
Analyzing And Enhancing Security Of LDAP

Posted on: 2007-05-25
Degree: Master
Type: Thesis
Country: China
Candidate: T T Guan
Full Text: PDF
GTID: 2178360212975749
Subject: Computer application technology
Abstract/Summary:
As a lightweight access protocol, LDAP provides easy, efficient, and customizable directory services. Because of advantages such as cross-platform operation, high-performance data reading, and broad industry support, LDAP has been widely used for public enterprise information services, network information management, digital certificate management, etc. The security of LDAP directory services is very important, because sensitive data is stored in LDAP directories.

Much of the literature has partly analyzed and discussed some issues concerning the security of LDAP, but seldom comprehensively, systematically, and in depth at the same time. In this thesis, we summarize the basic concepts, development history, and current security state of LDAP, and then analyze the authentication, confidentiality, integrity, and access control of LDAP, respectively.

Authentication is the primary mechanism of LDAP security. According to their architecture, existing LDAP authentication schemes are divided into E2E and TTP groups. E2E-type schemes involve only two parties; many of them have a simple procedure and weak security. TTP-type schemes introduce a Trusted Third Party (TTP), resulting in high security but a complicated procedure. After comprehensive analysis, summary, and comparison, we suggest that LDAP should adopt more secure and efficient authentication schemes.

Confidentiality and integrity are very important to LDAP services and are usually implemented with encryption and message digest techniques. LDAP does not support these two well. According to the analysis in this thesis, the security of the key exchange scheme directly affects confidentiality and integrity in LDAP. More effort is needed to address existing vulnerabilities.

Authorization and access control are used to control the rights of valid users to access directory information. With the broad and thorough application of LDAP, access control is becoming increasingly important. Currently LDAP does not define an access control model, so different vendors have built their own schemes, which brings problems of compatibility and interoperability. Based on the access control schemes of several LDAP products, we thoroughly analyze authorization in LDAP.

A security scheme for making LDAP safer is introduced in this thesis. It uses an authentication protocol without a trusted third party, based on an ID-based cryptosystem. It has the advantages of both E2E-type and TTP-type authentication schemes, being simple and secure at the same time. In addition, the scheme integrates authentication, confidentiality, and integrity, based on secure bidirectional authentication and session key exchange.
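The three weaknesses the abstract names (simple binds with weak security, confidentiality and integrity left to the transport, and vendor-specific access control) can be seen side by side in a single server configuration. The following OpenLDAP slapd.conf fragment is an added illustration, not part of the thesis: the first block shows a permissive configuration, the second the hardened equivalent using OpenLDAP's own (vendor-specific) directives. Certificate paths are placeholders.

```conf
# --- Weak configuration (constructed example) ---------------------------
# Anyone, including anonymous clients, can read every attribute,
# and a simple bind may send the password in cleartext over port 389.
access to *
    by * read

# --- Hardened configuration (constructed example) -----------------------
# Confidentiality and integrity: require TLS-protected sessions.
# Placeholder paths; substitute the server's real certificate and key.
TLSCertificateFile    /etc/ldap/certs/server.crt
TLSCertificateKeyFile /etc/ldap/certs/server.key

# Minimum security strength factor (bits) for any operation (ssf),
# for simple binds (simple_bind) and for updates (update_ssf).
# A simple bind over a cleartext connection is refused outright.
security ssf=128 simple_bind=128 update_ssf=128

# Authentication: no anonymous binds, and every operation must be
# performed by an authenticated identity.
disallow bind_anon
require authc

# Access control (OpenLDAP-specific ACL syntax): the password attribute
# may be changed by its owner and used only for authentication by others;
# the rest of the directory is readable by authenticated users only.
# Rules are evaluated in order; the first matching "to" clause wins.
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none

access to *
    by users read
    by * none
```

The `security` line is what ties the three concerns together: it makes the server reject a simple bind unless the connection already carries a session key of sufficient strength, so a password is never accepted over an unprotected channel. Because the ACL grammar above belongs to OpenLDAP alone, the same policy on another product must be re-expressed in that product's own model, which is exactly the interoperability problem the abstract points out.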
Keywords/Search Tags: LDAP, security, authentication, confidentiality, integrity, access control, ID-based