Presentation is loading. Please wait.

Presentation is loading. Please wait.

Authentication Approaches Phillip Hallam-Baker VeriSign Inc.

Published byTina Iverson Modified over 9 years ago

Similar presentations

Presentation on theme: "Authentication Approaches Phillip Hallam-Baker VeriSign Inc."— Presentation transcript:

1 Authentication Approaches Phillip Hallam-Baker VeriSign Inc.

2 Why? Authentication + Authorization = Access Control Authentication –IP Address –Cryptographic Authorization –Email Address Whitelists [alice@example.com] –Domain Whitelists[example.com] –Payment[$0.01 stamp]

3 How Strong is Enough? LIST Kiddies –Like a script kiddie but they pay for the mailing list –Actually a spam victim, they get worthless service in return SPAM Houses –Will adapt to heuristic authentication approaches But it will cost them

4 PKI Infrastructure exists to –Ensure that a party owns the purported domain name –Ensure that legal process can be served on the certificate holder –With a high (but not absolute) degree of confidence SECURITY IS RISK CONTROL NOT RISK ELIMINATION

5 Deployment Argument Authentication Compliments Filtering –Network effect, aka Chicken and Egg problem Avoid false positives –Without creating backdoors ‘Allow all mail from hotmail.com, they use rate limiting’ Allows more aggressive criteria Cryptographic Authentication is robust –Asymmetric work factor –No viable counter-strategies

6 Problem – Email Insecure by Default Downgrade attack –I can tell a signed message comes from the sender –I cannot assume an unsigned message is false Key is to know the security policy of the domain

7 DNS Based Security Policy Reverse IP look up –Some Current Use –Only demonstrates that the IP address has been assigned IPv4 address exhaustion will make this uninteresting –Configuration problem – servers handling 1000’s of domains –Many ISPs do not delegate reverse DNS as they should Get a new ISP is an idiotic deployment strategy

8 Forward DNS Address based authentication –RCPT From [Vixie] –Reverse MX –Pro: Lightweight, almost costless –Pro: Obsoletes most existing spamware –Con: Could be vulnerable to new spamware –Con: Some operational issues –Con: Only works if mail from domain is relayed

9 Generalized Security Policy Security Policy Advertisement Mechanism –Advertise any form of security policy ALWAYS comes from address X, Y or Z OPTIONAL uses STARTTLS, cert root has SHA1 P OPTIONAL uses S/MIME, cert root has SHA1 Q OPTIONAL uses PGP, validate against XKMS R NEVER uses NULL Authentication –Can be generalized to other protocols IPSEC, SSH, NNTP, POP, IMAP…

10 This is Just a Bug We Are going to FIX IT

Download ppt "Authentication Approaches Phillip Hallam-Baker VeriSign Inc."

Similar presentations

Security Issues In Mobile IP

Security Issues In Mobile IP
Topic 8: Secure communication in mobile devices. Choice of secure communication protocols, leveraging SSL for remote authentication and using HTTPS for.

Topic 8: Secure communication in mobile devices. Choice of secure communication protocols, leveraging SSL for remote authentication and using HTTPS for.
CHAPTER 8: SECURITY IN COMPUTER NETWORKS Encryption Encryption Authentication Authentication E-Mail Security E-Mail Security Secure Sockets Layer Secure.

CHAPTER 8: SECURITY IN COMPUTER NETWORKS Encryption Encryption Authentication Authentication Security Security Secure Sockets Layer Secure.
Module 6 Implementing Messaging Security. Module Overview Deploying Edge Transport Servers Deploying an Antivirus Solution Configuring an Anti-Spam Solution.

Module 6 Implementing Messaging Security. Module Overview Deploying Edge Transport Servers Deploying an Antivirus Solution Configuring an Anti-Spam Solution.
DNSSEC & Email Validation Tiger Team DHS Federal Network Security (FNS) & Information Security and Identity Management Committee (ISIMC) Earl Crane Department.

DNSSEC & Validation Tiger Team DHS Federal Network Security (FNS) & Information Security and Identity Management Committee (ISIMC) Earl Crane Department.
70-284 MCSE Guide to Microsoft Exchange Server 2003 Administration Chapter 10 Securing Exchange Server 2003.

MCSE Guide to Microsoft Exchange Server 2003 Administration Chapter 10 Securing Exchange Server 2003.
1 Configuring Virtual Private Networks for Remote Clients and Networks.

1 Configuring Virtual Private Networks for Remote Clients and Networks.
Lesson 12 Cryptography for E-Commerce. Approaches to Network Security Separate Security Protocol--SSL Application-Specific Security--SHTTP Security with.

Lesson 12 Cryptography for E-Commerce. Approaches to Network Security Separate Security Protocol--SSL Application-Specific Security--SHTTP Security with.
Securing the Border Gateway Protocol (S-BGP) Dr. Stephen Kent Chief Scientist - Information Security.

Securing the Border Gateway Protocol (S-BGP) Dr. Stephen Kent Chief Scientist - Information Security.
APNIC Trial of Certification of IP Addresses and ASes RIPE 52 Plenary George Michaelson Geoff Huston.

APNIC Trial of Certification of IP Addresses and ASes RIPE 52 Plenary George Michaelson Geoff Huston.
Signing Email Phill Hallam-Baker. 2 What are the end goals?  Phishing –Organized crime sends email impersonating well known brands –Require means of.

Signing Phill Hallam-Baker. 2 What are the end goals?  Phishing –Organized crime sends impersonating well known brands –Require means of.
Chapter 7 HARDENING SERVERS.

Chapter 7 HARDENING SERVERS.
An Operational Perspective on BGP Security Geoff Huston GROW WG IETF 63 August 2005.

An Operational Perspective on BGP Security Geoff Huston GROW WG IETF 63 August 2005.
Information Networking Security and Assurance Lab National Chung Cheng University Guidelines on Electronic Mail Security

Information Networking Security and Assurance Lab National Chung Cheng University Guidelines on Electronic Mail Security
Internet Messaging in 60 Minutes Terry Gray -University of Washington Policy Issues Mission Critical Messaging Goals Relevant Standards Standards Update.

Internet Messaging in 60 Minutes Terry Gray -University of Washington Policy Issues Mission Critical Messaging Goals Relevant Standards Standards Update.
Interdomain Routing Security Jennifer Rexford Advanced Computer Networks Tuesdays/Thursdays.

Interdomain Routing Security Jennifer Rexford Advanced Computer Networks Tuesdays/Thursdays.
Spam May 15 2006 CS239. Taxonomy E-mail (UBE)  Advertisement  Phishing Webpage  Content  Links From: Thrifty Health-Insurance Mailed-By: noticeoption.comReply-To:

Spam May CS239. Taxonomy (UBE)  Advertisement  Phishing Webpage  Content  Links From: Thrifty Health-Insurance Mailed-By: noticeoption.comReply-To:
1 A Course-End Conclusions and Future Studies Dr. Rocky K. C. Chang 28 November 2005.

1 A Course-End Conclusions and Future Studies Dr. Rocky K. C. Chang 28 November 2005.
PKI To The Masses IPCCC 2004 Dan Massey USC/ISI. 1 March PKI Is Necessary l My PKI related actions since arriving at IPCCC n Used an.

PKI To The Masses IPCCC 2004 Dan Massey USC/ISI. 1 March PKI Is Necessary l My PKI related actions since arriving at IPCCC n Used an.
Guide to Operating System Security Chapter 10 E-mail Security.

Guide to Operating System Security Chapter 10 Security.

Similar presentations

Ads by Google