DOC PREVIEW
USC CSCI 530 - 2.1

This preview shows page 1 out of 3 pages.

Save
View full document
View full document
Premium Document
Do you want full access? Go Premium and unlock all 3 pages.
Access to all documents
Download any document
Ad free experience
Premium Document
Do you want full access? Go Premium and unlock all 3 pages.
Access to all documents
Download any document
Ad free experience

Unformatted text preview:

2/1/11 1  Key exchange o Kerberos o Digital certificates  Certificate authority structure o PGP, hierarchical model  Recovery from exposed keys o Revocation lists, time-limited keys, real time validation  Group key management o Robustness, forward/backward secrecy  Ideally o Who you are  Practically o Something you know o Something you have o Something about you  Password or Algorithm o e.g. encryption key derived from password  Issues o Someone else may learn it  Find it, sniff it, trick you into providing it o Other party must know how to check o You must remember it  Alice inputs her password, computer verifies this against list of passwords  If computer is broken into, hackers can learn everybody’s passwords o Use one-way functions, store the result for !every valid password o Perform one-way function on input, !compare result against the list  Hackers can compile a list of frequently used passwords, apply one-way function to each and store them in a table – dictionary attack  Host adds random salt to password, applies one-way function to that and stores result and salt value o Randomly generated, unique and long enough2/1/11 2  Someone sniffing on the network can learn the password  Lamport hash or S-KEY – time-varying pass o To set-up the system, Alice enters !random number R o Host calculates !x0=h(R), x1=h(h(R)), x2=h(h(h(R))),..., x100 o Alice keeps this list, host sets her password to x101 o Alice logs on with x100, host verifies h(x100)=x101, resets password to x100 o Next time Alice logs on with x99  Someone sniffing on the network can learn the password o Host keeps a file of every user’s public key o Users keep their private keys o When Alice attempts to log on, !host sends her a random number R o Alice encrypts R with her private key !and sends to host o Host can now verify her identity by !decrypting the message and retrieving R  Key Distribution o Confidentiality not needed for public key o Solves n2 problem  Performance o Slower than conventional cryptography o Implementations used for key distribution, then use conventional crypto for data encryption  Trusted third party still needed o To certify public key o To manage revocation o In some cases, third party may be off-line  Passport  Liberty Alliance  Shibboleth  Two versions of Passport o Centralized and federated  Liberty Alliance o Loosely federated with framework to describe authentication provided by others  Goal is single sign-on o Solves problem of weak or repeated user/pass combinations  Implemented via redirections o Users authenticate themselves to a common server, which gives them tickets o Similar flavor to Kerberos but different environment – many organizations  Widely deployed by Microsoft o Designed to use existing technologies in servers/browsers (HTTP redirect, SSL, cookies, Javascript)2/1/11 3  Client (browser), merchant (Web server), Passport login server  Passport server maintains authentication info for client o Gives merchant access when permitted by client  Divides client data into profile (address) and wallet (credit card) David P. Kormann and Aviel D. Rubin, Risks of the Passport Single Signon Protocol, Computer Networks, Elsevier Science Press, volume 33, pages 51-58, 2000. David P. Kormann and Aviel D. Rubin, Risks of the Passport Single Signon Protocol, Computer Networks, Elsevier Science Press, volume 33, pages 51-58, 2000. SSL Token = 3DES encrypted authentication info!using key merchant shares with passport server Also set cookie at browser  User interface is confusing and may misrepresent the reality  Weak keys may be used for 3DES  Single key is used to encrypt cookies for all clients  Cookies stay on machine, can be stolen o No authenticator (timestamp), like in Kerberos, enables reuse by others  Coupling of Hotmail with Passport David P. Kormann and Aviel D. Rubin, Risks of the Passport Single Signon Protocol, Computer Networks, Elsevier Science Press, volume 33, pages 51-58, 2000. Read more at http://avirubin.com/passport.html  Multiple federated identity providers o E.g. ISPs register own users o One can rely on claims made by other ID providers  Claims o Emails, relationships, authorization for scenarios, ownership of private/public key pair  Need “translators” for different claim languages  Design criteria was most of the issues addressed by Federated Passport, i.e. no central authority  Use SAML (Security Association Markup Language) to describe trust across authorities, and what assertions mean from particular authorities  Four assurance levels o How much we trust a given identity assertion o Little, some, high and very high


View Full Document

USC CSCI 530 - 2.1

Download 2.1
Our administrator received your request to download this document. We will send you the file to your email shortly.
Loading Unlocking...
Login

Join to view 2.1 and access 3M+ class-specific study document.

or
We will never post anything without your permission.
Don't have an account?
Sign Up

Join to view 2.1 2 2 and access 3M+ class-specific study document.

or

By creating an account you agree to our Privacy Policy and Terms Of Use

Already a member?