CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.

Slides:



Advertisements
Similar presentations
CMSC 414 Computer (and Network) Security Lecture 22 Jonathan Katz.
Advertisements

Chapter 14 – Authentication Applications
Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
Grid Computing, B. Wilkinson, 20045a.1 Security Continued.
Extended Validation Models in PKI Alternatives and Implications Marc Branchaud John Linn
1 Lecture 13: Public Key Infrastructure terms PKI trust models –monopoly with registration authorities with delegated certificate authorities –oligarchy.
COEN 350 Public Key Infrastructure. PKI Task: Securely distribute public keys. Certificates. Repository for retrieving certificates. Method for revoking.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.
Lecture 23 Internet Authentication Applications
CMSC 414 Computer (and Network) Security Lecture 26 Jonathan Katz.
Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.
CMSC 414 Computer (and Network) Security Lecture 17 Jonathan Katz.
16.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 9: Planning and Managing Certificate Services.
Security Overview Hofstra University University College for Continuing Education - Advanced Java Programming Lecturer: Engin Yalt May 24, 2006.
 Authorization via symmetric crypto  Key exchange o Using asymmetric crypto o Using symmetric crypto with KDC  KDC shares a key with every participant.
 Guarantee that EK is safe  Yes because it is stored in and used by hw only  No because it can be obtained if someone has physical access but this can.
CMSC 414 Computer (and Network) Security Lecture 15 Jonathan Katz.
CMSC 414 Computer (and Network) Security Lecture 21 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 15 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 19 Jonathan Katz.
CMSC 414 Computer (and Network) Security Lecture 16 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 16 Jonathan Katz.
Use of Kerberos-Issued Certificates at Fermilab Kerberos  PKI Translation Matt Crawford & Dane Skow Fermilab.
CMSC 414 Computer and Network Security Lecture 20 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 19 Jonathan Katz.
CN1276 Server Kemtis Kunanuraksapong MSIS with Distinction MCTS, MCDST, MCP, A+
CMSC 414 Computer and Network Security Lecture 24 Jonathan Katz.
1 Representing Identity CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute April 19, 2004.
Kemal AkkayaWireless & Network Security 1 Department of Computer Science Southern Illinois University Carbondale CS 591 – Wireless & Network Security Lecture.
CMSC 414 Computer and Network Security Lecture 18 Jonathan Katz.
CS470, A.SelcukPKI1 Public Key Infrastructures CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
Topic 11: Key Distribution and Agreement 1 Information Security CS 526 Topic 11: Key Distribution & Agreement, Secure Communication.
INTRODUCTION Why Signatures? A uthenticates who created a document Adds formality and finality In many cases, required by law or rule Digital Signatures.
Wolfgang Schneider NSI: A Client-Server-Model for PKI Services.
1 Lecture 11 Public Key Infrastructure (PKI) CIS CIS 5357 Network Security.
ECE454/599 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2012.
NENA Development Conference | October 2014 | Orlando, Florida Security Certificates Between i3 ESInet’s and FE’s Nate Wilcox Emergicom, LLC Brian Rosen.
Configuring Directory Certificate Services Lesson 13.
XMPP Concrete Implementation Updates: 1. Why XMPP 2 »XMPP protocol provides capabilities that allows realization of the NHIN Direct. Simple – Built on.
Security Overview  System protection requirements areas  Types of information protection  Information Architecture dimensions  Public Key Infrastructure.
Harshavardhan Achrekar - Grad Student Umass Lowell presents 1 Scenarios Authentication Patterns Direct Authentication v/s Brokered Authentication Kerberos.
Module 9: Designing Public Key Infrastructure in Windows Server 2008.
CMSC 414 Computer and Network Security Lecture 16 Jonathan Katz.
Configuring and Troubleshooting Identity and Access Solutions with Windows Server® 2008 Active Directory®
Fall 2010/Lecture 321 CS 426 (Fall 2010) Key Distribution & Agreement.
Cryptography and Network Security Chapter 14 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.
1 Network Security Lecture 7 Overview of Authentication Systems Waleed Ejaz
Security fundamentals Topic 5 Using a Public Key Infrastructure.
Chapter 14: Representing Identity Dr. Wayne Summers Department of Computer Science Columbus State University
Digital Signatures and Digital Certificates Monil Adhikari.
Private key
CPS Computer Security Tutorial on Creating Certificates SSH Kerberos CPS 290Page 1.
CMSC 414 Computer and Network Security Lecture 20 Jonathan Katz.
Csci5233 Computer Security1 Bishop: Chapter 14 Representing Identity.
CMSC 414 Computer and Network Security Lecture 18 Jonathan Katz.
Pertemuan #8 Key Management Kuliah Pengaman Jaringan.
Prof. Reuven Aviv, Nov 2013 Public Key Infrastructure1 Prof. Reuven Aviv Tel Hai Academic College Department of Computer Science Public Key Infrastructure.
CAISO Public Key Infrastructure: Supporting Secure ICCP Leslie DeAnda Senior Information Security Analyst, Information Security, CAISO EMS Users Group.
Public Key Infrastructure. A PKI: 1. binds public keys to entities 2. enables other entities to verify public key bindings 3. provides services for management.
Key management issues in PGP
Cryptography and Network Security
Authentication Applications
Information Security message M one-way hash fingerprint f = H(M)
Message Digest Cryptographic checksum One-way function Relevance
Advanced Computer Networks
Presentation transcript:

CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz

Revocation  Revocation is a key component of a PKI –Secret keys stolen/compromised, user leaves organization, etc.  This is in addition to expiration dates included in certificates –Certificate might need to be revoked before expiration date –Expiration dates improve efficiency

Cert. revocation lists (CRLs)  CA issues signed list of (un-expired) revoked keys –Must be updated and released periodically –Must include timestamp –Verifier must obtain most recent CRLs before verifying a certificate  Using “delta CRLs” improves efficiency

OLRS  “On-line revocation server”  Verifier queries an OLRS to find out if a certificate is still valid  If OLRS has its own key, it can certify that a certificate is valid at a certain time

“Good lists”  The previous approaches basically use lists of “bad” certificates  Also possible to use a list containing only “good” certificates –Likely to be less efficient

Directories  PKIs do not require directories –Users can store and present their own certificate chains to a trust anchor  Directories can make things easier, and enable non-interactive setup

Finding certificate chains  Two approaches: work “forward” from target toward a trust anchor, or “backward” from trust anchor to target  The better approach depends on implementation details –For example, in system with name constraints, easier to work “backward”

Anonymity

Anonymity vs. pseudonymity  Anonymity –No one can identify the source of any messages –Can be achieved via the use of “persona” certificates (with “meaningless” DNs)  Pseudonymity –No one can identify the source of a set of messages… –…but they can tell that they all came from the same person

Levels of anonymity  There is a scale of anonymity –Ranges from no anonymity (complete identification), to partial anonymity (e.g., crowds),to complete anonymity –Pseudonymity is an orthogonal issue…

Anonymizers  Proxies that clients can connect to, and use to forward their communication –Primarily used for , http  Can also provide pseudonymity –This may lead to potential security flaws if mapping is compromised  Must trust the anonymizer… –Can limit this by using multiple anonymizers

Traffic analysis  If messages sent to r ers are not encrypted, it is easy to trace the sender  Even if encrypted, may be possible to perform traffic analysis –Timing –Message sizes –Replay attacks

Http anonymizers  Two approaches –Centralized proxy/proxies –“Crowds…”

Implications of anonymity?  Is anonymity good or bad? –Unclear… –Can pseudonymity help?

“Cookies”  Cookies are tokens containing state information about a transaction  May contain (for example): –Name/value; expiration time –Intended domain (cookie is sent to any server in that domain) No requirement that cookie is sent by that domain

Security violations?  Cookies potentially violate privacy –E.g., connecting to one server results in a cookie that will be transmitted to another  Storing authentication information in a cookie is also potentially dangerous (unless cookie is kept confidential, or other methods are used)

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.