Wednesday, 11 January 2012

Security Features of X.500

The X.500 Directory service is a standard way to build an electronic directory of the people in an organization, making it possible for that directory to become part of a global directory available to anyone in the world with Internet access. The main idea is to be able to look up people in a user-friendly way by name, department or organization. Information in an X.500 directory may be distributed or replicated among different directory servers.





Security Features of X.500


X.500 offers different levels of authentication in order to handle different security requirements.

Public Key Infrastructure for authentication:
1) It treats every computer and user as an object. Each has a server, a backup and a system administrator, and the database schema for each of them must be consistent. If the schema needs to be modified to accommodate a data item from one company that is not already present in it, this cannot be done.


2) It standardizes the storage of files describing user attributes and permissions.


3) It centers on the individuals that wish to access the directory rather than on a static list such as passwords.

Strong authentication
Establishes trust between X.500 directory components, verifies the identity of directory users for access control, and protects against denial-of-service attacks.









Tuesday, 10 January 2012

LDAP Security Feature

Lightweight Directory Access Protocol (LDAP) is a set of protocols for accessing information directories. LDAP is based on the standards contained within the X.500 standard, but is significantly simpler. Unlike X.500, LDAP supports TCP/IP, which is necessary for any type of Internet access.





Features of LDAP security include the following:
- Using basic (simple) authentication or Microsoft Windows NT LAN Manager (NTLM) to limit access to authorized users
- It also supports the Negotiate method
- Secure Sockets Layer (SSL) protocol, which ensures data is not sniffed by outsiders or attackers with physical access to the network
- RootDSE – LDAP version 3: the server maintains a supportedLDAPVersion attribute in the root DSE that identifies the LDAP versions the implementation supports
- RootDSE – Extension: the server maintains a supportedExtension attribute in the root DSE that lists the extended operations it enables
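The two root DSE attributes above are what a client reads before deciding how to bind. The following added example (not from the original post) parses a constructed LDIF root DSE entry and reports whether the server advertises LDAPv3, the StartTLS extended operation (OID 1.3.6.1.4.1.1466.20037, RFC 4511) and any SASL mechanisms; the attribute names are the standard ones, the values are made up.

```python
# Added example: parse a root DSE entry (LDIF text) and report whether the server
# advertises LDAPv3 and the StartTLS extended operation. The LDIF below is
# constructed; real output comes from a base-scope search of the empty DN.
STARTTLS_OID = "1.3.6.1.4.1.1466.20037"   # StartTLS extended operation, RFC 4511

SAMPLE_ROOTDSE = """\
dn:
supportedLDAPVersion: 2
supportedLDAPVersion: 3
supportedExtension: 1.3.6.1.4.1.1466.20037
supportedExtension: 1.3.6.1.4.1.4203.1.11.1
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: DIGEST-MD5
"""

def parse_ldif_entry(text: str) -> dict:
    """Return {attribute: [values]} for one LDIF entry; joins folded lines
    (LDIF continuation lines start with a single space)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw.strip():
            lines.append(raw)
    attrs = {}
    for line in lines:
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip(), []).append(value.strip())
    return attrs

def assess_rootdse(attrs: dict) -> dict:
    """Turn the advertised capabilities into a short list of findings."""
    versions = {int(v) for v in attrs.get("supportedLDAPVersion", [])}
    exts = set(attrs.get("supportedExtension", []))
    sasl = set(attrs.get("supportedSASLMechanisms", []))
    findings = []
    if 3 not in versions:
        findings.append("server does not advertise LDAPv3")
    if 2 in versions:
        findings.append("LDAPv2 still enabled: no SASL binds or extended operations")
    if STARTTLS_OID not in exts:
        findings.append("no StartTLS extension: use ldaps:// or simple binds cross the network in clear")
    if not sasl:
        findings.append("no SASL mechanisms: only simple bind is available")
    return {"ldapv3": 3 in versions, "starttls": STARTTLS_OID in exts,
            "sasl": sorted(sasl), "findings": findings}

if __name__ == "__main__":
    for finding in assess_rootdse(parse_ldif_entry(SAMPLE_ROOTDSE))["findings"]:
        print("finding:", finding)
```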





Microsoft’s Active Directory Security Feature

What is Microsoft's Active Directory?

Active Directory (AD) is a directory service created by Microsoft for Windows domain networks. It is included in most Windows Server operating systems. It serves as a central location for network administration and security. It is responsible for authenticating and authorizing all users and computers within a Windows domain network, assigning and enforcing security policies for all computers in the network, and installing or updating software on network computers.



The security features of Microsoft’s Active Directory include:
- Delegation of administration
  - User creation; management of users, groups, computer accounts and other objects
- Directory object security
  - Per-property access control
  - Per-property auditing
- Organizational Units (OUs) to organize the directory namespace
  - Users, groups and computers in separate containers





http://www.usenix.org/events/lisa-nt99/invited_talks/lieberman_html/sld069.htm


http://msdn.microsoft.com/en-us/library/windows/desktop/aa746492(v=vs.85).aspx

Wednesday, 4 January 2012

E-Tutorial 1 (GPRS Security Feature, Threats and Solution)

General Packet Radio Service (GPRS) ARCHITECTURE


GPRS Security Feature

A description of the security features offered by GPRS, the threats to it, and solutions to those threats follows:

Integrity: Integrity is a security service that assures that data cannot be altered in an unauthorized or malicious manner.

Confidentiality: Confidentiality is the protection of data from disclosure to unauthorized third parties.

Authentication: Authentication provides assurance that a party in data communication is who or what they claim to be.

Authorization: Authorization is a security service that ensures that a party may only perform the actions that they’re allowed to perform.

Availability: Availability means that data services are usable by the appropriate parties in the manner intended.


Threats

Denial of service (DoS) is a common threat in GPRS. There are many types of DoS. One of them is a Domain Name Server (DNS) flood, in which the DNS servers on the network are flooded with DNS queries, thereby denying users the ability to locate the GGSN to use as an external gateway. There is also DNS cache poisoning, whereby the attacker forges DNS queries and responses so that the user’s APN resolves to the wrong GGSN or to none at all. Besides DoS, bandwidth saturation is also a threat: attackers may be able to flood the link from the PDN to the mobile operator with network traffic, preventing legitimate traffic from passing.

Solution

Stateful packet inspection: use a security policy that only allows the MS to initiate connections to the public network, and implement stateful packet filtering so that the MS never sees traffic initiated from the public network. Ingress and egress packet filtering helps prevent spoofed MS-to-MS data by blocking incoming traffic whose source addresses are the same as those assigned to an MS for public network access.
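As an added illustration of the policy just described (not part of the original tutorial), the toy filter below sits at the GGSN/PDN boundary: the MS may open flows, the PDN may only answer them, and packets from the PDN carrying an MS-pool source address are treated as spoofed. The address pool and the sample packets are constructed; a real filter would also expire flows and handle fragments.

```python
import ipaddress
from dataclasses import dataclass

# Added example: a toy stateful filter at the GGSN/PDN boundary implementing the
# policy above. The address pool and packets are constructed, not from any operator.
MS_POOL = ipaddress.ip_network("10.20.0.0/16")  # constructed: addresses the GGSN assigns to MSs

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str
    from_pdn: bool   # True if the packet arrives from the public data network

class GiFilter:
    """Only an MS may open a connection; PDN-originated traffic is accepted only as a
    reply to a flow the MS opened; MS-pool source addresses arriving from the PDN are
    spoofed and dropped (ingress filtering); an MS cannot send from an address outside
    the pool (egress filtering)."""

    def __init__(self):
        self.flows = set()   # (ms_ip, pdn_ip, ms_port, pdn_port, proto)

    def decide(self, p: Packet) -> str:
        src_in_pool = ipaddress.ip_address(p.src) in MS_POOL
        if p.from_pdn:
            if src_in_pool:
                return "DROP ingress: MS-pool source address from the PDN (spoofed)"
            if (p.dst, p.src, p.dport, p.sport, p.proto) in self.flows:
                return "ACCEPT reply to MS-initiated flow"
            return "DROP PDN-initiated connection"
        if not src_in_pool:
            return "DROP egress: source is not an assigned MS address"
        self.flows.add((p.src, p.dst, p.sport, p.dport, p.proto))
        return "ACCEPT MS-initiated flow"

if __name__ == "__main__":
    f = GiFilter()
    for pkt in [Packet("10.20.1.5", "198.51.100.7", 40000, 443, "tcp", False),
                Packet("198.51.100.7", "10.20.1.5", 443, 40000, "tcp", True),
                Packet("203.0.113.9", "10.20.1.5", 1234, 22, "tcp", True),
                Packet("10.20.9.9", "10.20.1.5", 5555, 5555, "udp", True)]:
        print(pkt.src, "->", pkt.dst, ":", f.decide(pkt))
```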


THE GPRS TRACKING (EXTRA INFO)


http://critis06.lcc.uma.es/files/Vulnerabilities%20and%20Possible%20Attacks%20against%20the%20GPRS%20Backbone%20Network.pdf

E-Tutorial 1 (GSM Security Feature, Threats and Solution)

SECURITY FEATURES:


  • Authentication of the mobile user to the network: Ki (Individual Subscriber Authentication Key) is a random 128-bit number used to authenticate the mobile subscriber to the network. It is strictly protected and is stored in the SIM and the AuC.


  • Anonymity of the subscriber identity: the IMSI is replaced with a 32-bit Temporary Mobile Subscriber Identity (TMSI), which prevents an eavesdropper from tracking a particular subscriber.

  • Using the SIM as a security module: it is a cryptographic smart card that contains several security attributes. The IMSI (International Mobile Subscriber Identity) and Ki (Individual Subscriber Authentication Key) are stored on every SIM. The IMSI is a 15-digit identifier uniquely assigned to every mobile subscriber; Ki is a random 128-bit number used to authenticate the mobile subscriber to the network. A PIN (Personal Identification Number) and PUK (PIN Unlock Key) are optional protections for the SIM.
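The challenge-response these three features describe, as an added example that is not part of the original tutorial: Ki exists only in the SIM and the AuC, the network sends RAND, the SIM answers with SRES, and on success the network hands out a TMSI in place of the IMSI. The A3/A8 stand-in is an HMAC-SHA256 placeholder, not COMP128, and the IMSI and keys are constructed.

```python
import hashlib
import hmac
import os

# Added example: GSM challenge-response with Ki confined to the SIM and the AuC.
# a3_a8 is an HMAC-SHA256 stand-in, NOT the real COMP128 A3/A8; all IDs/keys are constructed.

def a3_a8(ki: bytes, rand: bytes) -> tuple:
    """Stand-in for A3/A8: SRES (32 bits) and Kc (64 bits) derived from Ki and RAND."""
    d = hmac.new(ki, rand, hashlib.sha256).digest()
    return d[:4], d[4:12]

class AuC:
    """Authentication Centre: holds each subscriber's Ki and issues (RAND, SRES, Kc) triplets."""
    def __init__(self):
        self._ki = {}                       # IMSI -> Ki, never leaves the AuC
    def provision(self, imsi: str, ki: bytes):
        self._ki[imsi] = ki
    def triplet(self, imsi: str) -> tuple:
        rand = os.urandom(16)               # fresh 128-bit challenge
        sres, kc = a3_a8(self._ki[imsi], rand)
        return rand, sres, kc

class SIM:
    """Subscriber module: answers RAND with SRES and keeps Ki inside the card."""
    def __init__(self, imsi: str, ki: bytes):
        self.imsi, self._ki = imsi, ki
    def run_gsm_algorithm(self, rand: bytes) -> tuple:
        return a3_a8(self._ki, rand)

class Network:
    """Serving network: authenticates via the AuC triplet and allocates a TMSI."""
    def __init__(self, auc: AuC):
        self.auc, self._tmsi = auc, {}
    def attach(self, sim: SIM):
        """Return a TMSI on success, None if SRES does not match."""
        rand, expected_sres, kc_net = self.auc.triplet(sim.imsi)   # network -> MS: RAND
        sres, kc_ms = sim.run_gsm_algorithm(rand)                  # MS -> network: SRES only
        if not hmac.compare_digest(sres, expected_sres):           # Ki itself is never sent
            return None
        tmsi = os.urandom(4).hex()                                 # 32-bit temporary identity
        self._tmsi[tmsi] = sim.imsi                                # kc_net/kc_ms now key A5 ciphering
        return tmsi

if __name__ == "__main__":
    auc = AuC(); ki = bytes(range(16)); auc.provision("001010123456789", ki)
    print("attached with TMSI:", Network(auc).attach(SIM("001010123456789", ki)))
```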



THREATS :



  • Anyone with a receiver is able to passively monitor the airwaves: sending challenges over the air to the SIM and analysing the responses, although it may take several hours to do so.

  • SIM card cloning: weaknesses in the COMP128 algorithm allow Ki to be extracted in 8 hours by sending many challenges to the SIM. Besides that, a partitioning attack makes the attacker capable of extracting Ki if they can access the subscriber’s SIM for just a minute.


  • Vulnerability to replay attacks: the attacker can misuse previously exchanged messages between the subscriber and the network in order to perform the attack.


  • Absence of integrity protection: there is no provision for integrity protection of information, so the recipient cannot verify whether a message has been tampered with.



SOLUTION:



  • Using secure algorithms for A3/A8 implementations: this can counter SIM card cloning, but new SIM cards must be distributed and the software of the HLR must be modified.


  • Using secure ciphering algorithms: operators can use newer and more secure algorithms such as A5/3, but upgrading this alone will not be enough, as an attacker can impersonate the real network and force the MS to deactivate ciphering mode.


  • Securing the backbone traffic: encrypting the traffic between the network components can prevent an attacker from eavesdropping on or modifying the transmitted data.