Network Security - G. Steffen
User Authentication
- fundamental security building block
- basis of access control & user accountability
- is the process of verifying an identity claimed by or for a system entity
- has two steps:
  - identification - specify identifier
  - verification - bind entity (person) and identifier
- distinct from message authentication
Means of User Authentication
- four means of authenticating a user's identity, based on something the individual
  - knows - e.g. password, PIN
  - possesses - e.g. key, token, smartcard
  - is (static biometrics) - e.g. fingerprint, retina
  - does (dynamic biometrics) - e.g. voice, signature
- can use alone or combined
- all can provide user authentication
- all have issues
Authentication Protocols
- used to convince parties of each other's identity and to exchange session keys
- may be one-way or mutual
- key issues are
  - confidentiality - to protect session keys
  - timeliness - to prevent replay attacks
Replay Attacks
- where a valid signed message is copied and later resent
  - simple replay
  - repetition that can be logged
  - repetition that cannot be detected
  - backward replay without modification
- countermeasures include
  - use of sequence numbers (generally impractical)
  - timestamps (needs synchronized clocks)
  - challenge/response (using unique nonce)
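The three countermeasures above, each as a small receiver-side check on an HMAC-authenticated message. This is an added example and not code from the slides: the shared key, the message bodies, the 30-second clock-skew window and the use of HMAC-SHA256 as the "signature" are all constructed for the demonstration. The timestamp receiver also keeps a replay cache of messages already seen inside the window, because a timestamp alone cannot distinguish an original from a copy resent a second later.

```python
"""Replay countermeasures: sequence numbers, timestamps, challenge/response."""
import hashlib
import hmac
import os
import struct
import time

KEY = b"constructed-shared-key-for-demo"  # constructed sample key, not a real secret


def mac(payload: bytes) -> bytes:
    return hmac.new(KEY, payload, hashlib.sha256).digest()


# 1. Sequence numbers: accept only a strictly increasing counter.
def seq_send(seq: int, body: bytes):
    return (seq, body, mac(struct.pack(">Q", seq) + body))


class SeqReceiver:
    def __init__(self):
        self.last = -1

    def accept(self, msg) -> bool:
        seq, body, tag = msg
        if not hmac.compare_digest(tag, mac(struct.pack(">Q", seq) + body)):
            return False                  # forged or altered
        if seq <= self.last:
            return False                  # replay (or reorder): already past this counter
        self.last = seq
        return True


# 2. Timestamps: accept within a skew window, and remember what was seen inside it.
def ts_send(body: bytes, now=time.time):
    ts = now()
    return (ts, body, mac(struct.pack(">d", ts) + body))


class TimestampReceiver:
    def __init__(self, window: float = 30.0, now=time.time):
        self.window, self.now, self.seen = window, now, {}

    def accept(self, msg) -> bool:
        ts, body, tag = msg
        if not hmac.compare_digest(tag, mac(struct.pack(">d", ts) + body)):
            return False
        cur = self.now()
        if abs(cur - ts) > self.window:
            return False                  # too old (or clock too far ahead)
        # drop cache entries that have aged out of the window, then check for a repeat
        self.seen = {k: v for k, v in self.seen.items() if cur - v <= self.window}
        if tag in self.seen:
            return False                  # same message resent inside the window
        self.seen[tag] = ts
        return True


# 3. Challenge/response: verifier issues a fresh nonce; the prover MACs it once.
class ChallengeVerifier:
    def __init__(self):
        self.pending = set()

    def challenge(self) -> bytes:
        n = os.urandom(16)
        self.pending.add(n)
        return n

    def verify(self, nonce: bytes, response: bytes) -> bool:
        if nonce not in self.pending:
            return False                  # unknown nonce, or one already consumed
        self.pending.discard(nonce)       # one-shot: replaying the response fails
        return hmac.compare_digest(response, mac(b"response:" + nonce))


def respond(nonce: bytes) -> bytes:
    return mac(b"response:" + nonce)
```

The sequence-number receiver has to persist `last` across restarts and per peer, which is why the slide calls it generally impractical; the timestamp receiver needs the sender's clock to be within `window` of its own; the challenge/response verifier needs neither, at the cost of an extra round trip.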
One-Way Authentication
- required when sender & receiver are not in communication at the same time (e.g. email)
- have header in clear so it can be delivered by the email system
- may want contents of body protected & sender authenticated
Using Symmetric Encryption
- as discussed previously can use a two-level hierarchy of keys
- usually with a trusted Key Distribution Center (KDC)
  - each party shares own master key with KDC
  - KDC generates session keys used for connections between parties
  - master keys used to distribute these to them
Needham-Schroeder Protocol
- original third-party key distribution protocol
- for session between A and B mediated by KDC
- protocol overview is:
  1. A -> KDC: IDA || IDB || N1
  2. KDC -> A: E(Ka, [Ks||IDB||N1|| E(Kb, [Ks||IDA])])
  3. A -> B: E(Kb, [Ks||IDA])
  4. B -> A: E(Ks, [N2])
  5. A -> B: E(Ks, [f(N2)])
Needham-Schroeder Protocol
- used to securely distribute a new session key for communications between A & B
- but is vulnerable to a replay attack if an old session key has been compromised
  - then message 3 can be resent, convincing B that it is communicating with A
- modifications to address this require:
  - timestamps in steps 2 & 3 (Denning 81)
  - using an extra nonce (Neuman 93)
One-Way Authentication
- use refinement of KDC to secure email
- since B is not online, drop steps 4 & 5
- protocol becomes:
  1. A -> KDC: IDA || IDB || N1
  2. KDC -> A: E(Ka, [Ks||IDB||N1 || E(Kb, [Ks||IDA])])
  3. A -> B: E(Kb, [Ks||IDA]) || E(Ks, M)
- provides encryption & some authentication
- does not protect from replay attack
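A runnable walk-through of the three Needham-Schroeder slides above: the five-message exchange, the replay of message 3 by an attacker who holds an old compromised Ks, the Denning timestamp in the ticket that makes B reject it, and the one-way e-mail variant that drops steps 4 and 5 and is replayable as the slide says. This is an added example, not code from the slides or from any Kerberos implementation. Assumptions made for the demonstration: E(K, ...) is a toy authenticated encryption built from HMAC-SHA256 (a stand-in for DES or AES, not a real cipher); fields are length-prefixed so the `||` concatenation can be parsed back; f(N2) is taken to be "add one to every byte"; identities, master keys, the 60-second freshness window and the clock are constructed.

```python
"""Needham-Schroeder key distribution, the message-3 replay, the Denning fix,
and the one-way e-mail variant (added example; toy cipher, constructed keys)."""
import hashlib, hmac, os, struct

# Toy authenticated encryption (HMAC-SHA256 keystream + tag). Stands in for the
# slides' E(K, ...); it is NOT a real cipher and exists only to make the demo run.
def _stream(key, nonce, n):
    blocks = (hmac.new(key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def enc(key, pt):
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def dec(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("bad MAC")
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))

# Length-prefixed fields so the '||' concatenation of the slides can be parsed.
def pack(*fields):
    return b"".join(struct.pack(">H", len(f)) + f for f in fields)

def unpack(data):
    out = []
    while data:
        n, = struct.unpack(">H", data[:2])
        out.append(data[2:2 + n]); data = data[2 + n:]
    return out

def f(n2):                       # function applied to N2 in message 5 (assumed: +1 per byte)
    return bytes((b + 1) & 0xFF for b in n2)

class KDC:
    def __init__(self, master_keys):
        self.keys = master_keys                          # IDA -> Ka, IDB -> Kb
    def reply(self, ida, idb, n1, now=None):             # message 2
        ks = os.urandom(16)                              # fresh session key Ks
        ticket = [ks, ida] + ([struct.pack(">Q", now)] if now is not None else [])
        ticket = enc(self.keys[idb], pack(*ticket))      # E(Kb, [Ks||IDA(||T)])
        return enc(self.keys[ida], pack(ks, idb, n1, ticket))

class Responder:                 # B; pass now=... to enable the Denning timestamp check
    def __init__(self, ident, key, now=None, window=60):
        self.id, self.key, self.now, self.window = ident, key, now, window
    def step3(self, ticket):     # receive message 3, return message 4
        fields = unpack(dec(self.key, ticket))
        if self.now is not None:
            t, = struct.unpack(">Q", fields[2])
            if abs(self.now() - t) > self.window:
                raise ValueError("stale ticket")         # Denning 81: reject old tickets
        self.ks, self.peer, self.n2 = fields[0], fields[1], os.urandom(8)
        return enc(self.ks, self.n2)
    def step5(self, msg):        # B believes it talks to A iff the reply is f(N2) under Ks
        return hmac.compare_digest(dec(self.ks, msg), f(self.n2))
    def read_mail(self, msg):    # one-way variant: E(Kb,[Ks||IDA]) || E(Ks, M), no steps 4/5
        ticket, body = unpack(msg)
        fields = unpack(dec(self.key, ticket))
        return fields[1], dec(fields[0], body)

def run(kdc, ida, ka, b, now=None):                      # A's side of the full protocol
    n1 = os.urandom(8)
    ks, idb, n1_back, ticket = unpack(dec(ka, kdc.reply(ida, b.id, n1, now)))
    if idb != b.id or n1_back != n1:                     # N1 binds message 2 to this request
        raise ValueError("message 2 is not a reply to our request")
    n2 = dec(ks, b.step3(ticket))                        # messages 3 and 4
    return ks, ticket, b.step5(enc(ks, f(n2)))           # message 5

def replay_message3(b, old_ks, old_ticket):
    """Attacker who learned an old Ks resends the matching old message 3 to B."""
    try:
        n2 = dec(old_ks, b.step3(old_ticket))
    except ValueError:
        return False                                     # ticket rejected
    return b.step5(enc(old_ks, f(n2)))                   # True: B accepts the impostor as A

def demo():
    keys = {b"A": os.urandom(16), b"B": os.urandom(16)}  # constructed master keys
    kdc = KDC(keys)
    b = Responder(b"B", keys[b"B"])                      # original protocol, no timestamps
    ks, ticket, ok = run(kdc, b"A", keys[b"A"], b)
    vulnerable = ok and replay_message3(b, ks, ticket)   # old Ks + old ticket still work
    clock = [1_000_000]
    bt = Responder(b"B", keys[b"B"], now=lambda: clock[0])
    ks2, ticket2, ok2 = run(kdc, b"A", keys[b"A"], bt, now=clock[0])
    clock[0] += 3600                                     # the old Ks leaks an hour later
    fixed = ok2 and not replay_message3(bt, ks2, ticket2)
    mail = pack(ticket, enc(ks, b"pay 100"))             # one-way e-mail variant
    replayable = b.read_mail(mail) == b.read_mail(mail) == (b"A", b"pay 100")
    return vulnerable, fixed, replayable                 # (True, True, True)
```

`demo()` returns three booleans: the original protocol accepts the replayed message 3, the timestamped ticket is rejected once it is outside the window, and the e-mail variant decrypts the resent message a second time with no way for B to notice. Note that the timestamp fix trades the replay for a clock dependency: a B whose clock drifts by more than `window` rejects legitimate tickets too.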
Kerberos
- trusted key server system from MIT
- provides centralised private-key (symmetric) third-party authentication in a distributed network
  - allows users access to services distributed through the network
  - without needing to trust all workstations
  - rather all trust a central authentication server
- two versions in use: 4 & 5
Kerberos Requirements
- its first report identified requirements as:
  - secure
  - reliable
  - transparent
  - scalable
- implemented using an authentication protocol based on Needham-Schroeder
Kerberos v4 Overview
- a basic third-party authentication scheme
- have an Authentication Server (AS)
  - users initially negotiate with AS to identify self
  - AS provides a non-corruptible authentication credential (ticket granting ticket, TGT)
- have a Ticket Granting Server (TGS)
  - users subsequently request access to other services from TGS on the basis of the user's TGT
- using a complex protocol using DES
Kerberos v4 Dialogue
Kerberos 4 Overview
Kerberos Realms
- a Kerberos environment consists of:
  - a Kerberos server
  - a number of clients, all registered with the server
  - application servers, sharing keys with the server
- this is termed a realm
  - typically a single administrative domain
- if there are multiple realms, their Kerberos servers must share keys and trust each other
Kerberos Realms
Kerberos Version 5
- developed in the mid 1990's
- specified as Internet standard RFC 1510 (since obsoleted by RFC 4120)
- provides improvements over v4
  - addresses environmental shortcomings
    - encryption alg, network protocol, byte order, ticket lifetime, authentication forwarding, interrealm auth
  - and technical deficiencies
    - double encryption, non-std mode of use, session keys, password attacks
Kerberos v5 Dialogue
Remote User Authentication
- in Ch 14 saw use of public-key encryption for session key distribution
  - assumes both parties have each other's public keys
  - may not be practical
- have Denning protocol using timestamps
  - uses central authentication server (AS) to provide public-key certificates
  - requires synchronized clocks
- have Woo and Lam protocol using nonces
  - care needed to ensure no protocol flaws
One-Way Authentication
- have public-key approaches for email
  - encryption of message for confidentiality, authentication, or both
  - must now have public keys
  - using costly public-key alg on long message
- for confidentiality encrypt message with one-time secret key, public-key encrypted
- for authentication use a digital signature
  - may need to protect by encrypting signature
- use digital certificate to supply public key
Federated Identity Management
- use of common identity management scheme across multiple enterprises & numerous applications
- supporting many thousands, even millions of users
- principal elements are:
  - authentication, authorization, accounting, provisioning, workflow automation, delegated administration, password synchronization, self-service password reset, federation
- Kerberos contains many of these elements
Identity Management
Identity Federation
Standards Used
- Security Assertion Markup Language (SAML)
  - XML-based language for exchange of security information between online business partners
  - part of OASIS (Organization for the Advancement of Structured Information Standards) standards for federated identity management
  - e.g. WS-Federation for browser-based federation
- need a few mature industry standards
Federated Identity Examples
Summary
- have considered:
  - remote user authentication issues
  - authentication using symmetric encryption
  - the Kerberos trusted key server system
  - authentication using asymmetric encryption
  - federated identity management