Bishop: Chapter 14 Representing Identity - PowerPoint PPT Presentation

1 / 13

About This Presentation

Title:

Bishop: Chapter 14 Representing Identity

Description:

Number of Views:93

Avg rating:3.0/5.0

Slides: 14

Provided by: T168

Learn more at: http://sceweb.sce.uhcl.edu

Category:

more less

Transcript and Presenter's Notes

Title: Bishop: Chapter 14 Representing Identity

1
Bishop Chapter 14Representing Identity
2
Outline

3
What is identity?

An identity specifies a principal.
A principal is a unique entity.
What can be an entity?
Subjects users, groups, roles
e.g., a user identification number (UID)
identifies a user in a UNIX system
Objects files, web pages, etc. subjects
e.g., an URL identifies an object by specifying
its location and the protocol used (such as
http//sce.cl.uh.edu/).

4
Authentication vs identity

Authentication binds a principal to a
representation of identity internal to the
computer.
Two main purposes of using identities
Accountability (logging, auditing)
Access control

5
Identity Naming and Certificates

In X.509 certificates, distinguished names (that
is, X.500 Distinguished Name) are used to
identify entities.
e.g., /OUHCL/OUSCE/CNAndrew Yang/LHouston/SPT
exas/CUS
e.g., /OUHCL/OUSCE/CNUnixLabAdministrator/LHou
ston/SPTexas/CUS
A certification authority (CA) vouches, at some
level, for the identity of the principals to
which the certificate is issued.

6
Structure of CAs

RFC 1422, S. Kent, 1993 Privacy Enhancement for
internet Electronic Mail Part II,
Certificate-Based Key Management
The certificate-based key management
infrastructure organizes CAs into a hierarchical,
tree-based structure.
Each node in the tree corresponds to a CA.
A Higher-level CA set policies that all
subordinate CAs must follow it certifies the
subordinate CAs.

7
Certificates Trust

A certificate is the binding of an external
identity to a cryptographic key and a
Distinguished Name.
If the certificate issuer can be fooled, all who
rely on that certificate may also be fooled.
The authentication policy defines the way in
which principals prove their identities, relying
on nonelectronic proofs of identity such as
biometrics, documents, or personal knowledge.

8
Certificates Trust

The goal of certificates is to bind a correct
pair of identity and public key.
PGP certificates include a series of signature
fields, each of which contains a level of trust.
The OpenPGP specification defines 4 levels of
trusts
Generic no assertions
Persona (i.e., anonymous) no verification of the
binding between the user name and the principal
Casual some verification
Positive substantial verification

9
Certificates Trust

Issues with the OpenPGPs levels of trusts
The trust is not quantifiable.
The same terms (such as substantial
verification) can imply different levels of
assurance to different signers.
The interpretations are left to the verifiers.
The point
Knowing the policy or the trust level with which
the certificate is signed is not enough to
evaluate how likely it is that the identity
identifies the correct principal.
Other knowledge is needed e.g., how the CA or
signer interprets the policy and enforces its
requirements

10
Identity on the Internet

11
Domain Name Services

DNS provides an association between a host name
and an IP address.
If the association is corrupted, the identifier
in question will be associated with the wrong
host (sometimes the malicious one).
Attacks on the DNS Bellovin, Schuba

12
State and Cookies

The HTTP protocol is a stateless protocol
basically request/response
Other mechanisms (such as cookies or sessions)
are needed to maintain states between a client
and a server.
Def. 14-4 A cookie is a token that contains
information about the state of a transaction on a
network.
pp.369-370 Values in the cookies
Cookies may contain sensitive information.
Protecting the confidentiality of the cookies may
be critical.

13
Anonymity on the Web