
CSCE 715: Network Systems Security






Presentation Transcript


  1. CSCE 715: Network Systems Security
  Chin-Tser Huang, huangct@cse.sc.edu, University of South Carolina

  2. Authentication Applications
  • Developed to support application-level authentication and digital signatures
  • A famous example is Kerberos – a password authentication service

  3. Kerberos
  • Trusted key server system from MIT
  • Provides centralized, password-based third-party authentication in a distributed network
    • allows users access to services distributed throughout the network
    • without needing to trust all workstations
    • instead, all trust a central authentication server
  • Two versions in use: 4 & 5

  4. Kerberos Requirements
  • The first published report identified its requirements as
    • security
    • reliability
    • transparency
    • scalability
  • Implemented using an authentication protocol based on Needham-Schroeder

  5. Kerberos 4 Overview
  • A basic third-party authentication scheme
  • Has an Authentication Server (AS)
    • users initially negotiate with the AS to identify themselves
    • the AS provides a non-corruptible authentication credential (ticket-granting ticket, TGT)
  • Has a Ticket-Granting Server (TGS)
    • users subsequently request access to other services from the TGS on the basis of the user's TGT

  6. First Design
  (1) C → AS: IDc || Pc || IDv
  (2) AS → C: Ticket
  (3) C → V: IDc || Ticket
  Ticket = EKv[IDc || ADc || IDv]

  7. Problems with First Design
  • The user may have to submit the password many times in the same logon session
  • The password is transmitted in the clear

  8. Second Design
  Once per user logon session:
  (1) C → AS: IDc || IDtgs
  (2) AS → C: EKc[Tickettgs]
  Once per type of service:
  (3) C → TGS: IDc || IDv || Tickettgs
  (4) TGS → C: Ticketv
  Once per service session:
  (5) C → V: IDc || Ticketv
  Tickettgs = EKtgs[IDc || ADc || IDtgs || TS1 || Lifetime1]
  Ticketv = EKv[IDc || ADc || IDv || TS2 || Lifetime2]

  9. Problems with Second Design
  • Requirement for a server (TGS or application server) to verify that the person using a ticket is the same person to whom the ticket was issued
  • Requirement for servers to authenticate themselves to users

  10. Kerberos 4 Message Exchange

  11. Kerberos 4 Message Exchange
  Kc,tgs: a session key created by the AS to permit secure exchange between the client and the TGS without requiring them to share a permanent key

  12. Kerberos 4 Message Exchange
  EKc,tgs[Authenticatorc]: generated by the client to assure the TGS that the ticket presenter is the same client for whom Tickettgs was issued. Has a very short lifetime to prevent replay

  13. Kerberos 4 Message Exchange
  Message (6) assures C that it is really talking to the legitimate server V and that this message is not a replayed message
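The following simulation of the Kerberos 4 exchange on slides 8 to 13 is an added example; it is not code from the original slides or from MIT Kerberos. It assumes the standard Kerberos 4 message layout (messages (1) to (6) as drawn on slide 10: the TGT and service ticket carry the session key, identities, address, timestamp and lifetime; each authenticator carries IDc, ADc and a timestamp; message (6) returns TS5 + 1 under Kc,v). A toy HMAC-SHA256 authenticated encryption stands in for the DES that Kerberos 4 used, the principal names alice, tgs and fileserver, the address 10.0.0.5, the password-to-key derivation and the lifetime and clock-skew constants are all constructed for the example, and the client address is passed in the request rather than read from the network packet.

```python
import hashlib, hmac, json, secrets

SKEW, TGT_LIFETIME, SVC_LIFETIME = 300, 8 * 3600, 3600   # assumed policy values (seconds)

def _keystream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def encrypt(key, obj):
    # Toy authenticated encryption (HMAC-SHA256 keystream + tag), standing in for Kerberos 4's DES.
    # Returns hex so a ticket can nest inside another encrypted message.
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return (nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()).hex()

def decrypt(key, blob_hex):
    blob = bytes.fromhex(blob_hex)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered ciphertext")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def presenter_problem(ticket, auth, now, replay_cache):
    # The check slides 9 and 12 call for. Returns "" if the presenter is accepted, else the reason:
    # unexpired ticket; authenticator (sealed under the ticket's session key) names the same client
    # and address, is fresh, and has not been presented before.
    if now > ticket["TS"] + ticket["Lifetime"]:
        return "ticket expired"
    if (auth["IDc"], auth["ADc"]) != (ticket["IDc"], ticket["ADc"]):
        return "authenticator does not match ticket holder"
    if abs(now - auth["TS"]) > SKEW:
        return "authenticator timestamp outside clock skew"
    if (auth["IDc"], auth["TS"]) in replay_cache:
        return "authenticator replayed"
    replay_cache.add((auth["IDc"], auth["TS"]))
    return ""

def authenticator(session_key, idc, adc, now):
    return encrypt(session_key, {"IDc": idc, "ADc": adc, "TS": now})

class KDC:  # Authentication Server and Ticket-Granting Server in one process
    def __init__(self, client_keys, tgs_key, server_keys):
        self.client_keys, self.tgs_key, self.server_keys = client_keys, tgs_key, server_keys
        self.replay_cache = set()

    def as_exchange(self, msg1, now):
        # (1) C -> AS: IDc || IDtgs || TS1   (2) AS -> C: EKc[Kc,tgs || IDtgs || TS2 || Lifetime2 || Tickettgs]
        # ADc is taken from msg1 here; a real AS reads the client's network address from the packet.
        kc_tgs = secrets.token_hex(32)
        tgt = {"Key": kc_tgs, "IDc": msg1["IDc"], "ADc": msg1["ADc"], "IDv": "tgs", "TS": now, "Lifetime": TGT_LIFETIME}
        return encrypt(self.client_keys[msg1["IDc"]], {"Kc_tgs": kc_tgs, "IDtgs": "tgs", "TS2": now,
                       "Lifetime2": TGT_LIFETIME, "Ticket_tgs": encrypt(self.tgs_key, tgt)})

    def tgs_exchange(self, msg3, now):
        # (3) C -> TGS: IDv || Tickettgs || Authenticatorc   (4) TGS -> C: EKc,tgs[Kc,v || IDv || TS4 || Ticketv]
        tgt = decrypt(self.tgs_key, msg3["Ticket_tgs"])
        kc_tgs = bytes.fromhex(tgt["Key"])
        if p := presenter_problem(tgt, decrypt(kc_tgs, msg3["Authenticator"]), now, self.replay_cache):
            raise ValueError(p)
        kc_v = secrets.token_hex(32)
        tv = {"Key": kc_v, "IDc": tgt["IDc"], "ADc": tgt["ADc"], "IDv": msg3["IDv"], "TS": now, "Lifetime": SVC_LIFETIME}
        return encrypt(kc_tgs, {"Kc_v": kc_v, "IDv": msg3["IDv"], "TS4": now,
                                "Ticket_v": encrypt(self.server_keys[msg3["IDv"]], tv)})

class ApplicationServer:  # V
    def __init__(self, key):
        self.key, self.replay_cache = key, set()

    def serve(self, msg5, now):
        # (5) C -> V: Ticketv || Authenticatorc   (6) V -> C: EKc,v[TS5 + 1]
        ticket = decrypt(self.key, msg5["Ticket_v"])
        kc_v = bytes.fromhex(ticket["Key"])
        auth = decrypt(kc_v, msg5["Authenticator"])
        if p := presenter_problem(ticket, auth, now, self.replay_cache):
            raise ValueError(p)
        return encrypt(kc_v, {"TS5_plus_1": auth["TS"] + 1})  # only a holder of Kc,v can form this

def client_login(kdc, server, password, idc, adc, idv, now):
    # One complete Kerberos 4 run seen from the client; True only if V proves it knows Kc,v (message 6).
    kc = hashlib.sha256(password.encode()).digest()   # Kc derived from the user's password (toy KDF)
    m2 = decrypt(kc, kdc.as_exchange({"IDc": idc, "IDtgs": "tgs", "TS1": now, "ADc": adc}, now))
    kc_tgs = bytes.fromhex(m2["Kc_tgs"])
    m4 = decrypt(kc_tgs, kdc.tgs_exchange({"IDv": idv, "Ticket_tgs": m2["Ticket_tgs"],
                                            "Authenticator": authenticator(kc_tgs, idc, adc, now)}, now))
    kc_v = bytes.fromhex(m4["Kc_v"])
    m6 = decrypt(kc_v, server.serve({"Ticket_v": m4["Ticket_v"],
                                     "Authenticator": authenticator(kc_v, idc, adc, now)}, now))
    return m6["TS5_plus_1"] == now + 1

def build_realm(password="alice-password"):
    # Constructed realm: user "alice", one TGS key, one application server "fileserver"
    tgs_key, v_key = secrets.token_bytes(32), secrets.token_bytes(32)
    kdc = KDC({"alice": hashlib.sha256(password.encode()).digest()}, tgs_key, {"fileserver": v_key})
    return kdc, ApplicationServer(v_key)
```

Timestamps are passed in as `now` rather than read from the clock so a run is reproducible; `client_login(*build_realm(), "alice-password", "alice", "10.0.0.5", "fileserver", 1_700_000_000)` returns True. The password is never sent (it only unlocks message (2) locally), which removes the slide 7 problems, and `presenter_problem` is exactly the ticket-holder check of slide 9: presenting the same authenticator twice, or from a different address than the ticket names, is refused with the stated reason.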

  14. Kerberos 4 Overview

  15. Kerberos Realms
  • A Kerberos environment consists of
    • a Kerberos server
    • a number of clients, all registered with the server
    • application servers, sharing keys with the server
  • This is termed a "realm"
    • typically within a single administrative domain
  • If there are multiple realms, their Kerberos servers must share keys and trust each other

  16. Request Service in Another Realm

  17. Kerberos Version 5
  • Developed in the mid-1990s
  • Provides improvements over Version 4
    • addresses environmental shortcomings
      • encryption algorithm, network protocol, byte order, ticket lifetime, authentication forwarding, inter-realm authentication
    • and technical deficiencies
      • double encryption, non-standard mode of use, session keys, password attacks
  • Specified as Internet standard RFC 1510

  18. Kerberos 5 Message Exchange

  19. Next Class
  • X.509 certificates and authorization
