User Authentication
• Something the individual knows: passwords, PINs, tokens, patterns, etc.
• Something the individual has (static biometrics): e.g. fingerprint, retina, face.
• Something the individual does (dynamic biometrics): e.g. voice, handwriting.
• All of these can be used alone or combined.
• All can provide user authentication.
• All have issues.
• Note that user authentication is different from message authentication.
• Message authentication is the procedure that allows two parties to verify that the contents of a received message have not been changed and that the source is authentic.
Authentication Protocols
• An important application area of authentication is authentication protocols.
• A protocol may be a one-way authentication protocol or a mutual authentication protocol.
• Mutual Authentication:
• Mutual authentication protocols are used to convince communicating parties of each other's identity and to exchange session keys.
• Two key issues are:
• Confidentiality – to protect session keys.
• Timeliness – to prevent replay attacks.
Authentication Protocols
Replay Attacks :
– Simple replay (the opponent copies a message and replays it later)
– Repetition that can be logged
– Repetition that cannot be detected
– Backward replay without modification
• The countermeasures include :
– Use of sequence numbers (generally impractical)
– Timestamps (needs synchronized clocks)
– Challenge/Response (using unique nonce)
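The timestamp and challenge/response countermeasures listed above, sketched from the receiver's side as an added Python example (not part of the original slides). The shared key, the 30-second clock tolerance and the message bodies are constructed assumptions.

```python
import hashlib
import hmac
import json
import secrets

KEY = b"constructed-shared-session-key"   # constructed sample key
MAX_SKEW = 30                             # assumed clock tolerance, in seconds


def tag(key, *fields):
    """MAC over the fields, so an opponent cannot alter them undetected."""
    data = json.dumps(fields).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


class TimestampReceiver:
    """Timestamp countermeasure: needs clocks synchronized within MAX_SKEW."""

    def __init__(self, key):
        self.key = key
        self.seen = {}   # tag -> timestamp, for messages still inside the window

    def accept(self, body, ts, mac, now):
        if not hmac.compare_digest(mac, tag(self.key, body, ts)):
            return "bad-mac"
        if abs(now - ts) > MAX_SKEW:
            return "stale"      # replayed after the window closed
        # Forget tags whose timestamp left the window; they now fail as stale.
        self.seen = {m: t for m, t in self.seen.items() if abs(now - t) <= MAX_SKEW}
        if mac in self.seen:
            return "replay"     # replayed while still inside the window
        self.seen[mac] = ts
        return "ok"


class ChallengeReceiver:
    """Challenge/response countermeasure: a unique nonce per exchange, no clocks."""

    def __init__(self, key):
        self.key = key
        self.pending = set()

    def challenge(self):
        nonce = secrets.token_hex(16)
        self.pending.add(nonce)
        return nonce

    def accept(self, body, nonce, mac):
        if nonce not in self.pending:
            return "replay"     # nonce was never issued or was already used
        if not hmac.compare_digest(mac, tag(self.key, body, nonce)):
            return "bad-mac"
        self.pending.discard(nonce)   # each nonce is good for one response only
        return "ok"


def demo():
    ts_rx = TimestampReceiver(KEY)
    mac = tag(KEY, "open-session", 1000)
    results = [
        ts_rx.accept("open-session", 1000, mac, now=1005),   # first delivery
        ts_rx.accept("open-session", 1000, mac, now=1010),   # copy sent again
        ts_rx.accept("open-session", 1000, mac, now=1100),   # copy sent much later
    ]
    ch_rx = ChallengeReceiver(KEY)
    nonce = ch_rx.challenge()
    mac2 = tag(KEY, "open-session", nonce)
    results += [
        ch_rx.accept("open-session", nonce, mac2),           # genuine response
        ch_rx.accept("open-session", nonce, mac2),           # same response again
    ]
    return results


if __name__ == "__main__":
    print(demo())
```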
Authentication Protocols
• One-Way Authentication:
• It is required when the sender and receiver are not in communication at the same time (e.g. email), because it is not necessary for the sender and receiver to be online at the same time.
• The message is forwarded to the receiver's mailbox, where it is buffered until the receiver reads it.
• The header is handled by a store-and-forward email protocol, like SMTP.
• The goal is for the contents to be protected and the sender authenticated.
Kerberos
• Kerberos is an authentication protocol, or service, or key distribution center (KDC).
• Designed at MIT in 1980. Systems, including Windows, use Kerberos.
• Kerberos is a Greek word that signifies a three-headed dog (used to keep outsiders away).
• It is a trusted key server system.
• It provides centralized third-party authentication in a distributed network.
• Kerberos is designed for an open distributed environment.
• That is, it is a network authentication protocol that provides authentication for client/server applications.
Kerberos
• Users at workstations want to access services on servers that are distributed throughout the network.
• The following threats from an attacker exist, and servers should not allow them:
• 1. An attacker can use a particular workstation and act as a valid user working from that workstation.
• 2. An attacker can alter the network address of a workstation, so that any request sent from the altered workstation appears to come from a valid workstation.
• 3. An attacker can use a replay attack to gain entrance to a server.
• Note: In the above cases, an attacker may use services and data that he is not authorized to use.
Kerberos
• To solve these problems, instead of using an authentication protocol at each server, Kerberos provides a centralized authentication server that authenticates users to servers and servers to users.
• Unlike other authentication techniques, Kerberos makes use of symmetric (i.e. secret-key) cryptography.
• It does not use public-key encryption.
• The two commonly used versions of Kerberos are:
• 1. Kerberos version 4 (implementations still exist)
• 2. Kerberos version 5 (corrects security deficiencies of version 4 and is issued as an Internet standard)
Kerberos Requirements
• The motivation for Kerberos comes from the following requirements:
• Users must prove their identity to the servers for each service.
• Servers must also prove their identity to the clients or users.
• The first report on Kerberos identified the following requirements:
• 1. Secure: An attacker should not be able to obtain the information needed to appear as a user. That is, Kerberos should be strong enough that an opponent does not find it to be the weak link.
• 2. Reliable: Kerberos should be highly reliable and should employ a distributed server architecture, with one system able to back up another.
• 3. Transparent: Users should not be aware that authentication is taking place.
• 4. Scalable: It should be capable of supporting a large number of clients and servers.
Kerberos Requirements
• To satisfy these requirements, Kerberos is implemented as a third-party authentication service using an authentication protocol.
• Kerberos is trusted because both client and server trust Kerberos to mediate their mutual authentication.
Kerberos Version 4
Kerberos version 4 Overview:
• It is a basic third-party authentication scheme.
• Version 4 of Kerberos makes use of the DES algorithm.
• In a distributed client/server architecture, Kerberos provides user authentication by using one or more Kerberos servers.
• The different approaches to security are as follows:
• 1. Simple Authentication Dialogue:
• In this approach an Authentication Server (AS) is used that maintains the usernames and passwords of all users and stores them in a centralized database.
• The AS shares a unique secret key with each server, and these keys are distributed in a secure manner.
Kerberos Version 4
• When any client makes a request from its workstation to some server for service, the following process takes place:
• C = client, AS = Authentication Server, V = server, IDc = identifier of the user on client C.
• IDv = identifier of server V, Pc = password of the user on client C, ADc = network address of C.
• Kv = secret encryption key shared by AS and V.
• 1. The user logs on to the workstation (client C) and requests access to server V for service.
• 2. C, in the client workstation, requests the user's password and then sends a message to the AS that contains the user's ID, the user's password and the server's ID.
Kerberos Version 4
• Message from client to AS = (IDc, Pc, IDv)
• 3. The AS now checks the pair IDc and Pc in its database to see whether the user has given the proper password and whether the user is permitted to use server V.
• 4. If both tests are passed, the AS accepts the user as authentic and then tells the server that the user is authentic.
• To do this, the AS creates a ticket that contains the user's ID, the user's network address and the server's ID.
• 5. The ticket is encrypted using the secret key shared by the AS and this server.
• So, Ticket = E[IDc, ADc, IDv]
• 6. The AS now sends this encrypted ticket to client C.
• Neither the client nor an opponent can alter the ticket because it is encrypted.
Kerberos Version 4
• 7. With this ticket, C can now apply to server V to use the service.
• 8. For this, client C sends a message to server V containing the ID of client C and the ticket.
• Message = [IDc, Ticket]
• 9. Server V decrypts the ticket and verifies that the user's ID in the ticket is the same as the unencrypted user ID in the message.
• 10. If these two match, the server is assured that the user is authenticated.
• 11. The server now allows the requested service to the client.
Kerberos Version 4
• The first problem with this scheme is that each time the client requests a new service, it needs a new ticket from the AS.
• The second problem is that this scheme sends the password in plaintext, hence its security is vulnerable.
• Consider the following dialogue:
• 1. C → AS : IDc, Pc, IDv
• 2. AS → C : Ticket
• 3. C → V : IDc, Ticket
• Ticket = E[IDc, ADc, IDv]
Kerberos Version 4
• More Secure Authentication Dialogue:
• This scheme uses the Ticket Granting Server (TGS).
• The function of the TGS is to issue tickets to users who have been authenticated by the AS.
• The user requests a ticket-granting ticket (Ticket_tgs) from the AS.
• The client saves this ticket on the user's workstation.
• Whenever the user wants to access a new service, the client requests it from the TGS, using the ticket to authenticate itself.
• The TGS then grants a ticket for the particular service.
• The client saves each service-granting ticket issued by the TGS for later use, to authenticate its user to the server whenever the user requests that particular service.
Kerberos Version 4
• The new message dialogue is:
• 1. Request from client to AS:  C → AS : IDc, IDtgs
• 2. Response from AS to C:  AS → C : Ek(Ticket_tgs)
• 3. Request from client to TGS:  C → TGS : IDc, IDv, Ticket_tgs
• 4. Response from TGS to client:  TGS → C : Ticket_v
• 5. Message from client to server:  C → V : IDc, Ticket_v
• Here, Ticket_tgs = E(Ktgs, [IDc, ADc, IDtgs, TS1, Lifetime1])
• Ticket_v = E(Kv, [IDc, ADc, IDv, TS2, Lifetime2])
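The five-message dialogue above, with the checks the TGS and the server V apply to a presented ticket, as an added Python example (not part of the original slides). DES is swapped for a hash-keystream-plus-HMAC stand-in so that it runs on the standard library alone; the principal names, keys, addresses and the reading of Ek as a key derived from the user's password are assumptions.

```python
import hashlib
import hmac
import json
import secrets


def _stream(key, nonce, n):
    out, i = b"", 0
    while len(out) < n:
        out += hashlib.sha256(b"enc" + key + nonce + i.to_bytes(4, "big")).digest()
        i += 1
    return out[:n]


def seal(key, fields):
    """Stand-in for E(K, [...]): hash keystream XOR plus an HMAC tag (not DES)."""
    plain = json.dumps(fields).encode()
    nonce = secrets.token_bytes(16)
    body = bytes(a ^ b for a, b in zip(plain, _stream(key, nonce, len(plain))))
    return nonce + hmac.new(key, nonce + body, hashlib.sha256).digest() + body


def unseal(key, blob):
    """Return the sealed fields, or None if the key is wrong or a bit was changed."""
    nonce, mac, body = blob[:16], blob[16:48], blob[48:]
    good = hmac.new(key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, good):
        return None
    return json.loads(bytes(a ^ b for a, b in zip(body, _stream(key, nonce, len(body)))))


# Constructed sample keys and principals (hypothetical names).
K_TGS = b"key shared by AS and TGS"
SERVER_KEYS = {"fileserver": b"key shared by TGS and fileserver"}
USER_KEYS = {"alice": hashlib.sha256(b"constructed-password").digest()}


def as_issue(id_c, ad_c, now, lifetime=3600):
    """Messages 1-2: AS returns Ticket_tgs wrapped under the user's key (assumed Ek)."""
    if id_c not in USER_KEYS:
        return None
    ticket_tgs = seal(K_TGS, [id_c, ad_c, "tgs", now, lifetime])
    return seal(USER_KEYS[id_c], ticket_tgs.hex())


def check_ticket(key, ticket, id_c, ad_c, service, now):
    """Checks a server (TGS or V) applies to a ticket presented together with IDc."""
    fields = unseal(key, ticket)
    if fields is None:
        return "forged-or-altered"
    t_id, t_ad, t_service, ts, lifetime = fields
    if t_id != id_c:
        return "id-mismatch"
    if t_ad != ad_c:
        return "address-mismatch"
    if t_service != service:
        return "wrong-service"
    if not ts <= now <= ts + lifetime:
        return "expired"
    return "ok"


def tgs_issue(id_c, id_v, ticket_tgs, ad_c, now, lifetime=300):
    """Messages 3-4: TGS validates Ticket_tgs, then issues Ticket_v under Kv."""
    if id_v not in SERVER_KEYS:
        return None
    if check_ticket(K_TGS, ticket_tgs, id_c, ad_c, "tgs", now) != "ok":
        return None
    return seal(SERVER_KEYS[id_v], [id_c, ad_c, id_v, now, lifetime])


def run_dialogue():
    k_c = hashlib.sha256(b"constructed-password").digest()   # derived on the workstation
    wrapped = as_issue("alice", "10.0.0.5", now=1000)        # password never sent
    ticket_tgs = bytes.fromhex(unseal(k_c, wrapped))
    ticket_v = tgs_issue("alice", "fileserver", ticket_tgs, "10.0.0.5", now=1010)
    k_v = SERVER_KEYS["fileserver"]
    flipped = ticket_v[:-1] + bytes([ticket_v[-1] ^ 1])
    args = ("10.0.0.5", "fileserver", 1020)
    return {                                                  # message 5 as seen by V
        "genuine": check_ticket(k_v, ticket_v, "alice", *args),
        "other_user": check_ticket(k_v, ticket_v, "mallory", *args),
        "other_host": check_ticket(k_v, ticket_v, "alice", "10.0.0.99", "fileserver", 1020),
        "after_lifetime": check_ticket(k_v, ticket_v, "alice", "10.0.0.5", "fileserver", 2000),
        "altered": check_ticket(k_v, flipped, "alice", *args),
        "wrong_password": unseal(hashlib.sha256(b"guess").digest(), wrapped) is None,
    }


if __name__ == "__main__":
    print(run_dialogue())
```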
Kerberos v4 Dialogue
IS UNIT 3 PPT- PART 2.pptx is very helpful for engineering students of any Electronics and Communication batch
Kerberos Realms
• A full-service Kerberos environment, consisting of a Kerberos server, a number of clients and a number of application servers, requires the following:
• The Kerberos server must have the user ID of every participating user.
• It must have the hashed password of every participating user.
• Kerberos must share a secret key with all participating users.
• All users are registered with the Kerberos server.
• All servers are registered with the Kerberos server.
• An environment that provides all of these is called a "Kerberos realm".
• A realm is typically a single administrative domain.
• If there are multiple realms, i.e. a connection between two realms, their Kerberos servers must share keys and trust each other.
Kerberos Realms
Kerberos Version 5
• Developed in the mid 1990s
• Specified as Internet standard RFC 1510
• Provides improvements over v4
– addresses environmental shortcomings
  • encryption algorithm, network protocol, byte order, ticket lifetime, authentication forwarding, inter-realm authentication
– and technical deficiencies
  • double encryption, non-standard mode of use, session keys, password attacks
Kerberos v5 Dialogue
X.509 Authentication Service
• It is part of the CCITT X.500 directory service standards.
• Distributed servers maintain a user information database.
• It defines a framework for authentication services provided by the X.500 directory to its users.
• The directory may store public-key certificates.
• Each certificate contains the public key of a user, signed with the private key of a certification authority.
• It also defines authentication protocols.
• X.509 is an important standard because the certificate structure and authentication protocols defined in X.509 are used in various contexts.
• For example, X.509 certificates are used in IP security and SSL/TLS.
• It has 3 versions. X.509 was initially issued in 1988 and version 2 was issued in 1993.
• The third version was issued in 1995 and revised again in 2000.
• Version 3 resolves some security concerns and the limited flexibility of versions 1 and 2.
• It is based on public-key cryptography and digital signatures.
• The standard does not dictate specific algorithms, but RSA is recommended.
• The digital signature uses a hash function, which is not specified.
• X.509 certificates are widely used.
X.509 Certificate Use
X.509 Certificates
• The use of CAs has created a side effect: each certificate may have a different format.
• So certificates that need to be used universally must have a universal format.
• The heart of the X.509 scheme is the public-key certificate associated with each user.
• X.509 is the way to describe a certificate in a structured way.
• These user certificates are issued by a trusted Certification Authority (CA) and placed in a directory by the CA.
X.509 Certificates
• Every X.509 certificate has a format that contains the following elements:
– 1. Version V (1, 2, or 3): This field specifies the version of the certificate format. The default version is 1. If the issuer unique identifier is present, the version is 2.
– 2. Serial Number: An integer, unique within the issuing CA, that identifies the certificate.
– 3. Signature algorithm identifier AI: This field identifies the algorithm used by the CA to sign the certificate.
– 4. Issuer X.500 name (CA): This field consists of the name of the Certification Authority that created and signed the certificate.
– 5. Period of validity (TA): This field consists of two dates, the first and last on which the certificate is valid.
– 6. Subject (user) name (name of owner): This field consists of the name of the user whose public key is certified by this certificate.
– 7. Subject (user) public-key information (algorithm, parameters, key): This field consists of the public key of the user, with an identifier of the algorithm for which this key is used and any associated parameters.
– 8. Issuer unique identifier (v2, v3): This field is optional and present in versions 2 and 3. It is a unique integer number used to identify an issuer, i.e. to identify the CA.
X.509 Certificates
– 9. Subject (user) unique identifier (v2, v3): This is also an optional field present in versions 2 and 3. It is a unique integer number used to identify a user.
– 10. Extension fields (v3): This field is present in version 3. It is a set of one or more extension fields.
– 11. Signature: It covers all other fields of the certificate. It contains the hash code of the other fields, encrypted with the CA's private key. This field includes the signature algorithm identifier.
• The standard uses the following notation to define a certificate:
• CA<<A>> = CA[V, SN, AI, CA, UCA, A, UA, Ap, Ta]
Notation:
CA<<A>> = the certificate of user A, signed and issued by certification authority CA
CA[I] = the signing of I by CA; it consists of I with an encrypted hash code appended
V = version of the certificate
SN = serial number of the certificate
AI = identifier of the algorithm used to sign the certificate
CA = name of the certification authority
UCA = optional unique identifier of the CA
A = name of the user A
UA = optional unique identifier of the user A
Ap = public key of user A
Ta = period of validity of the certificate
The CA signs the certificate with its private key.
If the corresponding public key is known to a user, then that user can verify that a certificate signed by the CA is valid.
X.509 Certificates
Certificate Revocation
• In some cases a certificate must be revoked before its expiration.
• Certificates have a period of validity.
• A certificate may need to be revoked before expiry, e.g.:
1. the user's private key is compromised
2. the user is no longer certified by this CA
3. the CA's certificate is compromised
• CAs maintain a list of revoked certificates:
– the Certificate Revocation List (CRL)
• Users should check certificates against the CA's CRL.
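The checks a relying user performs on a certificate written in the CA<<A>> notation above (CA signature, period of validity, CRL lookup), as an added Python example that is not part of the original slides. The CA key is a toy RSA key built from two Mersenne primes so that no crypto library is needed; the names, serial number, algorithm label and dates are constructed.

```python
import hashlib
import json

# Toy RSA key pair for the CA (constructed; far too small for real use).
P, Q = 2**127 - 1, 2**89 - 1
N, E = P * Q, 65537                      # CA public key
D = pow(E, -1, (P - 1) * (Q - 1))        # CA private exponent

# Field order from the notation CA<<A>> = CA[V, SN, AI, CA, UCA, A, UA, Ap, Ta]
FIELDS = ("V", "SN", "AI", "CA", "UCA", "A", "UA", "Ap", "Ta")


def digest(cert):
    """Hash code over the certificate fields, reduced to fit the toy modulus."""
    data = json.dumps([cert[f] for f in FIELDS]).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def ca_sign(fields):
    """CA[I]: I with its hash code, transformed under the CA private key, appended."""
    return dict(fields, signature=pow(digest(fields), D, N))


def verify(cert, ca_name, ca_pub, crl, today):
    """Return the first failed check, or 'valid' if every check passes."""
    n, e = ca_pub
    if cert["CA"] != ca_name:
        return "unknown-issuer"
    if pow(cert["signature"], e, n) != digest(cert):
        return "bad-signature"           # some field changed after signing
    not_before, not_after = cert["Ta"]
    if not not_before <= today <= not_after:   # ISO dates compare as strings
        return "outside-validity"
    if cert["SN"] in crl:
        return "revoked"                 # listed on the CA's CRL before expiry
    return "valid"


def demo():
    fields = {
        "V": 3, "SN": 1001, "AI": "sha256-toyRSA", "CA": "Example CA",
        "UCA": None, "A": "alice", "UA": None,
        "Ap": "constructed-public-key-of-alice",
        "Ta": ("2024-01-01", "2024-12-31"),
    }
    cert = ca_sign(fields)
    pub = (N, E)
    renamed = dict(cert, A="mallory")    # subject name changed, signature kept
    return [
        verify(cert, "Example CA", pub, set(), "2024-06-01"),
        verify(renamed, "Example CA", pub, set(), "2024-06-01"),
        verify(cert, "Example CA", pub, set(), "2025-02-01"),
        verify(cert, "Example CA", pub, {1001}, "2024-06-01"),
        verify(cert, "Other CA", pub, set(), "2024-06-01"),
    ]


if __name__ == "__main__":
    print(demo())
```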
