Lecture 13 Page 1 Advanced Network Security Authentication and Authorization in Local Networks Advanced Network Security Peter Reiher August, 2014.


Slide 1: Lecture 13 Page 1 Advanced Network Security
Authentication and Authorization in Local Networks
Peter Reiher, August 2014

Slide 2: Outline
Authorization vs. authentication
Differences between local networks and the general case
Kerberos

Slide 3: Authorization and Authentication
Authentication is determining who someone is
Authorization is determining if someone is allowed to do something
Authorization usually depends on good authentication
  – But authentication isn’t sufficient

Slide 4: LANs and WANs
LANs – local area networks
WANs – wide area networks
What are the differences?
What are the security implications?
  – With regards to authentication and authorization

Slide 5: Local Area Networks
Local area networks are under a single entity’s control
  – Such as a company or university
They have a limited geographical scope
  – A building, a campus, etc.
They usually have a closed user community

Slide 6: Wide Area Networks
The Internet is the biggest example
Very large number of sites
No single entity is in charge
Almost unlimited geographical scope
Broad, maybe totally unrestricted, membership

Slide 7: Security Implications
Smaller is easier than big
One manager is easier than many
Closed is easier than open
Less geography covered is easier than more

Slide 8: Security Implications for Authentication and Authorization
In LANs, you know everyone who uses it
  – Easier to prearrange authentication
You can configure everything to use a common mechanism
You can more readily specify who should be able to do what
  – The vital authorization issue
More confidence in physical security

Slide 9: Kerberos
Provides authentication and authorization for large local networks
  – E.g., a university or corporation
Originally developed at MIT
Uses trusted third parties
  – And symmetric cryptography
  – Extensions use PK
Goal: authenticate parties and provide them access to approved services

Slide 10: The Kerberos Model
Clients and servers sit on the (usually local) network
Clients want to interact securely with servers
  – Using a fresh key for each session
Servers want assurances that clients are authorized
Kerberos handles both concerns
Scalability is an issue

Slide 11: Obtaining Keys and Services Through Kerberos
The client needs to get a key to give to the server and use himself
  – Key will prove authorization, too
Obtained from a ticket-granting server
  – Essentially, a server who hands out keys to talk to other servers
But the ticket-granting server needs authentication of the client
Which is obtained from the Kerberos server

Slide 12: What’s the Point of the Ticket-Granting Server?
Scalability
  – Most requests for keys for servers go to the ticket-granting server
  – There can be lots of them
And issues of trust
  – Different ticket-granting servers can work with different servers and clients
  – So not everyone needs to trust one ticket-granting server

Slide 13: Players in the Kerberos Protocol
The client
The server
The Ticket-Granting Service – someone the server trusts to authenticate the clients
The Kerberos Server – someone everyone trusts

Slide 14: Kerberos Participants
[Diagram: Client, Server, Kerberos, Ticket-Granting Server]

Slide 15: Client Requests a Ticket-Granting Ticket From Kerberos
[Diagram: Client, Server, Kerberos, Ticket-Granting Server; client to Kerberos: “I need to talk to the Ticket-Granting Server”]

Slide 16: Kerberos Sends the Client a Ticket-Granting Ticket
[Diagram: Client, Server, Kerberos, Ticket-Granting Server]

Slide 17: Client Asks TGS for a Server Ticket
[Diagram: Client, Server, Kerberos, Ticket-Granting Server; the Ticket-Granting Server checks ticket validity]

Slide 18: TGS Sends Ticket to Client
[Diagram: Client, Server, Kerberos, Ticket-Granting Server]

Slide 19: Client Requests Service
[Diagram: Client, Server, Kerberos, Ticket-Granting Server; the Server checks the ticket]

Slide 20: Tickets and Authenticators
A Kerberos ticket is used to pass information to a server securely
An authenticator is an additional credential passed along with the ticket
  – Used to pass timestamp information about lifetime of a key

Slide 21: What’s In a Ticket
T_{C,S} = s, {c, a, v, K_{C,S}}_{K_S}
s is the server
c is the client
a is the client’s network address
v is a timestamp
K_{C,S} is a session key
K_S is the server’s key

Slide 22: Kerberos in More Detail: Step 1
[Diagram: Alice (client), Sidney (server), Kerberos, Tracy (Ticket-Granting Server); Alice to Kerberos: “Alice, Tracy”]

Slide 23: Kerberos Sends Client Ticket-Granting Ticket
[Diagram: Kerberos to Alice: {K_{Alice,Tracy}}_{K_Alice}, T_{Alice,Tracy}]
What’s in the ticket?
T_{Alice,Tracy} = Tracy, {Alice, xxx.xxx.xxx.xxx, T_Now, K_{Alice,Tracy}}_{K_Tracy}

Slide 24: So What Has the Client Got?
K_Alice is derived from her password
Which gets a session key allowing her to communicate securely with the TGS
  – K_{Alice,Tracy}
And she has a ticket for the TGS
  – Not directly usable by Alice
  – But the TGS (Tracy) can use it to authenticate Alice

Slide 25: Client Asks TGS for a Server Ticket
[Diagram: Alice to Tracy: {A_{Alice,Tracy}}_{K_{Alice,Tracy}}, T_{Alice,Tracy} (= Tracy, {…}_{K_Tracy}); A_{Alice,Tracy} is an authenticator]

Slide 26: What Has the TGS Got?
It can decrypt the ticket created by the Kerberos server
  – Obtaining K_{Alice,Tracy} and other information
  – Authenticating that the transmission went through the Kerberos server
And it’s got the authenticator

Slide 27: Why the Authenticator?
We want to avoid involving the Kerberos server every time a client needs a ticket
So the ticket-granting ticket will be used multiple times
The authenticator protects against replay attacks involving the multi-use ticket-granting ticket

Slide 28: TGS Sends Ticket to Client
[Diagram: Tracy to Alice: {K_{Alice,Sidney}}_{K_{Alice,Tracy}}, T_{Alice,Sidney}]
What’s in the ticket?
T_{Alice,Sidney} = Sidney, {Alice, xxx.xxx.xxx.xxx, T_Now1, K_{Alice,Sidney}}_{K_Sidney}

Slide 29: Now What Has the Client Got?
She can decrypt the part of the message containing the new session key
  – So she’s ready to communicate
She can’t decrypt the ticket
  – That’s in a key only the server Sidney knows
  – But Sidney can use it

Slide 30: Client Requests Service
[Diagram: Alice to Sidney: {A_{Alice,Sidney}}_{K_{Alice,Sidney}}, T_{Alice,Sidney}; Alice creates a new authenticator to show freshness]

Slide 31: What Does the Server Have?
He can decrypt the ticket from the TGS
  – Since it’s in his key
The ticket contains the session key
  – And authentication information
He can then decrypt the authenticator
  – Which ensures a session isn’t being replayed (by timestamp)
He can then determine authorization

Slide 32: Why Is There Both a Kerberos Server and a TGS?
The TGS handles normal interactions between clients and servers
The Kerberos server bootstraps interactions with the TGS
  – A ticket-granting ticket can be reused with a TGS over some time
Compromise of the TGS has limited effects

Slide 33: Why Is There Both a Ticket and An Authenticator?
The ticket is reusable
  – It has a timespan, typically 8 hours
The authenticator is one-use-only
  – Supposedly
  – And its timestamp must be within the ticket’s timespan
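As an added illustration (not part of the slides) of slides 21 through 33, the Python below models the ticket T_{C,S} = s, {c, a, v, K_{C,S}}_{K_S} and a timestamped authenticator, and shows the checks a server (or the TGS) makes before authorizing: the ticket opens only under its key, the address matches, the ticket is within its 8-hour span, the authenticator's timestamp falls inside that span and close to the server's clock, and the same authenticator is not accepted twice. The cipher is a toy SHA-256/HMAC construction standing in for DES/AES, and the authenticator layout {c, t}, the 5-minute skew window, and all names, keys and addresses are assumptions.

```python
import hashlib, hmac, json, os

# Toy symmetric cipher (SHA-256 keystream + HMAC tag) standing in for Kerberos'
# DES/AES; it is an illustration only, not a secure construction.
def _stream(key, nonce, n):
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(n // 32 + 1))

def seal(key: bytes, obj: dict) -> bytes:
    pt, nonce = json.dumps(obj, sort_keys=True).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("bad tag: wrong key or tampered data")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

TICKET_LIFE = 8 * 3600   # slide 33: a ticket's timespan is typically 8 hours
CLOCK_SKEW = 300         # assumed tolerance for client/server clock drift (seconds)

def issue_ticket(server_keys, c, s, addr, now):
    """KDC or TGS side: returns K_{c,s} for the client and T_{c,s} = s, {c, a, v, K_{c,s}}_{K_s}."""
    k_cs = os.urandom(32)
    ticket = (s, seal(server_keys[s], {"c": c, "a": addr, "v": now, "K": k_cs.hex()}))
    return k_cs, ticket

def make_authenticator(k_cs, c, now):
    """Client side: a fresh authenticator {c, timestamp}_{K_{c,s}} per request (assumed layout)."""
    return seal(k_cs, {"c": c, "t": now})

class Server:
    """A service (or the TGS) that verifies ticket + authenticator before authorizing."""
    def __init__(self, name, key):
        self.name, self.key, self.seen = name, key, set()

    def accept(self, ticket, auth, addr, now):
        s, blob = ticket
        if s != self.name: return False, "ticket is for another server"
        t = unseal(self.key, blob)                      # only K_s opens the ticket
        if t["a"] != addr: return False, "address mismatch"
        if not t["v"] <= now <= t["v"] + TICKET_LIFE: return False, "ticket expired"
        a = unseal(bytes.fromhex(t["K"]), auth)         # session key comes from the ticket
        if a["c"] != t["c"]: return False, "authenticator/ticket client mismatch"
        if a["t"] < t["v"] or abs(a["t"] - now) > CLOCK_SKEW: return False, "stale authenticator"
        if auth in self.seen: return False, "replayed authenticator"   # one-use-only (slide 33)
        self.seen.add(auth)
        return True, t["c"]
```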

Slide 34: Potential Weaknesses in Kerberos
Timestamp-based attacks
Password-guessing attacks
Replacement of Kerberos software
  – The server is probably well protected
  – But are the clients?
  – Not unique to Kerberos

Slide 35: Practicalities of Kerberos
Open source software
Available for Windows, Linux, Macs
Widely used
Still actively supported by MIT
Originally used DES
  – AES supported
  – DES will be removed eventually

