Presentation is loading. Please wait.

Presentation is loading. Please wait.

Dr. Sarbari Gupta Electrosoft Services Tel: (703)757-9096 Security Characteristics of Cryptographic.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Dr. Sarbari Gupta Electrosoft Services Tel: (703)757-9096 Security Characteristics of Cryptographic."— Presentation transcript:

1 Dr. Sarbari Gupta Electrosoft Services Tel: (703)757-9096 sarbari@electrosoft-inc.com http://www.electrosoft-inc.com Security Characteristics of Cryptographic Mobility Solutions

2 © Electrosoft, 2002 1 st Annual PKI Workshop2 Agenda What is a Cryptographic Mobility (CM) Solution? Functional Architecture Phases of Operation Characteristics that impact security Potential Security Issues Usage and Applicability Product Sampler Concluding Remarks

3 © Electrosoft, 2002 1 st Annual PKI Workshop3 What is a CM Solution? Roaming users need access to their cryptographic credentials from a variety of systems/workstations Available mechanisms for Roaming Access: –Portable Tokens Software Tokens Hardware Tokens –Credential Server Solutions ( Cryptographic Mobility Solutions ) Characteristics of CM Solutions: –No hardware or software tokens required –Vendor-specific Client Software may be required –User Credentials (partial or whole) stored on Online Server –User authentication to Online Server to obtain access to credentials –Ability to use crypto credentials from any connected workstation

4 © Electrosoft, 2002 1 st Annual PKI Workshop4 Functional Architecture Client Station Authentication Server(s) Credential Server(s) Client Software Secure interactions with PKI peers user authentication credential download or usage Initialization Server Certification Authority credential initialization

5 © Electrosoft, 2002 1 st Annual PKI Workshop5 Phases of Operation Credential Initialization –Generation and/or Packaging of credentials for roaming usage Authentication –Roaming user authentication to Remote Servers Credential Download –Part of whole credential downloaded to user local system Credential Usage –Application of credential to secure online transactions Credential Release –Removal of local copy of credential to prevent reuse

6 © Electrosoft, 2002 1 st Annual PKI Workshop6 Characteristics that Impact Security Client Station is shared by multiple users –Low assurance of hardware and OS software –More vulnerable to hacking if remnants of cryptographic session remain Client software downloaded to Client Station –Vulnerable to spoofing –Difficult to establish trust Authentication Server available online –Exposed to online attacks on Authentication Database –Vulnerable to Denial-of-Service attacks Credential Server available online –Vulnerable to online attacks - high value system holding a large number of credentials –Vulnerable to Denial-of-Service attacks Protocol interactions over untrusted networks –Online protocols may be exposed to attacks

7 © Electrosoft, 2002 1 st Annual PKI Workshop7 Potential Security Concerns (I) Key Initialization Issues –Key pair generation location –Mechanism of credential transport to Server Key Storage Issues –Accessibility of private keys to Server –Cryptographic protection of credentials stored on Server –Impact of compromise of Credential Server Authentication Issues –Authentication spoofing –Eavesdropping –Denial-of-service Credential Download Issues –Capture of credential during download

8 © Electrosoft, 2002 1 st Annual PKI Workshop8 Potential Security Concerns (II) Credential Usage Issues –Credential usage location – client station or server? Credential Release Issues –Disabling credential reuse Client Station Trust Issues –Establishing trust in Client Software –Client misuse of User authentication data –Client misuse of User Credential information

9 © Electrosoft, 2002 1 st Annual PKI Workshop9 Usage and Applicability Requirements that drive CM Usage –Highly mobile users –Use of multiple workstations not under organizational control –Software tokens not practical or secure enough –Simple user interface needed – account names and passwords –Strong (PKI) authentication needed by application Contraindications for CM Usage –Strong non-repudiation is a must –Recovery of encryption keys is essential –Zero tolerance for denial-of-service

10 © Electrosoft, 2002 1 st Annual PKI Workshop10 Product Sampler Entrust Roaming PKI VeriSign Roaming Arcot ID Mobility SingleSignOn.Net Appliance Microsoft Roaming Profiles RSA Security Keon Web Passport Baltimore UniCert Option for Roaming Hush Communications HushMail (See paper for brief descriptions)

11 © Electrosoft, 2002 1 st Annual PKI Workshop11 Concluding Remarks No major weaknesses found in the cryptography or the protocols used Common Security Concerns Remain: –Basis of trust on Client Station shaky at best –Susceptibility to Denial-of-Service attacks –Authentication Servers susceptible to attack/compromise –Credential Servers represent high value targets –Non-repudiation is weaker if Servers have direct/indirect access to private keys However, CM Solutions represent: –Much needed functionality –A category of PKI implementations that are easy to use and deploy –Improved security compared to software token solutions –Sufficient security for most online secure transactions

12 © Electrosoft, 2002 1 st Annual PKI Workshop12 Thank You! Questions??

Download ppt "Dr. Sarbari Gupta Electrosoft Services Tel: (703)757-9096 Security Characteristics of Cryptographic."

Similar presentations

April 19-22, 2005SecureIT-2005 How to Start a PKI A Practical Guide Dr. Javier Torner Information Security Officer Professor of Physics.

April 19-22, 2005SecureIT-2005 How to Start a PKI A Practical Guide Dr. Javier Torner Information Security Officer Professor of Physics.
Using PHINMS and Web-Services for Interoperability The findings and conclusions in this presentation are those of the author and do not necessarily represent.

Using PHINMS and Web-Services for Interoperability The findings and conclusions in this presentation are those of the author and do not necessarily represent.
Beyond Compliance: Advanced SmartGrid Authentication Paul Miller Uniloc.

Beyond Compliance: Advanced SmartGrid Authentication Paul Miller Uniloc.
Call Server LIS VPC ESGW SR Manhattan PSAP LO=Wall St Route=Manhattan PSAP The Location Object (LO) is provided in the call setup information to the Call.

Call Server LIS VPC ESGW SR Manhattan PSAP LO=Wall St Route=Manhattan PSAP The Location Object (LO) is provided in the call setup information to the Call.
PKE PP Mike Henry Jean Petty Entrust CygnaCom Santosh Chokhani.

PKE PP Mike Henry Jean Petty Entrust CygnaCom Santosh Chokhani.
SPEKE S imple Password-authenticated Exponential Key Exchange Robert Mol Phoenix Technologies.

SPEKE S imple Password-authenticated Exponential Key Exchange Robert Mol Phoenix Technologies.
1 Lecture 17: SSL/TLS history, architecture basic handshake session initiation/resumption key computation negotiating cipher suites application: SET.

1 Lecture 17: SSL/TLS history, architecture basic handshake session initiation/resumption key computation negotiating cipher suites application: SET.
CS470, A.SelcukSSL/TLS & SET1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

CS470, A.SelcukSSL/TLS & SET1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
Efficient Public Key Infrastructure Implementation in Wireless Sensor Networks Wireless Communication and Sensor Computing, 2010. ICWCSC 2010. International.

Efficient Public Key Infrastructure Implementation in Wireless Sensor Networks Wireless Communication and Sensor Computing, ICWCSC International.
1 Supplement III: Security Controls What security services should network systems provide? Confidentiality Access Control Integrity Non-repudiation Authentication.

1 Supplement III: Security Controls What security services should network systems provide? Confidentiality Access Control Integrity Non-repudiation Authentication.
CS426Fall 2010/Lecture 81 Computer Security CS 426 Lecture 8 User Authentication.

CS426Fall 2010/Lecture 81 Computer Security CS 426 Lecture 8 User Authentication.
1 Jeremy Wyant W3C DRM Workshop 23 January 2001 Establishing Security Requirements For DRM Enabled Systems.

1 Jeremy Wyant W3C DRM Workshop 23 January 2001 Establishing Security Requirements For DRM Enabled Systems.
Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.

Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.
PKI Activities at Virginia January 2004 CSG Meeting Jim Jokl.

PKI Activities at Virginia January 2004 CSG Meeting Jim Jokl.
Exchange Network Key Management Services A Security Component February 28, 2005 The Exchange Network Node Mentoring Workshop.

Exchange Network Key Management Services A Security Component February 28, 2005 The Exchange Network Node Mentoring Workshop.
Mobile Credentials Ennio J. Carboni Product Manager, Keon PKI

Mobile Credentials Ennio J. Carboni Product Manager, Keon PKI
1 Cryptography and Network Security Third Edition by William Stallings Lecturer: Dr. Saleem Al_Zoubi.

1 Cryptography and Network Security Third Edition by William Stallings Lecturer: Dr. Saleem Al_Zoubi.
6/4/2015National Digital Certification Agency1 Security Engineering and PKI Applications in Modern Enterprises Mohamed HAMDI National.

6/4/2015National Digital Certification Agency1 Security Engineering and PKI Applications in Modern Enterprises Mohamed HAMDI National.
A Security Pattern for a Virtual Private Network Ajoy Kumar and Eduardo B. Fernandez Dept. of Computer Science and Eng. Florida Atlantic University Boca.

A Security Pattern for a Virtual Private Network Ajoy Kumar and Eduardo B. Fernandez Dept. of Computer Science and Eng. Florida Atlantic University Boca.
Web Services Security Multimedia Information Engineering Lab. Yoon-Sik Yoo.

Web Services Security Multimedia Information Engineering Lab. Yoon-Sik Yoo.

Similar presentations

Ads by Google