internet security certficate extensions and attributes
play

Internet Security Certficate Extensions and Attributes Supporting - PowerPoint PPT Presentation

Feb 25, 2024 •200 likes •560 views

Internet Security Certficate Extensions and Attributes Supporting Authentication in PPP and Wireless LAN Daniel Schwarz Nrnberg, Internet Security Dozent: Prof. Dr. Trommler 27.April 2004 Overview: 1. Introduction I. PKIX 2. Basics

  1. Internet Security Certficate Extensions and Attributes Supporting Authentication in PPP and Wireless LAN Daniel Schwarz Nürnberg, Internet Security Dozent: Prof. Dr. Trommler 27.April 2004

  2. Overview: 1. Introduction I. PKIX 2. Basics I. PPP II. EAP III. 802.1x IV. X.509 – certificate extensions 3. PKIX Internet Draft – certificate extensions and attributes supporting authentication in PPP and wireless LAN I. EAP extended key usage values II. WLAN SSID Public Key Certificate Extension III. WLAN SSID Attribute Certificate Attribute 4. EAP & 802.1x I. EAPOL II. EAP-TLS III. Alternatives 5. Conclusion Nürnberg, Internet Security 2 / 35 Dozent: Prof. Dr. Trommler 27.April 2004

  3. 1.1 PKIX • established in 1995 • intent of developing Internet standards needed to support an X.509-based PKI • the scope of PKIX work has expanded beyond this initial goal • PKIX not only profiles ITU (International Telecommunication Union) PKI standards, but also develops new standards apropos to the use of X.509- based PKIs in the Internet. Nürnberg, Internet Security 3 / 35 Dozent: Prof. Dr. Trommler 27.April 2004

  4. 27.April 2004 Nürnberg, 2. Basics 4 / 35 Dozent: Prof. Dr. Trommler Internet Security

  5. 2.1. PPP • standard-method for communication between two hosts • most commonly used for dial-up internet access • part of the Layer 2 Tunneling Protocol • integrated error correction • compression of the IP-header • LCP (link configuration protocol): responsible for the configuration, for the establishment and the clearing of a PPP-connection Nürnberg, Internet Security 5 / 35 Dozent: Prof. Dr. Trommler 27.April 2004

  6. 2.2. EAP • sits inside of PPP’s authentication protocol • provides a generalized framework for several different authentication methods • does not select a specific authentication mechanism at Link Control Phase (LCP) but rather postpones this until the Authentication phase -> this allows the authenticator to request more information before determining the specific authentication mechanism Nürnberg, Internet Security 6 / 35 Dozent: Prof. Dr. Trommler 27.April 2004

  7. 2.2. EAP three communication steps: a) after the Link Establishment phase is complete, the authenticator sends one or more Requests to authenticate the peer - examples of Request types: Identity, MD5-challenge, One-Time Passwords, Generic Token Card,… b) the peer sends a Response packet in reply to each Request c) the authenticator ends the authentication phase with a Success or Failure packet Nürnberg, Internet Security 7 / 35 Dozent: Prof. Dr. Trommler 27.April 2004

  8. 2.2. EAP a) Link Establishment LCP-packets peer authenticator b) Request phase 1..n Requests peer authenticator Nürnberg, Internet Security 8 / 35 Dozent: Prof. Dr. Trommler 27.April 2004

  9. 2.2. EAP c) Response phase 1..n Responses peer authenticator d) End of authentication success or failure packet peer authenticator Nürnberg, Internet Security 9 / 35 Dozent: Prof. Dr. Trommler 27.April 2004

  10. 2.2. EAP advantages: • multiple authentication mechanisms without having to pre-negotiate a particular one during LCP phase • certain devices do not necessarily have to understand each request type and may be able to simply act as a passthrough agent for some kind of “back-end” server on a host disadvantages: • PPP implementation needs to be modified • focus on authenticating a peer to an authenticator: -> the peer doesn’t request any authentication from the authenticator -> EAP-TLS Nürnberg, Internet Security 10 / 35 Dozent: Prof. Dr. Trommler 27.April 2004

  11. 2.3. 802.1x • enables authenticated access to IEEE 802 media (Ethernet, Token Ring, 802.11 WLAN, …) • RADIUS support is optional but it is expected that many IEEE 802.1x Authenticators will function as RADIUS clients • provides “network port authentication” for IEEE 802 media (including Ethernet, WLAN, …) -> port-based network access protocol • standard “for passing EAP messages over LAN or WLAN” • EAP messages are packed in Ethernet frames without using PPP • used in situations where other protocols than TCP/IP are needed or the overhead and complexity of using PPP is undesirable Nürnberg, Internet Security 11 / 35 Dozent: Prof. Dr. Trommler 27.April 2004

  12. 2.3. 802.1x • three important terms: 1.) supplicant: user or client that wants to be authenticated 2.) authentication server: actual server doing the authentication 3.) authenticator: device in between • authenticator can be simple and dumb -> ideal for WLAN access points (little memory and processing power) • the protocol in 802.1x is called EAP encapsulation over LANs (EAPOL) • it is defined for Ethernet-like LAN (802.11 WLAN, Token Ring, …) • different modes of operation (the most common one acts as follows) Nürnberg, Internet Security 12 / 35 Dozent: Prof. Dr. Trommler 27.April 2004

  13. 2.3. 802.1x a) EAP-Request/ Identity-packet authenticator authentication server supplicant b) EAP-Response/ EAP-Response/ Identity-packet Identity-packet authenticator authentication server supplicant Nürnberg, Internet Security 13 / 35 Dozent: Prof. Dr. Trommler 27.April 2004

  14. 2.3. 802.1x c) challenge challenge authenticator authentication server supplicant d) challenge challenge reply reply authenticator authentication server supplicant Nürnberg, Internet Security 14 / 35 Dozent: Prof. Dr. Trommler 27.April 2004

  15. 2.3. 802.1x e) success success authenticator authentication server supplicant f) access supplicant Nürnberg, Internet Security 15 / 35 Dozent: Prof. Dr. Trommler 27.April 2004

  16. 2.4. X.509 X.509 is an ITU standard for PKI (Public Key • Infrastructure) • X.509 specifies, amongst other things, standard formats for public key certificates • X.509 is part of the hierarchical X.500 standard and thus assumes a strict hierarchical system of certificate authorities (CAs) for issuing the certificates • X.509 usually refers to the X.509 v3 certificate specified in RFC2459 Nürnberg, Internet Security 16 / 35 Dozent: Prof. Dr. Trommler 27.April 2004

  17. 2.4. X.509 - certificate extensions • the extensions defined for X.509 v3 certificates provide methods for associating additional attributes with users or public keys • it is also allowed for communities to define private extensions to carry information unique to those communities • each extension in a certificate is specified as either critical (system must reject the certificate if it doesn’t recognize the extension) or non-critical (system may ignore the extension) Nürnberg, Internet Security 17 / 35 Dozent: Prof. Dr. Trommler 27.April 2004

  18. 2.4. X.509 - certificate extensions key usage extension: • defines the purpose of the key contained in the certificate • should be marked critical extended key usage extension: • this extension indicates one or more purposes for which the certified public key may be used • it is used in addition or in place of the basic purpose indicated in the key usage extension • may be marked critical or non-critical Nürnberg, Internet Security 18 / 35 Dozent: Prof. Dr. Trommler 27.April 2004

  19. 2.4. X.509 - certificate extensions predefined values in RFC 3280: id-kp-serverAuth OBJECT IDENTIFIER ::= { id-kp 1 } -- TLS WWW server authentication -- Key usage bits that may be consistent: digitalSignature, -- keyEncipherment or keyAgreement id-kp-clientAuth OBJECT IDENTIFIER ::= { id-kp 2 } -- TLS WWW client authentication -- Key usage bits that may be consistent: digitalSignature -- and/or keyAgreement id-kp-codeSigning OBJECT IDENTIFIER ::= { id-kp 3 } -- Signing of downloadable executable code -- Key usage bits that may be consistent: digitalSignature Nürnberg, Internet Security 19 / 35 Dozent: Prof. Dr. Trommler 27.April 2004

  20. 2.4. X.509 - certificate extensions predefined values in RFC 3280: id-kp-emailProtection OBJECT IDENTIFIER ::= { id-kp 4 } -- E-mail protection -- Key usage bits that may be consistent: digitalSignature, -- nonRepudiation, and/or (keyEncipherment or keyAgreement) id-kp-timeStamping OBJECT IDENTIFIER ::= { id-kp 8 } -- Binding the hash of an object to a time -- Key usage bits that may be consistent: digitalSignature -- and/or nonRepudiation id-kp-OCSPSigning OBJECT IDENTIFIER ::= { id-kp 9 } -- Signing OCSP responses -- Key usage bits that may be consistent: digitalSignature -- and/or nonRepudiation Nürnberg, Internet Security 20 / 35 Dozent: Prof. Dr. Trommler 27.April 2004

  21. 3. PKIX Internet Draft certificate extensions and attributes supporting authentication in PPP and wireless LAN Nürnberg, Internet Security 21 / 35 Dozent: Prof. Dr. Trommler 27.April 2004

  22. 3.1. EAP extended key usage values new values from the Internet Draft: 1) id-kp-eapOverPPP OBJECT IDENTIFIER ::= { id-kp 13 } indicates that the certified public key is appropriate for use with EAP in the PPP environment 2) id-kp-eapOverLAN OBJECT IDENTIFIER ::= { id-kp 14 } indicates that the certified public key is appropriate for use with EAP in the LAN environment -> inclusion of both values indicates that the certified public key is appropriate for use in either of the environments Nürnberg, Internet Security 22 / 35 Dozent: Prof. Dr. Trommler 27.April 2004

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

The Internet Security Alliance The Internet Security Alliance is a collaborative effort with

The Internet Security Alliance The Internet Security Alliance is a collaborative effort with

The Internet Security Alliance The Internet Security Alliance is a collaborative effort with Carnegie Mellon University. It is a cross-sector, internationally- based trade association devoted to cyber security. ISA has individual corporate

349 views • 30 slides
On the security of security extensions for IP-based KNX networks Aljosha Judmayer

On the security of security extensions for IP-based KNX networks Aljosha Judmayer

On the security of security extensions for IP-based KNX networks Aljosha Judmayer ajudmayer@sba-research.org ajudmayer@auto.tuwien.ac.at On the security of security extensions for IP-based KNX networks 1 SBA Research P1.1: Risk Management

1.06k views • 51 slides
Communication security over the Internet The big picture Me Internet Resource Internet

Communication security over the Internet The big picture Me Internet Resource Internet

Communication security over the Internet The big picture Me Internet Resource Internet Server Client Attack vectors MAN DNS LAN Client Internet Back Bone Router Networking WWW overview MITM (Man In The Middle) 3 2 4 5 LAN

244 views • 23 slides
Network Security Architecture 1 Additional Reading Firewalls and Internet Security:

Network Security Architecture 1 Additional Reading Firewalls and Internet Security:

Network Security Architecture 1 Additional Reading Firewalls and Internet Security: Repelling the Wily Hacker, Cheswick, Bellovin, and Rubin. New second edition Firewall and Internet Security, the Second Hundred (Internet)

801 views • 78 slides
Internet Security Summary ITS335: IT Security Sirindhorn International Institute of Technology

Internet Security Summary ITS335: IT Security Sirindhorn International Institute of Technology

ITS335 Internet Security Internet Security Secure Email Internet Security Summary ITS335: IT Security Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 20 December 2015 its335y15s2l10,

450 views • 25 slides
New gTLD Basics New Internet Extensions Agenda Overview of

New gTLD Basics New Internet Extensions Agenda Overview of

New gTLD Basics New Internet Extensions Agenda Overview of domain names The history of the program What is a registry Why ICANN is

531 views • 34 slides
Influence of BGP Community Attributes on Routing and Internet Traffic Final talk for the IDP by

Influence of BGP Community Attributes on Routing and Internet Traffic Final talk for the IDP by

Chair of Network Architectures and Services Department of Informatics Technical University of Munich Influence of BGP Community Attributes on Routing and Internet Traffic Final talk for the IDP by Fabian Raab B.Sc. advised by Oliver Gasser,

755 views • 48 slides
The Internet Security Alliance The Internet Security Alliance is a collaborative effort between

The Internet Security Alliance The Internet Security Alliance is a collaborative effort between

The Internet Security Alliance The Internet Security Alliance is a collaborative effort between Carnegie Mellon Universitys Software Engineering Institute (SEI) and its CERT Coordination Center (CERT/CC) and the Electronic Industries Alliance

294 views • 10 slides
Internet Security HTTPS SSH CSS441: Security and Cryptography Sirindhorn International

Internet Security HTTPS SSH CSS441: Security and Cryptography Sirindhorn International

CSS441 Internet Security Web Security TLS/SSL Internet Security HTTPS SSH CSS441: Security and Cryptography Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 20 December 2015

832 views • 32 slides
New gTLD Basics New Internet Extensions Agenda Overview about domain names, gTLD timeline and

New gTLD Basics New Internet Extensions Agenda Overview about domain names, gTLD timeline and

New gTLD Basics New Internet Extensions Agenda Overview about domain names, gTLD timeline and the New gTLD Program Why is ICANN doing this; potential impact of this initiative to businesses, governments, Internet communities and users

555 views • 30 slides
61A Lecture 16 Terminology: Python object system: Functions are objects. Wednesday, October 3

61A Lecture 16 Terminology: Python object system: Functions are objects. Wednesday, October 3

Terminology: Attributes, Functions, and Methods All objects have attributes, which are name-value pairs Classes are objects too, so they have attributes Instance attributes: attributes of instance objects Class attributes: attributes of class

522 views • 3 slides
The security of Mozilla Firefoxs Extensions Kristjan Krips Topics Introduction The

The security of Mozilla Firefoxs Extensions Kristjan Krips Topics Introduction The

The security of Mozilla Firefoxs Extensions Kristjan Krips Topics Introduction The extension model How could extensions be used for attacks - website defacement - phishing attacks - cross site scripting The attacks could result

517 views • 20 slides
Internet of Things Security A Survey by Avi Webberman Outline What is the Internet of Things

Internet of Things Security A Survey by Avi Webberman Outline What is the Internet of Things

Internet of Things Security A Survey by Avi Webberman Outline What is the Internet of Things (IoT)? Why is IoT Security so Important? Dyn DDOS Attack What are the security challenges of an IoT network? A Proposed Taxonomy

176 views • 14 slides
Outline Preliminaries: Internet protocols, PKI, X.509, Encoding Internet Security

Outline Preliminaries: Internet protocols, PKI, X.509, Encoding Internet Security

Outline Preliminaries: Internet protocols, PKI, X.509, Encoding Internet Security Protocols Application layer security (email) PGP, S/MIME Transport layer security Bart Preneel SSL / TLS June 2003 Network layer

571 views • 19 slides
ICANN & Internet Security (DNS) Security Albert Daniels Albert.daniels@icann.og Internet

ICANN & Internet Security (DNS) Security Albert Daniels Albert.daniels@icann.og Internet

ICANN & Internet Security (DNS) Security Albert Daniels Albert.daniels@icann.og Internet Week Guyana 11 th October 2017 | 1 What Does ICANN Mean for the End User? POLIC Y The Domain Name System Policy Development is an L-Root is one

636 views • 32 slides
LDAP LDAPv3, Internet Standard RFC4510 RFC 4510-4521 and about 40 others for extensions Many

LDAP LDAPv3, Internet Standard RFC4510 RFC 4510-4521 and about 40 others for extensions Many

What is LDAP Lightweight Directory Access Protocol Phonebook Based on X.500 DAP on OSI stack Developed in '93 @ UMich LDAP LDAPv3, Internet Standard RFC4510 RFC 4510-4521 and about 40 others for extensions Many implementations OpenLDAP

544 views • 6 slides
4. Web Security - Measuring and Analyzing Search Engine Poisoning of Linguistic Collisions,

4. Web Security - Measuring and Analyzing Search Engine Poisoning of Linguistic Collisions,

All papers can be found by Google Scholar. For those papers accepted by S&P 2019, you can download them from this website: https://www.ieee- security.org/TC/SP2019/program-papers.html The below papers are published in the top security

290 views • 5 slides
ENABLING SSH PROTOCOL VISIBILITY IN FLOW MONITORING Wednesday 10 th April, 2019 Pavel ELEDA

ENABLING SSH PROTOCOL VISIBILITY IN FLOW MONITORING Wednesday 10 th April, 2019 Pavel ELEDA

ENABLING SSH PROTOCOL VISIBILITY IN FLOW MONITORING Wednesday 10 th April, 2019 Pavel ELEDA Petr VELAN, Benjamin KRL Ondej KOZK Introduction SSH Secure Shell provides secure connection over an unsecured network remote command-line

543 views • 18 slides
How Guestnet is Magic Tim Clark (eclipse) February 24, 2011 Tim Clark (eclipse) How Guestnet is

How Guestnet is Magic Tim Clark (eclipse) February 24, 2011 Tim Clark (eclipse) How Guestnet is

Introduction Wireless Wired Finally How Guestnet is Magic Tim Clark (eclipse) February 24, 2011 Tim Clark (eclipse) How Guestnet is Magic Introduction Wireless Wired Finally What is Guestnet Lets you connect to the SUCS network SUCS

346 views • 16 slides
How to Pay for College Tuesday, October 3 rd SVHS Auditorium Agenda Cost of Attendance

How to Pay for College Tuesday, October 3 rd SVHS Auditorium Agenda Cost of Attendance

Financial Aid Night: How to Pay for College Tuesday, October 3 rd SVHS Auditorium Agenda Cost of Attendance Financial Aid 101 FAFSA Other Financial Aid Forms Scholarships Loans Award Letters Wrap-Up THE PRIMARY

676 views • 55 slides
Monitoring unternehmenskritischer Anwendungen unter Verwendung modellbasierter Performance

Monitoring unternehmenskritischer Anwendungen unter Verwendung modellbasierter Performance

Monitoring unternehmenskritischer Anwendungen unter Verwendung modellbasierter Performance Constraints BachelorKolloquium Andreas Textor atext001@student.informatik.fh-wiesbaden.de Fachbereich Design Informatik Medien Fachhochschule

353 views • 31 slides
IPFQR Program: Keys to Successful FY 2017 Reporting Presentation Transcript Moderator/Speaker:

IPFQR Program: Keys to Successful FY 2017 Reporting Presentation Transcript Moderator/Speaker:

Inpatient Psychiatric Facility (IPF) Quality Reporting Program Support Contractor IPFQR Program: Keys to Successful FY 2017 Reporting Presentation Transcript Moderator/Speaker: Evette Robinson, MPH Project Lead, Inpatient Psychiatric Facility

456 views • 24 slides
progress in a low-growth world 2015 MEDIUM TERM BUDGET POLICY STATEMENT Sustaining progress

progress in a low-growth world 2015 MEDIUM TERM BUDGET POLICY STATEMENT Sustaining progress

Sustaining progress in a low-growth world 2015 MEDIUM TERM BUDGET POLICY STATEMENT Sustaining progress in a low-growth world The world economy is experiencing a sustained period of low growth. All countries particularly developing

533 views • 19 slides
EBS IT Meeting 19 14 September 2016 Conference Call Details Conference call : UK Numbers

EBS IT Meeting 19 14 September 2016 Conference Call Details Conference call : UK Numbers

EBS IT Meeting 19 14 September 2016 Conference Call Details Conference call : UK Numbers Tel: 0808 238 9819 or Tel: 0207 950 1251 Participant code: 4834 7876

601 views • 34 slides

More recommend