Authentication for mobile computing
Host mobility is becoming an increasingly important feature with the recent arrival of laptop and palmtop computers, the development of wireless network interfaces and the implementation of global networks. Unfortunately, this mobile environment is also much more vulnerable to penetration by intruders. One possible means of protection is authentication, which guarantees the identity of a communication peer.
This thesis studies the constraints the mobile environment imposes on authentication. It compares the two prevailing authentication mechanisms, Kerberos and SPX, and suggests how such a mechanism can be adapted to the mobile environment.
Detection of Active Directory attacks
Organizations that use Active Directory to manage identities have to protect their data from adversaries and security threats. This thesis analyses known attacks targeting Active Directory and the possibilities of detecting them based on Windows Security auditing. The implementation part focuses on designing detection rules covering the analysed attack scenarios. The rules were designed and implemented in Splunk, then tested and evaluated by executing the attacks in a virtual environment. The rules, or the detection principles used in them, can serve as a baseline for implementing Active Directory security monitoring in organizations, regardless of the chosen technology. The appendix contains the designed rules in the form of Analytic Stories that extend the content of the existing Splunk ES Content Update application. The Stories are supplemented with related searches that provide context useful for investigation.
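As an added illustration of the kind of rule the abstract describes (a detection built on Windows Security auditing), the following Go program runs a Kerberoasting check over constructed event 4769 records. It is example code written for this page, not a rule from the thesis or from Splunk ES Content Update; the key=value line format, the account names, SPNs, addresses and the threshold of three services are assumptions of the example. The field names (EventCode, TargetUserName, ServiceName, TicketEncryptionType, IpAddress) are those of the real 4769 event, and 0x17 is the RC4-HMAC ticket encryption type that Kerberoasting tools commonly request because RC4 tickets crack faster offline.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Constructed sample of Windows Security audit records flattened to
// key=value text. EventCode 4769 is "A Kerberos service ticket was
// requested"; the field names are the real event's, while the accounts,
// SPNs and addresses are invented for this example.
var sampleEvents = []string{
	"EventCode=4769 TargetUserName=jdoe@CORP.LOCAL ServiceName=svc_sql TicketEncryptionType=0x17 IpAddress=10.10.20.15",
	"EventCode=4769 TargetUserName=jdoe@CORP.LOCAL ServiceName=svc_web TicketEncryptionType=0x17 IpAddress=10.10.20.15",
	"EventCode=4769 TargetUserName=jdoe@CORP.LOCAL ServiceName=svc_backup TicketEncryptionType=0x17 IpAddress=10.10.20.15",
	"EventCode=4769 TargetUserName=jdoe@CORP.LOCAL ServiceName=krbtgt TicketEncryptionType=0x17 IpAddress=10.10.20.15",
	"EventCode=4769 TargetUserName=jdoe@CORP.LOCAL ServiceName=FS01$ TicketEncryptionType=0x17 IpAddress=10.10.20.15",
	"EventCode=4769 TargetUserName=alice@CORP.LOCAL ServiceName=svc_sql TicketEncryptionType=0x12 IpAddress=10.10.20.31",
	"EventCode=4769 TargetUserName=alice@CORP.LOCAL ServiceName=svc_legacy TicketEncryptionType=0x17 IpAddress=10.10.20.31",
	"EventCode=4624 TargetUserName=alice@CORP.LOCAL LogonType=3 IpAddress=10.10.20.31",
}

// Finding is one alert: an account that requested RC4 service tickets
// for several distinct service accounts.
type Finding struct {
	User     string
	Services []string // distinct services requested with RC4, sorted
}

// parseEvent splits one "k=v k=v" line into a field map.
func parseEvent(line string) map[string]string {
	fields := map[string]string{}
	for _, kv := range strings.Fields(line) {
		parts := strings.SplitN(kv, "=", 2)
		if len(parts) == 2 {
			fields[parts[0]] = parts[1]
		}
	}
	return fields
}

// isRoastable excludes two sources of benign RC4 4769 noise: krbtgt
// (TGT-related requests) and computer accounts ("$" suffix), whose long
// random passwords make offline cracking impractical.
func isRoastable(service string) bool {
	return service != "" && !strings.EqualFold(service, "krbtgt") && !strings.HasSuffix(service, "$")
}

// detectKerberoasting flags every account that requested service tickets
// with TicketEncryptionType 0x17 (RC4-HMAC) for at least minServices
// distinct roastable services. Only 4769 records are considered.
func detectKerberoasting(lines []string, minServices int) []Finding {
	perUser := map[string]map[string]bool{}
	for _, line := range lines {
		ev := parseEvent(line)
		if ev["EventCode"] != "4769" || ev["TicketEncryptionType"] != "0x17" {
			continue
		}
		svc := ev["ServiceName"]
		if !isRoastable(svc) {
			continue
		}
		user := ev["TargetUserName"]
		if perUser[user] == nil {
			perUser[user] = map[string]bool{}
		}
		perUser[user][svc] = true
	}
	var findings []Finding
	for user, svcs := range perUser {
		if len(svcs) < minServices {
			continue
		}
		names := make([]string, 0, len(svcs))
		for s := range svcs {
			names = append(names, s)
		}
		sort.Strings(names)
		findings = append(findings, Finding{User: user, Services: names})
	}
	sort.Slice(findings, func(i, j int) bool { return findings[i].User < findings[j].User })
	return findings
}

func main() {
	for _, f := range detectKerberoasting(sampleEvents, 3) {
		fmt.Printf("possible Kerberoasting by %s: RC4 tickets for %s\n", f.User, strings.Join(f.Services, ", "))
	}
}
```

On the sample, only jdoe is reported: the krbtgt and FS01$ requests are discarded by the exclusion, alice's single RC4 request stays below the threshold, and her AES (0x12) request is ignored altogether. In a real deployment the same logic needs a time window (many distinct SPNs within minutes, not over a month) and a baseline of services that legitimately still negotiate RC4, otherwise the rule is noisy in domains that have not yet disabled RC4.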
Operator authentication and accountability for SCADA servers when requests are forwarded by a middle layer
Because of their critical nature, the actions operators perform on Industrial Control Systems (ICS) are subject to source authentication and accountability. When commands are not sent directly by the user but forwarded by intermediate servers, the compromise of those servers threatens the security of the whole architecture. This Master's thesis provides a solution to that problem, guaranteeing end-to-end authentication while meeting cost and performance requirements. Based on an analysis of several candidate solutions, digital signatures were assessed to be the most flexible and secure option. The proposed solution also relies on Microsoft's Active Directory, which manages credentials in the target architecture, to securely bind public keys to user identities. A prototype implementation of the proposed design is included, together with a limited performance evaluation. These confirm the validity of the design, which guarantees end-to-end authentication and accountability of command requests while keeping implementation and maintenance costs low and the added latency per message negligible.
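The following Go program is an added example of the property the abstract claims, not the thesis's prototype: the operator workstation signs each command, the middle layer forwards it, and the SCADA server verifies the signature against the public key bound to the claimed operator identity, so the forwarding layer cannot alter, replay or forge commands even when fully compromised. Ed25519, the in-memory `Directory` map standing in for the Active Directory key binding, the sequence-number replay check and the command strings are all assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

var (
	ErrUnknownOperator = errors.New("operator not found in directory")
	ErrBadSignature    = errors.New("signature does not verify under the operator's key")
	ErrReplay          = errors.New("sequence number already seen for this operator")
)

// Directory stands in for the identity store that binds an operator name to
// a public key (the thesis uses Active Directory for this; the map is an
// assumption of this example, not the thesis's schema).
type Directory map[string]ed25519.PublicKey

// CommandRequest is produced and signed on the operator's workstation and
// forwarded unchanged by the middle layer.
type CommandRequest struct {
	Operator string
	Seq      uint64 // increasing per operator, used for replay detection
	Command  string
	Sig      []byte
}

// payload is the byte string that is signed. Fields are length-prefixed so
// that different (operator, command) pairs cannot serialize identically.
func payload(operator string, seq uint64, cmd string) []byte {
	return []byte(fmt.Sprintf("%d:%s|%d|%d:%s", len(operator), operator, seq, len(cmd), cmd))
}

// SignCommand runs on the workstation, where the operator's private key lives.
func SignCommand(operator string, priv ed25519.PrivateKey, seq uint64, cmd string) CommandRequest {
	return CommandRequest{
		Operator: operator, Seq: seq, Command: cmd,
		Sig: ed25519.Sign(priv, payload(operator, seq, cmd)),
	}
}

// Server is the SCADA endpoint. It never trusts the forwarding layer: each
// request is verified against the key bound to the claimed operator, and the
// accepted requests are kept as the accountability record.
type Server struct {
	dir     Directory
	lastSeq map[string]uint64
	Audit   []string
}

func NewServer(dir Directory) *Server {
	return &Server{dir: dir, lastSeq: map[string]uint64{}}
}

// Accept checks the signature before the replay state so that a forged
// request cannot advance the operator's sequence high-water mark.
func (s *Server) Accept(r CommandRequest) error {
	pub, ok := s.dir[r.Operator]
	if !ok {
		return fmt.Errorf("%w: %q", ErrUnknownOperator, r.Operator)
	}
	if !ed25519.Verify(pub, payload(r.Operator, r.Seq, r.Command), r.Sig) {
		return ErrBadSignature
	}
	if r.Seq <= s.lastSeq[r.Operator] {
		return ErrReplay
	}
	s.lastSeq[r.Operator] = r.Seq
	s.Audit = append(s.Audit, fmt.Sprintf("%s seq=%d %q", r.Operator, r.Seq, r.Command))
	return nil
}

// Scenario plays out one honest forward and three things a compromised
// middle layer might try; the slice holds the server's verdicts in that
// order (nil means accepted).
func Scenario() []error {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	_, midPriv, err := ed25519.GenerateKey(rand.Reader) // middle layer's own key, bound to no operator
	if err != nil {
		panic(err)
	}
	srv := NewServer(Directory{"alice": pub})

	r1 := SignCommand("alice", priv, 1, "OPEN valve-12")
	tampered := r1
	tampered.Command = "CLOSE valve-12"                          // command rewritten in transit
	forged := SignCommand("alice", midPriv, 2, "OPEN valve-99") // signed as alice with the wrong key

	return []error{
		srv.Accept(r1),       // honest forward: accepted and logged
		srv.Accept(tampered), // ErrBadSignature
		srv.Accept(r1),       // ErrReplay
		srv.Accept(forged),   // ErrBadSignature
	}
}

func main() {
	for i, err := range Scenario() {
		fmt.Printf("request %d: %v\n", i+1, err)
	}
}
```

The point to notice is that the server holds no shared secret with the middle layer at all; the only trust anchor is the operator-to-public-key binding, which is why the abstract leans on the directory that already manages credentials. A deployment also needs key rotation and revocation through that directory and a signed timestamp or sequence that is checked per operator, as the replay check here does.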
Context-aware multi-factor authentication
Work presented as part of the Master's programme in Computer Engineering, as a partial requirement for the degree of Master in Computer Engineering.
Authentication systems, as available today, are inappropriate for the requirements of ubiquitous, heterogeneous and large-scale distributed systems. Some important limitations are: (i) the use of weak or rigid authentication factors as proofs of a principal's identity; (ii) no flexibility to combine different authentication modes for dynamic, context-aware interaction criteria; (iii) models that are not extensible to integrate new or emerging pervasive authentication factors; and (iv) difficulty in managing the coexistence of multi-factor authentication proofs in a unified single sign-on solution. The objective of this dissertation is the design, implementation and experimental evaluation of a platform supporting multi-factor authentication services, as a contribution to overcoming the above limitations. The devised platform provides a uniform and flexible authentication base for multi-factor authentication requirements and context-aware authentication modes for ubiquitous applications and services. The main contribution is the design and implementation of an extensible authentication framework model, integrating classic as well as new pervasive authentication factors that can be composed for different context-aware dynamic requirements. Flexibility is addressed by a unified authentication back-end that supports authentication modes defined as processes and rules expressed in a SAML-based declarative markup language. The authentication base supports an extended single sign-on system that can be dynamically tailored to multi-factor authentication policies for large-scale distributed applications and according to ubiquitous interaction needs.
Cross-enterprise access control security for electronic health records: Technical, practical and legislation impact
In this thesis we investigate the relationship between security, privacy, legislation and computational power in relation to Cross-Enterprise User Assertions (XUA), which allows us to develop recommendations for the appropriate architecture, functionality, cryptographic algorithms and key lengths. The evolution of health records from paper to electronic media promises to be an important part of improving the quality of health care. The diversity of organizations, systems, geography, laws and regulations creates a significant challenge for ensuring the privacy of Electronic Health Records (EHRs) while maintaining availability. XUA is a technology that attempts to address the problem of sharing EHRs across enterprise boundaries. We rely on NSA Suite B cryptography to provide the fundamental framework of minimum security requirements at the 128-bit security level. We also recommend using the National Institute of Standards and Technology's (NIST) FIPS 140-2 specification to establish confidence in the software's security features.
Study and development of a remote biometric authentication protocol
This paper reports the phases of study and implementation of a remote biometric authentication protocol developed during my internship at the I.i.t. of the C.n.r. in Pisa. Starting from the history of authentication, we looked at systems from the first ones used in the 1960s to the latest technology; this helped us understand how to build a working demonstration protocol that achieves remote web authentication with good reliability. To do this we chose to extend the SSL handshake with biometric tests, and we decided to use smart cards as a secure vault for the sensitive biometric data involved. The first chapter gives a brief definition of authentication and an introduction to how it can be achieved, with a particular focus on new biometric techniques. The second chapter covers the history of authentication from the very first password systems to current ones; new token and smart card technologies are treated at greater length to introduce the reader to the last chapter. The third chapter presents the project framework, the development of our implementation choices and the source code of the demo project.
Security mechanisms for next-generation mobile networks
Basic concepts and definitions -- Motivation and research challenges -- Research objectives -- Mobile value-added service access -- UMTS access security -- DoS attacks in mobile networks -- A lightweight mobile service access based on reusable tickets -- Background work and motivation -- Service access through tickets -- System security analysis -- Comparisons with related work -- Enhancing UMTS AKA with vector combination -- Overview of UMTS AKA -- UMTS AKA weaknesses -- Vector combination based AKA -- Security analysis of VC-AKA -- Mobility-oriented AKA in UMTS -- Mobility-oriented authentication -- Security analysis of MO-AKA -- A fine-grained puzzle against DoS attacks -- Quasi partial collision -- Fine-grained control over difficulties -- Lightweight to mobile devices -- Against replay attacks -- Confidentiality, integrity and user privacy
Adaptive management of emerging battlefield network
The management of a battlefield network takes place in a Network Operations Center (NOC). Depending on the importance of the managed network, the manager is sometimes required to be present at all times within the physical installations of the NOC. The decisions cover a wide spectrum of network configuration, fault detection and repair, and network performance improvement. Especially in battlefield network operations, these decisions are sometimes so important that they can be characterized as critical to the success of the whole military operation. Most of the time the allowed response time is so short that it exceeds the limits of human physical response. An automated response that also carries the characteristics of human intelligence is needed to overcome the restrictions that the human nature of an administrator imposes. This research will establish the proper computer network management architecture for an adaptive network. This architecture will enhance the capabilities of network management in terms of both cost and efficiency.
http://archive.org/details/adaptivemanageme109451678
Lieutenant Commander, Hellenic Navy
Approved for public release; distribution is unlimited
Big Data and Large-scale Data Analytics: Efficiency of Sustainable Scalability and Security of Centralized Clouds and Edge Deployment Architectures
One of the significant shifts of the next-generation computing technologies will certainly be in the development of Big Data (BD) deployment architectures. Apache Hadoop, the BD landmark, evolved into a widely deployed BD operating system. Its new features include a federation structure and many associated frameworks, which give Hadoop 3.x the maturity to serve different markets. This dissertation addresses two leading issues involved in exploiting the BD and large-scale data analytics realm using the Hadoop platform: (i) scalability, which directly affects system performance and overall throughput, using portable Docker containers; and (ii) security, which spreads the adoption of data protection practices among practitioners, using access controls. An Enhanced MapReduce Environment (EME), an OPportunistic and Elastic Resource Allocation (OPERA) scheduler, a BD Federation Access Broker (BDFAB), and a Secure Intelligent Transportation System (SITS) with a multi-tier architecture for data streaming to the cloud are the main contributions of this thesis.
Innovative Location Based Scheme for Internet Security Protocol. A proposed Location Based Scheme N-Kerberos Security Protocol Using Intelligent Logic of Believes, Particularly by Modified BAN Logic.
The importance of data authentication has led to the science of data protection. Interest in this field has been growing with the increased need for privacy of the user's identity, especially after the widespread use of online transactions. Many security techniques are available to protect the user's identity, including passwords, smart cards or tokens, and face or fingerprint recognition. Unfortunately, it is still possible to duplicate a user's identity. Recently, specialists have used the user's physical location as an additional factor to strengthen verification of the user's identity.
This thesis focuses on location-based user authentication. It is based on the idea of using the Global Positioning System to verify the user's identity. An improvement of the Kerberos protocol using the GPS signal is proposed in order to eliminate the effect of replay attacks. The proposal does not demand high performance from the user during the operation of the security system. Moreover, for users to have confidence in a security protocol, it has to be evaluated before being accepted. To this end, BAN logic, a tool used to validate protocols, is described. In this thesis, a new form of BAN logic is proposed that aims to make the process of checking a protocol's protection strength with the GPS signal more efficient.
The proposed form of the Kerberos protocol has been analysed using the new form of BAN logic. The new scheme has been tested and compared with existing techniques to demonstrate its merits and capabilities.