Kerberos Presentation: Provides a centralized authentication server to authenticate users to servers and servers to users. Relies on conventional encryption, making no use of public-key encryption Two versions: version 4 and 5 Version 4 makes use of DES
Download as PPT, PDF0 likes8 views
The document discusses Kerberos authentication, focusing on security concerns such as confidentiality and replay attacks, and outlines the mechanisms of both Kerberos versions 4 and 5. It emphasizes the centralized approach to authentication and the need for compatible applications across networks, while also addressing the limitations imposed by export restrictions on encryption technologies. Additionally, the document briefly reviews X.509 authentication services and the process of certificate management.
![8
A Simple Authentication
A Simple Authentication
Dialogue
Dialogue
(1) C AS: IDc || Pc || IDv
(2) AS C: Ticket
(3) C V: IDc || Ticket
Ticket = EKv[IDc || Pc || IDv]](https://image.slidesharecdn.com/kerberos-241106091948-352ac578/85/Kerberos-Presentation-Provides-a-centralized-authentication-server-to-authenticate-users-to-servers-and-servers-to-users-Relies-on-conventional-encryption-making-no-use-of-public-key-encryption-Two-versions-version-4-and-5-Version-4-makes-use-of-DES-8-320.jpg)
![10
Version 4 Authentication Dialogue
Version 4 Authentication Dialogue
Authentication Service Exhange: To obtain Ticket-Granting Ticket
(1) C AS: IDc || IDtgs ||TS1
(2) AS C: EKc [Kc,tgs|| IDtgs || TS2 || Lifetime2 || Tickettgs]
Ticket-Granting Service Echange: To obtain Service-Granting Ticket
(3) C TGS: IDv ||Tickettgs ||Authenticatorc
(4) TGS C: EKc [Kc,¨v|| IDv || TS4 || Ticketv]
Client/Server Authentication Exhange: To Obtain Service
(5) C V: Ticketv || Authenticatorc
(6) V C: EKc,v[TS5 +1]](https://image.slidesharecdn.com/kerberos-241106091948-352ac578/85/Kerberos-Presentation-Provides-a-centralized-authentication-server-to-authenticate-users-to-servers-and-servers-to-users-Relies-on-conventional-encryption-making-no-use-of-public-key-encryption-Two-versions-version-4-and-5-Version-4-makes-use-of-DES-10-320.jpg)
Kerberos Presentation: Provides a centralized authentication server to authenticate users to servers and servers to users. Relies on conventional encryption, making no use of public-key encryption Two versions: version 4 and 5 Version 4 makes use of DES
- 2. 2 Outline Outline • Security Concerns • Kerberos • X.509 Authentication Service • Recommended reading and Web Sites
- 3. 3 Security Concerns Security Concerns • key concerns are confidentiality and timeliness • to provide confidentiality must encrypt identification and session key info • which requires the use of previously shared private or public keys • need timeliness to prevent replay attacks • provided by using sequence numbers or timestamps or challenge/response
- 4. 4 KERBEROS KERBEROS In Greek mythology, a many headed dog, the guardian of the entrance of Hades
- 5. 5 KERBEROS KERBEROS • Users wish to access services on servers. • Three threats exist: – User pretend to be another user. – User alter the network address of a workstation. – User eavesdrop on exchanges and use a replay attack.
- 6. 6 KERBEROS KERBEROS • Provides a centralized authentication server to authenticate users to servers and servers to users. • Relies on conventional encryption, making no use of public-key encryption • Two versions: version 4 and 5 • Version 4 makes use of DES
- 7. 7 Kerberos Version 4 Kerberos Version 4 • Terms: – C = Client – AS = authentication server – V = server – IDc = identifier of user on C – IDv = identifier of V – Pc = password of user on C – ADc = network address of C – Kv = secret encryption key shared by AS an V – TS = timestamp – || = concatenation
- 8. 8 A Simple Authentication A Simple Authentication Dialogue Dialogue (1) C AS: IDc || Pc || IDv (2) AS C: Ticket (3) C V: IDc || Ticket Ticket = EKv[IDc || Pc || IDv]
- 9. 9 Version 4 Authentication Version 4 Authentication Dialogue Dialogue • Problems: – Lifetime associated with the ticket-granting ticket – If too short repeatedly asked for password – If too long greater opportunity to replay • The threat is that an opponent will steal the ticket and use it before it expires
- 10. 10 Version 4 Authentication Dialogue Version 4 Authentication Dialogue Authentication Service Exhange: To obtain Ticket-Granting Ticket (1) C AS: IDc || IDtgs ||TS1 (2) AS C: EKc [Kc,tgs|| IDtgs || TS2 || Lifetime2 || Tickettgs] Ticket-Granting Service Echange: To obtain Service-Granting Ticket (3) C TGS: IDv ||Tickettgs ||Authenticatorc (4) TGS C: EKc [Kc,¨v|| IDv || TS4 || Ticketv] Client/Server Authentication Exhange: To Obtain Service (5) C V: Ticketv || Authenticatorc (6) V C: EKc,v[TS5 +1]
- 11. 11 Overview of Kerberos Overview of Kerberos
- 12. 12 Request for Service in Request for Service in Another Realm Another Realm
- 13. 13 Difference Between Difference Between Version 4 and 5 Version 4 and 5 • Encryption system dependence (V.4 DES) • Internet protocol dependence • Message byte ordering • Ticket lifetime • Authentication forwarding • Interrealm authentication
- 14. 14 Kerberos Encryption Techniques Kerberos Encryption Techniques
- 16. 16 Kerberos - in practice Kerberos - in practice • Currently have two Kerberos versions: • 4 : restricted to a single realm • 5 : allows inter-realm authentication, in beta test • Kerberos v5 is an Internet standard • specified in RFC1510, and used by many utilities • To use Kerberos: • need to have a KDC on your network • need to have Kerberised applications running on all participating systems • major problem - US export restrictions • Kerberos cannot be directly distributed outside the US in source format (& binary versions must obscure crypto routine entry points and have no encryption) • else crypto libraries must be reimplemented locally
- 17. 17 X.509 Authentication X.509 Authentication Service Service • Distributed set of servers that maintains a database about users. • Each certificate contains the public key of a user and is signed with the private key of a CA. • Is used in S/MIME, IP Security, SSL/TLS and SET. • RSA is recommended to use.
- 19. 19 Typical Typical Digital Signature Digital Signature Approach Approach
- 20. 20 Obtaining a User’s Obtaining a User’s Certificate Certificate • Characteristics of certificates generated by CA: – Any user with access to the public key of the CA can recover the user public key that was certified. – No part other than the CA can modify the certificate without this being detected.
- 21. 21 X.509 CA Hierarchy X.509 CA Hierarchy
- 22. 22 Revocation of Certificates Revocation of Certificates • Reasons for revocation: – The users secret key is assumed to be compromised. – The user is no longer certified by this CA. – The CA’s certificate is assumed to be compromised.
- 24. 24 Recommended Reading and Recommended Reading and WEB Sites WEB Sites • www.whatis.com (search for kerberos) • Bryant, W. Designing an Authentication System: A Dialogue in Four Scenes. http://web.mit.edu/kerberos/www/dialogue.html • Kohl, J.; Neuman, B. “The Evolotion of the Kerberos Authentication Service” http://web.mit.edu/kerberos/www/papers.html • http://www.isi.edu/gost/info/kerberos/