Docstoc

cnn ch ppt PowerPoint Ticket

Document Sample
cnn ch ppt PowerPoint  Ticket Powered By Docstoc
					              Xl.AUTHENTICATION
              APPLICATIONS
                        -Looking at one of the most widely used
                        services, which is known as Kerberos
                        -Examine the X.509 directory authentication
                        service




Cryptography & Network Security:
        CONTENTS…
       1. Kerberos


       2. X.509 Authentication service




Cryptography & Network Security:
        1.Kerberos
        Authentication service developed as part of
        Project Athena at MIT
        Threats in distributed environment
              Pretended to be another user
              IP Spoofing (network address altering)
              Eavesdropping and use replay attack
        Centralized authentication server
              Authenticate users to servers,servers to users
        Relies exclusively on conventional encryption
        Version 4 is still widely used

Cryptography & Network Security:
        1.Kerberos
           Motivation
                 Approaches to security
                      1. Security policy based on user
                       identification(ID)
                      2. Authenticate clients to servers, but trust
                       client system concerning identity of its user
                      3. Require the user to prove identity for each
                       service invoked
                 Third approach is supported by Kerberos

Cryptography & Network Security:
        1.Kerberos
         Motivation
               Requirements for Kerberos
                    Secure
                    Reliable
                    Transparent
                    Scalable
               Trusted third-party authentication service
                that uses a protocol based on that
                proposed by Needham and Schroeder


Cryptography & Network Security:
        1.Kerberos
        Kerveros Version 4
              Make use of DES, to provide the authentication
               service
        A simple Authentication Dialogue
              In an unprotected network environment, the obvious
               security risk is impersonation
              To counter this threat, servers must be able to
               confirm the identities of clients
              Authentication server
                   knows the password of all users and stores these in a
                    centralized database
                   Shares a unique secret key with each server

Cryptography & Network Security:
        1.Kerberos

               A Simple Authentication Dialogue
               1. C →AS : IDC,PC,IDV
                 2. AS →C : Ticket
                 3. C →V : IDC,Ticket
                   Ticket = EKv[IDC,ADC,IDV]




Cryptography & Network Security:
        1.Kerberos
             A more Secure Authentication Dialogue
                   Simple authentication dialogue’s problem
                        Too many times that user has to enter a
                           password
                                  User need a new ticket for every different service
                        Plaintext transmission of the password (M-1)


               →TGS(Ticket Granting Server)이용


Cryptography & Network Security:
        1.Kerberos
           A more Secure Authentication Dialogue
                 Once per user logon session
                    1.C  AS : IDC , IDtgs
                    2.AS  C : Ekc [Tickettgs]
                 Once per type of service
                    3.C  TGS : IDC , IDV , Tickettgs
                    4.TGS  C : Ticketv
                 Once per service session
                    5.C  V : IDC , Ticketv
                 Tickettgs = Ektgs [IDC,ADC,IDtgs, TS1,Lifetime1]
                 Ticketv = EKv[IDC,ADC,IDV,TS2,Lifetime2]
Cryptography & Network Security:
        1.Kerberos
           A more Secure Authentication Dialogue
                 Problem
                      TGS or an application service must be able to
                       prove that the person using a ticket is the same
                       person to whom that ticket was issued
                      Requirement for servers to authenticate
                       themselves to users




Cryptography & Network Security:
        1.Kerberos
        The version4 Authentication Dialogue
         1. C -> AS :IDC,IDTGS,TS1
         2. AS -> C : Ekc[Kc,tgs,IDtgs,TS2,L-time2,Tickettgs]
           Tickettgs = EKtgs[Kc,tgs,IDC,ADC,IDtgs,TS2,L-time2]
         3. C -> TGS : IDV,TicketTGS,Authenticatorc
         4. TGS -> C : EKc,tgs[Kc,v,IDv,TS4,TicketV]
           Ticketv = EKv[Kc,v,IDC,ADC,IDv,TS4,L-time4]
           Authenticatorc = EKc,tgs[IDC,ADC,TS3]
         5. C -> K : TicketV,Authenticatorc
         6. K -> C : EKc,v[TS5 +1]
           Authenticatorc = EKc,v[IDC,ADC,TS5]
Cryptography & Network Security:
        1.Kerberos

                  The version4 Authentication Dialogue
                1.       Client requests ticket-granting ticket
                2.       AS returns ticket-granting ticket
                3.       Client requests service-granting ticket
                4.       TGS returns service-granting ticket
                5.       Client requests service
                6.       Optional authentication of server to client




Cryptography & Network Security:
        1.Kerberos
                The version4 Authentication Dialogue




Cryptography & Network Security:
        1.Kerberos
                      Kerberos Realms and Multiple Kerberi
                            Service Kerberos environment requirement
                            1. All users are registered with Kerberos
                               server
                            2. All servers are registered with Kerbersos
                               server and share a secret key
                            3. The two Kerberos serves are registered and
                               shared a key with each other
                                (interoperating realm)
                            ※ 1,2 supported environment is referred to as
                               a realm

Cryptography & Network Security:
        1.Kerberos
             Kerberos Realms and Multiple Kerberi




Cryptography & Network Security:
        1.Kerberos
              Kerberos Realms and Multiple Kerberi
            1. C -> AS :IDC,IDTGS,TS1
            2. AS -> C : Ekc[Kc,tgs,IDtgs,TS2,L-time2,Tickettgs]
            3. C -> TGS :IDtgsrem,Tickettgs,Authenticatorc
            4. TGS -> C : EKc,tgs[Kc,tgsrem,,IDtgsrem,TS4,Tickettgsrem]
            5. C -> TGSrem :IDvrem,Tickettgsrem,Authenticatorc
            6. TGS -> C : Kc,tgsrem[kc,vrem,IDvrem,Tsb,Ticketvrem
            7. C -> Vrem : Ticket     vrem,   Authenticatorc



Cryptography & Network Security:
        1.Kerberos
              Kerberos Realms and Multiple Kerberi
             1. Request ticket for local TGS
             2. Ticket for local TGS
             3. Request ticket for remote TGS
             4. Ticket for remote TGS
             5. Request ticket for remote server
             6. Ticket for remote server
             7. Request remote service

Cryptography & Network Security:
        1.Kerberos

               Kerberos version 5
                     RFC 1510, provides a number of
                      improvements over version 4
                     Differences Between version 4 and 5
                          Environmental shortcomings
                          Technical deficiencies




Cryptography & Network Security:
        1.Kerberos

               Kerberos version 5
                     Differences Between version 4 and 5
                     Environmental shortcomings
                          Encryption system dependence
                          Internet protocol dependence
                          Message byte ordering
                          Ticket lifetime
                          Authentication forwarding
                          Inter-realm authentication


Cryptography & Network Security:
        1.Kerberos
           Kerberos version 5
                 Differences Between version 4 and 5
                 Technical deficiencies
                      Double encryption
                      PCBC encryption
                     ※ PCBC →Standard CBC
                      Session keys
                      Password attacks



Cryptography & Network Security:
        1.Kerberos
           The version 5 Authentication Dialogue
           1.Authentication service Exchange
             :To obtain ticket-granting ticket
                  (1) C -> AS :Option,IDC,Realmc,IDTGS,Timses,Nonce1
                  (2) AS -> C : Realmc, IDC, Tickettgs,
                               Ekc[Kc,tgs,Times, Nonce,Realmtgs ,IDTGS ]
               Tickettgs=
           EKtgs[Flags,Kc,tgs,RealmC,IDC,ADC,times]

Cryptography & Network Security:
        1.Kerberos
           The version 5 Authentication Dialogue
           2.Ticket-Granting Service Exchange
             :To obtain service-granting ticket
                  (3) C -> TGS :Options,IDV,Nonce2 Timses,
                                Tickettgs,AuthenicatorC
                  (4) TGS -> C : Realmc, IDC, TicketV,
                               Ekc,tgs[Kc,v,Times, Nonce2,RealmV ,IDV ]
                     TicketV =    EV[Flags,KC,V,RealmC,IDC,ADC,times]
                     AuthenicatorC= Ekc,tgs[IDC, Realmc, TS1]


Cryptography & Network Security:
        1.Kerberos
           The version 5 Authentication Dialogue
           3.Ticket-Granting Service Exchange
             :To obtain service
                  (5) C -> TGS :Options,TicketV,AuthenicatorC
                  (6) TGS -> C :EkC,V[TS2,Subkeys,Seq#]
                     TicketV =    EKv[Flags,KC,V,RealmC,IDC,ADC,times]
                     AuthenicatorC= EKC,V[IDC, Realmc, TS2,Subkeys,Seq#]




Cryptography & Network Security:
        1.Kerberos

               Ticket Flags
                     The flags field includede in tickets in
                      version 5 supports Expanded
                      functionality compared to V4
                     Reference to Table 11.4




Cryptography & Network Security:
        1.Kerberos

               The version 5 Authentication Dialogue
                     Subkey
                          For an encryption key to be used to protect
                             thic specific appplication session
                     Sequence number
                          An optional field that specifies the
                             starting sequence number to be used by the
                             server for messages sent to the client



Cryptography & Network Security:
        2.X.509 Authentication Service

               Overview
                     Directory
                          is a server or distributed set of servers
                           that maintains a database of information
                           about users
                          includes a mapping from user name to network
                           address, as well as other attributes and
                           information
                          may serve as a repository of public-key
                           certificates


Cryptography & Network Security:
        2.X.509 Authentication Service

               Overview
                     Was initially issued in 1988, and a third
                      version was drafted in 1995
                     Is based on the use of public-key
                      cryptography and digital signatures,
                     The standard does not dictate the use of
                      a specific algorithm and specific hash
                      algorithm

Cryptography & Network Security:
        2.X.509 Authentication Service

          Certificate
                The heart of the X.509 scheme is the public-key
                 certificate associated with each user
                Is based on the use of public-key cryptography
                 and digital signatures,
                The standard does not dictate the use of a
                 specific algorithm and specific hash algorithm
                The directory server merely provides an easily
                 accessible location for users to obtain
                 certificates

Cryptography & Network Security:
        2.X.509 Authentication Service
               Certificate (elements)




Cryptography & Network Security:
        2.X.509 Authentication Service

          Certificate
           CA<<A>>=CA{V,SN,AI,CA,TA,A,Ap}
           WHERE
                  - Y<<X>> : Certificate of user X issued
                 by certification authority Y
                  - Y{I} : The signing of I by Y



Cryptography & Network Security:
 2.X.509 Authentication Service

               Obtaining a User’s Certificate
                     User certificates generates by CA
                          Any user with access to the public key of
                           the CA can recover the user public key that
                           was certified
                          No party other than the certification
                           authority can modify the certificate without
                           this being detected



Cryptography & Network Security:
 2.X.509 Authentication Service

                    Obtaining a User’s Certificate
                         Hierarchical CAs
                           Two Cas have securely exchanged their own
                            public keys
                         1. A obtain, from the directory , the
                            certificate of X2 signed by X1
                         2. A then goes back to the directory and
                            obtains the certificate of B signed by X2
                              X1 <<X2>> X2<<B>>

Cryptography & Network Security:
 2.X.509 Authentication Service

                Revocation of Certificates
                     A new certificate is issued just before
                      the expiration of the old one
                     Occosion to revoke a certificates
                      The user’s secret key is assumed to be
                       compromised
                      The user is no longer certificated by the CA
                      The CA’s certificate is assumed to be
                       compromised
                     CRL:Certificate revocation list
Cryptography & Network Security:
        2.X.509 Authentication Service

               Authentication Procedure
                     One-Way Authentication
                         1. The identity of A and that the message was
                           generated by A
                         2. That the message was intended for B
                         3. The integrity and originality(it has not
                           been sent multiple times) of the message
                      Only the identity of the initiating
                      entity is verified in this process, not
                      that of the responding entity

Cryptography & Network Security:
        2.X.509 Authentication Service

          Authentication Procedure
                Two-Way Authentication
                    4. The identity of B and that the reply message
                      was generated by B
                    5. That the message was intednded for A
                    6. The integrity and originality of the reply
                Three-Way Authentication
                     This approach is needed when synchronized
                        clocks are not available

Cryptography & Network Security:
        2.X.509 Authentication Service

          X.509 Version 3
                The certificate extensions fall into three
                 main categries
                     Key and Policy Information
                     Certificates Subject and Issuer Attributes
                     Certification Path Constraints




Cryptography & Network Security:

				
DOCUMENT INFO
Shared By:
Categories:
Stats:
views:34
posted:12/19/2010
language:English
pages:36
Description: cnn ch ppt PowerPoint Ticket