DS Unit 09
DS Unit 09
The purpose of the digital signature on a certificate is to state that the certificate
information has been attested to by some other person or entity. The digital signature
does not attest to the authenticity of the certificate as a whole; it vouches only that the
signed identity information goes along with, or is bound to, the public key.
Thus, a certificate is basically a public key with one or two forms of ID
(https://youtu.be/UbMlPIgzT
attached, plus a hearty stamp BB ofxapproval
A(cE- from some other trusted individual.
)
C ommerce)
32
9.3 ACCESS CONTROL
• In the client-server model, which we have used so far, once a
client and a server have set up a secure channel, the client
can issue requests that are to be carried out by the server.
• Requests involve carrying out operations on resources that
are controlled by the server. A general situation is that of an object
server that has a number of objects under its control.
• A request from a client generally involves invoking a method of a
specific object.
• Such a request can be carried out only if the client has sufficient
access rights for that invocation.
• Formally, verifying access rights is referred to as access control,
whereas authorization is about granting access rights.
• The two terms are strongly related to each other and are often used
in an interchangeable way. There are many ways to achieve access
control.
• We start with discussing some of the general issues, concentrating
on different models for handling access control.
• One important way of actually controlling access to resources is to
build a firewall that protects applications or even an entire network.
• Firewalls are discussed separately.
• With the advent of code mobility, access control could no longer be
done using only the traditional methods.
9.3.1 General Issues in Access Control
• In order to understand the various issues involved in access control,
the simple model shown in Fig. 9-25 is generally adopted.
• It consists of subjects that issue a request to access an object. An
object is very much like the objects we have been discussing so far.
• It can be thought of as encapsulating its own state and
implementing the operations on that state.
• The operations of an object that subjects can request to be carried
out are made available through interfaces. Subjects can best be
thought of as being processes acting on behalf of users, but can
also be objects that need the services of other objects in order to
carry out their work
• Controlling the access to an object is all about protecting the object
against invocations by subjects that are not allowed to have specific
(or even any) of the methods carried out.
• Also, protection may include object management issues, such as creating,
renaming, or deleting objects.
• Protection is often enforced by a program called a reference monitor.
• A reference monitor records which subject may do what, and
decides whether a subject is allowed to have a specific operation carried
out.
• This monitor is called (e.g., by the underlying trusted operating
system) each time an object is invoked.
• Consequently, it is extremely important that the reference monitor is itself
tamperproof: an attacker must not be able to fool around with it.
Access Control Matrix
• A common approach to modeling the access rights of subjects
with respect to objects is to construct an access control matrix.
• Each subject is represented by a row in this matrix; each
object is represented by a column.
• If the matrix is denoted M, then an entry M [s,o] lists precisely
which operations subject s can request to be carried out on
object o.
• In other words, whenever a subject s requests the invocation
of method m of object 0, the reference monitor should check
whether m is listed in M [s,o]. If m is not listed in 1\1[s,o], the
invocation fails.
• Considering that a system may easily need to support thousands of
users and millions of objects that require protection, implementing an
access control matrix as a true matrix is not the way to go.
• Many entries in the matrix will be empty: a single subject will generally
have access to relatively few objects.
• Therefore, other, more efficient ways are followed to implement an
access control matrix.
• One widely-applied approach is to have each object maintain a list of
the access rights of subjects that want to access the object.
• In essence, this means that the matrix is distributed column-wise
across all objects, and that empty entries are left out.
• This type of implementation leads to what is called an Access Control
List(ACL). Each object is assumed to have its own associated ACL.
• Another approach is to distribute the matrix row-wise by giving each
subject a list of capabilities it has for each object. In other words, a
capability corresponds to an entry in the access control matrix.
• Not having a capability for a specific object means that the subject
has no access rights for that object.
• A capability can be compared to a ticket: its holder is given certain
rights that are associated with that ticket. It is also clear that a ticket
should be protected against modifications by its holder.
• One approach that is particularly suited in distributed systems and
which has been applied extensively in Amoeba (Tanenbaum et aI.,
1990), is to protect (a list of) capabilities with a signature.
• We return to these and other matters later when discussing security
management.
• The difference between how ACLs and capabilities are used to protect
the access to an object is shown in Fig. 9-26.
• Using ACLs, when a client sends a request to a server, the server's
reference monitor will check whether it knows the client and if that client
is known and allowed to have the requested operation carried out, as
shown in Fig. 9-26(a).
• However, when using capabilities, a client simply sends its request to the
server. The server is not interested in whether it knows the client; the
capability says enough.
• Therefore, the server peed only check whether the capability is valid and
whether the requested operation is listed in the capability. This approach to
protecting objects by means of capabilities is shown in Fig. 9-26(b).
9.3.2 Firewalls
• So far, we have shown how protection can be established using
cryptographic techniques, combined with some implementation of an
access control matrix.
• These approaches work fine as long as all communicating
parties play according to the same set of rules.
• Such rules may be enforced when developing a
standalone distributed system that is isolated from the rest of the
world.
• However, matters become more complicated when outsiders
are allowed to access the resources controlled by a distributed
system.
• Examples of such accesses including sending mail,
downloading files, uploading tax forms, and so on.
• To protect resources under these circumstances, a different
approach is needed.
• In practice, what happens is that external access to any part of a
distributed system is controlled by a special kind of reference
monitor known as a firewall (Cheswick and Bellovin, 2000; and
Zwicky et aI., 2000).
• Essentially, a firewall - disconnects any part of a distributed system
from the outside world, as shown in
• Fig. 9-28. All outgoing, but especially all incoming packets are
routed through a special computer and inspected before they are passed.
• Unauthorized traffic is discarded and not allowed to continue.
• An important issue is that the firewall itself should be heavily protected
against any kind of security threat: it should never fail.
• Firewalls essentially come in two different flavors that are often
combined.
• An important type of firewall is a packet-filtering gateway.
• This type of firewall operates as a router and makes decisions as to
whether or not to pass a network packet based on the source and
destination address as contained in the packet's header.
• Typically, the packet-filtering gateway shown on the outside LAN in
Fig. 9-28 would protect against incoming packets, whereas the one
on the inside LAN would filter outgoing packets.
• For example, to protect an internal Web server against requests from
hosts that are not on the internal network, a packet-filtering gateway
could decide to drop all incoming packets addressed to the Web server.
• The other type of firewall is an application-level gateway.
• In contrast to a packet-filtering gateway, which inspects only the header
of network packets, this type of firewall actually inspects the content of
an incoming or outgoing message.
• A typical example is a mail gateway that discards incoming or outgoing
mail exceeding a certain size.
• More sophisticated mail gateways exist that are, for example, capable
of filtering spam e-mail.
• Another example of an application-level gateway is one that allows
external access to a digital library server, but will supply only abstracts
of documents.
• If an external user wants more, an electronic payment protocol is
started. Users inside the firewall have direct access to the library
service.
• A special kind of application-level gateway is what is known as a proxy
gateway.
• This type of firewall works as a front end to a specific kind of application,
and ensures that only those messages are passed that meet certain
criteria. Consider, for example, surfing the Web.
• As we discuss in the next section, many Web pages contain scripts or
applets that are to be executed in a user's browser.
• To prevent such code to be downloaded to the inside LAN, all Web traffic
could be directed through a Web proxy gateway.
• This gateway accepts regular HTTP requests, either from inside or
outside the firewall.
• In other words, it appears to its users as a normal Web server.
• However, it filters all incoming and outgoing traffic, either by discarding
certain requests and pages, or modifying pages when they contain
executable code.
9.3.3 Secure Mobile Code
• As we discussed in Chap. 3, an important development in modem
distributed systems is the ability to migrate code between hosts instead of
just migrating passive data.
• However, mobile code introduces a number of serious security threats.
• For one thing, when sending an agent across the Internet, its owner will
want to protect it against malicious hosts that try to steal or modify
information carried by the agent.
• Another issue is that hosts need to be protected against malicious agents.
Most users of distributed systems will not be experts in systems
technology and have no way of telling whether the program they are
fetching from another host can be trusted not to corrupt their computer.
• In many cases it may be difficult even for an expert to detect that a
program is actually being downloaded at all.
• Unless security measures are taken, once a malicious program has
settled itself in a computer, it can easily corrupt its host.
• We are faced with an access control problem: the program should
not be allowed unauthorized access to the host's resources.
• As we shall see protecting a host against downloaded
malicious programs is not always easy.
• The problem is not so much as to avoid downloading of programs.
• Instead, what we are looking for is supporting mobile code that we
can allow access to local resources in a flexible, yet fully controlled
manner.
Protecting an Agent
• Before we take a look at protecting a computer system against downloaded
malicious code, let us first take a look at the opposite situation.
• Consider a mobile agent that is roaming a distributed system on behalf of a user.
Such an agent may be searching for the cheapest airplane ticket from Nairobi to
Malindi, and has been authorized by its owner to make a reservation as soon as
it found a flight.
• For this purpose, the agent may carry an electronic credit card.
• Obviously, we need protection here. Whenever the agent moves to a host, that
host should not be allowed to steal the agent's credit card information.
• Also, the agent should be protected against modifications that
make the owner pay much more than actually is needed.
• For example, if Chuck's Cheaper Charters can see that the agent
has not yet visited its cheaper competitor Alice Airlines, Chuck
should be prevented from changing the agent so that it will not
visit Alice Airlines‘ host.
• Other examples that require protection of an agent against
attacks from a hostile host include maliciously destroying an
agent, or tampering with an agent such that it will attack or steal
from its owner when it returns.
Protecting the Target
• Although protecting mobile code against a malicious host is
important, more attention has been paid to protecting hosts against
malicious mobile code.
• If sending an agent into the outside world is considered too
dangerous, a user will generally have alternatives to get the job done
for which the agent was intended.
• However, there are often no alternatives to letting an agent into your
system, other than locking it out completely.
• Therefore, if it is once decided that the agent can come in, the user
needs full control over what the agent can do.
9.3.4 Denial of Service
• Access control is generally about carefully ensuring that resources
are accessed only by authorized processes.
• A particularly annoying type of attack that is related to access
control is maliciously preventing authorized processes from
accessing resources.
• Defenses against such denial-of-service (DoS) attacks are
becoming increasingly important as distributed systems are opened
up through the Internet.
• Where DoS attacks that come from one or a few sources can often
be handled quite effectively, matters become much more difficult
when having to deal with distributed denial of service (DDoS).
• In DDoS attacks, a huge collection of processes jointly
attempt to bring down a networked service.
• In these cases, we often see that the attackers have
succeeded in hijacking a large group of machines
which unknowingly participate in the attack.
• Specht and Lee (2004) distinguish two types of
attacks: those aimed at bandwidth depletion and those
aimed at resource depletion.
9.4 SECURITY MANAGEMENT
• So far, we have considered secure channels and access control, but have
hardly touched upon the issue how, for example, keys are obtained.
• In this section, we take a closer look at security management.
• In particular, we distinguish three different subjects. First, we need to
consider the general management of cryptographic keys, and especially
the means by which public keys are distributed.
• As it turns out, certificates play an important role here.
• Second, we discuss the problem of securely managing a group of servers
by concentrating on the problem of adding a new group member that is
trusted by the current members.
• Clearly, in the face of distributed and replicated services, it is important
that security is not compromised by admitting a malicious process to a
group.
• Third, we pay attention to authorization
management by looking at capabilities and what
are known as attribute certificates.
• An important issue in distributed systems with
respect to authorization management is that one
process can delegate some or all of its access
rights to another process.
• Delegating rights in a secure way has its own
subtleties as we also discuss in this section.
9.4.1 Key Management
• So far, we have described various cryptographic protocols in which we
(implicitly) assumed that various keys were readily available.
• For example, in the case of public-key cryptosystems, we assumed that
a sender of a message had the public key of the receiver at its disposal
so that it could encrypt the message to ensure confidentiality.
• Likewise, in the case of authentication using a key distribution center
(KDC), we assumed each party already shared a secret key with the
KDC.
• However, establishing and distributing keys is not a trivial matter.
• Also, mechanisms are needed to revoke keys, that is, prevent a key from being
used after it has been compromised or invalidated.
• For example, revocation is necessary when a key has been compromised.
Lifetime of Certificates
• An important issue concerning certificates is their longevity.
• First let us consider the situation in which a certification authority
hands out lifelong certificates.
• Essentially, what the certificate then states is that the public
key will always be valid for the entity identified by the certificate.
• Clearly, such a statement is not what we want.
• If the private key of the identified entity is ever compromised, no
unsuspecting client should ever be able to use the public key (let
alone malicious clients).
• In that case, we need a mechanism to revoke the certificate by
making it publicly-known that the certificate is no longer valid,
• There are several ways to revoke a certificate. One common
approach is with a Certificate Revocation List (CRL) published
regularly by the certification authority.
• Whenever a client checks a certificate, it will have to check the
CRL to see whether the certificate has been revoked or not.
• This means that the client will at least have to contact the
certification authority each time a new CRL is published.
• Note that if a CRL is published daily, it also takes a day to revoke a
certificate.
• Meanwhile, a compromised certificate can be falsely used until it is
published on the next CRL.
• Consequently, the time between publishing CRLs cannot be too
long.
• In addition, getting a CRL incurs some overhead.
• An alternative approach is to restrict the lifetime of each
certificate.
• The validity of a certificate automatically expires after some
time.
• If for whatever reason the certificate should be revoked
before it expires, the certification authority can still publish it
on a CRL.
• However, this approach will still force clients to check the
latest CRL whenever verifies a certificate.
• In other words, they will need to contact the certification
authority or a trusted database containing the latest CRL.
Secure Group Management
• Many security systems make use of special services such as Key
Distribution Centers (KDCs) or Certification Authorities (CAs).
• These services demonstrate a difficult problem in distributed
systems.
• In the first place, they must be trusted. To enhance the trust in
security services, it is necessary to provide a high degree of
protection against all kinds of security threats.
• For example, as soon as a CA has been compromised, it
becomes impossible to verify the validity of a public key, making
the entire security system completely worthless.
• On the other hand, it is also necessary that many security services offer
high availability.
• For example, in the case of a KDC, each time two processes want to
set up a secure channel, at least one of them will need to contact the
KDC for a shared secret key.
• If the KDC is not available, secure communication cannot be
established unless an alternative technique for key establishment is
available, such as the Diffie-Hellman key exchange.
• The solution to high availability is replication. On the other hand,
replication makes a server more vulnerable to security attacks.
• We already discussed how secure group communication can take
place by sharing a secret among the group members.
• In effect, no single group member is capable of compromising
certificates, making the group itself highly secure.
Authorization Management
• Managing security in distributed systems is also concerned with
managing access rights.
• So far, we have hardly touched upon the issue of how access rights
are initially granted to users or groups of users, and how they are
subsequently maintained in an unforgeable way.
• It is time to correct this omission.
• In nondistributed systems, managing access rights is relatively easy.
• When a new user is added to the system, that user is given initial
rights, for example, to create files and subdirectories in a specific
directory. create processes, use CPU time, and so on.
• In other words, a complete account for a user is set up for one specific
machine in which all rights have been specified in advance by the
system administrators.
Capabilities and Attribute Certificates
• A much better approach that has been widely applied in
distributed systems is the use of capabilities.
• As we explained briefly above, a capability is an unforgeable
data structure for a specific resource, specifying exactly the
access rights that the holder of the capability has with respect
to that resource.