Computer Security: Computer Security: Principles and PracticePrinciples and Practice
First EditionFirst Editionby William Stallings and Lawrie Brownby William Stallings and Lawrie Brown
Lecture slides by Lawrie BrownLecture slides by Lawrie Brown
Chapter 22 Chapter 22 –– Internet Authentication Internet Authentication ApplicationsApplications
will consider authentication functionswill consider authentication functionsdeveloped to support applicationdeveloped to support application--level level authentication & digital signaturesauthentication & digital signatureswill consider will consider
Kerberos privateKerberos private--key authentication servicekey authentication serviceX.509 publicX.509 public--key directory authenticationkey directory authenticationpublicpublic--key infrastructure (PKI)key infrastructure (PKI)federated identity managementfederated identity management
Internet Authentication Internet Authentication ApplicationsApplications
KerberosKerberos
trusted key server system from MIT trusted key server system from MIT provides centralised privateprovides centralised private--key thirdkey third--party party authentication in a distributed networkauthentication in a distributed network
allows users access to services distributed allows users access to services distributed through networkthrough networkwithout needing to trust all workstationswithout needing to trust all workstationsrather all trust a central authentication serverrather all trust a central authentication server
two versions in use: 4 & 5two versions in use: 4 & 5
Kerberos OverviewKerberos Overview
a basic thirda basic third--party authentication schemeparty authentication schemehave an Authentication Server (AS) have an Authentication Server (AS)
users initially negotiate with AS to identify self users initially negotiate with AS to identify self AS provides a nonAS provides a non--corruptible authentication corruptible authentication credential (ticket granting ticket TGT) credential (ticket granting ticket TGT)
have a Ticket Granting server (TGS)have a Ticket Granting server (TGS)users subsequently request access to other users subsequently request access to other services from TGS on basis of users TGTservices from TGS on basis of users TGT
Kerberos OverviewKerberos Overview
Kerberos RealmsKerberos Realms
a Kerberos environment consists of:a Kerberos environment consists of:a Kerberos servera Kerberos servera number of clients, all registered with servera number of clients, all registered with serverapplication servers, sharing keys with serverapplication servers, sharing keys with server
this is termed a realmthis is termed a realmtypically a single administrative domaintypically a single administrative domain
if have multiple realms, their Kerberos if have multiple realms, their Kerberos servers must share keys and trust servers must share keys and trust
Kerberos RealmsKerberos Realms
Kerberos Version 5Kerberos Version 5Kerberos v4 is most widely used versionKerberos v4 is most widely used versionalso have v5, developed in mid 1990also have v5, developed in mid 1990’’ss
specified as Internet standard RFC 1510specified as Internet standard RFC 1510provides improvements over v4provides improvements over v4
addresses environmental shortcomingsaddresses environmental shortcomings•• encryption encryption algalg, network protocol, byte order, ticket , network protocol, byte order, ticket
lifetime, authentication forwarding, interlifetime, authentication forwarding, inter--realm authrealm auth
and technical deficienciesand technical deficiencies•• double encryption, nondouble encryption, non--std mode of use, session std mode of use, session
keys, password attackskeys, password attacks
Kerberos Performance IssuesKerberos Performance Issues
see larger clientsee larger client--server installationsserver installationsquery Kerberos performance impact query Kerberos performance impact
very little if system is properly configuredvery little if system is properly configuredsince tickets are reusablesince tickets are reusable
Kerberos security best assured if place its Kerberos security best assured if place its server on a separate, isolated machineserver on a separate, isolated machineadministrative motivation for multi realmsadministrative motivation for multi realms
not a performance issuenot a performance issue
Certificate AuthoritiesCertificate Authorities
certificate consists of:certificate consists of:a public key plus a User ID of the key ownera public key plus a User ID of the key ownersigned by a third party trusted by communitysigned by a third party trusted by communityoften govt./bank often govt./bank certificate authoritycertificate authority (CA)(CA)
users obtain certificates from CAusers obtain certificates from CAcreate keys & unsigned cert, gives to CA, CA create keys & unsigned cert, gives to CA, CA signs cert & attaches sig, returns to usersigns cert & attaches sig, returns to user
other users can verify certother users can verify certchecking sig on cert using CAchecking sig on cert using CA’’s public keys public key
X.509 Authentication Service X.509 Authentication Service
universally accepted standard for universally accepted standard for formatting publicformatting public--key certificateskey certificates
widely used widely used in network security applications, in network security applications, including IPSec, SSL, SET, and S/MIMEincluding IPSec, SSL, SET, and S/MIME
part of CCITT X.500 directory service part of CCITT X.500 directory service standardsstandardsuses publicuses public--key crypto & digital signatures key crypto & digital signatures
algorithms not standardised, but RSA algorithms not standardised, but RSA recommendedrecommended
X.509 CertificatesX.509 Certificates
Public Key InfrastructurePublic Key Infrastructure
PKIX ManagementPKIX Management
functions:functions:registrationregistrationinitializationinitializationcertificationcertificationkey pair recoverykey pair recoverykey pair updatekey pair updaterevocation requestrevocation requestcross certificationcross certification
protocols: CMP, CMCprotocols: CMP, CMC
Federated Identity Federated Identity ManagementManagement
use of common identity management schemeuse of common identity management schemeacross multiple enterprises & numerous applications across multiple enterprises & numerous applications supporting many thousands, even millions of users supporting many thousands, even millions of users
principal elements are:principal elements are:authentication, authorization, accounting, authentication, authorization, accounting, provisioning, workflow automation, delegated provisioning, workflow automation, delegated administration, password synchronization, selfadministration, password synchronization, self--service service password reset, federationpassword reset, federation
Kerberos contains many of these elementsKerberos contains many of these elements
Identity ManagementIdentity Management
Federated Identity ManagementFederated Identity Management
Standards UsedStandards UsedExtensible Markup Language (XML)Extensible Markup Language (XML)
characterizes text elements in a document on characterizes text elements in a document on appearance, function, meaning, or contextappearance, function, meaning, or context
Simple Object Access Protocol (SOAP)Simple Object Access Protocol (SOAP)for invoking code using XML over HTTPfor invoking code using XML over HTTP
WSWS--SecuritySecurityset of SOAP extensions for implementing message set of SOAP extensions for implementing message integrity and confidentiality in Web servicesintegrity and confidentiality in Web services
Security Assertion Markup Language (SAML)Security Assertion Markup Language (SAML)XMLXML--based language for the exchange of security based language for the exchange of security information between online business partnersinformation between online business partners
SummarySummary
reviewed network authentication using:reviewed network authentication using:Kerberos privateKerberos private--key authentication servicekey authentication serviceX.509 publicX.509 public--key directory authenticationkey directory authenticationpublicpublic--key infrastructure (PKI)key infrastructure (PKI)federated identity managementfederated identity management