Authentication Applications

Similar documents
Authentication Applications

Chapter 4. Authentication Applications. COSC 490 Network Security Annie Lu 1

Authentication Application

Cryptography and Network Security Chapter 14

Cryptography and Network Security Chapter 14. Key Distribution. Key Management and Distribution. Key Distribution Task 4/19/2010

How To Use Kerberos

CS 356 Lecture 28 Internet Authentication. Spring 2013

Chapter 15 User Authentication

Copyright The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 15.1

Key Management and Distribution

Key Management and Distribution

Kerberos. Public domain image of Heracles and Cerberus. From an Attic bilingual amphora, BC. From Italy (?).

How To Make A Trustless Certificate Authority Secure

Authentication applications Kerberos X.509 Authentication services E mail security IP security Web security

4.2: Kerberos Kerberos V4 Kerberos V5. Chapter 5: Security Concepts for Networks. Lehrstuhl für Informatik 4 Kommunikation und verteilte Systeme

Introduction to Network Security Key Management and Distribution

Key Management. CSC 490 Special Topics Computer and Network Security. Dr. Xiao Qin. Auburn University

Kerberos. Guilin Wang. School of Computer Science, University of Birmingham

Lecture slides by Lawrie Brown for Cryptography and Network Security, 5/e, by William Stallings, Chapter 14 Key Management and Distribution.

7 Key Management and PKIs

TOPIC HIERARCHY. Distributed Environment. Security. Kerberos

Network Security [2] Plain text Encryption algorithm Public and private key pair Cipher text Decryption algorithm. See next slide

Lecture 10 - Authentication

CS549: Cryptography and Network Security

Cryptography and Network Security Digital Signature

Asymmetric cryptosystems fundamental problem: authentication of public keys

associate professor BME Híradástechnikai Tanszék Lab of Cryptography and System Security (CrySyS)

Digital Certificates (Public Key Infrastructure) Reshma Afshar Indiana State University

Standards and Products. Computer Security. Kerberos. Kerberos

Kerberos-Based Authentication for OpenStack Cloud Infrastructure as a Service

Kerberos. Login via Password. Keys in Kerberos

Network Security: Public Key Infrastructure

Authentication Types. Password-based Authentication. Off-Line Password Guessing

PUBLIC-KEY CERTIFICATES

2.4: Authentication Authentication types Authentication schemes: RSA, Lamport s Hash Mutual Authentication Session Keys Trusted Intermediaries

Scenario. Roadmap. ! The simplified architecture! The complete architecture Pre-authentication Delegation. Realms

10.2 World Wide Web Security S-HTTP (secure hypertext transfer protocol) SEA (security extension architecture)

Kerberos and Active Directory symmetric cryptography in practice COSC412

Cryptography and Network Security

Chapter 9 Key Management 9.1 Distribution of Public Keys Public Announcement of Public Keys Publicly Available Directory

NIST PKI 06: Integrating PKI and Kerberos (updated April 2007) Jeffrey Altman

Entrust Managed Services PKI

Authentication. Computer Security. Authentication of People. High Quality Key. process of reliably verifying identity verification techniques

Introduction to Computer Security

Computer and Network Security. Outline

Network Security Standards. Key distribution Kerberos SSL/TLS

Brocade Engineering. PKI Tutorial. Jim Kleinsteiber. February 6, Page 1

Kerberos: An Authentication Service for Computer Networks by Clifford Neuman and Theodore Ts o. Presented by: Smitha Sundareswaran Chi Tsong Su

CS 392/681 - Computer Security

CS 494/594 Computer and Network Security

Chapter 7 Managing Users, Authentication, and Certificates

Chapter 16: Authentication in Distributed System

Lecture VII : Public Key Infrastructure (PKI)

How To Protect Your Data From Being Hacked On A Network (Kerberos) On A Pc Or Mac Or Ipad (Ipad) On An Ipad Or Ipa (Networking) On Your Computer Or Ipam (Network

Kerberos on z/os. Active Directory On Windows Server William Mosley z/os NAS Development. December Interaction with.

Kerberos authentication made easy on OpenVMS

Dr. Cunsheng DING HKUST, Hong Kong. Security Protocols. Security Protocols. Cunsheng Ding, HKUST COMP685C

TELSTRA RSS CA Subscriber Agreement (SA)

Ciphermail S/MIME Setup Guide

Network Security Protocols

Lecture 13. Public Key Distribution (certification) PK-based Needham-Schroeder TTP. 3. [N a, A] PKb 6. [N a, N b ] PKa. 7.

Network Security. Gaurav Naik Gus Anderson. College of Engineering. Drexel University, Philadelphia, PA. Drexel University. College of Engineering

1. a. Define the properties of a one-way hash function. (6 marks)

Certificates. Noah Zani, Tim Strasser, Andrés Baumeler

KEY DISTRIBUTION: PKI and SESSION-KEY EXCHANGE. Mihir Bellare UCSD 1

Architecture of Enterprise Applications III Single Sign-On

Part III-a. Universität Klagenfurt - IWAS Multimedia Kommunikation (VK) M. Euchner; Mai Siemens AG 2001, ICN M NT

Public Key Infrastructure

Module 8. Network Security. Version 2 CSE IIT, Kharagpur

X.509 Certificate Generator User Manual

Network Security. Computer Networking Lecture 08. March 19, HKU SPACE Community College. HKU SPACE CC CN Lecture 08 1/23

Part 2 D(E(M, K),K ) E(M, K) E(M, K) Plaintext M. Plaintext M. Decrypt with private key. Encrypt with public key. Ciphertext

Cryptography and network security CNET4523

CERTIFICATION PRACTICE STATEMENT UPDATE

Message authentication and. digital signatures

[SMO-SFO-ICO-PE-046-GU-

How To Understand And Understand The Security Of A Key Infrastructure

Institute of Computer Technology - Vienna University of Technology. L96 - SSL, PGP, Kerberos

Implementing a Kerberos Single Sign-on Infrastructure

Configuring Digital Certificates

CSCI 454/554 Computer and Network Security. Final Exam Review

Chapter 14. Key management and Distribution. Symmetric Key Distribution Using Symmetric Encryption

SSL/TLS: The Ugly Truth

Certificates and network security

Security. Contents. S Wireless Personal, Local, Metropolitan, and Wide Area Networks 1

Module 7 Security CS655! 7-1!

NETWORK ADMINISTRATION AND SECURITY

Transcription:

Authentication Applications CSCI 454/554 Authentication Applications will consider authentication functions developed to support application-level authentication & digital signatures Kerberos a symmetric-key based authentication service X.509 directory authentication service 1

Kerberos developed from Project Athena at MIT provides centralised symmetric-key thirdparty authentication in a distributed network allows users access to services distributed through network without needing to trust all workstations rather all trust a central authentication server two versions in use: 4 & 5 Kerberos Requirements first published report identified its requirements as: security reliability transparency scalability implemented using an authentication protocol based on Needham-Schroeder 2

Needham-Schroeder Protocol A {Ka}, B{Kb}, and KDC {Ka, Kb, Kc, } 1. A > KDC: A, B, N1 2. KDC > A: { N1, B, Ks, {Ks, A}Kb }Ka 3. A > B: {Ks, A}Kb Ticket 4. B > A: {N2}Ks 5. A > B: {f(n2)}ks Kerberos 4 Overview Authentication Server (AS) users initially negotiate with AS to identify self AS provides a non-corruptible authentication credential ( session key and ticket-granting ticket TGT) Ticket Granting Server (TGS) users subsequently request access to other services from TGS on basis of users TGT AS &TGS play the role of KDC 3

Why AS&TGS, not KDC? user s master key is derived from its password it is not secure to keep master key at the user side all the time master key is used to get a session key from AS, then is discarded at the user side TGT : { session key, user name, timestamp, and TGT s expiration time}ktgs user communicates with TGS for remote services How it works Login: obtain a session key and TGT from AS Alice > AS: Alice, TGS AS creates session key Sa and {TGT}Ktgs AS > Alice: {Sa, {TGT}Ktgs, Tstamp}KA (1) Alice uses password to derive KA (2) decrypt { session key, {TGT}Ktgs }KA (3) discard KA 4

How it works (Con t) Remote access: Alice > TGS: {TGT}Ktgs name of server (Bob) authenticator Authenticator: {A, network address, time of day} encrypted with session key Sa TGS > Alice: {B, Ks, ticket to B, Tstamp}Sa Ticket to access server B: {Ks, A, Tstamp, Life}KB Alice > Bob: {Ks, A, Tstamp, Life}KB Authenticator Bob > Alice: {Tstamp+1}Ks {A, net-address, time of day}ks Kerberos 4 Overview 5

More words about tickets Ticket-granting ticket is obtained as part of login process If login session lasts longer than lifetime of TGT Run kinit to obtain a new TGT All tickets are automatically destroyed when user logs out Kerberos Realms a Kerberos environment consists of: a Kerberos server a number of clients, all registered with server application servers, sharing keys with server this is termed a realm typically a single administrative domain if have multiple realms, their Kerberos servers must share keys and trust each other 6

Kerberos Version 5 developed in mid 1990 s provides improvements over v4 Problems in version 4 environmental shortcomings encryption alg, network protocol, byte order, ticket lifetime, authentication forwarding, inter-realm authentication technical deficiencies double encryption, non-std mode of use, session keys, password attacks specified as Internet standard RFC 1510 7

X.509 Authentication Service part of CCITT X.500 directory service standards distributed servers maintaining info about users defines framework for authentication services directory may store public-key certificates with public key of user signed by certification authority also defines authentication protocols uses public-key crypto & digital signatures algorithms not standardised, but RSA recommended X.509 Certificates issued by a Certification Authority (CA), containing: version (1, 2, or 3) serial number (unique within CA) identifying certificate signature algorithm identifier issuer X.500 name (CA) period of validity (from - to dates) subject X.500 name (name of owner) subject public-key info (algorithm, parameters, key) issuer unique identifier (v2+) subject unique identifier (v2+) extension fields (v3) signature (of hash of all fields in certificate) notation CA<<A>> denotes certificate for A signed by CA 8

X.509 Certificates 9

Obtaining a Certificate any user with access to CA can get any certificate from it only the CA can modify a certificate because cannot be forged, certificates can be placed in a public directory CA<<A>>: the certificate of user A issued by certification authority CA CA Hierarchy Scalability issue: a very large user group CA hierarchy (tree) A node (X) of hierarchy is a CA, its parent node is another CA (Y) each CA has forward certificate: Y<<X>> and reverse certificate X<<Y>> each user trusts parent CA s certificates enable verification of any certificate from one CA by users of all other CAs in hierarchy 10

CA Hierarchy Use Path of A acquiring the certificate of B: X<<W>>W<<V>>V<<Y>>Y<<Z>>Z<<B>> Certificate Revocation certificates have a period of validity may need to revoke before expiry, eg: 1. user's private key is compromised 2. user is no longer certified by this CA 3. CA's certificate is compromised CA s maintain list of revoked certificates the Certificate Revocation List (CRL) users should check certs with CA s CRL 11

X.509 Version 3 has been recognised that additional information is needed in a certificate email/url, policy details, usage constraints rather than explicitly naming new fields defined a general extension method each extension consist of: extension identifier criticality indicator: if can be safely ignored extension value Certificate Extensions key and policy information convey additional info about subject & issuer keys, plus indicators of certificate policy certificate subject and issuer attributes support alternative names, in alternative formats for certificate subject and/or issuer certificate path constraints allow constraints on use of certificates by other CA s 12

Public Key Infrastructure Summary have considered: Kerberos trusted key server system X.509 authentication and certificates 13

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information