Internet Authentication Application
Chapter 23: Internet Authentication Applications
Internet Authentication Applications
• Internet authentication functions: Developed to support
network-based authentication & digital signatures
• Will consider
– Kerberos: secure networked servers and hosts
– X.509 public-key directory authentication
– Public-key infrastructure (PKI)
Kerberos Overview
• Initially developed at MIT
• Software utility available in both the public domain and in
commercially supported versions
• Issued as an Internet standard and is the de facto standard for
remote authentication
• Provides centralised private-key third-party authentication
in a distributed network
– Requires that a user prove his or her identity for each service
invoked
– Requires servers to prove their identity to clients
• https://web.mit.edu/kerberos/
Kerberos Protocol
• Involves clients, application servers, and a Kerberos server
• Designed to counter a variety of threats to the security of a client/server
dialogue
• Obvious security risk is impersonation
• Servers must be able to confirm the identities of clients who request
service
• If multiple realms:
– Their Kerberos servers must share a secret key and trust the
Kerberos server in the other realm to authenticate its users
– Participating servers in the second realm must also be willing to
trust the Kerberos server in the first realm
Kerberos Realms (Service Areas)
The Kerberos server in each realm may share a secret key with the
server in the other realm; the two Kerberos servers are registered
with each other
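The multi-realm trust described above, as an added example that is not part of the original slides: a toy Python model in which two Kerberos servers register a shared secret, the home realm vouches for its user, and the application server decides whether to trust the foreign realm. Assumptions: tickets are HMAC-sealed JSON rather than encrypted as in real Kerberos, the user has already authenticated to the home realm, and all class, function and realm names are hypothetical.

```python
import hashlib, hmac, json, os

def seal(key, body):
    """Toy ticket: JSON body + HMAC-SHA256 tag. Real Kerberos encrypts tickets."""
    raw = json.dumps(body, sort_keys=True).encode()
    return hmac.new(key, raw, hashlib.sha256).digest() + raw

def unseal(key, ticket):
    tag, raw = ticket[:32], ticket[32:]
    if not hmac.compare_digest(tag, hmac.new(key, raw, hashlib.sha256).digest()):
        raise PermissionError("ticket was not issued under this key")
    return json.loads(raw)

class KerberosServer:
    def __init__(self, realm, users=()):
        self.realm, self.users = realm, set(users)
        self.realm_keys = {}    # other realm name -> inter-realm shared secret
        self.service_keys = {}  # service name -> key shared with that server

    def register_with(self, other):
        """Both Kerberos servers store the same secret (mutual registration)."""
        key = os.urandom(32)
        self.realm_keys[other.realm] = other.realm_keys[self.realm] = key

    def referral(self, user, target_realm):
        """Home realm vouches for one of its own users to the other realm."""
        if user not in self.users:
            raise PermissionError("unknown user")
        if target_realm not in self.realm_keys:
            raise PermissionError("no shared key with " + target_realm)
        return seal(self.realm_keys[target_realm], {"client": user})

    def service_ticket(self, referral, from_realm, service):
        """Remote realm trusts the referral only if the shared key verifies it."""
        if from_realm not in self.realm_keys:
            raise PermissionError("no shared key with " + from_realm)
        who = unseal(self.realm_keys[from_realm], referral)
        body = {"client": who["client"], "realm": from_realm, "service": service}
        return seal(self.service_keys[service], body)

def server_accepts(service_key, ticket, trusted_realms):
    """Application server: verify the ticket, then decide whether to trust the realm."""
    t = unseal(service_key, ticket)
    if t["realm"] not in trusted_realms:
        raise PermissionError("server does not trust realm " + t["realm"])
    return t["client"] + "@" + t["realm"]
```

The three failure paths (no registered key between realms, a referral sealed under the wrong key, and an application server that does not list the foreign realm) correspond to the three trust conditions on the multi-realm slide.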