User authentication cryptography in CSE engineering

468 views 33 slides Apr 23, 2024

User authentication
To guard against the baneful influence exerted by strangers
is therefore an elementary dictate of savage prudence.
Hence before strangers are allowed to enter a district, or
at least before they are permitted to mingle freely with
the inhabitants, certain ceremonies are often performed
by the natives of the country for the purpose of disarming
the strangers of their magical powers, or of disinfecting,
so to speak, the tainted atmosphere by which they are
supposed to be surrounded.
—The Golden Bough, Sir James George Frazer

Remote User Authentication Principles:
In most computer security contexts, user authentication is the fundamental building block and the primary line of defense.
User authentication is the basis for most types of access control and for user accountability.
User information needs to be stored on any server or computer system that he/she wishes to use and could be known to system administrators.
A typical item of authentication information associated with the user ID is a password.
The user ID and password enable administrators to set up the user’s access permissions and audit their activity.

An authentication process consists of two steps:
• Identification step: Presenting an identifier to the security system.
• Verification step: Presenting or generating authentication information that confirms the binding between the entity and the identifier.

There are four general means of authenticating a user’s
identity, which can be used alone or in combination:
1) Something the individual knows: Examples include a
password, a personal identification number (PIN), or
answers to a prearranged set of questions.
2) Something the individual possesses: Examples include
cryptographic keys, electronic keycards, smart cards, and
physical keys.
3) Something the individual is (static biometrics): Examples
include recognition by fingerprint, retina, and face.
4) Something the individual does (dynamic biometrics):
Examples include recognition by voice pattern, handwriting
characteristics, and typing rhythm.
All of these methods, properly implemented and used,
can provide secure user authentication. But, these
methods have drawbacks.

For network-based user authentication, the most important methods involve cryptographic keys and something the individual knows, such as a password.
Mutual Authentication:
Mutual authentication protocols enable communicating parties to satisfy themselves mutually about each other’s identity and to exchange session keys.
Central to the problem of authenticated key exchange are two issues: confidentiality and timeliness.
To prevent compromise of session keys, essential identification and session-key information must be communicated in encrypted form.
Timeliness is important because of the threat of message replays.

Replay Attacks
A replay attack is where a valid signed message is copied and later resent. Forms include:
• simple replay
• repetition that can be logged
• repetition that cannot be detected
• backward replay without modification
Countermeasures include:
a) use of sequence numbers (generally impractical)
b) timestamps (needs synchronized clocks; the protocol must be both fault tolerant, to cope with network errors, and secure, to cope with hostile attacks)
c) challenge/response (using unique nonce)

Because of the variable and unpredictable nature of network delays, distributed clocks cannot be expected to maintain precise synchronization. So, a timestamp-based procedure must allow for a window of time sufficiently large to accommodate network delays yet sufficiently small to minimize the opportunity for attack.
The challenge-response approach is unsuitable for a
connectionless type of application, because it requires the
overhead of a handshake before any connectionless
transmission, effectively negating the chief characteristic of
a connectionless transaction.

One-way authentication:
One application for which encryption is growing in popularity is
electronic mail.
The chief benefit of Email is that it is not necessary for the
sender and receiver to be online at the same time.
The e-mail message is forwarded to the receiver’s electronic
mailbox, where it is buffered until the receiver is available to
read it.
The message can be handled by the store-and-forward e-mail
protocol, such as the Simple Mail Transfer Protocol (SMTP) or
X.400
The e-mail message should be encrypted such that the mail-handling system is not in possession of the decryption key.
The second requirement is that of authentication. The recipient wants some assurance that the message is from the genuine sender.

Remote user authentication using symmetric encryption:
Mutual Authentication:
A two-level hierarchy of symmetric encryption keys can be used to provide confidentiality for communication in a distributed environment (the third-party KDC distributes the session key, encrypting the session key using the master key).
Needham and Schroeder [NEED78] proposed a protocol for secret key distribution using a KDC. Below is the protocol.
Despite the handshake of steps 4 and 5, the protocol is still vulnerable to a form of replay attack.
Adversary X can impersonate A and trick B into using the old key by simply replaying step 3.
Authentication steps

Denning [DENN81, DENN82] proposes to overcome this weakness by a modification to the Needham/Schroeder protocol that includes the addition of a timestamp to steps 2 and 3. Her proposal assumes that the master keys, Ka and Kb, are secure, and it consists of the following steps.
T is a timestamp that assures A and B that the session key has only just been generated. Thus, both A and B know that the key distribution is a fresh exchange.
A and B can verify timeliness by checking that
Δt1 is the estimated normal discrepancy between the KDC’s clock and the local clock (at A or B)
Δt – network delay

The Denning protocol seems to provide an increased degree of security compared to the Needham/Schroeder protocol.
A new concern in Denning’s approach is that the clocks must be synchronized throughout the network.
When a sender’s clock is ahead of the intended recipient’s clock, an opponent can intercept a message from the sender and replay it later when the timestamp in the message becomes current at the recipient’s site. This replay could cause unexpected results. Such attacks are referred to as suppress-replay attacks.
One way to counter suppress-replay attacks is to enforce the requirement that parties regularly check their clocks against the KDC’s clock.
The other alternative, which avoids the need for clock synchronization, is to rely on handshaking protocols using nonces.
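The timestamp window and the suppress-replay weakness described above can be seen in a small receiver-side check. This is an added example, not part of the original slides; it assumes an HMAC under a shared key in place of a signed message, a 5-second window, and constructed clock readings.

```python
import hashlib
import hmac

class FreshnessCheck:
    """Timestamp-window test plus a cache of MAC tags already accepted inside the window."""

    def __init__(self, key, window):
        self.key, self.window, self.seen = key, window, {}

    def seal(self, body, sender_clock):
        # Sender side: bind the sender's own clock reading to the message under the MAC.
        msg = f"{sender_clock:.3f}|".encode() + body
        return msg, hmac.new(self.key, msg, hashlib.sha256).digest()

    def accept(self, msg, tag, receiver_clock):
        good = hmac.new(self.key, msg, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, good):
            return "bad-mac"
        stamp = float(msg.split(b"|", 1)[0].decode())
        if abs(receiver_clock - stamp) > self.window:
            return "outside-window"
        # Older tags can be forgotten: the window test above already rejects them.
        self.seen = {t: s for t, s in self.seen.items()
                     if abs(receiver_clock - s) <= self.window}
        if tag in self.seen:
            return "replay"
        self.seen[tag] = stamp
        return "ok"

def demo():
    chk = FreshnessCheck(b"constructed-shared-key", window=5.0)
    out = {}
    msg, tag = chk.seal(b"open door 7", sender_clock=1000.0)
    out["first delivery"] = chk.accept(msg, tag, receiver_clock=1002.0)
    out["copy inside window"] = chk.accept(msg, tag, receiver_clock=1004.0)
    out["copy after window"] = chk.accept(msg, tag, receiver_clock=1030.0)
    # Sender clock 60 s fast: stamped 1060 but really sent at receiver time 1000.
    fast, fast_tag = chk.seal(b"open door 9", sender_clock=1060.0)
    out["fast clock, on time"] = chk.accept(fast, fast_tag, receiver_clock=1000.0)
    # The same bytes held back and delivered when the stamp becomes current.
    out["fast clock, held back"] = chk.accept(fast, fast_tag, receiver_clock=1060.0)
    return out

if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:24} {verdict}")
```

The last case is accepted even though the receiver's check is implemented correctly, which is why the slides point to clock checks against the KDC or to nonce handshakes.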

In [KEHN92], an attempt is made to respond to the concerns
about suppress replay attacks and at the same time fix the
problems in the Needham/Schroeder protocol.
Subsequently, an inconsistency in this latter protocol was
noted and an improved strategy was presented in
[NEUM93a]. The protocol is,
Ks – session key
Tb – time limit to use Ks
ticket

1. A initiates the authentication exchange by generating a nonce, Na, and sending that plus its identifier to B in plaintext. This nonce will be returned to A in an encrypted message that includes the session key, assuring A of its timeliness.
2. B alerts the KDC that a session key is needed. Its message to the KDC includes its identifier and a nonce, Nb. This nonce will be returned to B in an encrypted message that includes the session key, assuring B of its timeliness. B’s message to the KDC also includes a block encrypted with the secret key shared by B and the KDC. This block is used to instruct the KDC to issue credentials to A; the block specifies the intended recipient of the credentials, a suggested expiration time for the credentials, and the nonce received from A.
3. The KDC passes on to A B’s nonce and a block encrypted with the secret key that B shares with the KDC. The block serves as a “ticket” that can be used by A for subsequent authentications, as will be seen. The KDC also sends to A a block encrypted with the secret key shared by A and the KDC. This block verifies that B has received A’s initial message (IDB) and that this is a timely message and not a replay (Na), and it provides A with a session key (Ks) and the time limit on its use (Tb).
4. A transmits the ticket to B, together with B’s nonce, the latter encrypted with the session key. The ticket provides B with the secret key that is used to decrypt E(Ks, Nb) to recover the nonce. The fact that B’s nonce is encrypted with the session key authenticates that the message came from A and is not a replay.
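The four steps above, run end to end with B's final check, as an added example that is not part of the original slides. The `seal`/`unseal` helpers are a toy encrypt-then-MAC stand-in for E(K, ...), the ticket is assumed to carry A's identifier, Ks and Tb, and all keys and names are constructed for illustration.

```python
import hashlib, hmac, json, os

def _stream(key, iv, n):
    # SHA-256 in counter mode as a keystream: a toy stand-in for the page's E(K, ...)
    return b"".join(hashlib.sha256(key + iv + bytes([i])).digest()
                    for i in range(n // 32 + 1))[:n]

def seal(key, fields):
    """E(K, [fields]): encrypt-then-MAC so a block opened with the wrong key is rejected."""
    pt, iv = json.dumps(fields).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, iv, len(pt))))
    return iv + ct + hmac.new(key, iv + ct, hashlib.sha256).digest()

def unseal(key, blob):
    iv, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, iv + ct, hashlib.sha256).digest()):
        raise ValueError("block was not sealed under this key")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, iv, len(ct)))))

def exchange(ka, kb, now, lifetime=300):
    """Run steps 1-3 and build A's step-4 message; returns (ticket, proof, Nb)."""
    na = os.urandom(8).hex()                      # 1. A -> B: IDA, Na
    nb, tb = os.urandom(8).hex(), now + lifetime  # 2. B -> KDC: IDB, Nb, E(Kb,[IDA,Na,Tb])
    request = seal(kb, ["A", na, tb])
    id_a, na_kdc, tb_kdc = unseal(kb, request)    # 3. KDC -> A: E(Ka,..), ticket, Nb
    ks = os.urandom(16).hex()
    for_a = seal(ka, ["B", na_kdc, ks, tb_kdc])
    ticket = seal(kb, [id_a, ks, tb_kdc])
    id_b, na_back, ks_a, _ = unseal(ka, for_a)    # A checks its own nonce came back
    if (id_b, na_back) != ("B", na):
        raise ValueError("stale or misdirected KDC reply")
    proof = seal(bytes.fromhex(ks_a), nb)         # 4. A -> B: ticket, E(Ks, Nb)
    return ticket, proof, nb

def b_accepts(kb, ticket, proof, expected_nb, now):
    """B's check of step 4: ticket opens under Kb, is unexpired, and proof holds B's nonce."""
    try:
        _id_a, ks, tb = unseal(kb, ticket)
        return now <= tb and unseal(bytes.fromhex(ks), proof) == expected_nb
    except ValueError:
        return False
```

B accepts only a step-4 message that returns the nonce B issued for this run, so a recorded ticket and proof from an earlier run fail against a fresh Nb without any clock comparison between A and B.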

Suppose that A and B establish a session using the aforementioned protocol and then conclude that session. Subsequently, but within the time limit established by the protocol, A desires a new session with B. The following protocol ensues:

One-Way Authentication
Symmetric encryption with some refinement is used for one-way authentication for e-mails.
Following is the protocol,

Remote User Authentication using Asymmetric Encryption:
This protocol is compact but requires the synchronization of clocks

Another approach, proposed by Woo and Lam [WOO92a], makes use of nonces. The protocol consists of the following steps
This protocol seems to be a secure protocol that takes
into account the various attacks.
The authors themselves spotted a flaw and submitted
a revised version of the algorithm in [WOO92b].

Revised version of the algorithm in [WOO92b]

One Way Authentication:
Public-key encryption approaches require that either the sender know the recipient’s public key (confidentiality), the recipient know the sender’s public key (authentication), or both (confidentiality plus authentication).
Public-key encryption approaches are suitable for E-mails.
If confidentiality is the primary concern, then the following is used for Emails.
The message is encrypted with a one-time secret key

If authentication is the primary concern, then a digital signature may suffice.
This technique is open to another kind of fraud.
To avoid fraud, both the message and signature can be encrypted with the recipient’s public key.
The above two schemes require that B know A’s public key and be convinced that it is timely. An effective way to provide this assurance is the digital certificate.

Kerberos
Trusted authentication server system from MIT
Provides a centralised authentication server in a distributed network whose function is to authenticate users to servers and servers to users.
Kerberos relies exclusively on symmetric encryption
Two versions in use: 4 & 5

Motivation:
A distributed architecture consisting of dedicated user workstations (clients) and distributed or centralized servers.
Following are the three approaches to security in a distributed environment.
1. Rely on each individual client workstation to assure the identity of its user or users and rely on each server to enforce a security policy based on user identification (ID).
2. Require that client systems authenticate themselves to servers, but trust the client system concerning the identity of its user.
3. Require the user to prove his or her identity for each service invoked. Also require that servers prove their identity to clients.
For small and closed environments: option 1 or 2
For open environments: option 3

Kerberos Requirements
The first Kerberos report identified the following requirements:
• Secure: A network eavesdropper should not be able to obtain the necessary information to impersonate a user.
• Reliable: Kerberos should be highly reliable and should employ a distributed server architecture with one system able to back up another.
• Transparent: The user should not be aware that authentication is taking place beyond the requirement to enter a password.
• Scalable: Support a larger number of clients and servers.
Kerberos assumes a distributed client/server architecture and employs one or more Kerberos servers to provide an authentication service.

Kerberos v4:
Version 4 of Kerberos makes use of DES, to provide
the authentication service.
A simple Authentication Dialogue:
In an unprotected network environment, any client can apply to any server for service.
The obvious security risk is that of impersonation.
An opponent can pretend to be another client and obtain unauthorized privileges on the server machine.
To counter this threat, servers must be able to confirm the identities of clients who request service.
In an open environment, the above way of authentication places a substantial burden on each server.

An alternative is to use an authentication server (AS) that knows the passwords of all users and stores these in a centralized database.
The AS shares a unique secret key with each server.
Each of the ingredients (IDc, ADc, IDv) of message (3) is significant.

A more secure Authentication Dialogue:
Two problems of authentication in an open network environment in the previous authentication scheme are,
1) A user has to enter a password each time he/she requests service from a server.
2) A plaintext transmission of the password [message (1)]. An eavesdropper could capture the password and use any service accessible to the victim.

To solve these problems, a scheme for avoiding plaintext passwords and a new server, known as the ticket-granting server (TGS), are introduced.
The new scenario is as follows.

The Version 4 Authentication Dialogue :

Kerberos Realms
a Kerberos environment consists of:
a Kerberos server
a number of clients, all registered with server
application servers, sharing keys with server
this is termed a realm
typically a single administrative domain
if there are multiple realms, their Kerberos
servers must share keys and trust

Kerberos Realms and Multiple Kerberi:
A full-service Kerberos environment consisting of a Kerberos server, a number of clients, and a number of application servers requires the following:
1. The Kerberos server must have the user ID and hashed passwords of all participating users in its database. All users are registered with the Kerberos server.
2. The Kerberos server must share a secret key with each server. All servers are registered with the Kerberos server.
The above environment is referred to as a Kerberos realm.
A Kerberos realm is a set of managed nodes that share the same Kerberos database. The Kerberos database resides on the Kerberos master computer system.
Changing or accessing the contents of a Kerberos database requires the Kerberos master password.