Thursday, January 12, 2012

Microsoft’s Active Directory Security Feature

Active Directory uses Kerberos for authentication.
Kerberos is installed automatically when Active Directory is installed on a Windows 2000 DC. It is used for user logon authentication and also supports transitive trusts in Windows 2000.

The physical components of Kerberos are the client, the server and the key distribution center (KDC). The Kerberos authentication process is the result of an interaction between the client requesting a service, the server providing the service and the KDC, a key server that distributes keys.

To enhance security, three keys are needed to provide a more secure interaction among client, server and KDC. The three keys are the session key, the client key and the server key.
The process is as follows:
  • The client requests access to a server service.
  • The KDC creates the session key.
  • The KDC creates a ticket and encrypts it with a key.
  • The client decrypts the response with the key and extracts the ticket.
  • The client sends an application request to the server together with a ticket encrypted with a key.
  • The server decrypts the ticket with its key and obtains the session key.
  • The server uses the session key to decrypt the authenticator.
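The exchange above, modelled end to end as an added example (not code from the original post). The client key, server key, principal names and the small XOR-plus-HMAC "seal" cipher are all constructed stand-ins; real Kerberos uses AES or RC4 encryption types, but the key roles are the same: the ticket is sealed with the server key, the reply to the client with the client key, and the authenticator with the session key.

```python
import hashlib, hmac, json, os, time

def _stream(key, nonce, n):  # SHA-256 keystream for the toy cipher below
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(n // 32 + 1))

# Toy authenticated encryption (XOR keystream + HMAC tag), constructed for
# illustration only; real Kerberos uses AES or RC4 encryption types.
def seal(key, data):
    nonce = os.urandom(16)
    body = nonce + bytes(a ^ b for a, b in zip(data, _stream(key, nonce, len(data))))
    return body + hmac.new(key, body, "sha256").digest()

def unseal(key, blob):
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, body, "sha256").digest(), tag):
        raise ValueError("wrong key or tampered message")
    return bytes(a ^ b for a, b in zip(body[16:], _stream(key, body[:16], len(body) - 16)))

# Long-term keys the KDC shares with the client and with the server (constructed).
CLIENT_KEY = hashlib.sha256(b"alice-password").digest()
SERVER_KEY = hashlib.sha256(b"fileserver-key").digest()

def kdc_issue(client, service):
    """KDC: new session key; ticket sealed with SERVER_KEY; reply sealed with CLIENT_KEY."""
    session_key = os.urandom(32).hex()
    ticket = seal(SERVER_KEY, json.dumps({"client": client, "service": service,
                                          "session_key": session_key}).encode())
    return seal(CLIENT_KEY, json.dumps({"session_key": session_key,
                                        "ticket": ticket.hex()}).encode())

def client_ap_req(kdc_reply, client):
    """Client: open the reply with its key, extract the ticket, seal an authenticator."""
    reply = json.loads(unseal(CLIENT_KEY, kdc_reply))
    auth = seal(bytes.fromhex(reply["session_key"]),
                json.dumps({"client": client, "ts": int(time.time())}).encode())
    return bytes.fromhex(reply["ticket"]), auth

def server_accept(ticket, authenticator):
    """Server: open the ticket with its key, take the session key, open the authenticator."""
    t = json.loads(unseal(SERVER_KEY, ticket))
    a = json.loads(unseal(bytes.fromhex(t["session_key"]), authenticator))
    if a["client"] != t["client"]:
        raise ValueError("authenticator does not match ticket")
    return a["client"]

if __name__ == "__main__":
    ticket, auth = client_ap_req(kdc_issue("alice", "fileserver"), "alice")
    print("server accepted", server_accept(ticket, auth))
```

Note that the server never needs the client key: the ticket it opens with its own key already carries the session key, which is what lets it verify the authenticator.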

X.500 security feature

X.500 allows strong authentication using public key cryptosystems, and access control to information at the level of administrative area, entry, attribute and attribute value. All aspects of the security policy can be configured on each of its DSAs through a specialized tool or by simply editing plain text configuration files. Security in the directory is divided into two categories: authentication of users to verify their identity, and the procedures that prevent unauthorized access to the information.

The purpose of user authentication is to verify the identity of a directory user so that access is granted only to the user he/she claims to be. There are two such schemes, namely simple authentication and strong authentication.

To keep out unauthorized users, we need to make use of access control to govern all access to the directory information. The DIB is viewed as a collection of protected items: entries, attributes, attribute values and names. Each of these protected items is associated with a set of permissions representing the access rights of particular users, groups of users or the general public. These permissions are further broken down into Read, Browse, Add, Remove, Modify, Rename, Disclose on Error and others.

Each protected item indicates what permissions each particular user possesses. When a user requests an operation, the directory seeks out the protected item and ascertains whether the user has permission before carrying out the operation. If not, the operation is not carried out and a security error may be returned by the system.
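An added example (not code from the original post) of the lookup-then-check described above: protected items of the kinds the page lists, permission sets per subject, and the Disclose on Error rule applied on denial. The entry name, attribute types and ACIs are constructed; the error names follow X.511 and the treatment of Disclose on Error as "may the error reveal that the item exists" is a simplification of X.501 basic access control.

```python
from dataclasses import dataclass

# Protected items are entries, attributes or attribute values; permissions are
# the ones named on the page. All sample data here is constructed.
@dataclass(frozen=True)
class ACI:
    subject: str        # user DN, group DN, or "public"
    item: tuple         # ("entry", dn) | ("attr", dn, type) | ("value", dn, type, value)
    grants: frozenset   # subset of Read, Browse, Add, Remove, Modify, Rename, DiscloseOnError

ALICE = "cn=alice,o=acme"
ACIS = [
    ACI("public", ("entry", ALICE), frozenset({"Read", "Browse"})),
    ACI("public", ("attr", ALICE, "mail"), frozenset({"Read"})),
    ACI("cn=hr,o=acme", ("attr", ALICE, "salary"), frozenset({"Read", "Modify"})),
    ACI(ALICE, ("attr", ALICE, "userPassword"), frozenset({"Modify"})),
    ACI("public", ("attr", ALICE, "userPassword"), frozenset({"DiscloseOnError"})),
]

class SecurityError(Exception):
    pass

def permitted(user, groups, item, perm):
    """True if any ACI for this protected item grants perm to the user,
    one of the user's groups, or the public."""
    subjects = {user, "public", *groups}
    return any(a.subject in subjects and a.item == item and perm in a.grants for a in ACIS)

def perform(user, groups, item, perm):
    """Seek out the protected item and check the permission before acting.
    On denial, only an item carrying DiscloseOnError may confirm it exists;
    otherwise the error is the same one a non-existent item would produce."""
    if permitted(user, groups, item, perm):
        return f"{perm} on {item} carried out"
    if permitted(user, groups, item, "DiscloseOnError"):
        raise SecurityError("insufficientAccessRights")
    raise SecurityError("noSuchObject" if item[0] == "entry" else "noSuchAttributeOrValue")
```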

LDAP Security Feature

LDAP (Lightweight Directory Access Protocol) is a protocol that allows communication between LDAP servers and their clients. LDAP servers store directories which are accessed by LDAP clients. It is called lightweight because it is a smaller and simpler protocol derived from the X.500 DAP.

An LDAP directory is organized in a simple "tree" hierarchy which consists of the following levels:
  • The root directory
  • Countries
  • Organization
  • Organizational units
  • Individuals

LDAP Security Features
  1. Client authentication
  2. Client authorization
  3. Data integrity
  4. Resource limitation
  5. Server authentication
The five points mentioned above are some of the ways to ensure security is in place. In particular, LDAP relies on its authentication methods as one of its security features. These are the authentication types used by LDAP:
  • No Authentication
  • Basic Authentication
  • Simple Authentication and Security Layer (SASL)
When sharing data with the public, the use of "No Authentication" is fine. Basic Authentication is done with a distinguished name and password; the data is sent either in plaintext or encoded with Base64, which is an encoding and not encryption. As for SASL, it is a framework for plugging in alternative security mechanisms, which include Kerberos 4 and S/Key.

Thursday, January 5, 2012

GSM

GSM (Global System for Mobile Communications)

These are some of the features supported by GSM:
  • Short Message Service, which allows you to send and receive 126-character text messages
  • Ability to use the same phone in a number of network-related countries
  • Forwarding of calls to another number
  • More capacity, ensuring rapid call set-up; handsets are also smaller and more robust
  • Talking to a number of other parties simultaneously

The main focus of GSM security is to authenticate mobile users over the network, to provide high confidentiality for signalling information as well as user data, to avoid disclosing the subscriber's identity, and to use the SIM (Subscriber Identity Module) as a security module.

GSM faces security threats because of the openness of wireless communications, which leaves users vulnerable. Some of the threats faced are:
  • Interception of data over the air
  • Illegal access to a mobile service
  • Man-in-the-middle attacks
  • Flaws in the implementation of the A3/A8 algorithms
  • Flaws in the cryptographic algorithms
  • SIM card cloning
  • Vulnerability to DoS attacks

Through several pieces of research, I have found some solutions to the threats faced by GSM. Firstly, implementation of secure algorithms such as the newer A5/3 can be done to improve on the flaws found in the A3/A8 algorithm, and it can also prevent SIM card cloning from occurring. Lastly, securing of backbone traffic is done to further encrypt the data, to prevent an attacker or eavesdropper from modifying the transmitted data.

GPRS

GPRS (General Packet Radio Service) is a packet-based wireless communication service. GPRS can provide data rates of up to 114 kbps and extends GSM (Global System for Mobile Communications) capabilities to allow mobile users to connect to the Internet. However, allowing connections to the Internet can introduce security threats.

GPRS offers many kinds of services, such as SMS and MMS messaging, continuous Internet access, and push-to-talk over the cellular network. (Referenced from: http://en.wikipedia.org/wiki/General_Packet_Radio_Service)

Below is an image of a typical GPRS network infrastructure.

Several security features offered by GPRS:
  • Identity Confidentiality
    • The main goal is to provide privacy to subscribers
    • Dialed digits and addresses are used to protect the identity
    • This makes it difficult to identify a person from their signal
  • Identity Authentication
    • Performed within the SGSN, based on a challenge-response mechanism
    • Signed responses and pairs of random numbers are obtained and stored within the SGSN
    • The SGSN decides whether the correct authentication algorithm is used
  • User and Signaling Data Confidentiality
    • User data and the 64-bit signaling key are transmitted over the GPRS IP backbone
    • Synchronization is performed using a cipher key
    • Protects against interception and eavesdropping
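The SGSN challenge-response from the Identity Authentication item above, as an added example (not code from the original post). The real A3/A8 algorithms are operator-specific and not on the page, so they are replaced by an HMAC stand-in that yields a 32-bit SRES and a 64-bit Kc; IMSI, Ki and the AuC/SGSN/MS objects are constructed for the demonstration, and the SGSN consumes each stored (RAND, SRES, Kc) triplet once.

```python
import hashlib, hmac, os

# Stand-in for the SIM's A3/A8 algorithms (the real ones are operator-specific
# and not on the page): derive SRES (32 bit) and Kc (64 bit) from Ki and RAND.
def a3_a8(ki, rand):
    d = hmac.new(ki, rand, hashlib.sha256).digest()
    return d[:4], d[4:12]                      # (SRES, Kc)

class AuC:
    """Authentication centre: holds each subscriber's Ki and pre-computes
    (RAND, SRES, Kc) triplets so the SGSN never needs Ki itself."""
    def __init__(self, subscribers):
        self.ki = dict(subscribers)            # IMSI -> Ki (constructed)
    def triplets(self, imsi, n=3):
        out = []
        for _ in range(n):
            rand = os.urandom(16)
            out.append((rand,) + a3_a8(self.ki[imsi], rand))
        return out

class SGSN:
    """Stores the random numbers and signed responses, issues the challenge
    and consumes each triplet once so a captured SRES cannot be replayed."""
    def __init__(self, auc):
        self.auc, self.cache, self.pending = auc, {}, {}
    def challenge(self, imsi):
        if not self.cache.get(imsi):
            self.cache[imsi] = self.auc.triplets(imsi)
        rand, sres, kc = self.cache[imsi].pop()
        self.pending[imsi] = (sres, kc)
        return rand
    def verify(self, imsi, sres):
        expected, kc = self.pending.pop(imsi, (None, None))
        if expected is None or not hmac.compare_digest(expected, sres):
            return None                        # failed: no cipher key issued
        return kc                              # Kc ciphers user/signalling data

class MobileStation:
    def __init__(self, imsi, ki):
        self.imsi, self.ki = imsi, ki
    def respond(self, rand):                   # the SIM computes SRES from Ki
        return a3_a8(self.ki, rand)[0]

def authenticate(sgsn, ms):
    """One challenge-response round; returns Kc on success, None on failure."""
    return sgsn.verify(ms.imsi, ms.respond(sgsn.challenge(ms.imsi)))
```

Ki never leaves the AuC and the SIM, which is why a cloned SIM with a guessed Ki produces the wrong SRES and never receives a Kc.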

The image above shows the possible security threats faced by GPRS:

  • Theft of Service attempts
  • Denial of Service attempts
  • Snooping attempts
  • Intercept attempts