0% found this document useful (0 votes)
5 views

Key Distribution and User Authentication - Part 1

lectures ppt

Uploaded by

tanjidaparvezs22
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PPTX, PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
5 views

Key Distribution and User Authentication - Part 1

lectures ppt

Uploaded by

tanjidaparvezs22
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PPTX, PDF, TXT or read online on Scribd
You are on page 1/ 22

CSE487 Cyber Security, Law, and Ethics

Key Distribution and User Authentication


Part 1

CSE487 Copyright © Dr Md Hasanul Ferdaus, Assistant Professor, East West University 1


Lesson outline

1. Symmetric Key Distribution using Symmetric Encryption


[slides 3-4]
• Kerberos Protocol [slides 5-11]

2. Key Distribution using Asymmetric Encryption [slides 12-21]


• Digital Certificate
• Digital Signature

CSE487 Copyright © Dr Md Hasanul Ferdaus, Assistant Professor, East West University 2


Symmetric Key Distribution
using Symmetric Encryption

• For symmetric encryption to work, two parties must share


the same key, and that key must be protected from access
by others.
• Frequent key changes are usually desirable to limit the
amount of data compromisation if an attacker learns the
key.
• Key distribution technique
– The means of delivering a key to two parties that wish to exchange
data, without allowing others to see the key.

CSE487 Copyright © Dr Md Hasanul Ferdaus, Assistant Professor, East West University 3


Key Distribution

• For two parties A and B, there are the following options:

• A key can be selected by A and physically delivered to B


1

• A third party can select the key and physically deliver it to A


and B
2
• If A and B have previously and recently used a key, one party
could transmit the new key to the other, using the old key to
3 encrypt the new key

• If A and B each have an encrypted connection to a third-party


C, C could deliver a key on the encrypted links to A and B
4

CSE487 Copyright © Dr Md Hasanul Ferdaus, Assistant Professor, East West University 4


Kerberos

• Key Distribution and User Authentication service


developed at MIT (USA).
• Provides a Centralized Authentication Server whose
function is to authenticate users to servers and servers
to users.
• Relies exclusively on symmetric encryption, making no use
of public-key encryption.

Two versions are in use


• Version 4 implementations still exist, although this version is
being phased out.
• Version 5 corrects some of the security deficiencies of version
4 and has been issued as a proposed Internet Standard (RFC
4120)

CSE487 Copyright © Dr Md Hasanul Ferdaus, Assistant Professor, East West University 5


Kerberos Protocol

• A basic third-party authentication scheme.


• Complex protocol using AES.
• Authentication Server (AS)
– Users initially negotiate with AS to identify themselves.
– AS provides a non-corruptible authentication credential (ticket
granting ticket TGT) to the users.
• Ticket Granting Server (TGS)
– Users subsequently request access to other services from TGS on
the basis of users’ TGT.

CSE487 Copyright © Dr Md Hasanul Ferdaus, Assistant Professor, East West University 6


CSE487 Copyright © Dr Md Hasanul Ferdaus, Assistant Professor, East West University 7
Kerberos Realms

Kerberos realm
 A set of managed nodes that share A Kerberos environment consists
of:
the same Kerberos database.
 The Kerberos database resides on
the Kerberos master computer
system, which should be kept in a A Kerberos server
physically secure room.
 A read-only copy of the Kerberos
database might also reside on other
Kerberos computer systems. A number of clients
 All changes to the database must
be made on the master computer
system. A number of application
 Changing or accessing the contents servers
of a Kerberos database requires the
Kerberos master password.
CSE487 Copyright © Dr Md Hasanul Ferdaus, Assistant Professor, East West University 8
Kerberos Realms
• Accessing service from a server residing in a different Kerberos Realm.

CSE487 Copyright © Dr Md Hasanul Ferdaus, Assistant Professor, East West University 9


Kerberos Principal
• A service or user that is known to the Kerberos system.
• Each Kerberos Principal is identified by its Principal Name.

A
An
service A realm Principal
instance
or user name name
name
name

Principal names consist of three parts

CSE487 Copyright © Dr Md Hasanul Ferdaus, Assistant Professor, East West University 10


Video Tutorials on Kerberos

Kerberos - authentication protocol


https://www.youtube.com/watch?v=_44CHD3Vx-0

Kerberos Authentication Explained | A deep


dive
https://www.youtube.com/watch?v=5N242XcKAsM

CSE487 Copyright © Dr Md Hasanul Ferdaus, Assistant Professor, East West University 11


Key Distribution using Asymmetric Encryption

• One of the major roles of public-key encryption is to address the problem


of key distribution.
• There are two distinct aspects to the use of public-key encryption in this
regard:
– 1) The distribution of public keys (issue: anyone can forge a public announcement).
– 2) The use of public-key encryption to distribute secret keys for symmetric
encryption.
• Public-key Certificate (Digital Certificate)
– Consists of a public key plus a user ID of the key owner, with the whole block signed
by a trusted third party.
– Typically, the third party is a Certificate Authority (CA) that is trusted by the user
community, such as a government agency or a financial institution
– A user can present his or her public key to the authority in a secure manner and
obtain a certificate
– The user can then publish the certificate
– Anyone needing this user’s public key can obtain the certificate and verify that it is
valid by way of the attached trusted signature

CSE487 Copyright © Dr Md Hasanul Ferdaus, Assistant Professor, East West University 12


Digital Certificate Verification

CSE487 Copyright © Dr Md Hasanul Ferdaus, Assistant Professor, East West University 13


X.509 Certificates

• ITU-T recommendation X.509 is part of the X.500 series of


recommendations that define a directory service
• Directory is a server or distributed set of servers that maintains a
database of information about users, such as a mapping from
username to network address
• Defines a framework for the provision of authentication services
by the X.500 directory to its users
• The directory may serve as a repository of public-key certificates
• Defines alternative authentication protocols based on the use of
public-key certificates
– Was initially issued in 1988
– Based on the use of public-key cryptography and digital signatures
• The standard does not dictate the use of a specific algorithm but
recommends RSA
CSE487 Copyright © Dr Md Hasanul Ferdaus, Assistant Professor, East West University 14
X.509 Certificate Format

CSE487 Copyright © Dr Md Hasanul Ferdaus, Assistant Professor, East West University 15


Sample X.509 Certificate

CSE487 Copyright © Dr Md Hasanul Ferdaus, Assistant Professor, East West University 16


Digital Signature Process

CSE487 Copyright © Dr Md Hasanul Ferdaus, Assistant Professor, East West University 17


Obtaining a User’s Certificate

• User Certificates generated by a CA have the following


characteristics:
– Any user with access to the public key of the CA can verify the user
public key that was certified.
– No party other than the certification authority can modify the
certificate without this being detected.
• Because certificates are unforgeable, they can be placed in
a directory without the need for the directory to make special
efforts to protect them.

CSE487 Copyright © Dr Md Hasanul Ferdaus, Assistant Professor, East West University 18


X.509 Certificate Hierarchy

• Root Certificate Authority


signs Intermediate
Certificates.
• Intermediate Certificate
Authority signs End-entity
Certificates.
• End-entity Certificate
Authority signs End-users
Certificates.

CSE487 Copyright © Dr Md Hasanul Ferdaus, Assistant Professor, East West University 19


Revocation of Certificates

– Each certificate includes a period of validity.

– Typically, a new certificate is issued just before the


expiration of the old one.
– It may be desirable on occasion to revoke a certificate
before it expires for one of the following reasons:
• The user’s private key is assumed to be compromised
• The user is no longer certified by this CA; reasons for this
include subject’s name has changed, the certificate is
superseded, or the certificate was not issued in conformance
with the CA’s policies
• The CA’s certificate is assumed to be compromised

CSE487 Copyright © Dr Md Hasanul Ferdaus, Assistant Professor, East West University 20


Secure and Insecure Websites
 Secure Websites

 East West University

https://ewubd.edu/

 Bangladesh Bank

https://www.bb.org.bd/

 Insecure Websites

 Australian Govt Bureau of Meteorology

http://www.bom.gov.au/

 Bangladesh Telecommunications Company Limited (BTCL)

http://www.btcl.gov.bd/
CSE487 Copyright © Dr Md Hasanul Ferdaus, Assistant Professor, East West University 21
Test Your Browser

https://www.ssllabs.com/

CSE487 Copyright © Dr Md Hasanul Ferdaus, Assistant Professor, East West University 22

You might also like