Performance Test Suite for MIT Kerberos

Tato práce se zaměřuje na vyvinutí nástrojů pro výkonnostní testování, které umožní otestovat infrastrukturu systému MIT Kerberos, zjistit její výkonnostní charakteristiky a detekovat potenciální problémy. Práce shrnuje teoretické základy protokolu Kerberos a analyzuje potenciální výkonnostní problémy v různých konfiguracích MIT Kerberosu. Dále práce obsahuje popis návrhu a implementace sady nástrojů pro distribuované testování. Pomocí implementovaných nástrojů bylo odhaleno několik výkonnostních problémů, které jsou v práci popsány spolu s návrhem jejich řešení.The aim of this thesis is to develop performance test suite, which will enable to test MIT Kerberos system infrastructure, assess gained performance characteristics and detect potential bottlenecks. This thesis summarizes necessary theoretical background of Kerberos protocol. Potential performance problems are analyzed on different MIT Kerberos configurations. This thesis describes distributed test suite design and implementation. Several performance problems were discovered using this test suite. These problems are described and some solutions are proposed.

Applying pi-Calculus to Practice: An Example of a Unified Security Mechanism

The Pi-calculus has been developed to reason about behavioural equivalence. Different notions of equivalence are defined in terms of process interactions, as well as the context of processes. There are various extensions of the Pi-calculus, such as the SPI calculus, which has primitives to facilitate security protocol design. Another area of computer security is access control research, which includes problems of access control models, policies and access control mechanism. The design of a unified framework for access control requires that all policies are supported and different access control models are instantiated correctly. In this paper we will utilise the Pi calculus to reason about access control policies and mechanism. An equivalence of different policy implementations, as well as access control mechanism will be shown. Finally some experiences regarding the use of Pi-calculus are presented

Cortex: Open Source Core Financial Processor

A financial processor is the most important component of a credit union‘s IT infrastructure. A database storing member demographic information, account balances, and transaction history, it performs financial calculations, such as interest, dividends, and maturities. It also provides a user interface, allowing tellers and financial service representatives to manage accounts and record transactions. Unfortunately for credit unions, the bargaining power of the financial processor vendors is significant. Commercial financial processors are extremely expensive systems with long-term contracts. Dwindling competition, a lack of innovation, and a substantial barrier to entry characterize the stagnant financial processor market. Our team determined that open source would be an effective development methodology, as well as business model, to develop a new financial processor. Using secure, powerful technologies and frameworks, we were able to design an innovative, modern architecture that meets the business requirements of credit unions better. Our web-based user interface also reflects the internet-driven paradigm with which employees are already comfortable, a dramatic shift from the outdated UI patterns and poor learnability associated with existing financial processors. Our team will continue searching for credit unions interested in forming the community to finish the development and testing necessary for the system to be ready for production use

Tutorial: Identity Management Systems and Secured Access Control

Identity Management has been a serious problem since the establishment of the Internet. Yet little progress has been made toward an acceptable solution. Early Identity Management Systems (IdMS) were designed to control access to resources and match capabilities with people in well-defined situations, Today’s computing environment involves a variety of user and machine centric forms of digital identities and fuzzy organizational boundaries. With the advent of inter-organizational systems, social networks, e-commerce, m-commerce, service oriented computing, and automated agents, the characteristics of IdMS face a large number of technical and social challenges. The first part of the tutorial describes the history and conceptualization of IdMS, current trends and proposed paradigms, identity lifecycle, implementation challenges and social issues. The second part addresses standards, industry initia-tives, and vendor solutions. We conclude that there is disconnect between the need for a universal, seamless, trans-parent IdMS and current proposed standards and vendor solutions

Applying PII fingerprints in security incident analysis

Regulations in many countries govern the use of personally identifiable information (PII) in IT systems. A key aspect of these regulations is to retain PII only as long as necessary and delete it immediately afterwards. Organizations should also consider retaining PII only for the minimum period as business requirements demand it for liability reasons. A difficult sit-uation arises for an organization if the possibility of a compromise of PII is detected after the PII has been deleted. Today, in such a situation, the scope of the potential compromise cannot easily be ascertained. Furthermore, the owner of the PII cannot easily be informed. We propose a novel algorithm to generate PII fingerprints which allows the determination of the scope of the affected PII in case a compromise is confirmed. The benefit is the ability to determine the exact scope of a potential compromise

The Relationship Between Situational Crime Prevention Theory and Campus Employee Computer Misuse

Computer misuse is a leading problem for all industry sectors, including higher education. However, much of the current research related to computer misuse has been conducted in the business sector, leaving higher education a relatively unstudied group. Many theories have been addressed in computer security literature, but only one theory offers a more holistic solution to combating computer misuse, Situational Crime Prevention Theory. Situational Crime Prevention Theory encompasses four categories of countermeasures: countermeasures that Increase the Perceived Effort of the offender, countermeasures that Increase the Perceived Risk of the offender, countermeasures that Reduce the Anticipated Rewards of the offender, and countermeasures that Remove the Excuses to offend. This study endeavored to investigate whether a relationship exists between the categories of ountermeasures found in Situational Crime Prevention and the actual number of computer misuse incidents reported by CIO\u27s of public, four-year colleges and universities. Using a web-accessible, anonymous questionnaire, CIO\u27s of 442 public, four-year colleges and universities were asked to provide information related to the countermeasures that they have in place at their institutions and the number of insider computer misuse incidents their institutions experienced in the year 2009. The data were analyzed with PLS-Graph software to include composite reliability, t statistic and critical value analysis, and R-square analysis. Results showed a significant relationship between two out of four categories of countermeasures and the actual number of computer misuse incidents. These results would be particularly useful to administrators in higher education who are responsible for designing a technology security plan that is focused and cost-effective

Using kerberos for enterprise cloud authentication

The Kerberos authentication protocol has a maturity of approximately thirty years, being widely used in IT systems in the corporate environment, mainly due to its adoption by Microsoft in its operating systems. Moreover, the practical application of the Cloud computing and its concepts is in its early days regarding its adoption by organizations, especially the large companies. This study aims to investigate the practical applications of the Kerberos protocol for authentication of enterprise applications deployed in the cloud, looking from both the f unctional and security perspective. To achieve this goal, it will be necessary to evaluate its applicability to the Cloud and assess whether it keeps the security characteristics found when using it only inside the corporate network.O protocolo de autenticação Kerberos apresenta uma maturidade de aproximadamente trinta anos, sendo amplamente utilizado nos sistemas de TI no meio corporativo, principalmente devido à sua adopção pela Microsoft nos seus sistemas operativos. Por outro lado, a aplicação prática dos conceitos de computação na nuvem encontra-se nos seus primeiros passos no que diz respeito à adopção pelas empresas, principalmente as de grande porte. Este estudo propõe-se a investigar as possibilidades práticas do protocolo Kerberos para autenticação de aplicações corporativas implementadas na nuvem, do ponto de vista funcional e de segurança. Para alcançar esse objectivo, será necessário avaliar sua aplicabilidade à nuvem e fazer um levantamento para validar se o protocolo mantêm as características de segurança encontrada quando utilizado somente na rede corporativa

Data Minimisation in Communication Protocols: A Formal Analysis Framework and Application to Identity Management

With the growing amount of personal information exchanged over the Internet, privacy is becoming more and more a concern for users. One of the key principles in protecting privacy is data minimisation. This principle requires that only the minimum amount of information necessary to accomplish a certain goal is collected and processed. "Privacy-enhancing" communication protocols have been proposed to guarantee data minimisation in a wide range of applications. However, currently there is no satisfactory way to assess and compare the privacy they offer in a precise way: existing analyses are either too informal and high-level, or specific for one particular system. In this work, we propose a general formal framework to analyse and compare communication protocols with respect to privacy by data minimisation. Privacy requirements are formalised independent of a particular protocol in terms of the knowledge of (coalitions of) actors in a three-layer model of personal information. These requirements are then verified automatically for particular protocols by computing this knowledge from a description of their communication. We validate our framework in an identity management (IdM) case study. As IdM systems are used more and more to satisfy the increasing need for reliable on-line identification and authentication, privacy is becoming an increasingly critical issue. We use our framework to analyse and compare four identity management systems. Finally, we discuss the completeness and (re)usability of the proposed framework