Authentication 3: On The Internet

2 Readings URL attacks Web security using CGI scripts Tempest:

3 Topics URL Obscuring Kerberos X.509 Digital Certificate Standard

4 URL Obscuring Uniform Resource Locator is used to find a web site. If you are sent a URL from an untrusted source, it may be obscured in a number of ways to look like a familiar, trusted site. Characters can be put into URLs to change the meaning.

5 URL Obscuring For example, you receive an saying click on this link: You think you are going to “friendlysite”; however, means that everything before it is the username and you really go to

6 Challenges for E-Commerce Many clients want services from a number of different servers. Servers need to know that the client is who he says he is. Key concerns are confidentiality and timeliness To provide confidentiality must encrypt identification and session key info which requires the use of previously shared private or public keys Need timeliness to prevent replay attacks. Can be provided by using sequence numbers or timestamps or challenge/response

7 Kerberos Developed at MIT. Users wish to access services on many servers. Three threats exist: –User pretend to be another user. –User alter the network address of a workstation to get another’s services. –User eavesdrop on exchanges and use a replay attack to get unauthorized services.

8 Problem with CR Protocol Alice and Bob want to use a challenge-response protocol to authenticate each other. They can encrypt and decrypt message with DES and their shared key, K AB. Alice sends her identity A and a random number R A to Bob. Bob responds with the number encrypted with the key he shares with Alice, K AB {R A } along with another random number R B. Alice responds by encrypting Bob’s number K AB {R B } and sending it to Bob. If that was Eve pretending to be Alice, she has a plaintext,cypertext pair to crack the key K AB.

9 Kerberos Kerberos provides a centralized authentication server to authenticate users to servers and servers to users. Users can share password with AS, but need not be known by all servers. Relies on conventional encryption, making no use of public-key encryption. Two versions: version 4 and 5. Version 4 uses DES

10 Simplified Version Client, C, asks authentication server, AS, for a “ticket” to identify him to vendor, V. Client supplies his password which is known by AS. AS gives C a ticket which can only be read by the vendor, V. Client, C, contacts vendor,V, giving him the ticket which V accepts because he trusts AS.

11 Kerberos Terms: C = Client AS = authentication server V = server or vendor ID c = identifier of user on C ID v = identifier of V P c = password of user on C ADc = network address of C K v = secret encryption key shared by AS and V TS = timestamp || = concatenation

12 Simple Authentication Dialog (1)C  AS: ID c || P c || ID v (2)AS  C:Ticket (3)C  V: ID c || Ticket Ticket = E K v [ ID c || AD c || ID v]

13 Problems with Simple Dialog Lifetime needs to be associated with the ticket –If too short, repeatedly asked for password –If too long, greater chance of replay attack –The threat is that an opponent will steal the ticket and use it before it expires Client password sent in the clear Every time client wants to use a new service (or reuse one) he must go to AS.

14 Solution: Kerberos Version 4 Add a Ticket Granting server When client logs in at start of session/day, he gets a ticket-granting ticket (TGT) from the Authentication Server. He supplies his password once per session/day. TGT is used to get a service ticket from a Ticket Granting Server each time service is needed (read mail, get a file, use print server). Authenticator is K c,v {ID c ||AD c ||TS}

15

16 Kerberos Version 4 Authentication Service Exhange: To obtain Ticket-Granting Ticket (1)C  AS: IDc || IDtgs ||TS 1 AS  C: E Kc [K c,tgs || ID tgs || TS 2 || Lifetime 2 || Ticket tgs ] Client/Server Authentication Exhange: To Obtain Service (5) C  V: Ticket v || Authenticator c (6) V  C: EKc,v[TS5 +1] Ticket-Granting Service Echange: To obtain Service-Granting Ticket (3) C  TGS: IDv ||Ticket tgs ||Authenticatorc (4) TGS  C: E Kc [K c,¨v || IDv || TS 4 || Ticket v ] Ticket tgs = E Ktgs [K c,tgs || IDc || ADc || IDtgs || TS 2 || lifetime] Ticket v = E Kv [K c,v || IDc || ADc || IDv || TS || lifetime]

17 Kerberos in Use Currently have two Kerberos versions: 4 : restricted to a single realm 5 : allows inter-realm authentication Kerberos v5 is an Internet standard specified in RFC1510, and used by many utilities To use Kerberos: need to have Kerberised applications running on all participating systems

Digital Certificates and PKI

19 Public Key Encryption Public key cryptography solves symmetric key encryption problem of having to exchange secret key Uses two mathematically related digital keys – public key (widely disseminated) and private key (kept secret by owner) Both keys are used to encrypt and decrypt message Once key is used to encrypt message, same key cannot be used to decrypt message For example, sender uses recipient’s public key to encrypt message; recipient uses his/her private key to decrypt it

20

21 Hash Signatures Application of hash function (mathematical algorithm) by sender prior to encryption produces hash digest that recipient can use to verify integrity of data Double encryption with sender’s private key (digital signature) helps ensure authenticity and nonrepudiation

22

23 Digital Envelopes Addresses weaknesses of public key encryption (computationally slow, decreases transmission speed, increases processing time) and symmetric key encryption (faster, but more secure) Uses symmetric key encryption to encrypt document but public key encryption to encrypt and send symmetric key

24 X.509 Authentication Standard A standard for a distributed set of servers that maintains a database about users. Based on public key cryptography, digital signatures and certificates. Each certificate contains the public key of a user and is signed with the private key of a CA. Used in S/MIME, IP Security, SSL/TLS and SET. RSA is recommended.

25 X.509 A public key certificate is associated with each user in the system. Certificates are created by some trusted certification authority (CA) and placed in the directory. Any user with the public key of the CA can recover a user public key in the directory that was certified by the CA. No party other than the CA can modify the certificate without detection. Certificates are unforgeable.

26 Digital Signature Idea

27 Digital Certificate Digital document that includes:  Name of subject or company  Subject’s public key  Digital certificate serial number  Expiration date  Issuance date  Digital signature of certification authority (trusted third party (institution) that issues certificate  Other identifying information

28

29 PKI Public Key Infrastructure (PKI): refers to the CAs and digital certificate procedures that are accepted by all parties. PKI applies mainly to protecting messages in transit. PKI is not effective against insider fraud. Protection of private keys by individuals may be haphazard. No guarantee that verifying computer of merchant is secure. CAs are unregulated, self-selecting organizations.

30 Certificate Revocation Each certificate has a period of validity. Usually a new certificate is issued just before the old one expires. Sometimes the certificates must be revoked before they expire: –The users secret key is assumed to be compromised. –The user is no longer certified by this CA. –The CA’s certificate is assumed to be compromised.

31 Certificate Revocation Lists Each CA maintains a list of revoked but not yet expired certificates. Each list (CRL) is signed by the CA and posted to the directory. A user who receives a certificate is responsible for checking the CRL to determine its validity.

32 Serial number is unique to a CA

33 Secure Session with SSL

34 For More Info General hacking PKI in practice Government PKI standards