Attacks on the Internet Trust Fabric
1 Attacks on the Internet Trust Fabric
The Impact to Enterprise Trust
2 About DigiCert / Table of Contents
Slide  Title
3      Recent Attacks On Certification Authorities
4      Why Attack CAs?
9      Proposed Solutions to Mitigate Attacks
18     DigiCert Your Trust Partner
19     Who Uses DigiCert?
20     Testimonials
22     Features & Innovations
23     Products
25     Managed PKI
26     Promotional Code
3 Recent Attacks On Certification Authorities
- Comodo, Mar 2011: Multiple RA breaches; mis-issuance of at least 9 certificates. Italian & Brazilian RAs were targeted.
- StartCom, Jun 2011: Breach of server; no certificates mis-issued. Result: DoS of services to StartCom customers.
- DigiNotar, Jul 2011 (didn't disclose until Aug 2011): Major breach; 500+ certs issued, caused by poor security. CA now out of business.
- GlobalSign, Sept 2011: Breach of server, but no certificates were mis-issued.
- DigiCert Malaysia (no relationship to the US company), Oct 2011: Issued certificates with weak keys, lacking the extensions needed to revoke them. Bad certs were re-purposed to sign malware. CA certificate was revoked.
- KPN (Dutch CA related to DigiNotar), Nov 2011: Breach of server; no certificates mis-issued. Result: DoS of services to KPN customers.
4 Why Attack CAs?
- There are a number of CA Trust Anchor (TA) certificates that come pre-installed in various applications and are trusted to perform various security tasks:
  - Verify the identity of web sites, establish secure connections, encrypt data to/from them
  - Verify the identity of software makers, applications or plug-ins given kernel-level privileges, i.e. trusted extensions of the Operating System
  - Verify the identity of individuals, or the source/destination of communications/data
- Many applications trust the set of pre-installed TAs in the underlying Operating System
- Depending on which application on which operating system you are using, there may be a different set of TAs to contend with
- The original architecture for TAs was aimed at having/dealing with just around 100 of these, yet currently many platforms have several hundred pre-installed
5 Why Attack CAs?
- Not only are there TAs that must be trusted, but any subordinate CA to a TA must also be trusted
- There are various methods (platform specific) for how these sub-CAs are managed
- For an application to trust a credential, it must be issued by an authority (a TA, or a sub-CA that chains back to a TA) that is trusted for the intended purpose by the OS
  - Warnings are given to the user when this is not the case
- Attackers are trying to get control of a credential issued by a trusted CA so that unsuspecting users can be fooled into trusting a transaction that comes from a malicious source, without getting any warnings
6 Why Attack CAs?
- PKI certificates are only ½ of the equation
- When creating a request, you generate a key pair: a private key and a public key
- Public keys are embedded into the certificate, but private keys MUST be secured, because that is how you prove you are the one authorized behind the public certificate that represents you
- Instead of attacking a web site directly to try to gain access to its private key, and thus impersonate you and be trusted just as if they were you, an attack is more efficient if it can target the issuing CA directly
  - This allows the attacker to generate as many keys as it wants and submit them to a trusted CA, as long as they can convince the CA that they are really you
  - Instead of just one domain compromise resulting from the attack, they can potentially get many for the price of one
7 Why Attack CAs?
- Not all CAs are created equal
- Out of the many hundreds of CAs trusted as TAs for an application, some perform better than others in protecting their customers, with better processes and more secure systems
- As evidenced earlier, attackers are targeting lots of different CAs, looking for any weaknesses they can exploit
- One issue identified with the current TA system is that all CAs are typically treated as equally trusted, when in fact they should not be, and are not
- An important decision for service owners is to choose a CA that is more secure, more trusted, and less likely to be compromised
8 Overhaul the whole CA system?
Some folks are calling for an overhaul of the entire CA system:
- To eliminate the weakest-link issue
- To standardize the processes used in identity verification and issuance
- To be able to represent TAs as having differing levels of trust for different purposes (rather than one size fits all)
- To be better able to manage the TAs and the certificates that are issued by them
9 Proposed Solutions to Mitigate Attacks
- DANE
- Convergence
- Perspectives
- MECAI (Mutually Endorsing CA Infrastructure)
- CA Pinning
- CAA Record in DNSSEC
- Sovereign Keys
- HSTS Pinning
- Minimum Identification/Issuance Requirements
10 DANE
DANE see -
Overview: DANE stands for DNS-based Authentication of Named Entities and is actually an IETF working group item. The basis of the DANE approach is to leverage signed DNS entries (DNSSEC) to make some inferences about the legitimate certificates, or potentially just keys, that are protecting web sites. If a certificate (or public key) is seen by a client (e.g. a browser) that isn't consistent with the DANE record, it can be treated with suspicion. This will help eliminate Man-In-The-Middle (MITM) attacks, and can also facilitate elimination of false issuance problems from the set of authorized CAs.
An issue with DANE relying upon DNSSEC is that DNSSEC only provides integrity checks on source data and not authentication of that data. It also potentially moves the responsibility for web site security into the span of control of DNS operators, who typically have not needed to deal with security elements.
11 Perspectives
Perspectives see -
Overview: This is a project that began around 2008 at Carnegie Mellon. The objective was to improve the security of "trust on first use" (TOFU) services, e.g. typical SSH connections or (relevant to the SSL industry) browser-based SSL connections using self-signed certificates. The idea is to reduce Man-In-The-Middle (MITM) attacks in these scenarios by not letting an attacker inject an untrusted key at that critical first-use point. Using a set of distributed notary servers, one is able to get a "perspective" of what key was expected from the target service from a number of different locations, and over time. This reduces the vulnerability to localized attacks (the typical attack vector of most MITM) by exposing them with the broad "perspective" required for consensus by multiple notaries.
12 Convergence
Convergence see -
Overview: This is a project started by security researcher Moxie Marlinspike and announced at this year's Black Hat conference; it is based on previous work from the Perspectives Project as detailed previously. This project, however, is aimed squarely at replacing the existing SSL CA system; that is its stated goal. Similar to the Perspectives strategy, Convergence authenticates connections by contacting external notaries, but unlike the Carnegie-based notaries, Convergence notaries can also use a number of different strategies beyond network perspective in order to reach a verdict; it calls this extensible trust agility. Technologies touted as additional mechanisms within the system that might allow a trust decision to "converge" are DNSSEC, BGP data, "SSL Observatory" results, or even the existing CA validation system it seeks to subvert. Another difference from Perspectives is that ANYONE can run a Convergence notary; there is no notary authority, and it is a much more flexible mechanism (in terms of operations and configurability) for managing trust.
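The notary consensus that the Perspectives and Convergence slides describe, modelled in Python as an added example (not code from either project): each notary reports the key history it has seen for the service, and the client accepts the presented key only when a quorum of notaries has seen that same key for at least a quorum duration, which is what exposes a localized MITM. The notary data and fingerprints are constructed, and Convergence's extra verifiers (DNSSEC, BGP data, SSL Observatory) are left out.

```python
from datetime import datetime, timedelta

# Constructed sample data, not real notary output. Each notary lists the key
# fingerprints it has observed for the target service as (fingerprint,
# first_seen, last_seen) spans, oldest first. Fingerprints are placeholders.
SAMPLE_NOTARIES = {
    "notary-1.example": [("fp:KEY-A", datetime(2011, 3, 1), datetime(2011, 11, 10))],
    "notary-2.example": [("fp:KEY-A", datetime(2011, 2, 14), datetime(2011, 11, 10))],
    "notary-3.example": [("fp:KEY-A", datetime(2011, 4, 2), datetime(2011, 11, 9))],
    # A notary whose own network path to the site was tampered with recently:
    "notary-4.example": [("fp:KEY-A", datetime(2011, 3, 1), datetime(2011, 11, 8)),
                         ("fp:KEY-X", datetime(2011, 11, 9), datetime(2011, 11, 10))],
}
NOW = datetime(2011, 11, 10)


def notary_agrees(history, presented_fp, now, quorum_duration):
    """One notary agrees if its latest observation is the presented key AND it
    has seen that key continuously for at least quorum_duration."""
    if not history:
        return False
    fp, first_seen, _last_seen = history[-1]
    return fp == presented_fp and now - first_seen >= quorum_duration


def consensus(notaries, presented_fp, now, quorum, quorum_duration):
    """Return (accept, agreeing_notaries). The key is accepted only when at
    least `quorum` notaries agree; anything less is flagged as a possible MITM."""
    agreeing = sorted(name for name, history in notaries.items()
                      if notary_agrees(history, presented_fp, now, quorum_duration))
    return len(agreeing) >= quorum, agreeing


def check_presented_key(presented_fp, quorum=3, quorum_duration_days=7,
                        notaries=SAMPLE_NOTARIES, now=NOW):
    """Convenience wrapper over consensus() using the sample data and a fixed clock."""
    return consensus(notaries, presented_fp, now, quorum,
                     timedelta(days=quorum_duration_days))


if __name__ == "__main__":
    # Genuine key: three of four notaries have seen it for months -> accepted.
    print("KEY-A:", check_presented_key("fp:KEY-A"))
    # Key injected near the client: at most one notary has seen it, and only for a
    # day, so it fails both the quorum and the duration test -> flagged.
    print("KEY-X:", check_presented_key("fp:KEY-X"))
    # Caveat: a legitimate key rotation looks the same until the new key has aged
    # past quorum_duration at enough notaries; relaxing both parameters shows why.
    print("KEY-X, quorum 1, no ageing:", check_presented_key("fp:KEY-X", 1, 0))
```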
13 Mutually Endorsing CA Infrastructure
MECAI see -
Overview: The MECAI system makes use of Vouching Servers (VS), in which a CA that did NOT issue the certificate in question acts as a Vouching Authority (VA) for others. Similar to the Perspectives and Convergence strategy, MECAI authenticates connections by contacting external notaries (the VS), but unlike the previously proposed notary systems, MECAI notaries MUST actually be other CAs. When a client connects to a server, the client may pick a vouching CA (or a list of candidate vouching CAs) that it trusts. A VS is required to keep a list of the currently accepted root CA certificates (trust anchors) as accepted by each of the Trust Lists the VA supports. A VS is required to be in active human contact with the people that maintain the various Trust Lists.
14 CA Pinning
CA Pinning / HSTS Pinning / CAA record in DNSSEC / Sovereign Keys
Overview: Sites may also want to restrict the CAs who can issue certificates for their domain to one or a few that they trust. This can be accomplished via a list of certificate fingerprints/names/keys that are exclusively allowed to act as trust anchors for a given domain. This list can be included in site-specific HTML or HSTS headers, or in a DNS record served up over DNSSEC.
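The two certificate-matching checks from the DANE slide and this pinning slide, worked through in Python as an added example (not code from DigiCert, the DANE working group or any browser): the site owner derives TLSA association data from its certificate (selector and matching type as defined in RFC 6698) and the client matches the presented certificate against it, and a pin set of SPKI hashes is checked against a presented chain. The certificate is a constructed, unsigned sample built with a tiny DER encoder; the TLSA certificate-usage field, chain building and DNSSEC validation are out of scope.

```python
import base64
import hashlib


def _der_read(buf, pos):
    """Parse one DER TLV starting at buf[pos]; return (tag, content, end_offset)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _der_children(content):
    """Yield (tag, whole_tlv_bytes, inner_content) for each element of a SEQUENCE."""
    pos = 0
    while pos < len(content):
        tag, inner, end = _der_read(content, pos)
        yield tag, content[pos:end], inner
        pos = end


def extract_spki(cert_der):
    """Return the DER subjectPublicKeyInfo of an X.509 certificate.
    tbsCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }"""
    _, cert_body, _ = _der_read(cert_der, 0)       # outer Certificate SEQUENCE
    _, _, tbs = next(_der_children(cert_body))     # first element: tbsCertificate
    fields = list(_der_children(tbs))
    if fields[0][0] == 0xA0:                       # skip EXPLICIT [0] version if present
        fields = fields[1:]
    return fields[5][1]                            # sixth field is the SPKI


def tlsa_record(cert_der, selector, matching_type):
    """Site side: the certificate association data published in the TLSA record.
    selector 0 = full certificate, 1 = SubjectPublicKeyInfo only;
    matching_type 0 = exact bytes, 1 = SHA-256, 2 = SHA-512 (RFC 6698 values)."""
    subject = cert_der if selector == 0 else extract_spki(cert_der)
    if matching_type == 0:
        return subject
    if matching_type == 1:
        return hashlib.sha256(subject).digest()
    if matching_type == 2:
        return hashlib.sha512(subject).digest()
    raise ValueError("unknown TLSA matching type %r" % matching_type)


def tlsa_matches(cert_der, selector, matching_type, assoc_data):
    """Client side: does the certificate presented in the handshake match the record?"""
    return tlsa_record(cert_der, selector, matching_type) == assoc_data


def spki_pin(cert_der):
    """Public-Key-Pins style pin value: base64(SHA-256(SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(extract_spki(cert_der)).digest()).decode()


def chain_pinned(chain_der, pin_set):
    """Pin check passes when any certificate in the presented chain carries a pinned key."""
    return any(spki_pin(c) in pin_set for c in chain_der)


def _der(tag, content):
    """Minimal DER TLV encoder used only to build the constructed sample."""
    n = len(content)
    hdr = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + hdr + content


def make_sample_cert(key_bytes):
    """Constructed sample: an X.509-shaped, unsigned certificate with dummy names.
    Returns (certificate_der, spki_der)."""
    sig_alg = _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSAEncryption
    rsa_alg = _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01"))  # rsaEncryption
    name = _der(0x30, b"")                                                     # empty Name
    validity = _der(0x30, _der(0x17, b"220101000000Z") + _der(0x17, b"230101000000Z"))
    spki = _der(0x30, rsa_alg + _der(0x03, b"\x00" + key_bytes))               # BIT STRING, 0 unused bits
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")     # version v3, serial 1
               + sig_alg + name + validity + name + spki)
    return _der(0x30, tbs + sig_alg + _der(0x03, b"\x00" * 17)), spki          # dummy signature


if __name__ == "__main__":
    site_cert, _ = make_sample_cert(b"\x01" * 32)
    rogue_cert, _ = make_sample_cert(b"\x02" * 32)  # same name, key from a mis-issued cert
    record = tlsa_record(site_cert, 1, 1)           # what the site owner publishes
    print("genuine cert matches TLSA:", tlsa_matches(site_cert, 1, 1, record))
    print("rogue cert matches TLSA:  ", tlsa_matches(rogue_cert, 1, 1, record))
    print("rogue chain passes pins:  ", chain_pinned([rogue_cert], {spki_pin(site_cert)}))
```

A mis-issued certificate from any of the breached CAs on slide 3 would carry a different key and fail both checks even though it chains to a trusted TA.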
15 CA Common Requirements
- Another approach to mitigating attacks on CAs is to implement a common set of requirements on any CA that is trusted as a TA
- EV standards already exist, as published by the CAB Forum, for high assurance in e-commerce transactions
  - EV certificates are identified as higher-assurance controls in browsers: Green Bar or equivalent recognition in browsers
- CAB Forum has drafted a new set of Basic Requirements for Internet CAs
  - BR certificates will become a new minimum requirement for TAs from July 2012
16 CABF Basic Requirements
12 Commandments for BR:
- Minimum standards in validation of certificate information
- RA audit requirements (applicable where the RA can cause cert issuance)
- Sunset date for 5-year certificates
- CAs are required to provide a notice to applicants that the use of certificates containing an internal (NetBIOS) name has been deprecated. CAs are not allowed to issue certificates with internal names that have an expiration date after Nov 1, 2015. On October , all CAs are required to revoke certificates with internal names.
- Elimination of issuance directly from a root cert
- Mandatory OCSP
- Mandatory background checks on employees and sub-contractors (including RAs)
- Document and data retention requirements (7 years)
- Minimum audit standards and self-audit requirements
- Security requirements (these are being expanded in the Forum's minimum security guidelines, currently under discussion)
- Private Key Protection requirements
- Key Ceremony requirements
17 Choosing Your CA
There are a number of considerations to take into account when choosing a CA for issuing your certificates:
- Is your CA trusted in the platforms/applications you wish to support?
- Does your CA have high standards for identity verification and issuance processes?
  - Does your CA support EV certificates?
  - Will your CA support BR standards?
  - Review the identity practices utilized in identifying and issuing certificates
- Does your CA have a record of strong security practices?
- Does your CA proactively provide you with information that might be pertinent to the protection of your certificates?
- How good is the Customer Service? Can you rely upon your CA to respond quickly and efficiently if you have any issues, concerns or problems with your certificates?
18 DigiCert Your Trust Partner
Third largest High-Assurance certificate provider
Member of:
19 About DigiCert: Who Uses DigiCert?
DigiCert provides encryption and authentication services to around 50,000 customers globally.
20 About DigiCert: Testimonials
DigiCert features more 5-star reviews than any other Certificate Authority on sslshopper.com. Here are a few user-generated quotes:
- "This company is 5/5 for me, and I'm the kind of guy who could rate something as 4.97 / 5 out of sheer pickiness" (Dec 16, 2010)
- "These guys have provided the best level of customer service I have ever experienced anywhere." (Dec 22, 2010)
- "Miles above the other well known names. Thanks a million to DigiCert and their team" (Oct 22, 2010)
21 Customer Ratings
22 About DigiCert: Features
DigiCert SSL Certificates feature:
- 99.5% Browser Compatibility
- Unlimited Server License
- Issues Extended Validation Certificates
- Supports BRs and is already compliant
- Has certified Security Practices in place
- Secure Trust Seal
- Award-winning 24/7 customer support
- $1,000,000 Warranty
23 About DigiCert Products DigiCert provides strong encryption and authentication services for SSL Certificates.
24 About DigiCert Support DigiCert provides an extensive set of online tools to support customers.
25 About DigiCert: Managed-PKI
Easily manage thousands of SSL certificates with our enterprise-grade, web-based PKI.
- Instantly approve or reject certificate requests
- Intuitive user interface with multiple levels of authority
- Assign business units to subaccounts with limited access
- Centralize control while distributing workload
- Issue trusted Client and S/MIME certificates
26 About DigiCert: Make the Switch
Make the switch to DigiCert today and receive 15% off your next certificate order!
Promotional Code: 15% Discount, valid till February 29, 2012
27 DigiCert Competition Raffle
DigiCert is offering 5 lucky attendees at tonight's presentation the chance to win a DigiCert Helicopter; prizes will be sent directly to your listed address. The DigiCert remote-controlled helicopter actually flies, with a control unit to perform precise forward, backward, rotation and hover maneuvers. USB charging capability included.
28 DigiCert Contacts
Website:
Scott Rea: (801)
SEARCH for Trust
SSL/TLS Enhancement or Alternatives for Realizing CA Homogeneity (SEARCH) for Trust
Research by Dartmouth College and New York University
Reported by: Scott Rea, Sr. PKI Architect, DigiCert
More informationOverview of SSL/TLS. Luke Anderson. 12 th May University Of Sydney.
Overview of SSL/TLS Luke Anderson luke@lukeanderson.com.au 12 th May 2017 University Of Sydney Overview 1. Introduction 1.1 Raw HTTP 1.2 Introducing SSL/TLS 2. Certificates 3. Attacks Introduction Raw
More informationEvaluating the Security Risks of Static vs. Dynamic Websites
Evaluating the Security Risks of Static vs. Dynamic Websites Ballard Blair Comp 116: Introduction to Computer Security Professor Ming Chow December 13, 2017 Abstract This research paper aims to outline
More informationSecuring ArcGIS Services
Federal GIS Conference 2014 February 10 11, 2014 Washington DC Securing ArcGIS Services James Cardona Agenda Security in the context of ArcGIS for Server Background concepts Access Securing web services
More informationSeptember Copyright (C) The Internet Society (2000). All Rights Reserved.
Network Working Group Request for Comments: 2941 Obsoletes: 1416 Category: Standards Track T. Ts o, Editor VA Linux Systems J. Altman Columbia University September 2000 Telnet Authentication Option Status
More informationWHITE PAPER. ENSURING SECURITY WITH OPEN APIs. Scott Biesterveld, Lead Solution Architect Senthil Senthil, Development Manager IBS Open APIs
ENSURING SECURITY WITH OPEN APIs Scott Biesterveld, Lead Solution Architect Senthil Senthil, Development Manager IBS Open APIs The security features that banks must build into their financial solutions
More informationSend documentation comments to
CHAPTER 6 Configuring Certificate Authorities and Digital Certificates This chapter includes the following topics: Information About Certificate Authorities and Digital Certificates, page 6-1 Default Settings,
More informationDNS security extensions
DNS security extensions ENOG IV / RIPE NCC Regional Meeting 23 24 October 2012, Moscow Security related RR CERT TLSA, SMIMEA* (DANE) CAA* SSHFP SPF PKIX problems Self-signed certificates (~48% web servers)
More informationPublic-Key Infrastructure NETS E2008
Public-Key Infrastructure NETS E2008 Many slides from Vitaly Shmatikov, UT Austin slide 1 Authenticity of Public Keys? private key Alice Bob public key Problem: How does Alice know that the public key
More informationA GUIDE TO CYBERSECURITY METRICS YOUR VENDORS (AND YOU) SHOULD BE WATCHING
A GUIDE TO 12 CYBERSECURITY METRICS YOUR VENDORS (AND YOU) SHOULD BE WATCHING There is a major difference between perceived and actual security. Perceived security is what you believe to be in place at
More informationTHE BUSINESS VALUE OF EXTENDED VALIDATION
THE BUSINESS VALUE OF EXTENDED VALIDATION How Internet Browsers Support EV and Display Trusted Websites +1-888-690-2424 entrust.com Table of contents Introduction Page 3 Objectives Page 4 How to bring
More information2015 VORMETRIC INSIDER THREAT REPORT
Research Conducted by Research Analyzed by 2015 VORMETRIC INSIDER THREAT REPORT Trends and Future Directions in Data Security GLOBAL EDITION #2015InsiderThreat EXECUTIVE PERSPECTIVE 1 INSIDER THREATS:
More informationWhat is a Digital Certificate? Basic Problem. Digital Certificates, Certification Authorities, and Public Key Infrastructure. Sections
Digital Certificates, Certification Authorities, and Public Key Infrastructure Sections 14.3-14.5 Basic Problem What does a public-key signature verification tell you? Verification parameters include public
More informationDigital Certificates, Certification Authorities, and Public Key Infrastructure. Sections
Digital Certificates, Certification Authorities, and Public Key Infrastructure Sections 14.3-14.5 Basic Problem What does a public-key signature verification tell you? Verification parameters include public
More informationSecurity for an age of zero trust
Security for an age of zero trust A Two-factor authentication: Security for an age of zero trust shift in the information security paradigm is well underway. In 2010, Forrester Research proposed the idea
More informationMan in the Middle Attacks and Secured Communications
FEBRUARY 2018 Abstract This document will discuss the interplay between Man in The Middle (MiTM/ MITM) attacks and the security technologies that are deployed to prevent them. The discussion will follow
More informationImperva Incapsula Website Security
Imperva Incapsula Website Security DA T A SH E E T Application Security from the Cloud Imperva Incapsula cloud-based website security solution features the industry s leading WAF technology, as well as
More informationLecture 15 PKI & Authenticated Key Exchange. COSC-260 Codes and Ciphers Adam O Neill Adapted from
Lecture 15 PKI & Authenticated Key Exchange COSC-260 Codes and Ciphers Adam O Neill Adapted from http://cseweb.ucsd.edu/~mihir/cse107/ Today We will see how signatures are used to create public-key infrastructures
More informationIntroduction to SSL. Copyright 2005 by Sericon Technology Inc.
Introduction to SSL The cornerstone of e-commerce is a Web site s ability to prevent eavesdropping on data transmitted to and from its site. Without this, consumers would justifiably be afraid to enter
More informationSecuring Internet Communication: TLS
Securing Internet Communication: TLS CS 161: Computer Security Prof. David Wagner March 11, 2016 Today s Lecture Applying crypto technology in practice Two simple abstractions cover 80% of the use cases
More information2015 Online Trust Audit & Honor Roll Methodology
2015 Online Trust Audit & Honor Roll Methodology Jeff Wilbur VP Marketing, Iconix Craig Spiezle Executive Director & President, OTA 2015 All rights reserved. Online Trust Alliance (OTA) Slide 1 Who Is
More informationIHE Change Proposal. Tracking information: Change Proposal Status: Date of last update: Sep 13, 2018 Charles Parisot, Vassil Peytchev, John Moehrke
IHE Change Proposal Tracking information: IHE Domain IT Infrastructure Change Proposal ID: CP-ITI-1145 Change Proposal Status: Final Text Date of last update: Sep 13, 2018 Person assigned: Charles Parisot,
More informationSSL/TLS Server Test of grupoconsultorefe.com
SSL/TLS Server Test of grupoconsultorefe.com Test SSL/TLS implementation of any service on any port for compliance with PCI DSS requirements, HIPAA guidance and NIST guidelines. GRUPOCONSULTOREFE.COM FINAL
More informationHow Next Generation Trusted Identities Can Help Transform Your Business
SESSION ID: SPO-W09B How Next Generation Trusted Identities Can Help Transform Your Business Chris Taylor Senior Product Manager Entrust Datacard @Ctaylor_Entrust Identity underpins our PERSONAL life 2
More informationWhen HTTPS Meets CDN
When HTTPS Meets CDN A Case of Authentication in Delegated Service Jinjin Liang 1, Jian Jiang 1, Haixin Duan 1, Kang Li 2, Tao Wan 3, Jianping Wu 1 1 Tsinghua University 2 University of Georgia 3 Huawei
More informationLast mile authentication problem
Last mile authentication problem Exploiting the missing link in end-to-end secure communication DEF CON 26 Our team Sid Rao Doctoral Candidate Aalto University Finland Thanh Bui Doctoral Candidate Aalto
More information