Notes on Security in Distributed Systems II | CS 425, Study notes of Computer Science

Material Type: Notes; Class: Distributed Systems; Subject: Computer Science; University: University of Illinois - Urbana-Champaign; Term: Unknown 2006;

Uploaded on 03/16/2009

©2006, Mehdi T. Harandi, All Rights Reserved
Lecture 26-1

Computer Science 328
Distributed Systems

Lecture 26
Security in Distributed Systems - II

Digital Signatures

- Cryptography is also used to verify that a message or document is a true copy by verified signature.

[Figure: Digital Signature Using Public-Private Keys. Labels: A, B; message m; A's Priv. Key KA-; B's PubKey KB+; B's Priv. Key KB-; A's PubKey KA+; <m, {m}KA->, KB+.]

[Figure: Digital Signature Using Message Digest. Labels: A, B; message m; Digest Function (at A and at B); A's Priv. Key KA-; A's PubKey KA+; <m, D(m)>, KA-; D(m); Compare.]

Access Control

Control of access to resources of a server.

A basic form of access control checks <principal, op, resource> requests for:
  - Authenticity of the principal or its credentials.
  - Access rights for the requested resource & op.

Alternatively, the server may issue keys, called capabilities, to authenticated clients, for specific <resource, op> pairs. Potential problems: stolen keys, key revocation.

Access lists associate a list of the form <domain, op> with each resource.
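
The two mechanisms on this slide as an added Python example (not from the lecture notes): an access-list check on a <principal, op, resource> request, and a server-issued capability for one <resource, op> pair. The HMAC-tagged token format, all names, the sample access list and the revocation set are assumptions made for illustration.

```python
import hashlib
import hmac

SERVER_KEY = b"constructed-demo-key"  # constructed value; a real server uses a random secret

# Access list: each resource carries a list of <domain, op> entries (sample data).
ACL = {"/reports/q1.txt": {("staff", "read"), ("admin", "read"), ("admin", "write")}}
DOMAIN_OF = {"alice": "admin", "bob": "staff"}  # authenticated principal -> domain
REVOKED = set()  # serial numbers of withdrawn capabilities


def acl_check(principal, op, resource):
    """Check a <principal, op, resource> request against the resource's access list."""
    domain = DOMAIN_OF.get(principal)  # unknown principal: not authenticated
    return domain is not None and (domain, op) in ACL.get(resource, set())


def issue_capability(principal, op, resource, serial):
    """Issue a capability for one <resource, op> pair, only if the access list allows it."""
    if not acl_check(principal, op, resource):
        return None
    body = f"{serial}|{resource}|{op}"
    tag = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}|{tag}"


def capability_check(cap, op, resource):
    """Validate a presented capability. No principal is consulted: whoever
    holds the token is accepted, which is why a stolen key is a problem."""
    try:
        serial, cap_res, cap_op, tag = cap.split("|")
    except (ValueError, AttributeError):
        return False  # malformed token
    body = f"{serial}|{cap_res}|{cap_op}"
    expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return False  # forged or altered capability
    if serial in REVOKED:
        return False  # revocation requires state kept at the server
    return (cap_res, cap_op) == (resource, op)


def revoke(cap):
    """Withdraw a capability by recording its serial number."""
    REVOKED.add(cap.split("|")[0])
```

The capability check never looks at who is asking, so the server must keep a revocation set to withdraw a token that has leaked; the access-list check needs no such state but requires the principal to be authenticated on every request.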

Focus of Access Control

- Three approaches for protection against security threats:
  a) Protection against invalid operations
  b) Protection against unauthorized invocations
  c) Protection against unauthorized users

Credentials

A set of evidence by a principal to gain access rights to a resource, e.g. a private key or a certificate from an authority.

A credential speaks for a principal.

Credentials may require cooperation of more than one authority (co-signing).

A delegation certificate allows one principal to act on behalf of another, e.g. a print server needs read access to a remote file by delegation.

Role-based credentials are useful in collaborative systems.

Firewalls

- Processes to monitor & control all communications into/out of an intranet, for:
  - Service Control
  - Behavior Control
  - User Control
- Firewall filtering can be done at different levels:
  - IP packet filtering
  - TCP Gateway filtering
  - Application Gateway filtering

Firewall Configuration

- A common implementation of a firewall.

Firewall Configurations

[Figure: three firewall configurations, each attached to the Internet: Filtering Router; Filtering w/ Bastion; Screened Subnet. Component labels: filter, Bastion, Web/ftp server.]

SSL Protocol Stack

[Figure: SSL protocol stack, top to bottom:
  SSL Handshake protocol | SSL Change Cipher Spec | SSL Alert Protocol | HTTP | Telnet
  SSL Record Protocol
  Transport layer (usually TCP)
  Network layer (usually IP)
Legend: SSL protocols; Other protocols.]

SSL Protocols

[Figure: The Handshake Protocol. Messages numbered 1 to 11 exchanged between Client and Server, grouped as: Establish: session ID, cipher suite, compression method, etc.; Server certificate & verification, request certificate; Client certificate and verification; Change cipher suite & finish.]

[Figure: The Record Protocol. Appl. Data (abcdefghi) -> Fragment/combine -> Record Units (abc, def, ghi) -> Compress -> Comp. Units -> Hash -> Encrypt -> Encrypted -> TCP Packet.]