489 research outputs found
Internet X.509 Public Key Infrastructure Operational Protocols -- LDAPv3
This document describes the features of the Lightweight Directory Access Protocol v3 that are needed in order to support a public key infrastructure based on X.509 certificates and CRLs
An Evaluated Certification Services System for the German National Root CA - Legally Binding and Trustworthy Transactions in E-Business and E-Government
National Root CAs enable legally binding E-Business and E-Government
transactions. This is a report about the development, the evaluation and the
certification of the new certification services system for the German National
Root CA. We illustrate why a new certification services system was necessary,
and which requirements to the new system existed. Then we derive the tasks to
be done from the mentioned requirements. After that we introduce the initial
situation at the beginning of the project. We report about the very process and
talk about some unfamiliar situations, special approaches and remarkable
experiences. Finally we present the ready IT system and its impact to
E-Business and E-Government.Comment: 6 pages; 1 figure; IEEE style; final versio
IPv6 Network Mobility
Network Authentication, Authorization, and Accounting has
been used since before the days of the Internet as we know it
today. Authentication asks the question, “Who or what are
you?” Authorization asks, “What are you allowed to do?” And fi nally,
accounting wants to know, “What did you do?” These fundamental
security building blocks are being used in expanded ways today. The
fi rst part of this two-part series focused on the overall concepts of
AAA, the elements involved in AAA communications, and highlevel
approaches to achieving specifi c AAA goals. It was published in
IPJ Volume 10, No. 1[0]. This second part of the series discusses the
protocols involved, specifi c applications of AAA, and considerations
for the future of AAA
Enhanced security architecture for support of credential repository in grid computing.
Grid Computing involves heterogeneous computers and resources, multiple administrative domains and the mechanisms and techniques for establishing and maintaining effective and secure communications between devices and systems. Both authentication and authorization are required. Current authorization models in each domain vary from one system to another, which makes it difficult for users to obtain authorization across multiple domains at one time. We propose an enhanced security architecture to provide support for decentralized authorization based on attribute certificates which may be accessed via the Internet. This allows the administration of privileges to be widely distributed over the Internet in support of autonomy for resource owners and providers. In addition, it provides a uniform approach for authorization which may be used by resource providers from various domains. We combine authentication with the authorization mechanism by using both MyProxy online credential repository and LDAP directory server. In our architecture, we use MyProxy server to store identity certificates for authentication, and utilize an LDAP server-based architecture to store attribute certificates for authorization. Using a standard web browser, a user may connect to a grid portal and allow the portal to retrieve those certificates in order to access grid resources on behalf of the user. Thus, our approach can make use of the online credential repository to integrate authentication, delegation and attribute based access control together to provide enhanced, flexible security for grid system. Paper copy at Leddy Library: Theses & Major Papers - Basement, West Bldg. / Call Number: Thesis2004 .C54. Source: Masters Abstracts International, Volume: 43-01, page: 0231. Adviser: R. D. Kent. Thesis (M.Sc.)--University of Windsor (Canada), 2004
{SoK}: {An} Analysis of Protocol Design: Avoiding Traps for Implementation and Deployment
Today's Internet utilizes a multitude of different protocols. While some of these protocols were first implemented and used and later documented, other were first specified and then implemented. Regardless of how protocols came to be, their definitions can contain traps that lead to insecure implementations or deployments. A classical example is insufficiently strict authentication requirements in a protocol specification. The resulting Misconfigurations, i.e., not enabling strong authentication, are common root causes for Internet security incidents. Indeed, Internet protocols have been commonly designed without security in mind which leads to a multitude of misconfiguration traps. While this is slowly changing, to strict security considerations can have a similarly bad effect. Due to complex implementations and insufficient documentation, security features may remain unused, leaving deployments vulnerable. In this paper we provide a systematization of the security traps found in common Internet protocols. By separating protocols in four classes we identify major factors that lead to common security traps. These insights together with observations about end-user centric usability and security by default are then used to derive recommendations for improving existing and designing new protocols---without such security sensitive traps for operators, implementors and users
{SoK}: {An} Analysis of Protocol Design: Avoiding Traps for Implementation and Deployment
Today's Internet utilizes a multitude of different protocols. While some of these protocols were first implemented and used and later documented, other were first specified and then implemented. Regardless of how protocols came to be, their definitions can contain traps that lead to insecure implementations or deployments. A classical example is insufficiently strict authentication requirements in a protocol specification. The resulting Misconfigurations, i.e., not enabling strong authentication, are common root causes for Internet security incidents. Indeed, Internet protocols have been commonly designed without security in mind which leads to a multitude of misconfiguration traps. While this is slowly changing, to strict security considerations can have a similarly bad effect. Due to complex implementations and insufficient documentation, security features may remain unused, leaving deployments vulnerable. In this paper we provide a systematization of the security traps found in common Internet protocols. By separating protocols in four classes we identify major factors that lead to common security traps. These insights together with observations about end-user centric usability and security by default are then used to derive recommendations for improving existing and designing new protocols---without such security sensitive traps for operators, implementors and users
Flexible and Scalable Public Key Security for SSH
A standard tool for secure remote access, the SSH protocol uses public-key cryptography to establish an encrypted and integrity-protected channel with a remote server. However, widely-deployed implementations of the protocol are vulnerable to man-in-the-middle attacks, where an adversary substitutes her public key for the server\u27s. This danger particularly threatens a traveling user Bob borrowing a client machine.
Imposing a traditional X.509 PKI on all SSH servers and clients is neither flexible nor scalable nor (in the foreseeable future) practical. Requiring extensive work or an SSL server at Bob\u27s site is also not practical for many users.
This paper presents our experiences designing and implementing an alternative scheme that solves the public-key security problem in SSH without requiring such an a priori universal trust structure or extensive sysadmin work--although it does require a modified SSH client. (The code is available for public download.
- …