Purdue University
Pag. 1
Elisa Bertino
Identity
Elisa Bertino
CERIAS and CS & ECE Departments
Purdue University
Topics
(Chapter 13 of Textbook)
What is identity
Identity for objects (referred to as naming mechanisms)
Identity for users
Multiple names for one thing
Different contexts, environments
Pseudonymity and anonymity
Overview
A simple definition of identity
Object naming
Users, principals, and subjects
Certificates and names
Hosts and domains
State and cookies
Anonymity
A Definition of Identity
Identity is simply a computer's representation of an entity.
Identity depends on the context in which the object or user is referenced.
Object Naming
Identity depends on the system containing the object
Different names for one object
  Human use, e.g. file name
  Process use, e.g. file descriptor or handle
  Kernel use, e.g. file allocation table entry, inode
In databases, content information (for example, primary keys) is used to identify single records
Object Naming
Different names for one context
  Human: aliases, relative vs. absolute path names
  Kernel: deleting a file identified by name can mean two things:
    Delete the object that the name identifies
    Delete the name given, and do not delete the actual object until all names have been deleted
Semantics of names may differ
Example: Names and Descriptors
Interpretation of UNIX file name
  Kernel maps name into an inode using an iterative procedure
Interpretation of UNIX file descriptor
  Refers to a specific inode
  Refers to the same inode from creation to deallocation
Example: Different Systems
Object name must encode location or pointer to location
  rsh, ssh style: host:object
  URLs: protocol://host/object
Example:
Certificates are issued by certification authorities (CA). A CA handles the certificates on behalf of its constituency and takes some sort of liability for having performed the necessary trust and security checks.
Naming and Certificates
Certificates are issued to a principal
Principals need to be uniquely identified to avoid ambiguities
Problem: names may be ambiguous
  Does the name "Matt Bishop" refer to:
    The author of the textbook?
    A programmer in Australia?
    A stock car driver in Muncie, Indiana?
    Someone else who was named "Matt Bishop"?
Disambiguating Identity
Include ancillary information in names
  Enough to identify each principal uniquely
X.509v3 Distinguished Names provide an approach to the unique identification of each principal
  A distinguished name (DN) consists of a series of fields, each with a key and a value
Example: X.509v3 DN
  /O=University of California/OU=Davis campus/OU=Department of Computer Science/CN=Matt Bishop/
  refers to the Matt Bishop (CN is common name) in the Department of Computer Science (OU is organizational unit) on the Davis Campus of the University of California (O is organization)
  /O=Microsoft Corporation/OU=Quality assurance/CN=Matt Bishop/
  refers to the Matt Bishop that works at Microsoft
CAs and Policies
Each CA has two main policies controlling how it issues certificates:
  CA's authentication policy describes the level of authentication required to identify the principal to whom the certificate is to be issued
  CA's issuance policy describes the principals to whom the CA will issue certificates
The difference between these two types of policies is as follows:
  The first simply establishes the level of proof of identity needed for the CA to accept the principal's claim of identity, whereas the second answers the question: "Given the identity of the principal, will the CA issue a certificate?"
Example: Verisign CAs
Class 1 CA issued certificates to individuals
  Authenticated principal by email address
  Idea: certificate used for sending, receiving email with various security services at that address
Class 2 CA issued certificates to individuals
  Authenticated by verifying user-supplied real name and address through an online database
  Idea: certificate used for online purchasing
Example: Verisign CAs
Class 3 CA issued certificates to individuals
  Authentication by background check from investigative service
  Idea: higher level of assurance of identity than Class 1 and Class 2 CAs
Fourth CA issued certificates to web servers
  Same authentication policy as Class 3 CA
  Idea: consumers using these sites had high degree of assurance the web site was not spoofed
Types of Certificates
Identity certificate: it binds together a public key and some information that uniquely identifies the certificate's principal (the certificates we have discussed so far).
Attribute certificate: it binds an identity to an authorization, title or role by a digital signature. That signature is produced by a trusted third party, referred to as Attribute Authority. This type of certificate is being increasingly used.
Authorization certificate: it binds an authorization, role or title directly to a public key rather than to an identity. This type of certificate has been proposed to shorten the authorization process. It is not frequently used.
Identity on the Web
Host identity
State and Cookies
Anonymity
  Anonymous email
  Anonymity: good or bad?
Host Identity
Bound up with networking
If the host is not connected: pick any name
If the host is connected: one or more names depending on interfaces, network structure, context
Each host, conceptually, has a principal at each layer that communicates with a peer on other hosts
Databases contain mappings between different names.
Example
Layered network
  Media Access Control (MAC) layer
    Ethernet address: 00:05:02:6B:A8:21
    AppleTalk address: network 51, node 235
  Network layer
    IP address: 192.168.35.89
  Transport layer
    Host name: cherry.orchard.chekhov.ru
Host spoofing
Attacker spoofs identity of another host
Protocols above the identity being spoofed will fail
  They rely on spoofed, and hence faulty, information
Example: if an attacker can alter the entries in databases containing the mapping of a lower-level identity to a higher-level identity, the attacker can spoof one host by routing the traffic to another
Domain Name Servers
The best known mapping database is the Domain Name Service (DNS), which associates host names and IP addresses
In the absence of cryptographic authentication of hosts, the consistency of DNS is used to provide a weak authentication
Domain Name Servers
A DNS maps transport identifiers (host names) to network identifiers (host addresses)
  Forward records: host names -> IP addresses
  Reverse records: IP addresses -> host names
Weak authentication
  Not cryptographically based
  Various techniques used, such as reverse domain name lookup
Reverse Domain Name Lookup
Validate identity of host name
  Get IP address of host
  Get associated host name via DNS
  Get IP addresses associated with host name from DNS
  If first IP address in this set, accept name as correct; otherwise, reject as spoofed
If DNS corrupted, such an approach would not work
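The four-step check above, as an added example that is not from the slides: the forward and reverse tables are constructed stand-ins for the resolver (one reverse record is deliberately inconsistent with the forward data), and the host name and address are the ones from the layered-network slide; all other names and addresses are hypothetical.

```python
# Added example (not from the slides): the reverse-lookup consistency check
# run against constructed forward and reverse DNS tables standing in for
# the live resolver. Hypothetical names/addresses only.
from ipaddress import ip_address

# Constructed forward records (host name -> set of IP addresses)
FORWARD = {
    "cherry.orchard.chekhov.ru": {"192.168.35.89", "192.168.35.90"},
    "mail.example.test": {"198.51.100.7"},
}

# Constructed reverse records (IP address -> host name).  The last entry is a
# deliberately inconsistent PTR: the reverse record claims a name whose
# forward records do not contain that address, as a corrupted DNS would.
REVERSE = {
    "192.168.35.89": "cherry.orchard.chekhov.ru",
    "198.51.100.7": "mail.example.test",
    "203.0.113.42": "cherry.orchard.chekhov.ru",
}

def reverse_lookup_check(ip, forward=FORWARD, reverse=REVERSE):
    """Return (accepted, host_name) following the slide's four steps.

    1. start from the peer's IP address;
    2. ask DNS for the host name associated with it (reverse record);
    3. ask DNS for the IP addresses of that host name (forward records);
    4. accept the name only if the original IP is in that set.
    """
    ip = str(ip_address(ip))          # normalise, reject malformed input
    name = reverse.get(ip)
    if name is None:                  # no reverse record: nothing to validate
        return False, None
    addrs = forward.get(name, set())
    return ip in addrs, name

if __name__ == "__main__":
    for ip in ("192.168.35.89", "203.0.113.42", "198.51.100.99"):
        ok, name = reverse_lookup_check(ip)
        print(f"{ip:16} -> {name!s:28} {'accepted' if ok else 'rejected'}")
```

The check only detects an attacker who altered one of the two record types; if both the forward and the reverse record are controlled, the tables agree and the spoofed name is accepted, which is the slide's last point.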
DNS Security Issues
Trust is that name/IP address binding is correct
Goal of attacker: associate incorrectly an IP address with a host name
Assume attacker controls name server, or can intercept queries and send responses
Attacks to DNS
Change records on server
Add extra record to response, giving incorrect name/IP address association
  Called "cache poisoning"
Attacker sends victim request that must be resolved by asking attacker
  Attacker responds with answer plus two records for address spoofing (1 forward, 1 reverse)
  Called "ask me"
Cookies
A cookie is a token containing information about state of transaction on network
Usual use: refers to state of interaction between web browsers and clients
Idea is to minimize storage requirements of servers, and put information on clients
  Client sends cookies to server
Some Fields in Cookies
name, value: are encoded into the cookie and represent the state; the interpretation is that name has the associated value
expires: how long the cookie is valid
  Expired cookies discarded, not sent to server
  If omitted, cookie deleted at end of session
domain: domain for which cookie intended
  Consists of last n fields of domain name of server
  Must have at least one "." in it
path: it further restricts the dissemination of the cookie. When a Web server requests a cookie, it provides a domain (its own). Cookies that match that domain may be sent to the server.
secure: send only over secured (SSL, HTTPS) connection
Example
Caroline puts 2 books in shopping cart at books.com
  Cookie: name bought, value BK=234&BK=8753, domain .books.com
Caroline looks at other books, but decides to buy only those
She goes to the purchase page to order them
  Server requests cookie, gets above
  From cookie, the server determines books in shopping cart
Sending and Requesting Cookies?
A Web server can only request cookies for its domain
A Web server can however send to the browser cookies marked for the domain of another Web server
When the client accesses the second Web server, this server can request the cookies marked for its domain but sent by the first server
Caroline Example
Server books.com sends Caroline 2 cookies
  First described earlier
  Second has name "id", value "books.com", domain "adv.com"
Advertisements at books.com include some from site adv.com
When drawing a page, Caroline's browser requests content for ads from server "adv.com"
  Server requests cookies from Caroline's browser
  By looking at value, server can tell Caroline visited "books.com"
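The cookie fields from the "Some Fields in Cookies" slide and the two Caroline examples, as an added example that is not from the slides: a small cookie jar that decides which cookies a browser attaches to a request by applying the domain, path, secure and expires rules, then replays Caroline's visits to books.com and adv.com. It follows the slides' semantics, in which books.com may store a cookie marked for domain adv.com; browsers that implement RFC 6265 reject such a Set-Cookie, which is why this tracking channel no longer works as described. The cookie named "session" and the numeric expiry clock are constructed additions.

```python
# Added example (not from the slides): a minimal cookie jar applying the
# domain, path, secure and expires fields, replaying the Caroline scenario.
# Follows the slides' (pre-RFC 6265) semantics where a server may set a
# cookie for another server's domain.  All names and values are constructed.
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

@dataclass
class Cookie:
    name: str
    value: str
    domain: str             # e.g. ".books.com" (last n labels of a host name)
    path: str = "/"
    secure: bool = False
    expires: Optional[float] = None   # absolute time; None = session cookie

    def matches(self, url: str, now: float) -> bool:
        """Decide whether this cookie may be sent with a request to `url`."""
        parts = urlsplit(url)
        host = parts.hostname or ""
        if self.expires is not None and now >= self.expires:
            return False                         # expired: discarded, not sent
        if self.secure and parts.scheme != "https":
            return False                         # secure cookies need HTTPS
        dom = self.domain.lstrip(".")
        if "." not in dom:                       # slide: at least one "." in it
            return False
        if host != dom and not host.endswith("." + dom):
            return False                         # domain is a suffix match
        return (parts.path or "/").startswith(self.path)

def cookies_for(jar: List[Cookie], url: str, now: float) -> List[str]:
    """Names of the cookies in `jar` that a browser would attach to `url`."""
    return [c.name for c in jar if c.matches(url, now)]

# Caroline's jar after visiting books.com: all three were set by books.com,
# the second one marked for adv.com (the slide's cross-site tracking case).
CAROLINE_JAR = [
    Cookie("bought", "BK=234&BK=8753", ".books.com"),
    Cookie("id", "books.com", "adv.com"),
    Cookie("session", "abc123", ".books.com", secure=True, expires=100.0),
]

if __name__ == "__main__":
    for url in ("https://www.books.com/purchase", "http://adv.com/banner.gif"):
        print(url, "->", cookies_for(CAROLINE_JAR, url, now=50.0))
```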
Confidentiality of Cookies
Cookies can contain authentication information, both user-related and host-related
Depending on the sensitivity of the interactions with the server, protecting the confidentiality of these cookies may be critical
Anonymity on the Web
Recipients can determine origin of incoming packets
  Sometimes not desirable
Anonymizer: a site that hides origins of connections
  Usually a proxy server
  User connects to anonymizer, tells its destination
  Anonymizer makes connection, sends traffic in both directions
  Destination host sees only anonymizer
Example: anon.penet.fi
Offered anonymous email service
  Sender sends letter to it, naming another destination
  Anonymizer strips headers, forwards message
  Assigns an ID (say, 1234) to sender, records real sender and ID in database
  Letter delivered as if from anon1234@anon.penet.fi
Recipient replies to that address
  Anonymizer strips headers, forwards message as indicated by database entry
Problem
Anonymizer knows who sender and recipient really are
  Called pseudo-anonymous remailer or pseudonymous remailer
  Keeps mappings of anonymous identities and associated identities
If you can get the mappings, you can figure out who sent what
More anon.penet.fi
Material claimed to be copyrighted was sent through the remailer
Finnish court directed owner to reveal mapping so plaintiffs could determine sender
Although the owner appealed, he subsequently shut down the site
More sophisticated approaches have been developed, such as Cypherpunk remailer and Mixmaster remailer
Anonymity
Anonymity provides a mechanism to protect people from having to associate their identities with some data or actions
Is this desirable?
Some purposes for anonymity
  Removes personalities from debate
  With appropriate choice of pseudonym, shapes course of debate by implication
  Prevents retaliation
Are these benefits or drawbacks?
  Depends on society, and who is involved
Anonymity and Privacy
Anonymity protects privacy by obstructing amalgamation of individual records
It is important, because amalgamation poses 3 risks:
  Incorrect conclusions from misinterpreted data
  Harm from erroneous information
  Not being let alone
However, anonymity hinders monitoring to deter or prevent crime
Conclusion: anonymity can be used for good or ill
  Right to remain anonymous entails responsibility to use that right wisely