Computer Network Security Ticket

Document Sample
Computer Network Security Ticket Powered By Docstoc
					Authentication Applications
   Network Systems Security

         Mort Anvari
Authentication Applications
   Developed to support application-level
    authentication and digital signatures
   A famous example is Kerberos – a
    password authentication service

10/21/2004                                   2
   Trusted key server system from MIT
   Provide centralized password third-party
    authentication in a distributed network
        allow users access to services distributed through
        without needing to trust all workstations
        instead all trust a central authentication server
   Two versions in use: 4 & 5

10/21/2004                                                    3
Kerberos Requirements
   First published report identified its
    requirements as
        security
        reliability
        transparency
        scalability
   Implemented using an authentication
    protocol based on Needham-Schroeder

10/21/2004                                  4
Kerberos 4 Overview
   A basic third-party authentication scheme
   Have an Authentication Server (AS)
        users initially negotiate with AS to identify self
        AS provides a non-corruptible authentication
         credential (ticket granting ticket, TGT)
   Have a Ticket-Granting Server (TGS)
        users subsequently request access to other
         services from TGS on basis of users TGT

10/21/2004                                                    5
First Design
   (1)C  AS:      IDc||Pc||IDv
   (2)AS  C:      Ticket
   (3)C  V:       IDc||Ticket
   Ticket = EKv   [IDc||ADc||IDv]

10/21/2004                          6
Problems with First Design
   User may have to submit password
    many times in the same logon session
   Password is transmitted in clear

10/21/2004                                 7
Second Design
Once per user logon session:
  (1) C  AS:         IDc||IDtgs
  (2) AS  C:          EKc [Tickettgs]
Once per type of service:
  (3) C  TGS:        IDc||IDv||Tickettgs
  (3) TGS  C:        Ticketv
Once per service session:
  (3) C  V:          IDc||Ticketv
  Tickettgs = EKtgs [IDc||ADc||IDtgs||TS1||Lifetime1]
  Ticketv = EKv [IDc||ADc||IDv||TS2||Lifetime2]

10/21/2004                                              8
Problems with Second Design
   Requirement for server (TGS or
    application server) to verify that the
    person using a ticket is the same
    person to whom ticket was issued
   Requirement for server to authenticate
    themselves to users

10/21/2004                                   9
Kerberos 4 Message Exchange

10/21/2004                10
Kerberos 4 Overview

10/21/2004            11
Kerberos Realms
   Kerberos environment consists of
        a Kerberos server
        a number of clients, all registered with server
        application servers, sharing keys with server
   This is termed a “realm”
        typically within a single administrative domain
   If have multiple realms, their Kerberos
    servers must share keys and trust each other

10/21/2004                                                 12
Request Service in Another Realm

10/21/2004                     13
Kerberos Version 5
   Developed in mid 1990’s
   Provide improvements over Version 4
        addresses environmental shortcomings
                encryption alg, network protocol, byte order, ticket
                 lifetime, authentication forwarding, interrealm auth
        and technical deficiencies
                double encryption, non-std mode of use, session keys,
                 password attacks
   Specified as Internet standard RFC 1510

10/21/2004                                                               14
Kerberos 5 Message Exchange

10/21/2004                15
Next Class
   Certificate and authorization
   Firewall and access control

10/21/2004                          16

Shared By:
Description: Computer Network Security Ticket