1

A roadmap for ensuring SAML authentication using Identity server for on-premises and cloud

Kodam, Triveni January 2019 (has links)
Cloud-based applications, especially SaaS applications, have become essential for startups and businesses of various sizes. Adopting these web applications helps to reduce operational costs and further provides flexibility in accessing the individual data of the users. On the other hand, the usage of these cloud services poses security-related issues such as authentication, authorization and web application security. Additionally, if an on-premises application is moved to the cloud, the traditional identity solutions will not work, which affects user authentication. This thesis considers ‘Authentication’ as one of the main security issues to be addressed. Thus, a new federated Identity and Access Management (IAM) system needs to be realized, which can be used for both on-premises and cloud to authenticate users correctly and securely. To meet the described challenges within the cybersecurity domain, this thesis focuses on two aspects of IT security: 1) SaaS applications rely on IAM; 2) IAM for securely authenticating users. This thesis work addresses both these aspects in two parts. First, by developing a SaaS web application that includes an authentication module with support for the SAML 2.0 standard protocol. Second, by using the open source WSO2 IAM server for authenticating the users securely. To implement the SaaS application, the Play framework PAC4j security library is used to support the SAML SSO profile for authenticating users. The profile provides functionality for two scenarios: SAML Service Provider and SAML Identity Provider. The developed SaaS application acts as a service provider while the WSO2 identity server acts as an Identity Provider. The SAML request-response authentication workflow between these providers is verified to prove the correctness and security of user login information.
The research presented in this thesis is helpful for startup companies that are initially looking to minimize the cost of an application that works both on-premises and in the cloud without compromising the security of users’ login information.
2

XML security and its application in a university information environment

Brechlerová, Dagmar January 2008 (has links)
XML security is a complex of security solutions that combine features of XML and the Internet to address security, especially in large computer networks. XML security is developing very dynamically; at present some parts (signature, encryption) are already in the final stage of development, while others are still undergoing very rapid development that is very difficult to follow. The main goal of the thesis was to critically map the field of XML security, describe its advantages, disadvantages and risks compared with other security solutions, and propose some possible uses in a university information system.
3

Authentication, management and provisioning of users : A proof of concept with PhenixID

Hellberg, Axel January 2021 (has links)
The goal of this project has been to configure and present a solution that covers a customer’s needs for user authentication, identity and access management and identity provisioning. The solution consists of products from PhenixID and the configuration is carried out on behalf of a company acting as a consultant. At the same time, the project is intended to generate new knowledge within the company about the possibilities and functions of the products used. The resulting solution enables the provisioning of users from a simple CSV file to a central user directory, and from this directory to Google. Identity Provisioning software is used for this purpose. The solution includes a recommendation for the same process to Azure through a first-party solution from Microsoft. The solution includes a configuration of the PhenixID Authentication Services system that can be used by the provisioned users to log in to Google and Microsoft services, so-called single sign-on, SSO. This authentication is SAML-based and adopts multi-factor authentication through a mobile application. A web-based and role-based identity and access management system, Identity Manager, is configured to manage users in the central user directory. Through this system, roles with associated rights are used with the purpose of delegating user management to the necessary instances of the customer’s organization. The overall configuration represents a proof of concept of the products for the customer's use cases and is therefore relatively fundamental in nature.
/ The goal of this work has been to configure and present a solution that covers a customer's need for systems for authentication, management and provisioning of users. The solution applies products from PhenixID, and the configuration work is carried out on behalf of a business that here acts as a consultant to the customer. At the same time, the work aims to give rise to new knowledge within the business about the possibilities and functions of the tools applied. The resulting solution enables the provisioning of users from a simple CSV file to a central user directory, and via this directory to Google. The Identity Provisioning software is used for this. The solution includes a recommendation for the same process to Azure through a first-party solution from Microsoft. The solution includes configuration of the PhenixID Authentication Services authentication system, which can be used by the provisioned users to log in to services from Google and Microsoft, so-called single sign-on, SSO. This authentication is SAML-based and applies multi-factor authentication through a mobile application. A web-based system for role-based user management, Identity Manager, is configured to manage users in the central user directory. Through this system, roles with associated rights are applied, the purpose of which is to delegate user management to the necessary parts of an organization. The overall configuration constitutes a proof of concept of the products for the customer's use cases and is therefore relatively basic in nature.
4

Comparison of Methods of Single Sign-On : Post authentication methods in single sign on

Topal, Baran January 2016 (has links)
Single sign-on (SSO) is a session verification mechanism that allows a client to use a single password and name combination to be able to access multiple applications. The mechanism validates the client for all the applications and eliminates the need for authentication prompts when a user switches between applications within a session. SSO mechanisms can be classified as software versus hardware or customer-requirements oriented versus server-side arrangements. The five commonly used mechanisms of Single Sign-On currently are: Web Single Sign-On, Enterprise Single Sign-On, Kerberos (or Ticket/Token Authentication), Open ID, and Federation or Federated Identity. SSO has the main benefit of allowing a user to access many different systems without having to log on to each and every one of them separately. However, SSO introduces a security risk as once an attacker gains access to a single system, then the attacker has access to all of the systems. This thesis describes SSO technology, the Security Assertion Markup Language, and the advantages and risks involved in using SSO. It examines authentication mechanisms and their suitability for SSO integration. The main emphasis is a description of a mechanism that ameliorates some of the disadvantages of SSO by monitoring the user behavior with respect to a template. If a user performs actions that fit the defined template behavior, then the post authentication mechanism will not get activated. If, on the other hand, a user does something unforeseen, the mechanism will not perform authentication for this user, but rather trigger manual authentication. If this manual authentication succeeds, then the user will continue to interact with the system; otherwise the user session will be ended.
This behavior extension authentication mechanism is a method that eases the authentication process, in which users are not expected to remember any username and password that can be forgotten easily or to have a biometric attribute that can change over time. This method can be integrated into existing web applications without a major risk or increase in cost.
/ Single sign-on (SSO) is a session control mechanism that makes it possible for a client to use a single pair of password and name to gain access to several different applications. The mechanism validates the client for all calls and eliminates the need for further login dialogs when a user switches between applications within a session. SSO mechanisms can be classified according to different criteria, such as software versus hardware or customer-requirement oriented versus server-side arrangements. The five commonly used mechanisms for Single Sign-On at present are: Web Single Sign-On, Enterprise Single Sign-On, Kerberos (or Token authentication), Open ID and Federation or Federated Identity. SSO has the great advantage that a user can gain access to many different systems without having to log in to each of them separately. But SSO also introduces a security risk in that access to a single one of the systems also automatically means access to all of them. This thesis describes SSO technology, the Security Assertion Markup Language, and the advantages and risks of using SSO, and examines authentication mechanisms and their suitability for SSO integration. The emphasis is a description of a mechanism that reduces some of the disadvantages of SSO by monitoring user behaviour with respect to a template. If a user performs actions that fit the behaviour described by the template, then the proposed mechanism will handle the authentication automatically.
If, on the other hand, a user does something unforeseen, the mechanism will not automatically perform authentication for this user, but instead triggers manual authentication. If this manual authentication succeeds, the user can continue to interact with the system; otherwise the user session will be ended. This behaviour-based extension of the authentication mechanism is a promising method that reduces the need to remember many names and passwords, without leaving subsystems open to the security problems that arise in pure SSO, and without depending on biometric characteristics that can change over time. This method can be integrated with existing web-based solutions without increased risk and increased costs.
5

Hardware Security Module Performance Optimization by Using a "Key Pool" : Generating keys when the load is low and saving in the external storage to use when the load is high

Seyed Saboonchi, Nima January 2014 (has links)
This thesis project examines the performance limitations of Hardware Security Module (HSM) devices with respect to fulfilling the needs of security services in a rapidly growing security market in a cost-effective way. In particular, the needs due to the introduction of a new electronic ID system in Sweden (the Federation of Swedish eID) and how signatures are created and managed. The SafeNet Luna SA 1700 is a high-performance HSM available in the current market. In this thesis the Luna SA 1700 capabilities are stated and a comprehensive analysis of its performance shows a performance gap between what HSMs are currently able to do and what they need to do to address the expected demands. A case study focused on new security services needed to address Sweden's e-Identification organization is presented. Based upon the expected performance demands, this thesis project proposes an optimized HSM solution to address the identified performance gap between what is required and what current HSMs can provide. A series of tests were conducted to measure an existing HSM's performance. An analysis of these measurements was used to optimize a proposed solution for the selected HSM or similar HSMs. One of the main requirements of the new signing service is the capability to perform fifty digital signatures within the acceptable response time, which is 300 ms during normal hours and 3000 ms during peak hours. The proposed solution enables the HSM to meet the expected demand of 50 signing requests per second in the assumed two hours of peak rate at a cost that is 1/9 of the cost of simply scaling up the number of HSMs. The target audience of this thesis project is Security Service Providers who use HSMs and need a high volume of key generation and storage. HSM vendors may also consider this solution and add similar functionality to their devices in order to meet the desired demands and to ensure a better future in this very rapidly growing market.
/ This degree project examines the performance limitations of Hardware Security Module (HSM) devices with respect to meeting the need for security services in a rapidly growing market in a cost-effective way. In particular, this is due to the security requirements that now exist or have been added after the introduction of a new electronic ID system in Sweden (the Federation for Swedish eID) and how signatures are created and managed. The SafeNet Luna SA 1700 is a high-performance HSM device available on the market. This thesis presents current HSM capacity, and a comprehensive analysis of the results shows a performance gap between what HSMs can currently do and what needs to be improved to address the expected requirements. A case study focused on the new security services required by Sweden's new e-identification is presented. Based on the results of this thesis, an optimized HSM solution is proposed to close the performance gap between what the HSM delivers and the new requirements placed on it. A number of tests were carried out to measure the performance of an existing HSM. An analysis of these measurements was used to propose an optimized solution for HSM (or similar) devices. One of the main requirements for the new signing service is a capacity of 50 digital signatures within an accepted response-time interval, which is 300 ms during ordinary traffic and 3000 ms during peak traffic. The proposals in the thesis enable the HSM device to meet the requirement of 50 signings per second during two hours of peak traffic, at 1/9 of the cost compared with scaling up the number of HSMs. The target group of this thesis is users of HSMs where the need for storage and generation of keys in high volumes is great, as well as HSM vendors who can implement this optimization/solution in existing functionality to meet this need in an ever-growing market.
6

Svensk e-legitimation: all eggs in one basket?

Ställvik, Emil, Bentell, Morgan January 2016 (has links)
A case study has been conducted on an electronic identification service called “Svensk e-legitimation”. The service has been developed on behalf of the Swedish government and is provided by a board created in 2011, E-legitimationsnämnden. The service, whose purpose is to assist with identification at Swedish authorities, also increases the competitiveness between the issuers of e-ID. By reviewing the documents published on websites regarding the service, a risk area has been identified. To demonstrate the importance of addressing the risks, four attack scenarios were created, scenarios which potential attackers might use. Finally, a solution which aims to secure the identified risks is presented.
/ A case study has been carried out on the electronic identification service Svensk e-legitimation, which is provided by E-legitimationsnämnden on behalf of the Swedish parliament. The service, whose purpose is to assist with identification options for Swedish authorities, also increases competitiveness between issuers of e-identification. By reviewing documents published on websites for the service, a threat picture has been identified. To demonstrate the importance of addressing the risks within the threat picture, four attack scenarios were produced which potential attackers could use. Finally, a solution was presented which aims to secure against the risks identified.
7

Overcoming the risks of perimeter-based security - An approach using federated identification via A3/ICP-Brasil digital certificates and SAML

Souza, Wellington Silva de 18 February 2013 (has links)
The traditional perimeter-based approach for computer network security (the castle and the moat model) hinders the progress of enterprise systems and promotes, both in administrators and users, the delusion that systems are protected. To deal with the new range of threats, a new data-safety oriented paradigm, called de-perimeterisation, began to be studied in the last decade. One of the requirements for the implementation of the de-perimeterised model of security is the definition of a safe and effective mechanism for federated identity. This work seeks to fill this gap by presenting the specification, modelling and implementation of a mechanism for federated identity, based on the combination of SAML and X.509 digital certificates stored in smart-cards, following the A3 standard of ICP-Brasil (Brazilian official certificate authority and PKI).
/ The traditional view of computer network security, based on a perimeter (the castle and moat model), besides hindering the evolution of corporate systems, creates, in administrators as well as users, the false illusion of protection. To deal with the new range of threats, a new paradigm oriented to the intrinsic security of data, called de-perimeterisation, began to be studied in the last decade. One of the requirements for the deployment of the de-perimeterised security model is the definition of a secure and effective mechanism for federated identification. This work seeks to fill that gap by presenting the specification, modelling and implementation of a mechanism for federated identification, based on the conjunction of the SAML protocol and X.509 digital certificates stored in smart cards, following the A3/ICP-Brasil standard.
8

THE IMPACT OF XML SECURITY STANDARDS ON MANAGING POST PROCESSED TELEMETRY DATA

Kalibjian, Jeffrey R. 10 1900 (has links)
International Telemetering Conference Proceedings / October 20-23, 2003 / Riviera Hotel and Convention Center, Las Vegas, Nevada
Today many organizations use the Secure Sockets Layer protocol (SSL, now known as TLS, or Transport Layer Security) to secure post processed telemetry data transmitted over internal or external Internet Protocol (IP) networks. While TLS secures data traveling over a network, it does not protect data after it reaches its end point. In the Open Systems Interconnection (OSI) layer model, TLS falls several layers below the application category. This implies that applications utilizing data delivered by TLS have no way of evaluating whether data has been compromised before TLS encryption (from a source), or after TLS decryption (at the destination). This security “gap” can be addressed by adoption of a security infrastructure that allows security operations to be abstracted at an OSI application level.
9

Patient Privacy And Consent Management In Ehealth

Alpay, Erdem 01 August 2012 (has links) (PDF)
Health information of patients is preserved either in Electronic Health Records (EHR) repositories, which are generally managed at the national level, or in local hospital systems. However, the real owners of the data are always the patients themselves, regardless of where or by whom the data is preserved. Patients should have the right to permit or deny access to or modification of their information to whomever they want. Here comes the concept of Consent. Consent means provision of approval or agreement, after thoughtful consideration. Decisions of patients about sharing their information are collected and preserved in consent documents. These consent documents can be stored in different formats. The eXtensible Access Control Markup Language (XACML) defines the policy language for this purpose. There is also another language defined by XACML, called Request/Response Language, for creating requests to access information and responses to reply to requests. Even though XACML is the most appropriate standard for conserving consent documents, it has some weak points when used in practical systems. In the first part of this study, a new model based on XACML is designed. This model is easily convertible to XACML and vice versa. Then a Consent Management tool is designed using the new model. This tool has two parts, Basic Consent Editor and Consent Manager. Basic Consent Editor aims to provide a practical user interface for creating and managing consent documents. Consent Manager, on the other hand, plays a decision mechanism role which handles requests and creates decision responses according to already created consent documents. In this study, three different tools are implemented based on the Consent Management tool, each for different purposes on different projects. Throughout these implementations, the usability and possible extensibility of the Consent Management tool are analysed.
10

Architectural Design of a Conformative Authentication Service for Security Platforms

Hermansson, Mikael January 2013 (has links)
Authentication services in security platforms often need to handle different types of systems which have various requirements regarding the authentication. These requirements can often interfere with each other, and the issue here is that the authentication service often needs to be manually adjusted to comply with these requirements. Therefore, there is a need for a flexible architectural design which enables changes and could open up for new emerging technologies and possibilities. This thesis presents an architectural design of a conformative authentication service based on SAML 2.0 to be used in security platforms. In this thesis a requirements analysis was performed and an architectural design was developed. The architectural design presented in this thesis is conformative in various aspects, e.g. usage of various authentication methods, versatile handling of attributes, handling of various SAML 2.0 profiles, possibilities to participate in various identity federations and handling of legacy systems not supporting SAML. In addition, an evaluation comparing the candidate architectural design presented in this thesis with a currently active architectural design was performed. This evaluation showed that the candidate architectural design was considered better for more usage scenarios.
