Security

in Distributed Systems
Importance
Overview

Distributed systems consist of multiple interconnected

components that communicate over a network, often
spanning across different physical locations. These
systems are inherently complex and involve the exchange
of sensitive data, making them vulnerable to various
security threats.
Key Risks
Data Breach(Confidentiality, Authenticity):
Unauthorized access to confidential data.
Service Disruption(Availability):
Interruptions due to attacks like Denial-of-Service (DoS).
Data Integrity:
Ensuring that data is not altered during transmission or storage.
Example Scenarios
E-commerce: Protecting credit card details during online transactions.
Healthcare: Securing patient records across distributed medical systems.
Fundamental Security
Concerns
Confidentiality
Ensuring that information is accessible only to those authorized to have access.
Techniques: Encryption methods (e.g., Advanced Encryption Standard (AES),
RSA(Ron Rivest, Adi Shamir and Leonard Adleman) to prevent unauthorized
access to data.
Real-world Example: Encrypted email communication where only the intended
recipient can read the content.
Integrity
Integrity is important to ensure that information has not been tampered with or
modified in an unauthorized way.
Techniques: Hash functions (e.g., SHA-256), Message Authentication Codes
(MAC), Cyclic redundancy check
Real-world Example: A bank transaction record that is digitally signed to ensure it
has not been tampered with.
Availability
Availability ensures that authorized users have access to information and
resources when needed.
Techniques: Redundancy, Load Balancing, DDoS protection mechanisms.
Real-world Example: Online services that remain operational even under heavy
load or attack.
Authenticity
Authenticity ensures that the identity of a user or system is genuine and verified.
Techniques: Digital certificates, public key infrastructure (PKI), and multi-factor
authentication (MFA).
Real-world Example: Logging into an online banking account using a password
and a one-time code sent to your phone to confirm your identity.
Non Repudiation
Non Repudiation ensures that a party cannot deny the authenticity of their
signature on a document or a message they sent or an action they performed.

Techniques: Digital signatures and Audit logs.

Real-world Example: An online purchase receipt signed by the vendor, which they
cannot later dispute.
Common Security Threats in Distributed Systems
Eavesdropping
Attack on Confidentiality
Unauthorized interception of data being
transmitted over a network.
Mitigation: Use of strong encryption
protocols (e.g., TLS/SSL).
Example: Intercepting login credentials
during transmission over an unsecured
network.
Use HTTPs over HTTP
Tampering
Attack on Integrity
Unauthorized alteration of data
during transmission or storage.
Mitigation: Use of cryptographic
hash functions, digital signatures.
Example: Altering the contents of a
financial transaction during its
transmission.
Denial of Service

Attack on Availability
An attack that aims to make a service unavailable to legitimate users by overwhelming it with excessive requests.
Mitigation: Implement rate limiting, use firewalls, and deploy Distributed Denial of Service (DDoS) protection
services.
Example: A website becomes inaccessible because it is flooded with millions of fake requests in a DDoS attack.
Impersonation (Masquerading)
Attack on Authenticity
Pretending to be another user or
system to gain unauthorized access.
Mitigation: Strong authentication
mechanisms (e.g., multi-factor
authentication).
Example: A phishing attack where an
attacker impersonates a legitimate
website to steal user credentials.
Repudiation

Attack on Non-Repudiation
Denial by one of the parties in a communication
of having participated in all or part of the
communication.
Mitigation: Use of digital signatures and audit
logging.
Contracts - Legal / Third party entities help
resolve.
Example: A user denying that they sent a
particular email.