Spelling suggestions: "subject:"trusted aplatform bodule"" "subject:"trusted aplatform amodule""
1 |
Towards a Trustworthy Thin Terminal for Securing Enterprise NetworksFrenn, Evan 25 April 2013 (has links)
Organizations have many employees that lack the technical knowledge to securely operate their machines. These users may open malicious email attachments/links or install unverified software such as P2P programs. These actions introduce significant risk to an organization's network since they allow attackers to exploit the trust and access given to a client machine. However, system administrators currently lack the control of client machines needed to prevent these security risks. A possible solution to address this issue lies in attestation. With respect to computer science, attestation is the ability of a machine to prove its current state. This capability can be used by client machines to remotely attest to their state, which can be used by other machines in the network when making trust decisions. Previous research in this area has focused on the use of a static root of trust (RoT), requiring the use of a chain of trust over the entire software stack. We would argue this approach is limited in feasibility, because it requires an understanding and evaluation of the all the previous states of a machine. With the use of late launch, a dynamic root of trust introduced in the Trusted Platform Module (TPM) v1.2 specification, the required chain of trust is drastically shortened, minimizing the previous states of a machine that must be evaluated. This reduced chain of trust may allow a dynamic RoT to address the limitations of a static RoT. We are implementing a client terminal service that utilizes late launch to attest to its execution. Further, the minimal functional requirements of the service facilitate strong software verification. The goal in designing this service is not to increase the security of the network, but rather to push the functionality, and therefore the security risks and responsibilities, of client machines to the network€™s servers. In doing so, we create a platform that can more easily be administered by those individuals best equipped to do so with the expectation that this will lead to better security practices. Through the use of late launch and remote attestation in our terminal service, the system administrators have a strong guarantee the clients connecting to their system are secure and can therefore focus their efforts on securing the server architecture. This effectively addresses our motivating problem as it forces user actions to occur under the control of system administrators.
|
2 |
Privacy Preserving Authentication Schemes and ApplicationsAsokan, Pranav 23 June 2017 (has links)
With the advent of smart devices, Internet of things and cloud computing the amount of information collected about an individual is enormous. Using this meta-data, a complete profile about a person could be created - professional information, personal information like his/her choices, preferences, likes/dislikes etc. The concept of privacy is totally lost with this gamut of technology. The ability to separate one's on-line identity from their personal identity is near impossible. The conflicting interests of the two parties - service providers' need for authentication and the users' privacy needs - is the cause for this problem. Privacy Preserving Authentication could help solve both these problems by creating valid and anonymous identities for the users. And simply by proving the authenticity and integrity of this anonymous identity (without revealing/exposing it) the users can obtain services whilst protecting their privacy. In this thesis, I review and analyze the various types of PPA schemes leading to the discussion of our new scheme 'Lightweight Anonymous Attestation with Efficient Revocation'. Finally, the scenarios where these schemes are applicable are discussed in detail. / Master of Science / With the advent of smart devices, people are almost always connected to the Internet. These smart devices and applications collect information about the user on a massive scale. When all such meta-data are put together, a complete profile of the user - professional and personal information, his/her choices, preferences, likes/dislikes etc. could be created. And all this data is stored somewhere on the Internet. The concept of privacy loses its meaning as this entity knows more about the user than they do themselves. The main reason for this is the inability to separate one’s on-line identity from their personal identity. Service providers need to authenticate the users - the process by which one entity is assured of the identity of the second entity it is interacting with - to ensure only valid members are allowed to use their service. This leads to invasion of the user’s privacy/anonymity as authentication often needs details like address, date-of-birth, credit card details etc. Privacy Preserving Authentication could help solve both these problems by creating valid but anonymous identities for the users. PPA works by issuing the users a secret credential if they can prove their identity. And simply by proving the authenticity and integrity of these secret credentials (without revealing/exposing it) the users can obtain services whilst protecting their privacy. In this thesis, I review and analyze the various types of PPA schemes leading to the discussion of our new scheme Lightweight Anonymous Attestation with Efficient Revocation. Finally, the application scenarios where these schemes are applicable are discussed in detail.
|
3 |
Um Data Diode com hardware criptográfico para Redes Industriais CríticasTeixeira, Gabriel Carrijo Bento, 69-99292-1505 15 December 2017 (has links)
Submitted by Divisão de Documentação/BC Biblioteca Central (ddbc@ufam.edu.br) on 2018-03-05T15:59:13Z
No. of bitstreams: 2
license_rdf: 0 bytes, checksum: d41d8cd98f00b204e9800998ecf8427e (MD5)
Dissertação_Gabriel C. B. Teixeira.pdf: 7518481 bytes, checksum: f8b49cd06f0d81fce33b270fade5aa54 (MD5) / Approved for entry into archive by Divisão de Documentação/BC Biblioteca Central (ddbc@ufam.edu.br) on 2018-03-05T15:59:25Z (GMT) No. of bitstreams: 2
license_rdf: 0 bytes, checksum: d41d8cd98f00b204e9800998ecf8427e (MD5)
Dissertação_Gabriel C. B. Teixeira.pdf: 7518481 bytes, checksum: f8b49cd06f0d81fce33b270fade5aa54 (MD5) / Made available in DSpace on 2018-03-05T15:59:25Z (GMT). No. of bitstreams: 2
license_rdf: 0 bytes, checksum: d41d8cd98f00b204e9800998ecf8427e (MD5)
Dissertação_Gabriel C. B. Teixeira.pdf: 7518481 bytes, checksum: f8b49cd06f0d81fce33b270fade5aa54 (MD5)
Previous issue date: 2017-12-15 / Industrial networks are highly sensitive environments from the point of view of
information security with a view to computer incidents can cause incalculable
damage. Over the years the connection of those networks with enterprise environments
and consequently the Internet, has brought serious concerns about the
integrity of the information and equipment involved. Several solutions have been
proposed with the aim of protecting Industrial Networks in data communications
infrastructure. However, is it really possible or feasible to ensure that the solutions
implemented are really safe? In this sense, this work presents a security
scheme able to deal with the problems encountered in the integration of critical
industrial networks with insecure corporate networks, aiming to ensure data integrity
and reliability being the devices. To this end it is proposed to use a Data
Diode in the interconnection of networks for the protection of industrial plant
and a cryptographic hardware TPM (Trusted Platform Module) to guarantee integrity
and reliability of the devices involved. In order to prove the effectiveness
of this architecture, tests were carried out to the end the work show that it is
possible to achieve better results than those existing in the literature. / Redes Industriais são ambientes altamente sensíveis do ponto de vista da Segurança
da Informação, visto que incidentes computacionais podem ocasionar
prejuízos incalculáveis. Com o passar dos anos a interligação dessas redes com
ambientes corporativos e, consequentemente a Internet, trouxe sérias preocupações
sobre a integridade das informações e equipamentos envolvidos. Diversas
soluções têm sido propostas com o objetivo de proteger infraestruturas de comunicação
de dados em Redes Industriais. Contudo, será que realmente é possível
ou factível garantir que as soluções implementadas são realmente seguras? Neste
sentido, esta dissertação apresenta um esquema de segurança capaz de tratar
os problemas encontrados na integração de redes industriais críticas com redes
corporativas inseguras, objetivando garantir integridade dos dados e confiabilidade
entre os dispositivos. Para esse fim é proposta a utilização de um Data
Diode na interligação das redes para a proteção da planta industrial e um hardware
criptográfico TPM (Trusted Platform Module) para garantia de integridade
e confiabilidade dos dispositivos envolvidos. Como forma de provar a efetividade
dessa arquitetura, foram realizados testes, que ao final no trabalho, mostram que
é possível alcançar resultados superiores aos trabalhos já existentes na literatura.
|
4 |
Comparative Study of Network Access Control TechnologiesQazi, Hasham Ud Din January 2007 (has links)
<p>This thesis presents a comparative study of four Network Access Control (NAC) technologies; Trusted Network Connect by the Trusted Computing group, Juniper Networks, Inc.’s Unified Access Control, Microsoft Corp.’s Network Access Protection, and Cisco Systems Inc.’s Network Admission Control. NAC is a vision, which utilizes existing solutions and new technologies to provide assurance that any device connecting to a network policy domain is authenticated and is subject to the network’s policy enforcement. Non-compliant devices are isolated until they have been brought back to a complaint status. We compare the NAC technologies in terms of architectural and functional features they provide.</p><p>There is a race of NAC solutions in the marketplace, each claiming their own definition and terminology, making it difficult for customers to adopt such a solution, resulting in much uncertainty. The NAC paradigm can be classified into two categories: the first category embraces open standards; the second follows proprietary standards. By selecting these architectures, we cover a representative set of proprietary and open standards-based NAC technologies.</p><p>This study concludes that there is a great need for standardization and interoperability of NAC components and that the four major solution proposals that we studied fall short of the desired interoperability. With standards, customers have the choice to adopt solution components from different vendors, selecting, what is commonly referred to as the best of breed. One example for a standard technology that all four NAC technologies that we studied did adopt is the IEEE’s 802.1X port-based access control technology. It is used to control endpoint device access to the network.</p><p>One shortcoming that most NAC architectures (with the exception of Trusted Network Connect) have in common, is the lack of a strong root-of-trust. Without it, clients’ compliance measurements cannot be trusted by the policy server whose task is to assess each client’s policy compliance.</p>
|
5 |
Secure network programming in wireless sensor networksTan, Hailun, Computer Science & Engineering, Faculty of Engineering, UNSW January 2010 (has links)
Network programming is one of the most important applications in Wireless Sensor Networks as It provides an efficient way to update program Images running on sensor nodes without physical access to them. Securing these updates, however, remains a challenging and important issue, given the open deployment environment of sensor nodes. Though several security schemes have been proposed to impose the authenticity and Integrity protection on network programming applications, they are either energy Inefficient as they tend to use digital signature or lacks the data confidentiality. In addition, due to the absence of secure memory management in the current sensor hardware, the attacker could inject malicious code into the program flash by exploiting buffer overflow In the memory despite the secure code dissemination. The contribution of this thesis Is to provide two software-based security protocols and one hardware-based remote attestation protocol for network programming application. Our first protocol deploys multiple one-way key chains for a multi-hop sensor network. The scheme Is shown to be lower In computational, power consumption and communication costs yet still able to secure multi??hop propagation of program images. Our second protocol utilizes an Iterative hash structure to the data packets in network programming application, ensuring the data confidentiality and authenticity. In addition, we Integrated confidentiality and DoS-attack-resistance in a multi??hop code dissemination protocol. Our final solution is a hardware-based remote attestation protocol for verification of running codes on sensor nodes. An additional piece of tamper-proof hardware, Trusted Platform Module (TPM), is imposed into the sensor nodes. It secures the sensitive information (e.g., the session key) from attackers and monitors any platform environment changes with the Internal registers. With these features of TPM, the code Injection attack could be detected and removed when the contaminated nodes are challenged in our remote attestation protocol. We implement the first two software-based protocols with Deluge as the reference network programming protocol in TinyOS, evaluate them with the extensive simulation using TOSSIM and validate the simulation results with experiments using Tmote. We implement the remote attestation protocol on Fleck, a sensor platform developed by CSIRO that Integrates an Atmel TPM chip.
|
6 |
Secure network programming in wireless sensor networksTan, Hailun, Computer Science & Engineering, Faculty of Engineering, UNSW January 2010 (has links)
Network programming is one of the most important applications in Wireless Sensor Networks as It provides an efficient way to update program Images running on sensor nodes without physical access to them. Securing these updates, however, remains a challenging and important issue, given the open deployment environment of sensor nodes. Though several security schemes have been proposed to impose the authenticity and Integrity protection on network programming applications, they are either energy Inefficient as they tend to use digital signature or lacks the data confidentiality. In addition, due to the absence of secure memory management in the current sensor hardware, the attacker could inject malicious code into the program flash by exploiting buffer overflow In the memory despite the secure code dissemination. The contribution of this thesis Is to provide two software-based security protocols and one hardware-based remote attestation protocol for network programming application. Our first protocol deploys multiple one-way key chains for a multi-hop sensor network. The scheme Is shown to be lower In computational, power consumption and communication costs yet still able to secure multi??hop propagation of program images. Our second protocol utilizes an Iterative hash structure to the data packets in network programming application, ensuring the data confidentiality and authenticity. In addition, we Integrated confidentiality and DoS-attack-resistance in a multi??hop code dissemination protocol. Our final solution is a hardware-based remote attestation protocol for verification of running codes on sensor nodes. An additional piece of tamper-proof hardware, Trusted Platform Module (TPM), is imposed into the sensor nodes. It secures the sensitive information (e.g., the session key) from attackers and monitors any platform environment changes with the Internal registers. With these features of TPM, the code Injection attack could be detected and removed when the contaminated nodes are challenged in our remote attestation protocol. We implement the first two software-based protocols with Deluge as the reference network programming protocol in TinyOS, evaluate them with the extensive simulation using TOSSIM and validate the simulation results with experiments using Tmote. We implement the remote attestation protocol on Fleck, a sensor platform developed by CSIRO that Integrates an Atmel TPM chip.
|
7 |
Comparative Study of Network Access Control TechnologiesQazi, Hasham Ud Din January 2007 (has links)
This thesis presents a comparative study of four Network Access Control (NAC) technologies; Trusted Network Connect by the Trusted Computing group, Juniper Networks, Inc.’s Unified Access Control, Microsoft Corp.’s Network Access Protection, and Cisco Systems Inc.’s Network Admission Control. NAC is a vision, which utilizes existing solutions and new technologies to provide assurance that any device connecting to a network policy domain is authenticated and is subject to the network’s policy enforcement. Non-compliant devices are isolated until they have been brought back to a complaint status. We compare the NAC technologies in terms of architectural and functional features they provide. There is a race of NAC solutions in the marketplace, each claiming their own definition and terminology, making it difficult for customers to adopt such a solution, resulting in much uncertainty. The NAC paradigm can be classified into two categories: the first category embraces open standards; the second follows proprietary standards. By selecting these architectures, we cover a representative set of proprietary and open standards-based NAC technologies. This study concludes that there is a great need for standardization and interoperability of NAC components and that the four major solution proposals that we studied fall short of the desired interoperability. With standards, customers have the choice to adopt solution components from different vendors, selecting, what is commonly referred to as the best of breed. One example for a standard technology that all four NAC technologies that we studied did adopt is the IEEE’s 802.1X port-based access control technology. It is used to control endpoint device access to the network. One shortcoming that most NAC architectures (with the exception of Trusted Network Connect) have in common, is the lack of a strong root-of-trust. Without it, clients’ compliance measurements cannot be trusted by the policy server whose task is to assess each client’s policy compliance.
|
Page generated in 0.0965 seconds