client/server: practical approaches to sharing secure information

1

Client/Server: Practical Client/Server: Practical Approaches to Sharing Secure Approaches to Sharing Secure

InformationInformation

Dr. Ivor Page,Dr. Ivor Page,

University of Texas at DallasUniversity of Texas at Dallas

2

First Generation SecurityFirst Generation Security

Records Dept.

3

Second Generation SecuritySecond Generation Security

A guard to call the copsif someone breaks inand a dog to bite him if he touches anything.

4

Modern securityModern security

Peace at last

www

5

The ProblemThe Problem

Student Record Systems are databases.Student Record Systems are databases. Increasing number of people (agents) need Increasing number of people (agents) need

instant access to student information.instant access to student information. There are many types of transactions and There are many types of transactions and

different agents need different capabilities. different agents need different capabilities. The database must authenticate agents and The database must authenticate agents and

enforce authorization rules on agents.enforce authorization rules on agents.

6

More ProblemsMore Problems

Some transactions require a “process” in Some transactions require a “process” in which several agents must concur in a strict which several agents must concur in a strict sequence before the transaction is sequence before the transaction is “committed” to the database (a grade change)“committed” to the database (a grade change)

The agents are geographically distributed.The agents are geographically distributed. The system must The system must loglog all transactions and all transactions and

must be able to must be able to undoundo any subset of them and any subset of them and restorerestore itself to a previous state. itself to a previous state.

7

Even More ProblemsEven More Problems

Security is a legal requirement and Security is a legal requirement and must contend with both accidental and must contend with both accidental and malicious attacksmalicious attacks

Agents are humans, some haveAgents are humans, some have Ph.Ds, and some are deans Ph.Ds, and some are deans

At the time when the database is created we At the time when the database is created we cannot think of all the fields and kinds of cannot think of all the fields and kinds of analyses on the data that will be neededanalyses on the data that will be needed

8

Ease of use/CompletenessEase of use/Completeness

Ideally, each agent should be able to access Ideally, each agent should be able to access the data within his/her the data within his/her security scopesecurity scope in any in any authorized fashion, using a authorized fashion, using a query languagequery language that is both easy to learn, yet powerful that is both easy to learn, yet powerful enough for complex analyses, statistical enough for complex analyses, statistical summaries, etc. summaries, etc.

It should rarely be necessary to extract data It should rarely be necessary to extract data for further analysis in another program.for further analysis in another program.

9

Security AgainSecurity Again

The main form of personnel authentication The main form of personnel authentication comes from login validation. We use the comes from login validation. We use the model of the supermarket cash register. The model of the supermarket cash register. The checkout clerk takes the key with her/him checkout clerk takes the key with her/him when absent, even for a short while. when absent, even for a short while.

Unlike the supermarket, the database agent Unlike the supermarket, the database agent has no physical key; we model the key by has no physical key; we model the key by login/logout procedures. login/logout procedures.

10

Network SecurityNetwork Security

The most challenging security problem The most challenging security problem comes from the need for network access.comes from the need for network access.– Agents are located across campus and Agents are located across campus and

communicate with the database via a network.communicate with the database via a network.– Messages to and from the database may pass Messages to and from the database may pass

through network nodes that are not part of the through network nodes that are not part of the student record system. These nodes may be student record system. These nodes may be accessible to students, faculty, and others.accessible to students, faculty, and others.

11


– Networks comprise a huge variety of software Networks comprise a huge variety of software written by many different vendors.written by many different vendors.

– It is rarely possible to redesign an entire It is rarely possible to redesign an entire network. Our records system must work with network. Our records system must work with existing software that may not be secure. existing software that may not be secure.

– Typically, our system sits at the highest layer of Typically, our system sits at the highest layer of the network software hierarchy. Our messages the network software hierarchy. Our messages are passed through many other layers. are passed through many other layers.

12


– Messages are partitioned into Messages are partitioned into packetspackets with with added headers containing the packet types and added headers containing the packet types and the network addresses of senders and recipients. the network addresses of senders and recipients.

– Typically headers are not encrypted. This Typically headers are not encrypted. This makes it easy for anyone to capture all packets makes it easy for anyone to capture all packets going to or from a certain network node.going to or from a certain network node.

– Since we cannot easily prevent adversaries Since we cannot easily prevent adversaries from seeing and collecting our messages, they from seeing and collecting our messages, they must be encrypted.must be encrypted.

13


Lap-top computers, PCs, and workstations Lap-top computers, PCs, and workstations can be connected to the network. can be connected to the network. – We must capture and reject false transactions We must capture and reject false transactions

sent by these computers that attempt to imitate sent by these computers that attempt to imitate (spoof) the transactions of real agents. (spoof) the transactions of real agents.

– Allowing logins to the records system from Allowing logins to the records system from computers connected via telephone networks computers connected via telephone networks greatly increases risk.greatly increases risk.

14

What is a Client/Server System?What is a Client/Server System?

Client/Server systems have two program Client/Server systems have two program components, a client (replicated at each components, a client (replicated at each agent’s site), and a (centralized) server. agent’s site), and a (centralized) server. – The client program calls functions The client program calls functions

within the server program in order within the server program in order to complete its transactions. to complete its transactions.

– The calls are completed by usingThe calls are completed by usingRemote Procedure Calls.Remote Procedure Calls.

15

f(x,y) /* call */

f(int x, int y){- - -}

Local Remote

Client

f(x,y) /* call */

Client stub

NetworkTransport

Server

f(int x,int y)

Server stub

NetworkTransport

Network

Local vs. Remote CallingLocal vs. Remote Calling

16

Why Client/Server?Why Client/Server?

Simplicity: The Client/server paradigm Simplicity: The Client/server paradigm enables a very simple and flexible interface enables a very simple and flexible interface between the computational components. between the computational components.

It is simple to add functionality. It is simple to add functionality. With TCP/IP, the RPC interface constitutes With TCP/IP, the RPC interface constitutes

a reliable connection-oriented network a reliable connection-oriented network protocol.protocol.

17


SecuritySecurity– Having computational power at all agent sites Having computational power at all agent sites

enables a secure communications system in enables a secure communications system in which messages are encrypted.which messages are encrypted.

– Clients and server authenticate all messages.Clients and server authenticate all messages.– Authentication protocols are easier to design if Authentication protocols are easier to design if

a reliable client/server interface is assumed a reliable client/server interface is assumed (Kerberos).(Kerberos).

18


Efficiency/scalability: The client/server Efficiency/scalability: The client/server approach enables some of the computational approach enables some of the computational effort to be carried out in the client. effort to be carried out in the client. – A balance is possible in which the client and A balance is possible in which the client and

server have different functions and work together server have different functions and work together to complete each transaction. to complete each transaction.

– The server’s effort can be minimized allowing The server’s effort can be minimized allowing the size of the network to grow with demand. the size of the network to grow with demand.

19


The Client/Server paradigm closely matches the The Client/Server paradigm closely matches the paradigm of Object Oriented Programming in paradigm of Object Oriented Programming in which computation proceeds through inter-object which computation proceeds through inter-object communication.communication.

The OOP paradigm is said to provide a natural The OOP paradigm is said to provide a natural partitioning of a program into objects that are self partitioning of a program into objects that are self contained and have clean and simple interfaces. contained and have clean and simple interfaces. This should translate into more reliable This should translate into more reliable programs.programs.

20

Authentication and Authorization Authentication and Authorization

Each transaction reaching the server Each transaction reaching the server (student records database) must receive two (student records database) must receive two checks:checks:– Is this request from the agent indicated in the Is this request from the agent indicated in the

transaction? - transaction? - AuthenticationAuthentication..– Is this agent permitted to carry out the Is this agent permitted to carry out the

requested action? - requested action? - AuthorizationAuthorization..

21

Authentication and SecrecyAuthentication and Secrecy

Digital signatures and encrypted messages Digital signatures and encrypted messages are two powerful, but not entirely fail-safe, are two powerful, but not entirely fail-safe, security techniques.security techniques.– A digital signature is a (huge) unforgeable A digital signature is a (huge) unforgeable

password sent with every message that password sent with every message that uniquely identifies the sender.uniquely identifies the sender.

– Modern encryption techniques are considered Modern encryption techniques are considered safe for all but the highest levels of security. safe for all but the highest levels of security.

22

Private Key EncryptionPrivate Key Encryption

E D

message

Encryption Decryption

message

C = Eke(M), M = Dkd(C) = Dkd(Eke(M))

We can make the keys the same: k = ke = kd, so thatC = Ek(M), M = Dk(Ek(M))

The algorithms E and D are public, but k is private.

C

Cyphertext

M M

ke kd

23

DESDES

DES is a private key encryption system.DES is a private key encryption system.– Messages are split into 64 bit chunks and keys Messages are split into 64 bit chunks and keys

of up to 56-bits are used. of up to 56-bits are used. – Encryption and decryption involve key-Encryption and decryption involve key-

independent transpositions and key-dependent independent transpositions and key-dependent bit substitutions. bit substitutions.

– A 56 bit number has 17 decimal digits, A 56 bit number has 17 decimal digits, considered too large to be enumerated.considered too large to be enumerated.

24

Public Key Encryption (RSA)Public Key Encryption (RSA)

E D

message

Encryption Decryption

message

C = Ekp(M), M = Dks(Ekp(M))

In RSA also, M = Dkp(Eks(M)) (Algorithms are inverses)

Algorithms E and D, and the key kp are public, but the key ks is secret. It is impossible to infer ks from knowledge of E, D, and kp.

Cyphertext

M M

kp ksC

25

Public key Encryption, RSAPublic key Encryption, RSA

An agent A with public and secret keys kpAn agent A with public and secret keys kpAA and ksand ksAA can send a message can send a message MM to server B to server B with public and secret keys kpwith public and secret keys kpBB and ks and ksBB using Eusing EkpkpBB(M),(M), the public key of the server. the public key of the server. – Only B can decrypt this message using ksOnly B can decrypt this message using ksBB

E DA B

kpB ksB

26

Public key Encryption, RSAPublic key Encryption, RSA

B can send a message B can send a message MM to A using E to A using EkpkpAA(M), (M),

the public key of the agent.the public key of the agent.– Only A can decrypt this message, using ksOnly A can decrypt this message, using ksAA. .

D EA B

ksA kpA

27

Authentication with RSAAuthentication with RSA

Agent A can send a message Agent A can send a message MM to server B to server B using Eusing EksksAA(M),(M), the agent’s secret key the agent’s secret key – Anyone can decrypt the message using A’s Anyone can decrypt the message using A’s

public key, but only A could have sent it. public key, but only A could have sent it. – Authentication is obtained, but secrecy is not. Authentication is obtained, but secrecy is not.

E DAB or anyone

ksA kpA

28

Authentication Authentication andand Secrecy Secrecy

An agent A can send a message An agent A can send a message MM to server to server B using EB using EkpkpBB(E(EksksAA(M)(M))),, – A first encrypts A first encrypts MM using its secret key, then using its secret key, then

again using the server’s public key. again using the server’s public key. – An adversary would need to discover ksAn adversary would need to discover ksA A to to

construct such a message and ksconstruct such a message and ksBB to decrypt it. to decrypt it.

E1 E2A

ksA kpB

To network

29

Code breakingCode breaking

With public-key encryption, code With public-key encryption, code breaking entails factoring a huge integer.breaking entails factoring a huge integer.– Many of the well-publicized successful Many of the well-publicized successful

encryption breaks have been due to poor encryption breaks have been due to poor selection of the keys.selection of the keys.

– If the keys are carefully chosen, it should take If the keys are carefully chosen, it should take months if not years to break the code (although months if not years to break the code (although we have no formal proof of this).we have no formal proof of this).

30

Question:Question:

Student records could be valuable to a Student records could be valuable to a criminal throughout the students’ lives. criminal throughout the students’ lives. Should our security be sufficient to prevent Should our security be sufficient to prevent captured student records from ever being captured student records from ever being decrypted? decrypted?

If society felt this was so, then current If society felt this was so, then current techniques may not be adequate.techniques may not be adequate.– However, we don’t have anything better...However, we don’t have anything better...

31

Key serverKey server

A A key-serverkey-server is needed to send the public is needed to send the public and secret keys to the database server and and secret keys to the database server and the clients in highly secure fashion. the clients in highly secure fashion. – The Kerberos System (MIT) is based on the The Kerberos System (MIT) is based on the

client/server model and uses the DES private client/server model and uses the DES private key encryption system. key encryption system.

– CCITT X.509 is based upon a public key CCITT X.509 is based upon a public key encryption system. It has a security hole.encryption system. It has a security hole.

34

What are the threats?What are the threats?

Service InterruptionService Interruption– Service becomes unavailable because of Service becomes unavailable because of

corruption of database or network software, or corruption of database or network software, or the injection of false messages that clog-up the the injection of false messages that clog-up the system. system.

– Data InterceptionData Interception– Data captured by a “sniffer,” a security Data captured by a “sniffer,” a security

hole in a network node, or the theft of a tape... hole in a network node, or the theft of a tape...

35


Data ModificationData Modification– Records are illegally alteredRecords are illegally altered

Data FabricationData Fabrication– Fraudulent records are entered. Since we are Fraudulent records are entered. Since we are

moving towards receiving applications via the moving towards receiving applications via the web, and electronic delivery of transcripts, it is web, and electronic delivery of transcripts, it is likely that fraudulent applications and likely that fraudulent applications and transcripts will become a serious problem.transcripts will become a serious problem.

36


Spoofing Spoofing – An adversary is able to An adversary is able to

pretend to be a real agent, pretend to be a real agent, sending and receiving sending and receiving messages in that agent’s guise. messages in that agent’s guise.

– The adversary imitates the real agent’s login The adversary imitates the real agent’s login procedure, or sends fraudulent transactions procedure, or sends fraudulent transactions while the real agent is logged in.while the real agent is logged in.

37


One simple spoofing technique replays One simple spoofing technique replays messages from real agents that were messages from real agents that were obtained by eavesdropping using a sniffer. obtained by eavesdropping using a sniffer. The hope is that the server will respond as if The hope is that the server will respond as if to the real agent. to the real agent. Authentication and time stamping should Authentication and time stamping should

defend against this approach.defend against this approach.

38

Defense Against SpoofingDefense Against Spoofing

Instigate complex login procedures and the Instigate complex login procedures and the associated personnel training and,associated personnel training and,

make sure all messages are authenticated. make sure all messages are authenticated. – Ideally the agent Ideally the agent and the agent’s computerand the agent’s computer

should both be authenticated on every should both be authenticated on every transaction.transaction.

39

InterceptionInterception

Interception may be quite easy. “Sniffers’ Interception may be quite easy. “Sniffers’ are devices connected to the network in an are devices connected to the network in an attempt to capture messages. They might attempt to capture messages. They might simply make copies of all packets going simply make copies of all packets going to/from a certain network address.to/from a certain network address.

Further lengthy analyses of captured Further lengthy analyses of captured messages may reveal security holes, messages may reveal security holes, passwords, keys, etc.passwords, keys, etc.

40

InterceptionInterception

It may be possible to guess the nature of an It may be possible to guess the nature of an interaction by analyzing the lengths of the interaction by analyzing the lengths of the packets and/or the time of the interaction. packets and/or the time of the interaction.

One adversary asks an agent for some One adversary asks an agent for some details while another operates a sniffer.details while another operates a sniffer.– Ideally all packets should be the same length Ideally all packets should be the same length

and agent programs should transmit dummy and agent programs should transmit dummy packets to maintain a relatively constant rate. packets to maintain a relatively constant rate.

41

What is transported to agents?What is transported to agents?

An agent may want to view an entire student’s An agent may want to view an entire student’s transcript, or a class grade-roll. While these transcript, or a class grade-roll. While these data are at the client computer, a security data are at the client computer, a security breach is possible.breach is possible.

It is preferable to have data at the client It is preferable to have data at the client encrypted. The data in the client’s video buffer encrypted. The data in the client’s video buffer and visible data on the screen are not and visible data on the screen are not encrypted. This problem requires a hardware encrypted. This problem requires a hardware solution. solution.

42

What is transported to agents?What is transported to agents?

For statistical summaries, etc., the client For statistical summaries, etc., the client computer should do the computations. computer should do the computations. – If we transport all associated records to the If we transport all associated records to the

client we cause a security weakness. client we cause a security weakness. – Unless essential to the task, the fields Unless essential to the task, the fields

identifying the students should not be sent.identifying the students should not be sent.– Only send the data that are actually needed.Only send the data that are actually needed.

43

Authorization: Data OrganizationAuthorization: Data Organization

Student data are organized naturally by Student data are organized naturally by department and degree level. department and degree level.

There is duplication of data, so There is duplication of data, so consistent consistent updateupdate procedures are needed. procedures are needed. – Students’ grades appear in the students’ own Students’ grades appear in the students’ own

records, in individual course records, and in records, in individual course records, and in summary records. A grade change must affect summary records. A grade change must affect all copies of the grade in all records. all copies of the grade in all records.

44

The Hierarchical Security ModelThe Hierarchical Security Model

Hierarchy:Hierarchy:– Agents are organized into levels with differing Agents are organized into levels with differing

capabilities at each levelcapabilities at each level– The lowest level agents can see only a restricted The lowest level agents can see only a restricted

subset of the data and cannot change any subset of the data and cannot change any records, modify holds, etcrecords, modify holds, etc

– The highest level agents can see and modify The highest level agents can see and modify any record any record

45


This model is simple to maintain, but is This model is simple to maintain, but is probably insufficient on its own. probably insufficient on its own. – A dean should not be able to see or alter A dean should not be able to see or alter

records of students outside his/her school. records of students outside his/her school. The necessary data structure therefore The necessary data structure therefore

becomes a tree.becomes a tree. There are some anomalies, double majors... There are some anomalies, double majors...

46


Reg is tra r

D ean

H ead

C ou rse C ou rse

D ep artm en t D ep artm en t D ep artm en t

S ch oo l S ch oo l S ch oo l

U n ive rs ity

48


The tree-based hierarchical model may be The tree-based hierarchical model may be insufficient. insufficient. – Some agents may have access needs that do not Some agents may have access needs that do not

match the tree structure. For example, honors match the tree structure. For example, honors students may be spread across the departments students may be spread across the departments and courses. The honors program director may and courses. The honors program director may need restricted access to the records of just the need restricted access to the records of just the honors students. honors students.

54

Access List Security ModelAccess List Security Model

Access Lists:Access Lists:– The database contains a matrix giving, for each The database contains a matrix giving, for each

agent and subset of the database, the allowed agent and subset of the database, the allowed actions. actions.

– Any agent can submit any transaction. The Any agent can submit any transaction. The authorization check is within the database.authorization check is within the database.

55

Access ListAccess List

pm

Subset m

Subset n

Subset p

Read, set holds

Read, update

Read, update

Read

Subset Agent x Agent y Agent z

Read

nn

56

Access List Security ModelAccess List Security Model

Maintenance is again a problem.Maintenance is again a problem.– The number of agents could be large. The number of agents could be large. – There could be a huge number of subsets.There could be a huge number of subsets.– The access matrix would then be huge.The access matrix would then be huge.

» Agents could be grouped by common access Agents could be grouped by common access requirements to reduce the size of the matrix.requirements to reduce the size of the matrix.

– Changes to the access matrix must be carried Changes to the access matrix must be carried out by one or two highly trusted supervisors. out by one or two highly trusted supervisors.

58

Overall SecurityOverall Security

No matter what security model is used, and No matter what security model is used, and no matter whether digital signatures and no matter whether digital signatures and encrypted messages are employed, if an encrypted messages are employed, if an adversary can discover the login-id and adversary can discover the login-id and password of a real agent, the data in the password of a real agent, the data in the scope of that agent are at risk.scope of that agent are at risk.

This, and physical security, present the This, and physical security, present the biggest threats. biggest threats.

client/server: practical approaches to sharing secure information

Documents

network access

network nodes

network securitynetworks

network securitythe

network securitylap

network securitymessages

entire network

different agents