Review: Public Key Encryption Details • Idea: Kpublic can be made public, keep Kprivate private CS162 Insecure Channel Operating Systems and Bpublic Bprivate Systems Programming Aprivate Apublic Lecture 27 Alice Insecure Channel Bob Protection and Security II, • Gives message privacy (restricted receiver): – Public keys can be acquired by anyone/used by anyone ManyCore Operating Systems – Only person with private key can decrypt message • What about authentication? – Alice→Bob: [(I’m Alice)Aprivate Rest of message]Bpublic December 8, 2008 – Provides restricted sender and receiver Prof. John Kubiatowicz • Suppose we want X to sign message M? – Use private key to encrypt the digest, i.e. H(M)Xprivate http://inst.eecs.berkeley.edu/~cs162 – Send both M and its signature: » Signed message = [M,H(M)Xprivate] – Now, anyone can verify that M was signed by X » Simply decrypt the digest with Xpublic 12/08/08 » Verify that resultKubiatowicz matches CS162 H(M) ©UCB Fall 2008 Lec 27.2 Goals for Today Security through SSL n • SSL Web Protocol c • Use of Cryptographic Mechanisms – Port 443: secure http ns,certs – Use public-key encryption (pms)Ks • Authorization Mechanisms for key-distribution • Worms and Viruses • Server has a certificate signed by certificate authority – Contains server info (organization, IP address, etc) – Also contains server’s public key and expiration date • Establishment of Shared, 48-byte “master secret” – Client sends 28-byte random value nc to server – Server returns its own 28-byte random value ns, plus its certificate certs – Client verifies certificate by checking with public key of certificate authority compiled into browser » Also check expiration date – Client picks 46-byte “premaster” secret (pms), encrypts Note: Some slides and/or pictures in the following are it with public key of server, and sends to server adapted from slides ©2005 Silberschatz, Galvin, and Gagne. – Now, both server and client have nc, ns, and pms » Each can compute 48-byte master secret using one-way Also, slides on Taint Tracking adapted from Nickolai Zeldovich and collision-resistant function on three values » Random “nonces” nc and ns make sure master secret fresh 12/08/08 Kubiatowicz CS162 ©UCB Fall 2008 Lec 27.3 12/08/08 Kubiatowicz CS162 ©UCB Fall 2008 Lec 27.4 Recall: Authorization: Who Can Do What? How fine-grained should access control be? • How do we decide who is authorized • Example of the problem: to do actions in the system? – Suppose you buy a copy of a new game from “Joe’s Game • Access Control Matrix: contains World” and then run it. all permissions in the system – It’s running with your userid – Resources across top » It removes all the files you own, including the project due » Files, Devices, etc… the next day… – Domains in columns • How can you prevent this? » A domain might be a user or a group of permissions – Have to run the program under some userid. » Could create a second games userid for the user, which » E.g. above: User D3 can read F2 or execute F3 – In practice, table would be huge and sparse! has no write privileges. • Two approaches to implementation » Like the “nobody” userid in UNIX – can’t do much – Access Control Lists: store permissions with each object – But what if the game needs to write out a file recording » Still might be lots of users! scores? » UNIX limits each file to: r,w,x for owner, group, world » Would need to give write privileges to one particular file » More recent systems allow definition of groups of users (or directory) to your games userid. and permissions for each group – But what about non-game programs you want to use, – Capability List: each process tracks objects has such as Quicken? permission to touch » Now you need to create your own private quicken userid, if » Popular in the past, idea out of favor today you want to make sure tha the copy of Quicken you bought » Consider page table: Each process has list of pages it has can’t corrupt non-quicken-related files access to, not each page has list of processes … – But – how to get this right??? Pretty complex… 12/08/08 Kubiatowicz CS162 ©UCB Fall 2008 Lec 27.5 12/08/08 Kubiatowicz CS162 ©UCB Fall 2008 Lec 27.6 Authorization Continued How to perform Authorization for Distributed Systems? • Principle of least privilege: programs, users, and systems should get only enough privileges to perform their tasks Different – Very hard to do in practice Authorization » How do you figure out what the minimum set of privileges Domains is needed to run your programs? – People often run at higher privilege then necessary » Such as the “administrator” privilege under windows • Issues: Are all user names in world unique? • One solution: Signed Software – No! They only have small number of characters – Only use software from sources that you trust, thereby » [email protected] → [email protected] → dealing with the problem by means of authentication [email protected] – Fine for big, established firms such as Microsoft, since » However, someone thought their friend was [email protected] they can make their signing keys well known and people and I got very private email intended for someone else… trust them – Need something better, more unique to identify person » Actually, not always fine: recently, one of Microsoft’s • Suppose want to connect with any server at any time? signing keys was compromised, leading to malicious – Need an account on every machine! (possibly with software that looked valid different user name for each account) – What about new startups? – OR: Need to use something more universal as identity » Who “validates” them? » Public Keys! (Called “Principles”) » How easy is it to fool them? » People are their public keys 12/08/08 Kubiatowicz CS162 ©UCB Fall 2008 Lec 27.7 12/08/08 Kubiatowicz CS162 ©UCB Fall 2008 Lec 27.8 Distributed Access Control Analysis of Previous Scheme Access Control List (ACL) for X: • Positive Points: FileFile XX ACL verifier – Identities checked via signatures and public keys OwnerOwner Key:Key: Hash, Timestamp, R: Key: 0x546DFEFA34… » Client can’t generate request for data unless they have 0x22347EF… 0x22347EF… Signature (owner) RW: Key: 0x467D34EF83… private key to go with their public identity » Server won’t use ACLs not properly signed by owner of file RX: Group Key: 0xA2D3498672… – No problems with multiple domains, since identities Server 1: Domain 2 nt … lie C Kc A designed to be cross-domain (public keys domain neutral) ) C9 X B Read r Group • Revocation: D e GACL ad 7 rv Client 1 e 4 se R 66 K Group ACL: – What if someone steals your private key? Domain 1 ( x a) GACL verifier 0 at » Need to walk through all ACLs with your key and change…! y: (d Hash, Timestamp, Key: 0xA786EF889A… Ke » This is very expensive Signature (group) Key: 0x6647DBC9AC… – Better to have unique string identifying you that people Server 2: Domain 3 place into ACLs » Then, ask Certificate Authority to give you a certificate • Distributed Access Control List (ACL) matching unique string to your current public key – Contains list of attributes (Read, Write, Execute, etc) » Client Request: (request + unique ID)Cprivate; give server with attached identities (Here, we show public keys) certificate if they ask for it. » ACLs signed by owner of file, only changeable by owner » Key compromise⇒must distribute “certificate revocation”, » Group lists signed by group key since can’t wait for previous certificate to expire. – ACLs can be on different servers than data – What if you remove someone from ACL of a given file? » Signatures allow us to validate them » If server caches old ACL, then person retains access! » ACLs could even be stored separately from verifiers » Here, cache inconsistency leads to security violations! 12/08/08 Kubiatowicz CS162 ©UCB Fall 2008 Lec 27.9 12/08/08 Kubiatowicz CS162 ©UCB Fall 2008 Lec 27.10 Analysis Continued Administrivia • Who signs the data? • Midterm II: Still grading – Or: How does the client know they are getting valid – Solutions are up data? – Will be back by Wednesday (I hope) – Signed by server? – Final date for regrade requests: Friday (12/12) » What if server compromised? Should client trust server? • Final Exam – Signed by owner of file? th » Better, but now only owner can update file! – December 18 ,8:00-11:00AM, Bechtel Auditorium » Pretty inconvenient! – Covers whole course (except last lecture) – Signed by group of servers that accepted latest update? – Two pages of handwritten notes, both sides » If must have signatures from all servers ⇒ Safe, but one • Last Day of Class – Next Wednesday bad server can prevent update from happening » Instead: ask for a threshold number of signatures • Final Topics suggestions (so far). Obviously too many… » Byzantine agreement can help here – Quantum Computers (and factoring) • How do you know that data is up-to-date? – Mobile Operating Systems – Valid signature only means data is valid older version – Freshness attack: – Multicore Systems » Malicious server returns old data instead of recent data – Dragons » Problem with both ACLs and data – User Sessions » E.g.: you just got a raise, but enemy breaks into a server and prevents payroll from seeing latest version of update – Power Management – Hard problem – Data Privacy » Needs to be fixed by invalidating old copies or having a – Berkeley OS History 12/08/08 trusted groupKubiatowicz of servers CS162 (Byzantine ©UCB Fall 2008 Agrement?) Lec 27.11 12/08/08 Kubiatowicz CS162 ©UCB Fall 2008 Lec 27.12 Involuntary Installation Enforcement • What about software loaded without your consent? • Enforcer