Scribd
Upload
247 views19 pages

Authentication Applications: Data and Network Security

Kerberos is a centralized authentication system that allows users and servers to authenticate each other across an unsecured network. It uses symmetric encryption and message exchange to provide confidentiality and prevent replay attacks. Kerberos Version 4 uses DES encryption and has issues with ticket lifetimes allowing replay attacks. Kerberos Version 5 allows inter-realm authentication and uses improved encryption methods. X.509 is a public key infrastructure that uses digital certificates signed by certificate authorities to authenticate users and secure communication.

Uploaded by

asad
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
247 views19 pages

Authentication Applications: Data and Network Security

Kerberos is a centralized authentication system that allows users and servers to authenticate each other across an unsecured network. It uses symmetric encryption and message exchange to provide confidentiality and prevent replay attacks. Kerberos Version 4 uses DES encryption and has issues with ticket lifetimes allowing replay attacks. Kerberos Version 5 allows inter-realm authentication and uses improved encryption methods. X.509 is a public key infrastructure that uses digital certificates signed by certificate authorities to authenticate users and secure communication.

Uploaded by

asad
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 19

Authentication

Applications

Data and Network Security


Security Concerns
• key concerns are confidentiality and
timeliness
• to provide confidentiality must encrypt
identification and session key info
• which requires the use of previously shared
private or public keys
• need timeliness to prevent replay attacks
• provided by using sequence numbers or
timestamps or challenge/response

Data and Network Security


KERBEROS

In Greek mythology, a many headed dog,


the guardian of the entrance of Hades
Data and Network Security
KERBEROS
• Users wish to access services on
servers.
• Three threats exist:
– User pretend to be another user.
– User alter the network address of a
workstation.
– User eavesdrop on exchanges and use a
replay attack.
Data and Network Security
KERBEROS
• Provides a centralized authentication
server to authenticate users to
servers and servers to users.
• Relies on conventional encryption,
making no use of public-key
encryption
• Two versions: version 4 and 5
• Version 4 makes use of DES
Data and Network Security
Kerberos Version 4
• Terms:
– C = Client
– AS = authentication server
– V = server
– IDc = identifier of user on C
– IDv = identifier of V
– Pc = password of user on C
– ADc = network address of C
– Kv = secret encryption key shared by AS an V
– TS = timestamp
– || = concatenation
Data and Network Security
A Simple Authentication
Dialogue
(1) C  AS: IDc || Pc || IDv
(2) AS  C: Ticket
(3) C  V: IDc || Ticket

Ticket = EKv[IDc || Pc || IDv]

Data and Network Security


Version 4 Authentication
Dialogue
• Problems:
– Lifetime associated with the ticket-granting
ticket
– If too short  repeatedly asked for password
– If too long  greater opportunity to replay
• The threat is that an opponent will steal the
ticket and use it before it expires

Data and Network Security


Version 4 Authentication Dialogue
Authentication Service Exhange: To obtain Ticket-Granting Ticket
(1) C  AS: IDc || IDtgs ||TS1
(2) AS  C: EKc [Kc,tgs|| IDtgs || TS2 || Lifetime2 || Tickettgs]

Ticket-Granting Service Echange: To obtain Service-Granting Ticket


(3) C  TGS: IDv ||Tickettgs ||Authenticatorc
(4) TGS  C: EKc [Kc,¨v|| IDv || TS4 || Ticketv]

Client/Server Authentication Exhange: To Obtain Service


(5) C  V: Ticketv || Authenticatorc
(6) V  C: EKc,v[TS5 +1]
Data and Network Security
Overview of Kerberos

Data and Network Security


Request for Service in
Another Realm

Data and Network Security


Difference Between
Version 4 and 5
• Encryption system dependence (V.4 DES)
• Internet protocol dependence
• Message byte ordering
• Ticket lifetime
• Authentication forwarding
• Interrealm authentication

Data and Network Security


Kerberos - in practice
• Currently have two Kerberos versions:
• 4 : restricted to a single realm
• 5 : allows inter-realm authentication, in beta test
• Kerberos v5 is an Internet standard
• specified in RFC1510, and used by many utilities
• To use Kerberos:
• need to have a KDC on your network
• need to have Kerberised applications running on all
participating systems
• major problem - US export restrictions
• Kerberos cannot be directly distributed outside the
US in source format (& binary versions must obscure
crypto routine entry points and have no encryption)
• else crypto libraries must be reimplemented locally
Data and Network Security
X.509 Authentication
Service
• Distributed set of servers that
maintains a database about users.
• Each certificate contains the public
key of a user and is signed with the
private key of a CA.
• Is used in S/MIME, IP Security,
SSL/TLS and SET.
• RSA is recommended to use.
Data and Network Security
X.509 Formats

Data and Network Security


Typical Digital Signature
Approach

Data and Network Security


Obtaining a User’s
Certificate
• Characteristics of certificates
generated by CA:
– Any user with access to the public key of
the CA can recover the user public key
that was certified.
– No part other than the CA can modify
the certificate without this being
detected.

Data and Network Security


Revocation of Certificates
• Reasons for revocation:
– The users secret key is assumed to be
compromised.
– The user is no longer certified by this
CA.
– The CA’s certificate is assumed to be
compromised.

Data and Network Security


Authentication Procedures

Data and Network Security

You might also like