i.e. sending or receiving messages using the identity of another principal without their authority.
* Message tampering: altering the content of messages in transit.
* Replaying: storing secure messages and sending them at a later time (e.g. capturing the request of a client visiting a website and replaying it again and again to earn money from an advertising company).
* Denial of service: flooding a channel or other resource, denying access to others.

## Threats not defeated by secure channels or other cryptographic techniques

### Denial of service (DoS) attacks

If the attack comes from a single IP address, it can be dealt with simply by limiting the number of requests a single machine may make.

If the attacks come from many addresses, it is called a distributed denial of service (DDoS): an attacker who has compromised the PCs on a campus intranet, for example, can command all of them to send requests to a server simultaneously. A simple countermeasure is to require a verification code before serving a client. However, an attacker who runs another website with tens of thousands of users online, say a porn site, can forward the verification codes to those users and have them type the codes in.

### Trojan horses and other viruses

Viruses can only enter computers when program code is imported.

But users often require new programs, for example:
* New software installation
* Mobile code downloaded dynamically by existing software (e.g. Java applets)
* Accidental execution of programs transmitted surreptitiously

Defense: code authentication (signed code), code validation (obeying certain standards, type checking), sandboxing.

# Security policies for Internet transactions

* Authenticate the vendor to the buyer.
* Keep the buyer's credit card details secure.
* Ensure that content is delivered to the buyer.
* Authenticate the identity of the account holder before giving them access to their account.

# Designing Secure Systems

Set up a policy. Implementing it comes at a cost (the cost of implementing the mechanism and of accessing the service).

Security is about avoiding disasters and minimizing mishaps. When designing for security it is necessary to assume the worst.

The design of a secure system is an exercise in balancing costs against threats:
* A cost is incurred for the use of security measures (and it is not linear: a perfectly secure system would cost an unbounded amount).
* Inappropriately specified security measures may exclude legitimate users from performing necessary actions.

## Worst case assumptions

* Interfaces are exposed: a DS is made up of processes with open interfaces.
* Networks are insecure.
* Limit the lifetime and scope of each secret (the validity of passwords and keys).
* Algorithms and code are available to attackers.
* Attackers may have access to large resources.

# Security Techniques

Digital cryptography provides the basis for most computer security mechanisms, but it is important to note that computer security and cryptography are distinct subjects.
* Cryptography is the art of encoding information in a form that only the intended recipient can access.
* Cryptography can be used to provide proof of the authenticity of information, in a manner analogous to the use of signatures in conventional transactions.

## Cryptography

Cryptography is about encryption and decryption. Encryption is the process of encoding a message in such a way as to hide its contents. Modern cryptography includes several secure algorithms for encrypting and decrypting messages. They are based on keys: a cryptographic key is a parameter used in an encryption algorithm in such a way that the encryption cannot be reversed without knowledge of the key.

There are two main classes:
* Shared secret keys: the sender and recipient share knowledge of the key, and it must not be revealed to anyone else.
* Public/private key pairs: the sender of a message uses the recipient's public key to encrypt the message; the recipient uses the corresponding private key to decrypt it.

Uses of cryptography:
* Secrecy and integrity (to stop eavesdropping and tampering); redundant information (checksums) is also used to maintain integrity.
* Authentication: ensure that the principal accessing the message is the right one.
* Digital signatures: proof that the message was created by the principal who is claimed to have created it.

Security notations:

<img src="img/img45.png" width="400">

### Scenario 1: Secret communication with a shared secret key

Alice wishes to send some information secretly. Alice and Bob share a secret key $K_{AB}$.
1. Alice uses $K_{AB}$ and an agreed encryption function $E(K_{AB}, M)$ to encrypt and send any number of messages $\{M_i\}_{K_{AB}}$ to Bob.
2. Bob reads the encrypted messages using the corresponding decryption function $D(K_{AB}, M)$.

Alice and Bob can go on using $K_{AB}$ as long as it is safe to assume that $K_{AB}$ has not been compromised.

Issues:
* Key distribution: how can Alice send the shared key $K_{AB}$ to Bob securely?
* No guarantee of freshness: how does Bob know that any $\{M_i\}$ isn't a copy of an earlier encrypted message from Alice that was captured by Mallory and replayed later? If the message is a request to pay some money to someone, Mallory might trick Bob into paying twice.

This approach is low cost and efficient, but works only in small organizations, not over the Internet.

### Scenario 2: Authenticated communication with a server

Bob is a file server; Sara is an authentication service. Sara shares a secret key $K_A$ with Alice and a secret key $K_B$ with Bob.

1. Alice sends an (unencrypted) message to Sara stating her identity and requesting a *ticket* for access to Bob.
2. Sara sends a response to Alice: $\{\{Ticket\}_{K_{B}}, K_{AB}\}_{K_{A}}$. It is encrypted in $K_A$ and consists of a ticket (to be sent to Bob with each request for file access) encrypted in $K_B$ and a new secret key $K_{AB}$.
3. Alice uses $K_A$ to decrypt the response.
4. Alice sends Bob a request R to access a file: $\{Ticket\}_{K_B}, Alice, R$.
5. The ticket is actually $\{K_{AB}, Alice\}_{K_B}$. Bob uses $K_B$ to decrypt it, checks that Alice's name matches and then uses $K_{AB}$ to encrypt responses to Alice.

This is a simplified version of the Needham and Schroeder (and Kerberos) protocol.

Not suitable for e-commerce, because the authentication service doesn't scale:
* If the server is broken into, the secret keys of all parties are lost.
* Which server to trust remains a problem.
* One server for everyone on the Internet is unrealistic.

Inside a small company, using this approach rather than scenario 1 avoids the situation where everyone has access to everything.

Limitations of the Needham and Schroeder protocol:
* It depends upon prior knowledge by the authentication server Sara of Alice's and Bob's keys. This is feasible in a single organization, where Sara runs on a physically secure computer and is managed by a trusted principal.

Usefulness of challenges: the protocol introduced the concept of a cryptographic challenge. You challenge Alice by sending a message that is locked with a certain key; if Alice knows the key, then Alice meets the challenge.
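
The shared-key channel of scenario 1 and the ticket exchange of scenario 2, as an added Go example (this is not code from the notes). The agreed functions $E$ and $D$ are instantiated here with AES-256-GCM from Go's standard library, and the layouts of the ticket and of Sara's response (the 32-byte key first, then the name or the ticket) are assumptions of this example. Bob refuses a ticket whose embedded name differs from the name the request claims, and a tampered or wrongly keyed ciphertext fails inside `decrypt` because of the GCM tag. As in the notes, nothing here provides freshness: a captured response or ticket can be replayed, which is exactly the issue listed under scenario 1 (Kerberos adds timestamps and ticket lifetimes for that).

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

const keyLen = 32 // every key in the scenario is a 256-bit AES key
// newKey draws a fresh random key (K_A and K_B in advance, K_AB per session).
func newKey() []byte {
	k := make([]byte, keyLen)
	if _, err := rand.Read(k); err != nil {
		panic(err)
	}
	return k
}

// gcm is the AEAD that stands in for the notes' E and D.
func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encrypt is E(K, M): a random nonce is prepended, and the GCM tag makes
// decrypt reject any ciphertext that was altered in transit.
func encrypt(key, plaintext []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// decrypt is D(K, E(K, M)); it fails on a wrong key or a tampered message.
func decrypt(key, ciphertext []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	n := aead.NonceSize()
	if len(ciphertext) < n {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, ciphertext[:n], ciphertext[n:], nil)
}

// saraIssue is step 2: mint K_AB, build the ticket {K_AB, Alice}_KB and
// return {{Ticket}_KB, K_AB}_KA. Both plaintexts carry the 32-byte key first
// (an encoding assumed by this example).
func saraIssue(kA, kB []byte, alice string) ([]byte, error) {
	kAB := newKey()
	ticket, err := encrypt(kB, append(append([]byte{}, kAB...), alice...))
	if err != nil {
		return nil, err
	}
	return encrypt(kA, append(append([]byte{}, kAB...), ticket...))
}

// aliceUnpack is step 3: Alice recovers K_AB and the (still opaque) ticket.
func aliceUnpack(kA, response []byte) ([]byte, []byte, error) {
	p, err := decrypt(kA, response)
	if err != nil || len(p) < keyLen {
		return nil, nil, errors.New("bad response from Sara")
	}
	return p[:keyLen], p[keyLen:], nil
}

// bobAccept is step 5: open the ticket with K_B, check the name inside against
// the name the request claims, then answer request R under K_AB.
func bobAccept(kB, ticket []byte, claimedName, request string) ([]byte, error) {
	p, err := decrypt(kB, ticket)
	if err != nil {
		return nil, fmt.Errorf("ticket rejected: %w", err)
	}
	if len(p) < keyLen || !bytes.Equal(p[keyLen:], []byte(claimedName)) {
		return nil, errors.New("ticket was not issued to " + claimedName)
	}
	return encrypt(p[:keyLen], []byte("granted: "+request))
}

// Demo driver; each step's error is ignored here only for brevity.
func main() {
	kA, kB := newKey(), newKey() // shared with Sara beforehand; step 1 is Alice's plaintext request
	resp, _ := saraIssue(kA, kB, "Alice")
	kAB, ticket, _ := aliceUnpack(kA, resp)
	reply, _ := bobAccept(kB, ticket, "Alice", "read notes.txt")
	plain, _ := decrypt(kAB, reply)
	fmt.Println(string(plain)) // granted: read notes.txt
}
```

The name check in `bobAccept` is what ties the ticket to Alice: Mallory who captures the ticket cannot present it as his own, because the name is inside the ciphertext under $K_B$ and cannot be edited without breaking the tag.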

### Scenario 3: Authenticated communication with public keys

Bob has a public/private key pair $<K_{Bpub}, K_{Bpriv}>$ and establishes $K_{AB}$ as follows:

1. Alice obtains a certificate that was signed by a trusted authority stating Bob's public key $K_{Bpub}$.
2. Alice creates a new shared key $K_{AB}$, encrypts it with $K_{Bpub}$ using a public-key algorithm and sends the result to Bob.
3. Bob uses the corresponding private key $K_{Bpriv}$ to decrypt it.

If they want to be sure that the message hasn't been tampered with, Alice can add an agreed value to it and Bob can check it.

Mallory might intercept Alice's initial request to a key distribution service for Bob's public-key certificate and send a response containing his own public key. He can then intercept all the subsequent messages.

### Scenario 4: Digital signatures with a secure digest function

Alice wants to publish a document $M$ in such a way that anyone can verify that it is from her.

1. Alice computes a fixed-length digest $Digest(M)$ of the document (a short value that is, in practice, unique to each document).
2. Alice encrypts the digest in her private key, appends it to $M$ and makes the resulting signed document $(M, \{Digest(M)\}_{K_{Apriv}})$ available to the intended users.
3. Bob obtains the signed document, extracts $M$ and computes $Digest(M)$.
4. Bob uses Alice's public key to decrypt $\{Digest(M)\}_{K_{Apriv}}$ and compares it with his computed digest. If they match, Alice's signature is verified.
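
Scenarios 3 and 4 carried out with RSA from Go's standard library, as an added example (not code from the notes). Key transport in scenario 3 uses RSA-OAEP, and the "encrypt the digest with the private key" step of scenario 4 is the PKCS#1 v1.5 signature over a SHA-256 digest; the key size, the OAEP label and the message text are assumptions of this example. The certificate that tells Alice which public key is Bob's (scenario 3, step 1) is out of scope here and is handled in the PKI section.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// newKeyPair generates <K_pub, K_priv>; 2048-bit RSA is the smallest size in common use.
func newKeyPair() *rsa.PrivateKey {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return key
}

// Scenario 3, step 2: Alice picks a fresh K_AB and seals it under K_Bpub.
// RSA-OAEP is the padding mode for encryption; the label (an assumption of
// this example) ties the ciphertext to its purpose.
func aliceSendKey(bobPub *rsa.PublicKey) (kAB, sealed []byte, err error) {
	kAB = make([]byte, 32)
	if _, err = rand.Read(kAB); err != nil {
		return nil, nil, err
	}
	sealed, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, bobPub, kAB, []byte("K_AB"))
	return kAB, sealed, err
}

// Scenario 3, step 3: only the holder of K_Bpriv can recover K_AB.
func bobRecoverKey(bobPriv *rsa.PrivateKey, sealed []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, bobPriv, sealed, []byte("K_AB"))
}

// Scenario 4, steps 1-2: Digest(M) is SHA-256, and "encrypting the digest with
// the private key" is the PKCS#1 v1.5 signature operation on the padded digest.
func aliceSign(alicePriv *rsa.PrivateKey, m []byte) ([]byte, error) {
	digest := sha256.Sum256(m)
	return rsa.SignPKCS1v15(rand.Reader, alicePriv, crypto.SHA256, digest[:])
}

// Scenario 4, steps 3-4: Bob recomputes Digest(M) and compares it with the
// digest recovered from the signature using K_Apub; any change to M breaks the match.
func bobVerify(alicePub *rsa.PublicKey, m, sig []byte) bool {
	digest := sha256.Sum256(m)
	return rsa.VerifyPKCS1v15(alicePub, crypto.SHA256, digest[:], sig) == nil
}

func main() {
	bob, alice := newKeyPair(), newKeyPair()

	kAB, sealed, err := aliceSendKey(&bob.PublicKey)
	if err != nil {
		panic(err)
	}
	got, err := bobRecoverKey(bob, sealed)
	fmt.Printf("Bob recovered K_AB: %v (err=%v)\n", string(got) == string(kAB), err)

	m := []byte("Pay Bob 10 pounds") // constructed sample document
	sig, _ := aliceSign(alice, m)
	fmt.Println("signature verifies:", bobVerify(&alice.PublicKey, m, sig))
	fmt.Println("after tampering:   ", bobVerify(&alice.PublicKey, []byte("Pay Bob 100 pounds"), sig))
}
```

Note that the signature is over the digest, not the document: the document itself travels in clear, as in the notes, and only its origin and integrity are protected.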

## Cryptographic Algorithms

Message $M$, key $K$, published encryption functions $E, D$

**Symmetric(secret key)**

$E(K,M)=\{M\}_K \qquad D(K,E(K,M))=M$

Same key for $E$ and $D$

$M$ must be hard (infeasible) to compute if $K$ is not known.

The usual form of attack is brute force: try all possible key values for a known pair $M, \{M\}_K$. This is resisted by making $K$ sufficiently large, around $128$ bits.

**Asymmetric(public key)**

Separate encryption and decryption keys: $K_e, K_d$

$D(K_d, E(K_e, M))=M$

Depends on the use of a trap-door function to make the keys. $E$ has a high computational cost. Very large keys are needed, > $512$ bits.

**Hybrid protocols** - used in SSL (now called TLS)

Uses asymmetric crypto to transmit the symmetric key that is then used to encrypt a session.

## Public Key Infrastructure

PKI allows you to know that a given public key belongs to a given user.

PKI builds on asymmetric encryption: each entity has two keys, public and private. Data encrypted with one key can only be decrypted with the other. The private key is known only to the entity.

The public key is given to the world encapsulated in an X.509 certificate, which is the most widely used standard format for certificates.

A Certificate Authority (CA) is an entity that issues digital certificates.

Requesting a certificate:
* Certificate Request
* Registration Authority

### Certificates

<img src="img/img46.png" width="400">

A certificate is a statement signed by an appropriate authority.

Certificate requires:
* An agreed standard format
* Agreement on the construction of chains of trust
* Expiry dates, so that certificates can be revoked

It binds a public key to a named entity called the subject. The binding is in the signature, which is issued by another entity called the issuer (the CA).

Certificates can act as credentials, i.e. evidence of a principal's right to access a resource. The two certificates shown above could act as credentials for Alice to operate on her bank account; she would also need to add her public key certificate.
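
The three requirements listed above (standard format, chains of trust, expiry dates) in working form, as an added Go example using the standard library's `crypto/x509` (this is not code from the notes, and the CA name, subject name and validity periods are constructed for the example). A root authority signs its own certificate, issues one to a subject, and a relying party verifies the subject's certificate by building a chain back to the root it trusts; a certificate presented past its expiry, or issued by an authority the relying party does not hold, is refused.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// authority is a CA: its own certificate plus the private key that signs statements.
type authority struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// newSubjectKey creates a P-256 key pair for a CA or a subject.
func newSubjectKey() *ecdsa.PrivateKey {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return key
}

// newAuthority makes a self-signed root: "this key belongs to <name>", signed
// by that same key. Nothing vouches for a root, so it must be trusted out of band.
func newAuthority(name string, validFor time.Duration) (*authority, error) {
	key := newSubjectKey()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(validFor),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &authority{cert: cert, key: key}, nil
}

// issue binds a subject name to a public key. The binding lives in the issuer's
// signature; NotAfter bounds how long the statement is valid.
func (a *authority) issue(subject string, pub *ecdsa.PublicKey, validFor time.Duration) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: subject},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(validFor),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, a.cert, pub, a.key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verify is the relying party's side: build a chain of trust from cert up to a
// root it already holds, and require every certificate to be valid at time at.
// A certificate signed by an unknown issuer, or one past NotAfter, is rejected.
func verify(cert, trustedRoot *x509.Certificate, at time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedRoot)
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:       roots,
		CurrentTime: at,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	return err
}

func main() {
	ca, err := newAuthority("Example Root CA", 10*365*24*time.Hour)
	if err != nil {
		panic(err)
	}
	aliceKey := newSubjectKey()
	aliceCert, err := ca.issue("alice@example.com", &aliceKey.PublicKey, 30*24*time.Hour)
	if err != nil {
		panic(err)
	}
	fmt.Println("valid now:   ", verify(aliceCert, ca.cert, time.Now()))
	fmt.Println("after expiry:", verify(aliceCert, ca.cert, time.Now().Add(31*24*time.Hour)))
	rogue, _ := newAuthority("Rogue CA", 24*time.Hour)
	fmt.Println("wrong root:  ", verify(aliceCert, rogue.cert, time.Now()))
}
```

The "wrong root" case is the check that defeats the substitution described in scenario 3: a certificate for Bob's key is only useful to Alice if the signature on it chains to an authority she already trusts.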

# Access Control

A protection domain is a set of $<resource, rights>$ pairs.

Two main approaches to implementation:
* Access control list (ACL) associated with each object, e.g. Unix file access permissions.
* Capabilities associated with principals: like a key allowing the holder access to certain operations on a specified resource. Format: $<resource id, permitted operations, authentication code>$.
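
The two approaches side by side, as an added Go example (not code from the notes): an ACL kept with the object, and a capability in the notes' format $<resource id, permitted operations, authentication code>$ where the authentication code is an HMAC-SHA256 under a key held only by the server. The resource names, operations and NUL field separator are assumptions of this example.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"strings"
)

// rights is the set of operations permitted on one resource; an ACL is kept
// with the object and maps each principal to its rights (cf. Unix permissions).
type rights map[string]bool
type acl map[string]rights

// aclAllows is the object-side decision: look the principal up in the list.
// An unknown principal has no entry and therefore no rights.
func aclAllows(list acl, principal, op string) bool {
	return list[principal][op]
}

// A capability is held by the principal instead:
// <resource id, permitted operations, authentication code>.
type capability struct {
	Resource string
	Ops      []string
	Code     []byte
}

// authCode is the authentication code: an HMAC under a key known only to the
// server, over the resource id and the operations. Names are assumed not to
// contain NUL, which this example uses as the field separator.
func authCode(serverKey []byte, resource string, ops []string) []byte {
	m := hmac.New(sha256.New, serverKey)
	m.Write([]byte(resource + "\x00" + strings.Join(ops, "\x00")))
	return m.Sum(nil)
}

// mint is what the server hands out when it grants access.
func mint(serverKey []byte, resource string, ops ...string) capability {
	return capability{Resource: resource, Ops: ops, Code: authCode(serverKey, resource, ops)}
}

// capAllows checks the code first (hmac.Equal is constant-time), so a holder who
// edits the resource id or adds an operation is refused, then checks the operation.
func capAllows(serverKey []byte, c capability, resource, op string) bool {
	if !hmac.Equal(c.Code, authCode(serverKey, c.Resource, c.Ops)) {
		return false // forged or altered capability
	}
	if c.Resource != resource {
		return false
	}
	for _, o := range c.Ops {
		if o == op {
			return true
		}
	}
	return false
}

func main() {
	// ACL approach: the decision data lives with the object (constructed sample).
	notes := acl{"alice": rights{"read": true, "write": true}, "bob": rights{"read": true}}
	fmt.Println("ACL, bob write:", aclAllows(notes, "bob", "write")) // false

	// Capability approach: the decision data travels with the principal.
	serverKey := make([]byte, 32)
	if _, err := rand.Read(serverKey); err != nil {
		panic(err)
	}
	bobCap := mint(serverKey, "file:/home/alice/notes", "read")
	fmt.Println("cap, bob read: ", capAllows(serverKey, bobCap, "file:/home/alice/notes", "read")) // true
	forged := capability{Resource: bobCap.Resource, Ops: []string{"read", "write"}, Code: bobCap.Code}
	fmt.Println("cap, forged:   ", capAllows(serverKey, forged, "file:/home/alice/notes", "write")) // false
}
```

The capability in the notes' format names no principal, so it is a bearer token: anyone who obtains it can use it, which is why capabilities are normally sent only over a secure channel and given short lifetimes.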

# Kerberos authentication and key distribution service

It secures communication with servers on a local network.

Standardized and now included in many operating systems such as Linux, Windows XP, Windows 8.

The Kerberos server creates a shared secret key for any required server and sends it (encrypted) to the user's computer.

The user's password is the initial secret shared with Kerberos.

<img src="img/img47.png" width="500">

## Kerberized NFS

The Kerberos protocol is too costly to apply on each NFS operation.

Kerberos is used in the mount service:
* to authenticate the user's identity;
* the user's UserID and GroupID are then stored at the server together with the client's IP address.

For each file request:
* UserID and GroupID are sent encrypted under the shared session key
* The UserID and GroupID must match those stored at the server
* IP addresses must also match

This approach has some problems:
* can't accommodate multiple users sharing the same client computer
* all remote file stores must be mounted each time a user logs in

# The Secure Socket Layer (SSL)

Key distribution and secure channels for Internet commerce
* Hybrid protocol; depends on public-key cryptography
* Provides the security in all web servers and browsers and in secure versions of Telnet, FTP and other network applications

Key feature: **negotiable encryption and authentication algorithms**. In an open network we should NOT assume that all parties use the same client software, or that all client/server software includes a particular encryption algorithm.

To meet the need for secure communication without previous negotiation or help from third parties, the secure channel is established using a hybrid scheme.

The secure channel is fully configurable.

The details of the TLS protocol are standardized, and several software libraries and toolkits are available to support it.

TLS consists of two layers:
* TLS Record Protocol Layer: implements a secure channel, encrypting and authenticating messages transmitted through any connection-oriented protocol. It is realized at the session layer.
* Handshake Layer: contains the handshake protocol and two other related protocols that establish and maintain a TLS session (i.e. a secure channel) between client and server.

Both layers are implemented by software libraries at the application level in the client and the server.