Presentation is loading. Please wait.

Presentation is loading. Please wait.

CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz."— Presentation transcript:

1 CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz

2 Revocation  Revocation is a key component of a PKI –Secret keys stolen/compromised, user leaves organization, etc.  This is in addition to expiration dates included in certificates –Certificate might need to be revoked before expiration date –Expiration dates improve efficiency

3 Cert. revocation lists (CRLs)  CA issues signed list of (un-expired) revoked keys –Must be updated and released periodically –Must include timestamp –Verifier must obtain most recent CRLs before verifying a certificate  Using “delta CRLs” improves efficiency

4 OLRS  “On-line revocation server”  Verifier queries an OLRS to find out if a certificate is still valid  If OLRS has its own key, it can certify that a certificate is valid at a certain time

5 “Good lists”  The previous approaches basically use lists of “bad” certificates  Also possible to use a list containing only “good” certificates –Likely to be less efficient

6 Directories  PKIs do not require directories –Users can store and present their own certificate chains to a trust anchor  Directories can make things easier, and enable non-interactive setup

7 Finding certificate chains  Two approaches: work “forward” from target toward a trust anchor, or “backward” from trust anchor to target  The better approach depends on implementation details –For example, in system with name constraints, easier to work “backward”

8 Anonymity

9 Anonymity vs. pseudonymity  Anonymity –No one can identify the source of any messages –Can be achieved via the use of “persona” certificates (with “meaningless” DNs)  Pseudonymity –No one can identify the source of a set of messages… –…but they can tell that they all came from the same person

10 Levels of anonymity  There is a scale of anonymity –Ranges from no anonymity (complete identification), to partial anonymity (e.g., crowds),to complete anonymity –Pseudonymity is an orthogonal issue…

11 Anonymizers  Proxies that clients can connect to, and use to forward their communication –Primarily used for email, http  Can also provide pseudonymity –This may lead to potential security flaws if mapping is compromised  Must trust the anonymizer… –Can limit this by using multiple anonymizers

12 Traffic analysis  If messages sent to remailers are not encrypted, it is easy to trace the sender  Even if encrypted, may be possible to perform traffic analysis –Timing –Message sizes –Replay attacks

13 Http anonymizers  Two approaches –Centralized proxy/proxies –“Crowds…”

14 Implications of anonymity?  Is anonymity good or bad? –Unclear… –Can pseudonymity help?

15 “Cookies”  Cookies are tokens containing state information about a transaction  May contain (for example): –Name/value; expiration time –Intended domain (cookie is sent to any server in that domain) No requirement that cookie is sent by that domain

16 Security violations?  Cookies potentially violate privacy –E.g., connecting to one server results in a cookie that will be transmitted to another  Storing authentication information in a cookie is also potentially dangerous (unless cookie is kept confidential, or other methods are used)

Download ppt "CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz."

Similar presentations

CMSC 414 Computer (and Network) Security Lecture 22 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 22 Jonathan Katz.
Chapter 14 – Authentication Applications

Chapter 14 – Authentication Applications
Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.

Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
Grid Computing, B. Wilkinson, 20045a.1 Security Continued.

Grid Computing, B. Wilkinson, 20045a.1 Security Continued.
Extended Validation Models in PKI Alternatives and Implications Marc Branchaud John Linn

Extended Validation Models in PKI Alternatives and Implications Marc Branchaud John Linn
1 Lecture 13: Public Key Infrastructure terms PKI trust models –monopoly with registration authorities with delegated certificate authorities –oligarchy.

1 Lecture 13: Public Key Infrastructure terms PKI trust models –monopoly with registration authorities with delegated certificate authorities –oligarchy.
COEN 350 Public Key Infrastructure. PKI Task: Securely distribute public keys. Certificates. Repository for retrieving certificates. Method for revoking.

COEN 350 Public Key Infrastructure. PKI Task: Securely distribute public keys. Certificates. Repository for retrieving certificates. Method for revoking.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.

CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.

Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.
Lecture 23 Internet Authentication Applications

Lecture 23 Internet Authentication Applications
CMSC 414 Computer (and Network) Security Lecture 26 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 26 Jonathan Katz.
Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.

Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.
CMSC 414 Computer (and Network) Security Lecture 17 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 17 Jonathan Katz.
16.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.

16.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 9: Planning and Managing Certificate Services.

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 9: Planning and Managing Certificate Services.
Security Overview Hofstra University University College for Continuing Education - Advanced Java Programming Lecturer: Engin Yalt May 24, 2006.

Security Overview Hofstra University University College for Continuing Education - Advanced Java Programming Lecturer: Engin Yalt May 24, 2006.
 Authorization via symmetric crypto  Key exchange o Using asymmetric crypto o Using symmetric crypto with KDC  KDC shares a key with every participant.

 Authorization via symmetric crypto  Key exchange o Using asymmetric crypto o Using symmetric crypto with KDC  KDC shares a key with every participant.
 Guarantee that EK is safe  Yes because it is stored in and used by hw only  No because it can be obtained if someone has physical access but this can.

 Guarantee that EK is safe  Yes because it is stored in and used by hw only  No because it can be obtained if someone has physical access but this can.

Similar presentations

Ads by Google