Authentication Application in Network Security NS4
10,208 views
24 slides
May 20, 2007
Slide 1 of 24
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
About This Presentation
No description available for this slideshow.
Slide Content
Henric Johnson 1
Chapter 4Chapter 4
Authentication
Applications
Henric Johnson
Blekinge Institute of Technology,Sweden
http://www.its.bth.se/staff/hjo/
[email protected]
Chapter 4Chapter 4
Authentication
Applications
Henric Johnson
Blekinge Institute of Technology,Sweden
http://www.its.bth.se/staff/hjo/
[email protected]
Henric Johnson 2
OutlineOutline
•Security Concerns
•Kerberos
•X.509 Authentication Service
•Recommended reading and Web Sites
OutlineOutline
•Security Concerns
•Kerberos
•X.509 Authentication Service
•Recommended reading and Web Sites
Henric Johnson 3
Security ConcernsSecurity Concerns
•key concerns are confidentiality and
timeliness
•to provide confidentiality must encrypt
identification and session key info
•which requires the use of previously shared
private or public keys
•need timeliness to prevent replay attacks
•provided by using sequence numbers or
timestamps or challenge/response
Security ConcernsSecurity Concerns
•key concerns are confidentiality and
timeliness
•to provide confidentiality must encrypt
identification and session key info
•which requires the use of previously shared
private or public keys
•need timeliness to prevent replay attacks
•provided by using sequence numbers or
timestamps or challenge/response
Henric Johnson 4
KERBEROSKERBEROS
In Greek mythology, a many headed dog,
the guardian of the entrance of Hades
KERBEROSKERBEROS
In Greek mythology, a many headed dog,
the guardian of the entrance of Hades
Henric Johnson 5
KERBEROSKERBEROS
•Users wish to access services on
servers.
•Three threats exist:
–User pretend to be another user.
–User alter the network address of a
workstation.
–User eavesdrop on exchanges and use a
replay attack.
KERBEROSKERBEROS
•Users wish to access services on
servers.
•Three threats exist:
–User pretend to be another user.
–User alter the network address of a
workstation.
–User eavesdrop on exchanges and use a
replay attack.
Henric Johnson 6
KERBEROSKERBEROS
•Provides a centralized authentication
server to authenticate users to
servers and servers to users.
•Relies on conventional encryption,
making no use of public-key encryption
•Two versions: version 4 and 5
•Version 4 makes use of DES
KERBEROSKERBEROS
•Provides a centralized authentication
server to authenticate users to
servers and servers to users.
•Relies on conventional encryption,
making no use of public-key encryption
•Two versions: version 4 and 5
•Version 4 makes use of DES
Henric Johnson 7
Kerberos Version 4Kerberos Version 4
•Terms:
–C = Client
–AS = authentication server
–V = server
–IDc = identifier of user on C
–IDv = identifier of V
–P
c = password of user on C
–ADc = network address of C
– Kv
= secret encryption key shared by AS an V
–TS = timestamp
–|| = concatenation
Kerberos Version 4Kerberos Version 4
•Terms:
–C = Client
–AS = authentication server
–V = server
–IDc = identifier of user on C
–IDv = identifier of V
–P
c = password of user on C
–ADc = network address of C
– Kv
= secret encryption key shared by AS an V
–TS = timestamp
–|| = concatenation
Henric Johnson 8
A Simple Authentication A Simple Authentication
DialogueDialogue
(1)C AS: IDc || P
c
|| IDv
(2)AS C: Ticket
(3)C V: IDc || Ticket
Ticket = E
Kv[IDc || P
c
|| IDv]
A Simple Authentication A Simple Authentication
DialogueDialogue
(1)C AS: IDc || P
c
|| IDv
(2)AS C: Ticket
(3)C V: IDc || Ticket
Ticket = E
Kv[IDc || P
c
|| IDv]
Henric Johnson 9
Version 4 Authentication Version 4 Authentication
DialogueDialogue
•Problems:
–Lifetime associated with the ticket-granting
ticket
–If to short repeatedly asked for password
–If to long greater opportunity to replay
•The threat is that an opponent will steal the
ticket and use it before it expires
Version 4 Authentication Version 4 Authentication
DialogueDialogue
•Problems:
–Lifetime associated with the ticket-granting
ticket
–If to short repeatedly asked for password
–If to long greater opportunity to replay
•The threat is that an opponent will steal the
ticket and use it before it expires
Henric Johnson 10
Version 4 Authentication DialogueVersion 4 Authentication Dialogue
Authentication Service Exhange: To obtain Ticket-Granting Ticket
(2)C AS: IDc || IDtgs ||TS1
(3)AS C: E
Kc [K
c,tgs|| IDtgs || TS
2 || Lifetime
2 || Tickettgs]
Ticket-Granting Service Echange: To obtain Service-Granting Ticket
(3) C TGS: IDv ||Ticket
tgs
||Authenticatorc
(4) TGS C: E
Kc
[K
c,¨v
|| IDv || TS
4
|| Ticketv]
Client/Server Authentication Exhange: To Obtain Service
(5) C V: Ticket
v
|| Authenticatorc
(6) V C: EKc,v[TS5 +1]
Version 4 Authentication DialogueVersion 4 Authentication Dialogue
Authentication Service Exhange: To obtain Ticket-Granting Ticket
(2)C AS: IDc || IDtgs ||TS1
(3)AS C: E
Kc [K
c,tgs|| IDtgs || TS
2 || Lifetime
2 || Tickettgs]
Ticket-Granting Service Echange: To obtain Service-Granting Ticket
(3) C TGS: IDv ||Ticket
tgs
||Authenticatorc
(4) TGS C: E
Kc
[K
c,¨v
|| IDv || TS
4
|| Ticketv]
Client/Server Authentication Exhange: To Obtain Service
(5) C V: Ticket
v
|| Authenticatorc
(6) V C: EKc,v[TS5 +1]
Henric Johnson 11
Overview of KerberosOverview of Kerberos
Overview of KerberosOverview of Kerberos
Henric Johnson 12
Request for Service in Request for Service in
Another RealmAnother Realm
Request for Service in Request for Service in
Another RealmAnother Realm
Henric Johnson 13
Difference Between Version Difference Between Version
4 and 54 and 5
•Encryption system dependence (V.4 DES)
•Internet protocol dependence
•Message byte ordering
•Ticket lifetime
•Authentication forwarding
•Interrealm authentication
Difference Between Version Difference Between Version
4 and 54 and 5
•Encryption system dependence (V.4 DES)
•Internet protocol dependence
•Message byte ordering
•Ticket lifetime
•Authentication forwarding
•Interrealm authentication
Henric Johnson 14
Kerberos Encryption TechniquesKerberos Encryption Techniques
Kerberos Encryption TechniquesKerberos Encryption Techniques
Henric Johnson 15
PCBC ModePCBC Mode
PCBC ModePCBC Mode
Henric Johnson 16
Kerberos - in practiseKerberos - in practise
•Currently have two Kerberos versions:
•4 : restricted to a single realm
•5 : allows inter-realm authentication, in beta test
•Kerberos v5 is an Internet standard
•specified in RFC1510, and used by many utilities
•To use Kerberos:
•need to have a KDC on your network
•need to have Kerberised applications running on all
participating systems
•major problem - US export restrictions
•Kerberos cannot be directly distributed outside the
US in source format (& binary versions must obscure
crypto routine entry points and have no encryption)
•else crypto libraries must be reimplemented locally
Kerberos - in practiseKerberos - in practise
•Currently have two Kerberos versions:
•4 : restricted to a single realm
•5 : allows inter-realm authentication, in beta test
•Kerberos v5 is an Internet standard
•specified in RFC1510, and used by many utilities
•To use Kerberos:
•need to have a KDC on your network
•need to have Kerberised applications running on all
participating systems
•major problem - US export restrictions
•Kerberos cannot be directly distributed outside the
US in source format (& binary versions must obscure
crypto routine entry points and have no encryption)
•else crypto libraries must be reimplemented locally
Henric Johnson 17
X.509 Authentication X.509 Authentication
ServiceService
•Distributed set of servers that
maintains a database about users.
•Each certificate contains the public
key of a user and is signed with the
private key of a CA.
•Is used in S/MIME, IP Security,
SSL/TLS and SET.
•RSA is recommended to use.
X.509 Authentication X.509 Authentication
ServiceService
•Distributed set of servers that
maintains a database about users.
•Each certificate contains the public
key of a user and is signed with the
private key of a CA.
•Is used in S/MIME, IP Security,
SSL/TLS and SET.
•RSA is recommended to use.
Henric Johnson 18
X.509 FormatsX.509 Formats
X.509 FormatsX.509 Formats
Henric Johnson 19
Typical Typical Digital Signature Digital Signature
ApproachApproach
Typical Typical Digital Signature Digital Signature
ApproachApproach
Henric Johnson 20
Obtaining a User’s Obtaining a User’s
CertificateCertificate
•Characteristics of certificates
generated by CA:
–Any user with access to the public key of
the CA can recover the user public key
that was certified.
–No part other than the CA can modify
the certificate without this being
detected.
Obtaining a User’s Obtaining a User’s
CertificateCertificate
•Characteristics of certificates
generated by CA:
–Any user with access to the public key of
the CA can recover the user public key
that was certified.
–No part other than the CA can modify
the certificate without this being
detected.
Henric Johnson 21
X.509 CA HierarchyX.509 CA Hierarchy
X.509 CA HierarchyX.509 CA Hierarchy
Henric Johnson 22
Revocation of CertificatesRevocation of Certificates
•Reasons for revocation:
–The users secret key is assumed to be
compromised.
–The user is no longer certified by this
CA.
–The CA’s certificate is assumed to be
compromised.
Revocation of CertificatesRevocation of Certificates
•Reasons for revocation:
–The users secret key is assumed to be
compromised.
–The user is no longer certified by this
CA.
–The CA’s certificate is assumed to be
compromised.
Henric Johnson 23
Authentication ProceduresAuthentication Procedures
Authentication ProceduresAuthentication Procedures
Henric Johnson 24
Recommended Reading and Recommended Reading and
WEB SitesWEB Sites
•www.whatis.com (search for kerberos)
•Bryant, W. Designing an Authentication
System: A Dialogue in Four Scenes.
http://web.mit.edu/kerberos/www/dialogue.html
•Kohl, J.; Neuman, B. “The Evolotion of
the Kerberos Authentication Service”
http://web.mit.edu/kerberos/www/papers.html
•http://www.isi.edu/gost/info/kerberos/
Recommended Reading and Recommended Reading and
WEB SitesWEB Sites
•www.whatis.com (search for kerberos)
•Bryant, W. Designing an Authentication
System: A Dialogue in Four Scenes.
http://web.mit.edu/kerberos/www/dialogue.html
•Kohl, J.; Neuman, B. “The Evolotion of
the Kerberos Authentication Service”
http://web.mit.edu/kerberos/www/papers.html
•http://www.isi.edu/gost/info/kerberos/
Categories
GeneralDownload
Download Slideshow Get the original presentation fileQuick Actions
Statistics
- Views 10,208
- Slides 24
- Favorites 10
- Age 6770 days
Related Slideshows
22
Pray For The Peace Of Jerusalem and You Will Prosper
RodolfoMoralesMarcuc
30 views
26
Don_t_Waste_Your_Life_God.....powerpoint
chalobrido8
32 views
31
VILLASUR_FACTORS_TO_CONSIDER_IN_PLATING_SALAD_10-13.pdf
JaiJai148317
30 views
14
Fertility awareness methods for women in the society
Isaiah47
29 views
35
Chapter 5 Arithmetic Functions Computer Organisation and Architecture
RitikSharma297999
26 views
5
syakira bhasa inggris (1) (1).pptx.......
ourcommunity56
28 views