computer security: principles and practice
DESCRIPTION
Computer Security: Principles and Practice. Chapter 22 – Internet Authentication Applications. First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown. Internet Authentication Applications. will consider authentication functions - PowerPoint PPT PresentationTRANSCRIPT
Computer Security: Computer Security: Principles and PracticePrinciples and Practice
First EditionFirst Edition
by William Stallings and Lawrie Brownby William Stallings and Lawrie Brown
Lecture slides by Lawrie BrownLecture slides by Lawrie Brown
Chapter 22 – Internet Authentication Chapter 22 – Internet Authentication ApplicationsApplications
will consider authentication functionswill consider authentication functions developed to support application-level developed to support application-level
authentication & digital signaturesauthentication & digital signatures will consider will consider
Kerberos private-key authentication serviceKerberos private-key authentication service X.509 public-key directory authenticationX.509 public-key directory authentication public-key infrastructure (PKI)public-key infrastructure (PKI) federated identity managementfederated identity management
Internet Authentication Internet Authentication ApplicationsApplications
KerberosKerberos
trusted key server system from MIT trusted key server system from MIT provides centralised private-key third-party provides centralised private-key third-party
authentication in a distributed networkauthentication in a distributed network allows users access to services distributed allows users access to services distributed
through networkthrough network without needing to trust all workstationswithout needing to trust all workstations rather all trust a central authentication serverrather all trust a central authentication server
two versions in use: 4 & 5two versions in use: 4 & 5
Kerberos OverviewKerberos Overview
a basic third-party authentication schemea basic third-party authentication scheme have an Authentication Server (AS) have an Authentication Server (AS)
users initially negotiate with AS to identify self users initially negotiate with AS to identify self AS provides a non-corruptible authentication AS provides a non-corruptible authentication
credential (ticket granting ticket TGT) credential (ticket granting ticket TGT) have a Ticket Granting server (TGS)have a Ticket Granting server (TGS)
users subsequently request access to other users subsequently request access to other services from TGS on basis of users TGTservices from TGS on basis of users TGT
Kerberos OverviewKerberos Overview
Kerberos RealmsKerberos Realms
a Kerberos environment consists of:a Kerberos environment consists of: a Kerberos servera Kerberos server a number of clients, all registered with servera number of clients, all registered with server application servers, sharing keys with serverapplication servers, sharing keys with server
this is termed a realmthis is termed a realm typically a single administrative domaintypically a single administrative domain
if have multiple realms, their Kerberos if have multiple realms, their Kerberos servers must share keys and trust servers must share keys and trust
Kerberos RealmsKerberos Realms
Kerberos Version 5Kerberos Version 5 Kerberos v4 is most widely used versionKerberos v4 is most widely used version also have v5, developed in mid 1990’salso have v5, developed in mid 1990’s
specified as Internet standard RFC 1510specified as Internet standard RFC 1510 provides improvements over v4provides improvements over v4
addresses environmental shortcomingsaddresses environmental shortcomings• encryption alg, network protocol, byte order, ticket encryption alg, network protocol, byte order, ticket
lifetime, authentication forwarding, inter-realm authlifetime, authentication forwarding, inter-realm auth and technical deficienciesand technical deficiencies
• double encryption, non-std mode of use, session double encryption, non-std mode of use, session keys, password attackskeys, password attacks
Kerberos Performance IssuesKerberos Performance Issues
see larger client-server installationssee larger client-server installations query Kerberos performance impact query Kerberos performance impact
very little if system is properly configuredvery little if system is properly configured since tickets are reusablesince tickets are reusable
Kerberos security best assured if place its Kerberos security best assured if place its server on a separate, isolated machineserver on a separate, isolated machine
administrative motivation for multi realmsadministrative motivation for multi realms not a performance issuenot a performance issue
Certificate AuthoritiesCertificate Authorities
certificate consists of:certificate consists of: a public key plus a User ID of the key ownera public key plus a User ID of the key owner signed by a third party trusted by communitysigned by a third party trusted by community often govt./bank often govt./bank certificate authoritycertificate authority (CA) (CA)
users obtain certificates from CAusers obtain certificates from CA create keys & unsigned cert, gives to CA, CA create keys & unsigned cert, gives to CA, CA
signs cert & attaches sig, returns to usersigns cert & attaches sig, returns to user other users can verify certother users can verify cert
checking sig on cert using CA’s public keychecking sig on cert using CA’s public key
X.509 Authentication Service X.509 Authentication Service
universally accepted standard for universally accepted standard for formatting public-key certificatesformatting public-key certificates widely used widely used in network security applications, in network security applications,
including IPSec, SSL, SET, and S/MIMEincluding IPSec, SSL, SET, and S/MIME part of CCITT X.500 directory service part of CCITT X.500 directory service
standardsstandards uses public-key crypto & digital signatures uses public-key crypto & digital signatures
algorithms not standardised, but RSA algorithms not standardised, but RSA recommendedrecommended
X.509 CertificatesX.509 Certificates
Public Key InfrastructurePublic Key Infrastructure
PKIX ManagementPKIX Management
functions:functions: registrationregistration initializationinitialization certificationcertification key pair recoverykey pair recovery key pair updatekey pair update revocation requestrevocation request cross certificationcross certification
protocols: CMP, CMCprotocols: CMP, CMC
Federated Identity Federated Identity ManagementManagement
use of common identity management schemeuse of common identity management scheme across multiple enterprises & numerous applications across multiple enterprises & numerous applications supporting many thousands, even millions of users supporting many thousands, even millions of users
principal elements are:principal elements are: authentication, authorization, accounting, authentication, authorization, accounting,
provisioning, workflow automation, delegated provisioning, workflow automation, delegated administration, password synchronization, self-service administration, password synchronization, self-service password reset, federationpassword reset, federation
Kerberos contains many of these elementsKerberos contains many of these elements
Identity ManagementIdentity Management
Federated Identity ManagementFederated Identity Management
Standards UsedStandards Used
Extensible Markup Language (XML)Extensible Markup Language (XML) characterizes text elements in a document on characterizes text elements in a document on
appearance, function, meaning, or contextappearance, function, meaning, or context
Simple Object Access Protocol (SOAP)Simple Object Access Protocol (SOAP) for invoking code using XML over HTTPfor invoking code using XML over HTTP
WS-SecurityWS-Security set of SOAP extensions for implementing message set of SOAP extensions for implementing message
integrity and confidentiality in Web servicesintegrity and confidentiality in Web services
Security Assertion Markup Language (SAML)Security Assertion Markup Language (SAML) XML-based language for the exchange of security XML-based language for the exchange of security
information between online business partnersinformation between online business partners
SummarySummary
reviewed network authentication using:reviewed network authentication using: Kerberos private-key authentication serviceKerberos private-key authentication service X.509 public-key directory authenticationX.509 public-key directory authentication public-key infrastructure (PKI)public-key infrastructure (PKI) federated identity managementfederated identity management