Authentication Applications will consider authentication functions will consider authentication functions developed to support application- level authentication & digital signatures developed to support application- level authentication & digital signatures Kerberos – a private-key authentication service Kerberos – a private-key authentication service X.509 directory authentication service X.509 directory authentication service
Symmetric Key Distribution With symmetric encryption: With symmetric encryption: Both parties must have the same keyBoth parties must have the same key Key must be protected from anyone elseKey must be protected from anyone else Keys should be changed frequentlyKeys should be changed frequently To minimize the amount of data compromised if a hacker learns the key To minimize the amount of data compromised if a hacker learns the key The strength of any system using symmetric encryption depend how the keys are distributed The strength of any system using symmetric encryption depend how the keys are distributed
2 Party Distribution A picks a key and physically delivers it to B A picks a key and physically delivers it to B A disinterested third party picks the key and physically delivers it to A and B A disinterested third party picks the key and physically delivers it to A and B A and B have both recently communicated using a key, one party could use the old key to send the new key to the other party then destroy the old key. A and B have both recently communicated using a key, one party could use the old key to send the new key to the other party then destroy the old key. If A and B both have an encrypted link to a third party C, C could send the new key to A and B on the encrypted link. (this requires a session key and a permanent key and a Key Distribution Center (KDC) If A and B both have an encrypted link to a third party C, C could send the new key to A and B on the encrypted link. (this requires a session key and a permanent key and a Key Distribution Center (KDC)
Key Distribution Center KDC determines which systems are allowed to communicate. When KDC receives a request for two systems to communicate it sends a one-time session key. KDC determines which systems are allowed to communicate. When KDC receives a request for two systems to communicate it sends a one-time session key. A wants to talk to B, A sends a connection request to KDC encrypted by a key known by only A and KDC.A wants to talk to B, A sends a connection request to KDC encrypted by a key known by only A and KDC. KDC creates session key and encrypts it using the permanent key that A used to encrypt the original request and send it to A then it send the session key to B using the permanent key between itself and B.KDC creates session key and encrypts it using the permanent key that A used to encrypt the original request and send it to A then it send the session key to B using the permanent key between itself and B. A and B can now talk using the temporary session keyA and B can now talk using the temporary session key This is the method used by Kerberos for the distribution of DES keys This is the method used by Kerberos for the distribution of DES keys
Kerberos trusted key server system from MIT trusted key server system from MIT provides centralised private-key third-party authentication in a distributed network provides centralised private-key third-party authentication in a distributed network allows users access to services distributed through networkallows users access to services distributed through network without needing to trust all workstationswithout needing to trust all workstations rather all trust a central authentication serverrather all trust a central authentication server two versions in use: 4 & 5 two versions in use: 4 & 5
Kerberos Requirements first published report identified its requirements as: first published report identified its requirements as: security-an eavesdropper shouldn’t be able to get enough information to impersonate the usersecurity-an eavesdropper shouldn’t be able to get enough information to impersonate the user reliability- services using Kerberos would be unusable if Kerberos isn’t availablereliability- services using Kerberos would be unusable if Kerberos isn’t available transparency-users should be unaware of its presencetransparency-users should be unaware of its presence scalability- should support large number of usersscalability- should support large number of users implemented using a 3 rd party authentication scheme using a protocol proposed by Needham-Schroeder (NEED78) implemented using a 3 rd party authentication scheme using a protocol proposed by Needham-Schroeder (NEED78)
Kerberos 4 Overview a basic third-party authentication scheme a basic third-party authentication scheme uses DES buried in an elaborate protocoluses DES buried in an elaborate protocol Authentication Server (AS) Authentication Server (AS) user initially negotiates with AS to identify selfuser initially negotiates with AS to identify self AS provides a non-corruptible authentication credential (ticket-granting ticket TGT)AS provides a non-corruptible authentication credential (ticket-granting ticket TGT) Ticket Granting server (TGS) Ticket Granting server (TGS) users subsequently request access to other services from TGS on basis of users TGTusers subsequently request access to other services from TGS on basis of users TGT
Kerberos 4 Overview
Kerberos Realms a Kerberos environment consists of: a Kerberos environment consists of: a Kerberos servera Kerberos server a number of clients, all registered with servera number of clients, all registered with server application servers, sharing keys with serverapplication servers, sharing keys with server this is termed a realm this is termed a realm typically a single administrative domaintypically a single administrative domain if have multiple realms, their Kerberos servers must share keys and trust if have multiple realms, their Kerberos servers must share keys and trust
Kerberos Version 5 developed in mid 1990’s developed in mid 1990’s provides improvements over v4 provides improvements over v4 addresses environmental shortcomingsaddresses environmental shortcomings encryption algorithm, network protocol, byte order, ticket lifetime, authentication forwarding, inter-realm authentication encryption algorithm, network protocol, byte order, ticket lifetime, authentication forwarding, inter-realm authentication and technical deficienciesand technical deficiencies double encryption, non-standard mode of use, session keys, password attacks double encryption, non-standard mode of use, session keys, password attacks specified as Internet standard RFC 1510 specified as Internet standard RFC 1510
X.509 Authentication Service part of CCITT X.500 directory service standards part of CCITT X.500 directory service standards distributed servers maintaining some info databasedistributed servers maintaining some info database defines framework for authentication services defines framework for authentication services directory may store public-key certificatesdirectory may store public-key certificates with public key of userwith public key of user signed by certification authoritysigned by certification authority also defines authentication protocols also defines authentication protocols uses public-key crypto & digital signatures uses public-key crypto & digital signatures algorithms not standardized, but RSA recommendedalgorithms not standardized, but RSA recommended
X.509 Certificates issued by a Certification Authority (CA), containing: issued by a Certification Authority (CA), containing: version (1, 2, or 3)version (1, 2, or 3) serial number (unique within CA) identifying certificateserial number (unique within CA) identifying certificate signature algorithm identifiersignature algorithm identifier issuer X.500 name (CA)issuer X.500 name (CA) period of validity (from - to dates)period of validity (from - to dates) subject X.500 name (name of owner)subject X.500 name (name of owner) subject public-key info (algorithm, parameters, key)subject public-key info (algorithm, parameters, key) issuer unique identifier (v2+)issuer unique identifier (v2+) subject unique identifier (v2+)subject unique identifier (v2+) extension fields (v3)extension fields (v3) signature (of hash of all fields in certificate)signature (of hash of all fields in certificate) notation CA > denotes certificate for A signed by CA notation CA > denotes certificate for A signed by CA
X.509 Certificates
Obtaining a Certificate any user with access to the public key of the CA can verify the user public key that was certified any user with access to the public key of the CA can verify the user public key that was certified only the CA can modify a certificate without being detected only the CA can modify a certificate without being detected cannot be forged, certificates can be placed in a public directory cannot be forged, certificates can be placed in a public directory
CA Hierarchy if both users share a common CA then they are assumed to know its public key if both users share a common CA then they are assumed to know its public key otherwise CA's must form a hierarchy otherwise CA's must form a hierarchy use certificates linking members of hierarchy to validate other CA's use certificates linking members of hierarchy to validate other CA's each CA has certificates for clients (forward) and parent (backward)each CA has certificates for clients (forward) and parent (backward) each client trusts parents certificates each client trusts parents certificates enable verification of any certificate from one CA by users of all other CAs in hierarchy enable verification of any certificate from one CA by users of all other CAs in hierarchy
CA Hierarchy Use
Certificate Revocation certificates have a period of validity certificates have a period of validity may need to revoke before expiration, eg: may need to revoke before expiration, eg: 1.user's private key is compromised 2.user is no longer certified by this CA 3.CA's certificate is compromised CAs maintain list of revoked certificates CAs maintain list of revoked certificates the Certificate Revocation List (CRL )the Certificate Revocation List (CRL ) users should check certificates with CA’s CRL users should check certificates with CA’s CRL
Authentication Procedures X.509 includes three alternative authentication procedures: X.509 includes three alternative authentication procedures: One-Way AuthenticationOne-Way Authentication Two-Way AuthenticationTwo-Way Authentication Three-Way AuthenticationThree-Way Authentication all use public-key signatures all use public-key signatures
Nonce a nonce is a parameter that varies with time. A nonce can be a time stamp, a visit counter on a Web page, or a special marker intended to limit or prevent the unauthorized replay or reproduction of a file. a nonce is a parameter that varies with time. A nonce can be a time stamp, a visit counter on a Web page, or a special marker intended to limit or prevent the unauthorized replay or reproduction of a file.
Nonce from RFC 2617: from RFC 2617:RFC 2617RFC 2617 For applications where no possibility of replay attack can be tolerated the server can use one-time nonce values which will not be honored for a second use. This requires the overhead of the server remembering which nonce values have been used until the nonce time-stamp (and hence the digest built with it) has expired, but it effectively protects against replay attacks.For applications where no possibility of replay attack can be tolerated the server can use one-time nonce values which will not be honored for a second use. This requires the overhead of the server remembering which nonce values have been used until the nonce time-stamp (and hence the digest built with it) has expired, but it effectively protects against replay attacks.
One-Way Authentication One message ( A->B) used to establish One message ( A->B) used to establish the identity of A and that message is from Athe identity of A and that message is from A message was intended for Bmessage was intended for B integrity & originality (message hasn’t been sent multiple times)integrity & originality (message hasn’t been sent multiple times) message must include timestamp, nonce, B's identity and is signed by A message must include timestamp, nonce, B's identity and is signed by A
Two-Way Authentication Two messages (A->B, B->A) which also establishes in addition: Two messages (A->B, B->A) which also establishes in addition: the identity of B and that reply is from Bthe identity of B and that reply is from B that reply is intended for Athat reply is intended for A integrity & originality of replyintegrity & originality of reply reply includes original nonce from A, also timestamp and nonce from B reply includes original nonce from A, also timestamp and nonce from B
Three-Way Authentication 3 messages (A->B, B->A, A->B) which enables above authentication without synchronized clocks 3 messages (A->B, B->A, A->B) which enables above authentication without synchronized clocks has reply from A back to B containing a signed copy of nonce from B has reply from A back to B containing a signed copy of nonce from B means that timestamps need not be checked or relied upon means that timestamps need not be checked or relied upon
X.509 Version 3 has been recognized that additional information is needed in a certificate has been recognized that additional information is needed in a certificate /URL, policy details, usage constraints /URL, policy details, usage constraints rather than explicitly naming new fields a general extension method was defined rather than explicitly naming new fields a general extension method was defined extensions consist of: extensions consist of: extension identifierextension identifier criticality indicatorcriticality indicator extension valueextension value
Certificate Extensions key and policy information key and policy information convey info about subject & issuer keys, plus indicators of certificate policyconvey info about subject & issuer keys, plus indicators of certificate policy certificate subject and issuer attributes certificate subject and issuer attributes support alternative names, in alternative formats for certificate subject and/or issuersupport alternative names, in alternative formats for certificate subject and/or issuer certificate path constraints certificate path constraints allow constraints on use of certificates by other CA’sallow constraints on use of certificates by other CA’s
Public-Key Infrastructure PKI: a set of hardware,software, people, policies, and procedures needed to create, manage, store distribute and revoke digital certificates based on asymmetric cryptography. PKI: a set of hardware,software, people, policies, and procedures needed to create, manage, store distribute and revoke digital certificates based on asymmetric cryptography. To enable the secure, convenient and efficient acquisition of public keys. To enable the secure, convenient and efficient acquisition of public keys.
PKIX End Entity Registration Authority Certificate Authority CRL issuer