"When you have crossed the river and have advanced a little further, some aged women weaving at the loom will beg you to lend a hand for a short
1 KERBEROS: the fierce watchdog of Haides, depicted as a three headed dog with a serpent's tail, a mane of snakes, and a lion's claws. "And before them a dreaded hound, on watch, who has no pity, but a vile stratagem: as people go in he fawns on all, with actions of his tail and both ears, but he will not let them go back out, but lies in wait for them and eats them up, when he catches any going back through the gates." Theogony
2 "Herakles asked Pluto for Kerberos, and was told to take the hound if he could overpower it without using any of the weapons he had brought with him. He found Kerberos at the gates of Akheron, and there, pressed inside his armour and totally covered by the lion's skin, he threw his arms round its head and hung on, despite bites from the serpent tail, until he convinced the beast with his choke hold. Then, with it in tow, he made his ascent through Troizen. After showing Kerberos to Eurystheus, he took it back to Hades' realm." Apollodorus
3 "When you have crossed the river and have advanced a little further, some aged women weaving at the loom will beg you to lend a hand for a short time. But you are not permitted to touch that either, for all these and many other distractions are part of the ambush which Venus will set to induce you to release one of the cakes from your hands. Do not imagine that the loss of a mere barley cake is a trivial matter, for if you relinquish either of them, the daylight of this world above will be totally denied you. Posted there is a massive hound with a huge, triple formed head. This monstrous, fearsome brute confronts the dead with thunderous barking, though his menaces are futile since he can do them no harm. He keeps constant guard before the very threshold and the dark hall of Proserpina, protecting that deserted abode of Dis. You must disarm him by offering him a cake as his spoils. Then you can easily pass him, and gain immediate access to Proserpina herself. When you have obtained what she gives you, you must make your way back, using the remaining cake to neutralize the dog's savagery." Apuleius
4 (Modern Times) Distributed authentication service. Allows a process (a client) running on behalf of a principal (a user) to prove its identity to a verifier (an application server, or just server) without sending data across the network that might allow an attacker or the verifier to subsequently impersonate the principal. Optionally provides integrity and confidentiality for the data sent between client and server. Encryption: the original versions used DES (V4 in PCBC mode, V5 initially in CBC mode); V5 negotiates the encryption type, and triple-DES and later AES (RFC 3961, RFC 3962) replaced single DES. Developed in the mid '80s as part of MIT's Project Athena. As its use spread to other environments, changes were needed to support new policies and patterns of use; to address these needs, the design of Version 5 of Kerberos was begun. Though V4 still runs at many sites, V5 is considered to be standard Kerberos.
5 Project Athena: Developed at MIT, started in 1983, with the cooperation (and funding) of DEC and IBM. Created a distributed, campus-wide computing environment that is still in use: it makes a workstation a thin client that downloads applications from servers as needed. Kerberos itself is based on the Needham-Schroeder protocol. Resulted in: Kerberos; the X Window System. Influenced: Active Directory (a directory service); LDAP (distributed directory services); instant messaging (Athena's Zephyr notification service).
6 Built upon the assumption that the network is "unsafe": data sent over the network can be eavesdropped on and altered, and addresses can be faked, so none of these can be relied on for authentication. Trusted third-party service: the Kerberos server is trusted by all the entities on the network (users and services, collectively called principals). Kerberos therefore cannot be used to authenticate to unknown or untrusted servers, say in the cloud, unless they are registered with (or in a realm trusted by) the Kerberos server. All principals share a secret password (or key) with the Kerberos server, which enables each principal to verify that messages from the Kerberos server are authentic. Thus, by trusting the Kerberos server, users and services can authenticate each other.
7 Notation:
C: client
V: server
C@addr: network address of the client
K@{C}: secret key of the client, known to the Authentication Server
K@{V}: secret key of the server, known to the Authentication Server
K@{C,V}: session key for secure client/server communication
Ticket@{C,V}: ticket issued to the client to send to the server; contains the session key, a timestamp, a lifetime and the client's address
The client's secret key is derived from the client's password by a hash or key-scheduling (string-to-key) algorithm; the server's secret key is chosen at random.
8 Principals use tickets to prove that they are who they claim to be. Example: client C wishes to use service V.
1. C sends a ticket request to the Authentication Server (AS).
2. The AS builds Ticket@{C,V} = (K@{C,V}, time, lifetime, C@addr) and returns to C: {{Ticket@{C,V}}K@{V}, V, time, K@{C,V}, lifetime}k@{c}. The ticket is encrypted under V's key, so C can forward it but neither read nor alter it. (In the V5 message layout the encrypted ticket is sent alongside the client-encrypted part rather than inside it, as in the message list of slide 21.)
9 3. Before sending a message to V, C creates an authenticator consisting of C's name, C's address, the current time and a nonce chosen by C, all encrypted with the session key: {C, C@addr, time, nonce}k@{c,v}. The authenticator is sent together with the ticket to V. V decrypts the ticket using V's secret key and takes the session key from it; V uses the session key to decrypt the authenticator; V compares the contents of the ticket (name, address) with those of the authenticator; V checks the timestamp (it must lie within the allowed clock skew) and the nonce to prevent a replay attack. If everything matches, V considers C properly authenticated.
10 4. Mutual authentication (optional): the server extracts C's timestamp from the authenticator of step 3 and returns it to C encrypted with the session key: {time}k@{c,v}. The session key was inside a ticket encrypted under K@{V}, so only a party holding V's secret key could have recovered it and produced this reply; provided the Kerberos server itself is trustworthy, C now knows it is talking to the genuine V.
11-14 Obtaining additional tickets: The protocol allows a client that knows the user's password to obtain a ticket and session key for, and prove its identity to, any server registered with the authentication server. Should the user's password be presented each time the user authenticates to a new server? That is cumbersome; instead the system should support single sign-on, where the user logs in once, providing the password at that time, and subsequent authentications happen automatically. The obvious way to support this is to cache the user's password on the workstation, which is dangerous: a ticket and key are valid only for a short time, but a stolen password can be used to obtain new tickets and to impersonate the user until the password is changed.
15-18 Obtaining additional tickets: Better approach: cache only tickets and encryption keys (collectively called credentials) that are valid for a limited period (typically on the order of 8 hours). This is how Kerberos does it. When the user first logs in, an authentication request is issued and the authentication server returns a ticket and session key for the ticket granting service. This ticket, the ticket granting ticket (TGT), has a relatively short life (about 8 hours). The response is decrypted, the ticket and session key are saved, and the user's password is forgotten; what an attacker can steal from the workstation is then bounded by the lifetime of the cached credentials.
19-20 Obtaining additional tickets: Subsequently, when the user wishes to prove its identity to a new server, a new ticket is requested from the ticket granting service (usually the same server that acts as AS) using the ticket granting exchange. The ticket granting exchange is identical to the authentication exchange except that the ticket granting request has embedded within it an application request (the TGT plus an authenticator) authenticating the client to the ticket granting service, and the ticket granting response is encrypted using the session key from the ticket granting ticket rather than a key derived from the user's password.
21 Message flow (messages 1 and 2 only on first login):
1. C -> AS: [C, TGS, time, nonce]
2. AS -> C: [{K@{C,TGS}, TGS, time, nonce}k@{c}, {Ticket@{C,TGS}}K@{TGS}]
3. C -> TGS: [{C, C@addr, time, nonce}k@{c,tgs}, {Ticket@{C,TGS}}K@{TGS}, V, time, nonce]
4. TGS -> C: [{K@{C,V}, V, time, nonce}k@{c,tgs}, {Ticket@{C,V}}K@{V}]
5. C -> V: [{time, nonce, Ksubsession}K@{C,V}, {Ticket@{C,V}}K@{V}] (the authenticator may carry an optional sub-session key)
6. V -> C: [{time}k@{c,v}] (optional mutual authentication)
22 Cross-realm authentication: Assume interorganizational communication, so users will not be registered with the same authentication server. Realm: an authentication server together with its registered users and services. Cross-realm authentication: a principal of one realm proves its identity to an authentication server of another realm. The client first obtains a cross-realm ticket for the other realm's TGS (the two realms share a key, so the home TGS can issue a ticket that the remote TGS can decrypt):
23-32 [Diagram: cross-realm authentication. On the left, client C with its home realm's servers ASC (authentication server) and TSC (ticket granting server); on the right, several foreign realms, each with its own ASV/TSV pair, one of which holds the target service V. Step captions as read off the slides:]
1. C requests a ticket for V from its home realm.
2-3. "Is V in your domain?" is passed from realm to realm.
4-5. Looking for V's authentication server.
6-10. A session key for TSv (a cross-realm ticket-granting ticket) is sent back along the chain to C.
11. C requests a ticket for V from TSv.
33-36 Limitations: Kerberos must be integrated with other parts of the system. It does not protect all messages sent between two computers: only messages from software that has been written or modified to use it ("kerberized" applications). While it may be used to exchange encryption keys when establishing link encryption (encryption/decryption on each communication line) and network-level security services, this would require changes to the network software of the hosts involved. Kerberos does not itself provide authorization, but V5 Kerberos passes authorization information generated by other services (the ticket's authorization-data field; Active Directory's PAC, carrying group membership, travels this way). In this manner Kerberos can be used as a base for building separate distributed authorization services.
37-38 Attacks: Password guessing. Kerberos is not effective against password-guessing attacks: if a user chooses a poor password, an attacker who guesses it can impersonate the user. Worse, because the AS reply is encrypted under a key derived from the password, an attacker who captures one reply can test guesses offline, without further contact with the Kerberos server. Password theft. Kerberos requires a trusted path through which passwords are entered. If the user enters the password into a program that has already been modified by an attacker (a Trojan horse), or if the path between the user and the initial authentication program can be monitored, then an attacker may obtain enough information to impersonate the user.
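The password-guessing point above, carried through as an added example that is not code from the lecture or from any Kerberos implementation: the reply format (iv, ciphertext, HMAC-SHA256 tag under a PBKDF2-derived key), the principals bob and carol, their passwords and the five-word list are all constructed here as stand-ins for a real encryption type and a real wordlist.

```python
"""Offline dictionary attack on a captured Kerberos AS reply. Added example with a toy message format."""
import hashlib, hmac, os

def string_to_key(password, principal):
    # the long-term key is a deterministic function of the password, so it is guessable if the password is
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 10_000, 32)

def captured_as_reply(password, principal):
    """What a sniffer (or, without pre-authentication, anyone who asks the KDC) obtains: the encrypted
    part of the AS reply for `principal`, sealed under that principal's password-derived key."""
    key, iv, ct = string_to_key(password, principal), os.urandom(16), os.urandom(48)
    return iv + ct + hmac.new(key, iv + ct, hashlib.sha256).digest()  # ct stands for {K@{C,TGS}, ...}

def guess_password(reply, principal, wordlist):
    """Try candidates offline: a correct guess verifies the tag (in real Kerberos it yields a
    well-formed plaintext). No further contact with the KDC, so no lockout or rate limit applies."""
    body, tag = reply[:-32], reply[-32:]
    for cand in wordlist:
        if hmac.compare_digest(hmac.new(string_to_key(cand, principal), body, hashlib.sha256).digest(), tag):
            return cand
    return None

WORDLIST = ["password", "letmein", "Winter2024", "athena", "kerberos1"]   # constructed sample list

def demo():
    weak = guess_password(captured_as_reply("athena", "bob"), "bob", WORDLIST)            # "athena"
    strong = guess_password(captured_as_reply("x7Qp-93!vRf", "carol"), "carol", WORDLIST)  # None
    return weak, strong
```

Note what the loop does not do: it never talks to the Kerberos server again, so the cost per guess is just the string-to-key function and nothing on the server side can notice. V5 pre-authentication removes the variant in which the attacker simply asks the KDC for anyone's AS reply (the KDC will not answer until the client proves knowledge of the key), but a captured pre-authentication timestamp or AS reply can still be guessed against; the remaining defences are strong passwords, random keys in keytabs for service principals, and FAST (RFC 6113) or PKINIT (RFC 4556), which keep the password-derived key out of the observable exchange.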
39-40 Attacks: Impersonating C. An impostor I could capture the authenticator and the ticket as they are transmitted across the network and use them to impersonate C. The address in the ticket and the authenticator was added to make this attack harder: to succeed, I must either use the same machine as C or spoof the source address of its packets. Because the authenticator carries a timestamp, I has only a short window (the allowed clock skew) in which to mount the attack. Impersonating V. I can take over V's network address; when C sends its credentials, I simply pretends to verify them. Without mutual authentication, C cannot tell that it is talking to I rather than to V.
41-43 Defenses: Replay cache (in Kerberos V5). Save the authenticators received during the last few minutes (the clock-skew window) so that V can detect when someone retransmits an already used message. Somewhat impractical (mostly regarding efficiency), although MIT's implementation does keep such a cache. Mutual authentication. To authenticate V, C requires V to send back something that proves V holds the session key; for example, the checksum (or timestamp) from C's authenticator plus one (V4 style), or the timestamp itself encrypted under the session key (V5). Message integrity and confidentiality. The session key is used to add cryptographic checksums to the messages sent between C and V, and encryption can be added as well. This is probably the best approach in all cases, since it ties every subsequent message to the authenticated session rather than protecting only the initial exchange.
CS 361S - Network Security and Privacy Spring 2014 Homework #1 Due: 11am CST (in class), February 11, 2014 YOUR NAME: Collaboration policy No collaboration is permitted on this assignment. Any cheating
More informationBlackBerry Enterprise Service 10. Secure Work Space for ios and Android Version: 10.1.1. Security Note
BlackBerry Enterprise Service 10 Secure Work Space for ios and Android Version: 10.1.1 Security Note Published: 2013-06-21 SWD-20130621110651069 Contents 1 About this guide...4 2 What is BlackBerry Enterprise
More informationSecure cloud access system using JAR ABSTRACT:
Secure cloud access system using JAR ABSTRACT: Cloud computing enables highly scalable services to be easily consumed over the Internet on an as-needed basis. A major feature of the cloud services is that
More informationRemote Administration
Windows Remote Desktop, page 1 pcanywhere, page 3 VNC, page 7 Windows Remote Desktop Remote Desktop permits users to remotely execute applications on Windows Server 2008 R2 from a range of devices over
More informationContents. Identity Assurance (Scott Rea Dartmouth College) IdM Workshop, Brisbane Australia, August 19, 2008
Identity Assurance (Scott Rea Dartmouth College) IdM Workshop, Brisbane Australia, August 19, 2008 Contents Authentication and Identity Assurance The Identity Assurance continuum Plain Password Authentication
More informationDashlane Security Whitepaper
Dashlane Security Whitepaper November 2014 Protection of User Data in Dashlane Protection of User Data in Dashlane relies on 3 separate secrets: The User Master Password Never stored locally nor remotely.
More information10.2 World Wide Web Security S-HTTP (secure hypertext transfer protocol) SEA (security extension architecture)
Contents 1 / 55 10.1 Kerberos Kerberos V4 Kerberos V5 10.2 World Wide Web Security S-HTTP (secure hypertext transfer protocol) SEA (security extension architecture) Kerberos V4 / Contents 2 / 55 Kerberos
More informationHow To Protect Your Data From Being Hacked On A Network (Kerberos) On A Pc Or Mac Or Ipad (Ipad) On An Ipad Or Ipa (Networking) On Your Computer Or Ipam (Network
Introduction to Network Security, Authentication Applications Information: is defined as knowledge obtained from investigation, Study or Instruction, Intelligence, news, facts, data, a Signature or Character
More informationIceWarp Server - SSO (Single Sign-On)
IceWarp Server - SSO (Single Sign-On) Probably the most difficult task for me is to explain the new SSO feature of IceWarp Server. The reason for this is that I have only little knowledge about it and
More informationEnhanced Cloud Security through KFAC
Enhanced Cloud Security through KFAC Mahesh S Darak, Dr. N. K. Deshmukh Assistant Professor, School of Computational Sciences, S. R. T. M. University, Nanded, Maharashtra, India ABSTRACT: The current era
More informationThe Feasibility and Application of using a Zero-knowledge Protocol Authentication Systems
The Feasibility and Application of using a Zero-knowledge Protocol Authentication Systems Becky Cutler Rebecca.cutler@tufts.edu Mentor: Professor Chris Gregg Abstract Modern day authentication systems
More informationWhy you need secure email
Why you need secure email WHITE PAPER CONTENTS 1. Executive summary 2. How email works 3. Security threats to your email communications 4. Symmetric and asymmetric encryption 5. Securing your email with
More informationChapter 9 Key Management 9.1 Distribution of Public Keys 9.1.1 Public Announcement of Public Keys 9.1.2 Publicly Available Directory
There are actually two distinct aspects to the use of public-key encryption in this regard: The distribution of public keys. The use of public-key encryption to distribute secret keys. 9.1 Distribution
More informationKerberos-Based Authentication for OpenStack Cloud Infrastructure as a Service
Kerberos-Based Authentication for OpenStack Cloud Infrastructure as a Service Sazzad Masud and Ram Krishnan University of Texas at San Antonio Sazzad.Masud@gmail.com, Ram.Krishnan@utsa.edu Abstract Cloud
More informationPart 2 D(E(M, K),K ) E(M, K) E(M, K) Plaintext M. Plaintext M. Decrypt with private key. Encrypt with public key. Ciphertext
Part 2 Plaintext M Encrypt with public key E(M, K) Ciphertext Plaintext M D(E(M, K),K ) Decrypt with private key E(M, K) Public and private key related mathematically Public key can be published; private
More informationBypassing Local Windows Authentication to Defeat Full Disk Encryption. Ian Haken
Bypassing Local Windows Authentication to Defeat Full Disk Encryption Ian Haken Who Am I? Currently a security researcher at Synopsys, working on application security tools and Coverity s static analysis
More informationHow To Protect Your Email From Being Hacked On A Pc Or Mac Or Ipa From Being Stolen On A Network (For A Free Download) On A Computer Or Ipo (For Free) On Your Pc Or Ipom (For An Ipo
The Case for Email Security secure, premium by Erik Kangas, President, Lux Scientiae Section 1: Introduction to Email Security You may already know that email is insecure; however, it may surprise you
More informationA Server and Browser-Transparent CSRF Defense for Web 2.0 Applications. Slides by Connor Schnaith
A Server and Browser-Transparent CSRF Defense for Web 2.0 Applications Slides by Connor Schnaith Cross-Site Request Forgery One-click attack, session riding Recorded since 2001 Fourth out of top 25 most
More informationCUNSHENG DING HKUST, Hong Kong. Computer Security. Computer Security. Cunsheng DING, HKUST COMP4631
Cunsheng DING, HKUST Lecture 08: Key Management for One-key Ciphers Topics of this Lecture 1. The generation and distribution of secret keys. 2. A key distribution protocol with a key distribution center.
More informationThe Case For Secure Email
The Case For Secure Email By Erik Kangas, PhD, President, Lux Scientiae, Incorporated http://luxsci.com Contents Section 1: Introduction Section 2: How Email Works Section 3: Security Threats to Your Email
More informationSecuring Session Initiation Protocol for VOIP Services
Securing Session Initiation Protocol for VOIP Services Amina.M.Elmahalwy Information Technology Dept. Faculty of Computers and Information, Menoufia University, Egypt Wail.S.Elkilani Computer Systems Dept.
More informationApache Milagro (incubating) An Introduction ApacheCon North America
Apache Milagro (incubating) An Introduction ApacheCon North America Apache Milagro will establish a new independent security framework for the Internet A Distributed Cryptosystem Secure the Future of the
More informationWhat is Web Security? Motivation
brucker@inf.ethz.ch http://www.brucker.ch/ Information Security ETH Zürich Zürich, Switzerland Information Security Fundamentals March 23, 2004 The End Users View The Server Providers View What is Web
More informationNetwork Security Standards. Key distribution Kerberos SSL/TLS
Network Security Standards Key distribution Kerberos SSL/TLS 1 Many-to-Many Authentication? Users Servers How do users prove their identities when requesting services from machines on the network? Naïve
More informationWeb and Email Security 1 / 40
Web and 1 / 40 Untrusted Clients Repeat: Untrusted Clients Server-Side Storage Cryptographic Sealing Hidden Values Cookies Protecting Data Sidebar: Cookies and JavaScript Cross-Site Scripting (XSS) Why
More informationWHITE PAPER Usher Mobile Identity Platform
WHITE PAPER Usher Mobile Identity Platform Security Architecture For more information, visit Usher.com info@usher.com Toll Free (US ONLY): 1 888.656.4464 Direct Dial: 703.848.8710 Table of contents Introduction
More informationCHAPTER 1 INTRODUCTION
1 CHAPTER 1 INTRODUCTION 1.1 Introduction Cloud computing as a new paradigm of information technology that offers tremendous advantages in economic aspects such as reduced time to market, flexible computing
More informationName: 1. CSE331: Introduction to Networks and Security Fall 2003 Dec. 12, 2003 1 /14 2 /16 3 /16 4 /10 5 /14 6 /5 7 /5 8 /20 9 /35.
Name: 1 CSE331: Introduction to Networks and Security Final Fall 2003 Dec. 12, 2003 1 /14 2 /16 3 /16 4 /10 5 /14 6 /5 7 /5 8 /20 9 /35 Total /135 Do not begin the exam until you are told to do so. You
More informationCS 494/594 Computer and Network Security
CS 494/594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010 1 Exercise: Chapters 13, 15-18 18 1. [Kaufman] 13.1
More informationUse Enterprise SSO as the Credential Server for Protected Sites
Webthority HOW TO Use Enterprise SSO as the Credential Server for Protected Sites This document describes how to integrate Webthority with Enterprise SSO version 8.0.2 or 8.0.3. Webthority can be configured
More informationSENSE Security overview 2014
SENSE Security overview 2014 Abstract... 3 Overview... 4 Installation... 6 Device Control... 7 Enrolment Process... 8 Authentication... 9 Network Protection... 12 Local Storage... 13 Conclusion... 15 2
More informationSmart Card Authentication. Administrator's Guide
Smart Card Authentication Administrator's Guide October 2012 www.lexmark.com Contents 2 Contents Overview...4 Configuring the applications...5 Configuring printer settings for use with the applications...5
More informationTaming the beast : Assess Kerberos-protected networks
Taming the beast : Assess Kerberos-protected networks [ Work in progress Black Hat EU 2009] Emmanuel Bouillon Commissariat à l'energie Atomique, Centre DAM-Île de France, Bruyères-le-Châtel 91297 Arpajon
More informationKey Management (Distribution and Certification) (1)
Key Management (Distribution and Certification) (1) Remaining problem of the public key approach: How to ensure that the public key received is really the one of the sender? Illustration of the problem
More informationBasic network security threats
Basic network security threats Packet sniffing Packet forgery (spoofed from address) DNS spoofing wrong IP address for hostname Assume bad guy controls network - Can read all your packets - Can tamper
More informationMitigating Server Breaches with Secure Computation. Yehuda Lindell Bar-Ilan University and Dyadic Security
Mitigating Server Breaches with Secure Computation Yehuda Lindell Bar-Ilan University and Dyadic Security The Problem Network and server breaches have become ubiquitous Financially-motivated and state-sponsored
More informationAuthentication, Protocols, Passwords
Authentication, Protocols, Passwords CS 594 Special Topics/Kent Law School: Computer and Network Privacy and Security: Ethical, Legal, and Technical Consideration Prof. Sloan s Slides 2007, 2008 Robert
More informationPrinciples of Network Security
he Network Security Model Bob and lice want to communicate securely. rudy (the adversary) has access to the channel. lice channel data, control s Bob Kai Shen data secure sender secure receiver data rudy
More information