CSCE 715: Network Systems Security
Chin-Tser Huang
huangct@cse.sc.edu
University of South Carolina
Midterm Exam
    Everyone gets one extra point
    After the adjustment:
        Highest: 20.5
        Average: 14.58
10/24/2006
Authentication Applications
    Developed to support application-level authentication and digital signatures
    A famous example is Kerberos, a password authentication service
Kerberos
    Trusted key server system from MIT
    Provides centralized password-based third-party authentication in a distributed network
        allows users access to services distributed through the network
        without needing to trust all workstations; instead, all trust a central authentication server
    Two versions in use: 4 and 5
Kerberos Requirements
    First published report identified its requirements as:
        security
        reliability
        transparency
        scalability
    Implemented using an authentication protocol based on Needham-Schroeder
Kerberos 4 Overview
    A basic third-party authentication scheme
    Has an Authentication Server (AS)
        users initially negotiate with the AS to identify themselves
        the AS provides a non-corruptible authentication credential (ticket-granting ticket, TGT)
    Has a Ticket-Granting Server (TGS)
        users subsequently request access to other services from the TGS on the basis of their TGT
First Design
    (1) C → AS:  IDc || Pc || IDv
    (2) AS → C:  Ticket
    (3) C → V:   IDc || Ticket
    Ticket = E_Kv[IDc || ADc || IDv]
Problems with First Design
    User may have to submit the password many times in the same logon session
    Password is transmitted in the clear
Second Design
    Once per user logon session:
        (1) C → AS:   IDc || IDtgs
        (2) AS → C:   E_Kc[Ticket_tgs]
    Once per type of service:
        (3) C → TGS:  IDc || IDv || Ticket_tgs
        (4) TGS → C:  Ticket_v
    Once per service session:
        (5) C → V:    IDc || Ticket_v
    Ticket_tgs = E_Ktgs[IDc || ADc || IDtgs || TS1 || Lifetime1]
    Ticket_v   = E_Kv[IDc || ADc || IDv || TS2 || Lifetime2]
Problems with Second Design
    A server (TGS or application server) needs to verify that the person using a ticket is the same person to whom the ticket was issued
    Servers need to authenticate themselves to users
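To make the second design concrete, here is an added example (not part of the lecture) that simulates the three exchanges with an AS, a TGS and an application server V, each checking a ticket exactly as the message formats above allow. Keys, principal names, addresses and clock values are constructed, and E_K[...] is stood in for by an HMAC-tagged blob, which gives the ticket-forgery resistance the checks depend on but not confidentiality.

```python
# Added example (not from the slides): minimal simulation of the Kerberos 4 "second design".
# Keys, IDs, addresses and clock values are constructed. E_K[...] is modelled by an
# HMAC-tagged JSON blob: only a holder of K can create or accept one (integrity, not
# confidentiality), which is the property the ticket checks below rely on.
import base64, hashlib, hmac, json
KEYS = {"alice": b"kc-alice", "tgs": b"ktgs", "printer": b"kv-printer"}  # Kc, Ktgs, Kv

def seal(key: bytes, fields: dict) -> str:
    """Stand-in for E_K[fields]."""
    body = base64.b64encode(json.dumps(fields, sort_keys=True).encode()).decode()
    return body + "." + hmac.new(key, body.encode(), hashlib.sha256).hexdigest()

def unseal(key: bytes, blob: str) -> dict:
    """Inverse of seal: rejects a blob made under another key or altered in transit."""
    body, tag = blob.split(".")
    if not hmac.compare_digest(hmac.new(key, body.encode(), hashlib.sha256).hexdigest(), tag):
        raise ValueError("wrong key or tampered ticket")
    return json.loads(base64.b64decode(body))

def make_ticket(server: str, id_c: str, ad_c: str, now: int, lifetime: int) -> str:
    """Ticket_tgs / Ticket_v = E_Kserver[IDc || ADc || IDserver || TS || Lifetime]."""
    return seal(KEYS[server], {"IDc": id_c, "ADc": ad_c, "IDs": server, "TS": now, "Lifetime": lifetime})

def check_ticket(server: str, ticket: str, id_c: str, ad_c: str, now: int) -> dict:
    """All a server can verify in this design: key, client ID, address, lifetime.
    Nothing here proves the presenter really is IDc (the first 'problem with second design')."""
    t = unseal(KEYS[server], ticket)
    if t["IDc"] != id_c or t["ADc"] != ad_c or t["IDs"] != server:
        raise ValueError("ticket does not match request")
    if not t["TS"] <= now < t["TS"] + t["Lifetime"]:
        raise ValueError("ticket expired or not yet valid")
    return t

def as_exchange(id_c: str, ad_c: str, now: int) -> str:
    """Msgs (1)/(2): once per logon, AS returns E_Kc[Ticket_tgs]."""
    return seal(KEYS[id_c], {"Ticket_tgs": make_ticket("tgs", id_c, ad_c, now, 8 * 3600)})

def tgs_exchange(id_c: str, id_v: str, tgt: str, ad_c: str, now: int) -> str:
    """Msgs (3)/(4): once per service type, TGS checks Ticket_tgs and issues Ticket_v."""
    check_ticket("tgs", tgt, id_c, ad_c, now)
    return make_ticket(id_v, id_c, ad_c, now, 300)

def service_exchange(id_c: str, id_v: str, ticket_v: str, ad_c: str, now: int) -> bool:
    """Msg (5): once per service session, V checks Ticket_v; True means access granted."""
    check_ticket(id_v, ticket_v, id_c, ad_c, now)
    return True

def run_session(ad_c: str = "10.0.0.5", now: int = 1_000_000) -> bool:
    """The whole flow from the client's side with a constructed clock."""
    tgt = unseal(KEYS["alice"], as_exchange("alice", ad_c, now))["Ticket_tgs"]  # client knows Kc
    ticket_v = tgs_exchange("alice", "printer", tgt, ad_c, now + 10)
    return service_exchange("alice", "printer", ticket_v, ad_c, now + 20)
```

The client can open E_Kc[...] but not Ticket_tgs itself, and the TGS and V reject tickets whose address or lifetime does not fit the request; what no function can check is whether the presenter knows Kc, which is the gap the slide above names.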
Kerberos 4 Message Exchange
    [figure: Kerberos 4 message exchange]
Kerberos 4 Overview
    [figure: Kerberos 4 overview]
Kerberos Realms
    A Kerberos environment consists of:
        a Kerberos server
        a number of clients, all registered with the server
        application servers, sharing keys with the server
    This is termed a "realm"
        typically within a single administrative domain
    If there are multiple realms, their Kerberos servers must share keys and trust each other
Request Service in Another Realm
    [figure: requesting service in another realm]
Kerberos Version 5
    Developed in the mid 1990s
    Provides improvements over Version 4
        addresses environmental shortcomings: encryption algorithm, network protocol, byte order, ticket lifetime, authentication forwarding, interrealm authentication
        and technical deficiencies: double encryption, non-standard mode of use, session keys, password attacks
    Specified as Internet standard RFC 1510
Kerberos 5 Message Exchange
    [figure: Kerberos 5 message exchange]
Next Class
    First student presentation!
    Submit your summary to the dropbox before class
    My next lecture will be about:
        Certificates and authorization
        Firewalls and access control