INET'98

LDAPv3 Versus X.511 DAP Security: A Comparison and How to Sign LDAPv3 Operations - Paper 132
Vesna HASSLER
Technical University of Vienna, Austria

In this paper we give a comparative overview of the X.511 DAP (Directory Access Protocol)
security features and the LDAPv3 (Lightweight Directory Access Protocol, Version 3)
security features. We also propose a method to implement digital signatures for LDAPv3,
since this functionality has not been discussed in the LDAPv3 documents so far.

Smart Access: Strong Authentication on the Web - Paper 256
Ton VERSCHUREN
SURFnet, Netherlands

Today's Internet is moving away from its original academic credo: free access to
everything for all. Popular mechanisms to protect a Web site (or part of one) from public
access are filters on the IP address or username/password combinations. The first prevents
the identification of a single individual from any PC on the Internet. The latter suffers
from sniffing (the passwords travel unencrypted) and from publication; lists with
usernames and passwords are popular. In short, there is a strong need for better
identification (tell me who you are) of individuals and for better authentication (prove
to me who you are). One solution to this problem is the use of public key cryptography,
whereby both a Web server and a client possess a private/public key pair that is used to
create an encrypted communication path. An example is Netscape's Secure Sockets Layer
(SSL). Although the technology has been available for quite some time now, the use of
client certificates is minimal. The main reasons for this are the US crypto export regulations
(export of 40-bit instead of 128-bit keys makes the communication vulnerable to attacks)
and the fact that Certificate Authorities (the issuers of the certificates) are not yet
deployed on a large scale and do not interwork well. Therefore, another approach was
chosen. In the Netherlands more and more college and university passes are being
implemented on a multifunctional smartcard, the Student Smart Card,
"Studentenchipkaart" (SCK). Multifunctionality here means the combination of
several logical functions, both physical (the print on the
card) and electronic (the data on the card): visual pass for identification, access,
library; electronic purse, electronic identification, telephone card, etc. Could this
smartcard also be used as a means in a strong authentication process for online services?
The answer is yes. With the help of a team of students under
supervision of IBM staff, a protocol was developed and implemented, whereby a user with a
smartcard, a smartcard reader, a PC, and a Web browser can authenticate himself to a Web
server serving sensitive (i.e., nonpublic) data. The main advantage of this approach over
the one based on public key cryptography
is the fact that no separate registration process is necessary to obtain, say, a key. All
necessary data are already on the card when it reaches the student. The applications above
use a so-called two-party authentication mechanism, whereby the client talks directly to
the server for its authentication. Consequently, every server needs a copy of the secret
(triple DES) key on the smartcard. Obviously, this approach will not scale in a secure
way. Therefore, a three-party authentication service is currently under development.
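The two-party versus three-party distinction just drawn is the scaling argument of this abstract. The following model is added here as an illustration; it is not code from the SURFnet/IBM project the abstract describes. It assumes a challenge-response exchange between card and server (the abstract gives no protocol details), uses HMAC-SHA256 in place of the card's triple-DES operation, and the card identifier, server name and keys are constructed. It shows why every two-party server must hold a copy of every card key, while a three-party server holds only one key shared with the TTP and accepts a MACed verdict bound to its own challenge.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed demo keys (assumption): on the real Studentenchipkaart the key is
# personalised onto the card, and HMAC-SHA256 stands in here for its triple-DES operation.
CARD_KEYS: Dict[str, bytes] = {"card-0001": hashlib.sha256(b"constructed card key 1").digest()}
SERVER_KEYS: Dict[str, bytes] = {"www.example.test": hashlib.sha256(b"constructed server key").digest()}

def prf(key: bytes, *parts: bytes) -> bytes:
    """Keyed PRF over length-prefixed parts, so fields cannot slide into one another."""
    msg = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(key, msg, hashlib.sha256).digest()

class SmartCard:
    """Holds the card secret and answers challenges; the key never leaves the card."""
    def __init__(self, card_id: str, key: bytes):
        self.card_id, self._key = card_id, key

    def respond(self, challenge: bytes) -> bytes:
        return prf(self._key, b"card", self.card_id.encode(), challenge)

class ChallengeIssuer:
    """Fresh one-shot nonces, so a captured response cannot be replayed later."""
    def __init__(self):
        self._pending = set()

    def challenge(self) -> bytes:
        c = secrets.token_bytes(16)
        self._pending.add(c)
        return c

    def _consume(self, challenge: bytes) -> bool:
        if challenge not in self._pending:
            return False  # unknown or already-used nonce
        self._pending.discard(challenge)
        return True

def check_card(card_keys: Dict[str, bytes], card_id: str, challenge: bytes, response: bytes) -> bool:
    """Recompute the card's answer from a stored key and compare in constant time."""
    key = card_keys.get(card_id)
    return key is not None and hmac.compare_digest(
        prf(key, b"card", card_id.encode(), challenge), response)

class TwoPartyServer(ChallengeIssuer):
    """Two-party: the server verifies the card itself, so every such server must hold
    a copy of every card key it may be asked to authenticate."""
    def __init__(self, card_keys: Dict[str, bytes]):
        super().__init__()
        self.card_keys = dict(card_keys)  # the secret that does not scale

    def verify(self, card_id: str, challenge: bytes, response: bytes) -> bool:
        return self._consume(challenge) and check_card(self.card_keys, card_id, challenge, response)

class TrustedThirdParty:
    """Three-party: only the TTP holds card keys; each server shares a single key with
    the TTP and gets back a MACed verdict instead of the card secret."""
    def __init__(self, card_keys: Dict[str, bytes], server_keys: Dict[str, bytes]):
        self._card_keys, self._server_keys = dict(card_keys), dict(server_keys)

    def verify_and_assert(self, server_id: str, card_id: str,
                          challenge: bytes, response: bytes) -> Optional[bytes]:
        skey = self._server_keys.get(server_id)
        if skey is None or not check_card(self._card_keys, card_id, challenge, response):
            return None
        # Verdict bound to this server, this card and this challenge.
        return prf(skey, b"assert", server_id.encode(), card_id.encode(), challenge)

class ThreePartyServer(ChallengeIssuer):
    """Holds only its own key shared with the TTP and no card secrets at all."""
    def __init__(self, server_id: str, ttp_key: bytes):
        super().__init__()
        self.server_id, self._ttp_key = server_id, ttp_key

    def accept(self, card_id: str, challenge: bytes, verdict: bytes) -> bool:
        if not self._consume(challenge):
            return False
        expected = prf(self._ttp_key, b"assert", self.server_id.encode(), card_id.encode(), challenge)
        return hmac.compare_digest(expected, verdict)

def run_two_party(card_key: bytes = CARD_KEYS["card-0001"]) -> bool:
    """One login against a server that stores the card key itself."""
    card, server = SmartCard("card-0001", card_key), TwoPartyServer(CARD_KEYS)
    c = server.challenge()
    return server.verify(card.card_id, c, card.respond(c))

def run_three_party(card_key: bytes = CARD_KEYS["card-0001"]) -> bool:
    """One login where the server forwards the card's answer to the TTP for a verdict."""
    card, ttp = SmartCard("card-0001", card_key), TrustedThirdParty(CARD_KEYS, SERVER_KEYS)
    server = ThreePartyServer("www.example.test", SERVER_KEYS["www.example.test"])
    c = server.challenge()
    verdict = ttp.verify_and_assert(server.server_id, card.card_id, c, card.respond(c))
    return verdict is not None and server.accept(card.card_id, c, verdict)

def card_key_copies(n_servers: int, n_cards: int) -> Dict[str, int]:
    """Card-key copies held outside the cards under each scheme."""
    return {"two_party": n_servers * n_cards, "three_party": n_cards}
```

Both servers issue their own one-shot nonce and refuse a second use of it, so a response captured on the wire cannot be replayed. The difference is only in who holds the card secret: `card_key_copies(20, 10000)` gives 200,000 copies of card keys spread across two-party servers against 10,000 held by the single TTP, which is the exposure the abstract calls unscalable.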
SURFnet will act as the Trusted Third Party (TTP) for its customers who want to
authenticate their users
before they access their data.

How to Organize Companywide Authentication and E-Mail Encryption - Paper 313
Manfred BOGEN
Michael LENZ
Andreas REICHPIETSCH
Peter SIMONS
German National Research Center for Information Technology, Germany

In the last three years, encryption utilities like Pretty Good Privacy (PGP) and
Privacy Enhanced Mail (PEM) have matured to a point where they have begun to receive
widespread acceptance among users of electronic mail on the Internet and intranets. Many
employees of research institutes, universities, and companies have started to use
encryption and digital signatures to protect and to authenticate their e-mail.

To achieve the maximum benefit from these security measures, though, the organization has
to provide an infrastructure for its employees which includes trusted or untrusted key
servers, a key certification authority and a definite policy about the utilization of the
new technology.

In this paper, the authors present a skeleton security policy on which others can base
their custom-made solutions to the authentication problem. Experiences are also described
from establishing a certification authority within the German National Research Center for
Information Technology (GMD) and from maintaining a certification authority for the
individual network domain rhein.de.

The foundation of the work is the policy for certification authorities as issued by the
German Research Network (DFN), which will be discussed and extended so that it suits the
requirements of middle-size to large companies or organizations.

The paper also addresses the problem of handling different authentic keys for different
applications -- like encryption of electronic mail, Secure Shell (SSH) host keys, and
Secure Sockets Layer (SSL) certificates for Web browsers -- as well as giving various
practical hints which will help to avoid the pitfalls that lurk on the way.

The intention of this paper is to serve as a base for a security handbook for other
organizations
wishing to establish such an authentication infrastructure.