
Authentication Applications



Presentation Transcript


  1. Authentication Applications: Kerberos and X.509

  2. Kerberos
  • Motivation
    • Secure against eavesdropping
    • Reliable – distributed architecture
    • Transparent – almost invisible to the user
    • Scalable – to many users and servers
  • Two versions
    • Version 4 – basic ideas
    • Version 5 – fixes and a wider variety of algorithms

  3. Kerberos Version 4
  • The full protocol is complex, so start from a simplified approach:
    • Client asks the authentication server (AS) for a ticket
    • AS grants the ticket
    • Client sends the ticket to the server
  • Weaknesses of the simplified approach (fix in parentheses)
    • Big load on the AS (provide secondary ticket-granting servers, TGS)
    • Repeated password entry (password to the AS seldom; tickets from the TGS when needed, based on the AS authentication)

  4. Strategies and Countermoves
  • What opponents of Version 4 can do
    • Wait for long-lived ticket-granting tickets and then reuse them
    • Capture service-granting tickets and use them for their remaining lifetime
  • Anti-theft of ticket-granting tickets
    • AS provides both the client and the TGS with a shared secret, securely
    • Done by sending a session key
    • This procedure also makes service-granting tickets reusable
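The simplified exchange of slide 3 and the session-key countermeasure of slide 4, as an added Go example that is not part of the original presentation: the AS issues a ticket-granting ticket sealed under the TGS key together with a session key sealed under the client's password-derived key; the client proves it holds the session key with a timestamped authenticator; the TGS checks the ticket's end time, the authenticator's freshness, and that both name the same client. Assumptions made here: AES-256-GCM stands in for Version 4's DES, SHA-256 for the Kerberos string-to-key function, JSON for the ticket encoding, and the names ASIssue, ClientAuthenticator, TGSVerify and the principal "alice" are invented for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"time"
)

// Ticket is the ticket-granting ticket, sealed under the TGS key: the client carries it but cannot read or alter it.
type Ticket struct {
	Client     string `json:"client"`
	SessionKey []byte `json:"session_key"` // K(c,tgs): the secret that defeats ticket theft
	Expires    int64  `json:"expires"`     // Unix time; a Version 5 style end time
}

// Authenticator is sealed under the session key, so only the real client can produce one.
type Authenticator struct {
	Client    string `json:"client"`
	Timestamp int64  `json:"timestamp"`
}

// KeyFromPassword stands in for the Kerberos string-to-key function (assumption: plain SHA-256).
func KeyFromPassword(pw string) []byte {
	k := sha256.Sum256([]byte(pw))
	return k[:]
}

// gcmFor builds AES-256-GCM, used here in place of v4's DES/PCBC; every key is 32 bytes.
func gcmFor(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	return g
}

// seal encrypts and authenticates plain with a random nonce prefixed; open reverses it and fails on a wrong key or an altered box.
func seal(key, plain []byte) []byte {
	g := gcmFor(key)
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return g.Seal(nonce, nonce, plain, nil)
}

func open(key, boxed []byte) ([]byte, error) {
	g := gcmFor(key)
	if n := g.NonceSize(); len(boxed) >= n {
		return g.Open(nil, boxed[:n], boxed[n:], nil)
	}
	return nil, errors.New("ciphertext too short")
}

// ASIssue is the AS step: mint a session key, seal a TGT under the TGS key, and hand the client the TGT plus the session key sealed under the client's key.
func ASIssue(clientKey, tgsKey []byte, client string, now time.Time, ttl time.Duration) (tgt, sealedSK []byte) {
	sk := make([]byte, 32)
	if _, err := rand.Read(sk); err != nil {
		panic(err)
	}
	tgtJSON, _ := json.Marshal(Ticket{Client: client, SessionKey: sk, Expires: now.Add(ttl).Unix()})
	return seal(tgsKey, tgtJSON), seal(clientKey, sk)
}

// ClientAuthenticator is the client step: recover the session key with the password-derived key (the only moment the password is needed), then seal a fresh authenticator under it.
func ClientAuthenticator(clientKey, sealedSK []byte, client string, now time.Time) ([]byte, error) {
	sk, err := open(clientKey, sealedSK)
	if err != nil {
		return nil, errors.New("wrong password: cannot recover session key")
	}
	authJSON, _ := json.Marshal(Authenticator{Client: client, Timestamp: now.Unix()})
	return seal(sk, authJSON), nil
}

// TGSVerify is the TGS step: open the TGT with its own key, recover the session key, and require a fresh
// authenticator sealed with that key that names the same client. A captured TGT without the session key fails here.
func TGSVerify(tgsKey, tgt, auth []byte, now time.Time, skew time.Duration) (string, error) {
	tgtJSON, err := open(tgsKey, tgt)
	if err != nil {
		return "", errors.New("ticket not sealed by the AS")
	}
	var t Ticket
	json.Unmarshal(tgtJSON, &t) // GCM already authenticated these bytes
	if now.Unix() > t.Expires {
		return "", errors.New("ticket expired")
	}
	authJSON, err := open(t.SessionKey, auth)
	if err != nil {
		return "", errors.New("authenticator not sealed with the session key")
	}
	var a Authenticator
	json.Unmarshal(authJSON, &a)
	if age := now.Sub(time.Unix(a.Timestamp, 0)); a.Client != t.Client || age < 0 || age > skew {
		return "", errors.New("authenticator names another client or is outside the clock skew")
	}
	return t.Client, nil
}
```

TGSVerify rejects a ticket-granting ticket that is presented without the session key, a wrong password (the session key cannot be recovered), an authenticator older than the skew window, and a ticket past its end time. A real KDC additionally keeps a replay cache of authenticators seen inside the skew window, since the timestamp alone cannot tell two copies of the same authenticator apart.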

  5. Kerberos Organization
  • Called a realm, it includes:
    • A Kerberos server, which holds:
      • UID and hashed password for each user
      • A shared secret key with each user
    • The Kerberos server includes both the AS and the TGS
  • Inter-realm issues
    • Kerberos servers in each realm are registered with each other (they share a secret key)
    • The TGS in the server's realm issues tickets to a client from another realm

  6. Version 5
  • Avoids the suspicion attached to DES by allowing the encryption algorithm and key length to be specified
  • Avoids IP dependence by specifying the network address type and length
  • Allows the message byte ordering to be specified
  • Tickets contain a start and an end time
  • Authentication forwarding – a server can forward the client's authentication to another server
  • Inter-realm authentication

  7. Version 5 – Continued
  • Avoids double encryption
  • Avoids PCBC mode (vulnerable to a cipher-block exchange attack)
  • Session and subsession keys
  • Preauthentication – makes password attacks more difficult (but not impossible)

  8. X.509 Service
  • Uses public-key certificates from a CA (certification authority), whereas Kerberos uses privately distributed keys
  • Obtaining a certificate requires access to the public key of a CA
  • The X.509 service is free-form hierarchical – achieved by using forward and reverse certificates
  • Also provides for certificate revocation
    • Each CA maintains a list of revoked but still in-date keys

  9. X.509 Service (Continued)
  • Authentication procedures
    • One-way
      • A single transfer of information from one user to another
    • Two-way
      • Each side authenticates to the other
    • Three-way
      • Detects replay attacks using nonces (rather than clock synchronization)
  • New versions – more of the same
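The three-way procedure of slide 9, as an added Go example that is not part of the original presentation: each side signs a token carrying its own fresh nonce, the intended recipient, and the peer's nonce echoed back, so neither side needs a synchronized clock, and a replayed message fails because the nonce it echoes is no longer the one being waited for. Assumptions made here: ECDSA P-256 key pairs generated in NewParty stand in for the key pairs behind CA-issued certificates (the verifier is handed the peer's public key directly instead of extracting it from a certificate), tokens are JSON-encoded, and Party, Token, Msg1, Msg2, Msg3 and Finish are names invented for the example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
)

// Party is one side of the exchange: its signing key and the nonce it is waiting to see echoed.
type Party struct {
	Name    string
	Key     *ecdsa.PrivateKey // stands in for the key pair behind this party's X.509 certificate
	pending []byte            // nonce issued in Msg1/Msg2; nil when no reply is awaited
}

// Token is one message of the procedure; every field except Sig is covered by the signature.
type Token struct {
	From  string `json:"from"`
	To    string `json:"to"`              // intended recipient, so a token cannot be redirected
	Nonce []byte `json:"nonce,omitempty"` // fresh nonce issued by the sender
	Echo  []byte `json:"echo,omitempty"`  // the recipient's earlier nonce, echoed back
	Sig   []byte `json:"-"`
}

func NewParty(name string) *Party {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Party{Name: name, Key: k}
}

func nonce() []byte {
	n := make([]byte, 16)
	rand.Read(n) // never fails in current Go
	return n
}

// sign hashes the JSON form of t (Sig is excluded by its tag) and signs the digest.
func (p *Party) sign(t Token) Token {
	b, _ := json.Marshal(t)
	h := sha256.Sum256(b)
	sig, err := ecdsa.SignASN1(rand.Reader, p.Key, h[:])
	if err != nil {
		panic(err)
	}
	t.Sig = sig
	return t
}

// check verifies that t is addressed to p, carries a valid signature under fromPub (the key a
// CA certificate binds to t.From) and echoes exactly the nonce p is waiting for (none, if idle).
func (p *Party) check(t Token, fromPub *ecdsa.PublicKey) error {
	b, _ := json.Marshal(t)
	h := sha256.Sum256(b)
	if t.To != p.Name || !ecdsa.VerifyASN1(fromPub, h[:], t.Sig) {
		return errors.New("bad signature or wrong addressee")
	}
	if !bytes.Equal(t.Echo, p.pending) {
		return errors.New("nonce mismatch: replayed, stale or foreign message")
	}
	return nil
}

// Msg1 (A -> B): A issues rA and signs {rA, B}.
func (p *Party) Msg1(to string) Token {
	p.pending = nonce()
	return p.sign(Token{From: p.Name, To: to, Nonce: p.pending})
}

// Msg2 (B -> A): B checks Msg1, issues rB and signs {rB, A, rA}.
func (p *Party) Msg2(m1 Token, fromPub *ecdsa.PublicKey) (Token, error) {
	if err := p.check(m1, fromPub); err != nil {
		return Token{}, err
	}
	p.pending = nonce()
	return p.sign(Token{From: p.Name, To: m1.From, Nonce: p.pending, Echo: m1.Nonce}), nil
}

// Msg3 (A -> B): A checks that Msg2 echoes rA, then signs {rB, B}; A's side is now done.
func (p *Party) Msg3(m2 Token, fromPub *ecdsa.PublicKey) (Token, error) {
	if err := p.check(m2, fromPub); err != nil {
		return Token{}, err
	}
	p.pending = nil
	return p.sign(Token{From: p.Name, To: m2.From, Echo: m2.Nonce}), nil
}

// Finish (B): B checks that Msg3 echoes rB; either way the handshake is over, so a later copy of Msg3 matches nothing.
func (p *Party) Finish(m3 Token, fromPub *ecdsa.PublicKey) error {
	err := p.check(m3, fromPub)
	p.pending = nil
	return err
}
```

Msg1 on its own corresponds to the one-way procedure (with a nonce where the one-way form carries a timestamp), and Msg1 plus Msg2 to the two-way procedure. A real implementation would verify the peer's certificate chain and consult the CA's revocation list before trusting the public key handed to check.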
