4 PKCS#11 PKCS#11 is a standard for cryptographic tokens Smartcards Hardware Security Modules (HSM) Key storage in PKCS#11 devices appeared in 5.4 Deprecating the old opensc/libsectok smartcard code Smartcards can store authentication and CA keys
5 Match example: use a smarcard key ssh -I /opt/lib/mycard-pkcs11.so ssh(1) will dlopen() the specified PKCS#11 provider and use it to enumerate and use keys on the device it supports
7 PKCS#11 future work Currently, using a token means trying all its keys Granular control would be nice We can to some extent using IdentityFile in ssh(1), but this isn't obvious Allow host keys to be stored in PKCS#11 Root compromise!= persistent hostkey theft Add support for certificates (mentioned later)
8 sftp extensions The sftp protocol as OpenSSH implements is actually sftp v.3, or more verbosely draft-ietf-secsh-filexfer-02.txt sftp is a good example of how consensus standards development can produce bad protocols Original versions had an elegant simplicity Basically the Unix file API as protocol methods Open file => handle Read from handle => data Reminiscent of 9p from Plan 9
9 sftp extensions Later versions (up to v.6) accreted features Text mode files to better support Windows Record mode files to better support OpenVMS MIME types, Win32ish ACLs, byte-range locking We think that we already have a do-everything network filesystem protocol in NFS, we don't need another So we stopped implementing features after sftp v.3 This was unfortunate for people who needed new features
10 sftp extensions Fortunately, the sftp protocol is extensible In the initial protocol hello message, client and server can advertise extensions that they support When the protocol is established, named extension methods can be used E.g. Downside: named extensions are more bandwidth hungry than numbered protocol methods.
11 sftp extensions We have added a number of extensions already: Standard sftp v.3 uses a link()+rm() raceless rename Use as rename via sftp(1) in OpenSSH >= 4.8 Use as df via sftp(1) in OpenSSH >= 5.1 Use as ln via sftp(1) in OpenSSH >= 5.7
12 sftp extensions More to come: user/group names for files sftp v.3 only support numeric uid/gid fsync() file handle method O_NOFOLLOW open mode Some of these are very useful for user-space filesystems that use the sftp protocol (though it is inherently racy)
13 Deprecation of SSHv1 We recently completed a staged deprecation of SSHv1 Why? SSHv1 lacks many features of SSHv2 SSHv1 offers no viable extension mechanism SSHv1 suffers from a number of unfixable cryptographic weaknesses
14 SSHv1 CORE-SDI SSH insertion attack Found by CORE SDI in 1998 Fundamental problem is SSHv1's use of CRC as a integrity code CRC is linear; changes in its input lead to predictable changes in its output CORE SDI figured out how to inject data by calculating how to reconstruct a valid CRC Attack cannot be prevented, but can be probabilistically detected Detection code was buggy too! Twice!
15 SSHv1 Use of MD5 in the protocol SSHv1 uses MD5 for key derivation and RSA public key authentication No way to specify a different algorithm MD5 is broken as a cryptographic hash Attackable for the RSA authentication case?
16 SSHv1 downgrade attack If a client and server support SSHv1 and SSHv2, a man-in-the-middle may silently downgrade their connection to SSHv1 SSH advertises supported versions in initial banner: e.g. SSH-1.99-OpenSSH_5.8 SSHv2 checks banners, SSHv1 does not Attacker can modify banners, force use of SSHv1 Attack vulnerable code or protocol components.
17 SSHv1 even more crypto badness Not-quite PFS (ephemeral host key) Probably vulnerable to CPNI "Plaintext Recovery Attack Against SSH", Information Security Group at Royal Holloway, U. London, November 2008 Weak private key file format
18 SSHv1 - weaknesses We deprecated it in two steps 4.7 new server installations no longer enable SSHv1 5.4 client must be explicitly configured to use SSHv1 Quite a few people still liked SSHv1 because of speed It's easy to be fast when you are insecure :) Why is SSHv2 slower? MAC and key exchange We implemented a fast MAC (umac-64) and now a fast key exchange (ECDH)
19 Certificate authentication for OpenSSH A new, very lightweight certificate format (not X.509) Released in OpenSSH-5.4, improved in OpenSSH-5.6 Design goals: simplicity, modest flexibility, minimal attack surface
20 Why (another certificate format) "We have OpenPGP and X.509, why reinvent the wheel?" OpenSSH will not accept complex certificate decoding in the pre-authentication path: o PGP and X.509 (especially) are syntactically and semantically complex o Too much attack surface in the pre-authentication phase o Bitter experience has taught us not to trust ASN.1
21 Differences from X.509 X.509 hierarchical CA structure complex identity structure multi-purpose identity bound by key owner complex encoding infinitely extensible OpenSSH no hierarchy (maybe later) identity is just a string SSH auth only identity bound by CA simple encoding extensible enough (we hope)
22 OpenSSH certificate contents So, what is in an OpenSSH certificate? Nonce Public key (DSA or RSA) Certificate type (User or Host) Key identifier List of valid principals Validity time range Critical options Extensions Reserved field (currently ignored) CA key Signature
23 Critical options and extensions Options that limit or affect certificate validity or use. May be "critical" or not. Critical options cause the server to refuse authorisation if it the option is unrecognised Present options are basically a mapping of.ssh/authorized_keys options into the certificate: Critical force-command source-address Non-critical permit-x11-forwarding permit-agent-forwarding permit-user-rc permit-pty permit-port-forwarding Generally, options that grant privilege are non-critical as ignoring them does not yield security surprises.
24 Certificate encoding The certificate is encoded using SSH-style wire primitives and signed using SSH-style RSA/DSA signatures o Very little new code. o Minimises incremental attack surface Fixed format: all fields must be present (though some subfields may be empty) and must appear in order. Certificates are extensible using new critical options, extensions, new types (in addition to user/host), or the currently-ignored "reserved" field.
25 Certificate integration - User auth User authentication can be trusted CA keys listed in ~/.ssh/authorized_keys or via a sshd-wide trust anchor specified in sshd_config's TrustedCAKeys option Principal names in the cert must match the local account name in the case of authorized_keys. A principals="..." key option allows some indirection here. For certs signed by TrustedCAKeys, an optional AuthorizedPrincipalsFile (e.g. ~/.ssh/authorized_principals) allows listing of certificate principals to accept.
26 Certificate integration - host auth CAs trusted to sign host certificates must be listed in a known_hosts file (either the system /etc/ssh/known_hosts, or the per-user ~/.ssh/known_hosts) Trust of host CA's can be restricted to a specific list of domain localhost,*.mindrot.org,*.djm.net.au ssh-rsa AAAAB3Nz... Fallback: If a host presents a cert from an unrecognised CA, then it is treated as a raw public key for authentication purposes (normal key learning rules apply)
27 Certificate integration - CA operations CA operations are built into ssh-keygen: # Create a keypair $ ssh-keygen -qt ecdsa -C '' -f ~/.ssh/id_ecdsa -N '' # (on the CA) sign the public key to create a user cert $ sudo ssh-keygen -s /etc/ssh/ssh_ca_key \ -I "djm" -n djm,shared-nethack \ -O source-address= /8 \ -O force-command=/usr/bin/nethack \ -O permit-pty \ -V -1d:+52w1d id_ecdsa.pub \ -z Signed user key id_ecdsa-cert.pub: id "djm" serial for djm,shared-nethack valid from T14:28:00 to T14:28:00
28 Certificates - Revocation Revocation story is kind of weak at present. Emphasis is on making certs short-lived rather than revocation User authentication keys can be revoked using a flat file of public keys. Host keys are revoked in known_hosts. Revoked keys print a scary warning on WARNING: REVOKED HOST KEY The RSA-CERT host key for localhost is marked as revoked. This could mean that a stolen key is being used to impersonate this host. Can do an OCSP-like protocol if necessary in the future. (patches welcome)
29 Certificates - Future plans Write a HOWTO-style document Improve revocation Compact CRL format Maybe an OCSP-like protocol Ability to store OpenSSH certs in X.509 certs for smartcard use o OCTET-STRING certificate extension under an OID IETF allocated to the OpenSSH project Combined OpenSSH and X.509 CA tool: sign CSR and OpenSSH pubkey in a single operation Maybe implement chained certificates
30 Elliptic curve cryptography OpenSSH 5.7 introduced Elliptic Curve Cryptographic key exchange and public key types Key Exchange is ECDH New public key type is ECDSA Implemented according to RFC5656 Elliptic Curve Algorithm Integration in the Secure Shell Transport Layer by Douglas Stebila
31 What is ECC? Elliptic Curve Cryptography (ECC) is public-key cryptography calculated using Elliptic Curves over finite fields Contrast with traditional public key algorithms that usually calculate in a finite integer group Elliptic curves over finite fields provide an algebraic group structure in which the discrete logarithm problem is hard Discrete Log problem (DLP): Given g x, find x Solving the DLP is more difficult in curve fields than in prime fields, so key lengths can be shorter
32 What is ECC? Since the DLP is hard, DLP-dependent cryptosystems work DSA => ECDSA DH => ECDA ECRSA isn't common since RSA doesn't rely on the DLP Since key lengths are shorted, ECC-based algorithms are usually faster for a given security level More introductory information at:
33 ECC in OpenSSH: Key Exchange OpenSSH >= 5.7 support Elliptic Curve Diffie-Hellman key exchange (ECDH) Three security levels provided by three different protocol methods, each with its own curve field: ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521 (note: not 512) OpenSSL is used for elliptic curve operations, including point serialisation/parsing
35 KEX group size (bits) ecdh-sha2-nistp521 ecdh-sha2-nistp384 ecdh-sha2-nistp256 diffie-hellman-group-exchange-sha1 diffie-hellman-group14-sha1 diffie-hellman-group1-sha Group size (bits)
36 KEX time to complete ecdh-sha2-nistp521 ecdh-sha2-nistp384 ecdh-sha2-nistp256 diffie-hellman-group-exchange-sha1 diffie-hellman-group14-sha1 diffie-hellman-group1-sha Time to complete key exchange (milliseconds)
37 ECDH key exchange On by default if both ends support it in OpenSSH >= 5.7 If you require more than 128 bits of symmetric equivalent security, then you should use the sshd_config KexAlgorithms option to chose the 384 or 521 bit ECC curve field. OpenSSL's ECC implementation is still being optimised 2 x speedup in -current Possibly 4 x speedup if we use a hand-optimised 224- bit curve field.
38 ECC in OpenSSH: keys OpenSSH >= 5.7 supports Elliptic Curve DSA (ECDSA) for user and host keys Again, the curve field is explicit and defines the security level of the algorithm We use the same three curves (mandatory in RFC5656): ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521 All hidden behind ecdh key type used on command-line
39 ECC in OpenSSH: keys ECDSA is slightly faster than regular DSA Still a benefit in symmetric-equivalent security Shorter keys too ECDSA keys can appear wherever RSA or DSA keys work: User keys (~/.ssh/id_ecdsa, ~/.ssh/authorized_keys) Host keys (/etc/ssh/ssh_host_ecdsa_key) Certificates (as signed key or as CA) ECDSA keys are preferred when both ends support them
40 Sandboxed privsep - background OpenSSH sshd was one of the first network daemons to use privilege separation to mitigate attacks (postfix and vsftpd were earlier) Concept: split sshd into two processes Privileged monitor implements only those options that require root access Unprivileged child process handles network communication, packet parsing and most crypto Communicate via lightweight RPC over shared socket Pre-authentication child process is chrooted to an empty directory
41 Sandboxed privsep - background Most attack surface runs without privilege, so successful attackers no longer automatically get root A compromised unprivileged child can still be dangerous Act as proxy to relay attacks against other hosts Probe local kernel attack surface, attempt privilege escalation The most critical case is before the user is authenticated (a.k.a preauth) No authentication barrier to attackers A good exploit may be used to create a worm
42 Sandboxed privsep - sandboxing Solution: voluntarily remove capability from the pre-auth child process Ideal case: child is allowed access to precisely the resources (file descriptors) and system calls it needs and nothing more Unfortunately we can't get close to the ideal using POSIX facilities, but many platforms offer APIs to restrict process' power Hardest part in implementing was arranging for pre-auth child to make no socket() calls Was using syslog for logging, now piped to monitor
43 Sandboxed privsep - systrace Sandbox implementation uses OpenBSD's systrace(4) device in unsupervised mode No cradle systrace(8) process to inspect syscall args Just a simple list of allowed syscalls Extended systrace(4) to SIGKILL on policy violation This implementation is pretty close to the ideal Only whitelisted syscalls are permitted Most kernel attack surface is excluded No possibility of attacker opening sockets to proxy Some maintenance burden of permitted syscall list
44 Sandboxed privsep OS X seatbelt Sandbox implementation using Seatbelt / sandbox_init(3) implemented in OS X 10.5 Uses policy ksbxprofilepurecomputation that prohibits access to all operating system services Haven't tested this enforcement in depth Seems to allow creation of sockets, though operations attempted on them fail We also use rlimit sandboxing (see next) for extra paranoia
45 Sandboxed privsep rlimit What about platforms that lack stronger mechanisms? setrlimit(2) to zero hard fd and process limits Prevent opening sockets and fork()-like syscalls Blocks attacker's proxying through compromised sshd Unfortunately does not reduce local kernel attack surface to reduce risk of privilege escalation Doesn't work everywhere some platforms won't set zero fd limit when there remain open descriptors.
46 Sandboxed privsep future work More sandboxes! FreeBSD Capsicum (probably the best API for this) ptrace() sandbox like vsftpd? (maybe not - complexity) Linux is conspicuously lacking a good sanbox at present Pending patch for SELinux based sandbox Kernel lacks a sufficiently general mechanism (see Will Drewry's patches to extend SECCOMP) Make setrlimit() sandbox work in more places Weaken to allow setting low (not zero) fd limit Detect when those fds close unexpectedly
47 OpenSSH what's next? Small features. E.g. Hostname canonicalisation Fetch authorized_keys from agent Refactoring E.g. make key-handling, agent client code available as a library Better testing Unit tests Better feature coverage
49 Bonus Slides
50 Match This feature isn't so new, actually introduced in 4.4 Allows variation of sshd's config depending on Username Group Source address Source hostname (if you trust DNS) Replaces previous hack of multiple instances + AllowUsers/AllowGroups
51 Match Very useful for: Restricted accounts (e.g. mandatory chroot) Limiting authentication by source network (e.g disable password auth from internet)
52 Match example: controlling auth PasswordAuthentication no # Override main configuration Match address /8 PasswordAuthentication yes
53 Match example: controlling options AllowTcpForwarding no Match group wheel,fwd AllowTcpForwarding yes # Wildcard predicates == ok Match user hosted-* PasswordAuthentication no PubkeyAuthentication yes
54 Match example: anonymous sftp Match user anonsftp ForceCommand internal-sftp -R ChrootDirectory /chroot/home PermitEmptyPasswords yes PasswordAuthentication yes AllowAgentForwaring no AllowTcpForwarding no X11Forwarding no
CS615 - Aspects of System Administration Slide 1 CS615 - Aspects of System Administration SSL, SSH Department of Computer Science Stevens Institute of Technology Jan Schaumann firstname.lastname@example.org http://www.cs.stevens.edu/~jschauma/615/
June 26, 2007 UniForum Chicago SSH The Secure Shell Hemant Shah email@example.com Platform: Linux and Unix What is SSH? June 26, 2007 Copyright Hemant Shah 2 What is SSH? The Secure Shell It is a protocol
OpenSSH: Secure Shell Remote console access Campus-Booster ID : **XXXXX www.supinfo.com Copyright SUPINFO. All rights reserved OpenSSH: Secure Shell Your trainer Presenter s Name Title: **Enter title or
SBClient SSL Ehab AbuShmais Agenda SSL Background U2 SSL Support SBClient SSL 2 What Is SSL SSL (Secure Sockets Layer) Provides a secured channel between two communication endpoints Addresses all three
Topics in Network Security Jem Berkes MASc. ECE, University of Waterloo B.Sc. ECE, University of Manitoba www.berkes.ca February, 2009 Ver. 2 In this presentation Wi-Fi security (802.11) Protecting insecure
FreeIPA Training Series SSSD and OpenSSH Integration Jan Cholasta 01-04-2013 Introduction to OpenSSH OpenSSH is an implementation of the SSH protocol Provides both server (sshd) and client (ssh) SSH allows
SSH and FTP on Ubuntu 9.04 WNYLUG Neal Chapman 09/09/2009 SSH (Secure Shell) Secure Shell or SSH is a network protocol that allows data to be exchanged using a secure channel between two networked devices.
GNUTLS a Transport Layer Security Library This is a Draft document Applies to GnuTLS 1.0.13 by Nikos Mavroyanopoulos ii Copyright c 2001,2002,2003 Nikos Mavroyanopoulos Permission is granted to copy, distribute
1 Introduction to Cryptography and Data Security 1 1.1 Overview of Cryptology (and This Book) 2 1.2 Symmetric Cryptography 4 1.2.1 Basics 4 1.2.2 Simple Symmetric Encryption: The Substitution Cipher...
Certificate Management PAN-OS Administrator s Guide Version 7.0 Contact Information Corporate Headquarters: Palo Alto Networks 4401 Great America Parkway Santa Clara, CA 95054 www.paloaltonetworks.com/company/contact-us
Public Key Infrastructure (PKI) In this video you will learn the quite a bit about Public Key Infrastructure and how it is used to authenticate clients and servers. The purpose of Public Key Infrastructure
Secure Sockets Layer (SSL ) / Transport Layer Security (TLS) Network Security Products S31213 UNCLASSIFIED Example http ://www. greatstuf f. com Wants credit card number ^ Look at lock on browser Use https
1720 - Forward Secrecy: How to Secure SSL from Attacks by Government Agencies Dave Corbett Technical Product Manager Implementing Forward Secrecy 1 Agenda Part 1: Introduction Why is Forward Secrecy important?
SSL Tunnels Introduction As you probably know, SSL protects data communications by encrypting all data exchanged between a client and a server using cryptographic algorithms. This makes it very difficult,
2014 IBM Corporation This is the 27 th Q&A event prepared by the IBM License Metric Tool Central Team (ICT) Currently we focus on version 9.x of IBM License Metric Tool (ILMT) The content of today s session
TS-800 Configuring SSH Client Software in UNIX and Windows Environments for Use with the SFTP Access Method in SAS 9.2, SAS 9.3, and SAS 9.4 dsas Table of Contents Overview... 1 Configuring OpenSSH Software
AppleÕs Security Architecture (ASA) Aram PŽrez Chief Security Architect aram@.com Apple Data Security Group Overview Apple Data Security Group Why provide a security architecture? Requirements Building
ENHANCING WEBSITE SECURITY WITH ALGORITHM AGILITY White Paper Enhancing Website Security with Algorithm Agility Enhancing Website Security with Algorithm Agility Contents Introduction 3 Encryption Today
Linux Operating System Security Kenneth Ingham and Anil Somayaji September 29, 2009 1 Course overview This class is for students who want to learn how to configure systems to be secure, test the security
Security Guide BlackBerry Enterprise Service 12 for ios, Android, and Windows Phone Version 12.0 Published: 2015-02-06 SWD-20150206130210406 Contents About this guide... 6 What is BES12?... 7 Key features
noway.toonux.com p3.7 10 noway.toonux.com 184.108.40.206 Debian Linux 0 CRITICAL 0 HIGH 5 MEDIUM 2 LOW Running Services Service Service Name Risk General Linux Kernel Medium 22/TCP OpenSSH 5.5p1 Debian 6+squeeze4
Enabling SSL and Client Certificates on the SAP J2EE Engine Angel Dichev RIG, SAP Labs SAP AG 1 Learning Objectives As a result of this session, you will be able to: Understand the different SAP J2EE Engine
Is Your SSL Website and Mobile App Really Secure? Agenda What is SSL / TLS SSL Vulnerabilities PC/Server Mobile Advice to the Public Hong Kong Computer Emergency Response Team Coordination Centre 香 港 電
Network Security Gaurav Naik Gus Anderson, Philadelphia, PA Lectures on Network Security Feb 12 (Today!): Public Key Crypto, Hash Functions, Digital Signatures, and the Public Key Infrastructure Feb 14:
Technical Note Secure File Transfer Installation Sender Recipient Attached FIles Pages Date Development Internal/External None 11 6/23/08 Overview This document explains how to install OpenSSH for Secure
SECOND EDITION NETWORK SECURITY HACKS 2008 AGI-Information Management Consultants May be used for personal purporses only or by libraries associated to dandelon.com network. Andrew Lockhart O'REILLY Beijing
Secure Shell (SSH) is an application and a protocol that provides a secure replacement to the Berkeley r-tools. The protocol secures sessions using standard cryptographic mechanisms, and the application
Ciphire Mail Technical Introduction Abstract Ciphire Mail is cryptographic software providing email encryption and digital signatures. The Ciphire Mail client resides on the user's computer between the
SSL/TLS EJ Jung 10/18/10 Authenticity of Public Keys Bob s key? private key Bob public key Problem: How does know that the public key she received is really Bob s public key? Distribution of Public Keys!
Encrypted File Transfer - Customer Testing V1.0 David Wickens McKesson CLASSIFICATION McKesson Technical Guidance Documentation: NOT PROTECTIVELY MARKED VERSION 1.0 SCOPE This guidance document is aimed
Authentication Applications will consider authentication functions developed to support application-level authentication & digital signatures will consider Kerberos a private-key authentication service
Sentora-paranoid version 1.0.1 by: Mario Rodríguez Somohano firstname.lastname@example.org Official web site: http://sentora-paranoid.open-source.tk Forum: http://forum.sentora-paranoid.open-source.tk
Authentication in a Heterogeneous Environment Integrating Linux (and UNIX and Mac) Identity Management in Microsoft Active Directory Mike Patnode VP of Technology Centrify Corporation email@example.com
Security - 1 - OPC UA - Security Security Access control Wide adoption of OPC SCADA & DCS Embedded devices Performance Internet Scalability MES Firewalls ERP Communication between distributed systems OPC
SSL Server Rating Guide version 2009j (20 May 2015) Copyright 2009-2015 Qualys SSL Labs (www.ssllabs.com) Abstract The Secure Sockets Layer (SSL) protocol is a standard for encrypted network communication.
system so that an unauthorized individual can take over an authorized session, or to disrupt service to authorized users. From a high-level standpoint, attacks on computer systems and networks can be grouped
Cryptelo Drive Cryptelo Drive is a virtual drive, where your most sensitive data can be stored. Protect documents, contracts, business know-how, or photographs - in short, anything that must be kept safe.
Cryptography and Network Security Chapter 14 Fifth Edition by William Stallings Lecture slides by Lawrie Brown Chapter 14 Key Management and Distribution No Singhalese, whether man or woman, would venture
Chapter 9: SSL and Certificate Services Page 1 of 9 Chapter 9: SSL and Certificate Services The most widespread concern with the Internet is not the limited amount of bandwidth or the occasional objectionable
Decryption Palo Alto Networks PAN-OS Administrator s Guide Version 6.0 Contact Information Corporate Headquarters: Palo Alto Networks 4401 Great America Parkway Santa Clara, CA 95054 www.paloaltonetworks.com/company/contact-us
Security+ Guide to Network Security Fundamentals, Third Edition Chapter 12 Applying Cryptography Objectives Define digital certificates List the various types of digital certificates and how they are used
CHAPTER 4 This chapter describes the steps required to configure a CSS as a virtual SSL server for SSL termination. It contains the following major sections: Overview of SSL Termination Creating an SSL
What s New in MySQL 5.7 Security Georgi Joro Kodinov Team Lead MySQL Server General Team Safe Harbor Statement The following is intended to outline our general product direction. It is intended for information
Software Version 9.0 Copyright Copyright 1996-2008. Finjan Software Inc. and its affiliates and subsidiaries ( Finjan ). All rights reserved. All text and figures included in this publication are the exclusive
Installation and usage of SSL certificates: Your guide to getting it right So, you ve bought your SSL Certificate(s). Buying your certificate is only the first of many steps involved in securing your website.
EXAM questions for the course TTM4135 - Information Security May 2013 Part 1 This part consists of 5 questions all from one common topic. The number of maximal points for every correctly answered question
WIRELESS LAN SECURITY FUNDAMENTALS Jone Ostebo November 2015 #ATM15ANZ @ArubaANZ Learning Goals Authentication with 802.1X But first: We need to understand some PKI And before that, we need a cryptography
Mandatory Knowledge Units 1.0 Core2Y 1.1 Basic Data Analysis The intent of this Knowledge Unit is to provide students with basic abilities to manipulate data into meaningful information. 1.1.1 Topics Summary
Chapter 2: Security Techniques Background Secret Key Cryptography Public Key Cryptography Hash Functions Authentication Chapter 3: Security on Network and Transport Layer Chapter 4: Security on the Application
SUSE Linux Enterprise Server 12 - OpenSSH Server Module v1.0 Version 1.1 Last Update: 2015-10-29 Prepared by: atsec information security corporation 9130 Jollyville Road, Suite 260 Austin, TX 78759 www.atsec.com
Security 5-1 Learning Objectives This module will help you... Understand the security infrastructure supported by JXTA Understand JXTA's use of TLS for end-to-end security 5-2 Highlights Desired security
Oracle Solaris Security: Mitigate Risk by Isolating Users, Applications, and Data Will Fiveash presenter, Darren Moffat author Staff Engineer Solaris Kerberos Development Safe Harbor Statement The following
White Paper IDENTITIES, ACCESS TOKENS, AND THE ISILON ONEFS USER MAPPING SERVICE Abstract The OneFS user mapping service combines a user s identities from different directory services into a single access
How to Time Stamp PDF and Microsoft Office 2010/2013 Documents with the Time Stamp Server Introduction Time stamping is an important mechanism for the long-term preservation of digital signatures, time
Lecture topics Cryptography basics Using SSL to secure communication links in J2EE programs Programmatic use of cryptography in Java Cryptography basics Encryption Transformation of data into a form that
CHAPTER 36 This chapter describes how to configure digital certificates and includes the following sections: Information About Digital Certificates, page 36-1 Licensing Requirements for Digital Certificates,
By Jan De Clercq Understanding and Leveraging SSL-TLS for Secure Communications ii Contents Chapter 2: Leveraging SSL/TLS for Secure Web Communications....... 21 Setting Up SSL/TLS on a Web Server..................................
Network security Part 2: protocols and systems (a) Authentication of public keys Università degli Studi di Brescia Dipartimento di Ingegneria dell Informazione 2014/2015 Asymmetric cryptosystems fundamental
NCP Secure Entry Mac Client Major Release 2.01 Build 47 May 2011 1. New Features and Enhancements Tip of the Day A Tip of the Day field for configuration tips and application examples is incorporated in
Secure Socket Layer Carlo U. Nicola, SGI FHNW With extracts from publications of : William Stallings. Abstraction: Crypto building blocks NS HS13 2 Abstraction: The secure channel 1., run a key-exchange
Internet Engineering Task Force (IETF) Request for Comments: 7568 Updates: 5246 Category: Standards Track ISSN: 2070-1721 R. Barnes M. Thomson Mozilla A. Pironti INRIA A. Langley Google June 2015 Deprecating
Presentation This module contains all the SSL definitions. See also the SSL Security Guidance Introduction The package SSL is a static library which implements an API to use the dynamic SSL library. It
Network Security - Secure upper layer protocols - Dr. John Keeney 3BA33 Question from last lecture: What s a birthday attack? might think a m-bit hash is secure but by Birthday Paradox is not the chance
SYSTEM ADMINISTRATION MTAT.08.021 LECTURE 8 SECURITY Prepared By: Amnir Hadachi and Artjom Lind University of Tartu, Institute of Computer Science firstname.lastname@example.org / email@example.com 1 OUTLINE 1.Is
CHAPTER 1 Note The information in this chapter applies to both the ACE module and the ACE appliance unless otherwise noted. The features in this chapter apply to IPv4 and IPv6 unless otherwise noted. Secure
Three attacks in SSL protocol and their solutions Hong lei Zhang Department of Computer Science The University of Auckland firstname.lastname@example.org Abstract Secure Socket Layer (SSL) and Transport Layer
User Guide Supplement S/MIME Support Package for BlackBerry Smartphones BlackBerry Pearl 8100 Series SWD-292878-0324093908-001 Contents Certificates...3 Certificate basics...3 Certificate status...5 Certificate
ver,1.0 Hardening and Securing Opengear Devices Copyright Opengear Inc. 2013. All Rights Reserved. Information in this document is subject to change without notice and does not represent a commitment on
National Security Agency Perspective on Key Management IEEE Key Management Summit 5 May 2010 Petrina Gillman Information Assurance (IA) Infrastructure Development & Operations Technical Director National
Configuration Guide FIPS 140 2 Revision A McAfee Firewall Enterprise 8.2.1 The McAfee Firewall Enterprise FIPS 140 2 Configuration Guide, version 8.2.1, provides instructions for setting up McAfee Firewall
OFFICE OF THE CONTROLLER OF CERTIFICATION AUTHORITIES TECHNICAL REQUIREMENTS FOR AUDIT OF CERTIFICATION AUTHORITIES Table of contents 1.0 SOFTWARE 1 2.0 HARDWARE 2 3.0 TECHNICAL COMPONENTS 2 3.1 KEY MANAGEMENT
Do Containers fully 'contain' security issues? A closer look at Docker and Warden. By Farshad Abasi, 2015-09-16 Overview What are Containers? Containers and The Cloud Containerization vs. H/W Virtualization
REPORT ON AUDIT OF LOCAL AREA NETWORK OF C-STAR LAB Conducted: 29 th March 5 th April 2007 Prepared By: Pankaj Kohli (200607011) Chandan Kumar (200607003) Aamil Farooq (200505001) Network Audit Table of
SE 4472 / ECE 9064 Information Security Week 11: Transport Layer Security (TLS): Putting it all together Fall 2015 Prof. Aleksander Essex Security at the Transport Layer Where we started in this course:
CMSC 355 Lab 3 : Penetration Testing Tools Due: September 31, 2010 In the previous lab, we used some basic system administration tools to figure out which programs where running on a system and which files
GL-550: Red Hat Linux Security Administration Course Length: 5 days Course Description: This highly technical course focuses on properly securing machines running the Linux operating systems. A broad range
Bugzilla ID: Bugzilla Summary: CAs wishing to have their certificates included in Mozilla products must 1) Comply with the requirements of the Mozilla CA certificate policy (http://www.mozilla.org/projects/security/certs/policy/)