Computer Security: Computer Security: Principles and PracticePrinciples and Practice

First EditionFirst Edition

by William Stallings and Lawrie Brownby William Stallings and Lawrie Brown

Lecture slides by Lawrie BrownLecture slides by Lawrie Brown

Chapter 22 – Internet Authentication Chapter 22 – Internet Authentication ApplicationsApplications

will consider authentication functionswill consider authentication functions developed to support application-level developed to support application-level

authentication & digital signaturesauthentication & digital signatures will consider will consider

Kerberos private-key authentication serviceKerberos private-key authentication service X.509 public-key directory authenticationX.509 public-key directory authentication public-key infrastructure (PKI)public-key infrastructure (PKI) federated identity managementfederated identity management

Internet Authentication Internet Authentication ApplicationsApplications

KerberosKerberos

trusted key server system from MIT trusted key server system from MIT provides centralised private-key third-party provides centralised private-key third-party

authentication in a distributed networkauthentication in a distributed network allows users access to services distributed allows users access to services distributed

through networkthrough network without needing to trust all workstationswithout needing to trust all workstations rather all trust a central authentication serverrather all trust a central authentication server

two versions in use: 4 & 5two versions in use: 4 & 5

Kerberos OverviewKerberos Overview

a basic third-party authentication schemea basic third-party authentication scheme have an Authentication Server (AS) have an Authentication Server (AS)

users initially negotiate with AS to identify self users initially negotiate with AS to identify self AS provides a non-corruptible authentication AS provides a non-corruptible authentication

credential (ticket granting ticket TGT) credential (ticket granting ticket TGT) have a Ticket Granting server (TGS)have a Ticket Granting server (TGS)

users subsequently request access to other users subsequently request access to other services from TGS on basis of users TGTservices from TGS on basis of users TGT

Kerberos OverviewKerberos Overview

Kerberos RealmsKerberos Realms

a Kerberos environment consists of:a Kerberos environment consists of: a Kerberos servera Kerberos server a number of clients, all registered with servera number of clients, all registered with server application servers, sharing keys with serverapplication servers, sharing keys with server

this is termed a realmthis is termed a realm typically a single administrative domaintypically a single administrative domain

if have multiple realms, their Kerberos if have multiple realms, their Kerberos servers must share keys and trust servers must share keys and trust

Kerberos RealmsKerberos Realms

Kerberos Version 5Kerberos Version 5 Kerberos v4 is most widely used versionKerberos v4 is most widely used version also have v5, developed in mid 1990’salso have v5, developed in mid 1990’s

specified as Internet standard RFC 1510specified as Internet standard RFC 1510 provides improvements over v4provides improvements over v4

addresses environmental shortcomingsaddresses environmental shortcomings• encryption alg, network protocol, byte order, ticket encryption alg, network protocol, byte order, ticket

lifetime, authentication forwarding, inter-realm authlifetime, authentication forwarding, inter-realm auth and technical deficienciesand technical deficiencies

• double encryption, non-std mode of use, session double encryption, non-std mode of use, session keys, password attackskeys, password attacks

Kerberos Performance IssuesKerberos Performance Issues

see larger client-server installationssee larger client-server installations query Kerberos performance impact query Kerberos performance impact

very little if system is properly configuredvery little if system is properly configured since tickets are reusablesince tickets are reusable

Kerberos security best assured if place its Kerberos security best assured if place its server on a separate, isolated machineserver on a separate, isolated machine

administrative motivation for multi realmsadministrative motivation for multi realms not a performance issuenot a performance issue

Certificate AuthoritiesCertificate Authorities

certificate consists of:certificate consists of: a public key plus a User ID of the key ownera public key plus a User ID of the key owner signed by a third party trusted by communitysigned by a third party trusted by community often govt./bank often govt./bank certificate authoritycertificate authority (CA) (CA)

users obtain certificates from CAusers obtain certificates from CA create keys & unsigned cert, gives to CA, CA create keys & unsigned cert, gives to CA, CA

signs cert & attaches sig, returns to usersigns cert & attaches sig, returns to user other users can verify certother users can verify cert

checking sig on cert using CA’s public keychecking sig on cert using CA’s public key

X.509 Authentication Service X.509 Authentication Service

universally accepted standard for universally accepted standard for formatting public-key certificatesformatting public-key certificates widely used widely used in network security applications, in network security applications,

including IPSec, SSL, SET, and S/MIMEincluding IPSec, SSL, SET, and S/MIME part of CCITT X.500 directory service part of CCITT X.500 directory service

standardsstandards uses public-key crypto & digital signatures uses public-key crypto & digital signatures

algorithms not standardised, but RSA algorithms not standardised, but RSA recommendedrecommended

X.509 CertificatesX.509 Certificates

Public Key InfrastructurePublic Key Infrastructure

PKIX ManagementPKIX Management

functions:functions: registrationregistration initializationinitialization certificationcertification key pair recoverykey pair recovery key pair updatekey pair update revocation requestrevocation request cross certificationcross certification

protocols: CMP, CMCprotocols: CMP, CMC

Federated Identity Federated Identity ManagementManagement

use of common identity management schemeuse of common identity management scheme across multiple enterprises & numerous applications across multiple enterprises & numerous applications supporting many thousands, even millions of users supporting many thousands, even millions of users

principal elements are:principal elements are: authentication, authorization, accounting, authentication, authorization, accounting,

provisioning, workflow automation, delegated provisioning, workflow automation, delegated administration, password synchronization, self-service administration, password synchronization, self-service password reset, federationpassword reset, federation

Kerberos contains many of these elementsKerberos contains many of these elements

Identity ManagementIdentity Management

Federated Identity ManagementFederated Identity Management

Standards UsedStandards Used

Extensible Markup Language (XML)Extensible Markup Language (XML) characterizes text elements in a document on characterizes text elements in a document on

appearance, function, meaning, or contextappearance, function, meaning, or context

Simple Object Access Protocol (SOAP)Simple Object Access Protocol (SOAP) for invoking code using XML over HTTPfor invoking code using XML over HTTP

WS-SecurityWS-Security set of SOAP extensions for implementing message set of SOAP extensions for implementing message

integrity and confidentiality in Web servicesintegrity and confidentiality in Web services

Security Assertion Markup Language (SAML)Security Assertion Markup Language (SAML) XML-based language for the exchange of security XML-based language for the exchange of security

information between online business partnersinformation between online business partners

SummarySummary

reviewed network authentication using:reviewed network authentication using: Kerberos private-key authentication serviceKerberos private-key authentication service X.509 public-key directory authenticationX.509 public-key directory authentication public-key infrastructure (PKI)public-key infrastructure (PKI) federated identity managementfederated identity management