VKSF 423 System Administration III Authentication Kerberos.

1 VKSF 423 System Administration III: Authentication, Kerberos

2 Announcements
- Slight modification to the syllabus
- Office hours: Tuesday 10-12; Thursday 10-12 and 2-3
- Lab Three: Virtualized Storage
  - Veritas Storage Central
  - OpenAFS
  - LVM or EVMS
  - Dynamic Disks (MS DFS)

3 Syllabus Modifications

| Component          | Old Weight | New Component    | Due date                                                              |
|--------------------|------------|------------------|-----------------------------------------------------------------------|
| Labs               | 25%        | No change        | All sign-offs and submission by the end of the 10th week              |
| Practical          | 25%        | No change        | Demonstrated before exam week begins                                  |
| Group Presentation | 10%        | In lab           | In lab, approximately 5 minutes                                       |
| Group Report       | 10%        | Site Book        | Due by end of the 10th week                                           |
| Homework           | 10%        | Group Evaluation | How did the individuals contribute to the completion of the labs      |
| Final Exam         | 20%        | No change        | During the final exam period                                          |

4 Definitions
- Identification: assertion of who you are
- Authentication: the process of proving one's identity
- Authorization: the privileges that accrue to an identity
- Access control: providing the correct services to the correct users

5 Two Types of Authentication
- User authentication
- Machine-to-machine authentication
  - Cryptographic
  - Other (weak)

6 Identification
- Who are you?
- Who do you claim to be?
- Who are you acting as?

7 Authentication
- Can you prove who you say you are? How?
- Something you know: passwords
- Something you are: biometrics
- Something you have: access tokens

8 Access Control
- All of the above
- Allow the correct users
  - Into a system
  - Access to appropriate resources
- Disallow invalid users
  - Entry to the systems
  - Deny access to restricted resources

9 Something You Know: Passwords
- Oxymoron: large random string != easy to remember
- Password design/assignment
  - Multiple words/syllables
  - Mixed case/digits/punctuation
- Storage
  - Weak/strong encryption
- Users perceive the risks as minimal vs. the need to get work done

10 Passwords
- Myth: never write down a password
- Recovery
- Helps more complicated passwords
- Multiple passwords
- Clues/questions
- One-time passwords

11 Something You Are: Biometrics
- Voice, retinal, DNA, body geometry, signature, fingerprints
- Hard to change
- Easy to forge

12 Something You Have: Access Tokens
- Physical keys
- Smart cards
- Translators
- Problems
  - Stolen
  - Duplicated
  - Spoofed

13 Authentication Protocols
- Cryptographic methods to authenticate over a network
- Multiple vulnerabilities

14 Network Authentication Options
- Do nothing: trust the machine to prevent unauthorized user access (control physical access)
- Require the machine to prove its identity to the network, then trust the machine to authenticate users and provide access control
- Require identification and authentication at each resource

15 Authentication Requirements
- Must be secure (a.k.a. secure enough to push hackers elsewhere)
- Must be reliable: a manageable level of false negatives and false positives
- Transparent to users
- Scalable to enterprise networks

16 Simple Protocol
1. Bob enters his password on the client
2. Client sends the password to the server
3. Server looks up the id and password in its database of ids and passwords
4. If it matches, a validation message is sent to the client and Bob is in

17 Problems with the Simple Scenario
- Clear-text password in the database
- Clear-text password in transfer
- Confirmation spoofing

18 Password Database
- Hide
- Encrypt
- Salt
- Multiple serial encryptions

19 Transfer
- Hashing
- Encryption

20 Confirmation Spoofing
- Simple T/F
- Alternate hash of password/known key
- Encryption

21 Improved Protocol: Challenge
- Avoid clear-text transfer of the password
1. Bob informs the server of his desire to access
2. Server offers a phrase to Bob
3. Bob encrypts the phrase with Bob's password and sends it to the server
4. Server, which already knows Bob's password, also encrypts the phrase with Bob's password and compares

22 Problems with the Improved Version
- Server needs a clear-text copy of Bob's password
- Given enough instances of a login, the original password could be determined
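The challenge exchange of slide 21 carried through as an added example (not the lecture's own code), showing both sides' messages and the first weakness of slide 22: the server keeps Bob's password in clear text. In place of "encrypting the phrase with the password" it uses HMAC keyed with the password, a standard keyed-hash binding; the password value and the function names are constructed.

```python
import hashlib
import hmac
import secrets

# Constructed server-side store. Note the password itself is stored in clear,
# which is the weakness slide 22 points out: a database leak exposes it directly.
SERVER_PASSWORDS = {"bob": b"correct horse battery staple"}


def keyed_response(password: bytes, challenge: bytes) -> bytes:
    """Bob's step (and the server's recomputation): bind the offered phrase
    to the password. HMAC-SHA256 stands in for the slide's 'encrypt with password'."""
    return hmac.new(password, challenge, hashlib.sha256).digest()


def server_issue_challenge() -> bytes:
    """Server step: offer a fresh random phrase for this login attempt only."""
    return secrets.token_bytes(16)


def server_verify(user: str, challenge: bytes, response: bytes) -> bool:
    """Server step: recompute the expected response from its own copy of the
    password and compare in constant time."""
    password = SERVER_PASSWORDS.get(user)
    if password is None:
        return False
    expected = keyed_response(password, challenge)
    return hmac.compare_digest(expected, response)


def run_login(user: str, password: bytes):
    """One full login: Bob asks, server challenges, Bob answers, server checks.
    Only the challenge and the response cross the wire, never the password."""
    challenge = server_issue_challenge()
    response = keyed_response(password, challenge)
    return server_verify(user, challenge, response), challenge, response
```

An eavesdropper still sees every (challenge, response) pair, which is the second problem on slide 22: each pair lets password guesses be tested offline.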

23 Use of a "Trusted Third Party": The "Blind Date" Protocol
- I don't know Kathy
- She doesn't know me
- We both know Loretta
- We both separately contact Loretta
- Loretta "vouches" for me to Kathy
- Loretta "vouches" for Kathy to me

24 Levels of Kerberos Protection
- Authentication at initiation of the network session; assume future messages from the same address come from the same machine
- Authentication of each message, no encryption of the message
- Private messages: each message is authenticated and encrypted

25 Kerberos Modules
- Applications library
- Encryption library
- Database library
- Database administration programs
- Administration server
- Authentication server
- Db propagation software
- User programs / applications

26 Kerberos Misc.
- Model based on the Needham and Schroeder key distribution protocol
- Encryption done with DES
- Extendable to DES Cipher Block Chaining
- Database contains one record per principal
- Record contains name, private key, expiration date of the principal
- Name: name.instance@realm

27 Kerberos
- Ticket: used to securely pass the identity of the person to whom the ticket was issued between the authentication server and the end server.
- Authenticator: contains additional information which, when compared against the ticket, proves that the client presenting the ticket is the same one to which the ticket was issued.

28 Kerberos
- Keeps a database of clients and private keys
- If the client is a user, the key is the encrypted password
- Generates temporary private keys (session keys)
- Session keys are given to two clients to encrypt messages between them

29 Kerberos Ticket
- A ticket is good for a single server and a single client
- Contains
  - Name of the server
  - Name of the client
  - IP address of the client
  - Timestamp
  - Lifetime
  - Random session key
- Encrypted using the private key of the server for which the ticket will be used
- May be used until the lifetime expires

30 Kerberos Authenticator
- Contains
  - Name of the client
  - Client's IP address
  - Client's current time
- Can only be used once; must be regenerated each time a client wants to use a service
- Can be regenerated by the client (without going to the server)
- Encrypted in the session key that is part of the ticket

31 Enhanced Protocol: Kerberos
1. Bob asks the K-server for access to Mary's server
2. K-server checks to see if Bob has access permissions
3. K-server sends Bob a ticket and a session key
4. Bob uses the session key to create an authenticator to prove to Mary that he is Bob
5. Bob sends the ticket and the authenticator to Mary
6. Mary checks both
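The ticket and authenticator of slides 29 to 31 worked through as an added example that is not from the lecture: a toy encrypt-then-MAC seal() stands in for the DES encryption of slide 26, kserver_issue() builds the ticket with the fields of slide 29, client_authenticator() builds the single-use authenticator of slide 30, and server_check() performs the comparisons Mary makes in step 6. All function names, keys, principals and addresses are constructed.

```python
import hashlib, hmac, json, secrets, time

def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    """HMAC-SHA256 used as a PRF in counter mode: n bytes of keystream."""
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range((n + 31) // 32))[:n]

def seal(key: bytes, obj: dict) -> bytes:
    """Toy encrypt-then-MAC standing in for the DES encryption of slide 26."""
    pt, nonce = json.dumps(obj).encode(), secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> dict:
    """Reverse of seal; raises ValueError if the key is wrong or the blob was altered."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered blob")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

def kserver_issue(client, client_ip, server, server_key, lifetime=300):
    """Slide 29: one ticket per client/server pair, sealed with the server's private key.
    The session key is handed back to the client next to the ticket (slide 31, step 3)."""
    session_key = secrets.token_bytes(32)
    ticket = {"server": server, "client": client, "ip": client_ip, "timestamp": time.time(),
              "lifetime": lifetime, "session_key": session_key.hex()}
    return seal(server_key, ticket), session_key

def client_authenticator(client, client_ip, session_key):
    """Slide 30: built by the client alone, fresh for every use, sealed in the session key."""
    return seal(session_key, {"client": client, "ip": client_ip, "time": time.time()})

def server_check(server_key, server, ticket_blob, auth_blob, peer_ip, seen, skew=60):
    """Mary's side of slide 31: open the ticket with her own key, open the
    authenticator with the session key found inside, then compare the two."""
    t = unseal(server_key, ticket_blob)
    now = time.time()
    if t["server"] != server or now > t["timestamp"] + t["lifetime"]:
        return False, "ticket not for this server or lifetime expired"
    a = unseal(bytes.fromhex(t["session_key"]), auth_blob)
    if (a["client"], a["ip"]) != (t["client"], t["ip"]) or a["ip"] != peer_ip:
        return False, "authenticator does not match ticket or peer address"
    if abs(now - a["time"]) > skew:
        return False, "authenticator clock too far off"
    if auth_blob in seen:  # slide 30: an authenticator may only be used once
        return False, "authenticator replayed"
    seen.add(auth_blob)
    return True, t["client"]
```

The seen set is Mary's record of authenticators already presented, which is what makes a captured authenticator useless on a second presentation even though the ticket itself stays valid until its lifetime expires.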

32 Main Problem
- Authentication of a user or device given zero prior information
- Does Kerberos do this?
