Presentation is loading. Please wait.

Presentation is loading. Please wait.

CSC 382: Computer SecuritySlide #1 CSC 382: Computer Security Identity.

Published byAlban White Modified over 9 years ago

Similar presentations

Presentation on theme: "CSC 382: Computer SecuritySlide #1 CSC 382: Computer Security Identity."— Presentation transcript:

1 CSC 382: Computer SecuritySlide #1 CSC 382: Computer Security Identity

2 CSC 382: Computer SecuritySlide #2 Identity 1.What is Identity? 2.Files and Objects 3.Users 4.Groups and Roles 5.Naming and Certificates 6.Internet Identity and Anonymity

3 CSC 382: Computer SecuritySlide #3 What is Identity? Computer’s representation of an entity –Entities can be subjects or objects. Authentication binds a principal to an identity. Example: –username expresses your identity. –password binds the person typing to that particular identity (username).

4 CSC 382: Computer SecuritySlide #4 Purpose of Identity Access Control –Most systems base access rights on identity of principal executing the process. Accountability –Logging and auditing functions. –Need to track identity across account/role changes (e.g., su, sudo ).

5 CSC 382: Computer SecuritySlide #5 Files and Objects Objects are identified by assigning names Example: UNIX filenames –inode: unique identifier, contains file metadata and location of disk blocks. –file descriptor: abstracts inode on a per-process basis for file reading and writing. –absolute pathnames: describe location in filesystem. –relative pathnames: describe locations of file with respect to current working directory.

6 CSC 382: Computer SecuritySlide #6 Remote Objects Remote objects require more complex names. Example: URLs –Identifies objects by location and protocol required to access it. – :// ? –example: ftp://abcorp.com/pub/README

7 CSC 382: Computer SecuritySlide #7 Users Identity tied to a single entity. Example: UNIX UIDs –UNIX identifies user with 15- to 32-bit user ID. –Also provides login names for convenience Each login name corresponds to a single UID. A UID may have multiple login names. –UID=0 is superuser regardless of login name. –Real UID is actual user. –Effective UID (EUID) used for access control. –SetUID programs allow EUID to differ from UID.

8 CSC 382: Computer SecuritySlide #8 Groups and Roles An “entity” may be a set of entities referred to by a single identifier. Principals often need to share access to files, and thus are taken as groups. –static: alias for a group of principles. –dynamic: principal changes from one group to another as different privileges are needed. role: a group that ties membership to function example: UNIX groups

9 CSC 382: Computer SecuritySlide #9 Certificates Bind a cryptographic key to a principal. How to identify the principal? –Distinguished Names provide unique names despite people sharing first and last names. –Certification Authorities (CAs) link DNs to a particular person.

10 CSC 382: Computer SecuritySlide #10 Distinguished Names Hierarchical naming system –Used by X509.3 certificates, LDAP String representation: –Series of key value pairs, separated by /’s Example: /O=University of Toledo/OU=Dept. of EECS/CN=James Walden

11 CSC 382: Computer SecuritySlide #11 Certification Authorities CA Authentication Policy: Describes level of authentication required to identify a principle to whom a certificate is issued CA Issuance Policy: Describes principals to whom CA will issue certificates

12 CSC 382: Computer SecuritySlide #12 CA Example: Verisign Authentication Policies 1.Authenticates email address 2.Authenticates real name and address 3.Authenticates legal identity via a background check from investigative service Issuance Policies –Issue to individuals –Issue to web servers (organizations)

13 CSC 382: Computer SecuritySlide #13 CA Hierarchy Hierarchical tree of CAs –Identify CAs by DNs –Root = Internet Policy Registration Authority –Policy Certification Authorities (PCAs) Each has public authentication and issuance policies. Issue certificates to ordinary CA. –Subordinate nodes must follow policies of parents, but can add more restrictions. –Make trust decisions by walking up tree.

14 CSC 382: Computer SecuritySlide #14 Host Identity Ethernet (MAC) Address –48-bit data link level identifier –example: 00:0B:DB:78:39:8A IP Address –32-bit network level identifier –ex: 10.17.0.101 IPv6 Address –128-bit network level identifier –ex: fe80::2a0:c9ff:fe97:153d/64 Hostname (DNS name) –string application level identifier –ex: www.nku.edu

15 CSC 382: Computer SecuritySlide #15 Anonymity Internet connections are associated with a particular host. What if you don’t want your identity associated with a connection? Solution: anonymizer –A proxy server that performs connection on your behalf. –Internet connection associated with anonymizer, not your IP address.

16 CSC 382: Computer SecuritySlide #16 Pseudo-anonymous Remailer 1.Maps anonymous ID to sender. 2.Replaces sender’s email addresses and other identifying information. 3.Forwards message to destination host. 4.Replies are also anonymized and forwarded to original sender. Caveat: sender and recipient both known to pseudo-anonymous remailer.

17 CSC 382: Computer SecuritySlide #17 Cypherpunk Remailer 1.Encipher message with recipient’s public key. 2.No mapping between originator/remailer address. 3.Delete header. 4.Decipher one layer of PGP encryption (using remailer’s private key). 5.Encipher with PGP public key of next remailer. 6.Forward to next remailer or destination.

18 CSC 382: Computer SecuritySlide #18 Traffic Analysis Attacker can still obtain association if remailer immediately forwards messages –Delay messages for random time interval. –Randomize processing order of messages. Keep pool of incoming messages. Send random message once n messages in pool. What if attacker sends messages to fill pool? Attacker can obtain associations by watching message size. –Message size decreases with each remailing.

19 CSC 382: Computer SecuritySlide #19 Mixmaster Remailer Cypherpunk remailer that handles only enciphered messages and pads or fragments all messages to a fixed size before sending. –All messages uniquely numbered to avoid replay attacks. –Messages not re-assembled until last remailer.

20 CSC 382: Computer SecuritySlide #20 Key Points 1.All access control is based on identity. 2.Identity may have multiple representations. 3.Identities are bound to principals. 4.Anonymity allows interaction without knowledge of true identity. psuedo-anonymity: intermediary knows identity. true anonymity: no one knows true identity.

21 CSC 382: Computer SecuritySlide #21 References 1.Phil Agre. “Your Face is not a Bar Code,” http://polaris.gseis.ucla.edu/pagre/bar-code.html, 2003. http://polaris.gseis.ucla.edu/pagre/bar-code.html 2.Ross Anderson, Security Engineering, Wiley, 2001. 3.Matt Bishop, Introduction to Computer Security, Addison- Wesley, 2005. 4.Bruce Schneier, “Biometrics: Truths and Fictions,” Cryptogram, http://www.schneier.com/crypto-gram- 9808.html#biometrics, 1998.http://www.schneier.com/crypto-gram- 9808.html#biometrics 5.John Viega and Gary McGraw, Building Secure Software, Addison-Wesley, 2002. 6.David Wheeler, Secure Programming for UNIX and Linux HOWTO, http://www.dwheeler.com/secure- programs/Secure-Programs-HOWTO/index.html, 2003.http://www.dwheeler.com/secure- programs/Secure-Programs-HOWTO/index.html

Download ppt "CSC 382: Computer SecuritySlide #1 CSC 382: Computer Security Identity."

Similar presentations

Csci5233 Computer Security1 Bishop: Chapter 10 (Cont.) Key Management: Certificates.

Csci5233 Computer Security1 Bishop: Chapter 10 (Cont.) Key Management: Certificates.
Grid Security Infrastructure Tutorial Von Welch Distributed Systems Laboratory U. Of Chicago and Argonne National Laboratory.

Grid Security Infrastructure Tutorial Von Welch Distributed Systems Laboratory U. Of Chicago and Argonne National Laboratory.
Certification Authority. Overview  Identifying CA Hierarchy Design Requirements  Common CA Hierarchy Designs  Documenting Legal Requirements  Analyzing.

Certification Authority. Overview  Identifying CA Hierarchy Design Requirements  Common CA Hierarchy Designs  Documenting Legal Requirements  Analyzing.
Grid Security. Typical Grid Scenario Users Resources.

Grid Security. Typical Grid Scenario Users Resources.
Chapter 5 Network Security Protocols in Practice Part I

Chapter 5 Network Security Protocols in Practice Part I
Lecture 5: Email security: PGP Anish Arora CIS694K Introduction to Network Security.

Lecture 5: security: PGP Anish Arora CIS694K Introduction to Network Security.
Authentication James Walden Northern Kentucky University.

Authentication James Walden Northern Kentucky University.
Security Issues in Grid Computing Reading: Grid Book, Chapter 16: “Security, Accounting and Assurance” By Clifford Neuman.

Security Issues in Grid Computing Reading: Grid Book, Chapter 16: “Security, Accounting and Assurance” By Clifford Neuman.
CSCI283 Fall 2005 GWU All slides from Bishop’s slide set Public Key Infrastructure (PKI)

CSCI283 Fall 2005 GWU All slides from Bishop’s slide set Public Key Infrastructure (PKI)
K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.

K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.
Linux+ Guide to Linux Certification, Second Edition Chapter 14 Network Configuration.

Linux+ Guide to Linux Certification, Second Edition Chapter 14 Network Configuration.
CMSC 414 Computer (and Network) Security Lecture 15 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 15 Jonathan Katz.
1 K. Salah Module 5.1: Internet Protocol TCP/IP Suite IP Addressing ARP RARP DHCP.

1 K. Salah Module 5.1: Internet Protocol TCP/IP Suite IP Addressing ARP RARP DHCP.
CMSC 414 Computer (and Network) Security Lecture 16 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 16 Jonathan Katz.
Chapter 29 Structure of Computer Names Domain Names Within an Organization The DNS Client-Server Model The DNS Server Hierarchy Resolving a Name Optimization.

Chapter 29 Structure of Computer Names Domain Names Within an Organization The DNS Client-Server Model The DNS Server Hierarchy Resolving a Name Optimization.
November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #13-1 Chapter 14: Identity What is identity Multiple names for one thing Different.

November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #13-1 Chapter 14: Identity What is identity Multiple names for one thing Different.
Oct 21, 2004CS573: Network Protocols and Standards1 IP: Addressing, ARP, Routing Network Protocols and Standards Autumn 2004-2005.

Oct 21, 2004CS573: Network Protocols and Standards1 IP: Addressing, ARP, Routing Network Protocols and Standards Autumn
Security Management IACT 918 July 2004 Gene Awyzio SITACS University of Wollongong.

Security Management IACT 918 July 2004 Gene Awyzio SITACS University of Wollongong.
CMSC 414 Computer and Network Security Lecture 20 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 20 Jonathan Katz.
Copyright © 1995-2003 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE CSci530: Computer Security Systems Authentication.

Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE CSci530: Computer Security Systems Authentication.

Similar presentations

Ads by Google