Computer Security: Computer Security: Principles and Practice Principles and Practice Chapter 22 – – Internet Authentication Internet Authentication Chapter 22 Applications Applications First Edition First Edition by William Stallings and Lawrie Brown by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Lecture slides by Lawrie Brown
Internet Authentication Internet Authentication Applications Applications � will consider authentication functions will consider authentication functions � � developed to support application developed to support application- -level level � authentication & digital signatures authentication & digital signatures � will consider will consider � � Kerberos private Kerberos private- -key authentication service key authentication service � � X.509 public X.509 public- -key directory authentication key directory authentication � � public public- -key infrastructure (PKI) key infrastructure (PKI) � � federated identity management federated identity management �
Kerberos Kerberos � trusted key server system from MIT trusted key server system from MIT � � provides centralised private provides centralised private- -key third key third- -party party � authentication in a distributed network authentication in a distributed network � allows users access to services distributed allows users access to services distributed � through network through network � without needing to trust all workstations without needing to trust all workstations � � rather all trust a central authentication server rather all trust a central authentication server � � two versions in use: 4 & 5 two versions in use: 4 & 5 �
Kerberos Overview Kerberos Overview � a basic third a basic third- -party authentication scheme party authentication scheme � � have an Authentication Server (AS) have an Authentication Server (AS) � � users initially negotiate with AS to identify self users initially negotiate with AS to identify self � � AS provides a non AS provides a non- -corruptible authentication corruptible authentication � credential (ticket granting ticket TGT) credential (ticket granting ticket TGT) � have a Ticket Granting server (TGS) have a Ticket Granting server (TGS) � � users subsequently request access to other users subsequently request access to other � services from TGS on basis of users TGT services from TGS on basis of users TGT
Kerberos Overview Kerberos Overview
Kerberos Realms Kerberos Realms � a Kerberos environment consists of: a Kerberos environment consists of: � � a Kerberos server a Kerberos server � � a number of clients, all registered with server a number of clients, all registered with server � � application servers, sharing keys with server application servers, sharing keys with server � � this is termed a realm this is termed a realm � � typically a single administrative domain typically a single administrative domain � � if have multiple realms, their Kerberos if have multiple realms, their Kerberos � servers must share keys and trust servers must share keys and trust
Kerberos Realms Kerberos Realms
Kerberos Version 5 Kerberos Version 5 � Kerberos v4 is most widely used version Kerberos v4 is most widely used version � � also have v5, developed in mid 1990 also have v5, developed in mid 1990’ ’s s � � specified as Internet standard RFC 1510 specified as Internet standard RFC 1510 � � provides improvements over v4 provides improvements over v4 � � addresses environmental shortcomings addresses environmental shortcomings � • encryption encryption alg alg, network protocol, byte order, ticket , network protocol, byte order, ticket • lifetime, authentication forwarding, inter- -realm auth realm auth lifetime, authentication forwarding, inter � and technical deficiencies and technical deficiencies � • double encryption, non double encryption, non- -std mode of use, session std mode of use, session • keys, password attacks keys, password attacks
Kerberos Performance Issues Kerberos Performance Issues � see larger client see larger client- -server installations server installations � � query Kerberos performance impact query Kerberos performance impact � � very little if system is properly configured very little if system is properly configured � � since tickets are reusable since tickets are reusable � � Kerberos security best assured if place its Kerberos security best assured if place its � server on a separate, isolated machine server on a separate, isolated machine � administrative motivation for multi realms administrative motivation for multi realms � � not a performance issue not a performance issue �
Certificate Authorities Certificate Authorities � certificate consists of: certificate consists of: � � a public key plus a User ID of the key owner a public key plus a User ID of the key owner � � signed by a third party trusted by community signed by a third party trusted by community � � often govt./bank often govt./bank certificate authority certificate authority (CA) (CA) � � users obtain certificates from CA users obtain certificates from CA � � create keys & unsigned cert, gives to CA, CA create keys & unsigned cert, gives to CA, CA � signs cert & attaches sig, returns to user signs cert & attaches sig, returns to user � other users can verify cert other users can verify cert � � checking sig on cert using CA checking sig on cert using CA’ ’s public key s public key �
X.509 Authentication Service X.509 Authentication Service � universally accepted standard for universally accepted standard for � formatting public- -key certificates key certificates formatting public � widely used widely used in network security applications, in network security applications, � including IPSec, SSL, SET, and S/MIME including IPSec, SSL, SET, and S/MIME � part of CCITT X.500 directory service part of CCITT X.500 directory service � standards standards � uses public uses public- -key crypto & digital signatures key crypto & digital signatures � � algorithms not standardised, but RSA algorithms not standardised, but RSA � recommended recommended
X.509 Certificates X.509 Certificates
Public Key Infrastructure Public Key Infrastructure
PKIX Management PKIX Management � functions: functions: � � registration registration � � initialization initialization � � certification certification � � key pair recovery key pair recovery � � key pair update key pair update � � revocation request revocation request � � cross certification cross certification � � protocols: CMP, CMC protocols: CMP, CMC �
Federated Identity Federated Identity Management Management � use of common identity management scheme use of common identity management scheme � � across multiple enterprises & numerous applications across multiple enterprises & numerous applications � � supporting many thousands, even millions of users supporting many thousands, even millions of users � � principal elements are: principal elements are: � � authentication, authorization, accounting, authentication, authorization, accounting, � provisioning, workflow automation, delegated provisioning, workflow automation, delegated administration, password synchronization, self- -service service administration, password synchronization, self password reset, federation password reset, federation � Kerberos contains many of these elements Kerberos contains many of these elements �
Identity Management Identity Management
Federated Identity Management Federated Identity Management
Standards Used Standards Used � Extensible Markup Language (XML) Extensible Markup Language (XML) � � characterizes text elements in a document on characterizes text elements in a document on � appearance, function, meaning, or context appearance, function, meaning, or context � Simple Object Access Protocol (SOAP) Simple Object Access Protocol (SOAP) � � for invoking code using XML over HTTP for invoking code using XML over HTTP � � WS WS- -Security Security � � set of SOAP extensions for implementing message set of SOAP extensions for implementing message � integrity and confidentiality in Web services integrity and confidentiality in Web services � Security Assertion Markup Language (SAML) Security Assertion Markup Language (SAML) � � XML XML- -based language for the exchange of security based language for the exchange of security � information between online business partners information between online business partners
Summary Summary � reviewed network authentication using: reviewed network authentication using: � � Kerberos private Kerberos private- -key authentication service key authentication service � � X.509 public X.509 public- -key directory authentication key directory authentication � � public public- -key infrastructure (PKI) key infrastructure (PKI) � � federated identity management federated identity management �
Recommend
More recommend