Trusted Path Client-server applications
Using COTS components
Tommy Kristiansen
Agenda
Thesis
Contributions
Solution
Result
Questions

Background

Bruce Schneier believes that "semantic attacks"
are the next wave of attacks to be faced by
computer users. These violate the integrity and
authenticity of data presented to the user,
enticing him to perform actions benefiting the
malefactor. Examples of direct user interactions
where this threat can be found are online voting,
online gambling, electronic signatures and
financial transactions.
thesis – Contributions – Solution – Result – Questions
Trusted Path

Orange Book
“A mechanism by which a person at a terminal can communicate
directly with the Trusted Computing Base. This mechanism can only
be activated by the person or the Trusted Computing Base and
cannot be imitated by untrusted software.”
Validates to B2, but is often implemented even when not validated
to B2, e.g. Windows NT (C2).
The trusted path mechanism guarantees that data typed by a user
on a client keyboard is protected from any intrusion by unauthorized
programs. It allows a user to create a non-forgeable and
non-penetrable communication path between the user’s client and the
trusted operating system software.
Trusted path with COTS

Built on Hanno Langweg’s work
– He looked at this with client applications.
Using Delphi to create an ActiveX control
where we use DirectX components to
create a secure environment on a Win32
platform.
Hopefully this will give authenticity and
integrity of the user and server.

Why use DirectX
When DirectX DirectInput and DirectDraw run in
exclusive mode, no other program can interfere
with them.
When we use DirectInput, there must be a user
present to give input
– Eliminates synthesized input
– Gives authenticity of a user.

When we use DirectDraw, no other program can
interfere with the integrity of what you see.
Why use ActiveX
Easy to implement DirectX components
No effort for the user to use it.
Trusted by OS
– Signed ActiveX control
– So you have a trusted application whose
origin you need to verify when installing the
control.
Hench
SendInput
Screen capture applications
User permissions installing ActiveX

Goals with thesis
See if it’s possible to create such a solution.
Look at existing solutions to prevent
phishing and compare them with this
solution.
Look at the possibilities of implementing
this in other environments.

Contributions

Provide software developers with a server-distributed component to
establish integrity and authenticity with a local human user.
Use existing software-based technology and operating system
mechanisms to implement a trusted path without additional
expensive hardware.
Analyze and compare the security of this approach and alternatives.
Build a working prototype for an existing general purpose operating
system.

Prevents phishing attacks
More secure under login/sign-in
Prevents effectiveness of Trojan horses/malware

Does not prevent keylogging!!


Contributions

Assuming
– We can trust the OS (an assumption we already
make when using e.g. e-banking)
– That the connection between client and server is
secure, e.g. SSL

Trojan horse and malware
– Runs on top of the OS and only has the same
rights as the user (no admin).
Solution
Results
Gives advantages compared with existing
solutions.
Limitations due to platform
Found some other interesting platforms on which to
see if similar solutions are possible.

Questions ?