Chapter 4 Protection in General-Purpose Operating Systems
|
|
- Marylou Sharp
- 5 years ago
- Views:
Transcription
1 Chapter 4 Protection in General-Purpose Operating Systems Charles P. Pfleeger & Shari Lawrence Pfleeger, Security in Computing, 4 th Ed., Pearson Education, An operating system has two goals: controlling shared access implementing an interface to allow that access Underneath those goals are support activities, iti including identification and authentication, naming, filing objects, scheduling, communication among processes, and reclaiming i and reusing objects 2
2 Operating system functions can be categorized as access control identity and credential management if information flow audit and integrity protection Each of these activities iti has security implications Protected Objects and Methods of Protection Protected Objects the rise of multiprogramming i meant that several aspects of a computing system required protection: memory sharable I/O devices, such as disks serially reusable I/O devices, such as printers and tape drives sharable programs and subprocedures networks sharable data 4
3 Security Methods of Operating Systems The basis of protection is separation: keeping one user's objects separate from other users. physical separation, in which h different processes use different physical objects temporal separation, in which processes having different security requirements are executed at different times logical separation, in which users operate under the illusion that no other processes exist, as when an operating system constrains a program's accesses so that the program cannot access objects outside its permitted domain cryptographic separation, in which processes conceal their data and computations in such a way that they are unintelligible to outside processes 5 Security Methods of Operating Systems (Cont d) An operating system can support separation and sharing in several ways, offering protection at any of several levels. Do not protect. toperating systems with no protection ti are appropriate when sensitive procedures are being run at separate times. Isolate. When an operating system provides isolation, different processes running concurrently are unaware of the presence of each other. Each process has its own address space, files, and other objects. The operating system must confine each process somehow so that the objects of the other processes are completely concealed. 6
4 Security Methods of Operating Systems (Cont d) An operating system can support separation and sharing in several ways, offering protection at any of several levels (Cont d) Share all or share nothing. The owner of an object declares it to be public or private. A public object is available to all users, whereas a private object is available only to its owner. Share via access limitation. With protection by access limitation, the operating system checks the allowability of each user's potential access to an object. That is, access control is implemented for a specific user and a specific object. 7 Security Methods of Operating Systems (Cont d) An operating system can support separation and sharing in several ways, offering protection at any of several levels (Cont d) Share by capabilities. An extension of limited it access sharing, this form of protection allows dynamic creation of sharing rights for objects. The degree of sharing can depend on the owner or the subject, on the context of the computation, or on the object itself. Limit use of an object. Limits not just the access to an object but the use made of that object after it has been accessed. For example, a user may be allowed to view a sensitive document, but not to print a copy of it. 8
5 4.2. Memory y and Address Protection Fence - a method to confine users to one side of a boundary. 9 Fence register - used a hardware register containing the address of the end of the operating system. The fence cannot protect t one user from another user 10
6 Relocation - the process of taking a program written as if it began at address 0 and changing all addresses to reflect the actual address at which the program is located in memory. 11 Base/Bounds Registers With two or more users, none can know in advance where a program will be loaded for execution. The relocation register solves the problem by providing a base or starting address. A variable ibl fence register it is generally known as a base register. A bounds register is an upper address limit. 12
7 Base/Bounds Registers (Cont d) 13 Base/Bounds Registers (Cont d) 14
8 Tagged Architecture In some cases you may want to protect some data values but not all Tagged architecture t Every word of machine memory has one or more extra bits to identify the access rights to that word. These access bits can be set only by privileged (operating system) instructions. The bits are tested every time an instruction accesses that location. 15 Tagged Architecture (Cont d) 16
9 Segmentation Involves the simple notion of dividing diidi a program into separate pieces Each piece has a logical l unity, exhibiting a relationship among all of its code or data values. Each segment has a unique name. A code or data item within a segment is addressed as the pair <name, offset>, where name is the name of the segment containing the data item and offset is its location within the segment 17 Segmentation (Cont d) 18
10 Segmentation (Cont d) Translation of Segment Address. 19 Segmentation (Cont d) Translation of Segment Address (Cont d) The operating system can place any segment at any location or move any segment to any location, even after the program begins to execute. A segment can be removed from main memory (and stored on an auxiliary device) if it is not being used currently. Every address reference passes through the operating system, so there is an opportunity to check each one for protection. 20
11 Segmentation (Cont d) Segmentation offers these security benefits: Each address reference is checked for protection. Many different classes of data items can be assigned different levels of protection. Two or more users can share access to a segment, with potentially different access rights. A user cannot generate an address or access to an unpermitted segment. 21 Paging The program is divided id d into equal-sized pieces called pages. The memory is divided into equal-sized units called page frames. 22
12 Paging 23 Combined Paging with Segmentation Paging offers implementation i efficiency, i while segmentation offers logical protection characteristics The IBM 390 family of mainframe systems used a form of paged segmentation 24
13 Combined Paging with Segmentation (Cont d) Control of Access to General Objects Directory 26
14 Directory (Cont d) Several difficulties i can arise. The list becomes too large if many shared objects Revocation of access - If owner A has passed to user B the right to read file F, an entry for F is made in the directory for B. If A later questions that trust, A may want to revoke the access right of B. Then. Pseudonyms. Owners A and B may have two different files named F, and they may both want to allow access by S. The directory for S cannot contain two entries under the same name for different files. 27 Access Control List There is one such list for each object, and the list shows all subjects who should have access to the object and what their access is. 28
15 Access Control List (Cont d) 29 Access Control Matrix - a table in which each row represents a subject, each column represents an object, and each entry is the set of access rights for that subject to that object. 30
16 Access Control Matrix (Cont d) BIBLIOG TEMP F HELP.TXT C_COMP LINKER SYS_CLOCK PRINTER USER A ORW ORW ORW R X X R W USER B R R X X R W USER S RW R R X X R W USER T R X X R W SYS_MGR RW OX OX ORW O USER_SVCSSVCS O X X R W 31 Capability - an unforgeable token that gives the possessor certain rights to an object. One possible access right to an object is transfer or propagate. A subject having this right can pass copies of capabilities to other subjects. In turn, each of these capabilities also has a list of permitted types of accesses, one of which might also be transfer. 32
17 33 Kerberos Kerberos implements both authentication i and access authorization i by means of capabilities, called tickets, secured with symmetric cryptography Kerberos requires two systems, called the authentication server (AS) and the ticket-granting t server (TGS), which h are both part of the key distribution center (KDC) A user presents an authenticating ti ti credential (such as a password) to the authentication server and receives a ticket showing that the user has passed authentication. ti ti 34
18 Kerberos (Cont d) Suppose Joe wants to access a resource R (for example, a file, printer, or network port). Joe sends the TGS his authenticated ti t ticket t and a request to use R. Assuming Joe is allowed access, the TGS returns to Joe two tickets: One shows Joe that t his access to R has been authorized The second is for Joe to present to R in order to access R. 35 Procedure-Oriented Access Control Ensure that accesses to an object be made through h a trusted interface Role-Based Access Control Associate privileges il with groups 36
19 4.4. File Protection Mechanisms Basic Forms of Protection All-None Protection Unacceptable for several reasons Lack of trust Too coarse Rise of sharing Complexity File listings 37 Basic Forms of Protection (Cont d) Group Protection Focused on identifying groups of users who had some common relationship. All authorized users are separated into groups. A group may consist of several members working on a common project, a department, a class, or a single user. The basis for group membership is need to share. A key advantage of the group protection approach is its ease of implementation. 38
20 Basic Forms of Protection (Cont d) Group Protection (Cont d) Group affiliation. A single user cannot belong to two groups. Multiple personalities. To overcome the one-person one-group restriction, certain people might obtain multiple accounts, permitting them, in effect, to be multiple users. All groups. To avoid multiple personalities, the system administrator may decide that Tom should have access to all his files any time he is active. Limited sharing. Files can be shared only within groups or with the world. 39 Basic Forms of Protection (Cont d) Idiid Individual Permissions i Persistent Permission Temporary Acquired Permission Unix+ operating systems provide an interesting permission scheme based on a three-level user-group-world hierarchy. The Unix designers added a permission called set userid (suid) Per-Object and Per-User Protection 40
21 4.5. User Authentication Authentication mechanisms use any of three qualities to confirm a user's identity. i Something the user knows. Passwords, PIN numbers, passphrases, a secret handshake, h and mother's maiden name are examples of what a user may know. Something the user has. Identity badges, physical keys, a driver's license, or a uniform are common examples of things people have that t make them recognizable. Something the user is. These authenticators, called biometrics, are based on a physical characteristic ti of the user, 41 Passwords as Authenticators Use of Passwords Passwords are mutually agreed-upon code words, assumed to be known only to the user and the system. Suffer from some difficulties of use: Loss. Depending on how the passwords are implemented, it is possible that no one will be able to replace a lost or forgotten password Use. Supplying a password for each access to a file can be inconvenient and time consuming. Disclosure. If a password is disclosed to an unauthorized individual, the file becomes immediately accessible. Revocation. 42
22 Passwords as Authenticators Additional i Authentication i Information Using additional authentication information is called multifactor authentication. Two forms of authentication (which is known as two-factor authentication) are better than one, assuming of course that the two forms are strong. But as the number of forms increases, so also does the inconvenience. 43 Passwords as Authenticators Attacks on Passwords Some ways you might be able to determine a user's password, in decreasing order of difficulty. Try all possible passwords. Try frequently used passwords. Try passwords likely for the user. Search for the system list of passwords. Ask the user. 44
23 Passwords as Authenticators Attacks on Passwords (Cont d) Loose-Lipped Systems Eg E.g., WELCOME TO THE XYZ COMPUTING SYSTEMS ENTER USER NAME: adams INVALID USER NAME / UNKNOWN USER ENTER USER NAME: 45 Passwords as Authenticators Attacks on Passwords (Cont d) Loose-Lipped Systems (Cont d) An alternative arrangement of the login sequence is shown below. WELCOME TO THE XYZ COMPUTING SYSTEMS ENTER USER NAME: adams ENTER PASSWORD: john INVALID ACCESS ENTER USER NAME: 46
24 Passwords as Authenticators Attacks on Passwords (Cont d) Loose-Lipped Systems (Cont d) ENTER USER NAME: adams ENTER PASSWORD: john INVALID ACCESS ENTER USER NAME: adams ENTER PASSWORD: johnq WELCOME TO THE XYZ COMPUTING SYSTEMS 47 Passwords as Authenticators Attacks on Passwords (Cont d) Exhaustive Attack In an exhaustive or brute force attack, the attacker tries all possible passwords, usually in some automated fashion Probable Passwords Passwords Likely for a User 48
25 Users' Password Choices 49 Passwords as Authenticators Attacks on Passwords (Cont d) password guessing steps: no password the same as the user ID. is, or is derived from, the user's name common word list (for example, "password," "secret," "private") plus common names and patterns (for example, "asdfg," "aaaaaa") short college dictionary complete English word list 50
26 Passwords as Authenticators Attacks on Passwords (Cont d) password guessing steps: (Cont d) short college dictionary with capitalizations (PaSsWorD) and substitutions (0 for O, and so forth) complete English with capitalizations and substitutions common non-english dictionaries with capitalization and substitutions brute force, lowercase alphabetic character bsrute force, full character set 51 Passwords as Authenticators Attacks on Passwords (Cont d) Plaintext System Password List Encrypted Password File Indiscreet Users - Get it directly from the user! People often tape a password to the side of a terminal or write it on a card just inside the top desk drawer. 52
27 Passwords as Authenticators Password Selection Ci Criteriai Use characters other than just AZ Choose long passwords. Avoid actual names or words. Choose an unlikely password Change the password regularly. Don't write it down. Don't tell anyone else. The easiest attack is social engineering, in which the attacker contacts the system's administrator or a user to elicit the password in some way. 53 Passwords as Authenticators One-Time Passwords Biometrics: Authentication Not Using Passwords Identification vs Ath Authenticationti ti Much reliable, but less effective 54
28 4.6. Summary y of Security y for Users Addressed four topics: memory protection file protection general object access control user authentication. 55
Operating systems and security - Overview
Operating systems and security - Overview Protection in Operating systems Protected objects Protecting memory, files User authentication, especially passwords Trusted operating systems, security kernels,
More informationOperating systems and security - Overview
Operating systems and security - Overview Protection in Operating systems Protected objects Protecting memory, files User authentication, especially passwords Trusted operating systems, security kernels,
More informationUser Authentication. E.g., How can I tell you re you?
User Authentication E.g., How can I tell you re you? 1 The Basics Unlike real world authentication (e.g., you recognize someone s voice over the phone) computer can t recognize someone (well, not in the
More informationChapter 4. Protection in General-Purpose Operating Systems. ch. 4 1
Chapter 4 Protection in General-Purpose Operating Systems ch. 4 1 Chapter Outline 4.1 Protected Objects and Methods of Protection 4.2 Memory and Address Protection 4.3 Control of Access to General Objects
More informationUser Authentication. Modified By: Dr. Ramzi Saifan
User Authentication Modified By: Dr. Ramzi Saifan Authentication Verifying the identity of another entity Computer authenticating to another computer Person authenticating to a local/remote computer Important
More informationProtecting Information Assets - Week 10 - Identity Management and Access Control. MIS 5206 Protecting Information Assets
Protecting Information Assets - Week 10 - Identity Management and Access Control MIS5206 Week 10 Identity Management and Access Control Presentation Schedule Test Taking Tip Quiz Identity Management and
More informationSumy State University Department of Computer Science
Sumy State University Department of Computer Science Lecture 1 (part 2). Access control. What is access control? A cornerstone in the foundation of information security is controlling how resources are
More informationPattern Recognition and Applications Lab AUTHENTICATION. Giorgio Giacinto.
Pattern ecognition and Applications Lab AUTHENTICATION Giorgio Giacinto giacinto@diee.unica.it Computer Security 2018 Department of Electrical and Electronic Engineering University of Cagliari, Italy Authentication
More informationUser Authentication. Modified By: Dr. Ramzi Saifan
User Authentication Modified By: Dr. Ramzi Saifan Authentication Verifying the identity of another entity Computer authenticating to another computer Person authenticating to a local/remote computer Important
More informationModule 29: Operating System Memory Protection
Module 29: Operating System Memory Protection An operating system is the multiprogramming system allowing multiple users to use concurrently. Operating system is designed in such a way that one user's
More informationO/S & Access Control. Aggelos Kiayias - Justin Neumann
O/S & Access Control Aggelos Kiayias - Justin Neumann One system Many users Objects that require protection memory I/O devices (disks, printers) programs and processes networks stored data in general Separation
More informationAuthentication. Chapter 2
Authentication Chapter 2 Learning Objectives Create strong passwords and store them securely Understand the Kerberos authentication process Understand how CHAP works Understand what mutual authentication
More informationCIS 6930/4930 Computer and Network Security. Topic 7. Trusted Intermediaries
CIS 6930/4930 Computer and Network Security Topic 7. Trusted Intermediaries 1 Trusted Intermediaries Problem: authentication for large networks Solution #1 Key Distribution Center (KDC) Representative
More informationA Modified Approach for Kerberos Authentication Protocol with Secret Image by using Visual Cryptography
A Modified Approach for Kerberos Authentication Protocol with Secret Image by using Visual Cryptography Ashok Kumar J 1, and Gopinath Ganapathy 2 1,2 School of Computer Science, Engineering and Applications
More informationAccess Control Mechanisms
Access Control Mechanisms Week 11 P&P: Ch 4.5, 5.2, 5.3 CNT-4403: 26.March.2015 1 In this lecture Access matrix model Access control lists versus Capabilities Role Based Access Control File Protection
More informationTrusted Intermediaries
AIT 682: Network and Systems Security Topic 7. Trusted Intermediaries Instructor: Dr. Kun Sun Trusted Intermediaries Problem: authentication for large networks Solution #1 Key Distribution Center (KDC)
More informationAIT 682: Network and Systems Security
AIT 682: Network and Systems Security Topic 7. Trusted Intermediaries Instructor: Dr. Kun Sun Trusted Intermediaries Problem: authentication for large networks Solution #1 Key Distribution Center (KDC)
More informationIntroduction. Trusted Intermediaries. CSC/ECE 574 Computer and Network Security. Outline. CSC/ECE 574 Computer and Network Security.
Trusted Intermediaries CSC/ECE 574 Computer and Network Security Topic 7. Trusted Intermediaries Problem: authentication for large networks Solution #1 Key Distribution Center () Representative solution:
More informationCSC 774 Network Security
CSC 774 Network Security Topic 2. Review of Cryptographic Techniques CSC 774 Dr. Peng Ning 1 Outline Encryption/Decryption Digital signatures Hash functions Pseudo random functions Key exchange/agreement/distribution
More informationOutline Key Management CS 239 Computer Security February 9, 2004
Outline Key Management CS 239 Computer Security February 9, 2004 Properties of keys Key management Key servers Certificates Page 1 Page 2 Introduction Properties of Keys It doesn t matter how strong your
More informationCSC/ECE 774 Advanced Network Security
Computer Science CSC/ECE 774 Advanced Network Security Topic 2. Network Security Primitives CSC/ECE 774 Dr. Peng Ning 1 Outline Absolute basics Encryption/Decryption; Digital signatures; D-H key exchange;
More informationCIS 6930/4930 Computer and Network Security. Topic 6.2 Authentication Protocols
CIS 6930/4930 Computer and Network Security Topic 6.2 Authentication Protocols 1 Authentication Handshakes Secure communication almost always includes an initial authentication handshake. Authenticate
More informationBasic Concepts and Definitions. CSC/ECE 574 Computer and Network Security. Outline
CSC/ECE 574 Computer and Network Security Topic 2. Introduction to Cryptography 1 Outline Basic Crypto Concepts and Definitions Some Early (Breakable) Cryptosystems Key Issues 2 Basic Concepts and Definitions
More informationCOS 318: Operating Systems. File Systems. Topics. Evolved Data Center Storage Hierarchy. Traditional Data Center Storage Hierarchy
Topics COS 318: Operating Systems File Systems hierarchy File system abstraction File system operations File system protection 2 Traditional Data Center Hierarchy Evolved Data Center Hierarchy Clients
More informationCS 392/681 - Computer Security. Module 5 Access Control: Concepts and Mechanisms
CS 392/681 - Computer Security Module 5 Access Control: Concepts and Mechanisms Course Policies and Logistics Midterm next Thursday!!! Read Chapter 2 and 15 of text 10/15/2002 Module 5 - Access Control
More informationTFS WorkstationControl White Paper
White Paper Intelligent Public Key Credential Distribution and Workstation Access Control TFS Technology www.tfstech.com Table of Contents Overview 3 Introduction 3 Important Concepts 4 Logon Modes 4 Password
More information(2½ hours) Total Marks: 75
(2½ hours) Total Marks: 75 N. B.: (1) All questions are compulsory. (2) Makesuitable assumptions wherever necessary and state the assumptions made. (3) Answers to the same question must be written together.
More informationCIS 5373 Systems Security
CIS 5373 Systems Security Topic 3.2: OS Security Access Control Endadul Hoque Slide Acknowledgment Contents are based on slides from Ninghui Li (Purdue), John Mitchell (Stanford), Bogdan Carbunar (FIU)
More informationNetwork Security CHAPTER 31. Solutions to Review Questions and Exercises. Review Questions
CHAPTER 3 Network Security Solutions to Review Questions and Exercises Review Questions. A nonce is a large random number that is used only once to help distinguish a fresh authentication request from
More informationStorage and File System
COS 318: Operating Systems Storage and File System Andy Bavier Computer Science Department Princeton University http://www.cs.princeton.edu/courses/archive/fall10/cos318/ Topics Storage hierarchy File
More informationOverview of Authentication Systems
Overview of Authentication Systems Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 Jain@cse.wustl.edu Audio/Video recordings of this lecture are available at: http://www.cse.wustl.edu/~jain/cse571-07/
More informationComputer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018
Computer Security 08r. Pre-exam 2 Last-minute Review Cryptography Paul Krzyzanowski Rutgers University Spring 2018 March 26, 2018 CS 419 2018 Paul Krzyzanowski 1 Cryptographic Systems March 26, 2018 CS
More informationCapability based Command Security
Capability based Command Security SCSI commands standard proposal IBM Research Lab in Haifa February 2007 Table of Contents 1 General... 1 1.1 Overview...1 1.2 The Security Manager...2 1.3 Special Considerations...3
More informationComputer Security 3e. Dieter Gollmann. Security.di.unimi.it/1516/ Chapter 4: 1
Computer Security 3e Dieter Gollmann Security.di.unimi.it/1516/ Chapter 4: 1 Chapter 4: Identification & Authentication Chapter 4: 2 Agenda User authentication Identification & authentication Passwords
More informationHOST Authentication Overview ECE 525
Authentication Overview Authentication refers to the process of verifying the identity of the communicating principals to one another Usually sub-divided into Entity authentication Authentication in real-time
More informationCSCI 454/554 Computer and Network Security. Topic 2. Introduction to Cryptography
CSCI 454/554 Computer and Network Security Topic 2. Introduction to Cryptography Outline Basic Crypto Concepts and Definitions Some Early (Breakable) Cryptosystems Key Issues 2 Basic Concepts and Definitions
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 24 April 16, 2012 CPSC 467b, Lecture 24 1/33 Kerberos Secure Shell (SSH) Transport Layer Security (TLS) Digital Rights Management
More informationCS530 Authentication
CS530 Authentication Bill Cheng http://merlot.usc.edu/cs530-s10 1 Identification vs. Authentication Identification associating an identity (or a claimed identity) with an individual, process, or request
More informationChapter 9: Key Management
Chapter 9: Key Management Session and Interchange Keys Key Exchange Cryptographic Key Infrastructure Storing and Revoking Keys Digital Signatures Slide #9-1 Overview Key exchange Session vs. interchange
More informationIMPLEMENTATION OF KERBEROS BASED AUTHENTICATED KEY EXCHANGE PROTOCOL FOR PARALLEL NETWORK FILE SYSTEMS IN CLOUD
[1] [1] ISSN: 0976-3104 SPECIAL ISSUE: Emerging Technologies in Networking and Security (ETNS) Chandravathi et al. ARTICLE OPEN ACCESS IMPLEMENTATION OF KERBEROS BASED AUTHENTICATED KEY EXCHANGE PROTOCOL
More informationMODULE NO.28: Password Cracking
SUBJECT Paper No. and Title Module No. and Title Module Tag PAPER No. 16: Digital Forensics MODULE No. 28: Password Cracking FSC_P16_M28 TABLE OF CONTENTS 1. Learning Outcomes 2. Introduction 3. Nature
More informationIntroduction to Computer Security
Introduction to Computer Security Instructor: Mahadevan Gomathisankaran mgomathi@unt.edu CSCE 4550/5550, Fall 2009 Lecture 17 1 Mid Term Mean = 32.64, Median = 33.53 8 7 6 5 4 3 2 1 0 0-5 5-10 10-15 15-20
More informationRadius, LDAP, Radius used in Authenticating Users
CSCD 303 Lecture 5 Fall 2017 Kerberos Radius, LDAP, Radius used in Authenticating Users Introduction to Centralized Authentication Kerberos is for authentication only and provides Single Sign-on (SSO)
More informationOutline. Operating System Security CS 239 Computer Security February 23, Introduction. Server Machines Vs. General Purpose Machines
Outline Operating System Security CS 239 Computer Security February 23, 2004 Introduction Memory protection Interprocess communications protection File protection Page 1 Page 2 Introduction Why Is OS Security
More informationComputer Security 3/20/18
Authentication Identification: who are you? Authentication: prove it Computer Security 08. Authentication Authorization: you can do it Protocols such as Kerberos combine all three Paul Krzyzanowski Rutgers
More informationUser Authentication Principles and Methods
User Authentication Principles and Methods David Groep, NIKHEF User Authentication - Principles and Methods 1 Principles and Methods Authorization factors Cryptographic methods Authentication for login
More informationKey Management and Distribution
2 and Distribution : Security and Cryptography Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 20 December 2015 css441y15s2l10, Steve/Courses/2015/s2/css441/lectures/key-management-and-distribution.tex,
More informationComputer Security. 08. Authentication. Paul Krzyzanowski. Rutgers University. Spring 2018
Computer Security 08. Authentication Paul Krzyzanowski Rutgers University Spring 2018 1 Authentication Identification: who are you? Authentication: prove it Authorization: you can do it Protocols such
More informationCombating Common Web App Authentication Threats
Security PS Combating Common Web App Authentication Threats Bruce K. Marshall, CISSP, NSA-IAM Senior Security Consultant bmarshall@securityps.com Key Topics Key Presentation Topics Understanding Web App
More informationCSE 565 Computer Security Fall 2018
CSE 565 Computer Security Fall 2018 Lecture 11: Public Key Infrastructure Department of Computer Science and Engineering University at Buffalo 1 Lecture Outline Public key infrastructure Certificates Trust
More informationThe Kerberos Authentication Service
The Kerberos Authentication Service By: Cule Stevan ID#: 0047307 SFWR 4C03 April 4, 2005 Last Revision: April 5, 2005 Stevan Cule 0047307 SOFTWARE ENGINEERING 4C03 WINTER 2005 The Kerberos Authentication
More informationOutline. Cryptography. Encryption/Decryption. Basic Concepts and Definitions. Cryptography vs. Steganography. Cryptography: the art of secret writing
Outline CSCI 454/554 Computer and Network Security Basic Crypto Concepts and Definitions Some Early (Breakable) Cryptosystems Key Issues Topic 2. Introduction to Cryptography 2 Cryptography Basic Concepts
More informationFactotum Sep. 24, 2007
15-412 Factotum Sep. 24, 2007 Dave Eckhardt 1 Factotum Left Out (of P9/9P Lecture) The whole authentication thing There is an auth server much like a Kerberos KDC There is an authentication file system
More informationVerteilte Systeme (Distributed Systems)
Verteilte Systeme (Distributed Systems) Lorenz Froihofer l.froihofer@infosys.tuwien.ac.at http://www.infosys.tuwien.ac.at/teaching/courses/ VerteilteSysteme/ Security Threats, mechanisms, design issues
More informationMU2a Authentication, Authorization & Accounting Questions and Answers with Explainations
98-367 MU2a Authentication, Authorization & Accounting Questions and Answers with Explainations Which are common symptoms of a virus infection? (Lesson 5 p 135-136) Poor system performance. Unusually low
More informationCristina Nita-Rotaru. CS355: Cryptography. Lecture 17: X509. PGP. Authentication protocols. Key establishment.
CS355: Cryptography Lecture 17: X509. PGP. Authentication protocols. Key establishment. Public Keys and Trust Public Key:P A Secret key: S A Public Key:P B Secret key: S B How are public keys stored How
More informationRadius, LDAP, Radius, Kerberos used in Authenticating Users
CSCD 303 Lecture 5 Fall 2018 Radius, LDAP, Radius, Kerberos used in Authenticating Users Kerberos Authentication and Authorization Previously Said that identification, authentication and authorization
More informationAuthentication Objectives People Authentication I
Authentication Objectives People Authentication I Dr. Shlomo Kipnis December 15, 2003 User identification (name, id, etc.) User validation (proof of identity) Resource identification (name, address, etc.)
More informationCryptographic Checksums
Cryptographic Checksums Mathematical function to generate a set of k bits from a set of n bits (where k n). k is smaller then n except in unusual circumstances Example: ASCII parity bit ASCII has 7 bits;
More informationLesson 13 Securing Web Services (WS-Security, SAML)
Lesson 13 Securing Web Services (WS-Security, SAML) Service Oriented Architectures Module 2 - WS Security Unit 1 Auxiliary Protocols Ernesto Damiani Università di Milano element This element
More informationA Two-Fold Authentication Mechanism for Network Security
Asian Journal of Engineering and Applied Technology ISSN 2249-068X Vol. 7 No. 2, 2018, pp. 86-90 The Research Publication, www.trp.org.in A Two-Fold for Network Security D. Selvamani 1 and V Selvi 2 1
More information===============================================================================
We have looked at how to use public key crypto (mixed with just the right amount of trust) for a website to authenticate itself to a user's browser. What about when Alice needs to authenticate herself
More informationSecurity Digital Certificate Manager
System i Security Digital Certificate Manager Version 6 Release 1 System i Security Digital Certificate Manager Version 6 Release 1 Note Before using this information and the product it supports, be sure
More informationCS 392/681 - Computer Security. Module 6 Access Control: Concepts and Mechanisms
CS 392/681 - Computer Security Module 6 Access Control: Concepts and Mechanisms Course Policies and Logistics Midterm grades Thursday. Read Chapter 2 and 15 th of text Lab 4 postponed - due next week.
More informationAccess Control. Access Control: enacting a security policy. COMP 435 Fall 2017 Prof. Cynthia Sturton. Access Control: enacting a security policy
Access Control: enacting a security policy Access Control COMP 435 Fall 2017 Prof. Cynthia Sturton Which users can access which resources and with which rights 2 Access Control: enacting a security policy
More informationIBM. Security Digital Certificate Manager. IBM i 7.1
IBM IBM i Security Digital Certificate Manager 7.1 IBM IBM i Security Digital Certificate Manager 7.1 Note Before using this information and the product it supports, be sure to read the information in
More informationCSC 474/574 Information Systems Security
CSC 474/574 Information Systems Security Topic 2.1 Introduction to Cryptography CSC 474/574 By Dr. Peng Ning 1 Cryptography Cryptography Original meaning: The art of secret writing Becoming a science that
More informationCS 470 Spring Security. Mike Lam, Professor. a.k.a. Why on earth do Alice and Bob need to share so many secrets?!?
50fb6be35f4c3105 9d4ed08fb86d8887 b746c452a9c9443b 15b22f450c76218e CS 470 Spring 2018 9df7031cdbff9d10 b700a92855f16328 5b757e66d2131841 62fedd7d9131e42e Mike Lam, Professor Security a.k.a. Why on earth
More informationTPM Entities. Permanent Entities. Chapter 8. Persistent Hierarchies
Chapter 8 TPM Entities A TPM 2.0 entity is an item in the TPM that can be directly referenced with a handle. The term encompasses more than objects because the specification uses the word object to identify
More informationPolicy vs. Mechanism. Example Reference Monitors. Reference Monitors. CSE 380 Computer Operating Systems
Policy vs. Mechanism CSE 380 Computer Operating Systems Instructor: Insup Lee and Dianna Xu University of Pennsylvania Fall 2003 Lecture Note: Protection Mechanisms q Access control policy is a specification
More informationCT30A8800 Secured communications
CT30A8800 Secured communications Pekka Jäppinen October 31, 2007 Pekka Jäppinen, Lappeenranta University of Technology: October 31, 2007 Authentication Three basic models 1. Something you know Password,
More informationMU2b Authentication, Authorization and Accounting Questions Set 2
MU2b Authentication, Authorization and Accounting Questions Set 2 1. You enable the audit of successful and failed policy changes. Where can you view entries related to policy change attempts? Lesson 2
More informationCNIT 125: Information Security Professional (CISSP Preparation) Ch 6. Identity and Access Management
CNIT 125: Information Security Professional (CISSP Preparation) Ch 6. Identity and Access Management Authentication Methods Authentication Methods Type 1: Something you know Easiest and weakest method
More informationCryptography and Network Security. Prof. D. Mukhopadhyay. Department of Computer Science and Engineering. Indian Institute of Technology, Kharagpur
Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Module No. # 01 Lecture No. # 38 A Tutorial on Network Protocols
More informationIssues. Separation of. Distributed system security. Security services. Security policies. Security mechanism
Module 9 - Security Issues Separation of Security policies Precise definition of which entities in the system can take what actions Security mechanism Means of enforcing that policy Distributed system
More informationCSE 380 Computer Operating Systems
CSE 380 Computer Operating Systems Instructor: Insup Lee and Dianna Xu University of Pennsylvania Fall 2003 Lecture Note: Protection Mechanisms 1 Policy vs. Mechanism q Access control policy is a specification
More informationCS 356 Lecture 7 Access Control. Spring 2013
CS 356 Lecture 7 Access Control Spring 2013 Review Chapter 1: Basic Concepts and Terminology Integrity, Confidentiality, Availability, Authentication, and Accountability Types of threats: active vs. passive,
More informationISSN: EverScience Publications 149
An Eager Strategy for TGT Generation at Client Side for Kerberos Protocol Deepika Yadav M.Tech Scholar, B.S.Anangpuria Institute of Technology &Management, Faridabad. Dr. A.K.Sharma Dean & Prof., Department
More informationSecurity Handshake Pitfalls
Security Handshake Pitfalls Ahmet Burak Can Hacettepe University abc@hacettepe.edu.tr 1 Cryptographic Authentication Password authentication is subject to eavesdropping Alternative: Cryptographic challenge-response
More informationIdentity, Authentication and Authorization. John Slankas
Identity, Authentication and Authorization John Slankas jbslanka@ncsu.edu Identity Who or what a person or thing is; a distinct impression of a single person or thing presented to or perceived by others;
More informationLecture 3 - Passwords and Authentication
CSE497b Introduction to Computer and Network Security - Spring 2007 - Professor Jaeger Lecture 3 - Passwords and Authentication CSE497b - Spring 2007 Introduction Computer and Network Security Professor
More information5. Authentication Contents
Contents 1 / 47 Introduction Password-based Authentication Address-based Authentication Cryptographic Authentication Protocols Eavesdropping and Server Database Reading Trusted Intermediaries Session Key
More informationNetwork Security: Kerberos. Tuomas Aura
Network Security: Kerberos Tuomas Aura Kerberos authentication Outline Kerberos in Windows domains 2 Kerberos authentication 3 Kerberos Shared-key protocol for user login authentication Uses passwords
More informationL7: Key Distributions. Hui Chen, Ph.D. Dept. of Engineering & Computer Science Virginia State University Petersburg, VA 23806
L7: Key Distributions Hui Chen, Ph.D. Dept. of Engineering & Computer Science Virginia State University Petersburg, VA 23806 9/16/2015 CSCI 451 - Fall 2015 1 Acknowledgement Many slides are from or are
More informationManaged Access Gateway. User Guide
Managed Access Gateway User Guide Version 2.2 Exostar, LLC November 3, 2011 Table of Contents Table of Contents... ii Purpose... 1 Log-in to your MAG Account... 2 Additional MAG Login Options... 2 First
More informationHong Kong Access Federation (HKAF) Identity Management Practice Statement (IMPS)
Hong Kong Access Federation (HKAF) Identity Management Practice Statement (IMPS) This document (IMPS) facilitates an organization to provide relevant information to describe how it fulfils the normative
More informationTest 2 Review. (b) Give one significant advantage of a nonce over a timestamp.
Test 2 Review Name Student ID number Notation: {X} Bob Apply Bob s public key to X [Y ] Bob Apply Bob s private key to Y E(P, K) Encrypt P with symmetric key K D(C, K) Decrypt C with symmetric key K h(x)
More informationProtection in General-purpose Operating Systems
Protection in Generalpurpose Operating Systems David Morgan Evolution of operating systems serial processing simple batch systems multiprogrammed batch systems timesharing systems Serial processing no
More information1. Federation Participant Information DRAFT
INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES [NOTE: This document should be considered a as MIT is still in the process of spinning up its participation in InCommon.] Participation in InCommon
More informationINCREASE APPLICATION SECURITY FOR PCI DSS VERSION 3.1 SUCCESS AKAMAI SOLUTIONS BRIEF INCREASE APPLICATION SECURITY FOR PCI DSS VERSION 3.
INCREASE APPLICATION SECURITY FOR PCI DSS VERSION 3.1 SUCCESS Protect Critical Enterprise Applications and Cardholder Information with Enterprise Application Access Scope and Audience This guide is for
More informationNetwork Security and Cryptography. 2 September Marking Scheme
Network Security and Cryptography 2 September 2015 Marking Scheme This marking scheme has been prepared as a guide only to markers. This is not a set of model answers, or the exclusive answers to the questions,
More informationMULTILEVEL POLICY BASED SECURITY IN DISTRIBUTED DATABASE
MULTILEVEL POLICY BASED SECURITY IN DISTRIBUTED DATABASE CHAPTER 8 Addressing security demands under fixed budgets and deadline constraints are becoming extremely challenging, time consuming and resource
More informationCryptography (Overview)
Cryptography (Overview) Some history Caesar cipher, rot13 substitution ciphers, etc. Enigma (Turing) Modern secret key cryptography DES, AES Public key cryptography RSA, digital signatures Cryptography
More informationChapter 02: Computer Organization. Lesson 07 Operating Systems
Chapter 02: Computer Organization Lesson 07 Operating Systems Objective Understand concepts of OS, Multiprogramming, Protection and virtual memory Learn OS control of the resources and time slice Understand
More informationManaged Access Gateway. User Guide
Managed Access Gateway User Guide Version 3.0 Exostar, LLC April 20, 2013 Table of Contents Table of Contents...ii Purpose... 1 Log-in to your MAG Account... 2 Additional MAG Login Options... 2 First Time
More informationCSCE 813 Internet Security Kerberos
CSCE 813 Internet Security Kerberos Professor Lisa Luo Fall 2017 What is Kerberos? An authentication server system from MIT; versions 4 and 5 Provide authentication for a user that works on a workstation
More informationNetworks: Access Management Windows NT Server Class Notes # 10 Administration October 24, 2003
Networks: Access Management Windows NT Server Class Notes # 10 Administration October 24, 2003 In Windows NT server, the user manager for domains is the primary administrative tool for managing user accounts,
More informationNetwork Security Essentials
Network Security Essentials Fifth Edition by William Stallings Chapter 4 Key Distribution and User Authentication No Singhalese, whether man or woman, would venture out of the house without a bunch of
More informationFIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 10 Authenticating Users
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 10 Authenticating Users Learning Objectives Explain why authentication is a critical aspect of network security Explain
More informationKEY DISTRIBUTION AND USER AUTHENTICATION
KEY DISTRIBUTION AND USER AUTHENTICATION Key Management and Distribution No Singhalese, whether man or woman, would venture out of the house without a bunch of keys in his hand, for without such a talisman
More information