
CSCE 715: Network Systems Security






Presentation Transcript


  1. CSCE 715:Network Systems Security Chin-Tser Huang huangct@cse.sc.edu University of South Carolina

  2. Authentication Applications • Developed to support application-level authentication and digital signatures • A famous example is Kerberos – a third-party authentication service based on secret (symmetric) keys; the user's password is only the source of the client's long-term key

  3. Kerberos • Trusted key server system from MIT • Provides centralized secret-key third-party authentication in a distributed network • allows users access to services distributed through the network • without needing to trust all workstations • instead all trust a central authentication server • Two versions in use: 4 & 5

  4. Kerberos Requirements • First published report identified its requirements as • security • reliability • transparency • scalability • Implemented using an authentication protocol based on Needham-Schroeder

  5. Kerberos 4 Overview • A basic third-party authentication scheme • Has an Authentication Server (AS) • users initially negotiate with AS to identify themselves • AS provides a non-corruptible authentication credential (ticket-granting ticket, TGT) • Has a Ticket-Granting Server (TGS) • users subsequently request access to other services from TGS on the basis of the user's TGT

  6. First Design (1) C → AS: IDc || Pc || IDv (2) AS → C: Ticket (3) C → V: IDc || Ticket Ticket = EKv[IDc || ADc || IDv] (C = client, AS = authentication server, V = application server, Pc = password of C, ADc = network address of C, Kv = secret key shared by AS and V)

  7. Problems with First Design • User may have to submit password many times in the same logon session • Password is transmitted in clear

  8. Second Design Once per user logon session: (1) C → AS: IDc || IDtgs (2) AS → C: EKc[Tickettgs] Once per type of service: (3) C → TGS: IDc || IDv || Tickettgs (4) TGS → C: Ticketv Once per service session: (5) C → V: IDc || Ticketv Tickettgs = EKtgs[IDc || ADc || IDtgs || TS1 || Lifetime1] Ticketv = EKv[IDc || ADc || IDv || TS2 || Lifetime2] (Kc = key derived from C's password, Ktgs = key shared by AS and TGS, TS = timestamp, Lifetime = validity period of the ticket)

  9. Problems with Second Design • Requirement for the server (TGS or application server) to verify that the person using a ticket is the same person to whom the ticket was issued; a ticket alone only proves possession of the ticket • Requirement for servers to authenticate themselves to users
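The following is an added example, not part of the original slides, that runs the second-design exchange of slides 8 and 9 end to end and then shows the standard Kerberos 4 remedy for the two problems on slide 9: a per-session key Kc,v sealed inside Ticketv plus an authenticator Ec,v[IDc || ADc || TS5] from the client, answered by Ec,v[TS5 + 1] from the server. The cipher is a toy SHA-256 keystream with an HMAC tag standing in for the slides' EK[...] (Kerberos 4 used DES), the principal names, the address 10.0.0.5, the keys and the timestamps are all constructed for the example, and the Kc,tgs layer of the real AS/TGS exchange is elided so the code stays focused on the client-to-server step.

```python
import hashlib
import hmac
import os
import struct

# Toy authenticated encryption (SHA-256 keystream + HMAC-SHA256 tag) standing in for
# the slides' E_K[...]; it runs on the standard library and is NOT a production cipher.
def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hashlib.sha256(key + nonce + struct.pack(">I", i)).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def E(key: bytes, msg: bytes) -> bytes:
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(msg, _keystream(key, nonce, len(msg))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def D(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed (wrong key or tampered)")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def cat(*fields) -> bytes:     # the slides' "||" concatenation
    return b"|".join(str(f).encode() for f in fields)
def split(msg: bytes) -> list:
    return msg.decode().split("|")

# Long-term keys, constructed for this example: Kc is derived from the user's
# password; Ktgs and Kv are shared between the Kerberos server and TGS / server V.
KC = hashlib.sha256(b"alice-password").digest()
KTGS = hashlib.sha256(b"tgs-key").digest()
KV = hashlib.sha256(b"fileserver-key").digest()
LIFETIME = 8 * 3600          # seconds; the tickets' Lifetime field

# ---- Second design (slide 8) ------------------------------------------------
def as_exchange(id_c, ad_c, id_tgs, now):
    """(1) C->AS: IDc||IDtgs  (2) AS->C: E(Kc, Ticket_tgs). ADc = request's source address."""
    ticket_tgs = E(KTGS, cat(id_c, ad_c, id_tgs, now, LIFETIME))
    return E(KC, ticket_tgs)

def tgs_exchange(id_c, id_v, ticket_tgs, now):
    """(3) C->TGS: IDc||IDv||Ticket_tgs  (4) TGS->C: Ticket_v"""
    tid_c, ad_c, _, ts, life = split(D(KTGS, ticket_tgs))
    if tid_c != id_c or now >= int(ts) + int(life):
        raise PermissionError("TGT names another client or has expired")
    return E(KV, cat(id_c, ad_c, id_v, now, LIFETIME))

def v_accepts_second_design(id_c, ticket_v, now):
    """(5) C->V: IDc||Ticket_v. V can only compare the claimed name with the ticket
    and check the lifetime; anyone holding Ticket_v passes (slide 9, problem 1)."""
    tid_c, _, _, ts, life = split(D(KV, ticket_v))
    return tid_c == id_c and now < int(ts) + int(life)

# ---- Kerberos 4 remedy: session key Kc,v plus authenticator ------------------
def tgs_exchange_v4(id_c, id_v, ticket_tgs, now):
    """TGS mints a session key Kc,v, seals it inside Ticket_v and hands it to C
    (Kerberos 4 returns it under Kc,tgs from the AS exchange; that layer is elided)."""
    tid_c, ad_c, _, ts, life = split(D(KTGS, ticket_tgs))
    if tid_c != id_c or now >= int(ts) + int(life):
        raise PermissionError("TGT names another client or has expired")
    k_cv = os.urandom(32)
    return k_cv, E(KV, cat(id_c, ad_c, id_v, now, LIFETIME, k_cv.hex()))

def client_authenticator(id_c, ad_c, k_cv, now):
    """Authenticator_c = E(Kc,v, [IDc||ADc||TS5]); only a holder of Kc,v can build it."""
    return E(k_cv, cat(id_c, ad_c, now))

def v_accepts_v4(ticket_v, authenticator, now, skew=300):
    """(5) C->V: Ticket_v||Authenticator_c  (6) V->C: E(Kc,v, [TS5+1]), or None on reject.
    The reply proves to C that V knows Kc,v, hence holds Kv (slide 9, problem 2)."""
    tid_c, tad_c, _, ts, life, k_hex = split(D(KV, ticket_v))
    if now >= int(ts) + int(life):
        return None
    k_cv = bytes.fromhex(k_hex)
    try:
        aid_c, aad_c, ts5 = split(D(k_cv, authenticator))
    except ValueError:
        return None                            # authenticator not built with Kc,v
    if (aid_c, aad_c) != (tid_c, tad_c) or abs(now - int(ts5)) > skew:
        return None                            # wrong principal, or stale (replayed)
    return E(k_cv, cat(int(ts5) + 1))

def demo():
    now = 1_700_000_000
    ticket_tgs = D(KC, as_exchange("alice", "10.0.0.5", "tgs", now))   # only Alice has Kc
    # Second design: Mallory replays a Ticket_v sniffed from Alice's session and is accepted.
    ticket_v = tgs_exchange("alice", "fileserver", ticket_tgs, now)
    replayed = v_accepts_second_design("alice", ticket_v, now + 60)
    # Kerberos 4: Mallory has Ticket_v but not Kc,v, so cannot build an authenticator,
    # and an authenticator captured earlier fails the freshness check.
    k_cv, ticket_v4 = tgs_exchange_v4("alice", "fileserver", ticket_tgs, now)
    auth = client_authenticator("alice", "10.0.0.5", k_cv, now)
    reply = v_accepts_v4(ticket_v4, auth, now)
    forged = v_accepts_v4(ticket_v4, E(os.urandom(32), cat("alice", "10.0.0.5", now)), now)
    stale = v_accepts_v4(ticket_v4, auth, now + 3600)
    mutual = split(D(k_cv, reply))[0] == str(now + 1)
    return replayed, reply is not None, forged is None, stale is None, mutual
```

Running demo() returns (True, True, True, True, True): the second design accepts the replayed ticket, while with the authenticator the genuine client is accepted, a forged and a stale authenticator are refused, and the server's TS5 + 1 reply lets the client confirm it is talking to the real V. The 300-second skew window is why Kerberos deployments depend on synchronized clocks; a server that also remembers recently seen authenticators closes the remaining replay window inside that interval.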

  10. Kerberos 4 Message Exchange

  11. Kerberos 4 Overview

  12. Kerberos Realms • A Kerberos environment consists of • a Kerberos server • a number of clients, all registered with the server • application servers, sharing keys with the server • This is termed a “realm” • typically within a single administrative domain • If there are multiple realms, their Kerberos servers must share keys and trust each other

  13. Request Service in Another Realm

  14. Kerberos Version 5 • Developed in the mid 1990’s • Provides improvements over Version 4 • addresses environmental shortcomings • encryption algorithm, network protocol, byte order, ticket lifetime, authentication forwarding, inter-realm authentication • and technical deficiencies • double encryption, non-standard mode of use (PCBC), session keys, password attacks • Specified as Internet standard RFC 1510 (since superseded by RFC 4120)

  15. Kerberos 5 Message Exchange

  16. Next Class • Certificate and authorization • Firewall and access control • Read Chapters 14, 20
