Michele Vincent, profile picture
Uploaded byMichele Vincent
PPT, PDF431 views

dos_security_final

This document discusses security aspects in distributed operating systems. It covers authentication methods like symmetric cryptography and public key cryptography. It also discusses authorization mechanisms like access control matrices, lists and capabilities. The document proposes a design for distributed authentication using public key Kerberos and distributed authorization using trust management systems. It concludes that current security in distributed OS still relies on traditional centralized mechanisms and that alternatives like trust management systems are still immature.

Embed presentation

Download to read offline
02/01/1502/01/15 11 Security Aspects in Distributed Operating Systems CPSC 551 – Distributed Operating Systems Presented by: Cynthia Michele Vincent
02/01/15 2 Overview  Introduction  Authentication in OS & Distributed OS  Authorization in OS & Distributed OS  Authorization in Amoeba  Suggested Design using  Distributed Authentication  Distributed Authorization  Conclusion
02/01/15 3 Introduction  Why security?  Necessary to avoid unintentional or malicious attempts that affects the integrity of the system  Difference between security in OS and security in Distributed OS  One of the functions of OS  Authenticate and authorize users  One of the functions of Distributed OS  Authenticate and authorize users • To handle security across multiple computers, global tables need to be  Created  Maintained  Accessed
02/01/15 4 Authentication  Are you really who you say you are?  Authentication in Centralized Systems  Authentication in Distributed Systems  EavesdroppingEavesdropping • Symmetric Cryptography, Public-Key Cryptography  TrustTrust • Certificate Authorities (CA), KDC  Multiple Password ManagementMultiple Password Management • Kerberos, X.509  ReplayReplay • Sequence numbers, Timestamp, Nonce
02/01/15 5 Symmetric Cryptography  To deal with eavesdropping  Shared common key to encrypt and decrypt  Requires a key distribution center (KDC)  Issue is secure key distribution Source: Stallings
02/01/15 6 Public Key Cryptography  To deal with eavesdropping  No shared common key: public key, private key  Addresses key distribution with no KDC  Addresses digital signatures Source: Stallings
02/01/15 7 Certificate Authorities  To deal with trust  A certificate binds identity to public key  Contents signed by a trusted 3rd party  Different trust models / Hierarchy of Trust Source: Stallings 1 2
02/01/15 8 Kerberos  To deal with multiple password management  Provides access transparency Source: Stallings
02/01/15 9 Nonce  To deal with replay  Timestamp, counter, random number  Transformation of a nonce performs an authentication function Source: Stallings 3 4 5
02/01/15 10 Authorization  Granting access rights / verifying access rights  Authorization in Centralized Systems  Access Control Matrix  Access Control List (ACL)  Capability  Security Policies  Authorization in Distributed Systems  Mechanisms are the same – ACLs, CapabilityMechanisms are the same – ACLs, Capability  Issues related to mechanismsIssues related to mechanisms • Centralized • Delegation • Revocation • Flexibility  Solution that addresses those issuesSolution that addresses those issues • Trust management systems
02/01/15 11 Reference Monitor  General model of controlling access to objects  A program that records which subject may do what and decides Source: Raytheon Systems Audit Logs Objects Access Control Database Request for operation Reference Monitor within OS Authorized Request Subjects What’s in this db? Subjects: Processes, Users, Applications Objects: records, blocks, pages, segments, files, directories, directory trees, programs, bits, bytes, words, fields, video displays, keyboards, clocks, printers
02/01/15 12 Access Control Matrix  Mechanism for implementing access control File 1 File 2 File 3 File 4 Person 1 Person 2 Person 3 Person 4 Objects Subjects RWE R E W Access Rights: R = read; W = write; E = execute R E
02/01/15 13 Access Control List  The matrix is distributed column-wise  Each object maintains a list of the access rights of subjects  Empty entries are left out  Must be scanned each time any subject accesses an object  Revocation is trivial  Delegation can’t be done Source: Tanenbaum
02/01/15 14 Capability  Rows of access matrix corresponding to each subject  Give each subject a list of capabilities it has for each object  No capability = No access rights  Like a ticket but must be unforgeable  Revocation is infeasible  Delegation is trivial  High-level administrative authorities can certify lower-level authorities Source: Tanenbaum
02/01/15 15 An Example: Amoeba  Capability-Based System  Generation of a restricted capability from an owner capability Source: Mullender Source: Tanenbaum
02/01/15 16 Security Policies  Discretionary  Mandatory  Identity-Based  Role-Based  Policy-Based  Content-Dependent  Context-Based  View-Based Role-Role- BasedBased AccessAccess ControlControl RoleRole AssignmentAssignment Role Action Resource Roles/Groups table Policy Role-Based Access Control LoginLogin (ID, password)(ID, password) ID Password File Identity-Identity- BasedBased AccessAccess ControlControl LoginLogin (ID, password)(ID, password) UserID, Password UserID Action Resource Password File Policy Identity-Based Access Control Source: Hertzberg
02/01/15 17 Role-Based Access Control Advantages  Flexibility  Granularity of system privilege management  Useful in applications with  A large number of users with  Overlapping user requirements, and  When there is a large number of objects • System privileges are grouped according to their logical association to form roles • Administration of privileges is easier  2K
02/01/15 18 Role-Based Access Control Disadvantages  RBAC was developed for access control in a single organization  A role name is an atomic string  Complexity  Analysis associated with determining system privileges  Understanding the implications of their assignment • Reduce it by decomposing roles into sub-roles
02/01/15 19 Issues  Granularity and labor-intensive management  Flexibility but complexity  If mechanisms are not expressible and flexible  Policy elements must be hard-coded into applications • Changes in security will require  Reconfiguration  Rebuilding  Rewriting of applications  Different applications needs different access- granting/restricting policies • Must adapt to changing environment to deal with changing threats  More complex security policies needed in distributed operating systems
02/01/15 20 Issues (Cont’d)  If mechanisms enforce uniform and implicit policies and trust relations  How can we handle those entities wishing to have a different trust model?  If mechanisms have high level admin authorities that cannot directly specify overall security policy  There would be inconsistencies among locally specified sub-policies. CSU CSUF CSUDH A B C
02/01/15 21 Trust Management Systems  Developed as an answer to the inadequacy of traditional authorization mechanisms  Handles other weak points of ACLs and Capability  Revocation  Delegation  A common language for policies, credentials and trust relationships  Handles security completely and consistently  Handles security in a transparent manner
02/01/15 22  Systematic approach for specifying what’s allowed & for managing  Security policiesSecurity policies  User credentialsUser credentials  Trust relationshipsTrust relationships  Composed of languages that  Describe actionsDescribe actions  Specifies policiesSpecifies policies  Specifies credentialsSpecifies credentials  Consists of mechanisms for  Identifying principalsIdentifying principals  Checking complianceChecking compliance Trust Management Systems (Cont’d)
02/01/15 23 Suggested Design Distributed Authentication  Public Key-Based Kerberos  Requires public key operations each time a service ticket is required  Operations are distributed among the users and the services rather than concentrating them at the KDC  Fully distributed authentication between the users and the services using public key cryptography means  No need to maintain symmetric keys with the KDC  No more KDC to be compromised  Only the CA remains the trusted intermediary
02/01/15 24  Trust management systems Suggested Design Distributed Authorization Credential System Local Policy db Application Signed Credentials Local Policies Key and Action Description Response Compliance Checker (Interpreter) Credentials Action Requests Trust Boundary y = tms(r, c, p)
02/01/15 25 Summary  Differences in  Authentication in OS and distributed OS  Authorization in OS and distributed OS  Concerns in authentication in distributed OS  Answers (encryption, etc.)  Issues in security policies & mechanisms used for authorization in distributed OS  Suggested design  Distributed authentication – Public-Key Kerberos  Distributed authorization – Trust Management Systems
02/01/15 26 Conclusion  A secure distributed OS design depends on  Ability to protect the flow of information through the system  Fine-grain access control  Decentralized solutions  Where are we?  Still using the traditional mechanisms  Why haven’t we moved?  Lack of alternatives suited for distributed OS  Infancy -- Trust management systems and other language/compiler-based protection systems

More Related Content

PDF
SUPPORTING SECURITY THROUGH NEXT GEN IDENTITY GOVERNANCE - #MFSummit2017
byMicro Focus
 
PDF
PROTECT AND SURVIVE – SAFEGUARDING YOUR INFORMATION ASSETS - #MFSummit2017
byMicro Focus
 
PDF
10 Steps to Better Windows Privileged Access Management
byBeyondTrust
 
PDF
Softvative Microsoft Sharepoint Brainstorming plan V1.1
byFaisal Masood
 
PPTX
PCI DSS Reporting Requirements for People Who Hate PCI DSS Reporting
byAlienVault
 
PPTX
Compliance in Virtualized Environments
bySeccuris Inc.
 
PPTX
How to Simplify PCI DSS Compliance with AlienVault USM
byAlienVault
 
PDF
Tips to Remediate your Vulnerability Management Program
byBeyondTrust
 
SUPPORTING SECURITY THROUGH NEXT GEN IDENTITY GOVERNANCE - #MFSummit2017
byMicro Focus
 
PROTECT AND SURVIVE – SAFEGUARDING YOUR INFORMATION ASSETS - #MFSummit2017
byMicro Focus
 
10 Steps to Better Windows Privileged Access Management
byBeyondTrust
 
Softvative Microsoft Sharepoint Brainstorming plan V1.1
byFaisal Masood
 
PCI DSS Reporting Requirements for People Who Hate PCI DSS Reporting
byAlienVault
 
Compliance in Virtualized Environments
bySeccuris Inc.
 
How to Simplify PCI DSS Compliance with AlienVault USM
byAlienVault
 
Tips to Remediate your Vulnerability Management Program
byBeyondTrust
 

What's hot

PPTX
Defending broken access control in .NET
bySupriya G
 
PDF
Securing DevOps through Privileged Access Management
byBeyondTrust
 
PDF
Windows Host Access Management with CA Access Control
bywebhostingguy
 
PDF
Using Advanced Threat Analytics to Prevent Privilege Escalation Attacks
byBeyondTrust
 
PPTX
Dell Password Manager Introduction
byAidy Tificate
 
PDF
Bluedog white paper - Our WebObjects Web Security Model
bytom termini
 
PDF
Update to PCI DSS v3.2
byNasos Panagiotidis
 
PPTX
Authentication and Access Control in e-Health Systems in the Cloud Computing
byNafiseh-Kahani
 
PPT
Sql Server Security
byVinod Kumar
 
PPTX
vBrownbag EMEA VCAP6-DCV Design Objcetive 2.7 on Security in Logical Designs
byLarus Hjartarson
 
PPTX
Otx introduction sw
byAlienVault
 
PPT
Session 10 Tp 10
bygithe26200
 
PDF
Event log monitoring for the pci dss
bySarahLamusu
 
PPTX
Authentication vs authorization
byFrank Victory
 
PPT
OWASP Logging Project - Presentation at IBWAS09
byMarcChisinevski
 
PPTX
Privileged Access Management - 2016
byLance Peterman
 
PPTX
Decrypting the security mystery with SIEM (Part 1) ​
byZoho Corporation
 
PPT
Module – implement security
byArshad Havaldar
 
PDF
Google GCP-PCSE Certificate Is Your Best Choice
byAmaaira Johns
 
PPTX
Overview of Microsoft Sql Server Security
byGary Manley, MA, PMP
 
Defending broken access control in .NET
bySupriya G
 
Securing DevOps through Privileged Access Management
byBeyondTrust
 
Windows Host Access Management with CA Access Control
bywebhostingguy
 
Using Advanced Threat Analytics to Prevent Privilege Escalation Attacks
byBeyondTrust
 
Dell Password Manager Introduction
byAidy Tificate
 
Bluedog white paper - Our WebObjects Web Security Model
bytom termini
 
Update to PCI DSS v3.2
byNasos Panagiotidis
 
Authentication and Access Control in e-Health Systems in the Cloud Computing
byNafiseh-Kahani
 
Sql Server Security
byVinod Kumar
 
vBrownbag EMEA VCAP6-DCV Design Objcetive 2.7 on Security in Logical Designs
byLarus Hjartarson
 
Otx introduction sw
byAlienVault
 
Session 10 Tp 10
bygithe26200
 
Event log monitoring for the pci dss
bySarahLamusu
 
Authentication vs authorization
byFrank Victory
 
OWASP Logging Project - Presentation at IBWAS09
byMarcChisinevski
 
Privileged Access Management - 2016
byLance Peterman
 
Decrypting the security mystery with SIEM (Part 1) ​
byZoho Corporation
 
Module – implement security
byArshad Havaldar
 
Google GCP-PCSE Certificate Is Your Best Choice
byAmaaira Johns
 
Overview of Microsoft Sql Server Security
byGary Manley, MA, PMP
 

Similar to dos_security_final

PPT
Chapter 5-Security Mechanisms and Techniques.ppt
byLina Shimelis
 
PPT
Protection and Security in Operating Systems
byvampugani
 
PPTX
Protection in general purpose operating system
byPrachi Gulihar
 
PPTX
System Security Sem 2(Module 1).pptx
byrahulkumarcscsf21
 
PPT
20-security.ppt
byajajkhan16
 
PPTX
Week No 13 Access Control Part 1.pptx
byXhamiiiCH
 
PPT
Access Control
byazida3
 
PPT
14-accessCtrl.ppt
byCNSHacking
 
PPT
Design for security in operating system
byBhagyashree Barde
 
PPTX
Least privilege, access control, operating system security
byPrachi Gulihar
 
PPT
Access control (authorisation) in distributed systems.ppt
byangeldna767
 
PPT
Access control (authorization) in distributed systems.ppt
byDesalegn70
 
PPT
2. access control
by7wounders
 
PPT
lecture7-accesscontroool_ct1405.pptx.ppt
bymaneltighiouart7
 
PPTX
System protection in Operating System
bysohaildanish
 
PPTX
Survey of file protection techniques
byPrachi Gulihar
 
PDF
Distributed Operating System Resource Security And Protection: Access and Flo...
byAki Akshaya.D
 
PPTX
resource security and protection in distributed system
bysathiabama40
 
PPT
Authentication and authorization difference
bySaurabh846965
 
PPT
Access control mechanism (DAC, MAC and RBAC).ppt
byDAKSHATAPANCHAL2
 
Chapter 5-Security Mechanisms and Techniques.ppt
byLina Shimelis
 
Protection and Security in Operating Systems
byvampugani
 
Protection in general purpose operating system
byPrachi Gulihar
 
System Security Sem 2(Module 1).pptx
byrahulkumarcscsf21
 
20-security.ppt
byajajkhan16
 
Week No 13 Access Control Part 1.pptx
byXhamiiiCH
 
Access Control
byazida3
 
14-accessCtrl.ppt
byCNSHacking
 
Design for security in operating system
byBhagyashree Barde
 
Least privilege, access control, operating system security
byPrachi Gulihar
 
Access control (authorisation) in distributed systems.ppt
byangeldna767
 
Access control (authorization) in distributed systems.ppt
byDesalegn70
 
2. access control
by7wounders
 
lecture7-accesscontroool_ct1405.pptx.ppt
bymaneltighiouart7
 
System protection in Operating System
bysohaildanish
 
Survey of file protection techniques
byPrachi Gulihar
 
Distributed Operating System Resource Security And Protection: Access and Flo...
byAki Akshaya.D
 
resource security and protection in distributed system
bysathiabama40
 
Authentication and authorization difference
bySaurabh846965
 
Access control mechanism (DAC, MAC and RBAC).ppt
byDAKSHATAPANCHAL2
 

More from Michele Vincent

PPTX
Predictive Analytics, Predicting LIkely Donors and Donation Amounts
byMichele Vincent
 
PPTX
Predicting Likely Donors and Donation Amounts
byMichele Vincent
 
DOC
resume_mchlvincent_jun2016
byMichele Vincent
 
PDF
Michele Vincent, Marketing Analytics Professional
byMichele Vincent
 
PPT
MRegressionAnalysis
byMichele Vincent
 
DOC
srs_for_linkedin
byMichele Vincent
 
Predictive Analytics, Predicting LIkely Donors and Donation Amounts
byMichele Vincent
 
Predicting Likely Donors and Donation Amounts
byMichele Vincent
 
resume_mchlvincent_jun2016
byMichele Vincent
 
Michele Vincent, Marketing Analytics Professional
byMichele Vincent
 
MRegressionAnalysis
byMichele Vincent
 
srs_for_linkedin
byMichele Vincent
 

dos_security_final

  • 1.
    02/01/1502/01/15 11 Security Aspects in DistributedOperating Systems CPSC 551 – Distributed Operating Systems Presented by: Cynthia Michele Vincent
  • 2.
    02/01/15 2 Overview  Introduction Authentication in OS & Distributed OS  Authorization in OS & Distributed OS  Authorization in Amoeba  Suggested Design using  Distributed Authentication  Distributed Authorization  Conclusion
  • 3.
    02/01/15 3 Introduction  Whysecurity?  Necessary to avoid unintentional or malicious attempts that affects the integrity of the system  Difference between security in OS and security in Distributed OS  One of the functions of OS  Authenticate and authorize users  One of the functions of Distributed OS  Authenticate and authorize users • To handle security across multiple computers, global tables need to be  Created  Maintained  Accessed
  • 4.
    02/01/15 4 Authentication  Areyou really who you say you are?  Authentication in Centralized Systems  Authentication in Distributed Systems  EavesdroppingEavesdropping • Symmetric Cryptography, Public-Key Cryptography  TrustTrust • Certificate Authorities (CA), KDC  Multiple Password ManagementMultiple Password Management • Kerberos, X.509  ReplayReplay • Sequence numbers, Timestamp, Nonce
  • 5.
    02/01/15 5 Symmetric Cryptography To deal with eavesdropping  Shared common key to encrypt and decrypt  Requires a key distribution center (KDC)  Issue is secure key distribution Source: Stallings
  • 6.
    02/01/15 6 Public KeyCryptography  To deal with eavesdropping  No shared common key: public key, private key  Addresses key distribution with no KDC  Addresses digital signatures Source: Stallings
  • 7.
    02/01/15 7 Certificate Authorities To deal with trust  A certificate binds identity to public key  Contents signed by a trusted 3rd party  Different trust models / Hierarchy of Trust Source: Stallings 1 2
  • 8.
    02/01/15 8 Kerberos  Todeal with multiple password management  Provides access transparency Source: Stallings
  • 9.
    02/01/15 9 Nonce  Todeal with replay  Timestamp, counter, random number  Transformation of a nonce performs an authentication function Source: Stallings 3 4 5
  • 10.
    02/01/15 10 Authorization  Grantingaccess rights / verifying access rights  Authorization in Centralized Systems  Access Control Matrix  Access Control List (ACL)  Capability  Security Policies  Authorization in Distributed Systems  Mechanisms are the same – ACLs, CapabilityMechanisms are the same – ACLs, Capability  Issues related to mechanismsIssues related to mechanisms • Centralized • Delegation • Revocation • Flexibility  Solution that addresses those issuesSolution that addresses those issues • Trust management systems
  • 11.
    02/01/15 11 Reference Monitor General model of controlling access to objects  A program that records which subject may do what and decides Source: Raytheon Systems Audit Logs Objects Access Control Database Request for operation Reference Monitor within OS Authorized Request Subjects What’s in this db? Subjects: Processes, Users, Applications Objects: records, blocks, pages, segments, files, directories, directory trees, programs, bits, bytes, words, fields, video displays, keyboards, clocks, printers
  • 12.
    02/01/15 12 Access ControlMatrix  Mechanism for implementing access control File 1 File 2 File 3 File 4 Person 1 Person 2 Person 3 Person 4 Objects Subjects RWE R E W Access Rights: R = read; W = write; E = execute R E
  • 13.
    02/01/15 13 Access ControlList  The matrix is distributed column-wise  Each object maintains a list of the access rights of subjects  Empty entries are left out  Must be scanned each time any subject accesses an object  Revocation is trivial  Delegation can’t be done Source: Tanenbaum
  • 14.
    02/01/15 14 Capability  Rowsof access matrix corresponding to each subject  Give each subject a list of capabilities it has for each object  No capability = No access rights  Like a ticket but must be unforgeable  Revocation is infeasible  Delegation is trivial  High-level administrative authorities can certify lower-level authorities Source: Tanenbaum
  • 15.
    02/01/15 15 An Example:Amoeba  Capability-Based System  Generation of a restricted capability from an owner capability Source: Mullender Source: Tanenbaum
  • 16.
    02/01/15 16 Security Policies Discretionary  Mandatory  Identity-Based  Role-Based  Policy-Based  Content-Dependent  Context-Based  View-Based Role-Role- BasedBased AccessAccess ControlControl RoleRole AssignmentAssignment Role Action Resource Roles/Groups table Policy Role-Based Access Control LoginLogin (ID, password)(ID, password) ID Password File Identity-Identity- BasedBased AccessAccess ControlControl LoginLogin (ID, password)(ID, password) UserID, Password UserID Action Resource Password File Policy Identity-Based Access Control Source: Hertzberg
  • 17.
    02/01/15 17 Role-Based AccessControl Advantages  Flexibility  Granularity of system privilege management  Useful in applications with  A large number of users with  Overlapping user requirements, and  When there is a large number of objects • System privileges are grouped according to their logical association to form roles • Administration of privileges is easier  2K
  • 18.
    02/01/15 18 Role-Based AccessControl Disadvantages  RBAC was developed for access control in a single organization  A role name is an atomic string  Complexity  Analysis associated with determining system privileges  Understanding the implications of their assignment • Reduce it by decomposing roles into sub-roles
  • 19.
    02/01/15 19 Issues  Granularityand labor-intensive management  Flexibility but complexity  If mechanisms are not expressible and flexible  Policy elements must be hard-coded into applications • Changes in security will require  Reconfiguration  Rebuilding  Rewriting of applications  Different applications needs different access- granting/restricting policies • Must adapt to changing environment to deal with changing threats  More complex security policies needed in distributed operating systems
  • 20.
    02/01/15 20 Issues (Cont’d) If mechanisms enforce uniform and implicit policies and trust relations  How can we handle those entities wishing to have a different trust model?  If mechanisms have high level admin authorities that cannot directly specify overall security policy  There would be inconsistencies among locally specified sub-policies. CSU CSUF CSUDH A B C
  • 21.
    02/01/15 21 Trust ManagementSystems  Developed as an answer to the inadequacy of traditional authorization mechanisms  Handles other weak points of ACLs and Capability  Revocation  Delegation  A common language for policies, credentials and trust relationships  Handles security completely and consistently  Handles security in a transparent manner
  • 22.
    02/01/15 22  Systematicapproach for specifying what’s allowed & for managing  Security policiesSecurity policies  User credentialsUser credentials  Trust relationshipsTrust relationships  Composed of languages that  Describe actionsDescribe actions  Specifies policiesSpecifies policies  Specifies credentialsSpecifies credentials  Consists of mechanisms for  Identifying principalsIdentifying principals  Checking complianceChecking compliance Trust Management Systems (Cont’d)
  • 23.
    02/01/15 23 Suggested Design DistributedAuthentication  Public Key-Based Kerberos  Requires public key operations each time a service ticket is required  Operations are distributed among the users and the services rather than concentrating them at the KDC  Fully distributed authentication between the users and the services using public key cryptography means  No need to maintain symmetric keys with the KDC  No more KDC to be compromised  Only the CA remains the trusted intermediary
  • 24.
    02/01/15 24  Trustmanagement systems Suggested Design Distributed Authorization Credential System Local Policy db Application Signed Credentials Local Policies Key and Action Description Response Compliance Checker (Interpreter) Credentials Action Requests Trust Boundary y = tms(r, c, p)
  • 25.
    02/01/15 25 Summary  Differencesin  Authentication in OS and distributed OS  Authorization in OS and distributed OS  Concerns in authentication in distributed OS  Answers (encryption, etc.)  Issues in security policies & mechanisms used for authorization in distributed OS  Suggested design  Distributed authentication – Public-Key Kerberos  Distributed authorization – Trust Management Systems
  • 26.
    02/01/15 26 Conclusion  Asecure distributed OS design depends on  Ability to protect the flow of information through the system  Fine-grain access control  Decentralized solutions  Where are we?  Still using the traditional mechanisms  Why haven’t we moved?  Lack of alternatives suited for distributed OS  Infancy -- Trust management systems and other language/compiler-based protection systems

Editor's Notes

  • #3 The purpose of my research paper is to identify the concerns and the issues in the security of distributed operating systems. It is also intended to discover and study the solutions proposed and/or propose an alternative solution.
  • #4 Security and Protection (page 658 Silverschatz) Security is not unique in OS, although it becomes more important in DOS because of the issues surrounding the nature of DOS. Concerns over protection of data from unauthorized users and unauthorized accesses escalates as resources become distributed over multiple systems. In centralized systems, we only have to worry about the user that’s been authenticated onto that system. The user in a centralized system can do harm only to the nodes attached to the centralized system within a specific area. In DOS, we also have to worry about users migrating from elsewhere in the public network.
  • #5 The question above would involve verification of a valid user. The mechanism used is username and password. What’s the difference between authentication on COS, and authentication in DOS? Authentication in OS – every user can be authenticated everytime he logs in. In NS – same can be done by remote log-in. User can be authenticated again. In DS – it would be impractical because it is supposed to be transparent. Authentication in network operating system would require a remote-login. A distributed operating system must also accommodate the following concerns: eavesdropping, multiple password management, replay, and trust [Galli].
  • #6 To deal with eavesdropping, symmetric cryptosystems can be used. It uses a shared common key to encrypt and decrypt. The problem with symmetric key cryptosystems is that the users are forced to share their keys. In the figure above, authentication scheme is shown using the secret key being used for encryption. Whoever shares the same secret key can decrypt a ciphertext. Since the secret key is shared with only 1 person, if a message is encrypted by the shared secret key, it authenticates the sender since the sender is the only one who could have prepared the message.
  • #7 To deal with eavesdropping, public key cryptosystems can also be used. Public-key is asymmetric; rely on 2 different keys: one key for encryption and a different but related key for decryption such that it is computationally infeasible to determine the decryption key given only the cryptographic algorithm and the encryption key. This came about because with symmetric key cryptosystems, the users were forced to share their keys. With public-key cryptosystems, only the public keys are shared. These public keys are published publicly in a register or file, while the private keys are kept secret, never distributed and kept locally in the system. In the figure above, authentication scheme is shown using the private key being used for encryption. Since Alice owns the private key and she is the only one who knows about this, it proves that the message can only have come from her.
  • #8 Mention that systems could have different trust models. Also could have a hierarchy of trust. How can we use this for authentication? B would know that (1) is from A because the certificate contains identity of A. A certificate binds identity to public key and other info may be included (i.e. period of validity, rights of use) Contents signed by a trusted Public-Key or Certificate Authority (CA) Can be verified by anyone who knows the public-key authorities public-key From Tanenbaum, page 462. Actual distribution of the initial keys is required for both the symmetric and asymmetric cryptosystems. In public-key cryptosystem, the public key is paired to a private key. Public-key distribution takes place by means of public key certificates [Tanenbaum]. This certificate is the public key concatenated with a string identifying the entity (user or device) to which the key is associated. The public key and identifier are signed by a CA. This signature is on the certificate as well. [Stalllings, page 186] There are different 4 ways in distributing public keys. These are public announcement of public keys, publicly available directory, use of public-key authority, and use of public key certificates through certificate authority. The first three mentioned are all vulnerable to tampering. To address this problem, a certificate authority is used. This is also designed in order to address the problem with the use of public-key authority where it could be a bottleneck in the system because the user must appeal to the authority for a public key for every user it wishes to communicate. The certificate authority scheme of distributing keys uses certificates. To deal with trust, KDCs may also be used as opposed to the CA above. The KDCs and CAs offer services that demonstrate a difficult problem in distributed systems [Tanenbaum, page 465]. They must be trusted. They must also offer high availability since users need to contact them for a key or a certificate. We can achieve high availability through replication, however, this poses another threat. How can they be trusted? Parties need to establish some trust in each other On the internet, this trust is facilitated using public key certificates Creation of recognizable and meaningful public key certificates infrastructure for internet wide use is a critical problem for the success of electronic commerce
  • #9 To deal with multiple password management, a Kerberos server may be used. All users are registered with this server. The Kerberos server contains all the user ID and hashed password of all participating users. All servers are also registered with the Kerberos. Kerberos server also has shares a secret key with each server. The authentication steps in the figure above are (1) and (2). (1) User logs onto a workstation and requests service. (2) AS responds. Encryption is based on user’s password enabling AS and client to verify password, and protecting contents of message. (3) User uses the response from (2) to access the TGS. (4) TGS grants a ticket (5) User uses ticket to be authenticated to server. (6) Server responds. X.509 is another server or distributed set of servers that maintains a database of users. The database contains information that includes a mapping from username to other information related to the user. X.509 defines a framework for the provision of authentication services by the X.500 directory to its users [Stallings, page 341]. The directory may be a repository of public-key certificates which is associated with each user. An example of such a directory is the Certificate Authority. It provides a location for users to obtain certificates. X.509 is based on public-key cryptography and digital signatures.
  • #10 [Stallings, pg 304] Another way to deal with replay attacks is to attach a sequence number to each message used in an authentication exchange. If the sequence number is in proper order, then it must not be a replay. There is a problem with this approach since there is an overhead required for each subject or party has to keep track of the last sequence number. Sequence numbers are therefore not used for authentication or key exchange. However, timestamps or challenge/response (nonce) may be used. If timestamps are used, if the timestamp received is close enough to what is expected by sender, then the message is not a replay. This approach requires that clocks are synchronized between the communicating parties. It had been argued that this approach is difficult that it must not be used in connection-oriented applications. The difficulty is caused by needing a protocol that maintains synchronization among the processor clocks. This protocol must be fault-tolerant and must be secure to avoid from being tampered. If there is something wrong with the synchronization, an attack can happen to take advantage of the fault in the clock mechanism of one of the parties. There is also difficulty of synchronization within distributed clocks is affected by variable and unpredictable nature of network delays. Therefore, any timestamp approach must balance between the need to allow for a window that is large enough to accommodate delays but small enough to minimize an opportunity for an attack. If challenge/response approach is used, a nonce (challenge) may be used and if the nonce is contained in the message received, then it is not a replay. The figure above shows an example of how a nonce is used to prevent replay attacks. It also shows an authentication scheme and how a key might be distributed. The latter, however, requires a master key to be shared between the KDC and the party involved. In (1), A requests a session key to use with B from KDC. A includes a nonce. It can be a timestamp, counter, or a random number. The only requirement is that it differs with each request. To prevent masquerade, it must be difficult for an opponent to guess the nonce. In (2), KDC sends the session key requested together with the same nonce A sent in (1). In (4), B uses the session key to encrypt the message for A. B also includes a nonce. In (5), A sends a message to B, encrypted with the session key and included a transformation of the nonce sent by B in (4). This ensures that the message it received in (3) was not a replay. The key distribution steps are (1), (2) and (3). (3), (4) and (5) perform an authentication function. The challenge/response approach is suitable only for connection-oriented application because of the need for handshaking. A session key is a temporary encryption key used between two principals, with a lifetime limited to the duration of a single communications "session". KNOW WHY TRANSFORMATION IS NECESSARY IN (5)
  • #11 After a user is authenticated, it is necessary to check whether a user is authorized to perform an operation. For example, a user has been authenticated to a distributed operating system but is not allowed to modify the database. Authorization’s goal is to prevent invalid operations caused by unauthorized users to prevent them from tampering with data files and system resources.
  • #12 The access control database contains the access control information (I.e. access matrix model that represents the security state of the system with subject to object access definitions. The LDAP contains a list of subjects (users, applications and processes) The objects can be files, directories, pages, devices, ports (for OS), records, fields, transactions (for DBMS), applets and bytecode (for Java) The audit logs contain a list of relevant security events
  • #13 Mechanism (Protection is internal. You protect resources against one another. (Security involves outside world.)
  • #14 Must be scanned each time any subject accesses an object Extra disk I/O required to fetch the ACL each time a file is opened (Performance disadvantage!) Revocation is easy. The ACL is searched for the access right(s) to be revoked, and they are deleted from the list. It can be immediate, general or selective, total or partial, and permanent or temporary [page 643, Silverschatz]
  • #15 Revocation is difficult because capabilities are distributed throughout the system. We must find them before we can revoke them. There are several schemes that implement revocation for capabilities such as reacquisition, back-pointers, indirection and keys [page 644 Silverschatz]. Not having a capability for a specific object means that the subject has no access rights for that object Like a ticket: its holder is given certain rights as associated with that ticket. Must be unforgeable
  • #16 Each object is protected by a capability. Objects are implemented by server processes that manage them. Capabilities have the identity of the object’s server encoded into them so that given a capability, the system can easily find a server process that manages the corresponding object. To create a restricted capability, a client can pass a capability back to the server, along with a bit mask for the new rights. The server takes the original check field from its tables, XORs it with the new rights, and then runs the result through a 1-way function. The server then creates a new capability, with the same value in the object field, but with the new rights field and the output of the one-way function in the check field. The new capability is returned to the caller. The client may send this new capability to another process. A one-way function is one that maps a domain into a range such that every function value has a unique inverse, with the condition that the calculation of the function is easy whereas the calculation of the inverse if infeasible [Stallings, page 171]. In plain English, this means that it’s infeasible to find the input that would produce a certain output. The method of generating restricted capabilities is illustrated. The owner has turned off all the rights except one. For example, the restricted capability might allow the object to be read, but nothing else.
  • #17 I just want to show we have many kinds of security policies. You wish that we have one that takes care of all. Different applications have different access-granting or access-restricting policies. We need something flexible! Discretionary allows a user at his own discretion to specify who can access his files. Mandatory is assigned by the system. Define what granularity is. Policy can be mandatory or discretionary depending on how strictly one wants to enforce it. The finer the granularity, the less likely a user will be granted unnecessary access or denied necessary access. The coarser the granularity, the more likely unnecessary access will be granted. (This is similar to #4 goal of Saltzer). The simplicity in configuring permissions and managing the permissions are also important criteria since if certain permissions are too labor-intensive, then it’s infeasible to provide the granularity desired. User-Based Access Control (UBAC) has also been called as Identity-Based Access Control. The system administrator is the one that defines the permission for each user based on user’s needs. The advantage is that it can result to a fine-grained permissions. There is less chance that the user will be granted or denied unnecessary access. The disadvantage is its being labor-intensive since the administrator makes manual configuration of permissions. In addition, it is very difficult for an administrator to know precisely what access every user needs and update them or maintain them. To make it easy for an administrator, it had been a practice that UBAC is implemented by giving users more access privileges than he could ever need. Role-Based Access Control: There are users, roles and permissions. Permissions are associated with roles. Users are granted membership in appropriate roles, thereby acquiring the role’s permissions.
  • #18 Flexibility A user’s access rights can be varied via different means. For example, revoking the user’s or user group’s authorization to a role puts the privileges in that role beyond the reach of the user. Revoking a user’s membership of a group also takes away from such a user all the privileges associated with the group. Authorization can be given to individual users, groups and/or roles. Granularity of system privilege management Fine grained privilege management can be realized by removing/adding privileges associated with a given role. Offers a very powerful means of administering the distribution and exercise of system privileges.
  • #19 RBAC was developed for access control in a single organization The control of role membership and role permissions are centralized in a few users. This centralized control feature does not work well in distributed collaborative systems Trust Management Systems’ focus is decentralized control. A role name is an atomic string This is sometimes too limited. An organization may contain large numbers of roles with few differences between them. Complexity in the analysis associated with determining system privileges and understanding the implications of their assignment Reduce it by decomposing roles into subroles
  • #20 The finer the granularity, the less likely a user will be granted unnecessary access or denied necessary access. How can we express and enforce complex security policies needed in distributed operating systems? Example of a complex security policy: An electronic banking system must enable a bank to state that at least five bank officers are needed to approve loans of $100,000 or less (a policy) and must also allow a bank employee to prove that he can be counted as 1 out of the required approvers (a credential) and must enable the bank to specify who may issue such credentials (a trust relationship).
  • #21 The finer the granularity, the less likely a user will be granted unnecessary access or denied necessary access. How can we express and enforce complex security policies needed in distributed operating systems? Example of a complex security policy: An electronic banking system must enable a bank to state that at least five bank officers are needed to approve loans of $100,000 or less (a policy) and must also allow a bank employee to prove that he can be counted as 1 out of the required approvers (a credential) and must enable the bank to specify who may issue such credentials (a trust relationship).
  • #23 Checking Compliance: Should I perform this dangerous action? Is security policy being followed? Does the set C of credentials prove that the request R complies with local security policy P? *** Security Policies Who is trusted to do what? User Credentials Delegates trust to someone else A policy signed by someone trusted Trust Relationships ?
  • #25 y = tms(r, c, p) Does the set c of credentials prove that the request r complies with the local security policy p? Outputs a decision about whether compliance with policy has been proven May also output some instructions on how to proceed c and p are ‘assertions’; represented as (f, s) where f is program describing the nature of the authority being granted as well as the party or parties to whom it is being granted and s is source of authority Rules Each entity that receives requests must have a policy that serves as the ultimate source of authority in the local government The policy may directly authorize certain keys to take certain actions, but more typically, it will delegate this responsibility to credential issuers that it trusts to have the required domain expertise as well as relationships with potential requesters.
  • #27 A secure DOS design depends not only on fine-grain access control and a global policy, as DTOS provides, but also on the ability to protect the flow of information through the system; We must have a fine-grain access control. This is not possible if we do not have a flexible policy. Cryptography can be used to protect the flow of information through the system. Decentralized solutions will eliminate the problem of having a centralized server that is a cause for bottleneck or central point of failure. The decentralized solutions may be using authentication using public key and authorization using Trust Mngt Systems Where are we? Why haven’t we moved? The trust management systems is a “language-based” protection. It incorporates protection concepts into programming languages, as a practical tool for system design. It is still in its infancy. When the importance of a suitable language notations in which to express protection requirements is realized, while designing new systems with distributed architectures and with increasingly stringent reqts on data security, trust management systems will be recognized more widely.[page 651 Silverschatz]