Presentation is loading. Please wait.

Presentation is loading. Please wait.

Henric Johnson1 Chapter 4 Authentication Applications Henric Johnson Blekinge Institute of Technology,Sweden

Published byClara Greenway Modified over 10 years ago

Similar presentations

Presentation on theme: "Henric Johnson1 Chapter 4 Authentication Applications Henric Johnson Blekinge Institute of Technology,Sweden"— Presentation transcript:

1 Henric Johnson1 Chapter 4 Authentication Applications Henric Johnson Blekinge Institute of Technology,Sweden http://www.its.bth.se/staff/hjo/ henric.johnson@bth.se

2 Henric Johnson2 Outline Security Concerns Kerberos X.509 Authentication Service Recommended reading and Web Sites

3 Henric Johnson3 Security Concerns key concerns are confidentiality and timeliness to provide confidentiality must encrypt identification and session key info which requires the use of previously shared private or public keys need timeliness to prevent replay attacks provided by using sequence numbers or timestamps or challenge/response

4 Henric Johnson4 KERBEROS In Greek mythology, a many headed dog, the guardian of the entrance of Hades

5 Henric Johnson5 KERBEROS Users wish to access services on servers. Three threats exist: –User pretend to be another user. –User alter the network address of a workstation. –User eavesdrop on exchanges and use a replay attack.

6 Henric Johnson6 KERBEROS Provides a centralized authentication server to authenticate users to servers and servers to users. Relies on conventional encryption, making no use of public-key encryption Two versions: version 4 and 5 Version 4 makes use of DES

7 Henric Johnson7 Kerberos Version 4 Terms: –C = Client –AS = authentication server –V = server –ID c = identifier of user on C –ID v = identifier of V –P c = password of user on C –ADc = network address of C – K v = secret encryption key shared by AS an V –TS = timestamp –|| = concatenation

8 Henric Johnson8 A Simple Authentication Dialogue (1)C AS: ID c || P c || ID v (2)AS C:Ticket (3)C V: ID c || Ticket Ticket = E K v [ ID c || AD c || ID v]

9 Henric Johnson9 Version 4 Authentication Dialogue Problems: –Lifetime associated with the ticket-granting ticket –If too short repeatedly asked for password –If too long greater opportunity to replay The threat is that an opponent will steal the ticket and use it before it expires

10 Henric Johnson10 Verbeterde versie Eens per logon sessie: (1)C AS: IDc || IDtgs (2)AS C: E Kc [Ticket tgs ] Ticket-Granting Service Echange: To obtain Service-Granting Ticket (3) C TGS: IDc || IDv ||Ticket tgs (4) TGS C: Ticket v Client/Server Authentication Exhange: To Obtain Service (5) C V: IDc ||Ticket v Ticket tgs = E ktgs [IDc || ADc || ID tgs || TS1 || Lifetime1] Ticket v = E kv [IDc || ADc || ID v || TS2 || Lifetime2]

11 Henric Johnson11 Version 4 Authentication Dialogue Authentication Service Exhange: To obtain Ticket-Granting Ticket (1)C AS: IDc || IDtgs ||TS 1 (2)AS C: E Kc [K c,tgs || ID tgs || TS 2 || Lifetime 2 || Ticket tgs ] Ticket-Granting Service Echange: To obtain Service-Granting Ticket (3) C TGS: IDv ||Ticket tgs ||Authenticatorc (4) TGS C: E Kc [K c,¨v || IDv || TS 4 || Ticket v ] Client/Server Authentication Exhange: To Obtain Service (5) C V: Ticket v || Authenticator c (6) V C: EKc,v[TS5 +1]

12 Henric Johnson12 Overview of Kerberos

13 Henric Johnson13 Request for Service in Another Realm

14 Henric Johnson14 Difference Between Version 4 and 5 Encryption system dependence (V.4 DES) Internet protocol dependence Message byte ordering Ticket lifetime Authentication forwarding Interrealm authentication

15 Henric Johnson15 Kerberos Encryption Techniques

16 Henric Johnson16 PCBC Mode

17 Henric Johnson17 Kerberos - in practise Kerberos - in practise Currently have two Kerberos versions: 4 : restricted to a single realm 5 : allows inter-realm authentication, in beta test Kerberos v5 is an Internet standard specified in RFC1510, and used by many utilities To use Kerberos: need to have a KDC on your network need to have Kerberised applications running on all participating systems major problem - US export restrictions Kerberos cannot be directly distributed outside the US in source format (& binary versions must obscure crypto routine entry points and have no encryption) else crypto libraries must be reimplemented locally

18 Henric Johnson18 X.509 Authentication Service Distributed set of servers that maintains a database about users. Each certificate contains the public key of a user and is signed with the private key of a CA. Is used in S/MIME, IP Security, SSL/TLS and SET. RSA is recommended to use.

19 Henric Johnson19 X.509 Formats

20 Henric Johnson20 Typical Digital Signature Approach

21 Henric Johnson21 Obtaining a Users Certificate Characteristics of certificates generated by CA: –Any user with access to the public key of the CA can recover the user public key that was certified. –No part other than the CA can modify the certificate without this being detected.

22 Henric Johnson22 X.509 CA Hierarchy

23 Henric Johnson23 Revocation of Certificates Reasons for revocation: –The users secret key is assumed to be compromised. –The user is no longer certified by this CA. –The CAs certificate is assumed to be compromised.

24 Henric Johnson24 Authentication Procedures

25 Henric Johnson25 Recommended Reading and WEB Sites www.whatis.com (search for kerberos) Bryant, W. Designing an Authentication System: A Dialogue in Four Scenes. http://web.mit.edu/kerberos/www/dialogue.html Kohl, J.; Neuman, B. The Evolotion of the Kerberos Authentication Service http://web.mit.edu/kerberos/www/papers.html http://www.isi.edu/gost/info/kerberos/

Download ppt "Henric Johnson1 Chapter 4 Authentication Applications Henric Johnson Blekinge Institute of Technology,Sweden"

Similar presentations

Personnel Preparation Through Collaboration: The Deaf Education Online Collaborative Network Harold Johnson/Professor – Kent State University February.

Personnel Preparation Through Collaboration: The Deaf Education Online Collaborative Network Harold Johnson/Professor – Kent State University February.
Computer Science CSC 474Dr. Peng Ning1 CSC 474 Information Systems Security Topic 4.6 Kerberos.

Computer Science CSC 474Dr. Peng Ning1 CSC 474 Information Systems Security Topic 4.6 Kerberos.
1 Kerberos Anita Jones November, 2006. 2 Kerberos * : Objective Assumed environment Assumed environment –Open distributed environment –Wireless and Ethernetted.

1 Kerberos Anita Jones November, Kerberos * : Objective Assumed environment Assumed environment –Open distributed environment –Wireless and Ethernetted.
Supervisor :Dr. Lo'ai Ali Tawalbeh Done by: Wa’el Musa Hadi

Supervisor :Dr. Lo'ai Ali Tawalbeh Done by: Wa’el Musa Hadi
The Authentication Service ‘Kerberos’ and It’s Limitations

The Authentication Service ‘Kerberos’ and It’s Limitations
Authentication Applications Kerberos And X.509. Kerberos Motivation –Secure against eavesdropping –Reliable – distributed architecture –Transparent –

Authentication Applications Kerberos And X.509. Kerberos Motivation –Secure against eavesdropping –Reliable – distributed architecture –Transparent –
Security Protocols Sathish Vadhiyar Sources / Credits: Kerberos web pages and documents contained / pointed.

Security Protocols Sathish Vadhiyar Sources / Credits: Kerberos web pages and documents contained / pointed.
Authentication Applications

Authentication Applications
1 Authentication Applications Ola Flygt Växjö University, Sweden +46 470 70 86 49.

1 Authentication Applications Ola Flygt Växjö University, Sweden
Chapter 14 – Authentication Applications

Chapter 14 – Authentication Applications
NETWORK SECURITY.

NETWORK SECURITY.
Kerberos and X.509 Fourth Edition by William Stallings

Kerberos and X.509 Fourth Edition by William Stallings
CSCE 815 Network Security Lecture 10 KerberosX.509 February 13, 2003.

CSCE 815 Network Security Lecture 10 KerberosX.509 February 13, 2003.
IT 221: Introduction to Information Security Principles Lecture 8:Authentication Applications For Educational Purposes Only Revised: October 20, 2002.

IT 221: Introduction to Information Security Principles Lecture 8:Authentication Applications For Educational Purposes Only Revised: October 20, 2002.
Authentication Applications The Kerberos Protocol Standard

Authentication Applications The Kerberos Protocol Standard
SCSC 455 Computer Security

SCSC 455 Computer Security
Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.

Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.
Behzad Akbari Spring 2012 1 In the Name of the Most High.

Behzad Akbari Spring In the Name of the Most High.
Henric Johnson1 Chapter 12 Network Management Security Henric Johnson Blekinge Institute of Technology, Sweden

Henric Johnson1 Chapter 12 Network Management Security Henric Johnson Blekinge Institute of Technology, Sweden
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Similar presentations

Ads by Google