Henric Johnson 1
Chapter 4
Authentication Applications
Henric Johnson
Blekinge Institute of Technology,Sweden
http://www.its.bth.se/staff/hjo/
Outline
• Security Concerns
• Kerberos
• X.509 Authentication Service
• Recommended reading and Web Sites
Security Concerns
• Key concerns are confidentiality and timeliness
• To provide confidentiality, identification and session-key information must be encrypted
  – which requires the use of previously shared private or public keys
• Timeliness is needed to prevent replay attacks
  – provided by using sequence numbers, timestamps or challenge/response
KERBEROS
In Greek mythology, a many-headed dog, the guardian of the entrance of Hades
KERBEROS
• Users wish to access services on servers.
• Three threats exist:
  – A user pretends to be another user.
  – A user alters the network address of a workstation.
  – A user eavesdrops on exchanges and uses a replay attack.
KERBEROS
• Provides a centralized authentication server to authenticate users to servers and servers to users.
• Relies on conventional encryption, making no use of public-key encryption.
• Two versions: version 4 and 5
• Version 4 makes use of DES
Kerberos Version 4
• Terms:
  – C = client
  – AS = authentication server
  – V = server
  – IDc = identifier of user on C
  – IDv = identifier of V
  – Pc = password of user on C
  – ADc = network address of C
  – Kv = secret encryption key shared by AS and V
  – TS = timestamp
  – || = concatenation
A Simple Authentication Dialogue
(1) C → AS: IDc || Pc || IDv
(2) AS → C: Ticket
(3) C → V: IDc || Ticket
Ticket = EKv[IDc || Pc || IDv]
Version 4 Authentication Dialogue
• Problems:
  – Lifetime associated with the ticket-granting ticket
  – If too short, the user is repeatedly asked for the password
  – If too long, there is a greater opportunity for replay
• The threat is that an opponent will steal the ticket and use it before it expires
Version 4 Authentication Dialogue
Authentication Service Exchange: to obtain the ticket-granting ticket
(1) C → AS: IDc || IDtgs || TS1
(2) AS → C: EKc[Kc,tgs || IDtgs || TS2 || Lifetime2 || Tickettgs]
Ticket-Granting Service Exchange: to obtain a service-granting ticket
(3) C → TGS: IDv || Tickettgs || Authenticatorc
(4) TGS → C: EKc,tgs[Kc,v || IDv || TS4 || Ticketv]
Client/Server Authentication Exchange: to obtain service
(5) C → V: Ticketv || Authenticatorc
(6) V → C: EKc,v[TS5 + 1]
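As an added example (not from the slides), server V's side of steps (5) and (6) in Python, with the timeliness checks the Security Concerns slide calls for: ticket lifetime, authenticator timestamp within an allowed clock skew, client address matching the ticket, and a cache of authenticators already accepted so a replayed message is refused. The cipher E/D, the key values, principal names and addresses are constructed stand-ins for DES and real Kerberos data.

```python
import hashlib, hmac, json

SKEW = 300  # seconds of clock skew V tolerates between its own clock and TS5

def E(key: bytes, fields: dict) -> bytes:
    """Toy stand-in for v4's DES (constructed for this example, NOT secure):
    keyed keystream XOR plus an HMAC tag so a modified ticket is rejected."""
    pt = json.dumps(fields, sort_keys=True).encode()
    ks = hashlib.sha256(key + b"ks").digest() * (len(pt) // 32 + 1)
    ct = bytes(a ^ b for a, b in zip(pt, ks))
    return ct + hmac.new(key, ct, "sha256").digest()

def D(key: bytes, blob: bytes) -> dict:
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, ct, "sha256").digest()):
        raise ValueError("ciphertext integrity check failed")
    ks = hashlib.sha256(key + b"ks").digest() * (len(ct) // 32 + 1)
    return json.loads(bytes(a ^ b for a, b in zip(ct, ks)))

def v_handle(idv: str, kv: bytes, seen: set, ticket_v: bytes, auth_c: bytes, now: int, addr: str) -> bytes:
    """Server V's side of steps (5) and (6); `seen` is V's cache of accepted authenticators."""
    t = D(kv, ticket_v)  # Ticket_v = E_Kv[Kc,v || IDc || ADc || IDv || TS4 || Lifetime4]
    if t["IDv"] != idv or not t["TS4"] <= now < t["TS4"] + t["Lifetime4"]:
        raise PermissionError("ticket not for this server or outside its lifetime")
    kcv = bytes.fromhex(t["Kcv"])          # session key the TGS put in the ticket
    a = D(kcv, auth_c)                     # Authenticator_c = E_Kc,v[IDc || ADc || TS5]
    if a["IDc"] != t["IDc"] or a["ADc"] != t["ADc"] or a["ADc"] != addr:
        raise PermissionError("authenticator does not match ticket or source address")
    if abs(now - a["TS5"]) > SKEW:
        raise PermissionError("authenticator too old: possible replay")
    if (a["IDc"], a["TS5"]) in seen:
        raise PermissionError("authenticator already seen: replay")
    seen.add((a["IDc"], a["TS5"]))
    return E(kcv, {"TS5": a["TS5"] + 1})   # (6) V -> C: E_Kc,v[TS5 + 1]

def run_steps_5_and_6(now: int = 1_000_000) -> tuple:
    """Honest exchange, then the same two messages replayed 30 s later (constructed values)."""
    kv, kcv = b"Kv-shared-with-TGS", hashlib.sha256(b"Kc,v").digest()[:16]
    ticket_v = E(kv, {"Kcv": kcv.hex(), "IDc": "alice", "ADc": "10.0.0.5",
                      "IDv": "fileserver", "TS4": now - 60, "Lifetime4": 8 * 3600})
    auth_c = E(kcv, {"IDc": "alice", "ADc": "10.0.0.5", "TS5": now})
    seen = set()
    reply = D(kcv, v_handle("fileserver", kv, seen, ticket_v, auth_c, now, "10.0.0.5"))
    try:
        v_handle("fileserver", kv, seen, ticket_v, auth_c, now + 30, "10.0.0.5")
        replayed = False
    except PermissionError:
        replayed = True
    return reply["TS5"] == now + 1, replayed
```

The first call succeeds and C can check that the reply decrypts to TS5 + 1, which proves V held Kv and therefore Kc,v; the second call fails because V has already accepted that authenticator.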
Overview of Kerberos (figure)
Request for Service in Another Realm (figure)
Difference Between Version 4 and 5
• Encryption system dependence (V.4 DES)
• Internet protocol dependence
• Message byte ordering
• Ticket lifetime
• Authentication forwarding
• Interrealm authentication
Kerberos Encryption Techniques (figure)
PCBC Mode (figure)
Kerberos in Practice
• Currently have two Kerberos versions:
  – 4: restricted to a single realm
  – 5: allows inter-realm authentication, in beta test
• Kerberos v5 is an Internet standard
  – specified in RFC 1510, and used by many utilities
• To use Kerberos:
  – need to have a KDC on your network
  – need to have Kerberised applications running on all participating systems
• Major problem: US export restrictions
  – Kerberos cannot be directly distributed outside the US in source format (and binary versions must obscure crypto routine entry points and have no encryption)
  – else crypto libraries must be reimplemented locally
X.509 Authentication Service
• Distributed set of servers that maintains a database about users.
• Each certificate contains the public key of a user and is signed with the private key of a CA.
• Is used in S/MIME, IP Security, SSL/TLS and SET.
• Use of RSA is recommended.
X.509 Formats (figure)
Typical Digital Signature Approach (figure)
Obtaining a User's Certificate
• Characteristics of certificates generated by a CA:
  – Any user with access to the public key of the CA can recover the user public key that was certified.
  – No party other than the CA can modify the certificate without this being detected.
X.509 CA Hierarchy (figure)
Revocation of Certificates
• Reasons for revocation:
  – The user's secret key is assumed to be compromised.
  – The user is no longer certified by this CA.
  – The CA's certificate is assumed to be compromised.
Authentication Procedures (figure)
Recommended Reading and Web Sites
• www.whatis.com (search for kerberos)
• Bryant, W. Designing an Authentication System: A Dialogue in Four Scenes. http://web.mit.edu/kerberos/www/dialogue.html
• Kohl, J.; Neuman, B. "The Evolution of the Kerberos Authentication Service". http://web.mit.edu/kerberos/www/papers.html
• http://www.isi.edu/gost/info/kerberos/