Security Architecture - PowerPoint PPT Presentation

Slides: 50
Provided by: compu47
Transcript and Presenter's Notes

Title: Security Architecture


1
Security Architecture
  • Prof. Vijay Varadharajan
  • Professor and Microsoft Chair in Computing

3
Security Architecture
  • Security Threats
  • Security Services
  • Security Mechanisms
  • Security Building Blocks

4
Security Threats
  • Masquerading
  • Unauthorized Access
  • Unauthorized Disclosure of Information
  • Unauthorized Modification of Information
  • Repudiation of Action

5
Security Service
  • Security Information/Attributes
  • Security Mechanisms and Rules
  • Security Authorities

6
Identification and Authentication Service
  • Provides the confidence that at the time of
    request, an entity is not attempting to
    masquerade or to mount a replay attack
  • Identification associates an
    identifier with an entity

7
Identification and Authentication Service
  • Authentication Information
  • Something known to an entity: password, key
  • Possession of something physical: card
  • Some immutable characteristic of a user: retinal
    scan
  • Context: location of the entity, time

8
Identification and Authentication
  • Authentication Methods and Mechanisms
  • Model
  • Claimant: Entity which is to be authenticated
  • Verifier: Entity which verifies the identity
    of the Claimant
  • Simple Password
  • Claimant presents password/key to Verifier
  • Vulnerable to Eavesdropping attack

9
Identification and Authentication
  • Protect Authentication Information using
    Cryptography or One-Way Hash functions
  • Claimant encrypts password/key and presents it
    to Verifier
  • Vulnerable to Replay attack

10
Identification and Authentication
  • Authentication Methods and Mechanisms
  • Protect against disclosure and replay
  • Using Cryptographic Chaining Techniques
  • Using some unique information
  • suitably enciphered timestamp, random number

11
Identification and Authentication
  • Challenge-Response
  • Claimant Makes an Authentication Request
  • Verifier Provides a Challenge
  • Claimant Transforms Challenge using his
    Authentication Information to produce the
    Response
  • Verifier Checks the Response
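
The progression on slides 9 to 11, as an added example that is not part of the original slides: a one-way-hashed secret sent without a challenge can be replayed, while a response computed over a fresh, single-use challenge cannot. HMAC-SHA256 as the transform, the class and function names, and the sample key are assumptions made for this sketch.

```python
import hashlib
import hmac
import secrets

class Verifier:
    """Holds the key shared with the Claimant and issues single-use challenges."""
    def __init__(self, key: bytes):
        self._key = key
        self._outstanding = set()  # challenges issued and not yet answered

    def check_static(self, token: bytes) -> bool:
        # One-way-hashed secret with no challenge: the token never changes.
        return hmac.compare_digest(token, hashlib.sha256(self._key).digest())

    def new_challenge(self) -> bytes:
        # Verifier provides a challenge: fresh random bytes for every request.
        challenge = secrets.token_bytes(16)
        self._outstanding.add(challenge)
        return challenge

    def check_response(self, challenge: bytes, response: bytes) -> bool:
        # Verifier checks the response; each challenge is accepted once only.
        if challenge not in self._outstanding:
            return False
        self._outstanding.discard(challenge)
        expected = hmac.new(self._key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(response, expected)

def claimant_response(key: bytes, challenge: bytes) -> bytes:
    # Claimant transforms the challenge using its authentication information.
    return hmac.new(key, challenge, hashlib.sha256).digest()

def demo() -> dict:
    key = b"constructed-demo-key"  # constructed sample secret
    verifier = Verifier(key)
    # Messages an eavesdropper could record from one legitimate run of each scheme.
    recorded_static = hashlib.sha256(key).digest()
    c1 = verifier.new_challenge()
    recorded_response = claimant_response(key, c1)
    first_run_ok = verifier.check_response(c1, recorded_response)
    c2 = verifier.new_challenge()  # what the Verifier issues on the next request
    return {
        "first_run_ok": first_run_ok,
        "static_replay_accepted": verifier.check_static(recorded_static),
        "replay_old_challenge": verifier.check_response(c1, recorded_response),
        "replay_new_challenge": verifier.check_response(c2, recorded_response),
    }
```

The static token is accepted again on replay; the recorded response fails both against its own, already-consumed challenge and against any later one.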

12
Identification and Authentication
  • Authentication Authorities
  • Authentication between Parties
  • One-Way
  • Mutual

13
Identification and Authentication
  • General Situation
  • Trusted Authority based Authentication
  • Simple Model
  • Trusted Authority Authenticates Claimant
  • Trusted Authority Proves the Claimant's
    Authenticity to Verifier
  • Both Claimant and Verifier Trust the Authority
  • Trusted Authorities
  • Authentication Servers, Certification Servers,
    Key Management Servers

14
Access Control and Authorization Service
  • Limits and Controls access to information and
    resources
  • Model: Initiator and Target Entities
  • (Diagram labels: Initiator, Target, Access Control)

15
Access Control and Authorization Service
  • Access Control Information
  • Individual identities of initiators and targets
  • Group identities of initiators and targets
  • Security labels of initiators (clearances) and
    targets (classification)
  • Roles
  • Actions or operations that can be allowed to be
    performed on the Target
  • Contextual information: routing, location, time
    periods

16
Access Control and Authorization Service
  • Access Control Policy
  • Rules that define the conditions under which
    initiators can access targets
  • Traditional Access Policies
  • Rule-based Policies: Mandatory Access Control
  • Rules apply to all entities and information
  • System has access enforcement mechanisms
  • Security Labels: Clearance and Classification
  • Identity-based Policies
  • Individualized access control information such as
    Identity or Role
  • Discretionary: Allows user/administrator to
    control access as they see fit

17
Access Control and Authorization Service
  • Access Control Mechanisms
  • Access Control Lists (ACL)
  • Target's ACL: List of Initiators and/or
    Operations
  • Initiators: Individual Identity, Group Identity,
    Role
  • Operations: Permitted and/or Forbidden
  • ACLs convenient
  • Fine granularity access control is required
  • A Few Initiators
  • ACLs Not Convenient
  • When Initiator population is frequently changing
  • Revocation
  • Modification of ACLs

18
Access Control and Authorization Service
  • Access Control Mechanisms
  • Capabilities
  • Target and Authorized Operations on the Target
  • Target: Individual Identity, Group Identity,
    Role
  • Operations: Permitted and/or Forbidden
  • Can also identify Initiators
  • Must be unforgeable
  • Convenient
  • Many Initiators accessing a Few Targets
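
One way to meet the "must be unforgeable" requirement, as an added example that is not part of the original slides: the issuing authority protects each capability with a keyed integrity check that the target re-computes before honouring it. The HMAC-SHA256 construction, the JSON encoding, and all names and sample values are assumptions made for this sketch.

```python
import hashlib
import hmac
import json

AUTHORITY_KEY = b"constructed-authority-key"  # constructed; held by issuer and target only

def _tag(body: bytes) -> str:
    return hmac.new(AUTHORITY_KEY, body, hashlib.sha256).hexdigest()

def issue_capability(target: str, operations: list, initiator: str = None) -> dict:
    """Issue a capability naming the target, the permitted operations and,
    optionally, the initiator it is bound to."""
    fields = {"target": target, "operations": sorted(operations), "initiator": initiator}
    body = json.dumps(fields, sort_keys=True).encode()
    return {"fields": fields, "tag": _tag(body)}

def target_allows(cap: dict, target: str, operation: str, presenter: str) -> bool:
    """Check run by the target when an initiator presents a capability."""
    body = json.dumps(cap["fields"], sort_keys=True).encode()
    if not hmac.compare_digest(cap["tag"], _tag(body)):
        return False  # forged or modified capability
    f = cap["fields"]
    if f["target"] != target or operation not in f["operations"]:
        return False
    # A capability that identifies an initiator is valid only for that initiator.
    return f["initiator"] is None or f["initiator"] == presenter

def demo() -> dict:
    bearer = issue_capability("payroll.db", ["read"])
    bound = issue_capability("payroll.db", ["read", "write"], initiator="alice")
    # Holder edits the operations list but cannot recompute the tag.
    forged = {"fields": dict(bearer["fields"], operations=["read", "write"]),
              "tag": bearer["tag"]}
    return {
        "bearer_read": target_allows(bearer, "payroll.db", "read", "bob"),
        "bearer_write": target_allows(bearer, "payroll.db", "write", "bob"),
        "forged_write": target_allows(forged, "payroll.db", "write", "bob"),
        "bound_alice": target_allows(bound, "payroll.db", "write", "alice"),
        "bound_bob": target_allows(bound, "payroll.db", "write", "bob"),
    }
```

Unlike an ACL, the target keeps no per-initiator list here: it needs only the verification key, which is why capabilities suit many initiators accessing a few targets.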

19
Access Control and Authorization Service
  • Access Control Mechanisms
  • Security Labels
  • Secrecy Levels, Integrity Levels, Security
    Compartments
  • Access allowed when Initiator's Security Labels
    match with those of the Target
  • Operation match defined by Access Policy
  • Convenient
  • Many Initiators accessing Many protected Targets
  • Coarse level of granularity of access control

23
Information Confidentiality Service
  • Provides protection of information from
    unauthorized disclosure
  • Encryption Mechanisms
  • Symmetric Key and Public Key Schemes
  • Security Information
  • Keys
  • Security Authorities
  • Key Management
  • Certification

24
Information Integrity Service
  • Mechanisms: Cryptographic Techniques,
    Chaining Techniques
  • Security Information
  • Keys/Parameters associated with Integrity
    Algorithms
  • Security Authorities
  • Key Management

25
Information Integrity Service
  • Provides protection of information from
    unauthorized modification
  • Alteration, Insertion, Deletion, Replay
  • Generation of Integrity Checks (at the
    originating end)
  • Verification of Integrity Checks (at the
    receiving end)

26
Information Integrity Service
  • Mechanisms: Cryptographic Techniques,
    Chaining Techniques
  • Security Information
  • Keys/Parameters associated with Integrity Checks
    Algorithms
  • Security Authorities
  • Key Management

27
Non-Repudiation Service
  • Provides proof of certain action
  • Origin or delivery of information
  • Protects
  • an originator against false denial by the
    recipient
  • a recipient against the false denial by the
    originator
  • Requires a Trusted Third Party: Arbitration of
    Disputes

28
Non-Repudiation Service
  • Service must be in place prior to information
    transfer
  • Common Mechanisms: Digital Signatures
  • Sender's Signature: Non-Repudiation of Origin
  • Receiver's Signature of Proof-of-Delivery:
    Non-Repudiation of Delivery

29
Non-Repudiation Service
  • Classification of Service
  • Basic Non-Repudiation
  • Assurance about the time of event
  • Assurance about the content
  • Security Information
  • Keys/Parameters associated with Digital
    Signatures
  • Security Authorities
  • Key Management
  • Certification

30
Auditing Service
  • Not directly involved in the prevention of
    security violations but assists their detection
  • Test the adequacy of the security controls and
    the conformance of the system with the security
    policy

31
Auditing Service
  • Mechanisms
  • Definition of security related events to be
    audited
  • Definition of audit record
  • Definition and generation of security alarms and
    actions
  • Storage and Analysis of audit trails

32
Auditing Service
  • Authorities
  • Audit Policy Management Authority
  • Audit Agents
  • Audit Service itself requires
  • integrity, authentication and confidentiality
    services

33
Denial of Service
  • Can be regarded as an extreme case of information
    modification in which the information transfer is
    either blocked or delayed
  • Confidentiality, Integrity and Authentication
    Detect Some Attacks

34
Denial of Service
  • Measure
  • Periodic exchange of information between entities
  • Greater the frequency, shorter the
    time, greater the reduction in
    effective bandwidth

35
Security Management
  • Security Policy Management
  • Security Service Management
  • Security of Management Functions

36
Security Management
  • Security Policy Management
  • Related to Business and Organization
  • Different Managers Responsible
  • Different parts of the Organization
  • Different functions of the Organization

37
Security Management
  • Security Policy Management
  • Different levels of Policies
  • Sub-Organization/Project/Application Levels
  • Separation of Responsibilities
  • Enabling Static Delegation of Responsibility in a
    Hierarchical Manner

38
Security Management
  • Security Service Management
  • Management of Security Information
  • Specification of Mechanisms and Rules
  • Selection of Security Mechanisms
  • Interaction with Security Services

39
Security Management
  • Authentication Management
  • Associating authentication information
    (passwords, identities, tokens, keys) to system
    entities
  • Updating, modifying and revoking authentication
    information
  • Assisting in the verification process

40
Security Management
  • Access Control Management
  • Associating access control information (ACLs,
    Capabilities, Labels, Roles, etc) to system
    entities
  • Establishing and enforcing access control rules
  • Updating, modifying and revoking access control
    information and rules

41
Security Management
  • Key Management
  • Generation of Keys
  • Maintenance of Keys
  • Distribution of Keys
  • Updating, Modifying and Removal of Keys

42
Security Management
  • Audit Management
  • Definition and selection of security relevant
    events
  • Enabling/Disabling of audit trail logging of
    selected events
  • Analysis of audit trails
  • Preparation of audit reports

43
Security Management
  • Security of Management Functions
  • Securing Management Information
  • Security of Management Protocols and
    Communications
  • E.g. Network Administration System

47
Networked Computing Security Solutions
  • (Diagram) Sectors: Defence, Telecom, Medical,
    Finance, Internet Commerce and Services
  • Security Management
  • Stack labels: USERS, AP, OMF, OS, HW, Network
  • Security services: Confidentiality,
    Authentication, Access Control, Non-Repudiation,
    Auditing, Integrity
  • Legend: AP = Application, OMF = Object Mgmt.
    Facility, OS = Operating System, HW = Hardware

48
Networked Computing Security Services
  • (Diagram) User-side labels: Personal Inf, User,
    Smart, Appliances, Card, Login
  • Application labels: App A, App B, ACI;
    Encryption, Signature, Hashing (shown twice)
  • Servers: Audit/Monit Server, TTP (e.g. Notary,
    Arbitration), Directory Server, AuthN/Cert
    Server, AuthZ Server

49
Security