0% found this document useful (0 votes)
27 views17 pages

Internet Authentication Application

Internet and Authentication application

Uploaded by

chehabb2003
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
27 views17 pages

Internet Authentication Application

Internet and Authentication application

Uploaded by

chehabb2003
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 17

Computer Security: Principles and

Practice
Chapter 23: Internet Authentication
Applications

1
Internet Authentication Applications
• Internet authentication functions: Developed to support
network-based authentication & digital signatures
• Will consider
– Kerberos: secure networked servers and hosts
– X.509 public-key directory authentication
– Public-key infrastructure (PKI)
Kerberos Overview
• Initially developed at MIT
• Software utility available in both the public domain and in
commercially supported versions
• Issued as an Internet standard and is the defacto standard for
remote authentication
• Provides centralised private-key third-party authentication
in a distributed network
– Requires that a user prove his or her identity for each service
invoked
– requires servers to prove their identity to clients
• https://web.mit.edu/kerberos/
Kerberos Protocol
Involves clients, application servers, and a Kerberos server
• Designed to counter a variety of threats to the security of a client/server
dialogue
• Obvious security risk is impersonation
• Servers must be able to confirm the identities of clients who request
service

Use an Authentication Server (AS)


• User initially negotiates with AS for identity verification
• AS verifies identity and then passes information on to an application
server which will then accept service requests from the client

Need to find a way to do this in a secure way


• If client sends user’s password to the AS over the network an opponent
could observe the password
• An opponent could impersonate the AS and send a false validation
Overview of Kerberos
Kerberos Realms
• A Kerberos environment consists of:
– A Kerberos server
– A number of clients, all registered with server
– A number of application servers, sharing keys with server
• This is termed a realm
– Networks of clients and servers under different administrative
organizations generally constitute different realms

• If multiple realms:
– Their Kerberos servers must share a secret key and trust the
Kerberos server in the other realm to authenticate its users
– Participating servers in the second realm must also be willing to
trust the Kerberos server in the first realm
Kerberos Realms(Service Areas)
Kerberos servers in each realm
may share a secret key with the
server in other realm; the two
Kerberos are registered with each
other

Server in one realm must trust the


Kerberos in the other realm
Kerberos Version 5
• The first version of Kerberos that was widely used was
version 4, published in the late 1980s
• Improvements found in version 5:
• An encrypted message is tagged with an encryption algorithm
identifier
• This enables users to configure Kerberos to use an algorithm other than
DES
• Supports authentication forwarding
• Enables a client to access a server and have that server access another
server on behalf of the client
• Supports a method for interrealm authentication that requires fewer secure
key exchanges than in version 4
Certificate Authorities (CA)
• Certificate consists of:
– A public key plus a User ID of the key owner
– Signed by a third party trusted by community
– Typically the third party is a CA that is trusted by the user
community (such as a government agency, telecommunications
company, financial institution, or other trusted peak organization)
• User can present his or her public key to the authority in a
secure manner and obtain a certificate
– User can then publish the certificate or send it to others
– Anyone needing this user’s public key can obtain the certificate
and verify that it is valid by way of the attached trusted signature
X.509

• Specified in RFC 5280


• The most widely accepted format for public-key certificates
• Certificates are used in most network security applications,
including:
− IP security (IPSEC)
− Secure sockets layer (SSL)
− Secure electronic transactions (SET)
− S/MIME
− eBusiness applications
A number of specialized variants also exist, distinguished by
particular element values or the presence of certain
extensions:
• Conventional (long-lived) certificates
• CA and “end user” certificates
• Typically issued for validity periods of months to years
• Short-lived certificates
• Used to provide authentication for applications such as grid computing,
while avoiding some of the overheads and limitations of conventional
certificates
• They have validity periods of hours to days, which limits the period of
misuse if compromised
• Because they are usually not issued by recognized CA’s there are issues
with verifying them outside their issuing organization
A number of specialized variants also exist, distinguished by
particular element values or the presence of certain
extensions:
• Proxy certificates
• Widely used to provide authentication for applications such as grid computing,
while addressing some of the limitations of short-lived certificates
• Defined in RFC 3820
• Identified by the presence of the “proxy certificate” extension
• They allow an “end user” certificate to sign another certificate
• Allow a user to easily create a credential to access resources in some
environment, without needing to provide their full certificate and right
• Attribute certificates
• Defined in RFC 5755
• Use a different certificate format to link a user’s identity to a set of attributes that
are typically used for authorization and access control
• A user may have a number of different attribute certificates, with different set of
attributes for different purposes
• Defined in an “Attributes” extension
X.509 Formats

To revoke before expiration (in case


the key has been compromised)
PKI X.509 (PKIX) Management
• RFC 4949 (Internet Security Glossary, Version 2, 2007): Public-key
infrastructure (PKI) is the set of hardware, software, people, policies,
and procedures needed to create, manage, store, distribute, and
revoke digital certificates based on asymmetric cryptography
• PKI was developed to enable secure, convenient, and efficient
acquisition of public keys
• X.509 PKI implementations came with a large list of CAs and their
public keys, known as a “trust store”
Problems of PKI X.509 (PKIX)
• First, the reliance on the user to make an informed decision when
there is a problem verifying a certificate.
– Unfortunately, it is clear that most users do not understand what a certificate is and why
there might be a problem. Hence they choose to accept a certificate, or not, for reasons
that have little to do with their security, which may result in the compromise of their
systems.
• Second, the assumption that all of the CAs in the “trust store” are
equally trusted, equally well managed, and apply equivalent policies.
– This was dramatically illustrated by the compromise of the DigiNotar CA in 2011 that
resulted in the fraudulent issue of certificates for many well-known organizations. As a
consequence, the DigiNotar CA keys were removed from the “trust store” in many
systems, and the company was declared bankrupt later that year.
– Another CA, Comodo, was also compromised in 2011, with a small number of fraudulent
certificates issued.
• Third, the various web browsers and operating systems, use different
“trust stores,” and hence present different security views to users.
PKIX Architecture Model
• Interrelationship among the key elements of the PKIX model
 End entity for which the
certificate for and the
Certificate authority that
issues the certificates. Users, servers
 Registration authority
(RA) that handles end entity
registration Certain admin func of CA
 The (certificate revocation
list) CRL issuer and
Repository that manage Issues
CRLs. of CA

PKI: HW, SW, people,


policies, and procedures Issues cert revocation lists
to create, manage, distribute,
and revoke DCs based
on asymmetric cryptography
Summary
• reviewed network authentication using:
– Kerberos private-key authentication service
– X.509 public-key directory authentication
– public-key infrastructure (PKI)

You might also like