Presentation is loading. Please wait.

Presentation is loading. Please wait.

Doc.: IEEE 802.11-00/292 Submission September 2000 Bob Beach and Jesse WalkerSlide 1 An Overview of the GSS-API and Kerberos Bob Beach, Symbol Technologies.

Published byRobert Bond Modified over 8 years ago

Similar presentations

Presentation on theme: "Doc.: IEEE 802.11-00/292 Submission September 2000 Bob Beach and Jesse WalkerSlide 1 An Overview of the GSS-API and Kerberos Bob Beach, Symbol Technologies."— Presentation transcript:

1 doc.: IEEE 802.11-00/292 Submission September 2000 Bob Beach and Jesse WalkerSlide 1 An Overview of the GSS-API and Kerberos Bob Beach, Symbol Technologies Jesse Walker, Intel Corporation

2 doc.: IEEE 802.11-00/292 Submission September 2000 Bob Beach and Jesse WalkerSlide 2 Purpose Provide the background to understand and evaluate the Symbol/Intel proposal to base 802.11 security services on the GSS-API

3 doc.: IEEE 802.11-00/292 Submission September 2000 Bob Beach and Jesse WalkerSlide 3 Agenda What is the GSS-API? GSS-API Mechanisms

4 doc.: IEEE 802.11-00/292 Submission September 2000 Bob Beach and Jesse WalkerSlide 4 What is the GSS-API? (1) Generic Security Services Applications Programming Interface, defined by RFC 2743 –RFC 2744 gives standard ‘C’ bindings, RFC 2853 for Java bindings –but we will use it as an abstract service interface The GSS-API interface is implemented by GSS- API mechanisms –each mechanism is a security system –interface is independent of mechanisms

5 doc.: IEEE 802.11-00/292 Submission September 2000 Bob Beach and Jesse WalkerSlide 5 What is the GSS-API? (2) Credentials Management –GSS_Acquire_cred, GSS_Release_cred, GSS_Add_cred, etc. Context Management –GSS_Init_sec_context, GSS_Accept_sec_context, GSS_Delete_sec_context, GSS_Inquire_context, GSS_Context_time, etc. Per-Message Calls –GSS_Wrap, GSS_Unwrap, etc. Support Calls –GSS_Import_name, GSS_Export_name, GSS_Display_status, etc.

6 doc.: IEEE 802.11-00/292 Submission September 2000 Bob Beach and Jesse WalkerSlide 6 The GSS-API Model Step 1: Establish a security context Step 2: Use established security context to secure message exchanges

7 doc.: IEEE 802.11-00/292 Submission September 2000 Bob Beach and Jesse WalkerSlide 7 Establishing a Security Context InitiatorResponder GSS_Init_sec_context Peer ID GSS_Accept_sec_context GSS_Init_sec_context Authentication Token + Continue OK Authentication Token + OK

8 doc.: IEEE 802.11-00/292 Submission September 2000 Bob Beach and Jesse WalkerSlide 8 Using a Security Context Peer 1Peer 2 GSS_Wrap GSS_Unwrap DataWrapped DataData

9 doc.: IEEE 802.11-00/292 Submission September 2000 Bob Beach and Jesse WalkerSlide 9 Agenda What is the GSS-API? GSS-API Mechanisms

10 doc.: IEEE 802.11-00/292 Submission September 2000 Bob Beach and Jesse WalkerSlide 10 Some GSS-API Mechanisms SPNEGO (RFC 2478) - negotiate the other mechanisms Kerberos (RFC 1510, RFC 1964) - centralized key server based on shared secrets SPKM (RFC 2025) - 1- and 2-way public key based authentication LIPKEY (RFC 2847) - one-way authentication a la SSL; a species of SPKM SRP (draft-ietf-cat-srpgm-xx.txt) - secure remote password; a species of SPKM SASL (draft-ietf-cat-sasl-gssapi-xx.txt) - one time password PKINIT (draft-ietf-cat-kerberos-pk-init-xx.txt) - use public key to register secret with Kerberos KDC

11 doc.: IEEE 802.11-00/292 Submission September 2000 Bob Beach and Jesse WalkerSlide 11 SPNEGO InitiatorResponder GSS_Init_sec_context GSS_Accept_sec_context GSS_Init_sec_context Kerberos, SRP, SPKM + Continue OK Kerberos + OK

12 doc.: IEEE 802.11-00/292 Submission September 2000 Bob Beach and Jesse WalkerSlide 12 What is Kerberos? Authentication and Key Distribution Protocol Developed in late 1980s, latest version is Rev 5 RFC 1510; RFC 1964 fits it into GSS-API framework Default authentication protocol in Windows 2000 Domain Login Widely deployed in UNIX shops

13 doc.: IEEE 802.11-00/292 Submission September 2000 Bob Beach and Jesse WalkerSlide 13 How does Kerberos work? Three major elements: –Principal: a user or system (username, password) –Services (FTP, email, telnet, RF services) –Key Distribution Center - maps principals to keys Three step model: –user mutually authenticates with KDC (KRB_AP_REQ/KRB_AP_REP exchange) –KDC issues user authorization to access a service (KRB_TGT_REQ/KRB_TGT_REP exchange) –user gains access to service by presenting authorization

14 doc.: IEEE 802.11-00/292 Submission September 2000 Bob Beach and Jesse WalkerSlide 14 User Authentication KRB_AP_REQ message asks the KDC for access to the Ticket Granting Service KDC creates a unique authentication key for authenticating self with Ticket Granting Service, encrypts it under the user’s password, and sends it back to the user in the KRB_AP_REQ message The user decrypts the message and gains access to the authentication key. Password is never sent over the airwaves

15 doc.: IEEE 802.11-00/292 Submission September 2000 Bob Beach and Jesse WalkerSlide 15 Issuing Authorization KRB_TGT_REQ asks for authorization to a particular service –message is protected with authentication key returned by KDC in KRB_AP_REP message KDC decrypts message and examines request. If request is OK, KDC creates a session key to be use between the user and the service. KRB_TGT_REP from KDC contains two copies of the session key, one encrypted under user’s authentication key, and other under service’s

16 doc.: IEEE 802.11-00/292 Submission September 2000 Bob Beach and Jesse WalkerSlide 16 Gaining Access to the Service User decrypts the KRB_TGT_REP message to get session key and a “ticket” for the server User prepares and sends token to server containing “ticket”, other info, encrypted under session key Service decrypts “ticket” using its own authentication key received from KDC and gains access to session key Decrypts rest of request and processes request Service sends reply to user to authenticate

17 doc.: IEEE 802.11-00/292 Submission September 2000 Bob Beach and Jesse WalkerSlide 17 Kerberos as used by GSS-API InitiatorResponderKDC GSS_Init_sec_context KRB_AP_REQ KRB_AP_REP KRB_TGT_REQ KRB_TGT_REP GSS_Accept_sec_context Ticket, Authenticator + Continue GSS_Init_sec_context Authenticator + OK OK

18 doc.: IEEE 802.11-00/292 Submission September 2000 Bob Beach and Jesse WalkerSlide 18 PKINIT + Kerberos InitiatorResponderKDC GSS_Init_sec_context KRB_TGT_REQ KRB_TGT_REP GSS_Accept_sec_context Ticket, Authenticator + Continue GSS_Init_sec_context Authenticator + OK OK

19 doc.: IEEE 802.11-00/292 Submission September 2000 Bob Beach and Jesse WalkerSlide 19 SPKM InitiatorResponder GSS_Init_sec_context GSS_Accept_sec_context SPKM parameters, n + Continue GSS_Init_sec_context Sig, SigCert, CryptCert + Continue GSS_Accept_sec_context Crypt(K) + OK OK

20 doc.: IEEE 802.11-00/292 Submission September 2000 Bob Beach and Jesse WalkerSlide 20 SRP InitiatorResponder GSS_Init_sec_context GSS_Accept_sec_context username, g a + Continue GSS_Init_sec_context g b + x, s, n + Continue database: username, x = g h(s,password), s GSS_Accept_sec_context Hash1(K) + Continue K = g ab x nb K = ((g b + x) - x) (a+nh(s, password) GSS_Init_sec_context Hash2(K) + OK OK

21 doc.: IEEE 802.11-00/292 Submission September 2000 Bob Beach and Jesse WalkerSlide 21 Conclusions GSS-API is –simple, well-defined interface –widely deployed and well-tested Kerberos is –simple to implement –a GSS-API mechanism providing mutual authentication and key distribution –widely deployed and well-tested

22 doc.: IEEE 802.11-00/292 Submission September 2000 Bob Beach and Jesse WalkerSlide 22 Feedback?

Download ppt "Doc.: IEEE 802.11-00/292 Submission September 2000 Bob Beach and Jesse WalkerSlide 1 An Overview of the GSS-API and Kerberos Bob Beach, Symbol Technologies."

Similar presentations

Kerberos Authentication. Kerberos Requires shared secret with KDC ( perhaps not for PKINIT) Shared session key established Time synchronization needed.

Kerberos Authentication. Kerberos Requires shared secret with KDC ( perhaps not for PKINIT) Shared session key established Time synchronization needed.
Doc.: IEEE 802.11-01/039 Submission January 2001 Haverinen/Edney, NokiaSlide 1 Use of GSM SIM Authentication in IEEE802.11 System Submitted to IEEE802.11.

Doc.: IEEE /039 Submission January 2001 Haverinen/Edney, NokiaSlide 1 Use of GSM SIM Authentication in IEEE System Submitted to IEEE
AUTHENTICATION AND KEY DISTRIBUTION

AUTHENTICATION AND KEY DISTRIBUTION
Supervisor :Dr. Lo'ai Ali Tawalbeh Done by: Wa’el Musa Hadi

Supervisor :Dr. Lo'ai Ali Tawalbeh Done by: Wa’el Musa Hadi
CS5204 – Operating Systems 1 A Private Key System KERBEROS.

CS5204 – Operating Systems 1 A Private Key System KERBEROS.
Chapter 10 Real world security protocols

Chapter 10 Real world security protocols
Security Protocols Sathish Vadhiyar Sources / Credits: Kerberos web pages and documents contained / pointed.

Security Protocols Sathish Vadhiyar Sources / Credits: Kerberos web pages and documents contained / pointed.
Windows 2000 Security --Kerberos COSC513 Project Sihua Xu June 13, 2014.

Windows 2000 Security --Kerberos COSC513 Project Sihua Xu June 13, 2014.
SCSC 455 Computer Security

SCSC 455 Computer Security
Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.

Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.
Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.

Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.
Kerberos 1 Public domain image of Heracles and Cerberus. From an Attic bilingual amphora, 530–520 BC. From Italy (?).

Kerberos 1 Public domain image of Heracles and Cerberus. From an Attic bilingual amphora, 530–520 BC. From Italy (?).
Akshat Sharma Samarth Shah

Akshat Sharma Samarth Shah
Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.

Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.
External User Security Model (EUSM) for SNMPv3 draft-kaushik-snmp-external-usm-00.txt November, 2004.

External User Security Model (EUSM) for SNMPv3 draft-kaushik-snmp-external-usm-00.txt November, 2004.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
1 Distributed Computer Security: Authentication and Key Distribution Vijay Jain CSc 8320, Spring 2007.

1 Distributed Computer Security: Authentication and Key Distribution Vijay Jain CSc 8320, Spring 2007.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.

Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.
Chapter 4 Authentication Applications. Objectives: authentication functions developed to support application-level authentication & digital signatures.

Chapter 4 Authentication Applications. Objectives: authentication functions developed to support application-level authentication & digital signatures.

Similar presentations

Ads by Google