ADDING PERFECT FORWARD SECRECY TO KERBEROS

Kerberos system is a powerful and widely implemented authentication system. Despite this fact it has several problems such as the vulnerability to dictionary attacks which is solved with the use of public key cryptography. Also an important security feature that is not found in Kerberos is perfect forward secrecy. In this work the lack of this feature is investigated in Kerberos in its original version. Also a public key based modification to Kerberos is presented and it is shown that it lacks the prefect forward secrecy too. Then some extensions are proposed to achieve this feature. The extensions are based on public key concepts (Diffie-Hellman) with the condition of keeping the password based authentication; this requires little modifications to the original Kerberos. Four extensions are proposed; two of them modify the (Client-Authentication Server) exchange achieving conditional perfect forward secrecy, while the remaining two modify the Client-Server exchange achieving perfect forward secrecy but with increased overhead and delay

A Method for Authentication Services in Wireless Networks

With the widespread use of wireless network services and applications, security is a major concern. From wireless network security aspects, authentication for services is very important especially in Internet banking. In this paper, an authentication method for wireless networks using dynamic key theory is presented. The dynamic key theory is used to produce “one time keys” for authentication. These one time keys will improve the efficiency and security of wireless authentication. It can be applied for Internet banking and services in wireless networks

Evaluation Theory for Characteristics of Cloud Identity Trust Framework

Trust management is a prominent area of security in cloud computing because insufficient trust management hinders cloud growth. Trust management systems can help cloud users to make the best decision regarding the security, privacy, Quality of Protection (QoP), and Quality of Service (QoS). A Trust model acts as a security strength evaluator and ranking service for the cloud and cloud identity applications and services. It might be used as a benchmark to setup the cloud identity service security and to find the inadequacies and enhancements in cloud infrastructure. This chapter addresses the concerns of evaluating cloud trust management systems, data gathering, and synthesis of theory and data. The conclusion is that the relationship between cloud identity providers and Cloud identity users can greatly benefit from the evaluation and critical review of current trust models

UbiPAL : secure messaging and access control for ubiquitous computing

textThe ubiquitous computing environment and modern trends in personal computing, such as body sensor networks and smart houses, create unique challenges in privacy and access control. Lack of centralized computing and the dynamic nature of human environments and access rules render most access control systems insufficient for this new category of systems. UbiPAL is an object-oriented communication framework for ubiquitous systems which provides secure communication and decentralized access control. UbiPAL uses a modified SecPAL implementation to provide reliable, ad hoc access control. The UbiPAL system uses cryptographically signed, publicly held namespace certificates and access control lists in the style of TLS certificates. This approach allows message authentication and authorization in an ad hoc, completely decentralized method while maintaining human readability of policy language. UbiPAL was implemented as a C++ library, made freely available at (1), and evaluated to have minimized overhead. Even on the slowest device evaluated, a Raspberry Pi, UbiPAL authentication and authorization adds less than 20 milliseconds to the delivery a message with a message overhead of 153 bytes. The UbiPAL programming model separates access policy from application programming and results in small amounts of code required from the application programmer, creating an accessible paradigm for programming ubiquitous computing systems.Computer Science

On the State of Crypto-Agility

The demand for crypto-agility, although dating back for more than two decades, recently started to increase in the light of the expected post-quantum cryptography (PQC) migration. Nevertheless, it started to evolve into a science on its own. Therefore, it is important to establish a unified definition of the notion, as well as its related aspects, scope, and practical applications. This paper presents a literature survey on crypto-agility and discusses respective development efforts categorized into different areas, including requirements, characteristics, and possible challenges. We explore the need for crypto-agility beyond PQC algorithms and security protocols and shed some light on current solutions, existing automation mechanisms, and best practices in this field. We evaluate the state of readiness for crypto-agility, and offer a discussion on the identified open issues. The results of our survey indicate a need for a comprehensive understanding. Further, more agile design paradigms are required in developing new IT systems, and in refactoring existing ones, in order to realize crypto-agility on a broad scale

Automatic Generation of Security Protocols Attacks Specifications and Implementations

Confidence in a communication protocol’s security is a key requirement for its deployment and long-term maintenance. Checking if a vulnerability exists and is exploitable requires extensive expertise. The research community has advocated for a systematic approach with formal methods to model and automatically test a protocol against a set of desired security properties. As verification tools reach conclusions, the applicability of their results still requires expert scrutiny. We propose a code generation approach to automatically build both an abstract specification and a concrete implementation of a Dolev-Yao intruder from an abstract attack trace, bridging the gap between theoretical attacks discovered by formal means and practical ones. Through our case studies, we focus on attack traces from the OFMC model checker, Alice&Bob specifications and Java implementations. We introduce a proof-of-concept workflow for concrete attack validation that allows to conveniently integrate, in a user-friendly way, formal methods results into a Model-Driven Development process and at the same time automatically generate a program that allows to demonstrate the attack in practice. In fact, in this contribution, we produce high-level and concrete attack narrations that are both human and machine readable

Performance Test Suite for MIT Kerberos

Tato práce se zaměřuje na vyvinutí nástrojů pro výkonnostní testování, které umožní otestovat infrastrukturu systému MIT Kerberos, zjistit její výkonnostní charakteristiky a detekovat potenciální problémy. Práce shrnuje teoretické základy protokolu Kerberos a analyzuje potenciální výkonnostní problémy v různých konfiguracích MIT Kerberosu. Dále práce obsahuje popis návrhu a implementace sady nástrojů pro distribuované testování. Pomocí implementovaných nástrojů bylo odhaleno několik výkonnostních problémů, které jsou v práci popsány spolu s návrhem jejich řešení.The aim of this thesis is to develop performance test suite, which will enable to test MIT Kerberos system infrastructure, assess gained performance characteristics and detect potential bottlenecks. This thesis summarizes necessary theoretical background of Kerberos protocol. Potential performance problems are analyzed on different MIT Kerberos configurations. This thesis describes distributed test suite design and implementation. Several performance problems were discovered using this test suite. These problems are described and some solutions are proposed.

A security architecture for distributed grid applications with sensitive delay requirements

147 σ.Η αρχιτεκτονική ασφαλείας που προτείνεται στην διατριβή είναι προσανατολισμένη στο να δώσει λύσεις σε κατανεμημένες εφαρμογές Πλέγματος (Grid) ευαίσθητες σε χρόνο απόκρισης. Πεδίο εφαρμογής της είναι τα Πλέγματα Μετρήσεων και Ελέγχου (Instrumentation Grids), επέκταση των Συστημάτων Υπολογιστικού Πλέγματος (Computational Grids). Τα Instrumentation Grids είναι κατανεμημένα συστήματα τεχνολογιών πλέγματος, τα οποία προσφέρουν απομακρυσμένη πρόσβαση σε όργανα «μετρήσεων και ελέγχου». Βασική προδιαγραφή στα περιβάλλοντα αυτά αφορά στον περιορισμένο χρόνο απόκρισης των κατανεμημένων λειτουργιών των οργάνων. Η αρχιτεκτονική ασφαλείας που υιοθετείται στα παραδοσιακά Grids βασίζεται σε Υποδομή Δημοσίου Κλειδιού (PKI) και δημιουργεί συνήθως μεγάλες καθυστερήσεις. Για τον λόγο αυτό προτείνουμε μια νέα αρχιτεκτονική ασφαλείας βασισμένη στο πρωτόκολλο Kerberos. Η αρχιτεκτονική μας αποτελείται τέσσερα υποσυστήματα: Το Kerberos KDC που αποτελεί την Τρίτη Έμπιστη Οντότητα του συστήματος, το KrbClient που αλληλεπιδρά με την αρχιτεκτονική εκ μέρους του λογισμικού πελάτη, ο Access Control Manager (ACM) που προστατεύει τις υπηρεσίες ελέγχου του Instrumentation Grid και το Policy Repository που αποθηκεύει τους κανόνες πρόσβασης (authorization) των κατανεμημένων πόρων. Στα πλαίσια της διατριβής υλοποιήθηκε πρότυπη αρχιτεκτονική ασφαλείας βασισμένη σε ενδιάμεσο λογισμικό Υπηρεσιών Ιστού (Web Services). Οι μετρήσεις που πραγματοποιήσαμε επιβεβαιώνουν πως η προτεινόμενη αρχιτεκτονική βελτιώνει σημαντικά την απόδοση στις λειτουργίες ασφαλείας (Ταυτοποίηση, Εξουσιοδότηση και Ακεραιότητα Μηνύματος) αντικαθιστώντας την Κρυπτογραφία Δημοσίου Κλειδιού των Computational Grids με Συμμετρική Κρυπτογραφία. Η βελτίωση γίνεται εντονότερη κάτω από υψηλό υπολογιστικό φορτίο στις υπηρεσίες μετρήσεων και ελέγχου των οργάνων.In this thesis we propose a security architecture that provides a solution to distributed Grid applications with delay sensitive requirements. These applications are usually encountered within an Instrumentation Grid, an extension of a Computational Grid. Instrumentation Grids are distributed systems that follow Grid technologies to interact with remote distributed instruments. One of their main requirements is low latency times. This may not be satisfied with security architectures adopted in Computational Grids based on Public Key Infrastructure (PKI). For that reason we propose an alternate security architecture based on the Kerberos protocol. Our architecture is composed of four components: The Kerberos KDC that acts as a Third Trusted Party, the KrbClient that represents the client, the Access Control Manager (ACM) that protects the services of the Instrumentation Grid and the Policy Repository which stores the access rules (authorization) of the distributed resources. We validated our architecture by implementing a prototype built on Web Service middleware. Our experiments showed a significant performance improvement in authentication, authorization and message integrity processes over legacy Grid security architectures. The improvement becomes substantial under heavy processing load of the remote instrumentation services.Αθανάσιος Μ. Μώραλη