USC CSci530
Computer Security Systems
Lecture notes
Fall 2007

Dr. Clifford Neuman
University of Southern California
Information Sciences Institute

Copyright © 1995-2007 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE

UNIFIED PATENTS EXHIBIT 1034
UNIFIED PATENTS, LLC v. AUTHWALLET, LLC
IPR2021-01260
Page 1 of 99

CSci530: Security Systems
Lecture 4 – September 21, 2007
Cryptography Continued

Dr. Clifford Neuman
University of Southern California
Information Sciences Institute

FROM PREVIOUS LECTURE

Examples

• PGP
– “Web of Trust”
– Can model as connected digraph of signers
• X.500
– Hierarchical model: tree (or DAG?)
– (But X.509 certificates use ASN.1!)

Examples

• SSH
– User keys exchanged out of band.
– Weak assurance of server keys.
▪ Only that it was the same host you spoke with last time.
– Discussion of benefits
• SET
– Hierarchical
– Multiple roots
– Key splitting

What to do with keys

• Practical issues
– How to carry them
▪ Passwords vs. disks vs. smartcards
– Where do they stay, where do they go
– How many do you have
– How do you get them to begin with

Key Distribution

• Conventional cryptography
– Single key shared by both parties
• Public Key cryptography
– Public key published to the world
– Private key known only by owner
• Third party certifies or distributes keys
– Certification infrastructure
– Authentication

Practical use of keys

• Email (PEM or S/MIME or PGP)
– Hashes and message keys to be distributed and signed.
• Conferencing
– Group key management (discussed later)
• Authentication (next lecture)
• SSL
– And other “real time” protocols
– Key establishment

Recovery from exposed keys

• Revocation lists (CRLs)
– Long lists
– Hard to propagate
• Lifetime / Expiration
– Short life allows assurance of validity at time of issue.
• Realtime validation
– Online Certificate Status Protocol (OCSP)
• What about existing messages?

Key Management Overview

• Key size vs. data size
– Affects security and usability
• Reuse of keys
– Multiple users, multiple messages
• Initial exchange
– The bootstrap/registration problem
– Confidentiality vs. authentication

Key Management Review

• KDCs
– Generate and distribute keys
– Bind names to shared keys

Key Management Overview

• Who needs strong secrets anyway
– Users?
– Servers?
– The Security System?
– Software?
– End Systems?
• Secret vs. Public

Security Architectures

• DSSA
– Delegation is the important issue
▪ Workstation can act as user
▪ Software can act as workstation – if given key
▪ Software can act as developer – if checksum validated
– Complete chain needed to assume authority
– Roles provide limits on authority – new sub-principal

Group Key Management

• Group key vs. Individual key
– A group key identifies a member of the group; an individual key identifies which member
– PK is slower but allows individual members to be verified

Group Key Management Issues

• Revoking access
– Change messages, keys, redistribute
• Joining and leaving groups
– Does one see old messages on join
– How to revoke access
• Performance issues
– Hierarchy to reduce number of envelopes for very large systems
– Hot research topic
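To make the "hierarchy to reduce number of envelopes" point concrete, here is an added example (not from the lecture) of a logical key hierarchy of the kind described in RFC 2627: members sit at the leaves of a binary key tree and hold the keys on their leaf-to-root path, the root key being the group key. When one member leaves, only the path keys are replaced, and each new key is enveloped under the surviving child keys. Encryption is modelled as a (key, encrypting key) pair because only the count matters here: a flat scheme needs n-1 envelopes, the tree needs 2·log2(n)-1. The class and function names are this example's own.

```python
import math


class KeyTree:
    """Binary logical key hierarchy. Node ids are heap-style: root 1, children of
    i are 2i and 2i+1, member j's leaf is n + j.  Every node holds a key; a member
    knows exactly the keys on its leaf-to-root path, and the root key is the
    group key.  Keys are modelled by a version counter, since the example only
    needs to know which keys changed and how many envelopes were sent."""

    def __init__(self, members):
        n = len(members)
        if n < 2 or n & (n - 1):
            raise ValueError("this toy uses a full binary tree: n must be a power of two")
        self.members = list(members)
        self.version = {node: 0 for node in range(1, 2 * n)}

    def leaf(self, member):
        return len(self.members) + self.members.index(member)

    def path(self, member):
        """Node ids of the keys this member holds, leaf first, root last."""
        node, out = self.leaf(member), []
        while node >= 1:
            out.append(node)
            node //= 2
        return out

    def remove(self, member):
        """Rekey after `member` leaves. Every key on its path is replaced, and each
        new key is sent once per surviving child: under the untouched sibling's
        key, and (above the lowest level) under the child key just replaced, which
        that subtree has already received. Returns the envelopes as
        (node whose new key is sent, node whose key encrypts it)."""
        leaf = self.leaf(member)
        envelopes = []
        node = leaf // 2
        while node >= 1:
            self.version[node] += 1                       # fresh key at this node
            for child in (2 * node, 2 * node + 1):
                if child == leaf:
                    continue                              # leaver's key is never used again
                envelopes.append((node, child))
            node //= 2
        self.members[self.members.index(member)] = None   # leaf now empty
        return envelopes


def naive_rekey_count(n):
    """Flat scheme: the new group key goes out once per remaining member."""
    return n - 1


def lkh_rekey_count(n):
    """Envelopes LKH needs for one departure from a full tree of n leaves."""
    return 2 * int(math.log2(n)) - 1


if __name__ == "__main__":
    tree = KeyTree(list("abcdefgh"))                      # constructed 8-member group
    print("c holds keys", tree.path("c"))
    print("envelopes after c leaves:", tree.remove("c"))
    for n in (8, 1024, 65536):
        print(n, "members: flat", naive_rekey_count(n), "vs LKH", lkh_rekey_count(n))
```

The leaver still knows the old versions of every key on its path, which is why all of them change; it never learns the new ones because no envelope is ever encrypted under its own leaf key. Join handling, where the concern is the opposite one (a newcomer must not read old traffic), needs the same path rekey and is left out here.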

Group Key Management Approaches

• Centralized
– Single entity issues keys
– Optimization to reduce traffic for large groups
– May utilize application specific knowledge
• Decentralized
– Employs sub managers
• Distributed
– Members do key generation
– May involve group contributions


CSci530: Computer Security Systems
Lecture 4 – 21 September 2007
Authentication

Dr. Clifford Neuman
University of Southern California
Information Sciences Institute

Identification vs. Authentication

• Identification
– Associating an identity with an individual, process, or request
• Authentication
– Verifying a claimed identity

Basis for Authentication

• Ideally
– Who you are
• Practically
– Something you know
– Something you have
– Something about you
▪ (Sometimes mistakenly called things you are)

Something you know

• Password or Algorithm
– e.g. encryption key derived from password
• Issues
– Someone else may learn it
▪ Find it, sniff it, trick you into providing it
– Other party must know how to check
– You must remember it
– How stored and checked by verifier

Examples of Password Systems

• Verifier knows password
• Encrypted Password
• One way encryption
• Third Party Validation

Attacks on Password

• Brute force
• Dictionary
• Pre-computed Dictionary
• Guessing
• Finding elsewhere

Something you Have

• Cards
– Mag stripe (= password)
– Smart card, USB key
– Time varying password
• Issues
– How to validate
– How to read (i.e. infrastructure)

Something about you

• Biometrics
– Measures some physical attribute
▪ Iris scan
▪ Fingerprint
▪ Picture
▪ Voice
• Issues
– How to prevent spoofing
– Suited when biometric device is trusted, not suited otherwise

Other forms of authentication

• IP Address
• Caller ID (or call back)
• Past transaction information
– (second example of something you know)

“Enrollment”

• How to initially exchange the secret.
– In person enrollment
– Information known in advance
– Third party verification
– Mail or email verification

Multi-factor authentication

• Require at least two of the classes above.
– e.g. Smart card plus PIN
– RSA SecurID plus password (AOL)
– Biometric and password
• Issues
– Better than one factor
– Be careful about how the second factor is validated. E.g. on card, or on remote system.

General Problems with Passwords

• Space from which passwords are chosen
• Too many passwords
– And what it leads to

Single Sign On

• “Users should log in once and have access to everything”
• Many systems store password lists
– Which are easily stolen
• Better is encryption-based credentials
– Usable with multiple verifiers
– Interoperability is a complicating factor.

Encryption Based Authentication

• Proving knowledge of encryption key
– Nonce = non-repeating value

[Figure: C → S: {Nonce or timestamp}Kc]
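As an added example (not from the lecture slides), the challenge-response on this slide in Python: the verifier S issues a nonce, the client C returns a keyed function of it, and S checks the result with the shared key Kc while refusing any nonce it did not issue or has already accepted. Python's standard library has no block cipher, so HMAC-SHA256 under Kc stands in for encryption under Kc; like encryption, it is something only a holder of Kc can produce. The timestamp variant, with an acceptance window and a replay cache, is included as well. The names `prove` and `Verifier` and the 300-second skew are this example's own choices.

```python
import hashlib
import hmac
import os
import time


# Kc is assumed to have been shared between C and S in advance (key distribution
# is the earlier slides' problem, not this one's).
def prove(kc: bytes, challenge: bytes) -> bytes:
    """C's side of {challenge}Kc: HMAC-SHA256 stands in for encryption under Kc."""
    return hmac.new(kc, challenge, hashlib.sha256).digest()


class Verifier:
    """S's side: issues nonces, checks responses, and never accepts a value twice."""

    def __init__(self, keys: dict, skew_seconds: int = 300):
        self.keys = keys                  # client name -> Kc
        self.outstanding = set()          # nonces issued and not yet answered
        self.seen_timestamps = set()      # (client, timestamp) already accepted
        self.skew = skew_seconds          # tolerated clock difference for timestamps

    def new_nonce(self) -> bytes:
        nonce = os.urandom(16)            # non-repeating value, fresh per challenge
        self.outstanding.add(nonce)
        return nonce

    def check_nonce_response(self, client: str, nonce: bytes, response: bytes) -> bool:
        if client not in self.keys or nonce not in self.outstanding:
            return False                  # unknown client, or nonce not issued / already used
        self.outstanding.discard(nonce)   # one answer per nonce: a replay fails here
        expected = prove(self.keys[client], nonce)
        return hmac.compare_digest(expected, response)

    def check_timestamp_response(self, client: str, ts: int, response: bytes,
                                 now: float = None) -> bool:
        """Timestamp variant: no round trip, but S needs clocks and a replay cache."""
        now = time.time() if now is None else now
        if client not in self.keys or abs(now - ts) > self.skew:
            return False                  # stale or from the future
        if (client, ts) in self.seen_timestamps:
            return False                  # replay inside the window
        expected = prove(self.keys[client], str(ts).encode())
        if not hmac.compare_digest(expected, response):
            return False
        self.seen_timestamps.add((client, ts))
        return True


if __name__ == "__main__":
    kc = os.urandom(32)                   # constructed shared key
    server = Verifier({"alice": kc})
    nonce = server.new_nonce()
    print("fresh response accepted:", server.check_nonce_response("alice", nonce, prove(kc, nonce)))
    print("replayed response accepted:", server.check_nonce_response("alice", nonce, prove(kc, nonce)))
```

The two variants trade the same thing: a nonce costs a round trip but needs no clocks, a timestamp saves the round trip but makes S depend on loosely synchronized clocks and on remembering what it accepted within the window.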

Authentication w/ Conventional Crypto

• Kerberos or Needham Schroeder

[Figure: messages 1, 2, 3, 4, 5 exchanged among client C, the KDC and server S]

Authentication w/ PK Crypto

• Based on public key certificates

[Figure: messages 1, 2, 3 exchanged among client C, server S and DS]

Public Key Cryptography (revisited)

• Key Distribution
– Confidentiality not needed for public key
– Solves n² problem
• Performance
– Slower than conventional cryptography
– Implementations use for key distribution, then use conventional crypto for data encryption
• Trusted third party still needed
– To certify public key
– To manage revocation
– In some cases, third party may be off-line

Certificate-Based Authentication

• Certification authorities issue signed certificates
– Banks, companies, & organizations like Verisign act as CAs
– Certificates bind a public key to the name of a user
– Public key of CA certified by higher-level CAs
– Root CA public keys configured in browsers & other software
– Certificates provide key distribution

Certificate-Based Authentication (2)

• Authentication steps
– Verifier provides nonce, or a timestamp is used instead.
– Principal selects session key and sends it to verifier with nonce, encrypted with principal’s private key and verifier’s public key, and possibly with principal’s certificate
– Verifier checks signature on nonce, and validates certificate.

Secure Sockets Layer (and TLS)

[Figure: C → S: Hello; S → C: Hello + CertS; C → S: {PMKey}Ks, [CertC + VerifyC]; S → C: VerifyS; an Attacker sits on the path between C and S]

• Encryption support provided between browser and web server - below HTTP layer
• Client checks server certificate
• Works as long as client starts with the correct URL
• Key distribution supported through cert steps
• Authentication provided by verify steps

Trust models for certification

• X.509 Hierarchical
– Single root (original plan)
– Multi-root (better accepted)
– SET has banks as CAs and common SET root
• PGP Model
– “Friends and Family approach” - S. Kent
• Other representations for certifications
• No certificates at all
– Out of band key distribution
– SSH

Authenticating Hardware and Software

• DSSA
– Delegation is the important issue
▪ Workstation can act as user
▪ Software can act as workstation – if given key
▪ Software can act as developer – if checksum validated

Next Generation Secure Computing Base (Longhorn)

• Secure booting provides known hardware and OS software base.
• Security Kernel in OS provides assurance about the application.
• Security Kernel in application manages credentials granted to application.
• Security servers enforce rules on what software they will interact with.

Passport v Liberty Alliance

• Two versions of Passport
– Current deployed version has lots of weaknesses and is centralized
– Version under development is “federated” and based on Kerberos
• Liberty Alliance
– Loosely federated with framework to describe authentication provided by others.

Passport v1

• Goal is single sign on
• Implemented via redirections

[Figure: flow of messages 1–8 among C, P and S]

Assigned reading: http://avirubin.com/passport.html

Federated Passport

• Announced September 2001
• Multiple registrars
– E.g. ISPs register own users
• Kerberos credentials
– Embedded authorization data to pass other info to merchants.
• Federated Passport is predominantly vaporware today, but .net authentication may be where their federated model went.

Liberty Alliance

• Answer to MS federated Passport
• Design criteria were most of the issues addressed by Federated Passport, i.e. no central authority.
• Got off to a slow start, but to date has produced more than Passport has.
• Uses SAML (Security Association Markup Language) to describe trust across authorities, and what assertions mean from particular authorities.
• These are hard problems, and come to the core of what has kept PKI from being as dominant as originally envisioned.
• Phased approach: Single sign on, Web services, Federated Services Infrastructure.

Federated Identity - Shibboleth

• Internet 2 Project
– Federated Administration
– Attribute Based Access Control
– Active Management of Privacy
– Based on Open SAML
– Framework for Federation

Shibboleth - Architecture

• Service Provider
– Browser goes to the Resource Manager, which uses the WAYF and the Attribute Requester, and decides whether to grant access.
• Where are you from (WAYF) service
– Redirects to correct servers
• Federation

The Shibboleth Protocol

Participants: Client Web Browser; Service Provider (SP) Web Site; WAYF; Identity Provider (IdP) Web Site, backed by LDAP

1. User requests resource
2. I don’t know you, or where you are from
3. Where are you from?
4. Redirect to IdP for your org
5. I don’t know you. Authenticate using your org’s web login
6. I know you now. Redirect to SP, with a handle for user
7. I don’t know your attributes. Ask the IdP (peer to peer)
8. Based on attribute values, allow access to resource

Source: Kathryn Huxtable khuxtable@ku.edu 10 June 2005

Generic Security Services API

• Moving up the Stack
– Standard interface for choosing among authentication methods
– Once an application uses GSS-API, it can be changed to use a different authentication method easily.
• Calls
– Acquire and release cred
– Manage security context
▪ Init, accept, and process tokens
– Wrap and unwrap

Authentication in Applications

• Unix login
• Telnet
• RSH
• SSH
• HTTP (Web browsing)
• FTP
• Windows login
• SMTP (Email)
• NFS
• Network Access

Unix Login (review)

• One way encryption of password
– Salted as defense against pre-computed dictionary attacks
• To validate, encrypt and compare with stored encrypted password
• May use shadow password file
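The salted one-way check as working code, added here and not the lecture's own: a random salt is stored next to the one-way result, validation re-applies the function to the candidate with the stored salt and compares, and two accounts with the same password end up with different stored values, which is what defeats a precomputed dictionary. PBKDF2-HMAC-SHA256 from hashlib replaces the DES-based crypt(3) of classic Unix so the code runs anywhere; the `$pbkdf2$iters$salt$hash` storage format and the iteration count are this example's assumptions, not the Unix format.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000       # work factor: raises the cost of each guess


def one_way(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """The one-way function. Unix crypt(3) used a DES-based construction keyed by
    the password; PBKDF2-HMAC-SHA256 is substituted here so the code runs anywhere."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def make_entry(password: str, salt: bytes = None) -> str:
    """What gets stored (in the shadow file) for this account: salt and result,
    never the password. Format is this example's own: $pbkdf2$iters$salt$hash."""
    salt = os.urandom(16) if salt is None else salt
    return f"$pbkdf2${ITERATIONS}${salt.hex()}${one_way(password, salt).hex()}"


def check_password(password: str, entry: str) -> bool:
    """Validation as on the slide: one-way the candidate with the stored salt and
    compare with the stored result (constant-time, so timing leaks nothing)."""
    try:
        _, scheme, iters, salt_hex, stored_hex = entry.split("$")
        if scheme != "pbkdf2":
            return False
        digest = one_way(password, bytes.fromhex(salt_hex), int(iters))
    except ValueError:                      # malformed entry
        return False
    return hmac.compare_digest(digest.hex(), stored_hex)


def same_password_differs(password: str) -> bool:
    """Why the salt matters: two accounts with the same password store different
    values, so a dictionary precomputed once cannot be checked against every entry."""
    first, second = make_entry(password), make_entry(password)
    return first != second and check_password(password, first) and check_password(password, second)


if __name__ == "__main__":
    entry = make_entry("correct horse")     # constructed sample password
    print(entry)
    print("right password:", check_password("correct horse", entry))
    print("wrong password:", check_password("correct horse battery", entry))
```

Moving the entries to a shadow file, as the last bullet says, limits who can read the stored values at all; the salt and work factor only matter once someone has them.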

Telnet

• A remote login application
• Normally just an unencrypted channel over which plaintext password sent.
• Supports encryption option and authentication options using protocols like Kerberos.

RSH (Remote Shell/Remote Login)

• Usually IP address and asserted account name.
– Privileged port means accept asserted identity.
– If not trusted, request unix password in clear.
• Kerberos based options available
– Kerberos based authentication and optional encryption

Secure Shell (SSH)

• Encrypted channel with Unix login
– Establish encrypted channel, using public key presented by server
– Send password of user over channel
– Unix login to validate password.
• Public key stored on target machine
– User generates public/private key pair, and uploads the public key to directory on target host.
– Target host validates that corresponding private key is known.

Web Browsing (HTTP)

• Connect in the clear, Unix Password
• Connect through SSL, Unix password
• Digest authentication (RFC 2617)
– Server sends nonce
– Response is MD5 checksum of Username, password, nonce, URI
• User certificate, strong authentication
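An added example (not the lecture's code) of the Digest computation on this slide, following RFC 2617: the response is MD5 over MD5(username:realm:password), the server's nonce and MD5(method:URI), and the qop=auth form adds the nonce count and a client nonce. The server side keeps only the username:realm:password hash rather than the password, issues nonces, and rejects a wrong URI, an unissued nonce, or a repeated nonce count. The class names are this example's own; the realm and user are the ones RFC 2617 uses in its own example.

```python
import hashlib
import hmac
import os


def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(username, realm, password, method, uri, nonce,
                    qop=None, nc=None, cnonce=None) -> str:
    """Client side. HA1 covers the credentials, HA2 the request, and the nonce binds
    the result to this challenge, so the password itself never crosses the wire."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    if qop is None:                               # RFC 2069 form, still allowed by 2617
        return _md5(f"{ha1}:{nonce}:{ha2}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


class DigestServer:
    """Server side: stores HA1 per user (enough to verify, realm-bound, and not
    the password), issues nonces, and checks responses."""

    def __init__(self, realm):
        self.realm = realm
        self.ha1 = {}
        self.last_nc = {}                         # nonce -> highest nc accepted so far

    def add_user(self, username, password):
        self.ha1[username] = _md5(f"{username}:{self.realm}:{password}")

    def challenge(self) -> str:
        nonce = os.urandom(16).hex()
        self.last_nc[nonce] = 0
        return nonce

    def verify(self, username, method, uri, nonce, response,
               qop=None, nc=None, cnonce=None) -> bool:
        if username not in self.ha1 or nonce not in self.last_nc:
            return False                          # unknown user, or a nonce we never issued
        ha2 = _md5(f"{method}:{uri}")
        if qop is None:
            expected = _md5(f"{self.ha1[username]}:{nonce}:{ha2}")
        else:
            if int(nc, 16) <= self.last_nc[nonce]:
                return False                      # nonce count must increase, or a captured header replays
            expected = _md5(f"{self.ha1[username]}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
        if not hmac.compare_digest(expected, response):
            return False
        if qop is None:
            del self.last_nc[nonce]               # without a counter, one use per nonce
        else:
            self.last_nc[nonce] = int(nc, 16)
        return True


if __name__ == "__main__":
    server = DigestServer("testrealm@host.com")
    server.add_user("Mufasa", "Circle Of Life")
    nonce = server.challenge()
    resp = digest_response("Mufasa", "testrealm@host.com", "Circle Of Life",
                           "GET", "/dir/index.html", nonce)
    print("accepted:", server.verify("Mufasa", "GET", "/dir/index.html", nonce, resp))
```

Because the URI is inside HA2, a response captured for one resource does not open another; because the stored HA1 includes the realm, a leaked server table is not directly reusable against a different realm. Digest still sends nothing that protects the rest of the HTTP exchange, which is what the SSL bullet above provides.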

File Transfer Protocol

• Password based authentication or GSS-API based authentication
– Including use of Kerberos
• Authentication occurs and then stream is encrypted

Windows Network Login

• In Win2K and later uses Kerberos
• In Win NT
– Challenge response
▪ Server generates 8 byte nonce
▪ Prompts for password and hashes it
▪ Uses hash to DES encrypt nonce 3 times

Email

• SMTP – To send mail
– Usually network address based
– Can use password
– Can be SSL protected
– SMTP after POP

Email

• Post Office Protocol
– Plaintext Password
– Can be SSL protected
– Eudora supports Kerberos authentication
• IMAP
– Password authentication
– Can also support Kerberos

File System Authentication

• Sun’s Network File System
– Typically address based
– Athena Kerberized version
▪ Maps authenticated UIDs to addresses
– NFS built on ONC RPC
▪ ONC RPC has stronger Kerberos/GSSAPI support

File System Authentication

• Andrew File System
– Based on Andrew RPC
– Uses Kerberos authentication
• OSF’s DCE File System (DFS)
– Based on DCE RPC
– Uses Kerberos authentication

Network Access Servers

• Radius
– Problem: Not connected to network until connection established
▪ Need for indirect authentication
– Network access server must validate login with radius server.
– Password sent to radius server encrypted using key between agent and radius server
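The "password sent to radius server encrypted using key between agent and radius server" step, as an added example that is not the lecture's code: RFC 2865 section 5.2 hides the User-Password attribute by XORing it, 16 bytes at a time, with MD5(shared secret + Request Authenticator), chaining each ciphertext block into the next hash. Both directions are shown so the round trip can be checked. The secret and authenticator values below are constructed for the example.

```python
import hashlib
import os


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """NAS side. password: the user's password (1..128 bytes); secret: the key the
    agent shares with the RADIUS server; authenticator: the 16-byte random
    Request Authenticator that travels in the clear in the same packet."""
    if not 0 < len(password) <= 128 or len(authenticator) != 16:
        raise ValueError("password must be 1..128 bytes, authenticator 16 bytes")
    padded = password + b"\x00" * ((-len(password)) % 16)   # NUL-pad to 16-byte blocks
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()     # b1 = MD5(S + RA), bn = MD5(S + c(n-1))
        c = _xor(padded[i:i + 16], b)
        hidden += c
        prev = c
    return hidden


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RADIUS server side: same chain in reverse, then strip the NUL padding."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden field must be a non-empty multiple of 16 bytes")
    plain, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        c = hidden[i:i + 16]
        plain += _xor(c, hashlib.md5(secret + prev).digest())
        prev = c
    return plain.rstrip(b"\x00")


def access_request(password: bytes, secret: bytes):
    """What the NAS puts on the wire: a fresh authenticator and the hidden password.
    The authenticator keeps two requests for the same password from looking alike;
    the shared secret is all that separates the attribute from a packet reader."""
    ra = os.urandom(16)
    return ra, hide_password(password, secret, ra)


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    ra, hidden = access_request(b"hunter2", secret)
    print("on the wire:", ra.hex(), hidden.hex())
    print("server recovers:", reveal_password(hidden, secret, ra))
```

The hiding is only as strong as the shared secret and the hash it is fed into, which is why the slide frames it as a key shared between the agent and the RADIUS server rather than as general-purpose encryption.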

Delegated Authentication

• Usually an authorization problem
– How to allow an intermediary to perform operations on your behalf.
• Pass credentials needed to authenticate yourself
– Apply restrictions on what they may be used for.

Current Event

Storm Worm More Powerful Than Top Supercomputers – SlashDot September 7

Stony Stevenson writes to mention that some security researchers are claiming that the Storm Worm has grown so massive that it could rival the world's top supercomputers in terms of raw power. "Sergeant said researchers at MessageLabs see about 2 million different computers in the botnet sending out spam on any given day, and he adds that he estimates the botnet generally is operating at about 10 percent of capacity. 'We've seen spikes where the owner is experimenting with something and those spikes are usually five to 10 times what we normally see,' he said, noting he suspects the botnet could be as large as 50 million computers. 'That means they can turn on the taps whenever they want to.'"

CSci530: Security Systems
Lecture 6 – October 5, 2007
Authorization and Policy
IN CASE WE GET AHEAD – PRELIMINARY

Dr. Clifford Neuman
University of Southern California
Information Sciences Institute

Proxies

• A proxy allows a second principal to operate with the rights and privileges of the principal that issued the proxy
– Existing authentication credentials
– Too much privilege and too easily propagated
• Restricted Proxies
– By placing conditions on the use of proxies, they form the basis of a flexible authorization mechanism

Restricted Proxies

[Figure: PROXY CERTIFICATE (Grantor, Proxy) with Conditions: “Use between 9AM and 5PM. Grantee is user X, Netmask is 128.9.x.x, must be able to read this fine print, can you” + Proxy]

• Two Kinds of proxies
– Proxy key needed to exercise bearer proxy
– Restrictions limit use of a delegate proxy
• Restrictions limit authorized operations
– Individual objects
– Additional conditions
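The restricted proxy of this slide as an added example (not the lecture's or any real system's code): the grantor issues a certificate naming a grantee and conditions (an hour window, a client netmask such as the slide's 128.9.x.x, permitted objects and operations), and the server exercises the grantor's rights only if the signature verifies, the presenter is the named grantee, and every condition holds for the request at hand. This models the delegate kind of proxy; HMAC under a key the grantor shares with the server stands in for a public-key signature, and the condition keys are this example's own.

```python
import hashlib
import hmac
import ipaddress
import json


def _sign(grantor_key: bytes, body: dict) -> str:
    """HMAC over the canonical body stands in for the grantor's signature."""
    canonical = json.dumps(body, sort_keys=True).encode()
    return hmac.new(grantor_key, canonical, hashlib.sha256).hexdigest()


def issue_proxy(grantor_key: bytes, grantor: str, grantee: str, conditions: dict) -> dict:
    """Grantor side: a delegate proxy usable only by `grantee`, under `conditions`."""
    body = {"grantor": grantor, "grantee": grantee, "conditions": conditions}
    return {"body": body, "sig": _sign(grantor_key, body)}


def _conditions_hold(conditions: dict, request: dict) -> bool:
    """Each restriction narrows what the proxy authorizes. Condition keys are this
    example's own: hours [start, end), netmask in CIDR form, objects, operations."""
    if "hours" in conditions:
        start, end = conditions["hours"]
        if not start <= request["hour"] < end:
            return False
    if "netmask" in conditions:
        client = ipaddress.ip_address(request["client_ip"])
        if client not in ipaddress.ip_network(conditions["netmask"]):
            return False
    if "objects" in conditions and request["object"] not in conditions["objects"]:
        return False
    if "operations" in conditions and request["operation"] not in conditions["operations"]:
        return False
    return True


def accept_proxy(grantor_key: bytes, proxy: dict, presenter: str, request: dict) -> bool:
    """Server side. The grantor's rights are exercised only when the certificate
    is authentic, is presented by its grantee, and every condition holds."""
    body = proxy["body"]
    if not hmac.compare_digest(_sign(grantor_key, body), proxy["sig"]):
        return False                        # forged or altered (e.g. conditions stripped)
    if body["grantee"] != presenter:
        return False                        # delegate proxy: nobody else may use it
    return _conditions_hold(body["conditions"], request)


if __name__ == "__main__":
    key = b"constructed-grantor-key"
    proxy = issue_proxy(key, "alice", "userX",
                        {"hours": [9, 17], "netmask": "128.9.0.0/16", "operations": ["read"]})
    request = {"hour": 10, "client_ip": "128.9.4.7", "object": "report", "operation": "read"}
    print("in hours, from 128.9.x.x, read:", accept_proxy(key, proxy, "userX", request))
    print("same request at 18:00:", accept_proxy(key, proxy, "userX", dict(request, hour=18)))
```

The signature covers the conditions, so the certificate cannot be made broader by editing it; this is the property that lets a proxy be handed to an intermediary without handing over the full privilege of the grantor.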

Next Generation Secure Computing Base (Longhorn)

• Secure booting provides known hardware and OS software base.
• Security Kernel in OS provides assurance about the application.
• Security Kernel in application manages credentials granted to application.
• Security servers enforce rules on what software they will interact with.

Authorization: Two Meanings

• Determining permission
– Is principal P permitted to perform action A on object U?
• Adding permission
– P is now permitted to perform action A on object U
• In this course, we use the first sense

Access Control

• Who is permitted to perform which actions on what objects?
• Access Control Matrix (ACM)
– Columns indexed by principal
– Rows indexed by objects
– Elements are arrays of permissions indexed by action
• In practice, ACMs are abstract objects

Instantiations of ACMs

• Access Control Lists (ACLs)
  – For each object, list principals and actions permitted on that object
  – Corresponds to rows of ACM
  – Example: Kerberos admin system

Instantiations of ACMs

• Capabilities
  – For each principal, list objects and actions permitted for that principal
  – Corresponds to columns of ACM
  – Example: Kerberos restricted proxies
• The Unix file system is an example of…?

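The following is an added example, not code from the lecture, serving the "Authorization: Two Meanings", "Access Control" and both "Instantiations of ACMs" slides: an access control matrix in the slides' orientation (rows are objects, columns are principals), the two senses of authorization as `grant` and `permitted`, and the row (ACL) and column (capability) views derived from the same matrix. The class name, the principals and the object names are constructed for the example. The demo at the end also shows the revocation point the later "Problems" slide raises: an ACL is edited in one place, while a capability list already handed out keeps stating the old rights.

```python
from collections import defaultdict


class AccessControlMatrix:
    """Abstract ACM in the slides' orientation: rows are objects, columns are
    principals, and each cell is the set of actions P may perform on U.
    Hypothetical class written for this example, not a real library API."""

    def __init__(self):
        # (object, principal) -> set of permitted actions; absent cell = no rights
        self._cells = defaultdict(set)

    def grant(self, principal, action, obj):
        """Authorization in the 'adding permission' sense."""
        self._cells[(obj, principal)].add(action)

    def revoke(self, principal, action, obj):
        self._cells[(obj, principal)].discard(action)

    def permitted(self, principal, action, obj) -> bool:
        """Authorization in the 'determining permission' sense (default deny)."""
        return action in self._cells.get((obj, principal), set())

    def acl(self, obj):
        """Row view: the ACL that would be stored with the object."""
        return {p: set(a) for (o, p), a in self._cells.items() if o == obj and a}

    def capabilities(self, principal):
        """Column view: the capability list the principal would carry.
        Returned as a copy, just as a capability handed out is a copy."""
        return {o: set(a) for (o, p), a in self._cells.items() if p == principal and a}


def check_via_acl(acl, principal, action) -> bool:
    """Object-side decision: consult the object's ACL for the principal."""
    return action in acl.get(principal, set())


def check_via_capability(caps, obj, action) -> bool:
    """Principal-side decision: consult the presented capability list."""
    return action in caps.get(obj, set())


def build_sample() -> AccessControlMatrix:
    """Constructed sample matrix: two principals, two objects."""
    m = AccessControlMatrix()
    m.grant("alice", "read", "report.txt")
    m.grant("alice", "write", "report.txt")
    m.grant("bob", "read", "report.txt")
    m.grant("alice", "read", "/etc/passwd")
    m.grant("bob", "read", "/etc/passwd")
    return m


if __name__ == "__main__":
    m = build_sample()
    print("ACL of report.txt:", m.acl("report.txt"))
    print("capabilities of bob:", m.capabilities("bob"))
    caps = m.capabilities("alice")           # capability copy given to alice
    m.revoke("alice", "write", "report.txt")  # one edit to the object's row
    print("ACL says alice may write:",
          check_via_acl(m.acl("report.txt"), "alice", "write"))
    print("stale capability says alice may write:",
          check_via_capability(caps, "report.txt", "write"))
```

Both views answer the same query identically as long as they are derived from the current matrix; the difference that matters operationally is where the state lives, which is why revoking a capability requires tracking down every copy rather than rewriting one row.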
Problems

• Permissions may need to be determined dynamically
  – Time
  – System load
  – Relationship with other objects
  – Security status of host

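The following is an added example, not code from the lecture and not the Kerberos restricted-proxy protocol itself, serving the earlier "Proxy" slide and this slide: a proxy credential that is either a bearer proxy (usable by whoever proves possession of the proxy key) or a delegate proxy (usable only by the named delegate), carrying restrictions on individual objects and actions plus additional conditions (expiry time, host security status, system load) that the verifying service evaluates with facts known only at use time. The keys, principal names, object names and the field names of the credential are constructed for the example; the "sealing" of the proxy key is an HMAC-derived pad standing in for real encryption.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed keys. GRANTOR_KEY authenticates the proxy to the verifying
# service; SERVICE_KEY is shared by grantor and service and seals the proxy
# key of a bearer proxy so that only the service can recover it.
GRANTOR_KEY = b"constructed-grantor-key"
SERVICE_KEY = b"constructed-service-key"

# Constructed restrictions: objects, actions, and use-time conditions.
SAMPLE_RESTRICTIONS = {
    "objects": ["report.txt"],
    "actions": ["read"],
    "not_after": "2007-09-21T18:00:00+00:00",  # lecture date, constructed
    "host_status": "trusted",
    "max_load": 0.8,
}


def _canon(value) -> bytes:
    return json.dumps(value, sort_keys=True).encode()


def _mac(key: bytes, data: bytes) -> str:
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def _seal(key: bytes, data: bytes) -> str:
    """Stand-in for encryption: XOR with an HMAC-derived pad (data <= 32 bytes).
    Applying it twice recovers the data. Not a real cipher; example only."""
    pad = hmac.new(key, b"proxy-key-pad", hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, pad)).hex()


def issue_proxy(grantor, kind, restrictions, delegate=None, proxy_key=None):
    """kind='delegate': only `delegate` may use it (restrictions still apply).
    kind='bearer': anyone proving possession of `proxy_key` may use it."""
    body = {"grantor": grantor, "kind": kind, "restrictions": restrictions}
    if kind == "delegate":
        body["delegate"] = delegate
    else:
        body["sealed_proxy_key"] = _seal(SERVICE_KEY, proxy_key)
    return {"body": body, "mac": _mac(GRANTOR_KEY, _canon(body))}


def bearer_proof(proxy_key: bytes, presenter, action, obj) -> str:
    """Proof of possession of the proxy key, bound to this exact request."""
    return _mac(proxy_key, _canon([presenter, action, obj]))


def sample_context(hour, host_status="trusted", load=0.3):
    """Constructed use-time facts the service has when the request arrives."""
    return {"now": datetime(2007, 9, 21, hour, 0, tzinfo=timezone.utc),
            "host_status": host_status, "load": load}


def use_proxy(proxy, presenter, action, obj, context, proof=None):
    """Service-side decision. Returns (allowed, reason)."""
    body = proxy["body"]
    if not hmac.compare_digest(proxy["mac"], _mac(GRANTOR_KEY, _canon(body))):
        return False, "proxy integrity check failed"
    # Who may exercise the proxy
    if body["kind"] == "delegate":
        if presenter != body["delegate"]:
            return False, "delegate proxy presented by someone other than its delegate"
    else:
        proxy_key = bytes.fromhex(_seal(SERVICE_KEY, bytes.fromhex(body["sealed_proxy_key"])))
        expected = bearer_proof(proxy_key, presenter, action, obj)
        if proof is None or not hmac.compare_digest(proof, expected):
            return False, "bearer proxy presented without proof of the proxy key"
    # What the proxy authorizes: individual objects and actions
    r = body["restrictions"]
    if obj not in r["objects"]:
        return False, "object not authorized by proxy"
    if action not in r["actions"]:
        return False, "action not authorized by proxy"
    # Additional conditions, decided from facts determined at use time
    if context["now"] > datetime.fromisoformat(r["not_after"]):
        return False, "proxy expired"
    if "host_status" in r and context["host_status"] != r["host_status"]:
        return False, "host security status does not satisfy proxy condition"
    if "max_load" in r and context["load"] > r["max_load"]:
        return False, "system load above proxy condition"
    return True, "ok"
```

Because the restrictions are covered by the grantor's MAC, a holder cannot widen them, and because the time, host status and load checks run against the service's own view of the world rather than values carried in the credential, the decision can change between two uses of the same proxy.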
Problems

• Distributed nature of systems may aggravate this
  – ACLs need to be replicated or centralized
  – Capabilities don't, but they're harder to revoke
• Approaches
  – GAA
  – Agent-based authorization

Authorization

• Final goal of security
  – Determine whether to allow an operation.
• Depends upon
  ▪ Policy
  ▪ Possibly authentication
  ▪ Other characteristics
