Presentation is loading. Please wait.

Presentation is loading. Please wait.

Csci5233 Computer Security1 Bishop: Chapter 14 Representing Identity.

Published byJodie Hunter Modified over 8 years ago

Similar presentations

Presentation on theme: "Csci5233 Computer Security1 Bishop: Chapter 14 Representing Identity."— Presentation transcript:

1 csci5233 Computer Security1 Bishop: Chapter 14 Representing Identity

2 csci5233 Computer Security2 Outline Introduction Naming & Certificates Identity on the web Anonymity

3 csci5233 Computer Security3 What is identity? An identity specifies a principal. –A principal is a unique entity. –What can be an entity? Subjects: users, groups, roles e.g., a user identification number (UID) identifies a user in a UNIX system Objects: files, web pages, etc. + subjects e.g., an URL identifies an object by specifying its location and the protocol used (such as http://sce.cl.uh.edu/).

4 csci5233 Computer Security4 Authentication vs identity Authentication binds a principal to a representation of identity internal to the computer. Two main purposes of using identities: –Accountability (logging, auditing) –Access control

5 csci5233 Computer Security5 Identity Naming and Certificates In X.509 certificates, distinguished names (that is, X.500 Distinguished Name) are used to identify entities. X.500 Distinguished Name e.g., /O=UHCL/OU=SCE/CN=Andrew Yang/L=Houston/SP=Texas/C=US e.g., /O=UHCL/OU=SCE/CN=UnixLabAdministrator/L=Ho uston/SP=Texas/C=US A certification authority (CA) vouches, at some level, for the identity of the principals to which the certificate is issued.

6 csci5233 Computer Security6 Structure of CAs [RFC 1422, S. Kent, 1993] Privacy Enhancement for internet Electronic Mail: Part II, Certificate- Based Key Management The certificate-based key management infrastructure organizes CAs into a hierarchical, tree-based structure. Each node in the tree corresponds to a CA. A Higher-level CA set policies that all subordinate CAs must follow; it certifies the subordinate CAs.

7 csci5233 Computer Security7 Certificates & Trust A certificate is the binding of an external identity to a cryptographic key and a Distinguished Name. If the certificate issuer can be fooled, all who rely on that certificate may also be fooled. The authentication policy defines the way in which principals prove their identities, relying on nonelectronic proofs of identity such as biometrics, documents, or personal knowledge.

8 csci5233 Computer Security8 Certificates & Trust The goal of certificates is to bind a correct pair of identity and public key. PGP certificates include a series of signature fields, each of which contains a level of trust. The OpenPGP specification defines 4 levels of trusts: 1.Generic: no assertions 2.Persona (i.e., anonymous): no verification of the binding between the user name and the principal 3.Casual: some verification 4.Positive: substantial verification

9 csci5233 Computer Security9 Certificates & Trust Issues with the OpenPGP’s levels of trusts: The trust is not quantifiable. The same terms (such as ‘substantial verification’) can imply different levels of assurance to different signers. The interpretations are left to the verifiers. The point: “Knowing the policy or the trust level with which the certificate is signed is not enough to evaluate how likely it is that the identity identifies the correct principal.” Other knowledge is needed: e.g., how the CA or signer interprets the policy and enforces its requirements

10 csci5233 Computer Security10 Identity on the Internet Host identity: How is a computer identified on the Internet? –ISO/OSI 7-layer model –The possibility of ‘spoofing’ a computer’s IP or MAC address Static vs Dynamic Identifiers –The NAT (Network Address Translation) protocol

11 csci5233 Computer Security11 Domain Name Services DNS provides an association between a host name and an IP address. If the association is corrupted, the identifier in question will be associated with the wrong host (sometimes the malicious one). Attacks on the DNS: Bellovin, Schuba

12 csci5233 Computer Security12 State and Cookies The HTTP protocol is a stateless protocol: basically request/response Other mechanisms (such as cookies or sessions) are needed to maintain states between a client and a server. Def. 14-4: A cookie is a token that contains information about the state of a transaction on a network. pp.369-370: Values in the cookies Cookies may contain sensitive information. Protecting the confidentiality of the cookies may be critical.

13 csci5233 Computer Security13 Anonymity on the Web Anonymity: The ability to hide the identity of a host When would anonymity be needed? Examples: anonymous remailers, mixers  More details in the ‘network security’ course

Download ppt "Csci5233 Computer Security1 Bishop: Chapter 14 Representing Identity."

Similar presentations

Chapter 10 Encryption: A Matter of Trust. Awad –Electronic Commerce 1/e © 2002 Prentice Hall 2 OBJECTIVES What is Encryption? Basic Cryptographic Algorithm.

Chapter 10 Encryption: A Matter of Trust. Awad –Electronic Commerce 1/e © 2002 Prentice Hall 2 OBJECTIVES What is Encryption? Basic Cryptographic Algorithm.
Smart Certificates: Extending X.509 for Secure Attribute Service on the Web October 1999 Joon S. Park, Ph.D. Center for Computer High Assurance Systems.

Smart Certificates: Extending X.509 for Secure Attribute Service on the Web October 1999 Joon S. Park, Ph.D. Center for Computer High Assurance Systems.
Security by Design A Prequel for COMPSCI 702. Perspective “Any fool can know. The point is to understand.” - Albert Einstein “Sometimes it's not enough.

Security by Design A Prequel for COMPSCI 702. Perspective “Any fool can know. The point is to understand.” - Albert Einstein “Sometimes it's not enough.
Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
Cryptography Chapter 7 Part 4 Pages 833 to 874. PKI Public Key Infrastructure Framework for Public Key Cryptography and for Secret key exchange.

Cryptography Chapter 7 Part 4 Pages 833 to 874. PKI Public Key Infrastructure Framework for Public Key Cryptography and for Secret key exchange.
Claudia Diaz, Hannelore Dekeyser, Markulf Kohlweiss, Girma Nigusse K.U.Leuven IDIS Workshop 29/05/2008 [Work done in the context of the ADAPID project]

Claudia Diaz, Hannelore Dekeyser, Markulf Kohlweiss, Girma Nigusse K.U.Leuven IDIS Workshop 29/05/2008 [Work done in the context of the ADAPID project]
Csci5233 Computer Security1 Bishop: Chapter 10 (Cont.) Key Management: Certificates.

Csci5233 Computer Security1 Bishop: Chapter 10 (Cont.) Key Management: Certificates.
1 ISA 562 Information Systems Theory and Practice 10. Digital Certificates.

1 ISA 562 Information Systems Theory and Practice 10. Digital Certificates.
HIT Standards Committee: Digital Certificate Trust – Policy Question for HIT Policy Committee March 29, 2011.

HIT Standards Committee: Digital Certificate Trust – Policy Question for HIT Policy Committee March 29, 2011.
Encryption and Firewalls Chapter 7. Learning Objectives Understand the role encryption plays in firewall architecture Know how digital certificates work.

Encryption and Firewalls Chapter 7. Learning Objectives Understand the role encryption plays in firewall architecture Know how digital certificates work.
CS470, A.SelcukE-mail Security1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

CS470, A.Selcuk Security1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
16.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.

16.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.
Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.

Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.
CMSC 414 Computer (and Network) Security Lecture 15 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 15 Jonathan Katz.
CMSC 414 Computer (and Network) Security Lecture 16 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 16 Jonathan Katz.
Cryptographic Technologies

Cryptographic Technologies
An Authentication Service Against Dishonest Users in Mobile Ad Hoc Networks Edith Ngai, Michael R. Lyu, and Roland T. Chin IEEE Aerospace Conference, Big.

An Authentication Service Against Dishonest Users in Mobile Ad Hoc Networks Edith Ngai, Michael R. Lyu, and Roland T. Chin IEEE Aerospace Conference, Big.
CMSC 414 Computer and Network Security Lecture 20 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 20 Jonathan Katz.
Copyright © 1995-2003 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE CSci530: Computer Security Systems Authentication.

Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE CSci530: Computer Security Systems Authentication.
1 Representing Identity CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute April 19, 2004.

1 Representing Identity CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute April 19, 2004.

Similar presentations

Ads by Google