457 research outputs found

    Internet X.509 Public Key Infrastructure Operational Protocols -- LDAPv3

    This document describes the features of the Lightweight Directory Access Protocol v3 that are needed in order to support a public key infrastructure based on X.509 certificates and CRLs

    Enabling the Internet White Pages Service -- the Directory Guardian

    The Internet White Pages Service (IWPS) has been slow to materialise for many reasons. One of them is the security concerns that organisations have, over allowing the public to gain access to either their Intranet or their directory database. The Directory Guardian is a firewall application proxy for X.500 and LDAP protocols that is designed to alleviate these fears. Sitting in the firewall system, it filters directory protocol messages passing into and out of the Intranet, allowing security administrators to carefully control the amount of directory information that is released to the outside world. This paper describes the design of our Guardian system, and shows how relatively easy it is to configure its filtering capabilities. Finally the paper describes the working demonstration of the Guardian that was built for the 1997 World Electronic Messaging Association directory challenge. This linked the WEMA directory to the NameFLOW-Paradise Internet directory, and demonstrated some of the powerful filtering capabilities of the Guardian

    The Globe Infrastructure Directory Service

    To implement adaptive replication strategies for Web documents, we have developed a wide area resource management system. This system allows servers to be managed on a local and global level. On a local level the system manages information about the resources and services provided by the servers, while on a global level the system allows servers to be searched for, added to, and removed from the system. As part of the system, and also in order to implement adaptive replication strategies, we introduce a hierarchical location representation for network elements such as servers, objects, and clients. This location representation allows us to easily and efficiently find and group network elements based on their location in a worldwide network. Our resource management system can be implemented using standard Internet technologies and has a broader range of applications besides making adaptive replication strategies possible for Web documents

    The LDAP URL Format


    Processing of XML Descriptions of OTP

    The focus of this thesis is the design and implementation of a modular application for parsing XML descriptions of OTP keys used mainly by hardware solutions of RSA and Yubico. The thesis also describes the design and implementation of a module used to upload the parsed information onto a 389DS directory server. This thesis acquaints the reader with the basics of one time passwords, the PSKC standard and the LDAP protocol. Finally this thesis analyzes the possibilities of future development of the application.

    Detection of Lightweight Directory Access Protocol Query Injection Attacks in Web Applications

    The Lightweight Directory Access Protocol (LDAP) is a common protocol used in organizations for Directory Service. LDAP is popular because of its features such as representation of data objects in hierarchical form, being open source and relying on TCP/IP, which is necessary for Internet access. However, with LDAP being used in a large number of web applications, different types of LDAP injection attacks are becoming common. The idea behind LDAP injection attacks is to take advantage of an application not validating inputs before being used as part of LDAP queries. An attacker can provide inputs that may result in alteration of intended LDAP query structure. LDAP injection attacks can lead to various types of security breaches including (i) Login Bypass, (ii) Information Disclosure, (iii) Privilege Escalation, and (iv) Information Alteration. Despite many research efforts focused on traditional SQL Injection attacks, most of the proposed techniques cannot be suitably applied for mitigating LDAP injection attacks due to syntactic and semantic differences between LDAP and SQL queries. Many implemented web applications remain vulnerable to LDAP injection attacks. In particular, there has been little attention for testing web applications to detect the presence of LDAP query injection attacks. The aim of this thesis is twofold: First, study various types of LDAP injection attacks and vulnerabilities reported in the literature. The planned research is to critically examine and evaluate existing injection mitigation techniques using a set of open source applications reported to be vulnerable to LDAP query injection attacks. Second, propose an approach to detect LDAP injection attacks by generating test cases when developing secure web applications. In particular, the thesis focuses on specifying signatures for detecting LDAP injection attack types using Object Constraint Language (OCL) and evaluates the proposed approach using PHP web applications. We also measure the effectiveness of generated test cases using a metric named Mutation Score

    User Provisioning Processes in Identity Management addressing SAP Campus Management

    This document is the report of the work of an ISWA working team on a WUSKAR case study. This study tackles on the desire of meta directory synchronisation with a proprietary SAP R/3 system in the context of an identity management system. Early tasks concern identifying exact desires and scenarios, modelling the synchronisation process, identifying what relevant data is to be processed, as well as proposing templates for the matching and transformation process. Intermediate tasks are related to the technical aspects of the case study, as well as problem task division and progress management, regular review of strategic and technical choices

    Self-adaptive Grid Resource Monitoring and discovery

    The Grid provides a novel platform where the scientific and engineering communities can share data and computation across multiple administrative domains. There are several key services that must be offered by Grid middleware; one of them being the Grid Information Service (GIS). A GIS is a Grid middleware component which maintains information about hardware, software, services and people participating in a virtual organisation (VO). There is an inherent need in these systems for the delivery of reliable performance. This thesis describes a number of approaches which detail the development and application of a suite of benchmarks for the prediction of the process of resource discovery and monitoring on the Grid. A series of experimental studies of the characterisation of performance using benchmarking, are carried out. Several novel predictive algorithms are presented and evaluated in terms of their predictive error. Furthermore, predictive methods are developed which describe the behaviour of MDS2 for a variable number of user requests. The MDS is also extended to include job information from a local scheduler; this information is queried using requests of greatly varying complexity. The response of the MDS to these queries is then assessed in terms of several performance metrics. The benchmarking of the dynamic nature of information within MDS3 which is based on the Open Grid Services Architecture (OGSA), and also the successor to MDS2, is also carried out. The performance of both the pull and push query mechanisms is analysed. GridAdapt (Self-adaptive Grid Resource Monitoring) is a new system that is proposed, built upon the Globus MDS3 benchmarking. It offers self-adaptation, autonomy and admission control at the Index Service, whilst ensuring that the MDS is not overloaded and can meet its quality-of-service, for example, in terms of its average response time for servicing synchronous queries and the total number of queries returned per unit time

    Security slicing for auditing common injection vulnerabilities

    Cross-site scripting and injection vulnerabilities are among the most common and serious security issues for Web applications. Although existing static analysis approaches can detect potential vulnerabilities in source code, they generate many false warnings and source-sink traces with irrelevant information, making their adoption impractical for security auditing. One suitable approach to support security auditing is to compute a program slice for each sink, which contains all the information required for security auditing. However, such slices are likely to contain a large amount of information that is irrelevant to security, thus raising scalability issues for security audits. In this paper, we propose an approach to assist security auditors by defining and experimenting with pruning techniques to reduce original program slices to what we refer to as security slices, which contain sound and precise information. To evaluate the proposed approach, we compared our security slices to the slices generated by a state-of-the-art program slicing tool, based on a number of open-source benchmarks. On average, our security slices are 76% smaller than the original slices. More importantly, with security slicing, one needs to audit approximately 1% of the total code to fix all the vulnerabilities, thus suggesting significant reduction in auditing costs

    Design and Implementation of an Employee Directory and Single Sign-On System (Disseny i implantació d'un directori d'empleats i sistema de login únic)

    The objective of this project is to deploy an employee directory solution that unifies all the information on employees, users, groups and application access controls of a multinational pharmaceutical company