Identity Management and DNS Services Tianyi XING.

Project Goal Establish a DNSSEC server so that each VM in the cloud system can be identified dynamically.

Project Description (cont.) So far, VMs in the mobicloud system have IP addresses and specific port numbers for remote access. But it is hard for a user to remember all the port numbers of the VMs, and impossible for users to communicate with other users via VMs in the cloud when they know only a user ID.

Project Description (cont.) Tasks – Research the DNSSEC protocol – Establish the DNSSEC service in our mobicloud: assign a domain name based on the user's ID; automatically generate the IP (can be multiple) and domain name (must be unique) pair; automatically update any change from the user so that users are still able to access their VMs from outside. Task allocation – Tianyi Xing 100%

Project Description (cont.) The project solves the following problems: – How public users locate and access a VM in our cloud's private network in a secure and easier way. – Assigning each VM a domain name based on the user's ID. For example, for user terry, the VM's domain name is probably terry.mobicloud.asu.edu, which gives users an easier way to access their VMs.
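The naming scheme above puts user-controlled input (the user ID) into a zone, so the part a practitioner most wants to see is the label validation, the uniqueness check and the update step. The following is an added example written for this page, not code from the project; it assumes the zone name mobicloud.asu.edu from the slides, an in-memory registry standing in for whatever the project stores, and nsupdate-style dynamic update as the update mechanism (the slides only say "automatically update"). The registry object and function names are the example's own.

```python
import ipaddress
import re

ZONE = "mobicloud.asu.edu"  # zone name taken from the slides
# One RFC 1123 hostname label: letters, digits and hyphens, no leading/trailing hyphen, max 63 chars.
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def label_from_user_id(user_id: str) -> str:
    """Derive the DNS label for a user's VM from the user ID.

    The label is the only part of the name the user controls, so it is
    normalised and strictly validated before it gets anywhere near a zone
    file or an update script (a user ID like "x; update add ..." is rejected).
    """
    label = user_id.strip().lower().replace("_", "-")
    if not LABEL_RE.fullmatch(label):
        raise ValueError(f"user id {user_id!r} does not map to a valid DNS label")
    return label


def is_valid_user_id(user_id: str) -> bool:
    try:
        label_from_user_id(user_id)
        return True
    except ValueError:
        return False


class VmNameRegistry:
    """Hypothetical (user id -> fqdn, set of IPs) table; one label belongs to one user."""

    def __init__(self, zone: str = ZONE):
        self.zone = zone
        self._by_label = {}  # label -> user id that owns it
        self._addrs = {}     # user id -> set of IP address strings

    def fqdn(self, user_id: str) -> str:
        return f"{label_from_user_id(user_id)}.{self.zone}."

    def owner_of(self, label: str):
        return self._by_label.get(label)

    def register(self, user_id: str, addresses) -> str:
        """Record the VM's current addresses (one or several, v4 or v6) and
        return the dynamic-update script that makes the zone reflect them."""
        label = label_from_user_id(user_id)
        owner = self._by_label.get(label)
        if owner is not None and owner != user_id:
            raise ValueError(f"label {label!r} already belongs to another user")
        self._by_label[label] = user_id
        # ipaddress.ip_address() rejects anything that is not a literal address.
        self._addrs[user_id] = {str(ipaddress.ip_address(a)) for a in addresses}
        return self.nsupdate_script(user_id)

    def nsupdate_script(self, user_id: str, ttl: int = 60) -> str:
        """Build an nsupdate batch: wipe the old A/AAAA RRsets, then add the
        current addresses, so a VM whose IP changed is updated atomically."""
        name = self.fqdn(user_id)
        lines = [f"zone {self.zone}.",
                 f"update delete {name} A",
                 f"update delete {name} AAAA"]
        for addr in sorted(self._addrs[user_id]):
            rtype = "AAAA" if ":" in addr else "A"
            lines.append(f"update add {name} {ttl} IN {rtype} {addr}")
        lines.append("send")
        return "\n".join(lines) + "\n"


if __name__ == "__main__":
    registry = VmNameRegistry()
    # Constructed sample: user terry's VM currently has two private addresses.
    print(registry.register("terry", ["10.0.0.6", "10.0.0.5"]))
```

The script text is what you would feed to `nsupdate` (ideally with a TSIG key, which is outside what the slides cover); in a signed zone the server re-signs the changed RRsets, so the dynamic name stays verifiable.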

Technical Details Software – OpenDNSSEC – Linux/Unix OS (Debian 5.0, Mac OS X 10.5, OpenBSD 4.4, Red Hat Enterprise Linux 5, Solaris 10 and Ubuntu 10.04) – XenServer – XenCenter Hardware – Server for OpenDNSSEC – Dell cloud server (several VMs) – Dell switch

DNS Today Name servers are subject to many types of attacks – Denial of service – Buffer overruns Name servers are (relatively) easily spoofed – Security measures (e.g., access lists) and mechanisms (e.g., credibility) can make spoofing more difficult, but not impossible

DNSSEC DNSSEC, the DNS Security Extensions, augments the current DNS standard to add – Data origin authentication – Data integrity checking DNSSEC supports data origin authentication and data integrity checking through the use of digital signatures

DNS Digital Signatures In DNSSEC, each zone has its own public and private key The zone’s private key is used to sign each RRset in the zone – An RRset comprises all resource records with the same owner, class and type – The digital signature for the RRset is added to the zone in the form of a new record type, called a SIG record

DNS Digital Signatures The zone’s public key is stored in another new record type, called a KEY record – The zone’s KEY record is signed, too, by the zone’s parent – This allows a name server that knows the parent zone’s public key to discover the subzone’s public key and verify it

What verification proves Verifying the DNS data – proves that the records your name server looked up really came from the right zone. For example, that the address of www.acmebw.com really came from the One True acmebw.com zone – proves the data hasn't been modified since it was signed
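The three slides above (per-RRset signatures, the zone key signed by the parent, and what a validator can then conclude) are easiest to see end to end in code. The following is an added example, not code from the presentation or from OpenDNSSEC: it uses a textbook RSA toy built from Mersenne primes (no padding, tiny keys, constructed purely for illustration and not a real DNSSEC algorithm) so that it runs with the standard library only, and it keeps the slides' KEY/SIG names even though current DNSSEC (RFC 4034) calls these records DNSKEY/RRSIG and uses padded RSA, ECDSA or EdDSA. The zone names, addresses and function names are the example's own assumptions.

```python
import hashlib


def toy_keypair(p, q, e=65537):
    """Textbook RSA from two primes: returns ((n, e) public, (n, d) private).
    Constructed for illustration only; never use unpadded RSA or keys this small."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return (n, e), (n, d)


def _digest(n, message):
    # Hash reduced modulo n so the toy signature operation is well defined.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(private_key, message):
    n, d = private_key
    return pow(_digest(n, message), d, n)


def verify(public_key, message, signature):
    n, e = public_key
    return pow(signature, e, n) == _digest(n, message)


def canonical_rrset(owner, rclass, rtype, rdatas):
    """Canonical form of one RRset (same owner, class and type): owner name
    lowercased, RDATA sorted. The signature covers the whole set, so a record
    cannot be dropped, added or altered without invalidating the SIG."""
    lines = sorted(f"{owner.lower().rstrip('.')}. {rclass} {rtype} {rd}" for rd in rdatas)
    return "\n".join(lines).encode()


def key_rrset(zone, public_key):
    n, e = public_key
    return canonical_rrset(zone, "IN", "KEY", [f"{n}:{e}"])


def verify_chain(trust_anchor, child_key_rrset, child_key_sig, rrset, rrset_sig):
    """What a validating resolver does: it knows only the parent's public key."""
    # 1. The child's KEY RRset must verify under the parent's key (signed by the parent).
    if not verify(trust_anchor, child_key_rrset, child_key_sig):
        return False
    # 2. Only now is the child's public key trusted; pull it out of the KEY RDATA.
    n, e = map(int, child_key_rrset.decode().rsplit(" ", 1)[1].split(":"))
    # 3. Verify the data RRset's SIG with the child zone key.
    return verify((n, e), rrset, rrset_sig)


# Constructed key pairs: asu.edu is the parent (the resolver's trust anchor),
# mobicloud.asu.edu is the child zone that signs the VM records.
PARENT_PUB, PARENT_PRIV = toy_keypair(2**19 - 1, 2**89 - 1)
CHILD_PUB, CHILD_PRIV = toy_keypair(2**31 - 1, 2**61 - 1)

CHILD_KEY_RRSET = key_rrset("mobicloud.asu.edu", CHILD_PUB)
CHILD_KEY_SIG = sign(PARENT_PRIV, CHILD_KEY_RRSET)        # parent signs the child's KEY

VM_RRSET = canonical_rrset("terry.mobicloud.asu.edu", "IN", "A", ["10.0.0.6", "10.0.0.5"])
VM_SIG = sign(CHILD_PRIV, VM_RRSET)                       # child zone signs the VM's A RRset


def demo():
    """Returns (genuine, tampered, rogue_key): only the genuine chain validates."""
    genuine = verify_chain(PARENT_PUB, CHILD_KEY_RRSET, CHILD_KEY_SIG, VM_RRSET, VM_SIG)
    # A cache-poisoning style change to one address: the SIG no longer matches.
    forged = canonical_rrset("terry.mobicloud.asu.edu", "IN", "A", ["192.0.2.99", "10.0.0.5"])
    tampered = verify_chain(PARENT_PUB, CHILD_KEY_RRSET, CHILD_KEY_SIG, forged, VM_SIG)
    # Re-signing the forged data with a self-made zone key fails too, because the
    # parent never signed that KEY: this is what the chain of trust buys you.
    rogue_pub, rogue_priv = toy_keypair(2**17 - 1, 2**61 - 1)
    rogue_key = key_rrset("mobicloud.asu.edu", rogue_pub)
    rogue = verify_chain(PARENT_PUB, rogue_key, sign(rogue_priv, rogue_key),
                         forged, sign(rogue_priv, forged))
    return genuine, tampered, rogue


if __name__ == "__main__":
    print(demo())  # expected: (True, False, False)
```

Step 2 of `verify_chain` is the point of the "KEY record signed by the parent" slide: without it a resolver would have to accept whatever key the answer carried, and the rogue case would validate.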

Zone file
acmebw.com. KEY 0x4101 3 3 (
    AvqyXgKk/uguxkJF/hbRpYzxZFG3x8EfNX389l7GX6w7rlLy
    BJ14TqvrDvXr84XsShg+OFcUJafNr84U4ER2dg6NrlRAmZA1
    jFfV0UpWDWcHBR2jJnvgV9zJB2ULMGJheDHeyztM1KGd2oGk
    Aensm74NlfUqKzy/3KZ9KnQmEpj/EEBr48vAsgAT9kMjN+V3
    NgAwfoqgS0dwj5OiRJoIR4+cdRt+s32OUKsclAODFZTdtxRn
    XF3qYV0S8oewMbEwh3trXi1c7nDMQC3RmoY8RVGt5U6LMAQ
    KITDyHU3VmRJ36vn77QqSzbeUPz8zEnbpik8kHPykJZFkcyj
    JZoHT1xkJ1tk )
The KEY record's fields are: – 0x4101, the flags field (use for confidentiality prohibited, zone key, valid for signing) – 3, the protocol octet (DNSSEC) – 3, the KEY algorithm number (DSA) – The public key itself
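To make the field decoding on this slide concrete, here is an added parser for a KEY record in zone-file presentation form (the slide's format, from RFC 2535). It is example code written for this page, not from the presentation or OpenDNSSEC; the field tables follow RFC 2535, and the sample record it parses is constructed with made-up key bytes rather than the slide's DSA key. Note that current DNSSEC (RFC 4034) replaced KEY with DNSKEY, whose flags field is simply 256 for a zone-signing key or 257 for a key-signing key, and that DSA (algorithm 3) is long deprecated.

```python
import base64
import re

# Meanings per RFC 2535 section 3.1 (the original KEY record used on the slide).
AUTH_CONF = {0: "authentication and confidentiality permitted",
             1: "use for confidentiality prohibited (authentication only)",
             2: "use for authentication prohibited (confidentiality only)",
             3: "no key (placeholder record)"}
NAME_TYPE = {0: "user/account key", 1: "zone key", 2: "non-zone entity (host) key", 3: "reserved"}
PROTOCOL = {1: "TLS", 2: "email", 3: "DNSSEC", 4: "IPSEC", 255: "all protocols"}
ALGORITHM = {1: "RSA/MD5", 2: "Diffie-Hellman", 3: "DSA"}

_KEY_LINE = re.compile(
    r"(\S+)\s+(?:(\d+)\s+)?(?:IN\s+)?KEY\s+"      # owner, optional TTL, optional class
    r"(0x[0-9A-Fa-f]+|\d+)\s+(\d+)\s+(\d+)\s+"   # flags, protocol, algorithm
    r"\(?\s*([A-Za-z0-9+/= ]+?)\s*\)?"           # base64 key, optionally in ( ... )
)


def decode_key_flags(flags: int) -> dict:
    """Split the 16-bit flags field (bit 0 = most significant, as in the RFC)."""
    return {
        "use": AUTH_CONF[(flags >> 14) & 0b11],       # bits 0-1
        "name_type": NAME_TYPE[(flags >> 8) & 0b11],  # bits 6-7
        "signatory": flags & 0b1111,                   # bits 12-15 (1 = valid for signing)
    }


def parse_key_record(text: str) -> dict:
    """Parse one KEY record. Parentheses let the base64 continue over several
    lines; all whitespace inside the key material is ignored, as in a zone file."""
    flat = " ".join(text.split())
    m = _KEY_LINE.fullmatch(flat)
    if not m:
        raise ValueError("not a KEY record in presentation format")
    owner, ttl, flags_text, proto, alg, b64 = m.groups()
    flags = int(flags_text, 16) if flags_text.lower().startswith("0x") else int(flags_text)
    key = base64.b64decode(b64.replace(" ", ""), validate=True)  # rejects stray characters
    return {"owner": owner, "ttl": int(ttl) if ttl else None, "flags": flags,
            **decode_key_flags(flags),
            "protocol": PROTOCOL.get(int(proto), f"unknown ({proto})"),
            "algorithm": ALGORITHM.get(int(alg), f"unknown ({alg})"),
            "public_key_bytes": len(key)}


# Constructed sample input: same shape as the slide's record, but the key bytes are made up.
KEY_BYTES = b"constructed sample key material, not a real DSA key"
_B64 = base64.b64encode(KEY_BYTES).decode()
SAMPLE_KEY_RECORD = ("acmebw.com. KEY 0x4101 3 3 ( "
                     + " ".join(_B64[i:i + 16] for i in range(0, len(_B64), 16)) + " )")

if __name__ == "__main__":
    for field, value in parse_key_record(SAMPLE_KEY_RECORD).items():
        print(f"{field:>17}: {value}")
```

Running it on the sample prints the same decoding the slide gives for 0x4101: confidentiality prohibited, zone key, signatory field 1, protocol DNSSEC, algorithm DSA.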

OpenDNSSEC features Scalable – Signed zones can contain anything from a few records up to millions of records. – A signed zone can be migrated from one OpenDNSSEC instance to another. Flexible – Works with many different versions of Unix-like OSes Secure – Stores sensitive cryptographic data in an HSM – Includes an auditing function that compares the incoming unsigned zone with the outgoing signed zone – Supports RSA/SHA1 and SHA2 signatures

Technical Details Network topology and requirements

Logical Design

Roadmap By mid-term – Establish a DNSSEC server within the mobicloud system – Configure the network to make sure the DNSSEC server serves its purpose in the mobicloud system By final – Complete its functionality: dynamically cooperate with the user ID and IP address; dynamically update the IP (ID) and domain pair – Documentation

Risk and Benefit Novel aspects of this project: – Dynamic DNSSEC for VMs of mobile devices – Secure DNS service in the mobicloud framework Risks/challenges: – How to cooperate with the user's ID authentication. Potential applications & benefits: – Dynamic DNSSEC management application

Thanks. Questions?