
IT 221: Introduction to Information Security Principles




  1. IT 221: Introduction to Information Security Principles
     Lecture 8: Authentication Applications
     For Educational Purposes Only
     Revised: October 20, 2002

  2. Lecture Outline
     • Outline:
       • Context and Overview
       • Security Concerns: Problem Statement
       • Security Concerns: Network Threats
       • Kerberos: Background
       • Kerberos: Basics
       • Kerberos: Terms
       • Simple Dialogue: Steps
       • Simple Dialogue: Steps (Cont)
       • Version 4 Dialogue Examples
       • Kerberos: Pictorial
       • Version 4 Problems
       • Version 5 Realms
       • Kerberos in Practice
       • Resources

  3. Context and Overview
     • Context [2]:
       • In today's distributed computing environment, consisting of dedicated user workstations and servers, three approaches to security can be envisioned:
         - (1) Rely on each workstation to assure user identities, and rely on each server to enforce a security policy based on user IDs.
         - (2) Require that client systems authenticate themselves to servers, but trust the client systems concerning the identity of their users.
         - (3) Require the user to prove identity for each service invoked. Also require that servers prove their identity to clients.
     • Issues [2]:
       • In a small, closed environment, in which all systems are owned and operated by one IT group, the first or perhaps the second strategy might suffice.
       • In a more open environment, the third approach is needed to protect user information and resources housed on the server.
       • This lecture focuses on one of the most widely used services supporting this third approach: Kerberos.

  4. Security Concerns: Problem Statement
     • Problem Statement [2]:
       • Assume an open, distributed environment in which users at workstations wish to access services on servers distributed across the network.
       • Servers need to restrict access to authorized users, and to authenticate requests for service.
       • In this environment, a workstation cannot be trusted to identify its users correctly to network services. Specifically, three types of network threats exist:

  5. Security Concerns: Network Threats
     • Network Threats [2]:
       • (1) A user may gain access to a particular workstation and pretend to be another user operating from that workstation.
       • (2) A user may alter the network address of a workstation so that the requests sent from the altered workstation appear to come from the impersonated workstation.
       • (3) A user may eavesdrop on exchanges and use a replay attack to gain entrance to a server or to disrupt operations.
       • In any of these cases, an unauthorized user may be able to gain access to services and/or data that s/he is not authorized to access.

  6. Kerberos: Background
     • Background [2]:
       • (1) Authentication service developed as part of Project Athena at MIT. Overcomes the aforementioned security concerns.
       • (2) Named after Kerberos, the three-headed guard dog of Hades in Greek mythology.
       • (3) Rather than building elaborate authentication protocols into each server (which is exponentially expensive in labor and cost), Kerberos provides a centralized authentication server that functions as a broker between users and servers.

  7. Kerberos: Basics
     • Basics [3]:
       • Provides a centralized authentication server (AS) to authenticate users to servers and servers to users.
       • Relies on conventional encryption, making no use of public-key encryption.
       • Two versions: version 4 and version 5.
       • Version 4 makes use of DES.

  8. Kerberos: Terms
     • Terms [2]:
       • C = Client
       • AS = Authentication server
       • V = Server
       • IDc = identifier of user on C
       • IDv = identifier of V
       • Pc = password of user on C
       • ADc = network address of C
       • Kv = secret encryption key shared by AS and V
       • TS = timestamp
       • || = concatenation

  9. Simple Dialogue: Steps
     • Steps [2]:
       • (1) User logs into the workstation and requests access to Server (V).
       • (2) Client module (C) in the workstation requests the user's password and then sends a message to the Authentication Server (AS) that includes the user's ID, the server's ID, and the user's password.
       • (3) AS checks its database for proper authentication, and whether the user has authorization to access Server (V).
       • (4) If both tests are passed, the AS accepts the user as authentic and must now convince the Server (V) that the user is authentic.
         • (4.1) AS creates a ticket that includes the user's ID and network address and the server's ID. The ticket is encrypted with the secret key shared by AS and V.
         • (4.2) The encrypted ticket is sent back to Client (C).
       • (5) With the newly generated ticket, C can now apply to V for service by sending a message to V containing C's ID and the ticket.

  10. Simple Dialogue: Steps (Cont)
     • Steps [2]:
       • (6) With the ticket, C can now apply to V for service by sending a message to V containing C's ID and the ticket.
         • (6.1) V decrypts the ticket and verifies that the user ID in the ticket is the same as the unencrypted user ID in the message.
         • (6.2) If the two match, the server considers the user authentic and grants the requested service.
       • (7) Simply stated:
         • (6.1) C → AS: IDc || Pc || IDv
         • (6.2) AS → C: Ticket
         • (6.3) C → V: IDc || Ticket

  11. Version 4 Dialogue Examples
     • Authentication Service Exchange: to obtain a Ticket-Granting Ticket [3]
       • (1) C → AS: IDc || IDtgs || TS1
       • (2) AS → C: EKc[Kc,tgs || IDtgs || TS2 || Lifetime2 || Tickettgs]
     • Ticket-Granting Service Exchange: to obtain a Service-Granting Ticket [3]
       • (3) C → TGS: IDv || Tickettgs || Authenticatorc
       • (4) TGS → C: EKc,tgs[Kc,v || IDv || TS4 || Ticketv]
     • Client/Server Authentication Exchange: to obtain service
       • (5) C → V: Ticketv || Authenticatorc
       • (6) V → C: EKc,v[TS5 + 1]

  12. Kerberos: Pictorial (diagram slide; the image is not included in the transcript)

  13. Version 4 Problems
     • Problems [3]:
       • Lifetime associated with the ticket-granting ticket:
         • If too short → the user is repeatedly asked for the password
         • If too long → greater opportunity for replay
       • The threat is that an opponent will steal the ticket and use it before it expires.
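The following script is an added example, not code from the lecture or from the references it cites. It walks the six-message Version 4 dialogue of slides 9 to 11 between a client, a combined AS/TGS and an application server, and then exercises the two concerns of slide 13: an opponent resending a captured Ticketv || Authenticatorc, and the same ticket presented after its lifetime has elapsed. Everything not on the slides is an assumption made for the demonstration: the cipher (a SHAKE-256 keystream with an HMAC tag standing in for DES), deriving Kc from the password with SHA-256, the Lifetime4 field inside Ticketv, the 60-second lifetime and 5-second clock-skew window, the field name "TS5+1", the replay cache kept by V, and the user, server and address names. It runs offline and is not wire-compatible with Kerberos.

```python
"""Toy run of the Kerberos v4 dialogue (slides 9-11) and the ticket lifetime /
replay problem (slide 13); the cipher is a stand-in for DES, not real Kerberos."""
import hashlib, hmac, json, os

LIFETIME = 60     # ticket lifetime in seconds (constructed value)
CLOCK_SKEW = 5    # max |now - TS| accepted for an authenticator (assumption)

class KerberosError(Exception):
    pass

# E_K[...]: toy authenticated encryption (SHAKE-256 keystream + HMAC tag), an assumption
def enc(key, fields):
    pt, nonce = json.dumps(fields).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, hashlib.shake_256(key + nonce).digest(len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def dec(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise KerberosError("does not decrypt under this key")
    return json.loads(bytes(a ^ b for a, b in zip(ct, hashlib.shake_256(key + nonce).digest(len(ct)))))

def authenticator(k_sess, id_c, ad_c, now):      # Authenticator_c = E_Ksess[IDc || ADc || TS]
    return enc(k_sess, {"IDc": id_c, "ADc": ad_c, "TS": now})

def verify(k_ticket, ticket_hex, auth, now, ad_c, sess, ts, life):
    """Check made by the TGS on Ticket_tgs and by V on Ticket_v."""
    t = dec(k_ticket, bytes.fromhex(ticket_hex))
    if now > t[ts] + t[life]:
        raise KerberosError("ticket expired")
    k = bytes.fromhex(t[sess])
    a = dec(k, auth)                 # only the ticket's rightful holder knows the session key
    if a["IDc"] != t["IDc"] or not (a["ADc"] == t["ADc"] == ad_c):
        raise KerberosError("authenticator does not match ticket")
    if abs(now - a["TS"]) > CLOCK_SKEW:
        raise KerberosError("authenticator timestamp outside skew window")
    return t, k, a

class KDC:                           # AS and TGS together; holds every Kc and Kv
    def __init__(self, users, servers):
        self.users, self.servers, self.k_tgs = users, servers, os.urandom(32)

    def as_exchange(self, id_c, id_tgs, now, ad_c):            # messages (1)/(2)
        k = os.urandom(32).hex()                                 # Kc,tgs
        t = enc(self.k_tgs, {"Kc,tgs": k, "IDc": id_c, "ADc": ad_c, "IDtgs": id_tgs,
                             "TS2": now, "Lifetime2": LIFETIME})
        return enc(self.users[id_c], {"Kc,tgs": k, "IDtgs": id_tgs, "TS2": now,
                                      "Lifetime2": LIFETIME, "Tickettgs": t.hex()})

    def tgs_exchange(self, id_v, ticket_tgs, auth, now, ad_c):  # messages (3)/(4)
        t, k_c_tgs, _ = verify(self.k_tgs, ticket_tgs, auth, now, ad_c,
                               "Kc,tgs", "TS2", "Lifetime2")
        k = os.urandom(32).hex()                                 # Kc,v
        tv = enc(self.servers[id_v], {"Kc,v": k, "IDc": t["IDc"], "ADc": t["ADc"],
                                      "IDv": id_v, "TS4": now, "Lifetime4": LIFETIME})
        return enc(k_c_tgs, {"Kc,v": k, "IDv": id_v, "TS4": now, "Ticketv": tv.hex()})

class Server:                        # application server V
    def __init__(self, k_v):
        self.k_v, self.seen = k_v, set()                         # seen = replay cache

    def serve(self, ticket_v, auth, now, ad_c):                  # messages (5)/(6)
        _, k_cv, a = verify(self.k_v, ticket_v, auth, now, ad_c, "Kc,v", "TS4", "Lifetime4")
        if (a["IDc"], a["TS"]) in self.seen:
            raise KerberosError("replayed authenticator")
        self.seen.add((a["IDc"], a["TS"]))
        return enc(k_cv, {"TS5+1": a["TS"] + 1})                 # shows V could read the ticket

def client_run(kdc, server, id_c, pc, ad_c, id_v, now):
    """Client C: messages (1)-(6). Returns (service granted?, Kc,v, Ticket_v, Authenticator_c)."""
    k_c = hashlib.sha256(pc.encode()).digest()                   # Kc from Pc (assumption)
    m2 = dec(k_c, kdc.as_exchange(id_c, "tgs", now, ad_c))      # a wrong Pc fails right here
    k_c_tgs = bytes.fromhex(m2["Kc,tgs"])
    m4 = dec(k_c_tgs, kdc.tgs_exchange(id_v, m2["Tickettgs"],
                                       authenticator(k_c_tgs, id_c, ad_c, now), now, ad_c))
    k_cv, ticket_v = bytes.fromhex(m4["Kc,v"]), m4["Ticketv"]
    a5 = authenticator(k_cv, id_c, ad_c, now)
    m6 = dec(k_cv, server.serve(ticket_v, a5, now, ad_c))
    return m6["TS5+1"] == now + 1, k_cv, ticket_v, a5

def outcome(step):                   # run one step; 'accepted' or the reason it was refused
    try:
        step()
        return "accepted"
    except KerberosError as e:
        return str(e)

def demo(now=1_000_000):
    """Constructed scenario: one user, one server, then a replay and an expired ticket."""
    k_v = os.urandom(32)
    kdc = KDC({"alice": hashlib.sha256(b"correct horse").digest()}, {"fileserver": k_v})
    v = Server(k_v)
    ok, k_cv, ticket_v, a5 = client_run(kdc, v, "alice", "correct horse", "10.0.0.7", "fileserver", now)
    later = now + LIFETIME + 1
    return {"service_ok": ok,
            # an opponent resends the captured Ticket_v || Authenticator_c one second later
            "replay": outcome(lambda: v.serve(ticket_v, a5, now + 1, "10.0.0.7")),
            # the ticket itself stays valid only until Lifetime4 has elapsed
            "expired": outcome(lambda: v.serve(ticket_v, authenticator(k_cv, "alice", "10.0.0.7", later),
                                               later, "10.0.0.7")),
            # a wrong password means message (2) cannot be decrypted
            "bad_password": outcome(lambda: client_run(kdc, v, "alice", "wrong", "10.0.0.7", "fileserver", now))}

if __name__ == "__main__":
    print(demo())
```

Two design points worth noticing when reading the output of `demo()`. First, the replay is caught by V's cache of recently seen (IDc, TS) pairs rather than by the ticket lifetime, and the cache only has to remember authenticators for the skew window, because anything older is rejected by the timestamp check anyway. Second, the lifetime check happens before the authenticator is even opened, which is the trade-off slide 13 describes: a short lifetime limits how long a stolen ticket is useful, while a long one spares the user from re-entering the password.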

  14. Version 5 Realms
     • Realms [2]:
       • (1) A full-service Kerberos environment consists of a Kerberos server, a number of clients, and a number of application servers.
       • (2) User IDs and hashed passwords are stored at each Kerberos server.
       • (3) Authenticated users can access services across realms.

  15. Kerberos in Practice
     • In Practice [3]:
       • Currently, two Kerberos versions:
         - V4: restricted to a single realm
         - V5: allows inter-realm authentication and is an Internet standard
     • To use Kerberos [3]:
       • Need to have a KDC on your network
       • Need to have Kerberized apps running on all participating systems
       • Major problem: US export restrictions. Cannot be directly distributed outside the US in source format (and binary versions must obscure cryptographic routine entry points and have no encryption).

  16. Resources
     • [1] Pfleeger, Charles. Security in Computing. Prentice Hall, 1997. Chapter 6.
     • [2] Stallings, William. Cryptography and Network Security. Prentice Hall, 1999. Chapter 11.
     • [3] Johnson, Hedric. "Authentication Applications". Blekinge Institute of Technology, Sweden. Lecture based on Stallings, William. Cryptography and Network Security. Prentice Hall, 1999. Chapter 11.
