CMSC 414 Computer and Network Security Lecture 15
- Slides: 23
CMSC 414 Computer (and Network) Security Lecture 15 Jonathan Katz
Review of cryptography… ¨ Private-key (key shared in advance) – Private-key encryption – Message authentication codes (MACs) ¨ Public-key (PK distributed/SK secret) – Public-key encryption – Signature schemes
Review of cryptography… – Encryption does not provide integrity – Signatures/MACs do not provide secrecy – Signing is not the same as (public key) encryption/decryption – A “checksum” is not the same as a MAC – Deterministic encryption is not secure – CBC-MAC is not the same as CBC encryption
Midterm stats ¨ Average: 65 ¨ (Roughly: ) – 80 -100: A – 60 -80: B – 45 -60: C – <45: D/F
Administrative items ¨ HW 3 ¨ Project coming soon…
Representing Identity (Chapter 14)
Identity ¨ An identity specifies a principal (a unique entity) ¨ Authentication binds a principal to a (representation of an) identity ¨ Identities are used for, e. g. , accountability and access control (among others)
Example: files and objects ¨ Note: the name of an object may depend on the context – E. g. , a filename for human use, a file descriptor for process use, and a file allocation entry used by the kernel – E. g. , user with different accounts
Example: groups ¨ An “entity” may be a set of entities, i. e. , a group ¨ Two implementations of groups 1. Group is an alias for a set of principals; principals stay in their groups 2. Principals can change groups; rights depend upon current group membership
Roles ¨ A role is a group that ties membership to function – When a principal assumes a role, the principal is given the rights belonging to that role
Naming and certificates ¨ Identifiers correspond to principals – Must uniquely identify the principal – (Real) names alone are not enough!
E. g. , X. 509 certificates ¨ Distinguished names identify a principal – Series of fields, each with key and value • E. g. /O=University of Maryland/OU=College Park/OU=Computer Science/CN=J. Katz • “O” - organization; “OU” - organizational unit; “CN” = common name
Certificates ¨ Certification authorities vouch for the identity of the principal to whom a certificate is issued ¨ CA authentication policy determines the level of authentication needed to identify the principal before the certificate is issued ¨ CA issuance policy describes the principals to whom the CA will issue certificates ¨ A single CA can “act” as multiple CAs, each with their own policies…
Example: Verisign (1996) ¨ Three levels of authentication – Verification of valid email address – Verification of name/address – Background check ¨ Different authentication policies; same issuance policy (individuals) ¨ Another issuance policy was for issuing certificates to web servers
Certificate infrastructure ¨ Hierarchical structure of CAs – Nodes correspond to CAs – Children of a CA are constrained by the policies of their parents – Example… ¨ We will revisit cert. infrastructures later…
Example ¨ Internet Policy Registration Authority (IPRA) issues certificates for policy certification authorities (PCAs) ¨ PCAs certify other CAs – Note that their policies cannot conflict with those of the IPRA
Conflicts ¨ What if a single CA issues certificates under different policies? ¨ What if a CA issues a certificate tied to an email address, but the owner of this address changes? ¨ What if two CAs have the same dist. name? ¨ What if two different CAs issue certificates for the same distinguished name (to different principals)?
Easy solution ¨ For organizational certificates, the last type of conflict can be prevented by incorporating CA name into distinguished name ¨ Does not solve the other problems, in general…
Handling conflicts ¨ Conflict detection database… ¨ Before a PCA may issue a certificate to a CA, it checks for a conflict in the database – Sends a hash of the CAs dist. name, the CAs public key, and the dist. name of the PCA ¨ If first two fields conflict with a database entry, the two PCAs must resolve the conflict ¨ Note that this only ensures uniqueness of (DN, PK) pairs
Handling conflicts (in action) ¨ Two CAs with same dist. name? – Will have different public keys… ¨ Same CA with two different policies? – Will use different public keys for each
What does identity mean? ¨ Ultimately, identity is proved using physical means – Driver’s license, fingerprints, etc. ¨ If these are compromised, then certificates are irrelevant! – Certificate is just a binding between external identity and (DN, PK)
Anonymity vs. pseudonymity ¨ Anonymity – No one can identify the source of any messages – Can be achieved via the use of “persona” certificates (with “meaningless” DNs) ¨ Pseudonymity – No one can identify the source of a set of messages… – …but they can tell that they all came from the same person
Levels of anonymity ¨ There is a scale of anonymity – Ranges from no anonymity (complete identification), to partial anonymity (e. g. , crowds), to complete anonymity – Pseudonymity is an orthogonal issue…
- Cmsc 414
- Cmsc 414
- Cmsc 414
- Cmsc 414
- Computer security 161 cryptocurrency lecture
- Wireless security in cryptography
- Security security security
- Computer and network security
- Osi standard for security architecture is
- Security guide to network security fundamentals
- Electronic mail security in network security
- Security guide to network security fundamentals
- Security guide to network security fundamentals
- 01:640:244 lecture notes - lecture 15: plat, idah, farad
- Computer & network security
- Gcd of 414 and 662
- Types of network topology
- Mil-std-414
- Military standard 414
- Mil-std 414
- 414 climate change
- Cs 414
- Cse 414
- Graph neural network lecture