Presentation is loading. Please wait.

Presentation is loading. Please wait.

Overview Network security involves protecting a host (or a group of hosts) connected to a network Many of the same problems as with stand-alone computer.

Published byTreyton Divers Modified over 10 years ago

Similar presentations

Presentation on theme: "Overview Network security involves protecting a host (or a group of hosts) connected to a network Many of the same problems as with stand-alone computer."— Presentation transcript:

1 Overview Network security involves protecting a host (or a group of hosts) connected to a network Many of the same problems as with stand-alone computer systems apply and are more difficult: –User authentication and authorization – determine the identity and privileges of users accessing the system –Access control – limiting what actions are permitted

2 Additional Challenges of Network Security Networking increases message vulnerability to: –Interception –Modification –Destruction –Delay –Reordering –Repetition Networking implies cooperation, sharing, and trust Networking exposes a system to a larger pool of potential attackers and decreases the likelihood of intruders getting caught

3 Authentication and Authorization Issues: –For the Server: Is the Client really who they say they are? Is the request from the Client fresh? Will an eavesdropper be able to read my response? –For the Client: How do I know Im really talking to the Server? Will an eavesdropper be able to read my request?

4 Kerberos - Overview Trusted third-party authentication service for computer networks Developed at the Massachusetts Institute of Technology Based on the client-server architecture Capabilities: –A client program requesting a service can prove the identity of the user on whose behalf it is operating –Clients can also (optionally) ask a server program to authenticate itself –Kerberos can protect the privacy and integrity of messages between clients and servers

5 How Kerberos Works Shares a secret DES key with each user Phase 1: user obtains credentials (from Kerberos) to be used to request access to other services Phase 2: user requests authentication (from Kerberos) for a specific service Phase 3: user presents credentials to a server

6 Kerberos Credentials Tickets –Generated by the Kerberos –Valid until expiration –Used to securely pass the identity of the person to whom the ticket was issued from Kerberos to a server –Contains: Persons identity Information to show that the person using the ticket is the person to whom it was issued Authenticators –Generated by the user –Valid only once –Used to show that the person using the ticket is the person to whom it was issued

7 Kerberos Credentials (cont) Ticket = Encrypt((Server,Client,Addr,Timestamp,Lifetime,K S-C ),K S ) Authenticator = Encrypt((Client,Addr,Timestamp),K S-C ) –Server is the name of the server –Client is the name of the client –Addr is the clients IP address –Timestamp is the time the ticket was generated –Lifetime is the amount of time for which the ticket is valid –K SC is the session key to be shared between the Server and the Client –K S is the DES key shared between the AS and the Server

8 Getting the Initial Ticket User enters username Request for ticket for ticket-granting service (TGS) sent to authentication server (AS) ClientAS Client, TGS

9 Getting the Initial Ticket (cont) AS checks that Client is a valid user Generates a session key, K C-TGS, for the Client and the TGS Generates a ticket, Encrypt((TGS,Client,Addr, Timestamp, Lifetime,K C-TGS,,),K TGS ), for the Client to use for the TGS Sends session key and ticket back to Client (encrypted with Clients key, K C ) ClientAS Encrypt((session key,ticket),K C )

10 Getting the Initial Ticket (cont) User enters password Password is converted to a DES key and used to decrypt the ASs reply Clients machine: –Stores session key and ticket –Erases the users password and DES key from memory

11 Getting a Ticket for a Server Client contacts TGS and requests a ticket for Server: –Name of Server –Clients TGS ticket, Encrypt((TGS,Client,Addr, Timestamp, Lifetime,K C-TGS,,),K TGS ) –Clients authenticator, Encrypt((Client,Addr,Timestamp), K C-TGS ) Clients request is encrypted under its session key with the TGS, K C-TGS ClientTGS Encrypt((Server,ticket,A C ),K C-TGS )

12 Getting a Ticket for a Server (cont) TGS: –Checks the ticket and authenticator –Generates a session key, K C-S, for the Client and the Server –Generates a ticket, Encrypt((Server,Client,Addr, Timestamp, Lifetime,K C-S,,),K S ), for the Client to use for the Server –Sends session key and ticket back to Client (encrypted with session key the Client and TGS share, K C-TGS ) ClientTGS Encrypt((ticket,session key),K C-TGS )

13 Requesting a Service Client: –Builds an authenticator, Encrypt((Client,Addr,Timestamp), K C-S ) –Sends authenticator and ticket, Encrypt((Server,Client,Addr, Timestamp, Lifetime,K C-S,,),K S ), to the Server ClientServer Authenticator, ticket

14 The Servers Response Server: –Decrypts and checks the ticket (learns the session key) –Decrypts and checks the authenticator –Optionally: increments the Timestamp by one and returns it to the Client encrypted with the session key ClientServer Encrypt(Timestamp+1,K C-S )

15 Overview of Kerberos Messages 1.Request for TGS ticket 2.Ticket for TGS 3.Request for Server Ticket 4.Ticket for Server 5.Request for service 6.Server authentication ASServerTGSClient 5 2 6 3 4 1

16 Limitations of Kerberos Applications must be Kerberized Based on: –Client/server model –Synchronized clocks The TGS could be a bottleneck Cross-realm operation doesnt scale well

17 Interaction With Other Sites Using Kerberos Both Site 1 and Site 2 run Kerberos: Can clients at one site use Kerberos to access servers at the other site securely? Site 1Site 2

18 Summary Very difficult in a network environment: –Authentication - determining a users identity –Authorization – determining what actions a user can perform Reasons: –Vulnerability of network communications –May be controlled by several different administrative authorities Solution: –Kerberos - Trusted third-party authentication service for computer networks

Download ppt "Overview Network security involves protecting a host (or a group of hosts) connected to a network Many of the same problems as with stand-alone computer."

Similar presentations

1 Kerberos Anita Jones November, 2006. 2 Kerberos * : Objective Assumed environment Assumed environment –Open distributed environment –Wireless and Ethernetted.

1 Kerberos Anita Jones November, Kerberos * : Objective Assumed environment Assumed environment –Open distributed environment –Wireless and Ethernetted.
AUTHENTICATION AND KEY DISTRIBUTION

AUTHENTICATION AND KEY DISTRIBUTION
Supervisor :Dr. Lo'ai Ali Tawalbeh Done by: Wa’el Musa Hadi

Supervisor :Dr. Lo'ai Ali Tawalbeh Done by: Wa’el Musa Hadi
The Authentication Service ‘Kerberos’ and It’s Limitations

The Authentication Service ‘Kerberos’ and It’s Limitations
CS5204 – Operating Systems 1 A Private Key System KERBEROS.

CS5204 – Operating Systems 1 A Private Key System KERBEROS.
A less formal view of the Kerberos protocol J.-F. Pâris.

A less formal view of the Kerberos protocol J.-F. Pâris.
Chapter 10 Real world security protocols

Chapter 10 Real world security protocols
Security Protocols Sathish Vadhiyar Sources / Credits: Kerberos web pages and documents contained / pointed.

Security Protocols Sathish Vadhiyar Sources / Credits: Kerberos web pages and documents contained / pointed.
KERBEROS LtCdr Samit Mehra (05IT 6018).

KERBEROS LtCdr Samit Mehra (05IT 6018).
KERBEROS A NETWORK AUTHENTICATION PROTOCOL Nick Parker CS372 Computer Networks.

KERBEROS A NETWORK AUTHENTICATION PROTOCOL Nick Parker CS372 Computer Networks.
Chapter 14 – Authentication Applications

Chapter 14 – Authentication Applications
NETWORK SECURITY.

NETWORK SECURITY.
KERBEROS www.unix.org.ua/orelly/networking/puis/ch19_06.htm.

KERBEROS
IT 221: Introduction to Information Security Principles Lecture 8:Authentication Applications For Educational Purposes Only Revised: October 20, 2002.

IT 221: Introduction to Information Security Principles Lecture 8:Authentication Applications For Educational Purposes Only Revised: October 20, 2002.
Authentication Applications The Kerberos Protocol Standard

Authentication Applications The Kerberos Protocol Standard
SCSC 455 Computer Security

SCSC 455 Computer Security
Kerberos Part 2 CNS 4650 Fall 2004 Rev. 2. PARC Once Again Once again XEROX PARC helped develop the basis for wide spread technology Needham-Schroeder.

Kerberos Part 2 CNS 4650 Fall 2004 Rev. 2. PARC Once Again Once again XEROX PARC helped develop the basis for wide spread technology Needham-Schroeder.
Key Management. Shared Key Exchange Problem How do Alice and Bob exchange a shared secret? Offline – Doesnt scale Using public key cryptography (possible)

Key Management. Shared Key Exchange Problem How do Alice and Bob exchange a shared secret? Offline – Doesnt scale Using public key cryptography (possible)
Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.

Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.
Kerberos 1 Public domain image of Heracles and Cerberus. From an Attic bilingual amphora, 530–520 BC. From Italy (?).

Kerberos 1 Public domain image of Heracles and Cerberus. From an Attic bilingual amphora, 530–520 BC. From Italy (?).

Similar presentations

Ads by Google