Copyright © 1995-2003 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE CSci530: Computer Security Systems Authentication.

Slides:

Advertisements

Similar presentations

Overview Network security involves protecting a host (or a group of hosts) connected to a network Many of the same problems as with stand-alone computer.

Advertisements

Security Protocols Sathish Vadhiyar Sources / Credits: Kerberos web pages and documents contained / pointed.

Chapter 14 – Authentication Applications

Key Management. Shared Key Exchange Problem How do Alice and Bob exchange a shared secret? Offline – Doesnt scale Using public key cryptography (possible)

Akshat Sharma Samarth Shah

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Grid Computing, B. Wilkinson, 20045a.1 Security Continued.

1 Lecture 17: SSL/TLS history, architecture basic handshake session initiation/resumption key computation negotiating cipher suites application: SET.

Topic 8: Secure communication in mobile devices. Choice of secure communication protocols, leveraging SSL for remote authentication and using HTTPS for.

Web Security CS-431. HTTP Authentication Protect web content from those who don’t have a “need to know” Require users to authenticate using a userid/password.

Lecture 23 Internet Authentication Applications

Grid Security. Typical Grid Scenario Users Resources.

Security Issues in Grid Computing Reading: Grid Book, Chapter 16: “Security, Accounting and Assurance” By Clifford Neuman.

Mar 12, 2002Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities SSL/TLS.

 Authorization via symmetric crypto  Key exchange o Using asymmetric crypto o Using symmetric crypto with KDC  KDC shares a key with every participant.

 Key exchange o Kerberos o Digital certificates  Certificate authority structure o PGP, hierarchical model  Recovery from exposed keys o Revocation.

Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.

Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE CS582: Distributed Systems Lecture 10, 11 –

Online Security Tuesday April 8, 2003 Maxence Crossley.

Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE USC CSci530 Computer Security Systems Lecture.

Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE CSci530: Computer Security Systems Authorization.

Copyright © B. C. Neuman, - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Fall Security Systems Lecture notes Dr.

Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE USC CSci530 Computer Security Systems Lecture.

SSH : The Secure Shell By Rachana Maheswari CS265 Spring 2003.

Use of Kerberos-Issued Certificates at Fermilab Kerberos  PKI Translation Matt Crawford & Dane Skow Fermilab.

Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE USC CSci530 Computer Security Systems Lecture.

Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE USC CSci530 Computer Security Systems Lecture.

Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE USC CSci530 Computer Security Systems Lecture.

Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE CSci530: Computer Security Systems Authentication.

Access Control in IIS 6.0 Windows 2003 Server Prepared by- Shamima Rahman School of Science and Computer Engineering University of Houston - Clear Lake.

1 Authentication Protocols Celia Li Computer Science and Engineering York University.

SMUCSE 5349/49 Security. SMUCSE 5349/7349 Threats Threats to the security of itself –Loss of confidentiality s are sent in clear over.

SYSTEM ADMINISTRATION Chapter 13 Security Protocols.

MCSE Guide to Microsoft Exchange Server 2003 Administration Chapter Four Configuring Outlook and Outlook Web Access.

Secure Socket Layer (SSL)

Csci5233 Computer Security1 Bishop: Chapter 14 Representing Identity.

Kerberos: An Authentication Service for Open Network Systems Jennifer G. Steiner Clifford Neuman Jeffrey I. Schiller.

Unit 1: Protection and Security for Grid Computing Part 2

Chapter 23 Internet Authentication Applications Kerberos Overview Initially developed at MIT Software utility available in both the public domain and.

Single Sign-on with Kerberos 1 Chris Eberle Ryan Thomas RC Johnson Kim-Lan Tran CS-591 Fall 2008.

Module 9: Fundamentals of Securing Network Communication.

1 Securing Data and Communication. 2 Module - Securing Data and Communication ♦ Overview Data and communication over public networks like Internet can.

1 Security Protocols in the Internet Source: Chapter 31 Data Communications & Networking Forouzan Third Edition.

Application Services COM211 Communications and Networks CDA College Theodoros Christophides

CS 4244: Internet Programming Security 1.0. Introduction Client identification and cookies Basic Authentication Digest Authentication Secure HTTP.

X.509 Topics PGP S/MIME Kerberos. Directory Authentication Framework X.509 is part of the ISO X.500 directory standard. used by S/MIME, SSL, IPSec, and.

CPS Computer Security Tutorial on Creating Certificates SSH Kerberos CPS 290Page 1.

Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Advanced Operating Systems Lecture notes Dr.

1 Securing Network Services. 2 How TCP Works Set up connection between port on source host to port on destination host Each connection consists of sequence.

Module 2: Introducing Windows 2000 Security. Overview Introducing Security Features in Active Directory Authenticating User Accounts Securing Access to.

CPS Computer Security Tutorial on Creating Certificates SSH Kerberos CPS 290Page 1.

Active Directory. Computers in organizations Computers are linked together for communication and sharing of resources There is always a need to administer.

2/19/2016clicktechsolution.com Security. 2/19/2016clicktechsolution.com Threats Threats to the security of itself –Loss of confidentiality.

Secure Socket Layer SSL and TLS. SSL Protocol Peer negotiation for algorithm support Public key encryptionPublic key encryption -based key exchange and.

Csci5233 Computer Security1 Bishop: Chapter 14 Representing Identity.

SSH. 2 SSH – Secure Shell SSH is a cryptographic protocol – Implemented in software originally for remote login applications – One most popular software.

1 Example security systems n Kerberos n Secure shell.

Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE CSci530: Computer Security Systems Lecture 6.

Web Security CS-431.

Tutorial on Creating Certificates SSH Kerberos

Radius, LDAP, Radius used in Authenticating Users

Web Services Security.

Tutorial on Creating Certificates SSH Kerberos

Using SSL – Secure Socket Layer

Computer Security Distributed System Security

Chapter 7 Network Applications

MESSAGE ACCESS AGENT: POP AND IMAP

Presentation transcript:

Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE CSci530: Computer Security Systems Authentication (continued) 8 October 2003 Dr. Clifford Neuman University of Southern California Information Sciences Institute

Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Public Key Cryptography (revisited) Key Distribution –Confidentiality not needed for public key –Solves n 2 problem Performance –Slower than conventional cryptography –Implementations use for key distribution, then use conventional crypto for data encryption Trusted third party still needed –To certify public key –To manage revocation –In some cases, third party may be off-line

Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Certificate-Based Authentication Certification authorities issue signed certificates –Banks, companies, & organizations like Verisign act as CA’s –Certificates bind a public key to the name of a user –Public key of CA certified by higher-level CA’s –Root CA public keys configured in browsers & other software –Certificates provide key distribution

Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Certificate-Based Authentication (2) Authentication steps –Verifier provides nonce, or a timestamp is used instead. –Principal selects session key and sends it to verifier with nonce, encrypted with principal’s private key and verifier’s public key, and possibly with principal’s certificate –Verifier checks signature on nonce, and validates certificate.

Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Secure Sockets Layer (and TLS) Encryption support provided between Browser and web server - below HTTP layer Client checks server certificate Works as long as client starts with the correct URL Key distribution supported through cert steps Authentication provided by verify steps C S Attacker Hello Hello + Cert S {PMKey}K s [Cert C + Verify C ] Verify S

Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Trust models for certification X.509 Hierarchical –Single root (original plan) –Multi-root (better accepted) –SET has banks as CA’s and common SET root PGP Model –“Friends and Family approach” - S. Kent Other representations for certifications No certificates at all –Out of band key distribution –SSH

Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Global Authentication Service Pair-wise trust in hierarchy –Name is derived from path followed –Shortcuts allowed, but changes name –Exposure of path is important for security Compared to Kerberos –Transited field in Kerberos - doesn’t change name Compared with X.509 –X.509 has single path from root –X.509 is for public key systems Compared with PGP –PGP evaluates path at end, but may have name conflicts

Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Proxies A proxy allows a second principal to operate with the rights and privileges of the principal that issued the proxy –Existing authentication credentials –Too much privilege and too easily propagated Restricted Proxies –By placing conditions on the use of proxies, they form the basis of a flexible authorization mechanism

Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Restricted Proxies Two Kinds of proxies –Proxy key needed to exercise bearer proxy –Restrictions limit use of a delegate proxy Restrictions limit authorized operations –Individual objects –Additional conditions + Proxy Conditions: Use between 9AM and 5PM Grantee is user X, Netmask is x.x, must be able to read this fine print, can you PROXY CERTIFICATE Grantor

Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Generic Security Services API Standard interface for choosing among authentication methods Once an application uses GSS-API, it can be changed to use a different authentication method easily. Calls Acquire and release cred Manage security context Init, accept, and process tokens Wrap and unwrap

Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Authentication in Applications Unix login Telnet RSH SSH HTTP (Web browsing) FTP Windows login SMTP ( ) NFS Network Access

Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Unix Login (review) One way encryption of password Salted as defense against pre-computed dictionary attacks To validate, encrypt and compare with stored encrypted password May use shadow password file

Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Telnet A remote login application Normally just an unencrypted channel over which plaintext password is sent. Supports encryption option and authentication options using protocols like Kerberos.

Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE RSH (Remote Shell/Remote Login) Usually IP address and asserted account name. Privileged port means accept asserted identity. If not trusted, request unix password in clear. Kerberos based options available Kerberos based authentication and optional encryption

Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Secure Shell (SSH) Encrypted channel with Unix login Establish encrypted channel, using public key presented by server Send password of user over channel Unix login to validate password. Public key stored on target machine User generate Public Private key pair, and uploads the public key to directory on target host. Target host validates that corresponding private key is known.

Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Web Browsing (HTTP) Connect in the clear, Unix Password Connect through SSL, Unix password Digest authentication (RFC 2617) Server sends nonce Responds is MD5 checksum of Username, password, nonce URI User certificate, strong authentication

Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE File Transfer Protocol Password based authentication or GSS-API based authentication Including use of Kerberos Authentication occurs and then stream is encrypted

Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Windows Network Login In Win2K and later uses Kerberos In Win NT Challenge response Server generates 8 byte nonce Prompts for password and hashes it Uses hash to DES encrypt nonce 3 times

Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE SMTP – To send mail Usually network address based Can use password Can be SSL protected SMTP after POP

Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Post Office Protocol Plaintext Password Can be SSL protected Eudora supports Kerberos authent IMAP Password authentication Can also support Kerberos

Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE File System Authentication Sun’s Network File System Typically address based Athena Kerberized version Maps authenticated UID’s to addresses NFS bult on ONC RPC ONC RPC has stronger Kerberos/GSSAPI support

Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE File System Authentication Andrew File System Based on Andrew RPC Uses Kerberos authentication OSF’s DCE File System (DFS) Based on DCE RPC Uses Kerberos authenciation

Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Network Access Servers Radius Problem: Not connected to network until connection established Need for indirect authentication Network access server must validate login with radius server. Password sent to radius server encrypted using key between agent and radius server

Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Delegated Authentication Usually an authorization problem How to allow an intermediary to perform operations on your behalf. Pass credentials needed to authenticate yourself Apply restrictions on what they may be used for.