Authentication Protocol

Presentation transcript:

Authentication Protocol: Authentication Applications

Authentication Protocol
Users wish to access services on servers. Authentication protocols are used to convince each party of the other's identity and to exchange session keys. They:
- require the user to prove his identity for each service invoked
- require that servers prove their identity to clients
- provide security in a distributed architecture consisting of dedicated user workstations (clients) and distributed or centralized servers
Authentication may be one-way or mutual.

Security Concerns
Key concerns are:
- Confidentiality: encrypt identification and session key information.
- Timeliness: use timestamps or sequence numbers to prevent replay attacks.

Kerberos
In Greek mythology, a many-headed dog, the guardian of the entrance to Hades.

What is Kerberos?
- Developed as part of Project Athena at MIT
- Open source, hence freely available
- Provides centralised private-key third-party authentication in a distributed network
- Provides single sign-on capability
- Passwords (i.e. the user's secret key) are never sent across the network
- Key revocation can be achieved by disabling a user at the KDC

How does Kerberos work?
Uses an Authentication Server (AS):
- Knows all user passwords and stores them in a database
- Shares a unique secret key with every user
- Sends an encrypted ticket-granting ticket (TGT)
- The TGT contains a lifetime and a timestamp

How does Kerberos work?
Uses a Ticket Granting Server (TGS):
- Issues tickets to users already authenticated by the AS
- Tickets are encrypted with a key known only to the AS and the TGS
- Returns a service-granting ticket
- The service-granting ticket contains a timestamp and a lifetime

Kerberos Dialogue: Message Exchanges
Simplified approach:
- Client asks the authentication server for a ticket
- AS grants the ticket
- Client sends the ticket to the server
The exchanges:
- AS exchange: obtain a ticket-granting ticket
- TGS exchange: obtain a service-granting ticket
- Client/server authentication exchange: obtain the service

[Diagram: a user (Gurukul) at a desktop computer, a Key Distribution Center containing the Authentication Service and the Ticket Granting Service (think "Kerberos Server" and don't let yourself get mired in terminology), and an XYZ service.]

[Diagram: the user enters UID and password at the desktop; the desktop sends the UID to the Authentication Service: "I'd like to be allowed to get tickets from the Ticket Granting Server, please."]

[Diagram: the Authentication Service replies: "Okay. I locked this box with your secret password. If you can unlock it, you can use its contents to access my Ticket Granting Service."]

[Diagram: the desktop unlocks the box with the user's password ("My Password") and now holds the TGT.]

TGT
Because Gurukul was able to open the box (decrypt a message) from the Authentication Service, he/she is now the owner of a "Ticket-Granting Ticket" (TGT). The TGT must be presented to the Ticket Granting Service in order to acquire "service tickets" for use with services requiring Kerberos authentication. The TGT contains no password information.

Kerberos Realms
A Kerberos environment consists of:
- a Kerberos server
- a number of clients, all registered with the server
- application servers, sharing keys with the server
A Kerberos realm is a set of managed nodes that share the same Kerberos database. Multiple realms are used:
- to improve performance
- to overcome failure issues due to a single AS and TGS

Multiple Kerberi
- The Kerberos server in each realm shares a secret key with the others
- There must be trust between the servers, i.e. each server is registered with the others
- Does not scale well

Kerberos Version 4 (simple dialogue)
1. C -> AS: IDc + Pc + IDv
2. AS -> C: Ticket
3. C -> V: IDc + Ticket
Ticket = Ekv[IDc, ADc, IDv]
Pc = password of client
Kv = secret key shared between AS and V (server)
IDc = user id of client
ADc = network address of client

Kerberos Version 4 Weaknesses
- Big load on the AS (remedy: provide secondary ticket-granting servers)
- Repeated password entry (remedy: password given to the AS seldom; tickets obtained from the TGS when needed, based on the AS authentication)

Version 4 Authentication Dialogue
Problem: the lifetime associated with the ticket-granting ticket.
- If too short, the user is repeatedly asked for the password
- If too long, there is greater opportunity for replay
The threat is that an opponent will steal the ticket and use it before it expires. (Henric Johnson)

Strategies and Countermoves
What opponents of version 4 can do:
- Wait for long-lived ticket-granting tickets and then reuse them
- Capture service-granting tickets and use the remaining lifetime
Anti-theft of ticket-granting tickets:
- The AS provides both the client and the TGS with a secret, securely
- Done by sending a session key
- This procedure also makes service-granting tickets reusable
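As an added illustration (not code from the original slides), the simple Version 4 dialogue (Ticket = Ekv[IDc, ADc, IDv]) and the anti-theft countermoves on this slide modelled in Python: the AS issues a TGT plus a session key, the client proves possession of that session key with an authenticator, and the TGS checks ticket lifetime, client address, authenticator freshness and a replay cache. The sealing primitive, key values, field names and function names are assumptions constructed for the example; real Kerberos V4 uses DES.

```python
import hashlib, hmac, json, os

# Toy sealing primitive standing in for Kerberos's DES-based encryption:
# SHA-256 keystream XOR plus an HMAC tag (constructed for illustration only).
def _ks(key, nonce, n):
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, obj):
    nonce, pt = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _ks(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("bad tag: ticket or authenticator was tampered with")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _ks(key, nonce, len(ct)))))

K_C = b"kc-derived-from-user-password"    # Kc, shared by user and AS (assumed value)
K_TGS = b"ktgs-shared-by-as-and-tgs"      # Ktgs, shared by AS and TGS (assumed value)
replay_cache = set()                       # (IDc, TS) pairs the TGS has already seen

def as_exchange(id_c, ad_c, now, lifetime):
    """AS reply: Ekc[Kc,tgs, TGT], TGT = Ektgs[IDc, ADc, IDtgs, TS, lifetime, Kc,tgs]."""
    k_c_tgs = os.urandom(16).hex()
    tgt = seal(K_TGS, {"IDc": id_c, "ADc": ad_c, "IDv": "tgs", "TS": now,
                       "life": lifetime, "K": k_c_tgs})
    return seal(K_C, {"K": k_c_tgs, "TGT": tgt.hex()})

def client_authenticator(k_c_tgs_hex, id_c, now):
    """Authenticator Ekc,tgs[IDc, TS]: proves the client holds the session key."""
    return seal(bytes.fromhex(k_c_tgs_hex), {"IDc": id_c, "TS": now})

def tgs_check(tgt_hex, authenticator, src_addr, now, skew=300):
    """TGS-side validation of a presented TGT + authenticator; returns (ok, reason)."""
    t = unseal(K_TGS, bytes.fromhex(tgt_hex))
    if now > t["TS"] + t["life"]:
        return False, "ticket expired"
    if src_addr != t["ADc"]:
        return False, "address mismatch"              # stolen ticket used elsewhere
    a = unseal(bytes.fromhex(t["K"]), authenticator)  # needs Kc,tgs, which a thief lacks
    if a["IDc"] != t["IDc"] or abs(now - a["TS"]) > skew:
        return False, "bad or stale authenticator"
    if (a["IDc"], a["TS"]) in replay_cache:
        return False, "replay"                        # same authenticator seen twice
    replay_cache.add((a["IDc"], a["TS"]))
    return True, "ok"
```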

Kerberos Organization
Called a realm; it includes a Kerberos server, which holds:
- a UID and hashed password for each user
- a shared secret key with each user
The Kerberos server includes both the AS and the TGS.
Inter-realm issues:
- Kerberos servers in each realm are registered with each other (they share a secret key)
- The TGS in the server's realm issues tickets to clients from the other realm (i.e. a remote TGS, RTGS)

Kerberos Version 5
Fixes version 4 environmental shortcomings:
- New elements for the AS exchange: Realm, Options, Times, Nonce
- Client/server authentication exchange: sub-key, sequence number
- Kerberos ticket flags

Difference Between Version 4 & 5

Point of Discussion                          | Version 4                             | Version 5
---------------------------------------------|---------------------------------------|--------------------------------------------------------
Encryption algorithm used                    | DES only                              | DES & its variants, IDEA etc.
Identifiers                                  | IP address only                       | Network address: type, length
Message byte ordering                        | Not allowed                           | Allowed
Ticket lifetime                              | Small                                 | Renewable time span
Authentication forwarding                    | Same server only                      | Any server in realm
Inter-realm authentication support (scaling) | No; single; peer-to-peer              | Yes; multiple; transitive (cross-realm)
Replay caches, postdatable tickets           | Not available                         | Available
Forwardable (new ticket)                     | Single ticket, same machine, same IP  | Current credentials can obtain a valid ticket on another machine

Attacks on Kerberos
Threats exist:
- Modification attack: the network address of a workstation is altered.
- Replay attack: eavesdrop on a communication and replay it.
- Password guessing attack: a user pretends to be another user.
- Inter-session chosen plaintext attack: as per the V5 draft.
Created by Mr. Sumit Patel

Kerberos Mechanism Used By
- Microsoft Passport technology
- Windows NT

Version 5 – Continued
- Avoids double encryption
- Avoids PCBC (vulnerable to a cipher block exchange attack)
- Session and sub-session keys
- Pre-authentication makes password attacks more difficult (but not impossible)