Cryptography and Network Security
Authentication Applications, Kerberos
Authentication applications
• will consider authentication functions developed to support application-level authentication & digital signatures
• will consider Kerberos – a private-key authentication service
• then X.509 – a public-key directory authentication service
Authentication process steps
• Identification step: presenting an identifier to the security system
• Verification step: presenting or generating authentication information that establishes the binding between the entity and the identifier
General means of authenticating a user's identity
• Something the individual knows: e.g. a PIN
• Something the individual possesses: e.g. a smart card
• Something the individual is: e.g. fingerprint, retina
• Something the individual does: e.g. voice recognition, handwriting characteristics
Examples of replay attacks
• Simple replay: the attacker simply copies a message and sends it again later
• Repetition that can be logged: a timestamped message is replayed within its valid time window
• Repetition that cannot be detected: the original message is suppressed, so only the replayed message reaches the receiver
• Backward replay without modification: the message is sent back to its sender without modification, and without reaching the receiver
Two approaches to prevent replay attacks
One-way authentication
• A procedure for confirming the identity of somebody with whom you wish to share sensitive information.
• Online, authentication usually involves either a set of account information or a public/private key pair.
Two-way authentication
• The client and the server authenticate to each other.
• This is done through the exchange of certificates that are checked by a Certificate Authority.
Remote user authentication using symmetric encryption
• Mutual authentication
• One-way authentication
Remote user authentication using symmetric encryption (two-way / mutual authentication)
• Example: the Needham-Schroeder protocol
• General form, without timestamps
Contd.
• Inclusion of a timestamp
Contd.
• Improved strategy that resolves the replay attack
• Inclusion of a nonce
• Provides an effective, secure means of authentication for A and B
Contd.
• Adding a nonce to the previous protocol ensures that neither party is exposed to a replay attack
Remote user authentication using symmetric encryption (one-way authentication)
• Consider the key distribution scenario with a few of the steps eliminated
• Provides secure authentication of the sender
Remote user authentication using asymmetric encryption
• Mutual authentication
• One-way authentication
Remote user authentication using asymmetric encryption (two-way / mutual authentication)
• Example: public-key encryption used for session-key distribution
• General form, with timestamps
• Inclusion of a nonce; synchronization
• Free from attacks
Remote user authentication using asymmetric encryption (one-way authentication)
• If confidentiality is the primary concern, then the following may be more efficient:
• If authentication is the primary concern, then a digital signature may suffice:
• The message and signature can be encrypted with the recipient's public key:
• An effective way to provide this assurance is the digital certificate:
Kerberos
• Kerberos is an authentication service developed as part of Project Athena at MIT.
• It is a secret-key based service that provides authentication in a network.
• Versions 1, 2 and 3 are not in use
• Two versions:
– Version 4: simpler, with better performance, but works only on TCP/IP networks
– Version 5: greater functionality
Threats in Kerberos
1. A user may gain access to a particular workstation and pretend to be another user operating from that workstation.
2. A user may alter the network address of a workstation so that the requests sent from the altered workstation appear to come from the impersonated workstation.
3. A user may eavesdrop on exchanges and use a replay attack to gain entrance to a server or to disrupt operations.
Kerberos Motivation
1. Rely on each individual client workstation to assure the identity of its user or users and rely on each server to enforce a security policy based on user identification (ID).
2. Require that client systems authenticate themselves to servers, but trust the client system concerning the identity of its user.
3. Require the user to prove his or her identity for each service invoked. Also require that servers prove their identity to clients.
Advantages of Kerberos
• Secure
• Reliable
• Transparent
• Scalable
How does Kerberos work?
• Four parties are involved in the Kerberos protocol
– Client
– Authentication Server (AS): verifies the user
– Ticket Granting Server (TGS): issues tickets that certify proof of identity
– Server
Version 4
• Kerberos Version 4 makes use of DES to provide the authentication service.
Primary steps
• Login
• Obtaining a service-granting ticket (SGT)
• Client contacts the server for access
Version 4 Message Exchange
Secure Authentication Dialogue
Contd.
• A scheme for avoiding plaintext passwords, using a new server known as the ticket-granting server (TGS).
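The third primary step of the version 4 dialogue, the client contacting the server with a ticket plus authenticator and the server answering with E(Kc,v, [TS5 + 1]), worked through on the server side as an added Python example; it is not code from these slides. It assumes constructed keys, names and addresses, and stands in for DES with a toy SHA-256 keystream plus HMAC tag (not a real cipher); each check is mapped to the three threats listed earlier (impersonation, address alteration, replay).

```python
import hashlib, hmac, json, os, time

def enc(key: bytes, obj) -> bytes:
    """Toy authenticated encryption standing in for DES in Kerberos v4: SHA-256 keystream + HMAC tag. Illustration only."""
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ks = b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(len(pt) // 32 + 1))
    ct = bytes(a ^ b for a, b in zip(pt, ks))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def dec(key: bytes, blob: bytes):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("bad tag: wrong key or tampered message")
    ks = b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(len(ct) // 32 + 1))
    return json.loads(bytes(a ^ b for a, b in zip(ct, ks)))

K_V = b"constructed key shared by TGS and server V"   # Kv (constructed sample key)
SKEW = 300          # tolerated clock skew on authenticators, in seconds (assumed policy)
SEEN = set()        # server-side replay cache of authenticators already accepted

def issue_ticket(k_cv, id_c, ad_c, id_v, ts4, lifetime):
    """TGS, message 4: Ticket_v = E(Kv, [Kc,v || IDc || ADc || IDv || TS4 || Lifetime4])."""
    return enc(K_V, {"kcv": k_cv.hex(), "idc": id_c, "adc": ad_c, "idv": id_v, "ts": ts4, "life": lifetime})

def client_request(k_cv, ticket, id_c, ad_c, ts5):
    """Client, message 5: Ticket_v || Authenticator_c, with Authenticator_c = E(Kc,v, [IDc || ADc || TS5])."""
    return ticket, enc(k_cv, {"idc": id_c, "adc": ad_c, "ts": ts5})

def server_verify(ticket, auth, src_addr, now):
    """Server V checks message 5 and answers with message 6, E(Kc,v, [TS5 + 1]); raises on any failure."""
    t = dec(K_V, ticket)                                   # only V holds Kv, so a decryptable ticket is genuine
    if not t["ts"] <= now <= t["ts"] + t["life"]: raise ValueError("ticket expired or not yet valid")
    k_cv = bytes.fromhex(t["kcv"])
    a = dec(k_cv, auth)                                    # threat 1: an impostor without Kc,v cannot build this
    if (a["idc"], a["adc"]) != (t["idc"], t["adc"]) or src_addr != t["adc"]:
        raise ValueError("authenticator does not match ticket or source address")   # threat 2
    if abs(now - a["ts"]) > SKEW or auth in SEEN: raise ValueError("stale or replayed authenticator")  # threat 3
    SEEN.add(auth)
    return enc(k_cv, {"ts": a["ts"] + 1})                  # mutual authentication: proves V knows Kc,v

def demo():
    """Honest exchange, then the same authenticator presented again: returns (accepted, replay_rejected)."""
    k_cv, now = os.urandom(16), int(time.time())
    tkt = issue_ticket(k_cv, "alice", "10.0.0.5", "fileserver", now, 3600)
    tkt, auth = client_request(k_cv, tkt, "alice", "10.0.0.5", now)
    accepted = dec(k_cv, server_verify(tkt, auth, "10.0.0.5", now))["ts"] == now + 1
    try:
        server_verify(tkt, auth, "10.0.0.5", now + 5)      # captured message 5 re-sent a few seconds later
        return accepted, False
    except ValueError:
        return accepted, True
```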
Kerberos elements
Kerberos Realms
Kerberos Version 5
• Kerberos Version 5 is specified in RFC 1510 and provides a number of improvements over version 4.
• Version 5 is intended to address the limitations of version 4 in two areas:
– environmental shortcomings
• encryption algorithm, network protocol, byte order, ticket lifetime, authentication forwarding, inter-realm authentication
– technical deficiencies
• double encryption, non-standard mode of use, session keys, password attacks
Environmental shortcomings
Technical Deficiencies
Version 5 Message Exchange