CSC 382: Computer SecuritySlide #1 CSC 382: Computer Security Identity.

Slides:



Advertisements
Similar presentations
Csci5233 Computer Security1 Bishop: Chapter 10 (Cont.) Key Management: Certificates.
Advertisements

Grid Security Infrastructure Tutorial Von Welch Distributed Systems Laboratory U. Of Chicago and Argonne National Laboratory.
Certification Authority. Overview  Identifying CA Hierarchy Design Requirements  Common CA Hierarchy Designs  Documenting Legal Requirements  Analyzing.
Grid Security. Typical Grid Scenario Users Resources.
Chapter 5 Network Security Protocols in Practice Part I
Lecture 5: security: PGP Anish Arora CIS694K Introduction to Network Security.
Authentication James Walden Northern Kentucky University.
Security Issues in Grid Computing Reading: Grid Book, Chapter 16: “Security, Accounting and Assurance” By Clifford Neuman.
CSCI283 Fall 2005 GWU All slides from Bishop’s slide set Public Key Infrastructure (PKI)
K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.
Linux+ Guide to Linux Certification, Second Edition Chapter 14 Network Configuration.
CMSC 414 Computer (and Network) Security Lecture 15 Jonathan Katz.
1 K. Salah Module 5.1: Internet Protocol TCP/IP Suite IP Addressing ARP RARP DHCP.
CMSC 414 Computer (and Network) Security Lecture 16 Jonathan Katz.
Chapter 29 Structure of Computer Names Domain Names Within an Organization The DNS Client-Server Model The DNS Server Hierarchy Resolving a Name Optimization.
November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #13-1 Chapter 14: Identity What is identity Multiple names for one thing Different.
Oct 21, 2004CS573: Network Protocols and Standards1 IP: Addressing, ARP, Routing Network Protocols and Standards Autumn
Security Management IACT 918 July 2004 Gene Awyzio SITACS University of Wollongong.
CMSC 414 Computer and Network Security Lecture 20 Jonathan Katz.
Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE CSci530: Computer Security Systems Authentication.
1 Representing Identity CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute April 19, 2004.
Introduction To Windows NT ® Server And Internet Information Server.
July 1, 2004Computer Security: Art and Science © Matt Bishop Slide #15-1 Chapter 14: Identity What is identity Multiple names for one thing Different.
1 Chapter 13: Representing Identity What is identity Different contexts, environments Pseudonymity and anonymity.
Browser and Basics Tutorial 1. Learn about Web browser software and Web pages The Web is a collection of files that reside on computers, called.
Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 4 “Overview”.
Internet Basics.
Understanding Networks Charles Zangla. Network Models Before I can explain how connections are made from across the country, I would like to provide you.
Forensic and Investigative Accounting
Computation for Physics 計算物理概論 Introduction to Linux.
CS526: Information Security Chris Clifton October 16, 2003 Authentication.
Csci5233 Computer Security1 Bishop: Chapter 27 System Security.
XP New Perspectives on Browser and Basics Tutorial 1 1 Browser and Basics Tutorial 1.
Csci5233 Computer Security1 Bishop: Chapter 14 Representing Identity.
Public Key Infrastructure (X509 PKI) Presented by : Ali Fanian.
Unit 1: Protection and Security for Grid Computing Part 2
Linux+ Guide to Linux Certification, Second Edition Chapter 14 Network Configuration.
Connecting The Network Layer to Data Link Layer. ARP in the IP Layer The Address Resolution Protocol (ARP) The Address Resolution Protocol (ARP) Part.
Introduction1-1 Data Communications and Computer Networks Chapter 6 CS 3830 Lecture 31 Omar Meqdadi Department of Computer Science and Software Engineering.
Public Key Infrastructure (X509 PKI) Presented by : Ali Fanian
1 Network Administration Module 3 ARP/RARP. 2 Address Resolution The problem Physical networks use physical addresses, not IP addresses Need the physical.
Linux Security. Authors:- Advanced Linux Programming by Mark Mitchell, Jeffrey Oldham, and Alex Samuel, of CodeSourcery LLC published by New Riders Publishing.
Protocols for public-key management. Key management –two problems Distribution of public keys (for public- key cryptography) Distribution of secret keys.
X.509 Topics PGP S/MIME Kerberos. Directory Authentication Framework X.509 is part of the ISO X.500 directory standard. used by S/MIME, SSL, IPSec, and.
1 Network Security Lecture 7 Overview of Authentication Systems Waleed Ejaz
IP addresses IPv4 and IPv6. IP addresses (IP=Internet Protocol) Each computer connected to the Internet must have a unique IP address.
The Client-Server Model And the Socket API. Client-Server (1) The datagram service does not require cooperation between the peer applications but such.
Security fundamentals Topic 5 Using a Public Key Infrastructure.
Slide #15-1 Chapter 14: Identity What is identity Multiple names for one thing Different contexts, environments Pseudonymity and anonymity.
Chapter 14: Representing Identity Dr. Wayne Summers Department of Computer Science Columbus State University
© Copyright 2009 SSLPost 01. © Copyright 2009 SSLPost 02 a recipient is sent an encrypted that contains data specific to that recipient the data.
Introduction to Active Directory
DHCP Vrushali sonar. Outline DHCP DHCPv6 Comparison Security issues Summary.
Directory Services CS5493/7493. Directory Services Directory services represent a technological breakthrough by integrating into a single management tool:
Csci5233 Computer Security1 Bishop: Chapter 14 Representing Identity.
CMSC 414 Computer and Network Security Lecture 18 Jonathan Katz.
SSH. 2 SSH – Secure Shell SSH is a cryptographic protocol – Implemented in software originally for remote login applications – One most popular software.
IP Security (IPSec) Matt Hermanson. What is IPSec? It is an extension to the Internet Protocol (IP) suite that creates an encrypted and secure conversation.
1 UNIT 13 The World Wide Web. Introduction 2 The World Wide Web: ▫ Commonly referred to as WWW or the Web. ▫ Is a service on the Internet. It consists.
Tanenbaum & Van Steen, Distributed Systems: Principles and Paradigms, 2e, (c) 2007 Prentice-Hall, Inc. All rights reserved DISTRIBUTED SYSTEMS.
CSC 382/582: Computer SecuritySlide #1 CSC 382/582: Computer Security Authentication.
Chapter 13. Identity.
Chap 13. Representing Identity
IP: Addressing, ARP, Routing
Grid Security.
Computer Security: Art and Science
Chapter 14: Representing Identity
Chapter 27: System Security
Computer Security: Art and Science
Advanced Computer Networks
Presentation transcript:

CSC 382: Computer SecuritySlide #1 CSC 382: Computer Security Identity

CSC 382: Computer SecuritySlide #2 Identity 1.What is Identity? 2.Files and Objects 3.Users 4.Groups and Roles 5.Naming and Certificates 6.Internet Identity and Anonymity

CSC 382: Computer SecuritySlide #3 What is Identity? Computer’s representation of an entity –Entities can be subjects or objects. Authentication binds a principal to an identity. Example: –username expresses your identity. –password binds the person typing to that particular identity (username).

CSC 382: Computer SecuritySlide #4 Purpose of Identity Access Control –Most systems base access rights on identity of principal executing the process. Accountability –Logging and auditing functions. –Need to track identity across account/role changes (e.g., su, sudo ).

CSC 382: Computer SecuritySlide #5 Files and Objects Objects are identified by assigning names Example: UNIX filenames –inode: unique identifier, contains file metadata and location of disk blocks. –file descriptor: abstracts inode on a per-process basis for file reading and writing. –absolute pathnames: describe location in filesystem. –relative pathnames: describe locations of file with respect to current working directory.

CSC 382: Computer SecuritySlide #6 Remote Objects Remote objects require more complex names. Example: URLs –Identifies objects by location and protocol required to access it. – :// ? –example: ftp://abcorp.com/pub/README

CSC 382: Computer SecuritySlide #7 Users Identity tied to a single entity. Example: UNIX UIDs –UNIX identifies user with 15- to 32-bit user ID. –Also provides login names for convenience Each login name corresponds to a single UID. A UID may have multiple login names. –UID=0 is superuser regardless of login name. –Real UID is actual user. –Effective UID (EUID) used for access control. –SetUID programs allow EUID to differ from UID.

CSC 382: Computer SecuritySlide #8 Groups and Roles An “entity” may be a set of entities referred to by a single identifier. Principals often need to share access to files, and thus are taken as groups. –static: alias for a group of principles. –dynamic: principal changes from one group to another as different privileges are needed. role: a group that ties membership to function example: UNIX groups

CSC 382: Computer SecuritySlide #9 Certificates Bind a cryptographic key to a principal. How to identify the principal? –Distinguished Names provide unique names despite people sharing first and last names. –Certification Authorities (CAs) link DNs to a particular person.

CSC 382: Computer SecuritySlide #10 Distinguished Names Hierarchical naming system –Used by X509.3 certificates, LDAP String representation: –Series of key value pairs, separated by /’s Example: /O=University of Toledo/OU=Dept. of EECS/CN=James Walden

CSC 382: Computer SecuritySlide #11 Certification Authorities CA Authentication Policy: Describes level of authentication required to identify a principle to whom a certificate is issued CA Issuance Policy: Describes principals to whom CA will issue certificates

CSC 382: Computer SecuritySlide #12 CA Example: Verisign Authentication Policies 1.Authenticates address 2.Authenticates real name and address 3.Authenticates legal identity via a background check from investigative service Issuance Policies –Issue to individuals –Issue to web servers (organizations)

CSC 382: Computer SecuritySlide #13 CA Hierarchy Hierarchical tree of CAs –Identify CAs by DNs –Root = Internet Policy Registration Authority –Policy Certification Authorities (PCAs) Each has public authentication and issuance policies. Issue certificates to ordinary CA. –Subordinate nodes must follow policies of parents, but can add more restrictions. –Make trust decisions by walking up tree.

CSC 382: Computer SecuritySlide #14 Host Identity Ethernet (MAC) Address –48-bit data link level identifier –example: 00:0B:DB:78:39:8A IP Address –32-bit network level identifier –ex: IPv6 Address –128-bit network level identifier –ex: fe80::2a0:c9ff:fe97:153d/64 Hostname (DNS name) –string application level identifier –ex:

CSC 382: Computer SecuritySlide #15 Anonymity Internet connections are associated with a particular host. What if you don’t want your identity associated with a connection? Solution: anonymizer –A proxy server that performs connection on your behalf. –Internet connection associated with anonymizer, not your IP address.

CSC 382: Computer SecuritySlide #16 Pseudo-anonymous R er 1.Maps anonymous ID to sender. 2.Replaces sender’s addresses and other identifying information. 3.Forwards message to destination host. 4.Replies are also anonymized and forwarded to original sender. Caveat: sender and recipient both known to pseudo-anonymous r er.

CSC 382: Computer SecuritySlide #17 Cypherpunk R er 1.Encipher message with recipient’s public key. 2.No mapping between originator/r er address. 3.Delete header. 4.Decipher one layer of PGP encryption (using r er’s private key). 5.Encipher with PGP public key of next r er. 6.Forward to next r er or destination.

CSC 382: Computer SecuritySlide #18 Traffic Analysis Attacker can still obtain association if r er immediately forwards messages –Delay messages for random time interval. –Randomize processing order of messages. Keep pool of incoming messages. Send random message once n messages in pool. What if attacker sends messages to fill pool? Attacker can obtain associations by watching message size. –Message size decreases with each r ing.

CSC 382: Computer SecuritySlide #19 Mixmaster R er Cypherpunk r er that handles only enciphered messages and pads or fragments all messages to a fixed size before sending. –All messages uniquely numbered to avoid replay attacks. –Messages not re-assembled until last r er.

CSC 382: Computer SecuritySlide #20 Key Points 1.All access control is based on identity. 2.Identity may have multiple representations. 3.Identities are bound to principals. 4.Anonymity allows interaction without knowledge of true identity. psuedo-anonymity: intermediary knows identity. true anonymity: no one knows true identity.

CSC 382: Computer SecuritySlide #21 References 1.Phil Agre. “Your Face is not a Bar Code,” Ross Anderson, Security Engineering, Wiley, Matt Bishop, Introduction to Computer Security, Addison- Wesley, Bruce Schneier, “Biometrics: Truths and Fictions,” Cryptogram, html#biometrics, html#biometrics 5.John Viega and Gary McGraw, Building Secure Software, Addison-Wesley, David Wheeler, Secure Programming for UNIX and Linux HOWTO, programs/Secure-Programs-HOWTO/index.html, programs/Secure-Programs-HOWTO/index.html

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.