Presentation is loading. Please wait.

Presentation is loading. Please wait.

Csci5233 Computer Security1 Bishop: Chapter 14 Representing Identity.

Similar presentations


Presentation on theme: "Csci5233 Computer Security1 Bishop: Chapter 14 Representing Identity."— Presentation transcript:

1 csci5233 Computer Security1 Bishop: Chapter 14 Representing Identity

2 csci5233 Computer Security2 Outline Introduction Naming & Certificates Identity on the web Anonymity

3 csci5233 Computer Security3 What is identity? An identity specifies a principal. –A principal is a unique entity. –What can be an entity? Subjects: users, groups, roles e.g., a user identification number (UID) identifies a user in a UNIX system Objects: files, web pages, etc. + subjects e.g., an URL identifies an object by specifying its location and the protocol used (such as http://sce.cl.uh.edu/).

4 csci5233 Computer Security4 Authentication vs identity Authentication binds a principal to a representation of identity internal to the computer. Two main purposes of using identities: –Accountability (logging, auditing) –Access control

5 csci5233 Computer Security5 Identity Naming and Certificates In X.509 certificates, distinguished names (that is, X.500 Distinguished Name) are used to identify entities. X.500 Distinguished Name e.g., /O=UHCL/OU=SCE/CN=Andrew Yang/L=Houston/SP=Texas/C=US e.g., /O=UHCL/OU=SCE/CN=UnixLabAdministrator/L=Ho uston/SP=Texas/C=US A certification authority (CA) vouches, at some level, for the identity of the principals to which the certificate is issued.

6 csci5233 Computer Security6 Structure of CAs [RFC 1422, S. Kent, 1993] Privacy Enhancement for internet Electronic Mail: Part II, Certificate- Based Key Management The certificate-based key management infrastructure organizes CAs into a hierarchical, tree-based structure. Each node in the tree corresponds to a CA. A Higher-level CA set policies that all subordinate CAs must follow; it certifies the subordinate CAs.

7 csci5233 Computer Security7 Certificates & Trust A certificate is the binding of an external identity to a cryptographic key and a Distinguished Name. If the certificate issuer can be fooled, all who rely on that certificate may also be fooled. The authentication policy defines the way in which principals prove their identities, relying on nonelectronic proofs of identity such as biometrics, documents, or personal knowledge.

8 csci5233 Computer Security8 Certificates & Trust The goal of certificates is to bind a correct pair of identity and public key. PGP certificates include a series of signature fields, each of which contains a level of trust. The OpenPGP specification defines 4 levels of trusts: 1.Generic: no assertions 2.Persona (i.e., anonymous): no verification of the binding between the user name and the principal 3.Casual: some verification 4.Positive: substantial verification

9 csci5233 Computer Security9 Certificates & Trust Issues with the OpenPGP’s levels of trusts: The trust is not quantifiable. The same terms (such as ‘substantial verification’) can imply different levels of assurance to different signers. The interpretations are left to the verifiers. The point: “Knowing the policy or the trust level with which the certificate is signed is not enough to evaluate how likely it is that the identity identifies the correct principal.” Other knowledge is needed: e.g., how the CA or signer interprets the policy and enforces its requirements

10 csci5233 Computer Security10 Identity on the Internet

11 csci5233 Computer Security11 Summary Naming of identities & Certificates Identity on the web Anonymity

12 csci5233 Computer Security12 Next Chapter 27: system security


Download ppt "Csci5233 Computer Security1 Bishop: Chapter 14 Representing Identity."

Similar presentations


Ads by Google