PowerPoint Slideshow about 'Bishop: Chapter 14 Representing Identity' - keona
Bishop: Chapter 14 Representing Identity

csci5233 Computer Security

Outline
  • Introduction
  • Naming & Certificates
  • Identity on the web
  • Anonymity


What is identity?
  • An identity specifies a principal.
    • A principal is a unique entity.
    • What can be an entity?
      • Subjects: users, groups, roles
        e.g., a user identification number (UID) identifies a user in a UNIX system
      • Objects: files, web pages, etc. + subjects
        e.g., a URL identifies an object by specifying its location and the protocol used (such as


Authentication vs identity
  • Authentication binds a principal to a representation of identity internal to the computer.
  • Two main purposes of using identities:
    • Accountability (logging, auditing)
    • Access control


Identity Naming and Certificates
  • In X.509 certificates, distinguished names (that is, X.500 Distinguished Names) are used to identify entities.
    e.g., /O=UHCL/OU=SCE/CN=Andrew Yang/L=Houston/SP=Texas/C=US
    e.g., /O=UHCL/OU=SCE/CN=UnixLabAdministrator/L=Houston/SP=Texas/C=US
  • A certification authority (CA) vouches, at some level, for the identity of the principal to which the certificate is issued.
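The distinguished names on the slide are written in the slash-separated "oneline" form that OpenSSL prints. As an added example (not from the slides or from Bishop's text), the Python below parses that form into its relative distinguished names, converts it to the comma-separated RFC 4514 form with the escaping that form requires, and compares two DNs under a simplified case-insensitive match. It assumes the slide's SP abbreviation denotes the same attribute as OpenSSL's ST (stateOrProvinceName); the DN values are the slide's own, and "Acme, Inc." is a constructed value used only to show escaping.

```python
"""Parse and normalise X.500 distinguished names in OpenSSL's slash-separated
"oneline" form, as on the slide: /O=UHCL/OU=SCE/CN=Andrew Yang/L=Houston/SP=Texas/C=US
(added example; the names are the slide's illustrative values)."""
from typing import List, Tuple

RDN = Tuple[str, str]  # (attribute type, value), e.g. ("CN", "Andrew Yang")

# Attribute types accepted here. "SP" is the abbreviation the slide uses for
# stateOrProvinceName; RFC 4514 and OpenSSL print it as "ST", so both are taken
# as the same attribute (assumption made by this example).
ATTRIBUTE_TYPES = {
    "C": "countryName", "ST": "stateOrProvinceName", "SP": "stateOrProvinceName",
    "L": "localityName", "O": "organizationName", "OU": "organizationalUnitName",
    "CN": "commonName",
}
CANONICAL_SHORT = {"SP": "ST"}  # emit the RFC 4514 registered short name


def parse_oneline_dn(dn: str) -> List[RDN]:
    """Split '/O=UHCL/OU=SCE/CN=Andrew Yang' into [('O', 'UHCL'), ('OU', 'SCE'), ...].

    The oneline format has no escaping, so a value containing '/' cannot be
    represented; empty or unknown components are rejected rather than guessed at.
    """
    if not dn.startswith("/"):
        raise ValueError("oneline DN must start with '/'")
    rdns: List[RDN] = []
    for component in dn[1:].split("/"):
        attr, sep, value = component.partition("=")
        attr = attr.strip().upper()
        if not sep or attr not in ATTRIBUTE_TYPES:
            raise ValueError(f"malformed or unknown RDN component: {component!r}")
        if not value:
            raise ValueError(f"empty value for {attr}")
        rdns.append((attr, value))
    return rdns


def _escape_rfc4514(value: str) -> str:
    """Escape the characters RFC 4514 section 2.4 requires escaping in a value:
    a leading '#' or space, a trailing space, and , + " \\ < > ; anywhere."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;':
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ch == " " and i in (0, last):
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def to_rfc4514(rdns: List[RDN]) -> str:
    """RFC 4514 writes the most specific RDN first, so OpenSSL's order is reversed."""
    return ",".join(f"{CANONICAL_SHORT.get(attr, attr)}={_escape_rfc4514(value)}"
                    for attr, value in reversed(rdns))


def normalise(rdns: List[RDN]) -> List[Tuple[str, str]]:
    """Simplified X.520 caseIgnoreMatch: fold case, collapse runs of whitespace,
    and map each short type to its full attribute name so SP and ST compare equal."""
    return [(ATTRIBUTE_TYPES[attr], " ".join(value.split()).casefold())
            for attr, value in rdns]


def dn_equal(a: str, b: str) -> bool:
    """Do two oneline DNs name the same entity under the simplified matching rule?"""
    return normalise(parse_oneline_dn(a)) == normalise(parse_oneline_dn(b))


if __name__ == "__main__":
    dn = "/O=UHCL/OU=SCE/CN=Andrew Yang/L=Houston/SP=Texas/C=US"
    print(to_rfc4514(parse_oneline_dn(dn)))   # C=US,ST=Texas,L=Houston,CN=Andrew Yang,OU=SCE,O=UHCL
    print(dn_equal(dn, "/O=uhcl/OU=SCE/CN=andrew  yang/L=Houston/ST=Texas/C=US"))  # True
```

The matching rule matters for the slide's point about binding identities: a relying party that compares DNs byte-for-byte will treat the two spellings above as different principals, while one using attribute-aware matching will treat them as the same, so the comparison rule is part of what the identity means.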


Structure of CAs
  • [RFC 1422, S. Kent, 1993] Privacy Enhancement for Internet Electronic Mail: Part II, Certificate-Based Key Management
  • The certificate-based key management infrastructure organizes CAs into a hierarchical, tree-based structure.
  • Each node in the tree corresponds to a CA.
  • A higher-level CA sets policies that all subordinate CAs must follow; it certifies the subordinate CAs.
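To make the tree-based structure concrete, here is an added Python model (not from the slides, from Bishop, or from RFC 1422's actual certificate formats). Each CA's policy is reduced to the set of organisations it may issue certificates for, a parent refuses to certify a subordinate whose policy is wider than its own, and validation walks from the issuing CA up to the trusted root, checking at every link that the parent really certified the child and that the policies nest. No real signatures are involved; "Root CA", "UHCL CA", "UHCL SCE CA", "Rogue CA" and the organisation "OtherUniv" are constructed names.

```python
"""Toy model of the RFC 1422 certification hierarchy described on the slide:
CAs form a tree, a higher-level CA certifies its subordinates, and its policy
bounds what they may issue. There are no real signatures here; a CA "certifies"
a subordinate by recording it, and the policy is reduced to the set of
organisations a CA may issue for (the analogue of an X.509 name constraint).
All CA and subject names are constructed for this added example."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class CA:
    name: str
    permitted_orgs: Set[str]                                   # policy inherited from the parent
    parent: Optional["CA"] = field(default=None, repr=False)   # None for the root of the tree
    subordinates: Dict[str, "CA"] = field(default_factory=dict, repr=False)

    def certify_subordinate(self, name: str, permitted_orgs: Set[str]) -> "CA":
        """A higher-level CA certifies a subordinate only if the subordinate's
        policy is no wider than its own; otherwise the request is refused."""
        excess = permitted_orgs - self.permitted_orgs
        if excess:
            raise ValueError(f"{name}: policy exceeds {self.name} by {sorted(excess)}")
        child = CA(name, set(permitted_orgs), parent=self)
        self.subordinates[name] = child
        return child


@dataclass
class EndEntityCert:
    subject_org: str     # the O= component of the subject's distinguished name
    subject_cn: str      # the CN= component
    issuer: CA


def chain_to_root(cert: EndEntityCert) -> List[CA]:
    """Walk issuer links upward: [issuing CA, its parent, ..., root]."""
    chain, ca = [], cert.issuer
    while ca is not None:
        chain.append(ca)
        ca = ca.parent
    return chain


def validate(cert: EndEntityCert, trusted_root: CA) -> List[str]:
    """Return the problems found with the chain; an empty list means acceptable."""
    problems: List[str] = []
    chain = chain_to_root(cert)
    if chain[-1] is not trusted_root:
        problems.append(f"chain ends at {chain[-1].name}, not the trusted root")
    # Each link: the parent must really have certified this CA (a CA that merely
    # claims a parent is not part of the tree), and the policies must nest.
    for child, parent in zip(chain, chain[1:]):
        if parent.subordinates.get(child.name) is not child:
            problems.append(f"{child.name} was not certified by {parent.name}")
        if not child.permitted_orgs <= parent.permitted_orgs:
            problems.append(f"{child.name} policy is wider than {parent.name}")
    # Finally the end entity itself must fall within the issuing CA's policy.
    if cert.subject_org not in cert.issuer.permitted_orgs:
        problems.append(f"{cert.issuer.name} may not issue for O={cert.subject_org}")
    return problems


def build_example_tree():
    """Root -> UHCL CA -> UHCL SCE CA, each level narrowing the policy."""
    root = CA("Root CA", {"UHCL", "OtherUniv"})
    uhcl = root.certify_subordinate("UHCL CA", {"UHCL"})
    sce = uhcl.certify_subordinate("UHCL SCE CA", {"UHCL"})
    return root, uhcl, sce


if __name__ == "__main__":
    root, uhcl, sce = build_example_tree()
    print(validate(EndEntityCert("UHCL", "Andrew Yang", sce), root))     # []
    print(validate(EndEntityCert("OtherUniv", "Someone", sce), root))    # policy violation
    rogue = CA("Rogue CA", {"UHCL"}, parent=uhcl)  # claims a parent that never certified it
    print(validate(EndEntityCert("UHCL", "Someone", rogue), root))       # not certified
```

The model shows why the hierarchy is more than an organisational chart: a subordinate is constrained by every policy above it, and a verifier that only checked the leaf's issuer, without walking to a trusted root and confirming each link, would accept the rogue CA.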


Certificates & Trust
  • A certificate is the binding of an external identity to a cryptographic key and a Distinguished Name.
  • If the certificate issuer can be fooled, all who rely on that certificate may also be fooled.
  • The authentication policy defines the way in which principals prove their identities, relying on nonelectronic proofs of identity such as biometrics, documents, or personal knowledge.


Certificates & Trust
  • The goal of certificates is to bind a correct pair of identity and public key.
  • PGP certificates include a series of signature fields, each of which contains a level of trust.
  • The OpenPGP specification defines four levels of trust:
    • Generic: no assertions
    • Persona (i.e., anonymous): no verification of the binding between the user name and the principal
    • Casual: some verification
    • Positive: substantial verification


Certificates & Trust
  • Issues with OpenPGP’s levels of trust:
    • The trust is not quantifiable.
    • The same terms (such as ‘substantial verification’) can imply different levels of assurance to different signers.
    • The interpretations are left to the verifiers.
  • The point:
    • “Knowing the policy or the trust level with which the certificate is signed is not enough to evaluate how likely it is that the identity identifies the correct principal.”
    • Other knowledge is needed: e.g., how the CA or signer interprets the policy and enforces its requirements.


Identity on the Internet
  • Naming of identities & Certificates
  • Identity on the web
  • Anonymity

  • Chapter 27: system security