
Chapter 7b Networking & Distributed Security Spring04 Victor Sawma

The document discusses various approaches for distributed authentication and security controls in networks, including Digital Distributed Authentication, Kerberos, Distributed Computing Environment (DCE), SESAME, and Common Object Request Broker Architecture (CORBA). It covers how these systems address issues like impersonation, interception of data, and replay attacks. The document also examines traffic analysis controls and various data integrity controls used in networks like cryptographic checksums, digital signatures, and notarization.


Chapter 7

Networking & Distributed Security (Part B)

Network Security Controls:
Distributed authentication
Two issues:
a. To protect a single system from unauthorized remote users → distributed user authentication
b. To protect a network node from unauthorized access coming from other nodes → computer-to-computer authentication
Several approaches:
• Distributed Authentication (by Digital, DEC)
• Kerberos (by MIT)
• DCE - Distributed Computing Environment (by OSF)
• SESAME (a European R&D project)
• CORBA – Common Object Request Broker Architecture (by OMG)

Sawma V., Computer Security and Their Data 2


Digital Distributed Authentication
1989, 1990
Gasser, Morrie, and Ellen McDermott. “An Architecture for Practical Delegation in a Distributed System”. Proceedings of the 1990 IEEE Symposium on Security and Privacy. 5/1990.
Issues to be resolved:
1. Impersonation of a server by a rogue process
2. Interception / modification of data exchanged between servers
3. Replay of a previous authentication
Approach:
• Creation of a session key using public keys
• The session key is used to encrypt further communications between the servers.
Implementation issues: public key distribution & certification

Kerberos
Kerberos (Greek): a 3-headed dog that in Greek mythology guards the entrance to Hades
[Steiner, J., Neuman, C., and J. Schiller, 1988] "Kerberos: An Authentication Service for Open Network Systems", pp. 191-202 in Usenix Conference Proceedings, 2/1988.
[Kohl, J. and C. Neuman, 1993] The Kerberos Network Authentication Service (V5). RFC1510. 9/1993.
Purpose: authentication in distributed systems

Two types of servers:
A Kerberos server (KS) – establishes a session key between a user and the TGS
A ticket granting server (TGS) – grants a ticket to a user requesting access to a resource

Kerberos
Using Kerberos:
1. The user obtains a session key (SG) and a ticket (TG) from the KS. The KS also sends the session key and the user’s id to the TGS. (Fig. 9-21, p.413)
Q. What is the session key for?
Q. What information is contained in the ticket?
Q. To whom would the user present the ticket?
Q. Does the user transmit his password to the KS?
2. The user requests access to an object by obtaining from the TGS a ticket (TF) and a session key (SF). (Fig. 9-22)
Q. What is the session key for?
Q. What information is contained in the ticket? SF (p.414)
Q. To whom would the user present the ticket? Fig. 9-23
Q. Can the ticket be read, modified or forged? Why or why not?

Kerberos
Strength:
+ No passwords are transmitted on the network.
+ Cryptographic protection against spoofing: Every access is checked by the TGS and the respective resource server.
+ Limited period of validity: Every ticket has a time stamp.
+ Time stamps to prevent replay attack: Use of a reliable universal clock is required.
+ Mutual authentication: A secure channel between a user and a server can be established, via the use of a ticket and a session key. Both the server and the user can authenticate each other. How?
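Added example (not from the original slides and not Kerberos's own code): a toy model of the second exchange, with ticket TF and session key SF, showing why a ticket cannot be read, modified or forged without the resource server's key, how the time stamp bounds validity, and how the server's reply gives mutual authentication. The SHA-256 keystream with HMAC stands in for a real cipher; the function names, the 300-second lifetime, the 120-second clock skew and the replay cache are assumptions of this example.

```python
import hashlib, hmac, json, os

def _stream(key, nonce, n):
    # Toy keystream (SHA-256 in counter mode) standing in for a real cipher.
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, obj):
    """Encrypt a JSON object under key, then append a MAC over the result."""
    pt = json.dumps(obj).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("seal check failed: modified, or sealed under another key")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

def tgs_issue(server_key, user, now, lifetime=300):
    """TGS side: return (SF, TF). Only the resource server can open TF."""
    sf = os.urandom(32)
    tf = seal(server_key, {"user": user, "sf": sf.hex(), "expires": now + lifetime})
    return sf, tf

def make_authenticator(sf, user, now):
    """User side: prove possession of SF at this moment in time."""
    return seal(sf, {"user": user, "ts": now})

class ResourceServer:
    def __init__(self, key, skew=120):
        self.key, self.skew, self.seen = key, skew, set()

    def accept(self, tf, authenticator, now):
        ticket = unseal(self.key, tf)              # forged or altered tickets fail here
        if now > ticket["expires"]:
            raise ValueError("ticket expired")
        sf = bytes.fromhex(ticket["sf"])
        auth = unseal(sf, authenticator)
        if auth["user"] != ticket["user"] or abs(now - auth["ts"]) > self.skew:
            raise ValueError("stale or mismatched authenticator")
        if (auth["user"], auth["ts"]) in self.seen:
            raise ValueError("replayed authenticator")
        self.seen.add((auth["user"], auth["ts"]))
        # Mutual authentication: only a holder of SF can produce this reply.
        return seal(sf, {"ts": auth["ts"] + 1})
```

The user never sees the server's key and the server never sees a password; both sides rely only on what the TGS sealed for them, which is also why the clocks must agree.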
Kerberos
Weakness:
• A continuously available TGS is required. Both reliability and performance may be potential problems.
• Trust between the TGS and every server is required. Trust in a distributed environment is hard to establish.
• Timely transactions are required.
• A subverted workstation can save and later replay user passwords.
• Password guessing works.
• Kerberos does not scale well. Why? Fig. 9-23, p.415.
• To enable the use of Kerberos in a distributed system, it is required that all applications use Kerberos.
Q. Can the Kerberos server and the TGS be combined? Yes (see DCE).
Q. What are the trade-offs?

Distributed Computing Environment
An OSF project, 1992 (now the Open Group, http://www.opengroup.org/dce/)
OSF DCE provides a foundation on which other distributed services and applications may be built. Fig. 9-24, p.416.
DCE is called "middleware" or "enabling technology". It is not intended to exist alone, but instead should be bundled into a vendor's operating system offering, or integrated in by a third-party vendor.
DCE is not an application in itself, but is used to build custom applications or to support purchased applications.
The security service in DCE is based on Kerberos, with the KS and the TGS combined into a Security Server.
A cell is an administrative domain, consisting of the set of subjects and objects managed together.
OSF Distributed Computing Environment FAQ
DCE RFCs

SESAME
A European Commission R&D project
Similar to DCE
It uses Kerberos extensively.
It preceded both Kerberos and DCE in use of public key
technology for secure authentication and distributing privilege
attributes and tickets to users.
Note: Both Kerberos and DCE used symmetric keys initially,
but have moved to support public keys.

CORBA
Common Object Request Broker Architecture
An OMG specification, http://www.omg.org/corba/
An ORB is a traffic director that joins clients’ requests to appropriate servers.
Cross-platform interoperability
“Using the standard protocol IIOP (Internet Inter-ORB Protocol), a CORBA-based program from any vendor, on almost any computer, operating system, programming language, and network, can interoperate with a CORBA-based program from the same or another vendor, on almost any other computer, operating system, programming language, and network.”
(http://www.omg.org/gettingstarted/corbafaq.htm#WhatIsIt)

CORBA
The separation of interface from implementation,
enabled by OMG IDL, is the essence of CORBA.

CORBA Security Services
OMG standards define two levels of CORBA security services.
• Level 1 is intended for applications that may need to be secure, but where the code itself need not be aware of security issues. In such a case, all security operations should be handled by the underlying ORB.
• Level 2 supports other advanced security features, and the application is likely to be aware of these.

Most of CORBA’s security features are built into the underlying IIOP protocol, which supports secure communication using cryptography.
Mutual authentication is possible between the server and the user.

CORBA
Strength of CORBA:
• Flexibility of security policy: Any security policy may be supported, at the level of the ORB.
• Independence of security technology: security technology neutral
• Interoperability

Drawback:
• CORBA specifications describe the means by which security functionality can be linked to a CORBA object, but there is no requirement to do so.
• Implementations of the CORBA specification vary widely in terms of supported functionalities.

Network Security Controls:
Traffic control
Traffic (flow) analysis: an attack launched by an interceptor who examines the traffic of a network to gather and/or to infer information
The mere existence of messages flowing from one point to another can be sensitive information.
Examples: p.418

Control against traffic analysis:
Spurious messages between points of low traffic

Network Security Controls:
Data Integrity Control
The goal: To ensure that data is correctly stored, communicated, and modified in the network
Types of controls:
1. Cryptographic checksums
2. Parity bits
   Byte parity bit: 1 if the sum of bits in a byte is even; 0 otherwise
   Longitudinal parity bit + byte parity bit: p.421
3. Other error checking codes: hash value, message digest
4. Digital signatures: In a network, digital signatures are used to check authenticity of a message and also to enable auditability/traceability of data change.
5. Notarization: a 3rd party authority (notary) between two users in a network
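Added example (not from the original slides): byte parity plus a longitudinal parity byte locating an accidental single-bit error, set against a cryptographic checksum for a deliberate change. Anyone who alters the data can recompute parity, while the keyed checksum cannot be recomputed without the key. HMAC-SHA256 as the checksum, the per-column convention for the longitudinal byte and the sample message are assumptions of this example.

```python
import hashlib
import hmac

def byte_parity(b):
    # Convention from the slide: 1 if the byte has an even number of 1 bits, else 0.
    return 1 if bin(b).count("1") % 2 == 0 else 0

def protect(data):
    """Return (list of byte parity bits, longitudinal parity byte)."""
    column_xor = 0
    for b in data:
        column_xor ^= b
    # Assumption: the same convention is applied to each of the 8 bit columns.
    return [byte_parity(b) for b in data], ~column_xor & 0xFF

def locate_error(data, parities, longitudinal):
    """None if the parities agree, (index, bit mask) for one flipped bit,
    ValueError if the damage is wider than the two parities can pinpoint."""
    rows = [i for i, b in enumerate(data) if byte_parity(b) != parities[i]]
    cols = protect(data)[1] ^ longitudinal
    if not rows and cols == 0:
        return None
    if len(rows) == 1 and bin(cols).count("1") == 1:
        return rows[0], cols
    raise ValueError("multi-bit error: detected but not correctable")

def checksum(key, data):
    # Cryptographic checksum: HMAC-SHA256 here, one possible keyed construction.
    return hmac.new(key, data, hashlib.sha256).digest()

def verify(key, data, tag):
    return hmac.compare_digest(checksum(key, data), tag)

def demo():
    key, msg = b"k" * 32, b"PAY 100 TO BOB"      # constructed sample values
    parities, longitudinal = protect(msg)
    tag = checksum(key, msg)
    noisy = bytes([msg[0] ^ 0x04]) + msg[1:]     # accidental single-bit flip
    forged = b"PAY 900 TO EVE"                   # deliberate change, parity recomputed
    return (locate_error(noisy, parities, longitudinal),   # error located
            locate_error(forged, *protect(forged)),        # parity sees nothing
            verify(key, forged, tag))                      # checksum rejects it
```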
Electronic Mails
Security Goals vs Threats

Goals               Threats
confidentiality     1. interception
integrity           2. interception and subsequent replay
                    3. content modification
                    4. content forgery by outsider
                    5. content forgery by recipient
                    6. origin forgery by recipient
authenticity        7. origin modification
                    8. origin forgery by outsider
nonrepudiation      • Threats 2 through 8 above
reliable delivery   • interception (blocked delivery)
                    • denial of message transmission

Privacy-enhanced E-Mails (PEM)
Internet standards
1987: RFC989 (PEM version 1)
1989: RFC1113 (version 2)
1993: RFC1421, 1422, 1423, 1424 (Part I, II, III, IV), version 3
Protection of privacy-enhanced emails occurs in the body of the message. The header of the message is not changed to ensure compatibility with the then existing email systems.

Overview: Fig. 9-27, 9-28 (p.424)
1) The message header and body are encrypted under a symmetric key, K → E(message, K)
2) K is encrypted by the recipient’s public key → Rpub(K)
3) A duplicate header is prepended to the message, which contains both Rpub(K) and E(message, K).
Q: In step 2, can a symmetric key, instead of the recipient’s public key, be used to encrypt the message key?

Privacy-enhanced E-Mails (PEM)

The answer: YES. See p.425.
Q: What would be the requirements if a symmetric key is used?
Proc-Type field: processing type
DEK-Info field: data exchange key field
Key-Info: key exchange

Message encryption: DES
Key exchange: DES or RSA
In principle, any encryption algorithm can be used.

Privacy-enhanced E-Mails (PEM)
Security features:
Confidentiality – message encryption
Authenticity - ?
Nonrepudiability - ?
Integrity - ?
Answers: p.425

Privacy-enhanced E-Mails (PEM)

Advantages:
The user may choose to use PEM or not in sending an email.
PEM provides strong end-to-end security for emails.

Problems?
1. Key management
2. The end points may not be secure.

Yet another privacy enhanced email protocol: PGP: p.426

Firewalls
Q: Which is more important, protection of emails or
protection of network-connected resources?
A firewall works in a way similar to a filter, which lets
through only desirable interactions while keeping all others
out of the protected network.
Analogy: a gate keeper, a security gateway
A firewall is a device or a process that filters all traffic
between a protected (inside) network and a less trustworthy
(outside) network.
Scenarios:
o Internal users sending company secrets outside
o Outside people breaking into systems inside

Firewalls
Alternative security policies:
• To block all incoming traffic, but allow outgoing traffic to
pass.
• To allow accesses only from certain places
• To allow accesses only from certain users
• To allow accesses for certain activities (such as specific port
numbers)
o Port 79: finger; Port 23: telnet; Port 513: rlogin;
o Port 21: ftp; Port 177: X Windows
o ICMP messages: the PROTOCOL field of IP header = 1

o Each of these mechanisms is a potential back door into the system.

Types of Firewalls
Screening Routers
• The simplest, but may be the most effective type of
firewalls.
• A router plays the role of a ‘gateway’ between two
networks. (Fig. 7-31)
• A screening router takes advantage of a router’s ability of
“screening” passing-through packets and forwards only
packets that are desirable.
• Example: Fig. 7-32.
• A router has a unique advantage because it sits between
an outside and the inside network. (Fig. 7-33)
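Added example (not from the original slides): a header-only screening decision with an ordered rule list and a default of deny, using the policy "block incoming, allow outgoing" and the port numbers from the earlier slide on security policies. The addresses, the ACK-bit rule for replies and the check for an inside source address arriving on the outside interface are assumptions of this example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INSIDE = ip_network("192.0.2.0/24")   # constructed protected network
ICMP, TCP = 1, 6                      # values of the IP header PROTOCOL field
# Services the slides name as potential back doors, with the port numbers given there.
RISKY = {79: "finger", 23: "telnet", 513: "rlogin", 21: "ftp", 177: "X Windows"}

@dataclass
class Packet:
    iface: str          # interface the packet arrived on: "outside" or "inside"
    src: str
    dst: str
    proto: int
    dport: int = 0
    ack: bool = False   # TCP ACK set, i.e. not the first packet of a connection

def is_inside(addr):
    return ip_address(addr) in INSIDE

# Ordered rules: the first match decides; a packet matching none is denied.
RULES = [
    ("deny", "spoofed inside source on outside interface",
     lambda p: p.iface == "outside" and is_inside(p.src)),
    ("deny", "inbound ICMP",
     lambda p: p.iface == "outside" and p.proto == ICMP),
    ("deny", "inbound risky service",
     lambda p: p.iface == "outside" and p.proto == TCP and p.dport in RISKY),
    ("allow", "reply to an outgoing connection",
     lambda p: p.iface == "outside" and p.proto == TCP and p.ack and is_inside(p.dst)),
    ("allow", "outgoing traffic",
     lambda p: p.iface == "inside" and is_inside(p.src) and not is_inside(p.dst)),
]

def screen(pkt):
    """Return (verdict, reason) for one packet header."""
    for verdict, reason, match in RULES:
        if match(pkt):
            return verdict, reason
    return "deny", "default deny"
```

Every decision here uses header fields only, which is the limit that proxy gateways and guards address by examining content.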

Types of Firewalls
Proxy Gateways
• “proxy”: authority or power to act for another
• A firewall that simulates the effects of an application by
running “pseudo-applications”.
• To the inside it implements part of the application
protocol to make itself look as if it is the outside
connection.
• To the outside it implements part of the application
protocol to act just like the inside process would.

• It examines the content, not just the header, of a packet.

Types of Firewalls
Guards
• A “sophisticated” proxy firewall
• A guard firewall examines and interprets the content of a
packet.
• A guard usually implements and enforces certain
business policies.
• Example: enforcing an email “quota”
• Other examples
• Trade-offs?
• Table 7-3 Comparing the types of firewalls

Firewalls
Examples of Firewall Configurations
• Screening router only: Fig. 7-35
• Proxy firewall only: Fig. 7-36
• A combined approach: Fig. 7-37
Q: Does it make sense to reverse the position of the
screening router and the proxy firewall in Fig. 7-37?

DMZ (Demilitarized zone)

The segment in a network bounded by two firewalls.

Considerations about Firewalls

Firewalls provide perimeter protection of a network, if the network’s perimeter is clearly defined and can be controlled by the firewall.
A firewall is a prime target to attack.
A firewall does not solve all security problems. Why not?
A firewall may have a negative effect on software portability.

Summary

Network security is a rich area, in terms of complexity of the problem and research opportunities.
• Intrusion detection
• Honeypots
• Security versus performance
• …
