Chapter 23 Internet Authentication Applications Kerberos Overview Initially developed at MIT Software utility available in both the public domain and.

Slides:



Advertisements
Similar presentations
Supervisor :Dr. Lo'ai Ali Tawalbeh Done by: Wa’el Musa Hadi
Advertisements

Chapter 14 – Authentication Applications
NETWORK SECURITY.
IT 221: Introduction to Information Security Principles Lecture 8:Authentication Applications For Educational Purposes Only Revised: October 20, 2002.
Authentication Applications The Kerberos Protocol Standard
Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
Grid Computing, B. Wilkinson, 20045a.1 Security Continued.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
Grid Security Infrastructure Tutorial Von Welch Distributed Systems Laboratory U. Of Chicago and Argonne National Laboratory.
Network Security Essentials Chapter 4
Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 23: Internet Authentication Applications.
Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.
Chapter 4 Authentication Applications. Objectives: authentication functions developed to support application-level authentication & digital signatures.
Information Security Principles & Applications Topic 4: Message Authentication 虞慧群
Kerberos versions 4 and 5 X.509 Authentication Service
Lecture 23 Internet Authentication Applications
Grid Security. Typical Grid Scenario Users Resources.
Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.
Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.
DESIGNING A PUBLIC KEY INFRASTRUCTURE
Figure 1: SDR / MExE Download Framework SDR Framework Network Server Gateway MExE Download + Verification Using MExE Repository (Java sandbox) MExE Applet.
Chapter 9: Using and Managing Keys Security+ Guide to Network Security Fundamentals Second Edition.
Security Overview Hofstra University University College for Continuing Education - Advanced Java Programming Lecturer: Engin Yalt May 24, 2006.
1 Authentication Applications Digital Signatures Security Concerns X.509 Authentication Service Kerberos Based on slides by Dr. Lawrie Brown of the Australian.
Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.
Henric Johnson1 Chapter 4 Authentication Applications Henric Johnson Blekinge Institute of Technology,Sweden
1 Authentication Applications Based on slides by Dr. Lawrie Brown of the Australian Defence Force Academy, University College, UNSW.
Topic 11: Key Distribution and Agreement 1 Information Security CS 526 Topic 11: Key Distribution & Agreement, Secure Communication.
Digital Signature Xiaoyan Guo/ Xiaohang Luo/
Chapter 10: Authentication Guide to Computer Network Security.
Part Two Network Security Applications Chapter 4 Key Distribution and User Authentication.
SYSTEM ADMINISTRATION Chapter 13 Security Protocols.
Information Security Depart. of Computer Science and Engineering 刘胜利 ( Liu Shengli) Tel:
Cryptography and Network Security Chapter 14 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.
E-Commerce Security Technologies : Theft of credit card numbers Denial of service attacks (System not availability ) Consumer privacy (Confidentiality.
Lecture 23 Internet Authentication Applications modified from slides of Lawrie Brown.
Kerberos: An Authentication Service for Open Network Systems Jennifer G. Steiner Clifford Neuman Jeffrey I. Schiller.
Chapter 9: Using and Managing Keys Security+ Guide to Network Security Fundamentals Second Edition.
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 22 – Internet Authentication.
Certificate-Based Operations. Module Objectives By the end of this module participants will be able to: Define how cryptography is used to secure information.
1 Authentication Applications Behzad Akbari Fall 2010 In the Name of the Most High.
Cryptography and Network Security Chapter 14 Authentication Fourth Edition by William Stallings Lecture slides by Lawrie Brown Changed and extended by.
Module 9: Fundamentals of Securing Network Communication.
Secure Messaging Workshop The Open Group Messaging Forum February 6, 2003.
Authentication 3: On The Internet. 2 Readings URL attacks
Module 4 Network & Application Security: Kerberos – X509 Authentication service – IP security Architecture – Secure socket layer – Electronic mail security.
Fall 2010/Lecture 321 CS 426 (Fall 2010) Key Distribution & Agreement.
Cryptography and Network Security Chapter 14 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.
Network Security Lecture 25 Presented by: Dr. Munam Ali Shah.
Security fundamentals Topic 5 Using a Public Key Infrastructure.
AUTHENTICATION APPLICATIONS - Chapter 14 Kerberos X.509 Directory Authentication (S/MIME)
Creating and Managing Digital Certificates Chapter Eleven.
1 SUBMITTED BY- PATEL KUMAR C.S.E(8 th - sem). SUBMITTED TO- Mr. DESHRAJ AHIRWAR.
X509 Web Authentication From the perspective of security or An Introduction to Certificates.
Pertemuan #8 Key Management Kuliah Pengaman Jaringan.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
Cryptography and Network Security Chapter 14
Public Key Infrastructure (PKI)
Grid Security.
Cryptography and Network Security
CSCE 715: Network Systems Security
Authentication Applications
CSCE 715: Network Systems Security
Cryptography and Network Security Chapter 14
Cryptography and Network Security Chapter 14
Cryptography and Network Security Chapter 14
PKI (Public Key Infrastructure)
Principles and Practice
Cryptography and Network Security Chapter 14
Presentation transcript:

Chapter 23 Internet Authentication Applications

Kerberos Overview Initially developed at MIT Software utility available in both the public domain and in commercially supported versions Issued as an Internet standard and is the defacto standard for remote authentication Overall scheme is that of a trusted third party authentication service Requires that a user prove his or her identity for each service invoked and requires servers to prove their identity to clients

Kerberos Protocol Designed to counter a variety of threats to the security of a client/server dialogue Obvious security risk is impersonation Servers must be able to confirm the identities of clients who request service Involves clients, application servers, and a Kerberos server User initially negotiates with AS for identity verification AS verifies identity and then passes information on to an application server which will then accept service requests from the client Use an Authentication Server (AS) If client sends user’s password to the AS over the network an opponent could observe the password An opponent could impersonate the AS and send a false validation Need to find a way to do this in a secure way

Kerberos Realms A Kerberos environment consists of: o A Kerberos server o A number of clients, all registered with server o A number of application servers, sharing keys with server This is referred to as a realm o Networks of clients and servers under different administrative organizations generally constitute different realms If multiple realms: o Their Kerberos servers must share a secret key and trust the Kerberos server in the other realm to authenticate its users o Participating servers in the second realm must also be willing to trust the Kerberos server in the first realm

Kerberos Versions 4 and 5 Kerberos v4 is most widely used version Improvements found in version 5: o An encrypted message is tagged with an encryption algorithm identifier This enables users to configure Kerberos to use an algorithm other than DES o Supports authentication forwarding Enables a client to access a server and have that server access another server on behalf of the client Supports a method for interrealm authentication that requires fewer secure key exchanges than in version 4

Kerberos Performance Issues Larger client-server installations Very little performance impact in a large- scale environment if the system is properly configured Kerberos security is best assured by placing the Kerberos server on a separate, isolated machine Motivation for multiple realms is administrative, not performance related

Certificate Authority (CA) Certificate consists of: A public key with the identity of the key’s owner Signed by a trusted third party Typically the third party is a CA that is trusted by the user community (such as a government agency, telecommunications company, financial institution, or other trusted peak organization) User can present his or her public key to the authority in a secure manner and obtain a certificate User can then publish the certificate or send it to others Anyone needing this user’s public key can obtain the certificate and verify that it is valid by way of the attached trusted signature

X.509 Specified in RFC 5280 The most widely accepted format for public-key certificates Certificates are used in most network security applications, including: o IP security (IPSEC) o Secure sockets layer (SSL) o Secure electronic transactions (SET) o S/MIME o eBusiness applications

A number of specialized variants also exist, distinguished by particular element values or the presence of certain extensions: Conventional (long-lived) certificates o CA and “end user” certificates o Typically issued for validity periods of months to years Short-lived certificates o Used to provide authentication for applications such as grid computing, while avoiding some of the overheads and limitations of conventional certificates o They have validity periods of hours to days, which limits the period of misuse if compromised o Because they are usually not issued by recognized CA’s there are issues with verifying them outside their issuing organization Proxy certificates o Widely used to provide authentication for applications such as grid computing, while addressing some of the limitations of short-lived certificates o Defined in RFC 3820 o Identified by the presence of the “proxy certificate” extension o They allow an “end user” certificate to sign another certificate o Allow a user to easily create a credential to access resources in some environment, without needing to provide their full certificate and right Attribute certificates o Defined in RFC 5755 o Use a different certificate format to link a user’s identity to a set of attributes that are typically used for authorization and access control o A user may have a number of different attribute certificates, with different set of attributes for different purposes o Defined in an “Attributes” extension

Public-Key Infrastructure (PKI) The set of hardware, software, people, policies, and procedures needed to create, manage, store, distribute, and revoke digital certificates based on asymmetric cryptography Developed to enable secure, convenient, and efficient acquisition of public keys “Trust store” o A list of CA’s and their public keys

Summary X.509 Public Key infrastructure o Public Key infrastructure X.509 (PKIX) Kerberos o The Kerberos Protocol o Kerberos realms and multiple Kerberi o Version 4 and Version 5 o Performance issues