security purposes
play

Security Purposes draft-iab-identifier-comparison-00 Dave Thaler - PowerPoint PPT Presentation

Sep 07, 2022 •401 likes •510 views

Issues in Identifier Comparison for Security Purposes draft-iab-identifier-comparison-00 Dave Thaler dthaler@microsoft.com 1 Issues in Identifier Comparison for Security Purposes Identifiers are often compared for security purposes,

  1. Issues in Identifier Comparison for Security Purposes draft-iab-identifier-comparison-00 Dave Thaler dthaler@microsoft.com 1

  2. Issues in Identifier Comparison for Security Purposes • Identifiers are often compared for security purposes, e.g.: – Generation : • Create a “unique” value that is “different” from previously generated ids – Authentication : • Match a security principal id to get keying material • Match keying material – Authorization: • Match a resource name to get ACL • Match a security principal id in ACL 2

  3. Example of a Simple Security Exchange 3

  4. Types of Identifiers • Absolute: exact comparison – Ex: (binary) IPv4 address • Definite: single globally-agreed on comparison – Ex: URI scheme name is ASCII-only case-insensitive and contains no %-escapes • Indefinite: no single globally-agreed on algo. – Ex: human name 4

  5. It’s probably worse than you think… Many identifiers are at best Definite and often turn out to be Indefinite. Example: IPv4 literals or not? And do these match or not? – 192.168.1.2 – 192.168.258 – 0xC0.0xA8.0x1.0x2 – 030052000402 Answer for all of the above: Maybe. Even the term “standard dotted decimal” is ambiguous. 5

  6. Effect of False Positives/Negatives “Grant on match” “Deny on match” False positive “match” Elevation of Privilege Denial of Service False negative Denial of Service Elevation of Privilege • EoP almost always far worse than DoS – E.g. RFC 3986 for URIs "comparison methods are designed to minimize false negatives while strictly avoiding false positives". • Using URIs in a "deny on match" system can thus be problematic. 6

  7. Strawman Recommendations (1/2) • Any system using both grant-on-match AND deny-on-match should not use Indefinite identifiers (Absolute ids have least chance of bugs). • Any new identifiers should specify an Absolute or Definite comparison algorithm. • If extensibility is allowed then the comparison algorithm should remain invariant, so that unrecognized extensions can be compared. 7

  8. Strawman Recommendations (2/2) • Some issues (e.g. unrecognized extensions) can be mitigated by treating such ids as invalid (see RFC 3696). • Security protocols designed for use with other protocols should either: a) specify the comparison algorithm, and ONLY be used by protocols that use the same algorithm, or b) Support “matching algorithm” agility and use the one indicated by the using protocols. • When a collection of protocols are used together this may still mean all need to use the same algorithm. 8

  9. Discussion • i18n-discuss@iab.org 9

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

OVERVIEW OF RESIDENCY FOR TAX PURPOSES Is Residency for tax purposes a choice? NO We do not

OVERVIEW OF RESIDENCY FOR TAX PURPOSES Is Residency for tax purposes a choice? NO We do not

PAYROLL SERVICES Presents: OVERVIEW OF RESIDENCY FOR TAX PURPOSES Is Residency for tax purposes a choice? NO We do not get to choose residency for tax purposes 6/11/2009 2 Objectives Understand the rules and regulations pertaining

872 views • 71 slides
NOTE: The presentation is for informational purposes only and does not constitute legal advice.

NOTE: The presentation is for informational purposes only and does not constitute legal advice.

NOTE: The presentation is for informational purposes only and does not constitute legal advice. Main Federal Agencies Involved in Immigration Department of Homeland Security (DHS) U.S. Citizenship and Immigration Services (USCIS)

328 views • 30 slides
Type Qualifiers and Security This presentation will discuss two papers that use qualifiers for

Type Qualifiers and Security This presentation will discuss two papers that use qualifiers for

Type Qualifiers and Security This presentation will discuss two papers that use qualifiers for security purposes Qualifiers are used to extend the normal C type system to provide more rigorous (and clever) type checking, both statically

443 views • 41 slides
What is network security? Friends and enemies: Alice, Bob, Trudy What is network security?

What is network security? Friends and enemies: Alice, Bob, Trudy What is network security?

Network security Network security Foundations: what is security? cryptography Network Security Network Security authentication message integrity key distribution and certification Security in practice: Srinidhi Varadarajan

332 views • 6 slides
Disclaimer This presenta,on is for informa,on purposes only.

Disclaimer This presenta,on is for informa,on purposes only.

Bulk berths Container yard Extension area Main security gate Port access Container gate berths 1 Access road Disclaimer This presenta,on is for informa,on purposes only. Neither this presenta,on

582 views • 24 slides
Security Security as term, Possible Security violations Authentication Criteria for

Security Security as term, Possible Security violations Authentication Criteria for

BS1 WS19/20 topic-based slides Security Security as term, Possible Security violations Authentication Criteria for Trust in Computer Systems Three hearts of Windows Security DACLs A Look at Security System is secure if

988 views • 20 slides
CPSC410/611: Security Security Security Attacks Security Threats Crypto

CPSC410/611: Security Security Security Attacks Security Threats Crypto

CPSC 410 / 611 : Operating Systems CPSC410/611: Security Security Security Attacks Security Threats Crypto Authentication Examples SSL Security Threats Breach of confidentiality unauthorized access to

458 views • 18 slides
Biometrics and Security Biometrics and Security Biometrics and Security Biometrics and Security

Biometrics and Security Biometrics and Security Biometrics and Security Biometrics and Security

Biometrics and Security Biometrics and Security Biometrics and Security Biometrics and Security WS 06/07 Seminar Prof. Dr.-Ing. Jana Dittmann & Dr.-Ing. Claus Vielhauer with support from Tobias Scheidat

419 views • 16 slides
1 X.800 Security Services X.800 Security Services X.800 Security Services Data integrity

1 X.800 Security Services X.800 Security Services X.800 Security Services Data integrity

Course Overview Course Requirements EECS 498-7/8 Cryptography and Network Security: www.citi.umich.edu/u/honey/security Principles and Practice (Third Edition) Computer Security Monday & Friday, 9:00 10:30 William Stallings

670 views • 19 slides
A (re)introduction to Spring Security Agenda Before Spring Security: Acegi security

A (re)introduction to Spring Security Agenda Before Spring Security: Acegi security

A (re)introduction to Spring Security Agenda Before Spring Security: Acegi security Introducing Spring Security View layer security Whats coming in Spring Security 3 E-mail: craig@habuma.com Blog: http://www.springloaded.info

452 views • 19 slides
Network Security Network Security Srinidhi Varadarajan Network security Network security

Network Security Network Security Srinidhi Varadarajan Network security Network security

Network Security Network Security Srinidhi Varadarajan Network security Network security Foundations: what is security? cryptography authentication message integrity key distribution and certification Security in practice:

634 views • 36 slides
Portfolios can serve multiple purposes They can support learning, play an assessment

Portfolios can serve multiple purposes They can support learning, play an assessment

Portfolios can serve multiple purposes They can support learning, play an assessment role, or support employment. PORTFOLIOS Professional Professional Purposes Educational Purposes Purposes Educational Purposes

262 views • 24 slides
Security Overview Security Goals The Attack Space Security Mechanisms

Security Overview Security Goals The Attack Space Security Mechanisms

CSCE Intro to Computer Systems Security Security Overview Security Goals The Attack Space Security Mechanisms Introduction to Cryptography Authentication Authorization Confidentiality Case Studies Security

472 views • 20 slides
SECURITY TESTING Towards a safer web world AGENDA 1. 3 WS OF SECURITY TESTING 2. SECURITY

SECURITY TESTING Towards a safer web world AGENDA 1. 3 WS OF SECURITY TESTING 2. SECURITY

SECURITY TESTING Towards a safer web world AGENDA 1. 3 WS OF SECURITY TESTING 2. SECURITY TESTING CONCEPTS 3. SECURITY TESTING TYPES 4. TOP 10 SECURITY RISKS Few Security Breaches Date: 2013-14 September 2016, while in negotiations to

404 views • 18 slides
The Paycheck Protection Program under the Coronavirus Aid, Relief, and Economic Security Act

The Paycheck Protection Program under the Coronavirus Aid, Relief, and Economic Security Act

4/2/2020 The Paycheck Protection Program under the Coronavirus Aid, Relief, and Economic Security Act What Broker-Owners Need to Know 2 April 2020 For Informational Purposes Only and Broker-Owner Edu-tainment 1 Disclosures Atrox Partners,

145 views • 13 slides
Security Security with Distributed Systems Why Security? The need for security mechanisms in

Security Security with Distributed Systems Why Security? The need for security mechanisms in

Security Security with Distributed Systems Why Security? The need for security mechanisms in distributed systems arises from the desire to share resources Resources must be protected against unauthorized access, as enemies (attackers)

1.16k views • 67 slides
3 Swinburne University of Technology 1 Mass-luminosity relation from

3 Swinburne University of Technology 1 Mass-luminosity relation from

Mass-luminosity relation from observational data 3 Swinburne University of Technology 1 Mass-luminosity relation from observational data 3 Log L/L Log M/M 2 Hertzsprung- Russel diagram

271 views • 8 slides
Concepts Introduced in Chapter 8 register assignment instruction selection run-time

Concepts Introduced in Chapter 8 register assignment instruction selection run-time

Concepts Introduced in Chapter 8 register assignment instruction selection run-time stack management followed by Fig. 8.1 1 EECS 665 Compiler Construction Target Program The target program can be Absolute machine language

329 views • 8 slides
Ray Tracing Assignment Goal is to reproduce the following Whitted, 1980 1 Ray Tracing

Ray Tracing Assignment Goal is to reproduce the following Whitted, 1980 1 Ray Tracing

So You Want to Write a Ray Tracer Checkpoint 7 Tone Reproduction Ray Tracing Assignment Goal is to reproduce the following Whitted, 1980 1 Ray Tracing Assignment Seven checkpoints Setting the Scene Camera Modeling

454 views • 17 slides
. . How would you group . . . . . . . . . . The price of crude oil has

. . How would you group . . . . . . . . . . The price of crude oil has

12/11/17 What is Clustering? Clustering: k-means, Expectation-Maximization Given some instances of data: group them such that Ethics: Ethical Questions in AI Examples within a group are similar Examples in different groups are

238 views • 6 slides
Building Local Allies in the Push for Affordable Housing Login at:

Building Local Allies in the Push for Affordable Housing Login at:

May 2019 RESULTS U.S. Poverty National Webinar Building Local Allies in the Push for Affordable Housing Login at: https://results.zoom.us/j/873308801 or dial (929) 436-2866 or (669) 900- 6833, Meeting ID: 873 308 801. RESULTS is a movement of

746 views • 35 slides
Making Sound Design Decisions Using Quantitative Security Metrics Bill Sanders University of

Making Sound Design Decisions Using Quantitative Security Metrics Bill Sanders University of

Making Sound Design Decisions Using Quantitative Security Metrics Bill Sanders University of Illinois at Urbana-Champaign January 6, 2012 | 1 ADVISE Team University of Illinois Urbana-Champaign Mike Ford Ken Keefe Elizabeth LeMay Bill

464 views • 44 slides
CPSC 410/611: Week 1 - Introduction to OSs What is an Operating System? Architectural

CPSC 410/611: Week 1 - Introduction to OSs What is an Operating System? Architectural

CPSC-410 Operating Systems Introduction CPSC 410/611: Week 1 - Introduction to OSs What is an Operating System? Architectural Support for Operating Systems Basic Organization of an Operating System Reading: Silberschatz (7 th

524 views • 19 slides
Resources, Services, and Interfaces 2A. Operating Systems Services 2B. System Service Layers

Resources, Services, and Interfaces 2A. Operating Systems Services 2B. System Service Layers

3/31/2016 Resources, Services, and Interfaces 2A. Operating Systems Services 2B. System Service Layers and Mechanisms Operating Systems Principles 2C. Service Interfaces and Standards Resources, Services, and Interfaces 2D. Service and

685 views • 12 slides

More recommend