Bishop: Chapter 14 Representing Identity csci 5233 Computer Security 1
Outline • Introduction • Naming & Certificates • Identity on the web • Anonymity csci 5233 Computer Security 2
What is identity? • An identity specifies a principal. – A principal is a unique entity. – What can be an entity? • Subjects: users, groups, roles e. g. , a user identification number (UID) identifies a user in a UNIX system • Objects: files, web pages, etc. + subjects e. g. , an URL identifies an object by specifying its location and the protocol used (such as http: //sce. cl. uh. edu/). csci 5233 Computer Security 3
Authentication vs identity • Authentication binds a principal to a representation of identity internal to the computer. • Two main purposes of using identities: – Accountability (logging, auditing) – Access control csci 5233 Computer Security 4
Identity Naming and Certificates • In X. 509 certificates, distinguished names (that is, X. 500 Distinguished Name) are used to identify entities. e. g. , /O=UHCL/OU=SCE/CN=Andrew Yang/L=Houston/SP=Texas/C=US e. g. , • /O=UHCL/OU=SCE/CN=Unix. Lab. Administrator/L=Ho uston/SP=Texas/C=US A certification authority (CA) vouches, at some level, for the identity of the principals to which the certificate is issued. csci 5233 Computer Security 5
![Structure of CAs • • [RFC 1422, S. Kent, 1993] Privacy Enhancement for internet](https://present5.com/presentation/ff42d10e9f4304f99c894157432ffc7e/image-6.jpg "Structure of CAs • • [RFC 1422, S. Kent, 1993] Privacy Enhancement for internet")
Structure of CAs • • [RFC 1422, S. Kent, 1993] Privacy Enhancement for internet Electronic Mail: Part II, Certificate. Based Key Management The certificate-based key management infrastructure organizes CAs into a hierarchical, tree-based structure. Each node in the tree corresponds to a CA. A Higher-level CA set policies that all subordinate CAs must follow; it certifies the subordinate CAs. csci 5233 Computer Security 6
Certificates & Trust • A certificate is the binding of an external identity to a cryptographic key and a Distinguished Name. • If the certificate issuer can be fooled, all who rely on that certificate may also be fooled. • The authentication policy defines the way in which principals prove their identities, relying on nonelectronic proofs of identity such as biometrics, documents, or personal knowledge. csci 5233 Computer Security 7
Certificates & Trust • The goal of certificates is to bind a correct pair of identity and public key. • PGP certificates include a series of signature fields, each of which contains a level of trust. • The Open. PGP specification defines 4 levels of trusts: 1. Generic: no assertions 2. Persona (i. e. , anonymous): no verification of the binding between the user name and the principal 3. Casual: some verification 4. Positive: substantial verification csci 5233 Computer Security 8
Certificates & Trust • Issues with the Open. PGP’s levels of trusts: The trust is not quantifiable. The same terms (such as ‘substantial verification’) can imply different levels of assurance to different signers. The interpretations are left to the verifiers. • The point: “Knowing the policy or the trust level with which the certificate is signed is not enough to evaluate how likely it is that the identity identifies the correct principal. ” Other knowledge is needed: e. g. , how the CA or signer interprets the policy and enforces its requirements csci 5233 Computer Security 9
Identity on the Internet csci 5233 Computer Security 10
Summary • Naming of identities & Certificates • Identity on the web • Anonymity csci 5233 Computer Security 11
Next • Chapter 27: system security csci 5233 Computer Security 12
Скачать презентацию Bishop Chapter 14 Representing Identity csci 5233 Computer
ff42d10e9f4304f99c894157432ffc7e.ppt