Computer Security: Principles and Practice, 1/e

Computer Security: Principles and Practice, 1/e

Computer Security: Principles and Practice Chapter 23: Internet Authentication Applications EECS710: Information Security Professor Hossein Saiedian Fall 2014 Internet Authentication Applications Internet authentication functions: Developed to support application-level authentication & digital signatures Will consider

RADIUS Kerberos private-key authentication service X.509 public-key directory authentication Public-key infrastructure (PKI) Federated identity management 2 RADIUS Architecture 3 RADIUS Components

Network Access Server 4 RADIUS Architecture 5 Authentication Flow 6 Kerberos Trusted key server system from MIT

Provides centralised private-key thirdparty authentication in a distributed network Allows users access to services distributed through network Without needing to trust all workstations Rather all trust a central authentication server Two versions in use: 4 & 5 7 Kerberos Overview

A basic third-party authentication scheme Have an Authentication Server (AS) Users initially negotiate with AS to identify self AS provides a non-corruptible authentication credential (ticket granting ticket TGT) Have a Ticket Granting server (TGS) Users subsequently request access to other

services from TGS on basis of users TGT 8 Kerberos Overview 9 Kerberos Realms A Kerberos environment consists of:

This is termed a realm A Kerberos server A number of clients, all registered with server Application servers, sharing keys with server Typically a single administrative domain If multiple realms, their Kerberos servers must share keys and trust 10 Kerberos Realms (Service Areas) Kerberos servers in each realm

may share a secret key with the server in other realm; the two Kerberos are registered with each other Server in one realm must trust the Kerberos in the other realm 11 Kerberos Version 5 Kerberos v4 is most widely used version Also have v5, developed in mid 1990s

Specified as Internet standard RFC 1510 Provides improvements over v4 Addresses environmental shortcomings Encryption alg, network protocol, byte order, ticket lifetime, authentication forwarding, inter-realm auth And technical deficiencies Double encryption, non-std mode of use, session keys, password attacks

12 Certificate Authorities Certificate consists of: Users obtain certificates from CA

A public key plus a User ID of the key owner Signed by a third party trusted by community Often govt/bank certificate authority (CA) Create keys & unsigned cert, gives to CA, CA signs cert & attaches sig, returns to user Other users can verify cert Checking sig on cert using CAs public key 14 Common Key Steps User software creates a pair of keys: private and public 2. Clients prepares unsigned certificate that includes user ID and public key

3. User provides unsigned certificate to a CA 4. CA creates a signature: 1. i. ii. 5. Creates a hash code of the unsigned certificate Encrypts the hash code with the CAs private key CA attaches the signature to unsigned certificate to make signed certificate 15 Key Steps (continued)

6. 7. 8. CA returns the signed certificate to the client Client may provide signed signature to other users Any user may verify the certificate I. II. III. Calculate the hash code of certificate (exclude signature) Decrypt signature using CAs public key Compare the two

16 Public Key Certificates See textbook figure p.63 17 X.509 Authentication Service Universally accepted standard for formatting public-key certificates

Widely used in network security applications, including IPSec, SSL, and S/MIME Part of CCITT X.500 directory service standards Uses public-key crypto & digital signatures Algorithms not standardised, but RSA recommended 18 Certificate Variations Conventional

(long-lived) certificates CA and end user certificates Typically issued for validity periods of months to years Short-lived certificates Used to provide authentication for applications such as grid computing, while avoiding some of the overheads and limitations of conventional certificates They have validity periods of hours to days, which limits the period of

misuse if compromised Proxy certificates Also used in applications such as grid computing Allow a user to easily create a credential to access resources in some environment, without needing to provide their full certificate and right

19 X.509 Certificates To revoke before expiration (in case the key has been compromised) 20 PKI X.509 (PKIX) Management Functions:

Registration Certification: process to issue CA Key pair recovery: forgotten passwords, corrupted HDs; restore key pairs from authorized backup Key pair update: update with new keys Revocation request: a users CA advises to revoke Cross certification: two CAs exchange info 21 PKIX Architecture Model Users, servers PKI: HW, SW, people,

policies, and procedures to create, manage, distribute, and revoke DCs based on asymmetric cryptography Certain admin func of CA Issues of CA Issues cert revocation lists 22 Federated Identity Management

use of common identity management scheme principal elements are: across multiple enterprises & numerous applications supporting many thousands, even millions of users authentication, authorization, accounting, provisioning, workflow automation, delegated administration, password synchronization, selfservice password reset, federation

Kerberos contains many of these elements 23 Generic Identity Management Arch Attr other than identity eg, shipping address Identity holder (eg human user) Admin may add other attr such as employee info Entities that obtain and use data maintained Bb identity provider Principals authenticate to identify provider 24

Standards Used Extensible Markup Language (XML) Simple Object Access Protocol (SOAP) for invoking code using XML over HTTP WS-Security

characterizes text elements in a document on appearance, function, meaning, or context set of SOAP extensions for implementing message integrity and confidentiality in Web services Security Assertion Markup Language (SAML) XML-based language for the exchange of security information between online business partners 26 Summary

reviewed network authentication using: Kerberos private-key authentication service X.509 public-key directory authentication public-key infrastructure (PKI) federated identity management 27

Recently Viewed Presentations

  • Reflection of Light - SNC 2P

    Reflection of Light - SNC 2P

    Another example of refraction of light is the twinkling of a star in the night sky As starlight travels from space into the Earth's atmosphere, the rays are refracted. Since the atmosphere is constantly changing, the amount of refraction also...
  • Piramide - CARNetov Portal za škole

    Piramide - CARNetov Portal za škole

    Najveća piramida u Gizi, Keopsova piramida, gledana izdaleka gotovo je identična idealnoj geometrijskoj piramidi kojojsu strane ravneplohe, a bridovidužine.Međutim, gledano izbliza ona je u stvari hrpa pravilnoraspoređenih kamenih blokova.
  • Divergent Evolution in the Ferns - University of Vermont

    Divergent Evolution in the Ferns - University of Vermont

    Divergent Evolution in the Ferns Botany 209 25 March, 2004 Divergent Evolution in the Ferns Botany 209 25 March, 2004 Phylogeny of Isoetes species based on ITS sequence data Kelloff et al. 2002. Differentiation of eastern North American Athyrium filix-femina...
  • Hand-Type Cutting Tools

    Hand-Type Cutting Tools

    Two types Solid blade (all-hard) Hardened throughout and very brittle Flexible blade Teeth hardened, while back of blade soft and flexible Stand more abuse than all-hard blade, but will not last long in general use Used on channel iron, tubing,...
  • Prezentacja programu PowerPoint

    Prezentacja programu PowerPoint

    występują aksopodia - pseudopodia ze szkieletem osiowym Radioloaria - Promienice Heliozoa - Słonecznice PHYLUM (TYP): APICOMPLEXA pasożyty, głównie wewnątrzkomórkowe gruba pellikula, nadająca trwały, zwykle pałeczkowaty kształt ciała w pellikuli mikropory - odżywianie dla wszystkich charakterystyczne jest występowanie ...
  • Folk Literature -

    Folk Literature -

    Folklore Using the activity on page 43, match the type of story with its definition. Your group will be assigned one of the types of folk literature. Your group will receive a book on this type. Read through your book...
  • Cognitive Processes PSY 334

    Cognitive Processes PSY 334

    Problem Representation Finding the solution may depend upon how the problem is represented: Checkerboard problem solution depends on seeing that each domino must cover one white and one black square. Failures of transfer - students do not see that material...
  • Using a Thesaurus - fhsenglishks3

    Using a Thesaurus - fhsenglishks3

    For more information about how the spellings of words change with the addition of suffixes (for example, creating 'driver' by adding '-er' to 'drive' results in the loss of one 'e'), see the Spelling Starters Word Endings.ppt. Boardworks style is...