Computer Communications 19 (1996) 379-388

Tutorial

Security in computer networks and distributed systems

Mukesh M. Prabhu, S.V. Raghavan

Network Systems Laboratory, Department of Computer Science and Engineering, Indian Institute of Technology, Madras 600 036, India
Received 19 May 1994; revised 11 January 1995
Abstract

Data communication networks have become an integral part of modern society. The standardization of communication protocols has made the interconnection of heterogeneous systems and networks a reality. This global connectivity among open systems provides facilities such as remote computing, resource sharing and electronic fund transfer. For all these applications to provide the services that they are designed to provide in a secure manner, it is necessary to evaluate all the possible security violations that may occur. Moreover, the requirements of applications to protect the transfer of information from a range of potential threats should also be assessed. This paper introduces some of the commonly known security threats, together with the security services and state-of-the-art mechanisms that can be used to provide protection against these threats.

Keywords: Computer networks; Data communication; Data security; Open systems
1. Introduction
The need to provide security in communication was recognized long before the invention of computers, when messengers used to carry information from one place to another. In those days, maintaining the secrecy of information with the help of ciphering techniques was the prime goal. Over time, advancements in computing and data communications technology resulted in the establishment of computer networks to exchange information. In addition, standardization efforts [1] have increasingly given rise to large distributed systems which are mostly a collection of smaller heterogeneous systems communicating through the network. The use of these shared networks and computer systems to carry information with various protection requirements is increasing. The very fact that communication is via the insecure global network implies that a breach of security is inevitable. This necessitates the provision of a number of different logical systems superimposed upon a common physical system, with a guaranteed degree of separation between the various logical systems.

This paper, which is tutorial in nature, first introduces the various threats for secure communication. It then discusses the security services to either prevent or detect these security violations. State of the art mechanisms are presented to realize these services. Finally, security in the OSI environment is outlined.

0140-3664/96/$15.00 © 1996 Elsevier Science B.V. All rights reserved. SSDI 0140-3664(95)01031-9
2. Network security

Network security can be seen as a collection of services which:

• maintain the confidentiality and integrity of the message as well as the network;
• provide for the authentication of users and services; and
• make sure of non-repudiation by users and the non-denial of services.
Fig. 1 illustrates this definition of security as a collection of services. The system may provide all or a subset of these services, depending on the requirements of the application. These services are described in more detail later.

[Fig. 1. Network security.]

2.1. Threats for communication security

Security features obviously increase the cost of the system. Therefore, before designing a secure system, it is important to identify the threats against which protection is required. A threat is a potential violation of security. Those threats which do not modify the information or the normal operation of the system are called passive threats. For example, in the LAN environment, a station can capture all the packets on the network and learn the content of someone else's communication, perhaps for possible future misuse. On the contrary, active threats result in the modification of messages or in the operation of the system. Some of the possible security threats [2] are listed and described below:

• Identity interception is the observation of the identity of one or more parties involved in a communication for misuse.
• Replay attack is the recording and subsequent replay of a communication at some later point in time.
• Masquerading is the impersonation of a user to gain access to information, or to gain accidental privileges. This includes active attacks such as replay and modification of messages.
• Data interception is the observation of user data during a communication by an unauthorized user.
• Data manipulation is the unauthorized replacement, insertion, deletion or disordering of user data during communication.
• Repudiation is the denial by one of the entities involved in a communication of having participated in part or all of a communication. This may be dangerous in the case of electronic commitments.
• Mis-routing is the misrouting of a communication path intended for one user to another.
• Denial of service is the prevention or interruption of a communication or the delay of time-critical operations. For example, an intruder may suppress all messages directed to a particular destination or may generate extra traffic.
• Traffic analysis is the observation of information about a communication between users. The observation may include the absence/presence of traffic, frequency, direction, sequence, type and amount of traffic.
• Unauthorized access is the unauthorized access of classified data and usage of resources by an intruder.

3. Security services
Many applications have requirements for security to protect against the threats to the communication of information. The realization of security can be viewed in two ways: the first one views security services as an integral part of the communicating system services; the second sees security as the responsibility of the individual applications, i.e. the applications should implement all the necessary security services themselves and the communication systems are concerned only with the transmission of the PDUs.

There are two approaches to communication security, viz. a link-oriented approach and an end-to-end approach. In the link-oriented approach, the message traffic is protected independently on each communication link by encryption. If any one of the links is compromised, then the entire system security will be compromised. Also, all the intermediate nodes between the source and destination need to be trusted. The link-oriented approach is expensive in a network with a large number of nodes. Obviously, this approach fits into the realm of providing security services as a part of communicating system services.

In contrast to the link-oriented approach, the end-to-end approach views the network as a medium for transporting the PDUs in a secure fashion from source to destination, irrespective of the presence or absence of security measures in the intermediate nodes. This approach is less expensive. End-to-end measures are achieved with the help of a basic set of security services, and they can be implemented as part of the communicating system services or left to individual applications to implement, depending upon their requirements.

A basic set of security services or functions is described below. Though these services are defined in the ISO/OSI Security Architecture [2], the discussion holds good for any layered architecture.

• Confidentiality service provides protection of data from unauthorized disclosure, thus preventing interception. There can be connection confidentiality and connectionless confidentiality services depending on whether connection-oriented or connectionless data transfer service is used. Similarly, a traffic flow confidentiality service, if used, provides protection against traffic flow analysis and identity interception.
• Data integrity service provides proof of the integrity of data in a communication. It can be used to detect and protect against manipulation. Here, too, as in the case of the confidentiality service, there can be a connection integrity service ensuring the integrity of stream data units over a connection for connection-oriented service, and a connectionless data integrity service ensuring the integrity of data in a single data unit if a connectionless mode of data transfer is being used.
• Peer entity authentication service makes sure that a user, on a certain instance of communication, is indeed the one claimed. There can be two types of authentication: one is single entity authentication, which involves data origin or data recipient authentication; the other is mutual authentication, where both communicating users authenticate each other. This service can be used to protect against masquerading and replay attacks.
• Non-repudiation service provides proof of the integrity and origin of data, both in an unforgeable relationship which can be verified by any third party at any time. This service can be used to protect against data manipulation and repudiation threats, but mostly it is used for the latter.
• Access control protects against the unauthorized use of resources.

4. Security mechanisms

This section briefly describes the end-to-end mechanisms that may be used to provide the security services discussed above for applications to protect against the threats described earlier. Examples of security mechanisms are encipherment, data integrity, authentication exchange, access control and digital signature.

4.1. Encipherment

The cryptographic techniques used make the data in transit unintelligible to everyone except the legitimate parties involved in the communication. This involves two transformation functions: one is enciphering and the other is deciphering. The sender enciphers the data before transmitting it to the receiver. The receiver applies the appropriate deciphering function to get the original data back. There are two types of encryption mechanisms, viz., symmetric and asymmetric encryption.

4.1.1. Symmetric or shared key encryption
Here we have two functions, Encrypt and Decrypt, and an encryption key. A message encrypted with key k can only be decrypted with the same key k. The process of encryption and decryption can be described as follows:

If c = Encrypt(k, m) then m = Decrypt(k, c)

where m is the plain text message, k is the encryption key and c is the encrypted text.

It is computationally infeasible to obtain m or k from the received encrypted text c. All classical encryption methods suffer from the key distribution problem - the problem of secure distribution of keys among the communicating parties. The Data Encryption Standard (DES) [3], proposed by the US National Bureau of Standards (NBS), is one of the widely discussed symmetric key encryption schemes.

4.1.2. Asymmetric or public key encryption

In public key encryption, the key is divided into two parts: the encryption key, which is usually made public; and the decryption key, which is kept secret. The process of encryption and decryption can be described as follows:

If c = Encrypt(k, m) then m = Decrypt($k^{-1}$, c)

where m is the plain text message, k is the encryption (public) key, $k^{-1}$ is the decryption (secret) key, and c is the encrypted text. Cryptographic operations on a plain text message m with the key k are sometimes denoted as $c = \{m\}k$. With this notation, the above process of public key encryption can be denoted as:

$c = \{m\}k$ and $m = \{c\}k^{-1}$

This notation is used for the rest of the discussion in this paper. It has been shown that it is computationally infeasible to determine the decryption key (secret key $k^{-1}$) from the publicly available encryption key (k) and the encrypted text (c). The Rivest Shamir Adleman (RSA) algorithm [4] is a well known algorithm in this category. The public key scheme, unlike the shared key scheme, does not suffer from key distribution problems, but most of the known public key algorithms are slow in nature. Table 1 gives a comparison of the speeds of cryptographic operations, public vs. shared key encryption [5], which is reproduced here for easy reference.

Table 1. Comparison of speeds of cryptographic operations

Operation      Hardware (bps)   Software (bps/MIPS)*   Notes
RSA encrypt    220 K            0.5 K                  500 bit modulus, exponent 3
RSA decrypt    -                32 K
DES            1.2 G            400 K                  S/w uses a 64 KB table per key

* Software run on 0.5 MIPS 8 MHz Intel and 9 MIPS for 20 MHz SPARC.

4.2. Data integrity

The main concern of a data integrity service is to provide some kind of proof, so that any unauthorized changes to the message in transit can, with a high probability, be detected at the receiving end.

4.2.1. Integrity using digital signature

The essential property that a public key cryptosystem (PKCS) should have to implement a digital signature is that, if a message m is first deciphered and then enciphered, the result is m, i.e. encrypt(k, decrypt($k^{-1}$, m)) = m. Fig. 2 shows the principle of the public key signature, using the notation introduced earlier. Consider a message m, from A to B, whose integrity should be maintained. To achieve this, A first deciphers the message m with its secret key ($K_a^{-1}$) to obtain the transformed message s, which is called the signature, i.e. s = decrypt($K_a^{-1}$, m). This signature is sent over the network to B. To check the signature, B will perform the encipherment operation on the received message s using the public key of A, i.e. m = encrypt($k_a$, s). If the result is a plain text message m, the signature is considered to be valid. The whole process of digital signature rests on some assumptions:

• It is assumed that the secret key is kept secret by the owner of the key.
• The validity of the public key is established by some registration procedure which assures both the value of the key and its association with the owner of the key beyond doubt.
• If the message signature s is tampered with, the encipherment process at the receiver will produce an unacceptable output, which is of course different from the original plain text message. Hence, the receiver will reject the message, saying its integrity is questionable. This requires sufficient redundancy to be provided in the plain text message.

[Fig. 2. Principle of the public key signature. $A \to B : \{m\}k_a^{-1}$. At B: m = encrypt($k_a$, s), where s = decrypt($k_a^{-1}$, m); m: plain text message; $k_a$: public key of A; $k_a^{-1}$: secret key of A; s: signature.]

Hence, it follows that only the owner of the secret key can produce a valid signature, but anyone with a knowledge of the public key of that sender can verify that a message has the sender's signature. It should be noted that, although encipherment and decipherment functions are used, they will not provide any confidentiality, since anyone with knowledge of the sender's public key can learn the content of the message. If both secrecy and integrity are to be provided for a message, then after generating the signature, the resulting message should be enciphered as explained above. At the receiving end, the message received should be first deciphered as explained earlier, and then signature verification should be done.

In a variant of the above method, for ensuring integrity the signature is separated from the message. This method of ensuring integrity is shown in Fig. 3. Here, to ensure the integrity of a message, say m, sender A appends its signature to the message. Generation of the signature proceeds as follows. A one-way function is used to generate a compressed string of some moderate size (typically 64, 128 or 256 bits) no matter how large the message m is. This compressed string is usually referred to as the digest of the message, and it depends upon all the bits of the message. Since a one-way function is used, there is no possibility of inverting the function and computing a message with a given digest. Message digest algorithms MD4 and MD5, as suggested by Rivest [6,7], are good practical message digest algorithms. The digest thus generated is transformed by the public key signature method to form the signature of the whole message. At the receiving end, the digest of the message, say D, is computed from the received plain text message. The received signature is enciphered using the public key of the sender to obtain the digest computed at the sending end. If this digest matches D - the digest computed at the receiving end - the signature is said to be valid, and the message integrity is proved beyond doubt.

[Fig. 3. Digital signature separated from the message. E: encryption; D: decryption; MD: message digest function.]

The digital signature as described above is both message and signer-dependent. Hence this signature, in addition to proving the integrity of the message, also proves the authenticity of the originator and the unambiguous relationship between the originator and the data that was transferred. This can be used to provide a non-repudiation service apart from also providing a data integrity service.

4.2.2. Integrity using symmetric key encryption

It is possible also to provide an integrity service using symmetric key encryption. The principle is shown in Fig. 4. This method is similar to the method explained above for ensuring integrity by separating the signature from the message, except that symmetric key encryption is used in the place of public key encryption. At the sending end the message digest is enciphered using the shared secret key, which is known only to the communicating parties, A and B in this case. The encrypted digest in this case is referred to as the message authentication code (MAC) or manipulation detection code (MDC). At the receiving end, B will recompute the digest and, at the same time, will decrypt the received MAC to obtain the message digest computed by the sender. If both digests match, the received message is said to be authentic.

[Fig. 4. Integrity using symmetric key encryption. E: encryption; D: decryption; MD: message digest function.]

There exist some more ways of providing an integrity service using symmetric key encryption which exploit the properties of the specific cryptographic algorithm in use; for example, asymmetric use of the DES algorithm helps to provide an integrity service. For more details, the interested reader is referred elsewhere [8].

4.3. Authentication exchange

The goal of authentication is to make two principals believe that they are communicating with each other, and not with intruders. There can be two types of authentication exchanges:

1. Simple authentication: as the name suggests, this is very simple, where only the name and the password supplied by the originating principal are checked by the recipient.
2. Strong authentication: here cryptographic techniques are used to protect the exchange of validating information. Usually there will be more than one set (usually two or three sets) of validating information exchanges to successfully complete the authentication process, at the end of which pairs of principals satisfy themselves about each other's identity.

In this section, three of the strong authentication protocols are discussed in detail, using the notations introduced earlier.
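The separated-signature scheme of Section 4.2.1 (Fig. 3), as an added example that is not from the original paper: a toy RSA key pair signs a 128-bit digest, and the receiver recomputes the digest and compares it with the enciphered signature. The function names, the truncated SHA-256 digest and the keys built from known Mersenne primes (far too weak for real use) are assumptions of this example.

```python
import hashlib

E = 65537  # public exponent shared by both toy key pairs (assumption of this example)


def make_keypair(p, q):
    """Return (public key k, secret key k^-1) for primes p and q (textbook RSA)."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))    # secret exponent
    return (E, n), (d, n)


# Constructed keys: products of known Mersenne primes, for illustration only.
KA_PUB, KA_SEC = make_keypair(2**127 - 1, 2**89 - 1)   # principal A
KX_PUB, KX_SEC = make_keypair(2**107 - 1, 2**61 - 1)   # some other principal


def digest(message: bytes) -> int:
    """MD in Fig. 3: a 128-bit one-way digest (SHA-256 truncated to 16 bytes)."""
    return int.from_bytes(hashlib.sha256(message).digest()[:16], "big")


def encrypt(public_key, value: int) -> int:
    """E in Fig. 3: the operation anyone can do with the public key k."""
    exponent, n = public_key
    return pow(value, exponent, n)


def decrypt(secret_key, value: int) -> int:
    """D in Fig. 3: the operation only the holder of k^-1 can do."""
    exponent, n = secret_key
    return pow(value, exponent, n)


def sign(message: bytes, secret_key) -> int:
    """Sender: s = decrypt(k^-1, MD(m)); s is sent alongside the plain message."""
    return decrypt(secret_key, digest(message))


def verify(message: bytes, signature: int, public_key) -> bool:
    """Receiver: recompute D = MD(m) and compare it with encrypt(k, s)."""
    return encrypt(public_key, signature) == digest(message)


def demo():
    """Constructed messages: a genuine one, an altered one, and a wrong signer."""
    m = b"transfer 100 to B"
    s = sign(m, KA_SEC)
    return {
        "genuine": verify(m, s, KA_PUB),
        "altered_message": verify(b"transfer 900 to B", s, KA_PUB),
        "wrong_signer": verify(m, sign(m, KX_SEC), KA_PUB),
        # Anyone holding A's public key recovers the digest: no confidentiality.
        "digest_readable": encrypt(KA_PUB, s) == digest(m),
    }


if __name__ == "__main__":
    print(demo())
```

The signature protects only the digest, so the message itself still travels in clear unless it is enciphered separately, as the text above notes.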
Authentication protocols

Case study 1: Needham-Schroeder protocol

At the heart of this scheme [9] there is a trusted third party called an Authentication server S, which is supposed to hold the secret keys of all communicating parties. Both symmetric and asymmetric encryption can be used for authentication. The protocol illustrated below is based on symmetric key encryption. The authentication protocol is shown in Fig. 5. Let A and B be the two communicating parties. Goal: both A and B should authenticate each other.

[Fig. 5. Needham-Schroeder authentication protocol. 1. $A \to S : A, B, N_a$. 2. $S \to A : \{N_a, B, C_k, \{C_k, A\}K_b\}K_a$. 3. $A \to B : \{C_k, A\}K_b$. 4. $B \to A : \{N_b\}C_k$. 5. $A \to B : \{N_b + 1\}$.]

To begin with, A sends in clear (unencrypted) its own identity and the identity of the desired recipient (B) and a nonce $N_a$ (a nonce is a random number which is used only once for the purpose) to the Authentication server S:

$A \to S : A, B, N_a$   (1)

Upon receiving message (1), S generates a fresh session key $C_k$ for secret communication between A and B. Now S has to communicate this session key $C_k$ secretly to both A and B. S first encrypts $C_k$ and the name of the initiator A with the secret key $K_b$ of B. This message, along with the received nonce $N_a$ and a copy of session key $C_k$, is encrypted with $K_a$ - the secret key of A - and sent to A:

$S \to A : \{N_a, B, C_k, \{C_k, A\}K_b\}K_a$   (2)

Since A and only A (other than S) is in possession of $K_a$, it can open the envelope and learn the session key $C_k$. The presence of the same $N_a$ and B helps A to confirm that this is indeed a reply to the request to S, and not the replay of some old transaction. Now, A sends the part of the message encrypted with $K_b$ to B:

$A \to B : \{C_k, A\}K_b$   (3)

Again, only B will be able to learn $C_k$ and can be sure that A is the originator, since S has authenticated it. At this point, A knows $C_k$ is the fresh session key for communication between A and B, but B is not very clear about the freshness of the key $C_k$. To confirm that it is not a replay of a previous conversation, B sends to A a nonce $N_b$ encrypted with $C_k$:

$B \to A : \{N_b\}C_k$   (4)

If A sends a related reply which is a function of $N_b$, say:

$A \to B : \{N_b + 1\}$   (5)

B can also be sure of the identity of A, which completes the authentication process. This leaves the conversation in a state where both A and B are satisfied about the mutual identities.

Case study 2: The CCITT X.509 authentication protocol

The authentication protocols need a central repository of information to store the credentials (certified public keys, expiry time of the key, etc.) of the principals. So a directory, as defined by CCITT recommendation X.500 [10], is a natural place for such storage. The credentials of users are stored as certificates, which are signed by a certification authority - a trusted third party. Each certificate may contain the public key of the user, time of expiry, etc. The strong authentication protocol defined in the X.509 recommendation [11] makes use of the properties of PKCS. The PKCS to be used in this scheme should have a special property that both keys in the key pair can be used for encipherment. In other words, the PKCS should be able to produce a digital signature. The protocol is intended for signed, secure communication between two principals. The basic approach to authentication here is the corroboration of identity by demonstrating possession of a secret key. The three-way strong authentication protocol is shown in Fig. 6.

[Fig. 6. X.509 authentication protocol. 1. $A \to B : A, \{T_a, N_a, B, X_a, \{Y_a\}K_b\}K_a^{-1}$. 2. $B \to A : B, \{T_b, N_b, A, N_a, X_b, \{Y_b\}K_a\}K_b^{-1}$. 3. $A \to B : A\{N_b\}K_a^{-1}$.]

To begin with, A generates a nonce $N_a$ (to detect replay attacks and to prevent forgery), and a time stamp $T_a$ consisting of two components: a generation time of token (optional), and the expiry time. A sends message (6) to B:

$A \to B : A, \{T_a, N_a, B, X_a, \{Y_a\}K_b\}K_a^{-1}$   (6)

Here $\{Y_a\}K_b$ represents a secret $Y_a$ encrypted with the public key of B, which could be decrypted only by B. $Y_a$ could be some data to be transferred or can be a session key for subsequent exchange of data. A obtains the public key of B using X.500 directory services [10]. $X_a$ is some data whose integrity needs to be maintained, and not the secrecy. $X_a$ could be the digest of the whole of the message, so that the integrity of the message could be verified by the recipient. This message is signed by A using its secret key. The signing of the message helps to prove that A is indeed the originator of the message, since only A has the secret key $K_a^{-1}$. On receipt of message (6) B obtains the public key of A and:

1. Verifies that A's certificate has not expired.
2. Verifies the signature and thus the integrity of the signed information.
3. Checks that time stamp is current.
4. Checks that B itself is the intended recipient.
5. Freshness of $N_a$ may also be verified. $N_a$ is valid until the expiry date indicated by $T_a$.

Now B sends to A a message similar to (6):

$B \to A : B, \{T_b, N_b, A, N_a, X_b, \{Y_b\}K_a\}K_b^{-1}$   (7)

On receipt of message (7) A carries out the following actions:

1. Verifies the signature and thus the integrity of the signed information.
2. Checks that time stamp $T_b$ is current.
3. Checks that A itself is the intended recipient.
4. Freshness of $N_b$ is verified.

Now A sends message (8) to B:

$A \to B : A\{N_b\}K_a^{-1}$   (8)

B verifies the integrity of the message and checks that the $N_b$ received is the same as that sent in message (7). At the end of three messages (6, 7, 8), both parties have authenticated each other. The X.509 protocol, to reduce the amount of encryption and decryption while ensuring the integrity of the message, uses a method similar to that shown in Fig. 3. Some security defects have been found in this protocol, and solutions were suggested by Burrows et al. [12]. The interested reader is referred elsewhere [12,13] for a detailed discussion.

Security defects of the protocol

1. There is no evidence that the sender is actually aware of the data sent in the private part, i.e. $Y_a$ in message (6) and $Y_b$ in message (7). Possible attack: some third party can intercept the message, remove the existing signature, add his own signature, copy the encrypted section as it is and forward...! Suggested solution: sign the data before encryption.
2. Checking of $T_a$ is made optional in the three-way protocol. This leaves the protocol open to a replay attack. Suggested solution: modify the last message (8) as shown in message (9), by including B's name:

$A \to B : A, \{B, N_b\}K_a^{-1}$   (9)

Case study 3: Kerberos authentication server

This is probably the most widely used authentication service today. This was developed in the Athena project at MIT [14]. It is being distributed as part of the DEC Ultrix operating system of late. Kerberos is a trusted third-party authentication server based on the Needham-Schroeder model [9]. This is based on symmetric key encryption which makes use of the DES algorithm [3]. The Kerberos protocol establishes a shared key between two principals with the help of the authentication server. When a user requests a service, his/her identity must be established. This is done by presenting a ticket to the server along with a proof that the ticket was originally issued to the user and is not a replay. This is achieved in three phases. Two types of credentials are used in Kerberos. One is the ticket, and the other is the authenticator.

Abbreviations used in Case study 3

C, c          : client/user
S, s          : server
KS            : Kerberos server
addr          : client's network address
TGS, tgs      : Ticket granting server
$K_x$         : x's private key
$K_{x,y}$     : session key for x and y
$\{abc\}K_x$  : abc encrypted in x's key
$T_{x,y}$     : x's ticket to use y
life          : life time of ticket
$A_x$         : authenticator for x

The format of a Kerberos ticket for client C to use server S is shown below:

$\{S, C, addr, \text{time stamp}, life, K_{s,c}\}K_s$

The format of a Kerberos authenticator for client C submitted to server S is as shown below:

$\{C, addr, \text{time stamp}\}K_{s,c}$

Authentication using Kerberos follows the steps shown in Fig. 7.

[Fig. 7. Kerberos authentication protocol. 1. Request for a TGS ticket. 2. Ticket for TGS. 3. Request for Server ticket. 4. Ticket for Server. 5. Request for actual service.]

First phase. Here the user obtains credentials to be used to request other services:

1. The client C requests a ticket from Kerberos (KS):

$C \to KS : C, TGS$   (10)

2. Kerberos sends the ticket for TGS to C, which includes a session key $K_{c,tgs}$ to be used between C and TGS, current time-stamp and life-time for the ticket encrypted with $K_{tgs}$ and a copy of session key $K_{c,tgs}$. This is encrypted with the master key of user C, which is stored by Kerberos prior to the transaction by some off-line process:

$KS \to C : \{K_{c,tgs}, \{T_{c,tgs}\}K_{tgs}\}K_c$   (11)

Second phase. Now the user requests authentication for a specific service:

3. User C generates an authenticator $A_c$ and presents this $A_c$ and the ticket $T_{c,tgs}$ obtained from Kerberos to the TGS, requesting another ticket to the actual server S from where he/she wants to get the service:

$C \to TGS : S, \{A_c\}K_{c,tgs}, \{T_{c,tgs}\}K_{tgs}$   (12)

4. TGS, after verifying the validity of the ticket and the authenticator, generates a ticket for C to access the server S:

$TGS \to C : \{\{T_{c,s}\}K_s, K_{c,s}\}K_{c,tgs}$   (13)

Third phase. In this final phase, the user presents the ticket obtained from TGS to the actual end server S:

5. The user presents the ticket $T_{c,s}$ along with an authenticator $A_c$ to the server S to obtain the service:

$C \to S : \{A_c\}K_{c,s}, \{T_{c,s}\}K_s$   (14)

6. If the client also wants the server to prove its identity, then the server increments the time stamp received in the authenticator and sends it back to the client encrypted in the session key $K_{c,s}$:

$S \to C : \{\text{time stamp} + 1\}K_{c,s}$   (15)

At the end of this, the server is sure that, according to Kerberos, the client is the one claimed, and if mutual authentication is used the client is also convinced that the server is authentic. Now they can converse securely with the session key which is known only to them.

Limitations of Kerberos. This approach seems to work well in limited environments such as universities. However, some limitations have been pointed out in this protocol [15], a few of which are listed below:

• Kerberos is in possession of all the master keys. Placing this much trust in only one party can cause considerable security threats.
• As the number of users and services grows, it becomes infeasible to manage the master keys.
• It is not a peer-to-peer (user-to-user) system.
• Replay attacks are possible.
• Insecure time services.
• Susceptible to password guessing attacks and spoofed logins.
• Exposure of session keys possible.

Some of these problems have been corrected in version 5 release of Kerberos.

4.4. Access control

The access control can be enforced by maintaining an access control list with every resource. The list basically specifies who can access the resource and other restrictions, if any, on the resource access, such as time or location of access, etc. The access control can be enforced only after a proper authentication check is done and the identity of the peer entity is established beyond doubt. This helps in preventing unauthorized access to resources.

4.5. Traffic padding

This involves padding all the data through each link to protect against traffic flow analysis. It may in some cases be necessary to generate dummy traffic to mask the frequency and direction of traffic flow being analysed by the adversary.
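The ticket-and-authenticator check of Case study 3 (messages 13 to 15), which is the time-stamp counterpart of messages 3 to 5 in Case study 1, as an added example that is not from the original paper or from Kerberos itself. The HMAC-based seal()/unseal() pair stands in for DES, and the field names, the 300-second window, the replay cache and the sample principals and addresses are assumptions of this example.

```python
import hashlib
import hmac
import json
import os

MAX_SKEW = 300  # assumed: seconds of clock difference the server tolerates


def _stream(key, nonce, n):
    """Keystream from HMAC-SHA256 in counter mode (stand-in cipher, not DES)."""
    blocks = (hmac.new(key, b"enc" + nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]


def seal(key, fields):
    """{fields}K in the paper's notation: encrypt, then append an integrity tag."""
    plain = json.dumps(fields).encode()
    nonce = os.urandom(16)
    body = bytes(p ^ s for p, s in zip(plain, _stream(key, nonce, len(plain))))
    return nonce + body + hmac.new(key, b"mac" + nonce + body, hashlib.sha256).digest()


def unseal(key, blob):
    """Inverse of seal(); raises ValueError on a wrong key or an altered blob."""
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(key, b"mac" + nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("integrity check failed")
    return json.loads(bytes(c ^ s for c, s in zip(body, _stream(key, nonce, len(body)))))


def issue_ticket(k_s, server, client, addr, now, life):
    """TGS side of message (13): a fresh K_{c,s} and the ticket sealed under K_s."""
    k_cs = os.urandom(32)
    ticket = seal(k_s, {"s": server, "c": client, "addr": addr,
                        "ts": now, "life": life, "k_cs": k_cs.hex()})
    return k_cs, ticket


def make_authenticator(k_cs, client, addr, now):
    """Client side of message (14): {C, addr, time stamp} sealed under K_{c,s}."""
    return seal(k_cs, {"c": client, "addr": addr, "ts": now})


class Server:
    def __init__(self, name, k_s):
        self.name, self.k_s = name, k_s
        self.seen = set()  # (client, time stamp) of authenticators already accepted

    def accept(self, ticket, authenticator, peer_addr, now):
        """Checks on message (14); returns the message (15) reply or raises ValueError."""
        t = unseal(self.k_s, ticket)         # only the issuer and S hold K_s
        k_cs = bytes.fromhex(t["k_cs"])
        a = unseal(k_cs, authenticator)      # sender must hold K_{c,s}
        if t["s"] != self.name:
            raise ValueError("ticket issued for another server")
        if not t["ts"] <= now <= t["ts"] + t["life"]:
            raise ValueError("ticket outside its life time")
        if (a["c"], a["addr"]) != (t["c"], t["addr"]) or peer_addr != t["addr"]:
            raise ValueError("authenticator does not match ticket")
        if abs(now - a["ts"]) > MAX_SKEW:
            raise ValueError("stale authenticator")
        if (a["c"], a["ts"]) in self.seen:
            raise ValueError("replayed authenticator")
        self.seen.add((a["c"], a["ts"]))
        return seal(k_cs, {"ts": a["ts"] + 1})   # {time stamp + 1}K_{c,s}


def outcome(server, ticket, authenticator, peer_addr, now):
    """Run accept() and report 'accepted' or the reason for refusal."""
    try:
        server.accept(ticket, authenticator, peer_addr, now)
        return "accepted"
    except ValueError as err:
        return str(err)


def demo():
    """Constructed scenario: one good request, then four that must be refused."""
    k_s, host = os.urandom(32), "192.0.2.10"
    srv = Server("fileserver", k_s)
    k_cs, ticket = issue_ticket(k_s, "fileserver", "alice", host, now=1000, life=3600)
    auth = make_authenticator(k_cs, "alice", host, now=1010)
    reply = srv.accept(ticket, auth, host, now=1012)
    results = {"mutual": unseal(k_cs, reply)["ts"] == 1011}  # client checks message (15)
    results["replay"] = outcome(srv, ticket, auth, host, 1015)
    late = make_authenticator(k_cs, "alice", host, now=5000)
    results["expired"] = outcome(srv, ticket, late, host, 5000)
    forged = make_authenticator(os.urandom(32), "alice", host, now=1020)
    results["no_session_key"] = outcome(srv, ticket, forged, host, 1020)
    moved = make_authenticator(k_cs, "alice", host, now=1030)
    results["other_host"] = outcome(srv, ticket, moved, "198.51.100.7", 1030)
    return results


if __name__ == "__main__":
    print(demo())
```

The time-stamp window only works if client and server clocks agree, which is why the time service appears among the limitations listed in Case study 3.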
M.M. Prabhu, S. V. Raghavan/Computer
Table 2 Summary matrix of security services and layers. Y: Yes, service should be incorporated in the standards for the layer as a provider option; n: not provided; : it should be noted with respect to layer 7 that the application process may itself provide security services Service
Peer entity authentication Access control Connection confidentiality Connectionless confidentiality Selective field confidentiality Traffic flow security Connection integrity with recovery Connection integrity without recovery Selective field connection integrity Connectionless integrity Selective field connectionless integrity Data origin authentication Non-repudiation, origin Non-repudiation, delivery
34
n n YY n n YYnYY YYYYnYn n Y YY n n nn YnYnnnY n n n Y n n YY n n n n n n YY n n n n n n YY n n nn n n n n
5
6
n
Yn
i
n Yn nYn n n n Yn n Y n Yn n Y n Yn nYn n Y
n n n
n
5. Security in OSI
In the preceding sections, we have discussed the commonly known threats, together with security services and mechanisms that can be used to protect against the perceived threats. The discussion was general without referring to any particular network architecture. Here we will describe how these services are viewed by the OSI world. The objective of OSI [1] is to permit the interconnection of heterogeneous computer systems so that useful communication between application processes may be achieved. At various times security controls must be established to protect the information exchanged between the application processes. Such controls must make the cost of obtaining or modifying data greater than the potential value of obtaining or modifying data. The OSI security architecture [2] has identified a number of security services and mechanisms to realize these services. These services are reproduced in Table 2. In addition, the architecture has also identified the particular layers within which each security service may be incorporated in the seven layer OSI model. The summary matrix of security services and mechanisms is reproduced in Fig. 8. Some shortcomings of the OSI security architecture have been pointed out [16]. Important among these are:
• Most of the services can be placed at any one of the seven layers of the OSI model.
• Interoperability of these services and mechanisms with the rest of the system is not specified, i.e. how they should be embedded into the existing services and protocols; how their use is negotiated; how they are activated.
• The security of the service provided by the entire communications system and not that provided by each layer is important from the user’s point of view. In this respect, the layers are strongly interdependent, hence an integrated view on open systems security is essential.
Fig. 8. Summary matrix of security services and mechanisms (matrix entries not recoverable). Rows: Peer entity authentication; Access control; Connection confidentiality; Connectionless confidentiality; Selective field confidentiality; Traffic flow security; Connection integrity with recovery; Connection integrity without recovery; Selective field connection integrity; Connectionless integrity; Selective field connectionless integrity; Data origin authentication; Non-repudiation, origin; Non-repudiation, delivery. Columns recovered: Data integrity; Authentication exchange; Traffic padding; Routing control; Notarization. Legend: Y: yes; the mechanism is considered to be always appropriate; s: sometimes the mechanism is appropriate; -: the mechanism is considered to be inappropriate.
6. Conclusions
This paper has described the security aspects of distributed systems by first introducing possible security violations and then the security services available to counter such violations. Mechanisms such as encipherment, digital signature, data integrity and authentication protocols to provide these services have been discussed. Though openness and security appear to be mutually exclusive, that they need not be is evident from the efforts of ISO to define security standards for OSI. The ISO/OSI security standard has identified a set of security services and has given guidelines regarding the placement of these services in the OSI model. In practice, to provide secure end-to-end communication, it is necessary to negotiate the security services and other parameters specific to the security mechanisms across the communicating systems. This necessitates the provision of a security shell over the OSI protocol stack to initiate and manage the secure communication. Efforts are being made to develop such a security shell for open systems.
References
[1] ISO Information Processing Systems, Open Systems Interconnection Reference Model, Part 1: Basic Reference Model, ISO DIS 7498-1, Geneva, Switzerland (1984).
[2] ISO Information Processing Systems, Open Systems Interconnection Reference Model, Part 2: Security Architecture, ISO DIS 7498-2, Geneva, Switzerland (1988).
[3] National Bureau of Standards Data Encryption Standard, Federal Information Processing Standards Publication 46 (1977).
[4] R.L. Rivest, A. Shamir and L. Adleman, ‘A method for obtaining digital signatures and public-key cryptosystems’, Comm. ACM, 21 (February 1978) 120-126.
[5] B. Lampson, M. Abadi, M. Burrows and E. Wobber, Authentication in distributed systems: theory and practice. Technical Report 83, DEC Systems Research Centre, Palo Alto, CA (February 1992).
[6] R.L. Rivest, The MD4 message digest algorithm, Technical Report 1320, Internet RFC (1992).
[7] R.L. Rivest, The MD5 message digest algorithm, Technical Report 1321, Internet RFC (1992).
[8] D. Davies and W. Price, Security for Computer Networks, Wiley, Chichester (1984).
[9] R. Needham and R. Schroeder, ‘Using encryption for authentication in large network of computers’, Comm. ACM, 21 (December 1978) 993-999.
[10] CCITT The Directory - Overview of Concepts, Models and Services, CCITT Recommendation X.500, Blue Book, Vol VII, Fascicle VII.8, Geneva, Switzerland (1989).
[11] CCITT The Directory - Part 8: Authentication Framework, CCITT Recommendation X.509, Blue Book, Vol VII, Fascicle VII.8, Geneva, Switzerland (1989).
[12] M. Burrows, M. Abadi and R. Needham, ‘A logic of authentication’, ACM Trans. Comput. Syst., 8 (February 1990) 18-36.
[13] C. I’Anson and C. Mitchell, ‘Security defects in CCITT recommendation X.509 the directory authentication framework’, ACM Comput. Comm. Rev., 20 (April 1990) 30-34.
[14] J. Steiner, C. Neuman and J. Schiller, Kerberos: an authentication service for open network systems: Project Athena, Technical report, MIT (1988).
[15] S.M. Bellovin, ‘Limitations of the Kerberos authentication system’, Comput. Comm. Rev., 20 (1990) 119-132.
[16] A.T. Karilla, Open systems security - an architectural framework, PhD thesis, Telecom Finland, Finland (1990).
[17] M.M. Prabhu and S.V. Raghavan, ‘Design and implementation of security shell for OSInet’, Defense Sci. J. (communicated).
S V Raghavan is a member of the faculty of the Department of Computer Science and Engineering, Indian Institute of Technology, Madras, India. He is also the Chief Investigator of the project on Education and Research in Computer Networking jointly funded by the Department of Electronics, Government of India, and the UN Development Programme. He is on the Board of Editors of the Journal of Institute of Electronics and Telecommunication Engineers (IETE) for computers and control and Computer Communications.
Mukesh M Prabhu is a research scholar in the Department of Computer Science and Engineering, Indian Institute of Technology, Madras, India. He obtained his BTech in computer engineering from the University of Mangalore, India in 1990. His research interests include network security and management.