The role of identity
David D. Clark
July, 2012


The role of identity
A requirement for identity comes up often:
- Detect misdirection attacks on communication.
- Detect invalid (unauthentic) pieces of information.
- Validate identity/authority of incoming connections to prevent infiltration attacks.
- Allow application/network to pick desired communication pattern, to insert the desired degree of checking into the path between communicating parties, depending on the degree of trust between the parties.
- Hold parties accountable for their actions.
Should a future Internet include identity mechanisms?

Designing identity schemes
There is more than one way we could approach identity.
- A private matter among end-nodes. E.g. encrypted or meaningless except at end points.
- Signal of identity that is visible in the network. Surveillance cameras in cyberspace. Facilitate both policing (perhaps) and repression.
- Third-party credentials vs. continuity-based familiarity.
- Revocable anonymity. Anonymity can only be revoked by its creators.
Probably need all in different circumstances, so architecture should not constrain.
These are not choices to be made by technologists alone. Need a multi-disciplinary conversation.
I am very fearful of getting this wrong.

Deterrence and identity
- Deterrence implies the ability to impose a cost on an actor that carries out an inappropriate action.
- Which implies the need to identify the actor.
- Which has led to calls in Washington for an “accountable” Internet.
- Which could be both ineffective and harmful.

Consider attribution as a tool
- Sort out various dimensions of attribution. Person, machine, aggregate entity. Private vs. visible.
- Identify key non-technical issues. Jurisdiction. Variation in laws and norms.
- Relate to design of attacks. Multi-stage attacks.
- Draw a few conclusions.

Attribution today—packets
At the packet level, IP addresses.
- Directly identify a machine.
- Only indirectly linked to person. DMCA and the RIAA. Rules depend on jurisdiction.
- Can be mapped (imprecisely) to larger aggregates such as countries and institutions. Commercial practice today for web queries.
- Can be forged, but too much is made of that.
- Can be observed in the network by third parties.

Attribution today--applications
Many applications include methods by which each end can verify the identity of the others. Banking.
- Sometimes a third party is involved. E-commerce, certificates.
- Sometimes the identity is private to the parties. Self-signed certificates.
- Sometimes the goal is “no identity”. Sites providing health information.
Identity information can be hidden in transit.

A seeming dichotomy
Two kinds of attribution.
- Machine-level visible to third parties.
- Personal identity selectively deployed and private to the end-points.
Is this structure an accident? Not really. Consistent with a general approach to do “no more than necessary” as a requirement.

What sort of deterrence?
- Criminal prosecution. Might seem to require “person-level” identity of forensic quality. But this may not be right. Prosecutors like physical evidence. Use of network-based attribution may be more important in guiding the investigation.
- Espionage. Often want to assign responsibility to an institution or a state.
- Cyber-warfare. Again, need state/actor-level attribution.

Anti-attribution
- Critical for many purposes.
- Current approaches: TOR, Freegate, VPNs.
- Note: they serve to mask IP-level information.

Designing attacks
- Many attacks are “multi-stage”. Person at computer A penetrates machine B to use it as a platform to attack machine C. DDoS is obvious example, but not only one.
- Intended to make attribution harder. Attackers are clever. A form of identity theft.
- Tracing an attack “back to A” implies: Support at intermediate points: issue of jurisdiction. Use of machine addresses.

Issues of jurisdiction
- Many sorts of variation. Rules for binding identity to IP addresses. Rules for when this can be disclosed. And to whom. Support for timely traceback of multi-stage attacks.
- Attackers “venue-shop”.
- Might imply a two-level response. Both at the actor and the jurisdiction level.
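
An added example, not part of the original slides, for the two slides above on multi-stage attacks and jurisdiction: a forensic traceback that follows machine addresses upstream through per-host session logs and stops where an intermediate operator does not disclose them. The `Conn` record, `trace_back`, the log layout, the time-overlap heuristic and all addresses are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Conn:
    src: str      # source machine address
    dst: str      # destination machine address
    start: float  # session open time, seconds
    end: float    # session close time, seconds

def trace_back(attack, logs):
    """Follow machine addresses upstream from the connection seen at the victim.

    logs maps a host address to the inbound sessions it recorded, or to None
    when its operator will not disclose them. Returns (path, status), where
    path runs from the victim back toward the source.
    """
    path, current = [attack.dst, attack.src], attack
    while True:
        host = current.src
        recorded = logs.get(host)
        if recorded is None:
            return path, "no-logs"          # trace ends at this jurisdiction
        # Heuristic (assumed): an inbound session open when the outbound hop began.
        live = [c for c in recorded
                if c.dst == host and c.start <= current.start <= c.end]
        if not live:
            return path, "apparent-origin"  # no controlling session observed
        if len(live) > 1:
            return path, "ambiguous"        # several candidates, needs an analyst
        if live[0].src in path:
            return path, "loop"
        current = live[0]
        path.append(current.src)

# Constructed sample data, using documentation address ranges.
A, B1, B2, C = "198.51.100.7", "203.0.113.20", "203.0.113.99", "192.0.2.10"
ATTACK = Conn(B2, C, 1000, 1060)            # what the victim C observed
FULL_LOGS = {
    B2: [Conn(B1, B2, 990, 1100), Conn("198.51.100.200", B2, 100, 200)],
    B1: [Conn(A, B1, 980, 1120)],
    A: [],
}
PARTIAL_LOGS = {**FULL_LOGS, B1: None}      # B1's operator does not cooperate

if __name__ == "__main__":
    print(trace_back(ATTACK, FULL_LOGS))
    print(trace_back(ATTACK, PARTIAL_LOGS))
```

With every intermediate log available the path reaches A; with one operator withholding logs it ends at that stepping stone, and the address the victim saw says nothing about A.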

Identity schemes invite deception
- Both a human and a technical problem.
- How do you know what information to trust? Credentials? Continuity? Collaborative filtering (trust again).
- Identity itself should be rich and heterogeneous. Integrity through availability.
- How can we avoid illusion on the screen?
- Remember that a human is not always present. Need ability (perhaps in restricted circumstances) to delegate decision to a program.

Some conclusions
- IP addresses are more useful than sometimes thought.
- Any proposals/policies for better attribution should take into account: Multi-stage attacks. The need for “anti-attribution”.
- Cross-jurisdiction issues are central. Within one jurisdiction, with a single stage activity, RIAA has demonstrated deterrence.

More conclusions
- Research should focus on mitigating multi-stage attacks, not “better tools for identity”.
- Multi-stage attacks imply identity theft.
- Solutions will not be purely technical.
- Redesign of applications can mitigate many problems. Problems arise at that level… Integrate attribution into the application in ways consistent with needs of the dominant actor. Tight controls or none, depending on circumstances. Different patterns of communication.

A final issue—private association
- An essential characteristic of a civil society is freedom of association. Can join and leave groups at will. Can participate without fear or harassment. “Private association”.
- Protection can be legal or technical. Should we try for technical?
- Any form of identity revealed in the network provides a basis for third parties to observe patterns of association. In vocabulary of security: traffic analysis.
- But this is what is being called for to attribute bad actions to perpetrators. What constitutes a bad action, and who gets to say?
- Technology works the same everywhere.

My conclusion
- Better tools for personal attribution should not be a primary part of a future Internet. Does not do much good; does much harm.
- Applications should tailor their use of identity to the specifics of the situation.