11 research outputs found

    Cryptographic methods for authentication and authorization

    With all the benefits that come with global connectivity, information security has become a problem. This is why there are various cryptographic methods that give users a certain level of security without affecting their user experience. SASL mechanisms are one such set of security measures that protect users and their information. Different mechanisms exist, offering different levels of security. Among the best-known are the OTP and OAuth mechanisms, which are widely deployed and provide the strongest security to their users. Future mechanisms should certainly pay attention to the weaknesses of current mechanisms, such as poor protection of data integrity and data confidentiality. Future mechanisms will also aim to implement more complex authentication methods, such as biometric authentication. As technology develops, security will be exposed to new attacks, but this is also an opportunity to develop better and faster methods for authentication and authorization.

    Supporting Massive Mobility with stream processing software

    The goal of this project is to design a solution for massive mobility using the LISP protocol and scalable database systems like Apache Kafka. The project consists of three steps: first, understanding the requirements of the massive mobility scenario; second, designing a solution based on stream processing software that integrates with OOR (an open-source LISP implementation); third, building a prototype with OOR and stream processing software (or a similar technology) and evaluating its performance. Our objectives are: to understand the requirements of an environment for massive mobility; to learn and evaluate the architecture of Apache Kafka and similar message brokers to see whether these tools can satisfy the requirements; to propose an architecture for massive mobility using the LISP protocol with Kafka as the mapping system; and finally, to evaluate the performance of Apache Kafka in such an architecture. In chapters 3 and 4 we provide a summary of the LISP protocol, Apache Kafka and other message brokers. In these chapters we describe the components of these tools and how we can use them to achieve our objective. We evaluate the different mechanisms for 1) authenticating users, 2) access control lists, 3) protocols that assure message delivery, 4) integrity and 5) communication patterns. Because we are interested only in the last message in the queue, it is very important that the message broker provides a way to obtain that message. Regarding the proposed architecture, we show how we adapted Kafka to store the information managed by the LISP mapping system. An EID in LISP is represented by a topic in Apache Kafka, and the publish-subscribe pattern is used to spread notifications to all subscribers. xTRs or mobile devices are able to play the role of consumers and publishers with the message brokers.
    Every topic uses only one partition and every subscriber has its own consumer group, to avoid competition when consuming messages. Finally, we evaluate the performance of Apache Kafka. As we will see, Kafka scales linearly in the following cases: the number of packets in the network in relation to the number of topics; the number of packets in the network in relation to the number of subscribers; the number of files opened by the server in relation to the number of topics; and the time elapsed between the moment a publisher sends a message and a subscriber receives it, in relation to the number of topics. In the conclusion we explain which objectives were achieved and why there are challenges to be faced by Kafka, especially on two points: 1) we need only the last location (message) stored in the broker, and Kafka does not provide an out-of-the-box mechanism to obtain such messages, and 2) the number of open files that have to be managed simultaneously by the server. More study is required to compare the performance of Kafka against other tools.

    Person-to-person identity verification in modern communication and collaboration environments

    This thesis describes a method for person-to-person identification on Google Wave networks. The method can also be used for strong authentication on the Wave network. The solution is based on using a trusted third party. The users must first authenticate themselves to the trusted third party and then prove to it that they control a given Wave user account. After these steps, the trusted third party is able to identify the users participating in a Wave discussion, with the help of a so-called Wave robot, and report the identification results to the other participants. If needed, the users can ask the trusted third party, through the robot, to re-authenticate a user. The thesis also describes a federated model for person-to-person identification on the Wave network using multiple trusted third parties. The method can be generalized to any communication network where the origin of messages can be reliably traced at the domain name level. A proof-of-concept of the identification model was developed and used to evaluate the applicability of the model in practice.

    Practically-exploitable Vulnerabilities in the Jitsi Video Conferencing System

    Jitsi Meet is an open-source video conferencing system and a popular alternative to proprietary services such as Zoom and Google Meet. The Jitsi project makes strong privacy and security claims in its advertising, but there is no published research into the merits of these claims. Moreover, Jitsi announced end-to-end encryption (E2EE) support in April 2020 and prominently features this in its marketing. We present an in-depth analysis of the design of Jitsi and its use of cryptography. Based on our analysis, we demonstrate two practical attacks that compromised server components can mount against the E2EE layer: we show how the bridge can break integrity by injecting inauthentic media into E2EE conferences, whilst the signaling server can defeat the encryption entirely. On top of its susceptibility to these attacks, the E2EE feature does not apply to text-based communications. This is not made apparent to users, who could reasonably expect it given how Jitsi is marketed. Further, we identify critical issues with Jitsi's poll feature, which allow any meeting participant to arbitrarily manipulate voting results. Our findings are backed by proof-of-concept implementations and were verified to be exploitable in practice. We communicated our findings to Jitsi via a coordinated disclosure process. Jitsi has addressed the vulnerabilities via a mix of technical improvements and documentation changes.

    NoSQL databases : forensic attribution implications

    NoSQL databases have gained a lot of popularity over the last few years. They are now used in many new system implementations that work with vast amounts of data. Such data will typically also include sensitive information that needs to be secured. NoSQL databases also underlie a number of cloud implementations that are increasingly used by various organisations to store sensitive information. This has made NoSQL databases a new target for hackers and state-sponsored actors. Forensic examinations of compromised systems will need to be conducted to determine what exactly transpired and who was responsible. This paper examines specifically whether NoSQL databases have security features that leave relevant traces, so that accurate forensic attribution can be conducted. The seeming lack of default security measures such as access control and logging prompted this examination. A survey of the top-ranked NoSQL databases was conducted to establish what authentication and authorisation features are available. Additionally, the provided logging mechanisms were examined, since access control without any auditing would not aid forensic attribution much. Some of the surveyed NoSQL databases do not provide adequate access control mechanisms and logging features that leave the traces needed for forensic attribution. The other surveyed NoSQL databases do provide adequate mechanisms and logging traces for forensic attribution, but these are not enabled or configured by default. This means that in many cases they might not be available, leaving insufficient information to perform accurate forensic attribution even on those databases.
    http://www.saiee.org.za/DirectoryDisplay/DirectoryCMSPages.aspx?name=Publications#id=1588&dirname=ARJ&dirid=337

    Instant Messaging Systems

    The number of users of instant messaging (IM) has increased significantly in the last few years. Commercial providers use closed, centralized networks and do not enable users to communicate with other networks, although standardized protocols for IM do exist. The present thesis explores an alternative option for IM using the XMPP protocol and a federated network of servers. Furthermore, it includes a description of the basic purpose, additional services and security requirements of IM. In addition, it describes the architecture and properties of the XMPP protocol and security tools for end-to-end security. The main goal of the present thesis is to set up an open-source Prosody IM server and to analyse the possibilities and use of open-source clients. The conclusion of the thesis presents the advantages and disadvantages of open-source solutions versus commercial providers.

    Forensic attribution challenges during forensic examinations of databases

    An aspect of database forensics that has not yet received much attention in the academic research community is the attribution of actions performed in a database. When forensic attribution is performed for actions executed in computer systems, it is necessary to avoid incorrectly attributing actions to processes or actors, because the outcome of forensic attribution may be used to determine civil or criminal liability. Correctness is therefore extremely important when attributing actions in computer systems, including when performing forensic attribution in databases. Any circumstances that can compromise the correctness of the attribution results need to be identified and addressed. This dissertation explores possible challenges when performing forensic attribution in databases. What can prevent the correct attribution of actions performed in a database? The first identified challenge is the database trigger, which has not yet been studied in the context of forensic examinations. The dissertation therefore investigates the impact of database triggers on forensic examinations by examining two sub-questions. Firstly, could triggers, due to their nature combined with the way databases are forensically acquired and analysed, lead to contamination of the data being analysed? Secondly, can the current attribution process correctly identify which party is responsible for which changes in a database where triggers are used to create and maintain data? The second identified challenge is the lack of access and audit information in NoSQL databases. The dissertation thus investigates how the availability of access control and logging features in databases impacts forensic attribution. Database triggers, as defined in the SQL standard, are studied together with a number of database trigger implementations, in order to establish which aspects of a database trigger may have an impact on digital forensic acquisition, analysis and interpretation.
    Forensic examinations of relational and NoSQL databases are evaluated to determine what challenges the presence of database triggers poses. A number of NoSQL databases are then studied to determine the availability of access control and logging features, because these features leave valuable traces for the forensic attribution process. An algorithm is devised that provides a simple test to determine whether database triggers played any part in the generation or manipulation of data in a specific database object. If the test result is positive, the actions performed by the implicated triggers have to be considered in a forensic examination. This dissertation identified a group of database triggers, classified as non-data triggers, which have the potential to contaminate the data in popular relational databases through inconspicuous operations such as connection or shutdown. It also established that database triggers can influence the normal flow of data operations, meaning that what the original operation intended to do and what actually happened are not necessarily the same. The attribution of these operations therefore becomes problematic, and incorrect deductions can be made. Accordingly, forensic processes need to be extended to include the handling and analysis of all database triggers. This enables safer acquisition and analysis of databases and more accurate attribution of actions performed in databases. This dissertation also established that popular NoSQL databases either lack sufficient access control and logging capabilities or do not enable them by default, and so do not support attribution to the same level as relational databases.
    Dissertation (MSc), Computer Science, University of Pretoria, 2018.