rainit2006 / CISSP


5 - Protecting Security of Assets #9

Open rainit2006 opened 4 years ago

rainit2006 commented 4 years ago


rainit2006 commented 4 years ago

X.500

LDAP(Lightweight Directory Access Protocol)

LDAP is the abbreviation of Lightweight Directory Access Protocol. It was developed as a simpler subset of the X.500 standard, so LDAP is sometimes also called X.500-lite, i.e. lightweight X.500. A client starts an LDAP session by connecting to an LDAP server. The default port is 389 (LDAP) or 636 (LDAPS). The client sends operation requests to the server, and the server returns responses. The client does not have to wait for the server's response before sending the next request; the server returns the responses in turn.

In LDAP everything is hierarchical. When we create an entry in the directory information tree, the entry's information is stored in attributes, attributes are grouped into object classes (objectClass), and object classes in turn make up the schema.

LDAP authentication is a user authentication method built from WSS 3.0 plus the lightweight directory protocol LDAP, transmitted encrypted over https, and mainly used for document management. LDAP user authentication means placing the user data on an LDAP server and authenticating users against the data on that LDAP server.

Principles of LDAP user authentication: 1) For every login/connection request, first pull the list of all permitted users, then check whether the user is in the registered user list. (Not recommended) 2) For every login/connection request, send the local username and password to the LDAP server, match them on the LDAP server, and then decide whether authentication passes. (Recommended)

An LDAP database is a kind of database optimized for read operations; when the read/write ratio is greater than 7:1, LDAP shows high performance.

DN, Distinguished Name. The DN is the equivalent of the key in a relational database table: it is an identifying attribute and is usually used for lookups. The two common DN forms: 1) based on cn (common name): cn=Fran Smith,ou=employees,dc=foobar,dc=com (the DN format is this long string); the most common CN entries are converted from /etc/group. 2) based on uid (User ID): uid=fsmith,ou=employees,dc=foobar,dc=com; the most common UID entries are converted from /etc/passwd and /etc/shadow.

Open LDAP

OpenLDAP is a free and open-source implementation of the Lightweight Directory Access Protocol (LDAP), developed by the OpenLDAP Project. By default, OpenLDAP stores the userPassword attribute in the clear.

Meta directory

Through the Meta-Directory synchronization process, a copy of the entries stored in an external database is provided in an LDAP format. Meta-Directory provides a "view" of the external data in what is known as a Connector View. The Connector View contains information from an external data source after it has been mapped into LDAP format. A meta directory is a mechanism (software) that lets the directories (mainly user accounts) managed separately by the various systems within an organization be handled centrally.

### LDAP port

- The default ports for SSL/TLS LDAP directory information and global catalog services are 636 and 3269, respectively.
- Unsecure LDAP uses 389, and unsecure global directory services use 3268.

## SASL

The Simple Authentication and Security Layer (SASL) for LDAP provides support for a range of authentication types, including secure methods. SASL is not a protocol; it is a framework that gives developers of applications and shared libraries a mechanism for authentication, data integrity checking, and encryption.

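
The bind-style check (option 2 above) compares the password the client sends over LDAPS against the stored userPassword, and the OpenLDAP note says that attribute is stored in the clear by default. The following is an added example, not code from this issue or from OpenLDAP: it builds and verifies the {SSHA} salted-hash form that OpenLDAP's slappasswd emits by default, and flags entries whose userPassword has no scheme prefix. The sample entries are constructed.

```python
import base64
import hashlib
import hmac
import os

SCHEME = "{SSHA}"


def ssha_hash(password, salt=None):
    """Build an RFC 2307 style userPassword value: {SSHA} base64(SHA-1(password || salt) || salt)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SCHEME + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password, stored):
    """Recompute the salted hash from the candidate password; the salt is the tail of the decoded blob."""
    if not stored.startswith(SCHEME):
        raise ValueError("not an {SSHA} value")
    blob = base64.b64decode(stored[len(SCHEME):])
    digest, salt = blob[:20], blob[20:]  # SHA-1 digests are 20 bytes, whatever salt length was used
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def cleartext_password_dns(entries):
    """Audit helper: DNs whose userPassword carries no {SCHEME} prefix, i.e. the secret is stored as-is."""
    return [dn for dn, pw in entries.items() if not (pw.startswith("{") and "}" in pw)]


# Constructed sample entries keyed by DN in the two forms discussed above; not a real directory.
SAMPLE_ENTRIES = {
    "uid=fsmith,ou=employees,dc=foobar,dc=com": ssha_hash("correct horse", salt=b"\x01\x02\x03\x04\x05\x06\x07\x08"),
    "cn=Fran Smith,ou=employees,dc=foobar,dc=com": "hunter2",  # stored in the clear, as OpenLDAP does by default
}

if __name__ == "__main__":
    print(SAMPLE_ENTRIES["uid=fsmith,ou=employees,dc=foobar,dc=com"])
    print("bind ok:", ssha_verify("correct horse", SAMPLE_ENTRIES["uid=fsmith,ou=employees,dc=foobar,dc=com"]))
    print("cleartext userPassword on:", cleartext_password_dns(SAMPLE_ENTRIES))
```

{SSHA} is SHA-1 based and unsalted-fast; it is shown because it is the traditional OpenLDAP default, and a deployment can configure a slower scheme via slapd's password-hash setting.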
rainit2006 commented 4 years ago

Cognitive password

A form of knowledge-based authentication that requires a user to answer a question, presumably something they intrinsically know, to verify their identity. What is your mother's maiden name? What was the name of your first pet? What was the name of the elementary school you attended? And so on.

Retinal vs Iris

Retinal scanning is considered to be invasive, iris recognition is not.

A retinal scan is a biometric technique that uses the unique patterns of the blood vessels on a person's retina. Note: retina scans can reveal additional information, including high blood pressure and pregnancy, causing privacy concerns.

Error type 1, type 2

Identifying a person who has logged in before as someone else and rejecting them (does not let the good guy through). Identifying a person who has never logged in as a logged-in user and letting them through (lets the bad guy through).

CER

CER is a standard used to assess biometric devices. If the CER for this device does not fit the needs of the organization, you should assess other biometric systems to find one with a lower CER.

Reference profile/template

The stored sample of a biometric factor is called a reference profile or a reference template

leakage of electric signal

TEMPEST

TEMPEST (Telecommunications Electronics Materials Protected from Emanating Spurious Transmissions) is a U.S. National Security Agency specification and a NATO certification referring to spying on information systems through leaking emanations, including unintentional radio or electrical signals, sounds, and vibrations.
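
To make the CER assessment above concrete, here is an added example that is not part of the issue: it sweeps a decision threshold over constructed genuine and impostor match scores, computes the Type I (false rejection) and Type II (false acceptance) rates at each threshold, and reports the crossover point. The scores and the 0..100 scale are assumptions.

```python
# Constructed match scores on a 0..100 similarity scale (higher = closer to the stored reference template).
GENUINE_SCORES = [91, 88, 84, 79, 76, 73, 70, 66, 52, 45]   # enrolled users against their own template
IMPOSTOR_SCORES = [64, 59, 55, 52, 48, 45, 41, 38, 35, 20]  # other people against that template


def error_rates(threshold, genuine, impostor):
    """Accept when score >= threshold.
    FRR (Type I): genuine users rejected.  FAR (Type II): impostors accepted."""
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    return frr, far


def crossover_error_rate(genuine, impostor):
    """Sweep the threshold; the CER is where FRR and FAR meet (smallest |FRR - FAR|).
    Returns (threshold, cer); ties keep the lowest threshold found."""
    best_gap, best_t, best_cer = None, None, None
    for t in range(0, 101):
        frr, far = error_rates(t, genuine, impostor)
        gap = abs(frr - far)
        if best_gap is None or gap < best_gap:
            best_gap, best_t, best_cer = gap, t, (frr + far) / 2
    return best_t, best_cer


def meets_requirement(genuine, impostor, max_cer):
    """The assessment step from the note: does this device's CER fit the organization's limit?"""
    return crossover_error_rate(genuine, impostor)[1] <= max_cer


if __name__ == "__main__":
    for t in (45, 56, 70):
        print("threshold", t, "FRR/FAR =", error_rates(t, GENUINE_SCORES, IMPOSTOR_SCORES))
    print("crossover (threshold, CER):", crossover_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES))
```

Raising the threshold trades false acceptances for false rejections; the CER is the single number that lets two devices be compared without picking a threshold first.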

rainit2006 commented 4 years ago

Security label

The mandatory access control (MAC) model uses labels (sometimes referred to as sensitivity labels or security labels) to determine access. Security administrators assign labels to both subjects (users) and objects (files or folders). When the labels match, the system can grant a subject access to an object. When the labels don’t match, the access model blocks access.

Security-enhanced Linux (SELinux) is one of the few operating systems using the mandatory access control model. SELinux was specifically created to demonstrate how mandatory access controls can be added to an operating system. In contrast, Windows operating systems use the discretionary access control model.

Software token

one-time password

Synchronous token vs Asynchronous token

A token device can create one-time passwords for user authentication. There are two basic types: synchronous and asynchronous. A synchronous token device is driven by time or events (also called "counter-based" or "event counting mode") to authenticate users. An asynchronous token device uses a challenge-based mechanism during its authentication process.

Smart card

Two general categories of smart cards are the contact and the contactless types.
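
As an added example (not the issue's code) of the token types in the comment above: HOTP is the counter/event-driven synchronous form, TOTP the time-driven one, and an HMAC over a server challenge stands in for the asynchronous form. The secret is the shared test-vector secret from RFC 4226; the server-side drift window is an assumed policy.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6):
    """RFC 4226 (synchronous, counter/event mode): HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at_time, step=30, digits=6):
    """RFC 6238 (synchronous, time mode): HOTP with the counter replaced by floor(unix_time / step)."""
    return hotp(secret, at_time // step, digits)


def verify_totp(secret, code, now=None, window=1, step=30):
    """Server side: accept the current step and +/- `window` neighbouring steps to tolerate clock drift
    (assumed policy; a wider window weakens the one-time property)."""
    now = int(time.time()) if now is None else now
    return any(hmac.compare_digest(totp(secret, now + d * step, step), code)
               for d in range(-window, window + 1))


def challenge_response(secret, challenge):
    """Asynchronous token: the server sends a fresh random challenge, the token answers with
    HMAC(secret, challenge). Nothing to keep in sync, but the server must never reuse a challenge."""
    return hmac.new(secret, challenge, hashlib.sha256).hexdigest()[:8]


RFC_TEST_SECRET = b"12345678901234567890"  # 20-byte shared secret from the RFC 4226 / RFC 6238 test vectors

if __name__ == "__main__":
    print(hotp(RFC_TEST_SECRET, 0), hotp(RFC_TEST_SECRET, 1))   # 755224 287082 (RFC 4226 table)
    print(totp(RFC_TEST_SECRET, 59, digits=8))                    # 94287082 (RFC 6238 table, SHA-1)
    print(challenge_response(RFC_TEST_SECRET, b"constructed-nonce"))
```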

rainit2006 commented 4 years ago

SPML, SAML, and XACML

Service Provisioning Markup Language (SPML) Security Assertion Markup Language (SAML) Extensible Access Control Markup Language (XACML)

SAML = Authentication and Authorization SPML = Provisioning XACML = Authorization only

### SPML

Used to give provisioning information between organizations in the federation. Uses the concepts of
- a Requesting Authority
- a Provisioning Service Point
- a Provisioning Service Target

to handle its core functionality.

### SAML

### XACML

Presents a standard for assessing authorization requests. XACML supports Attribute-Based Access Control (ABAC), and evaluation can be done with the additional data retrieved from a Policy Information Point (PIP), which is defined by the XACML reference architecture.
- Keywords: PIP, PDP, PEP, PAP
- Three top-level policy elements: Rule, Policy, PolicySet

## OpenID, OAuth 2.0

`OAuth 2.0 + Identity Layer = OpenID Connect`

OpenID Connect is one of the extension specifications of OAuth 2.0; it "standardizes the functions that are not standardized in OAuth 2.0 itself but are commonly needed when OAuth 2.0 is used for identity federation".

OAuth is used to log into third-party websites using existing credentials. OAuth provides the ability to access resources from another service and would meet the user's needs. OpenID would allow the user to use an account from another service with his application.

## Configuring Office365 SAML2 with WSO2 Identity Server for Multiple Domains

rainit2006 commented 4 years ago

SSO

Kerberos, Active Directory Federation Services (ADFS), and Central Authentication Services (CAS) are all SSO implementations. RADIUS is NOT a single sign-on implementation, although some vendors use it behind the scenes to provide authentication for proprietary SSO.

Kerberos

- Kerberos encrypts messages using secret keys, providing protection for authentication traffic.
- The KDC is both a single point of failure and can cause problems if compromised, because keys are stored on the KDC that would allow attackers to impersonate any user.
- Like many authentication methods, Kerberos can be susceptible to password guessing.
- The KDC uses the user's password to generate a hash and then uses that hash to encrypt a symmetric key. It transmits both the encrypted symmetric key and an encrypted time-stamped TGT to the client.

Kerberos term | Description
-- | --
KDC (Key Distribution Center) | The central database that manages the trust relationship information about servers and users.
AS (Authentication Server) | The authentication server; the server that accepts authentication requests from users.
TGS (Ticket Granting Server) | The ticket-issuing server; issues the tickets used to access each server.
Principal | A user or server that the KDC authenticates.
Realm | A logical network that defines the systems under the same KDC as one group; equivalent to a domain. Realm trust: to let principals in different realms communicate with each other, a cross-realm Kerberos trust must be configured. By default, cross-realm trust is one-way.

![image](https://user-images.githubusercontent.com/12871721/105031023-06c47800-5a98-11eb-9f81-733a6157fce5.png)

The client in Kerberos logins uses **AES** to encrypt the username and password prior to sending it to the KDC.

## TACACS vs RADIUS

By default, RADIUS uses UDP and only encrypts passwords. RADIUS supports TCP and TLS, but this is not a default setting.

Terminal Access Controller Access Control System (TACACS) is an authentication protocol commonly used within UNIX-based networks; it allows a remote access server to forward a user's logon password to an authentication server to determine whether access can be allowed to a given system. TACACS+ is an enhancement to the TACACS security protocol.

## Diameter

## SESAME

Secure European System for Applications in a Multivendor Environment (SESAME) is actually a technology built upon the Kerberos foundation. However, SESAME provides different capabilities and uses public key cryptography. SESAME differs from Kerberos in that it uses PACs (Privilege Attribute Certificates) for authentication instead of the Kerberos ticket exchange methodology.

rainit2006 commented 4 years ago

Entrapment and Enticement:

attack methods

rainit2006 commented 4 years ago

ISO 14443

ISO/IEC 14443 outlines the following items for smart card standardization:
- ISO/IEC 14443-1 — Physical characteristics
- ISO/IEC 14443-2 — Radio frequency power and signal interface
- ISO/IEC 14443-3 — Initialization and anti-collision
- ISO/IEC 14443-4 — Transmission protocol

rainit2006 commented 3 years ago

Access matrix, capability tables, access control list

### Constrained interface

Interface restrictions based on user privileges are an example of a constrained interface.

### Resource-based access

Resource-based access controls match permissions to resources like a storage volume. Resource-based access controls are becoming increasingly common in cloud-based infrastructure as a service environments.

![image](https://user-images.githubusercontent.com/12871721/105037610-94589580-5aa1-11eb-90ab-c42cf7d6349d.png)

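
An added example, not from the issue, of how the three structures named in the heading of this comment relate: a capability table is one row of the access matrix, an ACL is one column, and removing an object shows why the two storage choices differ in administration cost. The subjects, objects and permissions are constructed.

```python
# Constructed access matrix: rows are subjects, columns are objects, each cell a set of permissions.
ACCESS_MATRIX = {
    "alice": {"payroll.db": {"read", "write"}, "vol1": {"read"}},
    "bob":   {"payroll.db": {"read"}, "backup.tar": {"read", "write"}},
    "carol": {"vol1": {"read", "write"}},
}


def capability_table(matrix, subject):
    """Row view: everything one subject may do, stored with the subject (a capability list)."""
    return {obj: set(perms) for obj, perms in matrix.get(subject, {}).items()}


def access_control_list(matrix, obj):
    """Column view: which subjects may do what to one object, stored with the object (an ACL)."""
    return {subj: set(row[obj]) for subj, row in matrix.items() if obj in row}


def is_allowed(matrix, subject, obj, permission):
    """The access check itself reads a single cell, whichever view the system actually stores."""
    return permission in matrix.get(subject, {}).get(obj, set())


def remove_object(matrix, obj):
    """Deleting an object under capability storage means visiting every subject's row; under ACL
    storage it is one column. Returns a new matrix and leaves the input unchanged."""
    return {subj: {o: set(p) for o, p in row.items() if o != obj} for subj, row in matrix.items()}


if __name__ == "__main__":
    print("capabilities of alice:", capability_table(ACCESS_MATRIX, "alice"))
    print("ACL of payroll.db:", access_control_list(ACCESS_MATRIX, "payroll.db"))
    print("bob write payroll.db?", is_allowed(ACCESS_MATRIX, "bob", "payroll.db", "write"))
```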
rainit2006 commented 3 years ago

A callback to a landline phone number is an example of a “somewhere you are” factor because of the fixed physical location of a wired phone. A callback to a mobile phone would be a “something you have” factor.

rainit2006 commented 3 years ago

Trusted foundry

The Trusted Foundry Program, also called the trusted suppliers program, is a United States Department of Defense program designed to secure the manufacturing infrastructure for information technology vendors providing hardware to the military.

rainit2006 commented 3 years ago

Federated identity

Two modes: cross-certification mode and trusted third-party (or bridge) mode.

In the cross-certification federated identity model, each organization certifies that every other organization is trusted. This trust is established when the organizations review each other's standards. Each organization must verify and certify through due diligence that the other organizations meet or exceed standards. One disadvantage of cross certification is that the number of trust relationships that must be managed can become a problem. In addition, verifying the trustworthiness of other organizations can be time-consuming and resource intensive.

In the trusted third-party (or bridge) federated identity model, each organization subscribes to the standards of a third party. The third party manages verification, certification, and due diligence for all organizations. This is usually the best model if an organization needs to establish federated identity management relationships with a large number of organizations.