Authentication Approaches Phillip Hallam-Baker VeriSign Inc.

Why?
Authentication + Authorization = Access Control
Authentication
–IP Address
–Cryptographic
Authorization
–Address Whitelists
–Domain Whitelists [example.com]
–Payment [$0.01 stamp]

How Strong is Enough?
LIST Kiddies
–Like a script kiddie, but they pay for the mailing list
–Actually a spam victim: they get worthless service in return
SPAM Houses
–Will adapt to heuristic authentication approaches
–But it will cost them

PKI
Infrastructure exists to
–Ensure that a party owns the purported domain name
–Ensure that legal process can be served on the certificate holder
–With a high (but not absolute) degree of confidence
SECURITY IS RISK CONTROL, NOT RISK ELIMINATION

Deployment Argument
Authentication Complements Filtering
–Network effect, aka Chicken and Egg problem
Avoid false positives
–Without creating backdoors: ‘Allow all mail from hotmail.com, they use rate limiting’
–Allows more aggressive criteria
Cryptographic Authentication is robust
–Asymmetric work factor
–No viable counter-strategies

Problem – Insecure by Default
Downgrade attack
–I can tell a signed message comes from the sender
–I cannot assume an unsigned message is false
Key is to know the security policy of the domain

DNS Based Security Policy
Reverse IP look up
–Some current use
–Only demonstrates that the IP address has been assigned
–IPv4 address exhaustion will make this uninteresting
–Configuration problem – servers handling 1000’s of domains
–Many ISPs do not delegate reverse DNS as they should
–‘Get a new ISP’ is an idiotic deployment strategy

Forward DNS
Address based authentication
–RCPT From [Vixie]
–Reverse MX
–Pro: Lightweight, almost costless
–Pro: Obsoletes most existing spamware
–Con: Could be vulnerable to new spamware
–Con: Some operational issues
–Con: Only works if mail from the domain is relayed

Generalized Security Policy
Security Policy Advertisement Mechanism
–Advertise any form of security policy
  ALWAYS comes from address X, Y or Z
  OPTIONAL uses STARTTLS, cert root has SHA1 P
  OPTIONAL uses S/MIME, cert root has SHA1 Q
  OPTIONAL uses PGP, validate against XKMS R
  NEVER uses NULL Authentication
–Can be generalized to other protocols: IPSEC, SSH, NNTP, POP, IMAP…
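The three slides above (the downgrade problem, address-based authentication from forward DNS, and the ALWAYS / OPTIONAL / NEVER policy statements) fit together as one receiver-side check. The following is an added example, not code from the slides or from VeriSign: it assumes a hypothetical line syntax for the policy record (`ALWAYS address ...`, `OPTIONAL <method> root-sha1 <hex>`, `NEVER null-auth`), uses a constructed in-memory table in place of DNS lookups, and uses constructed root hashes. The point it shows is the one the "Insecure by Default" slide makes: a domain with no published policy yields "unknown" rather than "fail", while a domain that advertises NEVER null-auth makes an unsigned message rejectable.

```python
"""Evaluate a sender domain's advertised security policy against an inbound message.

Added example (not from the slides). The policy-line syntax, the lookup table and
the sample messages are constructed for illustration.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed cert-root hashes standing in for the slide's "SHA1 P" and "SHA1 Q".
ROOT_P = "0123456789abcdef0123456789abcdef01234567"
ROOT_Q = "89abcdef0123456789abcdef0123456789abcdef"

# Constructed stand-in for DNS TXT lookups: sender domain -> advertised policy lines.
POLICY_RECORDS = {
    # Always relayed from a fixed address range; signing optional; never unauthenticated.
    "example.com": [
        "ALWAYS address 192.0.2.0/28 198.51.100.7",
        f"OPTIONAL smime root-sha1 {ROOT_Q}",
        "NEVER null-auth",
    ],
    # Only says what to expect if STARTTLS is used; says nothing about unsigned mail.
    "example.net": [f"OPTIONAL starttls root-sha1 {ROOT_P}"],
    # No fixed addresses, but refuses the downgrade: mail must carry S/MIME.
    "example.edu": [f"OPTIONAL smime root-sha1 {ROOT_Q}", "NEVER null-auth"],
}


@dataclass
class Message:
    sender_domain: str
    source_ip: str
    # method name -> SHA-1 of the cert root the message's signature/TLS chain ends at
    crypto_auth: dict = field(default_factory=dict)


def parse_policy(lines):
    """Turn policy lines into (keyword, subject, args) tuples; reject unknown keywords."""
    rules = []
    for line in lines:
        parts = line.split()
        if len(parts) < 2 or parts[0] not in {"ALWAYS", "OPTIONAL", "NEVER"}:
            raise ValueError(f"malformed policy line: {line!r}")
        rules.append((parts[0], parts[1], parts[2:]))
    return rules


def _ip_in(ip, entries):
    """True if ip matches any address or CIDR range in entries."""
    addr = ip_address(ip)
    for entry in entries:
        if "/" in entry:
            if addr in ip_network(entry, strict=False):
                return True
        elif addr == ip_address(entry):
            return True
    return False


def evaluate(msg, records=POLICY_RECORDS):
    """Return 'pass', 'fail' or 'unknown' for msg under its domain's policy."""
    lines = records.get(msg.sender_domain)
    if lines is None:
        # No policy published: the message is unauthenticated, not proven false.
        return "unknown"
    authenticated = False
    forbid_null = False
    for keyword, subject, args in parse_policy(lines):
        if keyword == "ALWAYS" and subject == "address":
            # Address-based authentication: the relay must be one the domain lists.
            if not _ip_in(msg.source_ip, args):
                return "fail"
            authenticated = True
        elif keyword == "OPTIONAL" and subject in msg.crypto_auth:
            # Message used this method, so its cert root must match the advertised one.
            expected = dict(zip(args[::2], args[1::2])).get("root-sha1")
            if expected is None or msg.crypto_auth[subject].lower() != expected.lower():
                return "fail"
            authenticated = True
        elif keyword == "NEVER" and subject == "null-auth":
            forbid_null = True
    if forbid_null and not authenticated:
        return "fail"  # the downgrade the slide describes: unsigned mail is not accepted
    return "pass" if authenticated else "unknown"


if __name__ == "__main__":
    for m in (Message("example.com", "192.0.2.5"),
              Message("example.edu", "203.0.113.9"),
              Message("example.org", "203.0.113.9")):
        print(m.sender_domain, m.source_ip, "->", evaluate(m))
```

The three-valued result matters operationally: "unknown" is the input a filter should keep scoring heuristically, "fail" is the only outcome that justifies rejection, and a domain moves itself from "unknown" to enforceable by publishing the NEVER line.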

This is Just a Bug. We Are Going to FIX IT.