Security architectures for distributed systems Flashcards
Introduction on Security architectures for distributed systems
- We’ve talked about single-machine security – but that’s not enough any more
- Multiple machines within a single workflow
- Multiple services being consumed
- So we need to consider the effects on security of having several machines co-operating
- Providing services
- Acting as user agents
How does Distribution make things more “insecure”?
Note: Accessing remote machines almost intrinsically introduces security problems.
- Fundamentally less information about users
- More points of attack
- Often more value in a given attack: attack the bank rather than just one customer
- Greater anonymity, harder to track
What is meant by a DDOS attack?
Meaning: A type of cyber attack that forces the system into a state where normal services are unavailable or where service provision is significantly degraded.
Note: Prevent anyone accessing the server, website, service, etc.
Note: Attack a router nearby or just flood it with fake traffic to prevent any genuine traffic getting through.
Note: Often this is enough, as businesses lose money as a result and customers’ access to services is disrupted.
What is meant by a Back-Door?
Meaning: A way to log into or control a system other than through the normal secured channels.
Note: Why is it used? Because sometimes a vendor or provider needs to get in when there’s a problem with the usual route.
Note: Programmers leave themselves a way to get in even if the regular security has been compromised or disabled.
- Perhaps require console (i.e., physical) access
- Perhaps an alternative network route in
- Perhaps different credentials
Problems:
1. The system’s owners may not know the back door exists, so it could amount to a zero-day exploit.
2. Even well-regulated back doors can be vulnerable.
Key-Note:
- What one person can devise, another can break.
- No-one has a monopoly on technical skills.
Notes on identifying users on remote machines
Note: Local machine has potentially more information about a user than a remote one.
- For example, can definitely determine that there’s a USB dongle in the USB slot (from local machine)
- It’s possible to undermine this, for example by re-soldering the hardware
- Difficult to do, may be obvious to a user
Note: A remote machine can’t have this level of confidence
- Relies on messages about the user, for example, “This USB dongle contains this information”, but has no direct evidence for it.
Note: Since the message comes from a remote machine:
- Machine might be compromised
- Machine’s hardware might have been changed (which isn’t visible)
Notes on Identity
Identity is more subtle in a large-scale setting.
- A username for each machine or service
- But not necessarily common across services
- How do we know someone here is the same there?
Many systems use email addresses as usernames
- Guaranteed to be unique
- Provide a route to confirmation: person needs to have access to the address to confirm its use
- Tricky to make robust to changes in address
* Badly-written sites use email addresses as primary database keys, and then can’t allow them to be changed.
Dangers of Passwords in a distributed environment
Extra dangers of passwords in a distributed environment.
- Replay: steal a password and re-present it
- Reuse: steal a password from one place, use it in many places – weakest link (again)
Password Managers are increasingly popular.
- Replay: don’t store actual passwords, or store them encrypted
- Reuse: generate long random password for each site
- Of course this makes them an attractive target
SSH Certificates to Identify users
- The Secure Shell ssh can use certificates instead of passwords. This involves the following:
- A keypair
- Public key is installed (somehow) onto all remote machines we want to log-in to
- Performs a key exchange algorithm to create a secure channel between the machines
- Possession of the private key is sufficient
- Often create multiple keypairs for different uses/roles
- If a key is compromised, the damage is limited
How can we identify users on a distributed environment?
- Passwords
- SSH Certificate
Out-sourcing security
Note: Because we have a system with lots of services, we have more flexibility in designing our security.
- In other words, rather than managing our usernames, passwords and 2FA ourselves, we can offload it to a trusted third party (such as Facebook, Twitter, Google, etc.).
Note: We can re-use the credentials from another service.
- Since many (most?) people have some form of social media, make use of these services’ credentials
- They have significant reputations to protect, so will tend to be careful with their security
- Let the experts deal with it.
Open Authorisation
Meaning: A standard that allows users to grant access to their data without sharing their login credentials.
Note: OAuth allows users to grant access to their data without sharing their login credentials. Instead, OAuth provides access tokens to third-party services.
Note: A structured bearer token protocol to re-use credentials.
- Access tokens delegate some permissions to client (possibly none).
Steps:
1. The client requests access token from authorisation server.
- This may generate an interaction with the user to confirm what permissions to delegate.
2. The client receives access token
- The access token can encode permissions that the user allows the client to exercise on their behalf.
3. The client presents token to resource server to manipulate its data.
Note: OAuth tokens also expire, and there’s a related protocol for re-acquiring a new one.
What are the advantages and disadvantages of delegating your authentication?
Pros:
1. Convenient (A single username/password to control)
2. You won’t need multiple passwords for multiple sites; instead you have one password linked to multiple sites.
3. Providers don’t have to build their own security infrastructure for authenticating users.
4. Shared Identity at many different services.
Note: Even if no permissions delegated the token is still useful as proof of identity
Cons:
1. Shared Identity makes profiling and surveillance easier.
2. Increases the damage that might be done by a breach
- Your shared account is now a prime target for potential theft.
Using biometrics for identifying users in a distributed environment
We can store faces/fingerprints
- Makes for a very tempting target.
- Can be re-used beyond the intended purpose.
Note: It is simply too risky to have biometric data stored on a central service; this makes it a target for theft.
Makes use of distribution
- Authenticate local devices (e.g., on a phone)
- Generate a hash (using biometric data) that can be used as a password.
- Use OAuth or similar to do the key exchange.
- Key-Note: Biometrics never leave the user device.
Identifying machines
Key-Note: Machines have identities too:
- MAC Addresses: a unique 12-digit hexadecimal number that identifies a device on a network.
- IP Addresses: a unique address that identifies a device on the internet.
- DNS Names: a memorable website name that is translated by the DNS into an IP Address.
When we build systems we typically make use of these identities.
- Remote log-in to a machine identified by its name.
- Opening a URL
This opens up some easy attacks, like easily-mistyped domains.
- Leveraging human limitations again.
Notes on DNS
Key-Note: The Domain Name System maps structured network and machine names to IP addresses.
Extra-Note: Like many internet services it’s a relic of a more trusting time.
- Returns information to anyone who asks.
- Utterly essential to network operations.
Key-Note: We can create more secure layers, such as constructing a list of “suspect/dodgy” domains and check for requests from them.