CSCE 715: Network Systems Security
Chin-Tser Huang, University of South Carolina
Lecture slides (transcript), 10/27/2011: Authentication Applications
Authentication Applications
Developed to support application-level authentication and digital signatures
A famous example is Kerberos – a password authentication service
Kerberos
Trusted key server system from MIT
Provides centralized password-based third-party authentication in a distributed network
Allows users access to services distributed through the network without needing to trust all workstations; instead, all trust a central authentication server
Two versions in use: 4 & 5
Kerberos Requirements
First published report identified its requirements as: security, reliability, transparency, scalability
Implemented using an authentication protocol based on Needham-Schroeder
Kerberos 4 Overview
A basic third-party authentication scheme
Has an Authentication Server (AS): users initially negotiate with the AS to identify themselves; the AS provides a non-corruptible authentication credential (ticket-granting ticket, TGT)
Has a Ticket-Granting Server (TGS): users subsequently request access to other services from the TGS on the basis of their TGT
First Design
(1) C → AS: IDc || Pc || IDv
(2) AS → C: Ticket
(3) C → V: IDc || Ticket
Ticket = E_Kv[IDc || ADc || IDv]
Problems with First Design
User may have to submit the password many times in the same logon session
Password is transmitted in the clear
Second Design
Once per user logon session:
(1) C → AS: IDc || IDtgs
(2) AS → C: E_Kc[Ticket_tgs]
Once per type of service:
(3) C → TGS: IDc || IDv || Ticket_tgs
(4) TGS → C: Ticket_v
Once per service session:
(5) C → V: IDc || Ticket_v
Ticket_tgs = E_Ktgs[IDc || ADc || IDtgs || TS1 || Lifetime1]
Ticket_v = E_Kv[IDc || ADc || IDv || TS2 || Lifetime2]
Problems with Second Design
Requirement for the server (TGS or application server) to verify that the person using a ticket is the same person to whom the ticket was issued
Requirement for servers to authenticate themselves to users
Kerberos 4 Message Exchange
[Figure: Kerberos 4 message exchange, not reproduced in the transcript]
Kc,tgs: a session key created by the AS to permit secure exchange between client and TGS without requiring them to share a permanent key
Authenticator_c: generated by the client, encrypted under Kc,tgs, to assure the TGS that the ticket presenter is the same as the client for whom Ticket_tgs was issued. Has a very short lifetime to prevent replay
Message (6) ensures C that it is really talking to the legitimate server V and that this message is not a replayed message
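The TGS-side check that Ticket_tgs and Authenticator_c make possible, as an added example in Python that is not part of the lecture. It assumes a stdlib-only toy cipher (SHA-256 keystream plus HMAC tag) standing in for E_K[], that Ticket_tgs carries Kc,tgs as in the Kerberos 4 exchange, and a 5-minute authenticator lifetime and replay cache chosen for the example.

```python
# Added example (not from the lecture): the TGS-side check of Ticket_tgs and
# Authenticator_c in the Kerberos 4 exchange.  Assumed: a stdlib-only toy cipher
# (SHA-256 keystream + HMAC tag) stands in for E_K[]; the field names, 5-minute
# authenticator lifetime and replay cache are this example's own choices.
import hashlib, hmac, json, os

def _ks(key, nonce, n):  # keystream of at least n bytes
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(n // 32 + 1))
def encrypt(key, fields):  # toy E_K[fields] -> nonce || ciphertext || HMAC tag
    pt, nonce = json.dumps(fields, sort_keys=True).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _ks(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def decrypt(key, blob):  # raises if blob was not produced under this key
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("bad tag")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _ks(key, nonce, len(ct)))))

AUTH_LIFETIME = 5 * 60  # seconds; authenticators are deliberately short-lived
def make_ticket_tgs(k_tgs, idc, adc, kc_tgs, now, lifetime):
    # Ticket_tgs = E_Ktgs[Kc,tgs || IDc || ADc || IDtgs || TS2 || Lifetime2]
    return encrypt(k_tgs, {"Kc_tgs": kc_tgs.hex(), "IDc": idc, "ADc": adc,
                           "IDtgs": "tgs", "TS2": now, "Lifetime2": lifetime})
def make_authenticator(kc_tgs, idc, adc, ts):  # E_Kc,tgs[IDc || ADc || TS3]
    return encrypt(kc_tgs, {"IDc": idc, "ADc": adc, "TS3": ts})

def tgs_verify(k_tgs, ticket, authenticator, sender_addr, now, seen):
    """Return (accepted, reason); `seen` is the replay cache of (IDc, TS3)."""
    t = decrypt(k_tgs, ticket)  # only the TGS holds Ktgs, so only it can open this
    if not t["TS2"] <= now < t["TS2"] + t["Lifetime2"]:
        return False, "ticket expired"
    a = decrypt(bytes.fromhex(t["Kc_tgs"]), authenticator)  # proves Kc,tgs knowledge
    if (a["IDc"], a["ADc"]) != (t["IDc"], t["ADc"]) or sender_addr != t["ADc"]:
        return False, "presenter is not the client the ticket was issued to"
    if abs(now - a["TS3"]) > AUTH_LIFETIME:
        return False, "authenticator too old"
    if (a["IDc"], a["TS3"]) in seen:
        return False, "authenticator replayed"
    seen.add((a["IDc"], a["TS3"]))
    return True, "ok"

def demo(now):  # fresh use, replay of the same authenticator, use from another host
    k_tgs, kc_tgs, seen = os.urandom(32), os.urandom(32), set()
    ticket = make_ticket_tgs(k_tgs, "alice", "10.0.0.5", kc_tgs, now, 8 * 3600)
    auth = make_authenticator(kc_tgs, "alice", "10.0.0.5", now)
    return (tgs_verify(k_tgs, ticket, auth, "10.0.0.5", now, seen),
            tgs_verify(k_tgs, ticket, auth, "10.0.0.5", now + 1, seen),
            tgs_verify(k_tgs, ticket, auth, "10.0.0.9", now + 2, set()))
```

The replay cache is what turns the short authenticator lifetime into an actual defence: within the lifetime window, only the cache distinguishes a replayed authenticator from a fresh one.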
Kerberos 4 Overview
[Figure: overview of the Kerberos 4 exchange, not reproduced in the transcript]
Kerberos Realms
A Kerberos environment consists of: a Kerberos server; a number of clients, all registered with the server; application servers, sharing keys with the server
This is termed a “realm”, typically within a single administrative domain
If there are multiple realms, their Kerberos servers must share keys and trust each other
Request Service in Another Realm
[Figure: requesting a service in another realm, not reproduced in the transcript]
Kerberos Version 5
Developed in the mid 1990s; provides improvements over Version 4
Addresses environmental shortcomings: encryption algorithm, network protocol, byte order, ticket lifetime, authentication forwarding, interrealm authentication
Addresses technical deficiencies: double encryption, non-standard mode of use, session keys, password attacks
Specified as Internet standard RFC 1510
Kerberos 5 Message Exchange
[Figure: Kerberos 5 message exchange, not reproduced in the transcript]
Next Class
X.509 certificate and authorization