412 research outputs found

    Library and Tools for Server-Side DNSSEC Implementation

    Get PDF
    Tato práce se zabývá analýzou současných open source řešení pro zabezpečení DNS zón pomocí technologie DNSSEC. Na základě provedené rešerše je navržena a implementována nová knihovna pro použití na autoritativních DNS serverech. Cílem knihovny je zachovat výhody stávajících řešení a vyřešit jejich nedostatky. Součástí návrhu je i sada nástrojů pro správu politiky a klíčů. Funkčnost vytvořené knihovny je ukázána na jejím použití v serveru Knot DNS.This thesis deals with currently available open-source solutions for securing DNS zones using the DNSSEC mechanism. Based on the findings, a new DNSSEC library for an authoritative name server is designed and implemented. The aim of the library is to keep the benefits of existing solutions and to eliminate their drawbacks. Also a set of utilities to manage keys and signing policy is proposed. The functionality of the library is demonstrated by it's use in the Knot DNS server.

    Security of Health Information Databases

    Get PDF
    Tundlike andmete turvaline kogumine ja hoiustamine on väga vajalik. Olenevalt olukorrast võib see osutuda aga oodatust keerulisemaks. Andmebaasis olevate andmete turvalisus võib jääda tähelepanuta või seda võidakse ülehinnata. Rakenduse poolel andmete krüpteerimine on üks moodus laialdaselt esinevate probleemide ennetamiseks. Selle töö eesmärk on esitada näidisrakendus andmete turvalise kogumise kohta. See implementatsioon esitab andmete kogumise protsessi. Me katsetame kahte odavama hinnaklassi riistvaralisi turvamoodulit rakendusega siduda. Tulemustest on näha kaasnevaid raskusi, lootusega et protsessi saab parendada. Näidisrakendust saab kasutada tundlike andmete kogumise meetodite lisamisel olemasolevatesse andmehaldusrakendustesse.Secure storage of sensitive data is a strong requirement in current times. Depending on the scenario it could prove more difficult than first expected. Data security on the database side is often overlooked or underestimated. Application side encryption can be used to avoid many of the common issues. In the thesis we aim to give an implementation of one scheme for secure data gathering and storage. The implementation consists of three applications to display the process of gathering data. We also attempt to integrate two low budget Hardware Security Modules (HSMs) into our scheme. The thesis shows the difficulties with the hope, that the process could be improved. The given example can be used to add specialised sensitive data collection methods to existing data management software

    Sähköisen identiteetin toteuttaminen TPM 2.0 -laitteistolla

    Get PDF
    Most of the financial, healthcare, and governmental services are available on Internet, where traditional identification methods used on face-to-face identification are not possible. Identification with username and password is a mediocre solution and therefore some services require strong authentication. Finland has three approved strong authentication methods: smart cards, bank credentials, and mobile ID. Out of the three authentication methods, only the government issued smart card is available to everyone who police can identify reliably. Bank credentials require identification with an identity document from Finland or other European Economic Area (EEA) country. Mobile ID explicitly require identification with Finnish identity document. The problem with smart cards is the requirement for a reader, slow functioning, and requirement for custom driver. A TPM could function as a replacement for a smart card with accompanying software library. In this thesis, I created a PKCS #11 software library that allows TPM to be used for browser based authentication according to draft specification by Finnish population registry. The keys used for authentication are created, stored and used securely inside the TPM. TPMs are deemed viable replacement for smart cards. The implemented system is faster to use than smart cards and has similar security properties as smart cards have. The created library contains implementations for 30% of all TPM 2.0 functions and could be used as a base for further TPM 2.0 based software.Pankki-, terveys- ja julkiset palvelut ovat suureksi osin saatavilla internetin välityksellä. Tunnistautuminen käyttäjätunnuksella ja salasanalla ei takaa riittävää luotettavuutta, vaan joissain palveluissa on käytettävä vahvaa tunnistautumista. Suomessa on tällä hetkellä käytössä kolme vahvaa tunnistautumisvälinettä: pankkien käyttämät verkkopankkitunnukset, Väestörekisterikeskuksen kansalaisvarmenne ja teleyritysten mobiilivarmenteet. Näistä kolmesta kansalaisvarmenne on ainoa, joka ei vaadi asiakkuutta ja on täten kaikille saatavilla, jotka poliisi voi luotettavasti tunnistaa. Verkkopankkitunnukset vaativat tunnistautumisen suomalaisella tai Euroopan talousalueen (ETA) valtion myöntämällä henkilötodistus. Mobiilivarmenne myönnetään vain henkilölle, joka voidaan tunnistaa suomalaisella henkilötodistuksella. Kansalaisvarmenne on kuitenkin älykortti kaikkine älykortin ongelmineen: sen käyttämiseen tarvitaan erillinen lukija, sen toiminta on hidasta ja se vaatii erillisen laiteajurin. Tämän työn tavoitteena on luoda ratkaisu, jolla älykorttipohjainen tunnistautuminen voidaan toteuttaa tietokoneissa olevan TPM-piirin avulla. Tässä diplomityössä luotiin PKCS #11 -rajapinnan täyttävä ohjelmistokirjasto, joka mahdollistaa TPM-piirin käyttämisen tunnistautumiseen selaimessa Väestörekisterikeskuksen laatiman määritelmän luonnoksen mukaan. Tunnistautumisavaimet luodaan, tallennetaan ja niitä käytetään TPM:ssa, mikä varmistaa avainten luottamuksellisuuden. Älykortin toiminnallisuudet todettiin mahdolliseksi toteuttaa TPM-piirillä. Toteutettu järjestelmä on nopeampi käyttää kuin älykortti ja se takaa älykortteja vastaavan tietoturvatason. Työn tuloksena tehty kirjasto toteuttaa 30 % kaikista TPM 2.0 -ohjelmistorajapinnoista, ja kirjastoa voidaan käyttää osana tulevia TPM 2.0 -ohjelmistoja

    Type-Based Analysis of Generic Key Management APIs

    Get PDF
    In the past few years, cryptographic key management APIs have been shown to be subject to tricky attacks based on the improper use of cryptographic keys. In fact, real APIs provide mechanisms to declare the intended use of keys but they are not strong enough to provide key security. In this paper, we propose a simple imperative programming language for specifying strongly-typed APIs for the management of symmetric, asymmetric and signing keys. The language requires that type information is stored together with the key but it is independent of the actual low-level implementation. We develop a type-based analysis to prove the preservation of integrity and confidentiality of sensitive keys and we show that our abstraction is expressive enough to code realistic key management APIs

    Strong Electronic Identification: Survey & Scenario Planning

    Get PDF
    The deployment of more high-risk services such as online banking and government services on the Internet has meant that the need and demand for strong electronic identity is bigger today more than ever. Different stakeholders have different reasons for moving their services to the Internet, including cost savings, being closer to the customer or citizen, increasing volume and value of services among others. This means that traditional online identification schemes based on self-asserted identities are no longer sufficient to cope with the required level of assurance demanded by these services. Therefore, strong electronic identification methods that utilize identifiers rooted in real world identities must be provided to be used by customers and citizens alike on the Internet. This thesis focuses on studying state-of-the-art methods for providing reliable and mass market strong electronic identity in the world today. It looks at concrete real-world examples that enable real world identities to be transferred and used in the virtual world of the Internet. The thesis identifies crucial factors that determine what constitutes a strong electronic identity solution and through these factors evaluates and compares the example solutions surveyed in the thesis. As the Internet become more pervasive in our lives; mobile devices are becoming the primary devices for communication and accessing Internet services. This has thus, raised the question of what sort of strong electronic identity solutions could be implemented and how such solutions could adapt to the future. To help to understand the possible alternate futures, a scenario planning and analysis method was used to develop a series of scenarios from underlying key economic, political, technological and social trends and uncertainties. The resulting three future scenarios indicate how the future of strong electronic identity will shape up with the aim of helping stakeholders contemplate the future and develop policies and strategies to better position themselves for the future

    Strong Electronic Identification: Survey & Scenario Planning

    Get PDF
    The deployment of more high-risk services such as online banking and government services on the Internet has meant that the need and demand for strong electronic identity is bigger today more than ever. Different stakeholders have different reasons for moving their services to the Internet, including cost savings, being closer to the customer or citizen, increasing volume and value of services among others. This means that traditional online identification schemes based on self-asserted identities are no longer sufficient to cope with the required level of assurance demanded by these services. Therefore, strong electronic identification methods that utilize identifiers rooted in real world identities must be provided to be used by customers and citizens alike on the Internet. This thesis focuses on studying state-of-the-art methods for providing reliable and mass market strong electronic identity in the world today. It looks at concrete real-world examples that enable real world identities to be transferred and used in the virtual world of the Internet. The thesis identifies crucial factors that determine what constitutes a strong electronic identity solution and through these factors evaluates and compares the example solutions surveyed in the thesis. As the Internet become more pervasive in our lives; mobile devices are becoming the primary devices for communication and accessing Internet services. This has thus, raised the question of what sort of strong electronic identity solutions could be implemented and how such solutions could adapt to the future. To help to understand the possible alternate futures, a scenario planning and analysis method was used to develop a series of scenarios from underlying key economic, political, technological and social trends and uncertainties. The resulting three future scenarios indicate how the future of strong electronic identity will shape up with the aim of helping stakeholders contemplate the future and develop policies and strategies to better position themselves for the future

    A protocol for programmable smart cards

    Get PDF
    This paper presents an open protocol for interoperability across multi-vendor programmable smart cards. It allows exposition of on-card storage and cryptographic services to host applications in a unified, card-independent way. Its design, inspired by the standardization of on-card Java language and cryptographic API, has been kept as generic and modular as possible. The protocol security model has been designed with the aim of allowing multiple applications to use the services exposed by the same card, with either a cooperative or a no-interference approach, depending on application requirements. With respect to existing protocols for smart card interoperability, defining sophisticated card services intended to be hard-coded into the device hardware, this protocol is intended to be implemented in software on programmable smart cards

    Citizen Electronic Identities using TPM 2.0

    Full text link
    Electronic Identification (eID) is becoming commonplace in several European countries. eID is typically used to authenticate to government e-services, but is also used for other services, such as public transit, e-banking, and physical security access control. Typical eID tokens take the form of physical smart cards, but successes in merging eID into phone operator SIM cards show that eID tokens integrated into a personal device can offer better usability compared to standalone tokens. At the same time, trusted hardware that enables secure storage and isolated processing of sensitive data have become commonplace both on PC platforms as well as mobile devices. Some time ago, the Trusted Computing Group (TCG) released the version 2.0 of the Trusted Platform Module (TPM) specification. We propose an eID architecture based on the new, rich authorization model introduced in the TCGs TPM 2.0. The goal of the design is to improve the overall security and usability compared to traditional smart card-based solutions. We also provide, to the best our knowledge, the first accessible description of the TPM 2.0 authorization model.Comment: This work is based on an earlier work: Citizen Electronic Identities using TPM 2.0, to appear in the Proceedings of the 4th international workshop on Trustworthy embedded devices, TrustED'14, November 3, 2014, Scottsdale, Arizona, USA, http://dx.doi.org/10.1145/2666141.266614

    Study and development of a remote biometric authentication protocol

    Get PDF
    This paper reports the phases of study and implementation of a remote biometric authentication protocol developed during my internship at the I.i.t. of the C.n.r. in Pisa. Starting from the study of authentication history we had a look from the first system used since the 60ies to the latest technology; this helped us understand how we could realize a demonstration working protocol that could achieve a web remote authentication granting good reliability: to do this we choosed to modify the SSL handshake with biometric tests and we decided to use smart-cards a secure vault for the sensible biometric data involved. In the first chapter you will find a brief definition of authentication and an introduction on how we can achieve it, with a particular focus on new biometric techniques. In the second chapter there\u27s the history of authentication from the very first password system to actual ones: new token and smart card technolgies are longer stressed in order to introduce the reader to the last chapter. In the third chapter you will find the project framework, the development of our implementation choiches and the source code of the demo project
    corecore