Authentication is not Authorization?! And what is a "digital signature" anyway?

Save this PDF as:
 WORD  PNG  TXT  JPG

Size: px
Start display at page:

Download "Authentication is not Authorization?! And what is a "digital signature" anyway?"

Transcription

1 Authentication is not Authorization?! And what is a "digital signature" anyway? Prepared by R. David Vernon Revised 12/01 Introduction REV 1A As part of the IT Architecture Initiative, the Office of Information Technologies (OIT) is producing a series of papers outlining directions in information technology architecture. In the spirit of RFCs, the papers are written to help understand and to open dialogue about information technology trends at Cornell, with the ultimate goal of improving the use and interoperability of information technology services throughout Cornell. Synopsis This paper briefly outlines issues Cornell faces to ensure a trusted exchange of information across the Cornell data network and the Internet at large. It includes Definitions of authentication and authorization Review authentication and authorization from a historic Cornell context General authentication and authorization architectures and technologies Practical implications Action items Closing thoughts What Is "Network" Authentication and Authorization? At Cornell and throughout the world, information is exchanged and access to computers is enabled by the Internet. Moreover, the access to resources via the Internet is sometimes only intended for specific network entities. The requirement to authorize access between authenticated entities drives the need for a network "access-management" architecture at Cornell. 1

2 Authentication and authorization are each critical in its own light and are unique parts of the larger accessmanagement architecture. Authentication is the process of ensuring knowledge of who or what (in other words, what person or what computer) is accessing "your" resource, your information, or both. Authentication is also the process of ensuring "irrefutable knowledge" of whose service you are accessing. Authorization is the process used to determine what services can be accessed by an irrefutable known (in other words, authenticated) network user or computer. Thus, authentication enables users and computers on the Internet to know with whom they are communicating. Authorization determines the allocation of services to an authenticated user. Reviewing Authentication and Authorization from a Historic Cornell Context New access-management-service requirements at Cornell warrant review. Traditionally, authentication services helped a computer identify a person attempting to gain access, or to "log on." Now, however, new authentication needs have evolved that go beyond the traditional scope of Cornell's authentication system. These new requirements include Digital signatures: As the name implies, this process marks an electronic document to signify its association with the author. Think broadly of the terms "document" and "author." An author could be a human or a machine, and a document could be anything from an message to radio telescope telemetry. Identity Management: As more people use greater numbers of network-attached devices to support a growing number of services, forging the "best" architecture to manage these network Principals is a critical and complex challenge. Trust: Trust dictates the value of a digital signature. Trusting the validation process is key to any new authentication service. Although Cornell constituents might trust Cornell s authentication service, extending this trust outside of Cornell is a challenge. Privacy: This is not directly related to authentication, but with authentication technology, encrypted information can be sent efficiently across the Internet. An authentication system that allows digital signatures can also be the core service that exchanges encrypted information, thus ensuring the privacy of the communication. These new service needs, DIGITAL SIGNATURES, IDENTITY MANAGEMENT, TRUST, and PRIVACY are the driving force behind Cornell's retooling of its traditional access-management-service suite. General Authentication and Authorization Architectures and Technologies To provide context for new authentication and authorization challenges, here is a brief review of current and potential authentication services. Current Cornell deployed Kerberos authentication service Future Public Key Infrastructure (PKI) services 2

3 KERBEROS: The foundation for a Cornell wide authentication system was implemented in the early 1990s. The initial intent was to create a single sign-on process for a mix of central administrative hosts. This authentication system was based on Kerberos. Although new service needs are now apparent, Kerberos at Cornell remains the default authentication and sometime authorization service. A detailed history and current CIT plans for service enhancements are available in CIT's Authentication at Cornell Past, Present, and Future. 1 Kerberos acts as a "key distribution center" (KDC) to provide network Principals (users and computers) encryption "keys" to exchange through packages known as session tickets. KDC allocated tickets and the means in which they are interpreted allow Principals to authenticate confidently and securely with whom they are exchanging information. So what does this mean in layman's terms? Simply put, Kerberos economically facilitates secure (encrypted) logons to campus computers. Conceptually it accomplishes this as follows: Think of a Kerberos service as a universally trusted friend in the Cornell network family. First, users and computers register themselves with the trusted friend. In other words, there is a manual process of showing the trusted friend you are who you say you are. After this initial process, users then identify themselves to the trusted friend with a username and password agreed upon during the registration process. Logically this process works well to gain knowledge about who is communicating with the friend, but the goal is to extend this information to other network services. To accomplish this the friend provides encrypted identification codes that users can exchange as a proxy for their identification. In turn, when these proxies are presented to network services (or other users), the process that reads these identification codes ensures the code was given out only by the trusted friend, and, in turn, the identity of the requesting user. Although the technical nuances of how this information is exchanged between client and server is beyond the scope of this paper, the important concept is users and computers on a network "trust" the Kerberos service as a secure and robust means of authentication. For more detailed information about how Kerberos works, see web.mit.edu/kerberos/www/. PKI AND DIGITAL SIGNATURES: Theoretically, if all network users at Cornell were authenticated through Kerberos, a high degree of confidence that all user interactions could be attributed to known entities would exist. To some degree, this strong trust of Kerberos authentication at Cornell has become a proxy for the "signature" of the requesting user. But using Kerberos at Cornell, however ubiquitous, will not satisfy the need to know about users beyond our Kerberos realm. Moreover, Kerberos does not readily attach a digital signature to a document. To provide authentication through "digital signatures" across the Internet, support is growing for an authentication service known as Public Key Infrastructure (PKI). Like Kerberos, PKI uses a trusted service to get irrefutable knowledge about a network user. But unlike Kerberos, PKI uses the open and operationally efficient exchange of a "public" key. In a PKI authentication system, a user registers with a PKI service, often referred to as a certificate authority (CA). This registration process is required to associate the user with a pair of encryption keys that encrypt and decrypt information. One unique key is private; one unique key is public. The private key is kept secret by the registered user, but the public key is shared with the world. In turn, the Certificate Authority is trusted to associate the public key with a known Principal. This pair of "asymmetric" keys can then be used by the public to associate a digitally signed document with a user known to a trusted CA. PKI registered users digitally sign a document by using their PKI private key to encrypt a small mathematic summary of the document. This encrypted summary is sent along with the document. The public then takes the document and uses the PKI public key posted by the CA to decrypt the summary. At 1 3

4 this point, communicating Principals mathematically summarize the document. If the two summaries are the same, Principals know who sent the document (authenticated) the document was not changed after it was sent In addition to PKI's ability to authenticate the author of a document, PKI can also facilitate encrypting and transferring large amounts of data. To do this, clients use PKI encryption to encrypt a new non PKI key that was used to efficiently encrypt a "large" document. A different encryption process is used because Public Key Encryption is mathematically intensive and therefore not considered suitable for encrypting more than a small amount of data. In this scenario, the public would use the intended recipient's public key to encrypt the new key used earlier to encrypt a "large" document. The new key-encrypted document and the PKI encrypted new key would be sent to the intended recipient. Only the destination user's PKI private key can decrypt the key used to encrypt the document, so the transfer is considered secure. For more information about using PKI systems to deliver "symmetric" keys, see additional information about protocols such as Secure Socket Layer (SSL) 2. This process alone does not authenticate the author of the document to do this, the author would also need to sign the document digitally. CHALLENGES FOR PKI IMPLEMENTATION AT CORNELL: Although PKI offers clear benefits, its use at Cornell brings challenges. Two key challenges are trust key management As with Kerberos, the value of PKI is subordinate to the trust users have for the certificate authority. If the CA is not trustworthy, the digital signatures are worthless. In context, PKI Certificate authorities generally distribute information about registered users using a structured form known as an X.509 certificate how would Cornell verify the integrity of X.509 certificates delivered by a peer Ivy school? How would a peer Ivy verify Cornell's? Even with the simplified key management enabled by PKI schemes, 3 the best way to extend trust across the CA's realms is not universally agreed upon by industry experts. Fortunately an interim solution will afford Cornell and similar organizations with an institutionally trusted CA service today. This Certificate Authority service will come from an external and independent agency, from which there are several to choose. 4 These for-fee independent corporations offer user-authentication classes based on the institution s ability to verify the requesting user s identity. Even if Cornell elects to outsource its PKI services, this does not eliminate Cornell s responsibility to understand and manage the operational ramifications of PKI key pairs being doled out for Cornell business and research communications. Many digitally signed and encrypted documents will be associated with an individual, and with the campus at large, how Cornell goes about revoking keys and ensuring institutional access to private PKI keys will be critical. Practical Implications A growing consensus prevails that for Cornell to have a viable and flexible authentication architecture, it must incorporate both private (Kerberos) and Public Key (PKI) strategies. But these services should not be developed blindly of each other Cornell must examine common implementation requirements and service 2 home.netscape.com/eng/ssl3/draft302.txt 3 Management of PKI keys: the "public" key is much simpler to manage than the "private" encryption keys used by systems such as Kerberos. 4 Cornell has a limited contract with VeriSign to provide CA services. 4

5 synergies for Kerberos and PKI. These synergies include creating a common directory structure and coordinating encryption key exchange services to enhance privacy tools. But given the limitations of current Cornell authentication and authorization perspectives and the need for an expanded suite of authentication services, PKI may well work. Although the components of Kerberos at Cornell could offer digital signature services and general privacy tools, the intention is to maintain Kerberos as a client / server authentication service. Simply stated, the new needs of broader digital signatures and extended privacy are better addressed with PKI resources, because these tools are easier to manage and have a large national backing. One challenge at Cornell is the tendency to associate an authenticated user with a default suite of service access. In addition, Cornell has a tendency to associate authorized Network IDs as a "right" to consume Cornell resources. Current events have proven the problematic nature of this thinking. If network IDs can be assigned only to official members of Cornell, and anyone with a network ID can get access to EZ- Remote, how does Cornell give Network IDs required for access to library printers to people who are not members of Cornell? The problem is clear and the required rethink is simple; authentication and authorization must be separated. Although a Kerberos ticket can be a prerequisite to authorizing the use of Cornell service, a ticket does not and should never imply default authorization to a service. Authorization to a service as rich and unique as creative minds at Cornell may create must be delegated to the owners of services and never be assumed as part of the authentication process. Yet just because authorization is not authentication does not mean the authentication system has no value to an authorization process. As authentication securely exchanges knowledge of a user s identity, it can also send along a bit of demographic information. For example, this user is a Cornell student, staff member, guest, and so forth. If demographic data is exchanged, service providers can easily offer and authorize "group" services to users with a common attribute. Architecturally, these attributes can be collected by the Kerberos server from a trusted campus directory service, such as the pending Cornell Lightweight Directory Access Protocol (LDAP) server or other viable directory resources. Of course, transmitting these attributes rests on forging a campus consensus of what classifies a student, staff member, or guest. Action Items Enhancing services at Cornell will require developing new tools and rethinking old perspectives. The challenges being addressed include Re-articulate the notion that authentication is not authorization. Develop university policy to address ownership and management of encryption keys. Explore developing and managing a Cornell operated certificate authority or a campuswide contract with a private corporation for large-scale Cornell CA services. Forge a suite of common attributes to associate with Cornell Principals, thus providing efficient authorization schemas for service providers. Design LDAP services that act as a common directory resource for PKI and Kerberos authentication systems. Educate users on the concepts of digital signatures and the use of PKI infrastructures to help transfer encrypted information. Explore Kerberos ticket exchanges as a way to deliver symmetric encryption keys for general data encryption services. 5

6 Extend authorization services to new classes of network devices that will require authentication for access (for example, network switches and wireless hubs). Watch national trends and work with peer institution projects to ensure Cornell's participation in developing PKI interrealm-trust strategies. Closing Thoughts Advanced authorization services are not a future need there is a University need today for extended digital signature services and trust relationships with peer institutions certificate authorities. Multiple national initiatives and evolving state and federal laws on privacy rights, such as HIPAA 5, require the secure exchange of information. Now advanced authentication and privacy services are a baseline for Internet information exchange. In addition, new demands on authentication services at Cornell will force a broader review of Cornell's traditional perspective on the scope of an "authentication service." New client demands driven by authentication paradigms such as authentication and authorization to access campus network services or to associate resource consumption for billing purposes will place unprecedented demands on the authentication infrastructure. These facts, combined with the growing University dependency on Internet based delivery of services and communication, will all but force Cornell to invest rapidly in the retooling and education needed to ensure extended authorization capabilities. Today this may be best enabled with a flexible access-management strategy leveraging past investments in Kerberos while adding integrated PKI services in cooperation with peer institutions to afford cost-effective authentication and encryption services across a wide area. Over time, this dual Kerberos and PKI strategy should be reviewed to see if the PKI / Kerberos systems should be replaced by a single PKI based authentication service

Security Digital Certificate Manager

Security Digital Certificate Manager System i Security Digital Certificate Manager Version 5 Release 4 System i Security Digital Certificate Manager Version 5 Release 4 Note Before using this information and the product it supports, be sure

More information

Security Digital Certificate Manager

Security Digital Certificate Manager IBM i Security Digital Certificate Manager 7.1 IBM i Security Digital Certificate Manager 7.1 Note Before using this information and the product it supports, be sure to read the information in Notices,

More information

Network Security Protocols

Network Security Protocols Network Security Protocols EE657 Parallel Processing Fall 2000 Peachawat Peachavanish Level of Implementation Internet Layer Security Ex. IP Security Protocol (IPSEC) Host-to-Host Basis, No Packets Discrimination

More information

Overview of CSS SSL. SSL Cryptography Overview CHAPTER

Overview of CSS SSL. SSL Cryptography Overview CHAPTER CHAPTER 1 Secure Sockets Layer (SSL) is an application-level protocol that provides encryption technology for the Internet, ensuring secure transactions such as the transmission of credit card numbers

More information

CS 356 Lecture 28 Internet Authentication. Spring 2013

CS 356 Lecture 28 Internet Authentication. Spring 2013 CS 356 Lecture 28 Internet Authentication Spring 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access Control Lists

More information

Digital Certificate Infrastructure

Digital Certificate Infrastructure Digital Certificate Infrastructure Frequently Asked Questions Providing secure, low cost, and easy access to distributed instructional and research resources is a growing problem for campus library and

More information

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES Participation in the InCommon Federation ( Federation ) enables a federation participating organization ("Participant") to use Shibboleth identity

More information

GT 6.0 GSI C Security: Key Concepts

GT 6.0 GSI C Security: Key Concepts GT 6.0 GSI C Security: Key Concepts GT 6.0 GSI C Security: Key Concepts Overview GSI uses public key cryptography (also known as asymmetric cryptography) as the basis for its functionality. Many of the

More information

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES Participation in the InCommon Federation ( Federation ) enables a federation participating organization ("Participant") to use Shibboleth identity

More information

Canadian Access Federation: Trust Assertion Document (TAD)

Canadian Access Federation: Trust Assertion Document (TAD) Participant Name: Canadian Access Federation: Trust Assertion Document (TAD) 1. Purpose A fundamental requirement of Participants in the Canadian Access Federation is that they assert authoritative and

More information

Security Policy Revision Date: 23 April 2009

Security Policy Revision Date: 23 April 2009 Security Policy Revision Date: 23 April 2009 Remote Desktop Support Version 3.2.1 or later for Windows Version 3.1.2 or later for Linux and Mac 4 ISL Light Security Policy This section describes the procedure

More information

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES Participation in the InCommon Federation ( Federation ) enables a federation participating organization ("Participant") to use Shibboleth identity

More information

PRIVACY, SECURITY AND THE VOLLY SERVICE

PRIVACY, SECURITY AND THE VOLLY SERVICE PRIVACY, SECURITY AND THE VOLLY SERVICE Delight Delivered by EXECUTIVE SUMMARY The Volly secure digital delivery service from Pitney Bowes is a closed, secure, end-to-end system that consolidates and delivers

More information

Understanding Digital Certificates & Secure Sockets Layer A Fundamental Requirement for Internet Transactions

Understanding Digital Certificates & Secure Sockets Layer A Fundamental Requirement for Internet Transactions A Fundamental Requirement for Internet Transactions May 2007 Copyright 2007 Entrust. All rights reserved. Entrust is a registered trademark of Entrust, Inc. in the United States and certain other countries.

More information

Digital certificates and SSL

Digital certificates and SSL Digital certificates and SSL 20 out of 33 rated this helpful Applies to: Exchange Server 2013 Topic Last Modified: 2013-08-26 Secure Sockets Layer (SSL) is a method for securing communications between

More information

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES Participation in InCommon Federation ( Federation ) enables the participant to use Shibboleth identity attribute sharing technologies to manage access

More information

Public Key Infrastructure

Public Key Infrastructure UT DALLAS Erik Jonsson School of Engineering & Computer Science Public Key Infrastructure Murat Kantarcioglu What is PKI How to ensure the authenticity of public keys How can Alice be sure that Bob s purported

More information

Canadian Access Federation: Trust Assertion Document (TAD)

Canadian Access Federation: Trust Assertion Document (TAD) Participant Name: Royal Roads University_ Canadian Access Federation: Trust Assertion Document (TAD) 1. Purpose A fundamental requirement of Participants in the Canadian Access Federation is that they

More information

Comparing Cost of Ownership: Symantec Managed PKI Service vs. On- Premise Software

Comparing Cost of Ownership: Symantec Managed PKI Service vs. On- Premise Software WHITE PAPER: COMPARING TCO: SYMANTEC MANAGED PKI SERVICE........ VS..... ON-PREMISE........... SOFTWARE................. Comparing Cost of Ownership: Symantec Managed PKI Service vs. On- Premise Software

More information

Using etoken for SSL Web Authentication. SSL V3.0 Overview

Using etoken for SSL Web Authentication. SSL V3.0 Overview Using etoken for SSL Web Authentication Lesson 12 April 2004 etoken Certification Course SSL V3.0 Overview Secure Sockets Layer protocol, version 3.0 Provides communication privacy over the internet. Prevents

More information

Internet Programming. Security

Internet Programming. Security Internet Programming Security Introduction Security Issues in Internet Applications A distributed application can run inside a LAN Only a few users have access to the application Network infrastructures

More information

What Are They, and What Are They Doing in My Browser?

What Are They, and What Are They Doing in My Browser? Digital Certificates, p.1 07/29/02 Digital Certificates What Are They, and What Are They Doing in My Browser? By Judith V. Boettcher and Amanda Powell Digital certificates provide a means to authenticate

More information

WIRELESS PUBLIC KEY INFRASTRUCTURE FOR MOBILE PHONES

WIRELESS PUBLIC KEY INFRASTRUCTURE FOR MOBILE PHONES WIRELESS PUBLIC KEY INFRASTRUCTURE FOR MOBILE PHONES Balachandra Muniyal 1 Krishna Prakash 2 Shashank Sharma 3 1 Dept. of Information and Communication Technology, Manipal Institute of Technology, Manipal

More information

Canadian Access Federation: Trust Assertion Document (TAD)

Canadian Access Federation: Trust Assertion Document (TAD) Participant Name: McGill University Canadian Access Federation: Trust Assertion Document (TAD) 1. Purpose A fundamental requirement of Participants in the Canadian Access Federation is that they assert

More information

Brocade Engineering. PKI Tutorial. Jim Kleinsteiber. February 6, 2002. Page 1

Brocade Engineering. PKI Tutorial. Jim Kleinsteiber. February 6, 2002. Page 1 PKI Tutorial Jim Kleinsteiber February 6, 2002 Page 1 Outline Public Key Cryptography Refresher Course Public / Private Key Pair Public-Key Is it really yours? Digital Certificate Certificate Authority

More information

Overview. SSL Cryptography Overview CHAPTER 1

Overview. SSL Cryptography Overview CHAPTER 1 CHAPTER 1 Note The information in this chapter applies to both the ACE module and the ACE appliance unless otherwise noted. The features in this chapter apply to IPv4 and IPv6 unless otherwise noted. Secure

More information

Understanding Digital Certificates & Secure Sockets Layer (SSL): A Fundamental Requirement for Internet Transactions

Understanding Digital Certificates & Secure Sockets Layer (SSL): A Fundamental Requirement for Internet Transactions Understanding Digital Certificates & Secure Sockets Layer (SSL): A Fundamental Requirement for Internet Transactions February 2005 All rights reserved. Page i Entrust is a registered trademark of Entrust,

More information

Chapter 9 Key Management 9.1 Distribution of Public Keys 9.1.1 Public Announcement of Public Keys 9.1.2 Publicly Available Directory

Chapter 9 Key Management 9.1 Distribution of Public Keys 9.1.1 Public Announcement of Public Keys 9.1.2 Publicly Available Directory There are actually two distinct aspects to the use of public-key encryption in this regard: The distribution of public keys. The use of public-key encryption to distribute secret keys. 9.1 Distribution

More information

Digital Certificates (Public Key Infrastructure) Reshma Afshar Indiana State University

Digital Certificates (Public Key Infrastructure) Reshma Afshar Indiana State University Digital Certificates (Public Key Infrastructure) Reshma Afshar Indiana State University October 2015 1 List of Figures Contents 1 Introduction 1 2 History 2 3 Public Key Infrastructure (PKI) 3 3.1 Certificate

More information

Lecture 10 - Authentication

Lecture 10 - Authentication Lecture 10 - Authentication CMPSC 443 - Spring 2012 Introduction Computer and Network Security Professor Jaeger www.cse.psu.edu/~tjaeger/cse443-s12/ Kerberos: What to know 1) Alice T rent : {Alice + Bob

More information

A Study on Secure Electronic Medical DB System in Hospital Environment

A Study on Secure Electronic Medical DB System in Hospital Environment A Study on Secure Electronic Medical DB System in Hospital Environment Yvette E. Gelogo 1 and Sungwon Park 2 * 1 Catholic University of Daegu, Daegu, Korea 2 Department of Nursing, Hannam University, 133

More information

Shibboleth : An Open Source, Federated Single Sign-On System David E. Martin martinde@northwestern.edu

Shibboleth : An Open Source, Federated Single Sign-On System David E. Martin martinde@northwestern.edu Shibboleth : An Open Source, Federated Single Sign-On System David E. Martin martinde@northwestern.edu International Center for Advanced Internet Research Outline Security Mechanisms Access Control Schemes

More information

Canadian Access Federation: Trust Assertion Document (TAD)

Canadian Access Federation: Trust Assertion Document (TAD) Purpose A fundamental requirement of Participants in the Canadian Access Federation is that they assert authoritative and accurate identity attributes to resources being accessed, and that Participants

More information

Securing your Online Data Transfer with SSL

Securing your Online Data Transfer with SSL Securing your Online Data Transfer with SSL A GUIDE TO UNDERSTANDING SSL CERTIFICATES, how they operate and their application 1. Overview 2. What is SSL? 3. How to tell if a Website is Secure 4. What does

More information

What is an SSL Certificate?

What is an SSL Certificate? Security is of the utmost importance when doing business on the Web. Your customers want to know that their information is protected when crossing data lines. A Thawte SSL Web Server Certificate or SuperCert

More information

Document Type: Best Practice

Document Type: Best Practice Global Architecture and Technology Enablement Practice Hadoop with Kerberos Architecture Considerations Document Type: Best Practice Note: The content of this paper refers exclusively to the second maintenance

More information

Canadian Access Federation: Trust Assertion Document (TAD)

Canadian Access Federation: Trust Assertion Document (TAD) Canadian Access Federation: Trust Assertion Document (TAD) Purpose A fundamental requirement of Participants in the Canadian Access Federation is that they assert authoritative and accurate identity attributes

More information

Securing your Online Data Transfer with SSL A GUIDE TO UNDERSTANDING SSL CERTIFICATES, how they operate and their application INDEX 1. Overview 2. What is SSL? 3. How to tell if a Website is Secure 4.

More information

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES 1. Federation Participant Information 1.1 The InCommon Participant Operational Practices information below is for: InCommon Participant organization

More information

An Overview of the Secure Sockets Layer (SSL)

An Overview of the Secure Sockets Layer (SSL) Chapter 9: SSL and Certificate Services Page 1 of 9 Chapter 9: SSL and Certificate Services The most widespread concern with the Internet is not the limited amount of bandwidth or the occasional objectionable

More information

White Paper. Enhancing Website Security with Algorithm Agility

White Paper. Enhancing Website Security with Algorithm Agility ENHANCING WEBSITE SECURITY WITH ALGORITHM AGILITY White Paper Enhancing Website Security with Algorithm Agility Enhancing Website Security with Algorithm Agility Contents Introduction 3 Encryption Today

More information

Canadian Access Federation: Trust Assertion Document (TAD)

Canadian Access Federation: Trust Assertion Document (TAD) Participant Name: University of Victoria Canadian Access Federation: Trust Assertion Document (TAD) 1. Purpose A fundamental requirement of Participants in the Canadian Access Federation is that they assert

More information

Oracle Identity Management Concepts and Architecture. An Oracle White Paper December 2003

Oracle Identity Management Concepts and Architecture. An Oracle White Paper December 2003 Oracle Identity Management Concepts and Architecture An Oracle White Paper December 2003 Oracle Identity Management Concepts and Architecture Introduction... 3 Identity management... 3 What is Identity

More information

Wireless VPN White Paper. WIALAN Technologies, Inc. http://www.wialan.com

Wireless VPN White Paper. WIALAN Technologies, Inc. http://www.wialan.com Wireless VPN White Paper WIALAN Technologies, Inc. http://www.wialan.com 2014 WIALAN Technologies, Inc. all rights reserved. All company and product names are registered trademarks of their owners. Abstract

More information

Security Solutions for HIPAA Compliance Issues 1

Security Solutions for HIPAA Compliance Issues 1 :6B)73 6HFXULW\6ROXWLRQVIRU +,3$$&RPSOLDQFH +RZ:6B)73&DQ+HOS +,3$$7KH+HDOWK,QVXUDQFH3RUWDELOLW\DQG $FFRXQWDELOLW\$FWRIZDVHQDFWHGWR HVWDEOLVKJXLGHOLQHVZLWKLQWKHKHDOWKFDUHLQGXVWU\ WRHQVXUHWKHSULYDF\RISDWLHQWVDQGWKHSK\VLFDO

More information

70 299 Implementing and Administering Security in a Microsoft Windows Server 2003 Network

70 299 Implementing and Administering Security in a Microsoft Windows Server 2003 Network 70 299 Implementing and Administering Security in a Microsoft Windows Server 2003 Network Course Number: 70 299 Length: 1 Day(s) Course Overview This course is part of the MCSA training.. Prerequisites

More information

TOPIC HIERARCHY. Distributed Environment. Security. Kerberos

TOPIC HIERARCHY. Distributed Environment. Security. Kerberos KERBEROS TOPIC HIERARCHY Distributed Environment Security Privacy Authentication Authorization Non Repudiation Kerberos ORIGIN MIT developed Kerberos to protect network services. Developed under the Project

More information

Understanding Digital Certificates and Secure Sockets Layer (SSL)

Understanding Digital Certificates and Secure Sockets Layer (SSL) Understanding Digital Certificates and Secure Sockets Layer (SSL) Author: Peter Robinson January 2001 Version 1.1 Copyright 2001-2003 Entrust. All rights reserved. Digital Certificates What are they?

More information

Lecture 10 - Authentication

Lecture 10 - Authentication CSE497b Introduction to Computer and Network Security - Spring 2007 - Professor Jaeger Lecture 10 - Authentication CSE497b - Spring 2007 Introduction Computer and Network Security Professor Jaeger www.cse.psu.edu/~tjaeger/cse497b-s07/

More information

PKI Made Easy: Managing Certificates with Dogtag. Ade Lee Sr. Software Engineer Red Hat, Inc. 08.11.2013

PKI Made Easy: Managing Certificates with Dogtag. Ade Lee Sr. Software Engineer Red Hat, Inc. 08.11.2013 2013 PKI Made Easy: Managing Certificates with Dogtag Ade Lee Sr. Software Engineer Red Hat, Inc. 08.11.2013 Agenda What is PKI? What is Dogtag? Installing Dogtag Interacting with Dogtag using REST Future

More information

LDAP Authentication Configuration Appendix

LDAP Authentication Configuration Appendix 1 Overview LDAP Authentication Configuration Appendix Blackboard s authentication technology is considered a focal point in the company s ability to provide true enterprise software. Natively, the Blackboard

More information

How much do you pay for your PKI solution?

How much do you pay for your PKI solution? Information Paper Understand the total cost of your PKI How much do you pay for your PKI? A closer look into the real costs associated with building and running your own Public Key Infrastructure and 3SKey.

More information

CHAPTER 4 DEPLOYMENT OF ESGC-PKC IN NON-COMMERCIAL E-COMMERCE APPLICATIONS

CHAPTER 4 DEPLOYMENT OF ESGC-PKC IN NON-COMMERCIAL E-COMMERCE APPLICATIONS 70 CHAPTER 4 DEPLOYMENT OF ESGC-PKC IN NON-COMMERCIAL E-COMMERCE APPLICATIONS 4.1 INTRODUCTION In this research work, a new enhanced SGC-PKC has been proposed for improving the electronic commerce and

More information

Use of EASE Code of Practice. This code of practice is also qualified by The University of Edinburgh computing regulations, found at:

Use of EASE Code of Practice. This code of practice is also qualified by The University of Edinburgh computing regulations, found at: Use of EASE Code of Practice Introduction This code of practice is intended to support the Information Security Policy of the University and should be read in conjunction with this document. http://www.ed.ac.uk/schools-departments/information-services/about/policiesandregulations/security-policies/security-policy

More information

Sync Security and Privacy Brief

Sync Security and Privacy Brief Introduction Security and privacy are two of the leading issues for users when transferring important files. Keeping data on-premises makes business and IT leaders feel more secure, but comes with technical

More information

Cryptography and Network Security Chapter 14. Fifth Edition by William Stallings

Cryptography and Network Security Chapter 14. Fifth Edition by William Stallings Cryptography and Network Security Chapter 14 Fifth Edition by William Stallings Key Management: Generation, Transportation, and Distribution The Key Exchange Problem Although symmetric encryption is commonly

More information

Authentication. Agenda. IT Security course Lecture April 14 th 2003. Niels Christian Juul 2. April 14th, 2003

Authentication. Agenda. IT Security course Lecture April 14 th 2003. Niels Christian Juul 2. April 14th, 2003 Authentication IT Security course Lecture April 14 th 2003 Niels Christian Juul Computer Science, building 42.1 Roskilde University Universitetsvej 1 P.O. Box 260 DK-4000 Roskilde Denmark Phone: +45 4674

More information

WHITE PAPER. HIPPA Compliance and Secure Online Data Backup and Disaster Recovery

WHITE PAPER. HIPPA Compliance and Secure Online Data Backup and Disaster Recovery WHITE PAPER HIPPA Compliance and Secure Online Data Backup and Disaster Recovery January 2006 HIPAA Compliance and the IT Portfolio Online Backup Service Introduction October 2004 In 1996, Congress passed

More information

Single Sign-on (SSO) technologies for the Domino Web Server

Single Sign-on (SSO) technologies for the Domino Web Server Single Sign-on (SSO) technologies for the Domino Web Server Jane Marcus December 7, 2011 2011 IBM Corporation Welcome Participant Passcode: 4297643 2011 IBM Corporation 2 Agenda USA Toll Free (866) 803-2145

More information

understanding SSL certificates THAWTE IS A LEADING GLOBAL PROVIDER OF SSL CERTIFICATES

understanding SSL certificates THAWTE IS A LEADING GLOBAL PROVIDER OF SSL CERTIFICATES understanding SSL certificates THAWTE IS A LEADING GLOBAL PROVIDER OF SSL CERTIFICATES contents UNDERSTANDING SSL CERTIFICATES...1 What Is SSL and What Are SSL Certificates?...1 Features of SSL...1 Encryption...1

More information

Dr. Cunsheng DING HKUST, Hong Kong. Security Protocols. Security Protocols. Cunsheng Ding, HKUST COMP685C

Dr. Cunsheng DING HKUST, Hong Kong. Security Protocols. Security Protocols. Cunsheng Ding, HKUST COMP685C Cunsheng Ding, HKUST Lecture 06: Public-Key Infrastructure Main Topics of this Lecture 1. Digital certificate 2. Certificate authority (CA) 3. Public key infrastructure (PKI) Page 1 Part I: Digital Certificates

More information

SSL Overview for Resellers

SSL Overview for Resellers Web Security Enterprise Security Identity Verification Services Signing Services SSL Overview for Resellers What We ll Cover Understanding SSL SSL Handshake 101 Market Opportunity for SSL Obtaining an

More information

Lecture 31 SSL. SSL: Secure Socket Layer. History SSL SSL. Security April 13, 2005

Lecture 31 SSL. SSL: Secure Socket Layer. History SSL SSL. Security April 13, 2005 Lecture 31 Security April 13, 2005 Secure Sockets Layer (Netscape 1994) A Platform independent, application independent protocol to secure TCP based applications Currently the most popular internet crypto-protocol

More information

Internet File Management & HIPAA A Practical Approach towards Responding to the Privacy Regulation of the Act

Internet File Management & HIPAA A Practical Approach towards Responding to the Privacy Regulation of the Act White Paper Internet File Management & HIPAA A Practical Approach towards Responding to the Privacy Regulation of the Act The recent activation of the privacy requirement of the Health Insurance Portability

More information

Public Key Infrastructure

Public Key Infrastructure Motivation: Public Key Infrastructure 1. Numerous people buy/sell over the internet hard to manage security of all possible pairs of connections with secret keys 2. US government subject to the Government

More information

Secure Email Inside the Corporate Network: INDEX 1 INTRODUCTION 2. Encryption at the Internal Desktop 2 CURRENT TECHNIQUES FOR DESKTOP ENCRYPTION 3

Secure Email Inside the Corporate Network: INDEX 1 INTRODUCTION 2. Encryption at the Internal Desktop 2 CURRENT TECHNIQUES FOR DESKTOP ENCRYPTION 3 A Tumbleweed Whitepaper Secure Email Inside the Corporate Network: Providing Encryption at the Internal Desktop INDEX INDEX 1 INTRODUCTION 2 Encryption at the Internal Desktop 2 CURRENT TECHNIQUES FOR

More information

HIPAA Security Considerations for Broadband Fixed Wireless Access Systems White Paper

HIPAA Security Considerations for Broadband Fixed Wireless Access Systems White Paper HIPAA Security Considerations for Broadband Fixed Wireless Access Systems White Paper Rev 1.0 HIPAA Security Considerations for Broadband Fixed Wireless Access Systems This white paper will investigate

More information

Authentication in WLAN

Authentication in WLAN Authentication in WLAN Flaws in WEP (Wired Equivalent Privacy) Wi-Fi Protected Access (WPA) Based on draft 3 of the IEEE 802.11i. Provides stronger data encryption and user authentication (largely missing

More information

NIST PKI 06: Integrating PKI and Kerberos (updated April 2007) Jeffrey Altman

NIST PKI 06: Integrating PKI and Kerberos (updated April 2007) Jeffrey Altman NIST PKI 06: Integrating PKI and Kerberos (updated April 2007) Jeffrey Altman The Slow Convergence of PKI and Kerberos At Connectathon 1995 Dan Nessett of Sun Microsystems was quoted saying Kerberos will

More information

Arcot Systems, Inc. Securing Digital Identities. FPKI-TWG Mobility Solutions Today s Speaker Tom Wu Principal Software Engineer

Arcot Systems, Inc. Securing Digital Identities. FPKI-TWG Mobility Solutions Today s Speaker Tom Wu Principal Software Engineer Arcot Systems, Inc. Securing Digital Identities FPKI-TWG Mobility Solutions Today s Speaker Tom Wu Principal Software Engineer Today s Agenda Background Who is Arcot Systems? What is an ArcotID? Why use

More information

NETWORK SERVICE BILLING STRATEGIES AT CORNELL

NETWORK SERVICE BILLING STRATEGIES AT CORNELL REV1. NETWORK SERVICE BILLING STRATEGIES AT CORNELL Prepared by R. David Vernon Introduction As part of the IT Architecture Initiative, the Office of Information Technologies (OIT) is producing a series

More information

Snow Agent System Pilot Deployment version

Snow Agent System Pilot Deployment version Pilot Deployment version Security policy Revision: 1.0 Authors: Per Atle Bakkevoll, Johan Gustav Bellika, Lars, Taridzo Chomutare Page 1 of 8 Date of issue 03.07.2009 Revision history: Issue Details Who

More information

IS TEST 3 - TIPS FOUR (4) levels of detective controls offered by intrusion detection system (IDS) methodologies. First layer is typically responsible for monitoring the network and network devices. NIDS

More information

The DoD Public Key Infrastructure And Public Key-Enabling Frequently Asked Questions

The DoD Public Key Infrastructure And Public Key-Enabling Frequently Asked Questions The DoD Public Key Infrastructure And Public Key-Enabling Frequently Asked Questions May 3, 2004 TABLE OF CONTENTS GENERAL PKI QUESTIONS... 1 1. What is PKI?...1 2. What functionality is provided by a

More information

Canadian Access Federation: Trust Assertion Document (TAD)

Canadian Access Federation: Trust Assertion Document (TAD) Participant Name: University of Lethbridge 1. Purpose A fundamental requirement of Participants in the Canadian Access Federation is that they assert authoritative and accurate identity attributes to resources

More information

Designing Windows Server 2008 Active Directory Infrastructure and Services Course 6436B; 5 Days, Instructor-led

Designing Windows Server 2008 Active Directory Infrastructure and Services Course 6436B; 5 Days, Instructor-led Designing Windows Server 2008 Active Directory Infrastructure and Services Course 6436B; 5 Days, Instructor-led Course Description During this five-day course, students will learn how to design an Active

More information

Entrust Managed Services PKI. Getting started with digital certificates and Entrust Managed Services PKI. Document issue: 1.0

Entrust Managed Services PKI. Getting started with digital certificates and Entrust Managed Services PKI. Document issue: 1.0 Entrust Managed Services PKI Getting started with digital certificates and Entrust Managed Services PKI Document issue: 1.0 Date of issue: May 2009 Copyright 2009 Entrust. All rights reserved. Entrust

More information

Chapter 17. Transport-Level Security

Chapter 17. Transport-Level Security Chapter 17 Transport-Level Security Web Security Considerations The World Wide Web is fundamentally a client/server application running over the Internet and TCP/IP intranets The following characteristics

More information

Understanding SSL Certificates THAWTE IS A LEADING GLOBAL PROVIDER OF SSL CERTIFICATES

Understanding SSL Certificates THAWTE IS A LEADING GLOBAL PROVIDER OF SSL CERTIFICATES Understanding SSL Certificates THAWTE IS A LEADING GLOBAL PROVIDER OF SSL CERTIFICATES Understanding SSL Certificates 2 Secure Socket Layer (SSL) certificates are widely used to help secure and authenticate

More information

Authentication Application

Authentication Application Authentication Application KERBEROS In an open distributed environment servers to be able to restrict access to authorized users to be able to authenticate requests for service a workstation cannot be

More information

Overview. SSL Cryptography Overview CHAPTER 1

Overview. SSL Cryptography Overview CHAPTER 1 CHAPTER 1 Secure Sockets Layer (SSL) is an application-layer protocol that provides encryption technology for the Internet. SSL ensures the secure transmission of data between a client and a server through

More information

Unifying Information Security. Implementing TLS on the CLEARSWIFT SECURE Email Gateway

Unifying Information Security. Implementing TLS on the CLEARSWIFT SECURE Email Gateway Unifying Information Security Implementing TLS on the CLEARSWIFT SECURE Email Gateway Contents 1 Introduction... 3 2 Understanding TLS... 4 3 Clearswift s Application of TLS... 5 3.1 Opportunistic TLS...

More information

Canadian Access Federation: Trust Assertion Document (TAD)

Canadian Access Federation: Trust Assertion Document (TAD) Participant Name: RESEARCH RESEARCH LTD. 1. Purpose A fundamental requirement of Participants in the Canadian Access Federation is that they assert authoritative and accurate identity attributes to resources

More information

Managing Credentials with

Managing Credentials with Managing Credentials with MyProxy Jim Basney National Center for Supercomputing Applications University of Illinois jbasney@ncsa.uiuc.edu http://myproxy.ncsa.uiuc.edu/ What is MyProxy? A service for managing

More information

Certification Practice Statement

Certification Practice Statement FernUniversität in Hagen: Certification Authority (CA) Certification Practice Statement VERSION 1.1 Ralph Knoche 18.12.2009 Contents 1. Introduction... 4 1.1. Overview... 4 1.2. Scope of the Certification

More information

2014 IBM Corporation

2014 IBM Corporation 2014 IBM Corporation This is the 27 th Q&A event prepared by the IBM License Metric Tool Central Team (ICT) Currently we focus on version 9.x of IBM License Metric Tool (ILMT) The content of today s session

More information

PaperClip Incorporated 3/7/06; Rev 9/18/09. PaperClip Compliant Email Service Whitepaper

PaperClip Incorporated 3/7/06; Rev 9/18/09. PaperClip Compliant Email Service Whitepaper Incorporated 3/7/06; Rev 9/18/09 PaperClip Compliant Email Service Whitepaper Overview The FTC Safeguard Rules require Financial, Insurance and Medical providers to protect their customer s private information

More information

Authentication Types. Password-based Authentication. Off-Line Password Guessing

Authentication Types. Password-based Authentication. Off-Line Password Guessing Authentication Types Chapter 2: Security Techniques Background Secret Key Cryptography Public Key Cryptography Hash Functions Authentication Chapter 3: Security on Network and Transport Layer Chapter 4:

More information

ITKwebcollege.ADMIN-Basics Fundamentals of Microsoft Windows Server

ITKwebcollege.ADMIN-Basics Fundamentals of Microsoft Windows Server ITKwebcollege.ADMIN-Basics Fundamentals of Microsoft Windows Server Inhalte Teil 01 Network Architecture Standards Network Components and Terminology Network Architecture Network Media Access Control Methods

More information

Evaluation of different Open Source Identity management Systems

Evaluation of different Open Source Identity management Systems Evaluation of different Open Source Identity management Systems Ghasan Bhatti, Syed Yasir Imtiaz Linkoping s universitetet, Sweden [ghabh683, syeim642]@student.liu.se 1. Abstract Identity management systems

More information

Lecture slides by Lawrie Brown for Cryptography and Network Security, 5/e, by William Stallings, Chapter 14 Key Management and Distribution.

Lecture slides by Lawrie Brown for Cryptography and Network Security, 5/e, by William Stallings, Chapter 14 Key Management and Distribution. Lecture slides by Lawrie Brown for Cryptography and Network Security, 5/e, by William Stallings, Chapter 14 Key Management and Distribution. 1 Opening quote. 2 The topics of cryptographic key management

More information

Integration with Active Directory. Jeremy Allison Samba Team

Integration with Active Directory. Jeremy Allison Samba Team Integration with Active Directory Jeremy Allison Samba Team Benefits of using Active Directory Unlike the earlier Microsoft Windows NT 4.x Domain directory service which used proprietary DCE/RPC calls,

More information

encryption keys, signing keys are not archived, reducing exposure to unauthorized access to the private key.

encryption keys, signing keys are not archived, reducing exposure to unauthorized access to the private key. The way the world does business is changing, and corporate security must change accordingly. For instance, e-mail now carries not only memos and notes, but also contracts and sensitive financial information.

More information

Advanced Authentication

Advanced Authentication White Paper Advanced Authentication Introduction In this paper: Introduction 1 User Authentication 2 Device Authentication 3 Message Authentication 4 Advanced Authentication 5 Advanced Authentication is

More information

Attestation and Authentication Protocols Using the TPM

Attestation and Authentication Protocols Using the TPM Attestation and Authentication Protocols Using the TPM Ariel Segall June 21, 2011 Approved for Public Release: 11-2876. Distribution Unlimited. c 2011. All Rights Reserved. (1/28) Motivation Almost all

More information

Using Data Encryption to Achieve HIPAA Safe Harbor in the Cloud

Using Data Encryption to Achieve HIPAA Safe Harbor in the Cloud Using Data Encryption to Achieve HIPAA Safe Harbor in the Cloud 1 Contents The Obligation to Protect Patient Data in the Cloud................................................... Complying with the HIPAA

More information

PKI: Public Key Infrastructure

PKI: Public Key Infrastructure PKI: Public Key Infrastructure What is it, and why should I care? Conference on Higher Education Computing in Kansas June 3, 2004 Wes Hubert Information Services The University of Kansas Why? PKI adoption

More information

White Paper Delivering Web Services Security: The Entrust Secure Transaction Platform

White Paper Delivering Web Services Security: The Entrust Secure Transaction Platform White Paper Delivering Web Services Security: September 2003 Copyright 2003 Entrust. All rights reserved. Entrust is a registered trademark of Entrust, Inc. in the United States and certain other countries.

More information

Leverage Active Directory with Kerberos to Eliminate HTTP Password

Leverage Active Directory with Kerberos to Eliminate HTTP Password Leverage Active Directory with Kerberos to Eliminate HTTP Password PistolStar, Inc. PO Box 1226 Amherst, NH 03031 USA Phone: 603.547.1200 Fax: 603.546.2309 E-mail: salesteam@pistolstar.com Website: www.pistolstar.com

More information

Key Management (Distribution and Certification) (1)

Key Management (Distribution and Certification) (1) Key Management (Distribution and Certification) (1) Remaining problem of the public key approach: How to ensure that the public key received is really the one of the sender? Illustration of the problem

More information