Copyright © cs-tutorial.com 1


What is Security?

Security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction.


Security in Distributed Systems

Security is by no means the least important principle of a distributed system.

In fact, it is one of the most difficult principles, as security needs to be pervasive throughout a system.

A single design flaw with respect to security may render all security measures useless.


Security in distributed systems can roughly be divided into two parts:-

1. One part concerns the communication between users or processes, possibly residing on different machines.

2. Authorization, which deals with ensuring that a process gets only those access rights to the resources in a distributed system to which it is entitled.


Attacks, Services and Mechanisms

Security Attack: Any action that compromises the security of information.

Security Mechanism: A mechanism that is designed to detect, prevent, or recover from a security attack.

Security Service: A service that enhances the security of data processing systems and information transfers. A security service makes use of one or more security mechanisms.


Security Attacks

Interruption: This is an attack on availability.

Interception: This is an attack on confidentiality.

Modification: This is an attack on integrity.

Fabrication: This is an attack on authenticity.

In fabrication an unauthorized party counterfeits an asset. Example: an intruder may add records to an existing database.


Security Goals


Integrity

Confidentiality

Availability

• Confidentiality: ability to ensure that messages and data are available only to those authorized to view them.
  – Encryption is used to achieve confidentiality.

• Integrity: ability to ensure that information being displayed on a Web site or transmitted/received over the Internet has not been altered in any way by an unauthorized party.
  – A digital signature is commonly used to ensure data integrity.


• Authenticity: ability to identify the identity of a person or entity with whom you are dealing on the Internet.
  – Digital Certificate is employed to satisfy the authentication requirement.

• Nonrepudiation: ability to ensure that e-commerce participants do not deny (repudiate) online actions.


Cryptography

It is the art and science of achieving security by encoding messages to make them non-readable.

Fundamental to security in distributed systems is the use of cryptographic techniques.


Encryption

Encryption: The process of transforming plain text or data into cipher text that cannot be read by anyone other than the sender and receiver.

Purpose:
• Secure stored information
• Secure information transmission

Provides:
• Message integrity
• Nonrepudiation
• Authentication
• Confidentiality

[Figure: encryption and decryption between the plaintext "cryptography" and the ciphertext "fubswrjudskb".]

Symmetric Key Encryption

Also known as secret key encryption.

Both the sender and receiver use the same digital key to encrypt and decrypt messages.

Requires a different set of keys for each transaction.

Data Encryption Standard (DES): Most widely used symmetric key encryption today; uses 56-bit encryption key; other types use 128-bit keys up through 2048 bits.


Symmetric Key Cryptography

[Figure: encryption and decryption between the plaintext "cryptography" and the ciphertext "fubswrjudskb".]

INTELLIGENCE PROBLEM (WWII):

Alice wants to send an encrypted message to Bob.

They need to share the same key.

Alice created a key, but how to let Bob know it?

KEY MAY BE INTERCEPTED!!!


The Key Distribution Problem

• In general, there are two ways to pass a shared symmetric key between customer and merchant (M):

1. First, customer X can obtain the shared symmetric key from M’s physical office.

2. Merchant and customer can obtain the shared symmetric key from a trusted party (key distribution centre) through a secure channel.

– After establishing the first shared secret key, the merchant and the customer can also change the secret key regularly by encrypting the new key with the old key.


Symmetric Key Encryption Algorithm

Data Encryption Standard (DES): encrypts 64-bit data blocks through many stages of transposition and substitution techniques, using a 56-bit encryption key.

IDEA (International Data Encryption Algorithm): encrypts 64-bit data blocks with a 128-bit key.


Public Key Encryption

• Uses two mathematically related digital keys – public key (widely disseminated) and private key (kept secret by owner).

• Both keys are used to encrypt and decrypt messages.

• Once a key is used to encrypt a message, the same key cannot be used to decrypt that message.

• For example, sender uses recipient’s public key to encrypt message; recipient uses his/her private key to decrypt it.


Asymmetrical Cryptography

[Figure: encryption and decryption between the plaintext "cryptography" and the ciphertext "fubswrjudskb", with the public key and the private key labelled.]

Asymmetrical Cryptography makes it possible to use separate keys for encryption and decryption.

To exchange messages:
- use public key to encrypt
- use private key to decrypt

Public Key Cryptography


1. Bob creates a pair of different keys

2. Bob sends one of the keys to Alice

3. Everyone can get Bob’s public key and use it to encrypt a message

4. But only Bob has the decryption key!

[Figure labels: ENCRYPTION KEY, DECRYPTION KEY]

Public Key Cryptography – A Simple Case


Electronic Signature

[Figure: encryption and decryption between the plaintext "cryptography" and the ciphertext "fubswrjudskb", with the public key and the private key labelled.]

Asymmetrical Cryptography makes it possible to use separate keys for encryption and decryption.

To exchange messages:
- use public key to encrypt
- use private key to decrypt

To use electronic signature:
- use private key to encrypt
- use public key to decrypt

One application of cryptography in distributed systems is the use of hash functions.

Hashing is the transformation of a string of characters into a usually shorter fixed-length value or key that represents the original string.

A hash function H takes a message m of arbitrary length as input and produces a fixed size value h called message digest (MD).

[Figure: Message -> Hash Function -> Message digest]

• MD is a fixed length (128 or 160 bit) summary of message

• One way: message cannot be recovered from MD


Requirements of a Message Digest

Given a message, it should be very easy to find its corresponding message digest.

Given a message digest, it should be very difficult to find the original message for which the digest was created.

Given any two messages, if we calculate their message digests, the two message digests must be different.


To sign a document, sender’s software will crunch down the message into just a few lines by a process called "hashing".

These few lines are called a message digest. (It is not possible to change a message digest back into the original data from which it was created.)

Sender then encrypts the message digest with his private key. The result is the digital signature.

Digital Signatures

Digital signatures are one of the most important inventions of modern cryptography.

A digital signature is a type of asymmetric cryptography used to simulate the security properties of a handwritten signature on paper.

Digital signature schemes use two keys, one for signing which involves the user's secret or private key, and one for verifying signatures which involves the user's public key. The output of the signature process is called the "digital signature."

Digital signatures serve the purpose of validation and authentication of electronic documents.

Validation refers to the process of certifying the contents of the document, while authentication refers to the process of certifying the sender of the document.

The main difference from a handwritten signature is that digital signature of a message is intimately connected with the message, and for different messages is different, whereas the handwritten signature is adjoined to the message and always looks the same.

Digital Signatures are computed based on the message that needs to be signed and some private information held only by the sender.

In practice for creating digital signature, instead of using the whole message, a hash function is applied to the message to obtain the message digest which is encrypted with the creator’s private key.
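The hash-then-sign procedure described above, as an added example that is not part of the original slides: a toy, unpadded RSA built with Python's standard library, with SHA-256 standing in for the hash function H. The primes, the sample messages and the function names are assumptions made for illustration; production signatures use a vetted library and a padded scheme such as RSA-PSS.

```python
import hashlib

# Toy RSA key built from two known Mersenne primes (constructed for this
# example; far too small and too structured for real use).
P, Q = 2**127 - 1, 2**89 - 1
N = P * Q                               # public modulus
E = 65537                               # public exponent (verification key)
D = pow(E, -1, (P - 1) * (Q - 1))       # private exponent (signing key)


def message_digest(message: bytes) -> int:
    """H(m): hash an arbitrary-length message to a fixed-size digest."""
    h = hashlib.sha256(message).digest()
    # Reduce into the toy modulus; real schemes pad the digest instead.
    return int.from_bytes(h, "big") % N


def sign(message: bytes) -> int:
    """Sender: transform the message digest with the private key."""
    return pow(message_digest(message), D, N)


def verify(message: bytes, signature: int) -> bool:
    """Receiver: undo the transform with the public key, compare digests."""
    return pow(signature, E, N) == message_digest(message)


def demo() -> dict:
    order = b"Pay merchant M 100 units"           # constructed sample message
    sig = sign(order)
    return {
        "genuine": verify(order, sig),
        # Integrity: any change to the message changes its digest.
        "altered_message": verify(b"Pay merchant M 900 units", sig),
        # A signature that was modified in transit no longer verifies.
        "altered_signature": verify(order, sig ^ 1),
        # The signature is bound to the message: other message, other value.
        "reused_for_other_message": sign(b"another message") == sig,
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

Only the first check returns True: the signature verifies solely for the exact message that was signed, which is the property that distinguishes it from a handwritten signature that always looks the same.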

[Figure: Message Digest -> Encrypt with Sender’s Private Key -> Digital Signature]

Digital Signatures


Digital Certificates

Conclusion

Security plays an extremely important role in distributed systems.

A distributed system should provide the mechanisms that allow a variety of different security policies to be enforced.
