A New Simplified Federated Single Sign-on System

The work presented in this MPhil thesis addresses this challenge by developing a new simplified FSSO system that allows end-users to access desktop systems, web-based services/applications and non-web based services/applications using one authentication process. This new system achieves this using two major components: an “Authentication Infrastructure Integration Program (AIIP) and an “Integration of Desktop Authentication and Web-based Authentication (IDAWA). The AIIP acquires Kerberos tickets (for end-users who have been authenticated by a Kerberos single sign-on system in one net- work domain) from Kerberos single sign-on systems in different network domains without establishing trust between these Kerberos single sign-on systems. The IDAWA is an extension to the web-based authentication systems (i.e. the web portal), and it authenticates end-users by verifying the end-users\u27 Kerberos tickets. This research also developed new criteria to determine which FSSO system can deliver true single sign-on to the end-users (i.e. allowing end-users to access desktop systems, web-based services/applications and non-web based services/applications using one authentication process). The evaluation shows that the new simplified FSSO system (i.e. the combination of AIIP and IDAWA) can deliver true single sign-on to the end- users. In addition, the evaluation shows the new simplified FSSO system has advantages over existing FSSO systems as it does not require additional modifications to network domains\u27 existing non-web based authentication infrastructures (i.e. Kerberos single sign- on systems) and their firewall rules

Analysing the behaviour of a smart card based model for secure communication with remote computers over the internet

This dissertation presents the findings of a generic model aimed at providing secure communication with remote computers via the Internet, based on smart cards. The results and findings are analysed and presented in great detail, in particular the behaviour and performance of smart cards when used to provide the cryptographic functionality. Two implemented models are presented. The first model uses SSL to secure the communication channel over the Internet while using smart cards for user authentication and storage of cryptographic keys. The second model presents the SSH for channel security and smart cards for user authentication, key storage and actual encryption and decryption of data. The model presented is modular and generic by nature, meaning that it can easily be modified to accept the newer protocol by simply including the protocols in a library and with a minor or no modification to both server and client application software. For example, any new algorithm for encryption, key exchange, signature, or message digest, can be easily accommodated into the system, which proves that the model is generic and can easily be integrated into newer technologies. Similarly, smart cards are used for cryptography. Two options are presented: first the smart cards only store the algorithm keys and user authentication, and secondly, smart cards are used for storing the algorithm keys, user authentication, and actual data encryption or decryption, as the requirement may dictate. This is very useful, for example, if data to be transferred is limited to a few bytes, then actual data encryption and decryption is performed using smart cards. On the other hand, if a great deal of data is to be transferred, then only authentication and key storage are performed with smart cards. The model currently uses 3DES with smart card encryption and decryption, because this is faster and consumes fewer resources when compared to RSA. Once again, the model design is flexible to accommodate new algorithms such as AES or IDEA. Important aspects of the dissertation are the study and analysis of the security attacks on smart card use. Several smart card attack scenarios are presented in CHAPTER 3, and their possible prevention is also discussed in detail. AFRIKAANS : Hierdie verhandeling bied die bevindinge van 'n generiese model wat daarop gemik is om veilige kommunikasie te voorsien met 'n afstandsrekenaar via die Internet en op slimkaarte gebaseer. Die resultate en bevindings word ontleed en breedvoerig aangebied, veral die gedrag en werkverrigting van slimkaarte wanneer hulle gebruik word om die kriptografiese funksionaliteit te voorsien. Daar word twee geïmplementeerde modelle aangebied. Die eerste model gebruik SSL om die kommunikasiekanaal oor die Internet te beveilig terwyl slimkaarte vir gebruikerbekragtiging en stoor van kriptografiese sleutels gebruik word. Die tweede model bied die SSH vir kanaalsekuriteit en slimkaarte vir gebruikergeldigheidvasstelling, sleutelstoor en werklike kodering en dekodering van data. Die model wat aangebied word, is modulêr en generies van aard, wat beteken dat dit maklik gewysig kan word om die jongste protokolle te aanvaar deur bloot die protokolle by 'n programbiblioteek met geringe of geen wysiging van beide die bediener- en kliënttoepassingsagteware in te sluit. Byvoorbeeld, enige nuwe algoritme vir kodering, sleuteluitruiling, handtekening of boodskapbondeling kan maklik in die stelsel gehuisves word, wat bewys dat die model generies is en maklik in jonger tegnologieë geïntegreer kan word. Slimkaarte word op soortgelyke wyse vir kriptografie gebruik. Daar word twee keuses aangebied: eerstens stoor die slimkaarte slegs die algoritmesleutels en gebruikergeldigheidvasstelling en tweedens word slimkaarte gebruik om die algoritmesleutels, gebruikergeldigheidvasstelling en werklike datakodering en –dekodering te stoor na gelang van wat vereis word. Dit is baie nuttig, byvoorbeeld, wanneer data wat oorgedra moet word, tot 'n paar grepe beperk is, word die eintlike datakodering en – dekodering uitgevoer deur slimkaarte te gebruik. Andersyds, indien 'n groot hoeveelheid data oorgedra moet word, word slegs geldigheidvasstelling en stoor met slimkaarte uitgevoer. Die model gebruik tans 3DES met slimkaartkodering en –dekodering omdat dit vinniger is en minder hulpbronne gebruik vergeleke met RSA. Die modelontwerp is weer eens buigsaam om nuwe algoritmes soos AES of IDEA te huisves. Nog 'n belangrike aspek van die verhandeling is om die sekuriteitaanvalle op slimkaartgebruik te ondersoek en te ontleed. Verskeie slimkaartaanvalscenario's word in Hoofstuk 3 aangebied en die moontlike voorkoming daarvan word ook breedvoerig bespreek.Dissertation (MEng)--University of Pretoria, 2011.Electrical, Electronic and Computer Engineeringunrestricte

The Impact of TLS on SIP Server Performance

This report studies the performance impact of using TLS as a transport protocol for SIP servers. We evaluate the cost of TLS experimentally using a testbed with OpenSIPS, OpenSSL, and Linux running on an Intel-based server. We analyze TLS costs using application, library, and kernel profiling, and use the profiles to illustrate when and how different costs are incurred, such as bulk data encryption, public key encryption, private key decryption, and MAC-based verification. We show that using TLS can reduce performance by up to a factor of 20 compared to the typical case of SIP over UDP. The primary factor in determining performance is whether and how TLS connection establishment is performed, due to the heavy costs of RSA operations used for session negotiation. This depends both on how the SIP proxy is deployed (e.g., as an inbound or outbound proxy) and what TLS options are used (e.g., mutual authentication, session reuse). The cost of symmetric key operations such as AES or 3DES, in contrast, tends to be small. Network operators deploying SIP over TLS should attempt to maximize the persistence of secure connections, and will need to assess the server resources required. To aid them, we provide a measurement-driven cost model for use in provisioning SIP servers using TLS. Our cost model predicts performance within 15 percent on average

Comparison of different ways to avoid internet traffic interception

Projecte fet en col.laboració amb la Norwegian University of Science and Technology. Department of Telematic EngineeringEnglish: The main objective of this thesis is to analyze and compare different ways to avoid the Internet traffic eavesdropping (carried out both by governments or malicious particulars). The analysis consists on a description of the different protocols and technologies involved in each option as well as the difficulties to implement them and the technical knowledge of the users in order to take profit of them

MySmartPi

Nowadays, accessing the Internet in a secure way in a big concern for many people due to the increase of cybersecurity attacks and the vulnerability of the data that is transferred online. In order to address such vulnerabilities, the use of a Virtual Private Network is really important. Not only for security reasons, but also to access resources of the network, such as printers, files or web pages. Considering that many people, especially IT students, have curiosity and enjoy creating their own technologies, this project aims to create a user manual to teach how people can create their own VPN server at home using a Raspberry Pi and to access their files and folders which are in the network. For that, tutorials were used and adapted in order to install the VPN server and NAS. In order to prove that the whole process was successful, some tools, such as, Wireshark, were used to show how the network traffic works once the VPN is used. The process was successful and many concepts were learnt and used such as Cryptography, Port forwarding, dynamic DNS, OpenVPN, etc

Flexible and Scalable Public Key Security for SSH

A standard tool for secure remote access, the SSH protocol uses public-key cryptography to establish an encrypted and integrity-protected channel with a remote server. However, widely-deployed implementations of the protocol are vulnerable to man-in-the-middle attacks, where an adversary substitutes her public key for the server\u27s. This danger particularly threatens a traveling user Bob borrowing a client machine. Imposing a traditional X.509 PKI on all SSH servers and clients is neither flexible nor scalable nor (in the foreseeable future) practical. Requiring extensive work or an SSL server at Bob\u27s site is also not practical for many users. This paper presents our experiences designing and implementing an alternative scheme that solves the public-key security problem in SSH without requiring such an a priori universal trust structure or extensive sysadmin work--although it does require a modified SSH client. (The code is available for public download.

Sigurnosni protokoli

The Internet, as a computer network, connects millions of people all around the world and gives them a possibility to access a big quantity of data. Throughout the Internet users exchange data using certain protocols and a part of this communication is private or secret. TCP (Transmission Control Protocol) and IP (Internet Protocol) protocols are the kernel of Internet protocol. Everything that is transmitted through the Internet uses these protocols, but they cannot provide security of data transfer. For example, IP packages can be easily changed and their content can be seen by everybody in every moment, even by an unauthorized person. Today the world is already globally connected and the individuals and institutions need privacy and also the protection from identity theft that is today a very frequent aspect of misuse of the Internet. So, we need transparent and flexible tools to fulfill demands of different users and at the same time capable to achieve the assigned degree of security. Security protocols, as the most prominent SSL (Secure Sockets Layers) and TLS (Transport Layer Security), solve a good part of given problems.Internet, kao računarska mreža, povezuje milione ljudi širom sveta i obezbeđuje im pristup velikoj količini informacija. Korisnici preko Interneta razmenjuju podatke na osnovu određenih protokola, a deo te komunikacije je privatnog ili službeno tajnog karaktera. Pri ovoj razmeni, korisnici resursa računarskih sistema, računara u mrežama i samostalnih računara, pre svega žele da budu sigurni da će pristup njihovim podacima i resursima uopšte imati samo oni kojima se pristup dozvoli. Dakle, analogno sigurnosti fizičke imovine korisnici računarskih sistema žele takozvanu računarsku sigurnost. Jezgro Internet protokola predstavljaju TCP (Transmission Control Protocol) i IP (Internet Protocoll) protokoli. Sve što putuje Internetom koristi ove protokole, ali oni ne obezbeđuje sigurnost prenosa podataka. IP paketi se, na primer, mogu lako izmeniti a njihov sadržaj može u bilo kom trenutku da pregleda ma ko, pa i neovlašćena osoba. U svetu koji je danas već globalno povezan, pojedinci i razne institucije imaju potrebe za privatnošću, kao i za zaštitom od krađe identiteta, koja postaje sve češći vid zloupotrebe globalne mreže. Dakle, potrebna su sredstva koja su transparentna i dovoljno fleksibilna da zadovolje zahteve raznih korisnika, a istovremeno ostvare zadati stepen sigurnosti. U ovom radu, pažnja je usmerena na komunikacijske zaštitne mehanizme definisane sigurnosnim protokolima, pri čemu se smatra da su ispunjene ostale kategorije računarske sigurnosti. Protokoli TLS (Transport Layer Security) i SSL (Secure Sockets Layers) su kriptografski protokoli koji omogućavaju sigurnu komunikaciju na Internetu za poslove elektronskog bankarstva i trgovine, e-mail, fax, pristup udaljenim računarima, a korisnicima rešavaju dobar deo navedenih problema