1 / 12

Bishop: Chapter 14 Representing Identity

Bishop: Chapter 14 Representing Identity. Outline. Introduction Naming & Certificates Identity on the web Anonymity. What is identity ?. An identity specifies a principal. A principal is a unique entity. What can be an entity ? Subjects : users, groups, roles

margiec
Download Presentation

Bishop: Chapter 14 Representing Identity

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Bishop: Chapter 14Representing Identity csci5233 Computer Security

  2. Outline • Introduction • Naming & Certificates • Identity on the web • Anonymity csci5233 Computer Security

  3. What is identity? • An identity specifies a principal. • A principal is a unique entity. • What can be an entity? • Subjects: users, groups, roles e.g., a user identification number (UID) identifies a user in a UNIX system • Objects: files, web pages, etc. + subjects e.g., an URL identifies an object by specifying its location and the protocol used (such as http://sce.cl.uh.edu/). csci5233 Computer Security

  4. Authentication vs identity • Authentication binds a principal to a representation of identity internal to the computer. • Two main purposes of using identities: • Accountability (logging, auditing) • Access control csci5233 Computer Security

  5. Identity Naming and Certificates • In X.509 certificates, distinguished names (that is, X.500 Distinguished Name) are used to identify entities. e.g., /O=UHCL/OU=SCE/CN=Andrew Yang/L=Houston/SP=Texas/C=US e.g., /O=UHCL/OU=SCE/CN=UnixLabAdministrator/L=Houston/SP=Texas/C=US • A certification authority (CA) vouches, at some level, for the identity of the principals to which the certificate is issued. csci5233 Computer Security

  6. Structure of CAs • [RFC 1422, S. Kent, 1993] Privacy Enhancement for internet Electronic Mail: Part II, Certificate-Based Key Management • The certificate-based key management infrastructure organizes CAs into a hierarchical, tree-based structure. • Each node in the tree corresponds to a CA. • A Higher-level CA set policies that all subordinate CAs must follow; it certifies the subordinate CAs. csci5233 Computer Security

  7. Certificates & Trust • A certificate is the binding of an external identity to a cryptographic key and a Distinguished Name. • If the certificate issuer can be fooled, all who rely on that certificate may also be fooled. • The authentication policy defines the way in which principals prove their identities, relying on nonelectronic proofs of identity such as biometrics, documents, or personal knowledge. csci5233 Computer Security

  8. Certificates & Trust • The goal of certificates is to bind a correct pair of identity and public key. • PGP certificates include a series of signature fields, each of which contains a level of trust. • The OpenPGP specification defines 4 levels of trusts: • Generic: no assertions • Persona (i.e., anonymous): no verification of the binding between the user name and the principal • Casual: some verification • Positive: substantial verification csci5233 Computer Security

  9. Certificates & Trust • Issues with the OpenPGP’s levels of trusts: The trust is not quantifiable. The same terms (such as ‘substantial verification’) can imply different levels of assurance to different signers. The interpretations are left to the verifiers. • The point: “Knowing the policy or the trust level with which the certificate is signed is not enough to evaluate how likely it is that the identity identifies the correct principal.” Other knowledge is needed: e.g., how the CA or signer interprets the policy and enforces its requirements csci5233 Computer Security

  10. Identity on the Internet csci5233 Computer Security

  11. Summary • Naming of identities & Certificates • Identity on the web • Anonymity csci5233 Computer Security

  12. Next • Chapter 27: system security csci5233 Computer Security

More Related