IT 221: Introduction to Information Security Principles
Lecture 8: Authentication Applications
For Educational Purposes Only
Revised: October 20, 2002


Slide 2: Lecture Outline
(August 28, 2002, IT 221: Introduction to Information Security Principles, For Educational Purposes Only)

Outline:
- Context and Overview
- Security Concerns: Problem Statement
- Security Concerns: Network Threats
- Kerberos: Background
- Kerberos: Basics
- Kerberos: Terms
- Simple Dialogue: Steps
- Simple Dialogue: Steps (Cont)
- Version 4 Dialogue Examples
- Kerberos: Pictorial
- Version 4 Problems
- Version 5 Realms
- Kerberos in Practice
- Resources

Slide 3: Context and Overview

Context [2]: In today's distributed computing environment, consisting of dedicated user workstations and servers, three approaches to security can be envisioned:
(1) Rely on each workstation to assure user identities, and rely on each server to enforce a security policy based on user IDs.
(2) Require that client systems authenticate themselves to servers, but trust the client system concerning the identity of its user.
(3) Require the user to prove identity for each service invoked. Also require that servers prove their identity to clients.

Issues [2]: In a small, closed environment, in which all systems are owned and operated by one IT group, the first or perhaps second strategy might suffice. But in a more open environment, the third approach is needed to protect user information and resources housed on the server. This lecture focuses on one of the most widely used services supporting this third approach: Kerberos.

Slide 4: Security Concerns: Problem Statement

Problem Statement [2]: Assume an open, distributed environment in which users at workstations wish to access services on servers distributed across the network. Servers need to restrict access to authorized users and to authenticate requests for service. In this environment, a workstation cannot be trusted to identify its users correctly to network services. Specifically, three types of network threats exist:

Slide 5: Security Concerns: Network Threats

Network Threats [2]:
(1) A user may gain access to a particular workstation and pretend to be another user operating from that workstation.
(2) A user may alter the network address of a workstation so that requests sent from the altered workstation appear to come from the impersonated workstation.
(3) A user may eavesdrop on exchanges and use a replay attack to gain entrance to a server or to disrupt operations.
In any of these cases, an unauthorized user may be able to gain access to services and/or data that s/he is not authorized to access.

Slide 6: Kerberos: Background

Background [2]:
(1) Authentication service developed as part of Project Athena at MIT. Overcomes the aforementioned security concerns.
(2) Named after Kerberos, the three-headed guard dog of Hades in Greek mythology.
(3) Rather than building elaborate authentication protocols into each server (which is exponentially expensive in labor and cost), Kerberos provides a centralized authentication server that functions as a broker between users and servers.

Slide 7: Kerberos: Basics

Basics [3]:
- Provides a centralized authentication server (AS) to authenticate users to servers and servers to users.
- Relies on conventional (symmetric) encryption, making no use of public-key encryption.
- Two versions: version 4 and version 5.
- Version 4 makes use of DES.

Slide 8: Kerberos: Terms

Terms [2]:
C = client
AS = authentication server
V = server
IDc = identifier of user on C
IDv = identifier of V
Pc = password of user on C
ADc = network address of C
Kv = secret encryption key shared by AS and V
TS = timestamp
|| = concatenation

Slide 9: Simple Dialogue: Steps

Steps [2]:
(1) User logs into the workstation and requests access to server V.
(2) Client module C in the workstation requests the user's password and then sends a message to the authentication server AS that includes the user's ID, the server's ID, and the user's password.
(3) AS checks its database for proper authentication, and whether the user has authorization to access server V.
(4) If both tests are passed, the AS accepts the user as authentic and must now convince server V that the user is authentic.
(4.1) AS creates a ticket that includes the user's ID and network address and the server's ID. The ticket is encrypted with a key shared by AS and V.
(4.2) The encrypted ticket is sent back to client C.
(5) With the newly generated ticket, C can now apply to V for service by sending a message to V containing C's ID and the ticket.

Slide 10: Simple Dialogue: Steps (Cont)

Steps [2]:
(6) With the ticket, C can now apply to V for service by sending a message to V containing C's ID and the ticket.
(6.1) V decrypts the ticket and verifies that the user ID in the ticket is the same as the unencrypted user ID in the message.
(6.2) If the two match, the server considers the user authenticated and grants the requested service.
(7) Simply stated:
(7.1) C -> AS: IDc || Pc || IDv
(7.2) AS -> C: Ticket
(7.3) C -> V: IDc || Ticket

Slide 11: Version 4 Dialogue Examples

Authentication Service Exchange: to obtain a ticket-granting ticket [3]
(1) C -> AS: IDc || IDtgs || TS1
(2) AS -> C: E_Kc[Kc,tgs || IDtgs || TS2 || Lifetime2 || Ticket_tgs]

Ticket-Granting Service Exchange: to obtain a service-granting ticket [3]
(3) C -> TGS: IDv || Ticket_tgs || Authenticator_c
(4) TGS -> C: E_Kc,tgs[Kc,v || IDv || TS4 || Ticket_v]

Client/Server Authentication Exchange: to obtain service [3]
(5) C -> V: Ticket_v || Authenticator_c
(6) V -> C: E_Kc,v[TS5 + 1]
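The simple dialogue of slides 9 and 10 and the three Version 4 exchanges above, carried through as a runnable simulation. This is an added example, not code from the lecture or from MIT Kerberos: the cipher is a toy standard-library construction (SHA-256 keystream plus HMAC tag) standing in for DES, the AS and TGS are folded into one KDC object, the clock-skew tolerance SKEW and the 300-second service-ticket lifetime are assumptions, and the names (KDC, check, client_session, server_exchange) and the sample principal alice / fileserver / 10.0.0.7 are all constructed. What it shows beyond the message list is where each party does its checking: the password is used only on C to derive Kc, every ticket is opened only by the server whose key sealed it, the authenticator must agree with the ticket's IDc and ADc and be fresh, and message (6) returning TS5 + 1 is what lets C conclude that V really holds Kv.

```python
import hashlib, hmac, json, os

# Toy authenticated encryption (SHA-256 keystream + HMAC tag), a constructed
# stand-in for Version 4's DES; not the Kerberos cipher and not lecture code.
def _stream(key, nonce, n):
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(n // 32 + 1))

def encrypt(key, fields):
    """E_key[f1 || f2 || ...]: the concatenated fields travel as one JSON object."""
    plain = json.dumps(fields, sort_keys=True).encode()
    nonce = os.urandom(16)
    body = nonce + bytes(p ^ s for p, s in zip(plain, _stream(key, nonce, len(plain))))
    return (hmac.new(key, body, "sha256").digest() + body).hex()

def decrypt(key, blob):
    raw = bytes.fromhex(blob)
    tag, body = raw[:32], raw[32:]
    if not hmac.compare_digest(tag, hmac.new(key, body, "sha256").digest()):
        raise ValueError("wrong key or tampered message")
    nonce, ct = body[:16], body[16:]
    return json.loads(bytes(c ^ s for c, s in zip(ct, _stream(key, nonce, len(ct)))))

def password_key(password):
    """Kc is derived from the password, so the password itself never leaves C."""
    return hashlib.sha256(password.encode()).digest()

SKEW = 300  # assumed tolerance (seconds) on authenticator timestamps

def check(ticket, auth, idv, now):
    """Checks every server (TGS or V) runs on a ticket and its authenticator."""
    if ticket["IDv"] != idv:
        raise ValueError("ticket was issued for a different server")
    if now > ticket["TS"] + ticket["lifetime"]:
        raise ValueError("ticket expired")
    if auth["IDc"] != ticket["IDc"] or auth["ADc"] != ticket["ADc"]:
        raise ValueError("authenticator does not match the ticket")
    if abs(now - auth["TS"]) > SKEW:
        raise ValueError("stale authenticator (possible replay)")

class KDC:
    """AS and TGS folded into one object holding the long-term keys (simplification)."""
    def __init__(self):
        self.kc = {}                        # IDc -> Kc
        self.kv = {"tgs": os.urandom(32)}   # IDv -> Kv; the TGS is itself a server

    def add_user(self, idc, password):
        self.kc[idc] = password_key(password)

    def add_server(self, idv):
        self.kv[idv] = os.urandom(32)
        return self.kv[idv]                 # handed to V out of band

    def _ticket(self, idv, idc, adc, now, lifetime):
        session = os.urandom(32).hex()      # fresh session key carried inside the ticket
        ticket = encrypt(self.kv[idv], {"key": session, "IDc": idc, "ADc": adc,
                                        "IDv": idv, "TS": now, "lifetime": lifetime})
        return session, ticket

    def as_exchange(self, idc, adc, ts1, lifetime=3600):
        # (1) C -> AS: IDc || IDtgs || TS1
        # (2) AS -> C: E_Kc[Kc,tgs || IDtgs || TS2 || Lifetime2 || Ticket_tgs]
        session, ticket_tgs = self._ticket("tgs", idc, adc, ts1, lifetime)
        return encrypt(self.kc[idc], {"key": session, "IDtgs": "tgs", "TS2": ts1,
                                      "lifetime2": lifetime, "ticket": ticket_tgs})

    def tgs_exchange(self, idv, ticket_tgs, auth, now):
        # (3) C -> TGS: IDv || Ticket_tgs || Authenticator_c
        # (4) TGS -> C: E_Kc,tgs[Kc,v || IDv || TS4 || Ticket_v]
        t = decrypt(self.kv["tgs"], ticket_tgs)
        k_c_tgs = bytes.fromhex(t["key"])
        check(t, decrypt(k_c_tgs, auth), "tgs", now)
        session, ticket_v = self._ticket(idv, t["IDc"], t["ADc"], now, 300)
        return encrypt(k_c_tgs, {"key": session, "IDv": idv, "TS4": now, "ticket": ticket_v})

def server_exchange(kv, idv, ticket_v, auth, now):
    # (5) C -> V: Ticket_v || Authenticator_c
    # (6) V -> C: E_Kc,v[TS5 + 1]   (only a holder of Kv could have read Kc,v)
    t = decrypt(kv, ticket_v)
    k_c_v = bytes.fromhex(t["key"])
    a = decrypt(k_c_v, auth)
    check(t, a, idv, now)
    return encrypt(k_c_v, {"TS5+1": a["TS"] + 1})

def client_session(kdc, kv, idc, password, adc, idv, now):
    """Client side of all six messages; True when V also authenticated itself to C."""
    kc = password_key(password)             # the only point where the password is used
    m2 = decrypt(kc, kdc.as_exchange(idc, adc, now))
    k_c_tgs = bytes.fromhex(m2["key"])
    auth_tgs = encrypt(k_c_tgs, {"IDc": idc, "ADc": adc, "TS": now})
    m4 = decrypt(k_c_tgs, kdc.tgs_exchange(idv, m2["ticket"], auth_tgs, now))
    k_c_v = bytes.fromhex(m4["key"])
    auth_v = encrypt(k_c_v, {"IDc": idc, "ADc": adc, "TS": now + 1})
    m6 = decrypt(k_c_v, server_exchange(kv, idv, m4["ticket"], auth_v, now + 1))
    return m6["TS5+1"] == now + 2

if __name__ == "__main__":
    kdc = KDC(); kdc.add_user("alice", "correct horse")   # constructed sample principal
    kv = kdc.add_server("fileserver")
    print(client_session(kdc, kv, "alice", "correct horse", "10.0.0.7", "fileserver", 1_000_000))
```

Running the file prints True. Feeding a wrong password fails at message (2), because C cannot open E_Kc[...]; presenting Ticket_tgs after Lifetime2 has elapsed fails inside check() with "ticket expired"; and handing Ticket_tgs to the file server fails because Kv for the file server cannot open a ticket sealed with the TGS key.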

Slide 12: Kerberos: Pictorial
(Diagram of the exchanges; the image is not included in the transcript.)

Slide 13: Version 4 Problems

Problems [3]:
- Lifetime associated with the ticket-granting ticket:
  - If too short, the user is repeatedly asked for the password.
  - If too long, there is greater opportunity for replay.
- The threat is that an opponent will steal the ticket and use it before it expires.
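The lifetime trade-off on this slide is what a server-side replay cache addresses: the ticket may still be valid, but the authenticator that accompanied it is remembered for as long as it could still count as fresh, so a captured copy is refused either as already used or as outside the clock-skew window. The lecture does not describe this mechanism; it is an added example written here, not lecture code, with ReplayCache, SKEW and the constructed sample timestamps and principal alice / 10.0.0.7 all assumed.

```python
SKEW = 300  # assumed clock-skew window (seconds) inside which an authenticator counts as fresh

class ReplayCache:
    """Record of the authenticators a server has accepted inside the skew window.
    A stolen ticket within its lifetime cannot be reused with a captured
    authenticator, because that (IDc, ADc, TS) has already been seen; and the
    captured authenticator cannot be held for later, because its TS then falls
    outside the window. Constructed example, not lecture code."""

    def __init__(self, skew=SKEW):
        self.skew = skew
        self.seen = {}          # (IDc, ADc, TS) -> time the server accepted it

    def accept(self, idc, adc, ts, now):
        """Returns (accepted, reason); call once per presented authenticator."""
        # Entries older than the window can never pass the freshness test again,
        # so forgetting them bounds the cache without weakening the check.
        self.seen = {k: v for k, v in self.seen.items() if now - k[2] <= self.skew}
        if abs(now - ts) > self.skew:
            return False, "authenticator outside the clock-skew window"
        key = (idc, adc, ts)
        if key in self.seen:
            return False, "authenticator already used (replay)"
        self.seen[key] = now
        return True, "ok"

def demo(skew=SKEW):
    """The replay the slide describes, run against one long-lived ticket (constructed times)."""
    cache = ReplayCache(skew)
    first = cache.accept("alice", "10.0.0.7", 1_000_000, now=1_000_001)    # genuine use
    replay = cache.accept("alice", "10.0.0.7", 1_000_000, now=1_000_030)   # captured copy, 30 s later
    held = cache.accept("alice", "10.0.0.7", 1_000_000, now=1_000_000 + skew + 1)  # copy held past the window
    fresh = cache.accept("alice", "10.0.0.7", 1_000_400, now=1_000_401)    # new authenticator, still accepted
    return first[0], replay[0], held[0], fresh[0]

if __name__ == "__main__":
    print(demo())   # (True, False, False, True)
```

The cache only closes the replay window down to the clock skew; the ticket lifetime still bounds how long a stolen ticket can be used with freshly forged authenticators, which is why the slide's trade-off does not disappear entirely.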

Slide 14: Version 5 Realms

Realms [2]:
(1) A full-service Kerberos environment consists of a Kerberos server, a number of clients, and a number of application servers.
(2) User IDs and hashed passwords are stored at each Kerberos server.
(3) Authenticated users can access services across realms.

Slide 15: Kerberos in Practice

In Practice [3]: Currently, two Kerberos versions:
- V4: restricted to a single realm.
- V5: allows inter-realm authentication and is an Internet standard.

To use Kerberos [3]:
- Need to have a KDC on your network.
- Need to have Kerberized apps running on all participating systems.
- Major problem: US export restrictions. Cannot be directly distributed outside the US in source format (and binary versions must obscure cryptographic routine entry points and have no encryption).

Slide 16: Resources

[1] Pfleeger, Charles. Security in Computing. Prentice Hall, 1997. Chapter 6.
[2] Stallings, William. Cryptography and Network Security. Prentice Hall, 1999. Chapter 11.
[3] Johnson, Hedric. Authentication Applications. Blekinge Institute of Technology, Sweden. Lecture based on Stallings, William. Cryptography and Network Security. Prentice Hall, 1999. Chapter 11.
