405 research outputs found
Performance Test Suite for MIT Kerberos
Tato práce se zaměřuje na vyvinutĂ nástrojĹŻ pro vĂ˝konnostnĂ testovánĂ, kterĂ© umoĹľnĂ otestovat infrastrukturu systĂ©mu MIT Kerberos, zjistit jejĂ vĂ˝konnostnĂ charakteristiky a detekovat potenciálnĂ problĂ©my. Práce shrnuje teoretickĂ© základy protokolu Kerberos a analyzuje potenciálnĂ vĂ˝konnostnĂ problĂ©my v rĹŻznĂ˝ch konfiguracĂch MIT Kerberosu. Dále práce obsahuje popis návrhu a implementace sady nástrojĹŻ pro distribuovanĂ© testovánĂ. PomocĂ implementovanĂ˝ch nástrojĹŻ bylo odhaleno nÄ›kolik vĂ˝konnostnĂch problĂ©mĹŻ, kterĂ© jsou v práci popsány spolu s návrhem jejich Ĺ™ešenĂ.The aim of this thesis is to develop performance test suite, which will enable to test MIT Kerberos system infrastructure, assess gained performance characteristics and detect potential bottlenecks. This thesis summarizes necessary theoretical background of Kerberos protocol. Potential performance problems are analyzed on different MIT Kerberos configurations. This thesis describes distributed test suite design and implementation. Several performance problems were discovered using this test suite. These problems are described and some solutions are proposed.
Mitigating Botnet-based DDoS Attacks against Web Servers
Distributed denial-of-service (DDoS) attacks have become wide-spread on the Internet. They continuously target retail merchants, financial companies and government institutions, disrupting the availability of their online resources and causing millions of dollars of financial losses. Software vulnerabilities and proliferation of malware have helped create a class of application-level DDoS attacks using networks of compromised hosts (botnets). In a botnet-based DDoS attack, an attacker orders large numbers of bots to send seemingly regular HTTP and HTTPS requests to a web server, so as to deplete the server's CPU, disk, or memory capacity.
Researchers have proposed client authentication mechanisms, such as CAPTCHA puzzles, to distinguish bot traffic from legitimate client activity and discard bot-originated packets. However, CAPTCHA authentication is vulnerable to denial-of-service and artificial intelligence attacks. This dissertation proposes that clients instead use hardware tokens to authenticate in a federated authentication environment. The federated authentication solution must resist both man-in-the-middle and denial-of-service attacks. The proposed system architecture uses the Kerberos protocol to satisfy both requirements. This work proposes novel extensions to Kerberos to make it more suitable for generic web authentication.
A server could verify client credentials and blacklist repeated offenders. Traffic from blacklisted clients, however, still traverses the server's network stack and consumes server resources. This work proposes Sentinel, a dedicated front-end network device that intercepts server-bound traffic, verifies authentication credentials and filters blacklisted traffic before it reaches the server. Using a front-end device also allows transparently deploying hardware acceleration using network co-processors. Network co-processors can discard blacklisted traffic at the hardware level before it wastes front-end host resources.
We implement the proposed system architecture by integrating existing software applications and libraries. We validate the system implementation by evaluating its performance under DDoS attacks consisting of floods of HTTP and HTTPS requests
Shibboleth and the challenge of authentication in multiple servers on a e-learning environment
L' objectiu d’aquest treball és l’estudi, implementació i prova d'un sistema de
autentificaciĂł compartida per a mĂşltiples servidors. Encara que des d'un principi es
sabia que es treballaria amb Shibboleth també s’han tingut en compte altres possibles
solucions. Shibboleth Ă©s un projecte desenvolupat per els membres de les universitats
que formen el consorci Internet2 amb l’ objectiu de desenvolupar un nou middleware
per a realitzar les funcions d’autentificació compartida en múltiples servidors i pensat
especĂficament per facilitar la col·laboraciĂł entre institucions i l’accĂ©s a continguts
digitals.
Shibboleth és una solució complerta ja que contempla des de l’autentificació ,
autoritzaciĂł i accounting, fins al sistema de login i els atributs a emprar. La qual cosa fa
que es converteixi en un entorn de treball molt segur però amb l’avantatge d’aportar
privacitat als usuaris.
El primer objectiu ha estat identificar les peculiaritats i requeriments dels entorns de elearning
distribuĂŻts, per això s’ha estudiat conceptes especĂfics de seguretat aixĂ com la
manera d’adaptar-los a l’entorn requerit. Desprès s’ha fet una comparativa de les
solucions existents al mercat amb una funcionalitat similar a Shibboleth, per tal de
presentar els avantatges i desavantatges de Shibboleth vers aquests.
Posteriorment, el treball ha consistit en entendre la estructura i els principis de
funcionament de Shibboleth, quin tipus de requeriments tenia, el funcionament i
objectius de cada part, estudiar els requeriments de l’entorn especĂfic per al qual ha
estat dissenyat (e-learning) i donar una idea general de com s’ hauria de fer la
implementació. També s’han estudiat totes les tecnologies i requeriments necessaris
per desenvolupar Shibboleth.
Una vegada estudiat Shibboleth i l'entorn especĂfic en el que s’hauria d’integrar, s’ha
muntat un escenari per a la posada en marxa i proves d’aquest, provant especĂficament
cada part i entenent amb les proves reals el funcionament. Amb l’escenari en
funcionament, la idea era integrar Shibboleth amb Sakai i Blackboard, els CMS (Course
Management System) utilitzats a on-campus, el campus virtual de la Fachhochschule
LĂĽbeck.
Per a finalitzar i a mode de conclusions s'ha fet una petita explicaciĂł dels resultats
obtinguts, una valoraciĂł de com Shibboleth resoldria les necessitats plantejades i
algunes propostes de millora
Using quantum key distribution for cryptographic purposes: a survey
The appealing feature of quantum key distribution (QKD), from a cryptographic
viewpoint, is the ability to prove the information-theoretic security (ITS) of
the established keys. As a key establishment primitive, QKD however does not
provide a standalone security service in its own: the secret keys established
by QKD are in general then used by a subsequent cryptographic applications for
which the requirements, the context of use and the security properties can
vary. It is therefore important, in the perspective of integrating QKD in
security infrastructures, to analyze how QKD can be combined with other
cryptographic primitives. The purpose of this survey article, which is mostly
centered on European research results, is to contribute to such an analysis. We
first review and compare the properties of the existing key establishment
techniques, QKD being one of them. We then study more specifically two generic
scenarios related to the practical use of QKD in cryptographic infrastructures:
1) using QKD as a key renewal technique for a symmetric cipher over a
point-to-point link; 2) using QKD in a network containing many users with the
objective of offering any-to-any key establishment service. We discuss the
constraints as well as the potential interest of using QKD in these contexts.
We finally give an overview of challenges relative to the development of QKD
technology that also constitute potential avenues for cryptographic research.Comment: Revised version of the SECOQC White Paper. Published in the special
issue on QKD of TCS, Theoretical Computer Science (2014), pp. 62-8
Tutorial: Identity Management Systems and Secured Access Control
Identity Management has been a serious problem since the establishment of the Internet. Yet little progress has been made toward an acceptable solution. Early Identity Management Systems (IdMS) were designed to control access to resources and match capabilities with people in well-defined situations, Today’s computing environment involves a variety of user and machine centric forms of digital identities and fuzzy organizational boundaries. With the advent of inter-organizational systems, social networks, e-commerce, m-commerce, service oriented computing, and automated agents, the characteristics of IdMS face a large number of technical and social challenges. The first part of the tutorial describes the history and conceptualization of IdMS, current trends and proposed paradigms, identity lifecycle, implementation challenges and social issues. The second part addresses standards, industry initia-tives, and vendor solutions. We conclude that there is disconnect between the need for a universal, seamless, trans-parent IdMS and current proposed standards and vendor solutions
- …