CPS 290.2 Computer Security Tutorial on Creating Certificates SSH Kerberos CPS 290Page 1.

Slides:



Advertisements
Similar presentations
AUTHENTICATION AND KEY DISTRIBUTION
Advertisements

Overview Network security involves protecting a host (or a group of hosts) connected to a network Many of the same problems as with stand-alone computer.
Chapter 14 – Authentication Applications
SCSC 455 Computer Security
Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.
Key Management. Shared Key Exchange Problem How do Alice and Bob exchange a shared secret? Offline – Doesnt scale Using public key cryptography (possible)
Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.
Kerberos 1 Public domain image of Heracles and Cerberus. From an Attic bilingual amphora, 530–520 BC. From Italy (?).
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.
SSL Implementation Guide Onno W. Purbo
15-853Page 1 CPS 214 Computer Networks and Distributed Systems Cryptography Basics RSA SSL SSH Kerberos.
Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.
Chapter 4 Authentication Applications. Objectives: authentication functions developed to support application-level authentication & digital signatures.
The Kerberos Authentication System Brad Karp UCL Computer Science CS GZ03 / M th November, 2008.
Winter 2006Prof. R. Aviv: Kerberos1 Kerberos Authentication Systems.
AUTHENTICATION APPLICATIONS - Chapter 14 Kerberos X.509 Directory Authentication (S/MIME)
16.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.
 Authorization via symmetric crypto  Key exchange o Using asymmetric crypto o Using symmetric crypto with KDC  KDC shares a key with every participant.
 Public key (asymmetric) cryptography o Modular exponentiation for encryption/decryption  Efficient algorithms for this o Attacker needs to factor large.
ACCESS CONTROL MANAGEMENT Project Progress (as of March 3) By: Poonam Gupta Sowmya Sugumaran.
SMUCSE 5349/73491 Authentication Protocols. SMUCSE 5349/73492 The Premise How do we use perfect cryptographic mechanisms (signatures, public-key and symmetric.
Kerberos Authenticating Over an Insecure Network.
BY MUKTADIUR RAHMAN MAY 06, 2010 INTERODUCTION TO CRYPTOGRAPHY.
Symmetric Key Distribution Protocol with Hybrid Crypto Systems Tony Nguyen.
Topic 11: Key Distribution and Agreement 1 Information Security CS 526 Topic 11: Key Distribution & Agreement, Secure Communication.
SMUCSE 5349/49 Security. SMUCSE 5349/7349 Threats Threats to the security of itself –Loss of confidentiality s are sent in clear over.
SSH Secure Login Connections over the Internet
CSCI 6962: Server-side Design and Programming
Part Two Network Security Applications Chapter 4 Key Distribution and User Authentication.
Networks and Security. Types of Attacks/Security Issues  Malware  Viruses  Worms  Trojan Horse  Rootkit  Phishing  Spyware  Denial of Service.
SYSTEM ADMINISTRATION Chapter 13 Security Protocols.
Authentication and Authorization Authentication is the process of verifying a principal’s identity (but how to define “identity”?) –Who the person is –Or,
Information Security Fundamentals Major Information Security Problems and Solutions Department of Computer Science Southern Illinois University Edwardsville.
Authentication Applications Unit 6. Kerberos In Greek and Roman mythology, is a multi-headed (usually three-headed) dog, or "hellhound” with a serpent's.
Chapter 21 Distributed System Security Copyright © 2008.
Kerberos Named after a mythological three-headed dog that guards the underworld of Hades, Kerberos is a network authentication protocol that was designed.
1 Securing Data and Communication. 2 Module - Securing Data and Communication ♦ Overview Data and communication over public networks like Internet can.
ACCESS CONTROL MANAGEMENT Project Progress (as of March 3) By: Poonam Gupta Sowmya Sugumaran.
Application Services COM211 Communications and Networks CDA College Theodoros Christophides
Authentication 3: On The Internet. 2 Readings URL attacks
Lecture 13 Page 1 Advanced Network Security Authentication and Authorization in Local Networks Advanced Network Security Peter Reiher August, 2014.
Module 4 Network & Application Security: Kerberos – X509 Authentication service – IP security Architecture – Secure socket layer – Electronic mail security.
1 KERBEROS: AN AUTHENTICATION SERVICE FOR OPEN NETWORK SYSTEMS J. G. Steiner, C. Neuman, J. I. Schiller MIT.
X.509 Topics PGP S/MIME Kerberos. Directory Authentication Framework X.509 is part of the ISO X.500 directory standard. used by S/MIME, SSL, IPSec, and.
CPS Computer Security Tutorial on Creating Certificates SSH Kerberos CPS 290Page 1.
Kerberos By Robert Smithers. History of Kerberos Kerberos was created at MIT, and was named after the 3 headed guard dog of Hades in Greek mythology Cerberus.
Topic 14: Secure Communication1 Information Security CS 526 Topic 14: Key Distribution & Agreement, Secure Communication.
Cryptography and Network Security Chapter 14 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.
Network Security Lecture 25 Presented by: Dr. Munam Ali Shah.
1 Kerberos – Private Key System Ahmad Ibrahim. History Cerberus, the hound of Hades, (Kerberos in Greek) Developed at MIT in the mid 1980s Available as.
AUTHENTICATION APPLICATIONS - Chapter 14 Kerberos X.509 Directory Authentication (S/MIME)
Module 2: Introducing Windows 2000 Security. Overview Introducing Security Features in Active Directory Authenticating User Accounts Securing Access to.
© Copyright 2009 SSLPost 01. © Copyright 2009 SSLPost 02 a recipient is sent an encrypted that contains data specific to that recipient the data.
2/19/2016clicktechsolution.com Security. 2/19/2016clicktechsolution.com Threats Threats to the security of itself –Loss of confidentiality.
User Authentication  fundamental security building block basis of access control & user accountability  is the process of verifying an identity claimed.
Cryptography in the Real World Diffie-Hellman Key Exchange RSA Analysis RSA Performance SSH Protocol Page 1.
KERBEROS SYSTEM Kumar Madugula.
1 SUBMITTED BY- PATEL KUMAR C.S.E(8 th - sem). SUBMITTED TO- Mr. DESHRAJ AHIRWAR.
Lesson Introduction ●Authentication protocols ●Key exchange protocols ●Kerberos Security Protocols.
1 Example security systems n Kerberos n Secure shell.
Dr. Nermi hamza.  A user may gain access to a particular workstation and pretend to be another user operating from that workstation.  A user may eavesdrop.
1 Cryptography CSS 329 Lecture 12: Kerberos. 2 Lecture Outline Kerberos - Overview - V4 - V5.
Tutorial on Creating Certificates SSH Kerberos
Tutorial on Creating Certificates SSH Kerberos
SSH: SECURE LOGIN CONNECTIONS OVER THE INTERNET
Computer Security Heartbleed Bug Tutorial on Creating Certificates SSH
Presentation transcript:

CPS Computer Security Tutorial on Creating Certificates SSH Kerberos CPS 290Page 1

Acting as Your own Certificate Authority (CA) 1. a. Create private root key for CA b. Create self-signed root certificate 2. a. Create private intermediate key b. Create intermediate certificate signing request (CSR) c. Sign intermediate certificate 3. a. Create private key for domain b. Create CSR for domain c. Sign certificate for domain using intermediate private key Might do this when setting up secure web sites within a corporate intranet. CPS 290 Page 2

Create Files and Directories CPS 290 Page 3 index.txt stores database of certificates created serial holds serial number of next certificate

Create Configuration File CPS 290 Page 4 Strict policy requires organization names in parent and child certificates to match, e.g., when used in intranet.

Create Root Private Key CPS 290 Page 5 Private key is encrypted using pass phrase as key to AES256 algorithm.

Create Root Certificate CPS 290 Page 6 -x509 indicates self-signed certificate sha256 algorithm used to create message digest (hash) of certificate, which is then (self) signed

Examine the Root Certificate CPS 290 Page 7

CPS 290 Page 8

CPS 290 Page 9

Create Private Intermediate Key CPS 290 Page 10

Create Intermediate CSR CPS 290 Page 11 sha256 digest (hash) of applicant information signed with intermediate private key – can check that it can be decoded with intermediate public key

Sign Intermediate Certificate CPS 290 Page 12

Examine Signed Intermediate Certificate CPS 290 Page 13

CPS 290 Page 14

CPS 290 Page 15

Verify Signed Certificate Using Root Certificate CPS 290 Page 16

Create Private Key for Domain CPS 290 Page 17

Create CSR for Domain CPS 290 Page 18

Sign Certificate for Domain CPS 290 Page 19

CPS 290Page 20 SSH v2 Server has a permanent “host” public-private key pair (RSA or DSA). Public key typically NOT signed by a certificate authority. Client warns if public host key changes. Diffie-Hellman used to exchange session key. –Server selects g and p (group size) and sends to client. –Client and server create DH private keys a and b. Client sends public DH key g a. –Server sends public DH key g b and signs hash of DH shared secret g ab and 12 other values with its private “host” key. –Client verifies signed shared secret using public key. Symmetric encryption using 3DES, Blowfish, AES, or Arcfour begins. User can authenticate by sending password or using public- private key pair. Private key has optional passphrase. If using keys, server sends “challenge” signed with users public key for user to decode with private key.

Why Combine RSA and Diffie-Hellman? Why doesn’t the client just send a symmetric key to the server, encrypted with the server’s public key? Because if the server’s private key is later compromised, previous communications encrypted with the public key can be decrypted, revealing the symmetric key. Then all communications encrypted with the symmetric key can also be decrypted! To prevent this attack, Diffie-Hellman ensures that the symmetric key is never transmitted, even in encrypted form, and the client and server discard the symmetric key after the session is over. SSL/TLS provides this option too: DHE_RSA key exchange CPS 290 Page 21

SSH Applications Secure Shell (SSH): Replacement for insecure telnet, rlogin, rsh, rexec, which sent plaintext passwords over the network! CPS 290 Page 22

SSH Applications Port forwarding ( example): Log in to linux.cs.duke.edu. Forward anything received locally (phoenix) on port 25 to linux.cs.duke.edu on port25. Useful if “phoenix” is not a trusted relayer but “linux” is. “phoenix” program configured to use phoenix as relayer CPS 290 Page 23

CPS 290Page 24 Kerberos A key-serving system based on Private-Keys (DES). Assumptions Built on top of TCP/IP networks Many “clients” (typically users, but perhaps software) Many “servers” (e.g. file servers, compute servers, print servers, …) User machines and servers are potentially insecure without compromising the whole system A kerberos server must be secure.

CPS 290Page 25 Kerberos (kinit) Kerberos Authentication Server Client (C) Service Server (S) Ticket Granting Server (TGS) Request ticket-granting-ticket (TGT) 2. 3.Request server-ticket (ST) 4. 5.Request service

CPS 290Page 26 C = client S = server K = key or session key T = timestamp V = time range TGS = Ticket Granting Service A = Net Address Ticket Granting Ticket: T C,TGS = TGS,{C,A,V,K C,TGS }K TGS Server Ticket: T C,S = S, {C,A,V,K C,S }K S Authenticator: A C,S = {C,T}K C,S 1.Client to Kerberos: C,TGS 2.Kerberos to Client: {K C,TGS }K C, T C,TGS 3.Client to TGS: T C,TGS, S, A C,TGS 4.TGS to Client: {K C,S }K C,TGS, T C,S 5.Client to Server: A C,S, T C,S Kerberos V Message Formats Possibly repeat

CPS 290Page 27 Kerberos Notes All machines have to have synchronized clocks –Must not be able to reuse authenticators Servers should store all previous and valid tickets –Help prevent replays Client keys are typically a one-way hash of the password. Clients do not keep these keys. Kerberos 5 uses CBC mode for encryption Kerberos 4 was insecure because it used a nonstandard mode.

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.