1 kerberos and x.509 fourth edition by william stallings lecture slides by lawrie brown (changed by...
TRANSCRIPT
![Page 1: 1 Kerberos and X.509 Fourth Edition by William Stallings Lecture slides by Lawrie Brown (Changed by Somesh Jha)](https://reader036.vdocuments.us/reader036/viewer/2022062303/551a1bd955034619378b51eb/html5/thumbnails/1.jpg)
1
Kerberos and X.509
Fourth Editionby William Stallings
Lecture slides by Lawrie Brown
(Changed by Somesh Jha)
![Page 2: 1 Kerberos and X.509 Fourth Edition by William Stallings Lecture slides by Lawrie Brown (Changed by Somesh Jha)](https://reader036.vdocuments.us/reader036/viewer/2022062303/551a1bd955034619378b51eb/html5/thumbnails/2.jpg)
2
Authentication Applications
• will consider authentication functions• developed to support application-
level authentication & digital signatures
• will consider Kerberos – a private-key authentication service
• then X.509 directory authentication service
![Page 3: 1 Kerberos and X.509 Fourth Edition by William Stallings Lecture slides by Lawrie Brown (Changed by Somesh Jha)](https://reader036.vdocuments.us/reader036/viewer/2022062303/551a1bd955034619378b51eb/html5/thumbnails/3.jpg)
3
Kerberos• trusted key server system from MIT • provides centralised private-key third-
party authentication in a distributed network– allows users access to services distributed
through out the network– without needing to trust all workstations– rather all trust a central authentication
server
• two versions in use: 4 & 5
![Page 4: 1 Kerberos and X.509 Fourth Edition by William Stallings Lecture slides by Lawrie Brown (Changed by Somesh Jha)](https://reader036.vdocuments.us/reader036/viewer/2022062303/551a1bd955034619378b51eb/html5/thumbnails/4.jpg)
4
Kerberos Requirements
• first published report identified its requirements as:– security– reliability– transparency– scalability
• implemented using an authentication protocol based on Needham-Schroeder
![Page 5: 1 Kerberos and X.509 Fourth Edition by William Stallings Lecture slides by Lawrie Brown (Changed by Somesh Jha)](https://reader036.vdocuments.us/reader036/viewer/2022062303/551a1bd955034619378b51eb/html5/thumbnails/5.jpg)
5
Kerberos 4 Overview• a basic third-party authentication scheme• have an Authentication Server (AS)
– users initially negotiate with AS to identify themselves
– AS provides a non-corruptible authentication credential (ticket granting ticket TGT)
• have a Ticket Granting server (TGS)– users subsequently request access to other
services from TGS on basis of users TGT
![Page 6: 1 Kerberos and X.509 Fourth Edition by William Stallings Lecture slides by Lawrie Brown (Changed by Somesh Jha)](https://reader036.vdocuments.us/reader036/viewer/2022062303/551a1bd955034619378b51eb/html5/thumbnails/6.jpg)
6
A Simple Authentication Dialogue
• (1) C -> AS : IDC || PC || IDV
– C = client – AS = authentication server– IDC = identifier of user on C– PC = password of user on C– IDV = identifier of server V– C asks user for the password– AS checks that user supplied the right
password
![Page 7: 1 Kerberos and X.509 Fourth Edition by William Stallings Lecture slides by Lawrie Brown (Changed by Somesh Jha)](https://reader036.vdocuments.us/reader036/viewer/2022062303/551a1bd955034619378b51eb/html5/thumbnails/7.jpg)
7
Message 2
• (2) AS -> C : Ticket
• Ticket = E K(V) [IDC || ADC || IDV]– K(V) = secret encryption key shared by
AS and V
– ADC = network address of C
– Ticket cannot be altered by C or an adversary
![Page 8: 1 Kerberos and X.509 Fourth Edition by William Stallings Lecture slides by Lawrie Brown (Changed by Somesh Jha)](https://reader036.vdocuments.us/reader036/viewer/2022062303/551a1bd955034619378b51eb/html5/thumbnails/8.jpg)
8
Message 3
• (3) C -> V: IDC || Ticket– Server V decrypts the ticket and checks
various fields
– ADC in the ticket binds the ticket to the network address of C
– However this authentication scheme has problems
![Page 9: 1 Kerberos and X.509 Fourth Edition by William Stallings Lecture slides by Lawrie Brown (Changed by Somesh Jha)](https://reader036.vdocuments.us/reader036/viewer/2022062303/551a1bd955034619378b51eb/html5/thumbnails/9.jpg)
9
Problems
• Each time a user needs to access a different service he/she needs to enter their password– Read email several times– Print, mail, or file server– Assume that each ticket can be used
only once (otherwise open to replay attacks)
• Password sent in the clear
![Page 10: 1 Kerberos and X.509 Fourth Edition by William Stallings Lecture slides by Lawrie Brown (Changed by Somesh Jha)](https://reader036.vdocuments.us/reader036/viewer/2022062303/551a1bd955034619378b51eb/html5/thumbnails/10.jpg)
10
Authentication Dialogue II
• Once per user logon session
• (1) C -> AS: IDC || IDTGS
• (2) AS -> C: E K(C) [TicketTGS]
• TicketTGS is equal to
– E K(TGS) [IDC || ADC || IDTGS
|| TS1 || Lifetime1 ]
![Page 11: 1 Kerberos and X.509 Fourth Edition by William Stallings Lecture slides by Lawrie Brown (Changed by Somesh Jha)](https://reader036.vdocuments.us/reader036/viewer/2022062303/551a1bd955034619378b51eb/html5/thumbnails/11.jpg)
11
Explaining the fields
• TGS = Ticket-granting server
• IDTGS = Identifier of the TGS
• TicketTGS = Ticket-granting ticket or TGT
• TS1 = timestamp
• Lifetime1 = lifetime for the TGT
• K (C) = key derived from user’s password
![Page 12: 1 Kerberos and X.509 Fourth Edition by William Stallings Lecture slides by Lawrie Brown (Changed by Somesh Jha)](https://reader036.vdocuments.us/reader036/viewer/2022062303/551a1bd955034619378b51eb/html5/thumbnails/12.jpg)
12
Messages (3) and (4)
• Once per type of service
• (3) C -> TGS: IDC || IDV || TicketTGS
• (4) TGS -> C : TicketV
• TicketV is equal to
– E K(V) [ IDC || ADC || IDV ||
TS2 || Lifetime2 ]
K(V): key shared between V and TGSIs called the service-granting ticket (SGT)
![Page 13: 1 Kerberos and X.509 Fourth Edition by William Stallings Lecture slides by Lawrie Brown (Changed by Somesh Jha)](https://reader036.vdocuments.us/reader036/viewer/2022062303/551a1bd955034619378b51eb/html5/thumbnails/13.jpg)
13
Message 5
• Once per service session
• (5) C -> V: IDC || TicketV
• C says to V “I am IDC and have a ticket from the TGS” . Let me in!
• Seems secure, but..– There are problems
![Page 14: 1 Kerberos and X.509 Fourth Edition by William Stallings Lecture slides by Lawrie Brown (Changed by Somesh Jha)](https://reader036.vdocuments.us/reader036/viewer/2022062303/551a1bd955034619378b51eb/html5/thumbnails/14.jpg)
14
Problems
• Lifetime of the TGT– Short : user is repeatedly asked for their
password– Long : open to replay attack– Oscar captures TGT and waits for the
user to logoff– Sends message (3) with network address
IDC (network address is easy to forge)
• Same problem with SGT
![Page 15: 1 Kerberos and X.509 Fourth Edition by William Stallings Lecture slides by Lawrie Brown (Changed by Somesh Jha)](https://reader036.vdocuments.us/reader036/viewer/2022062303/551a1bd955034619378b51eb/html5/thumbnails/15.jpg)
15
What should we do?
• A network service (TGS or server) should be able to verify that – person using the ticket is the same as the
person that the ticket was issued to– Remedy : use an authenticator
• Server should also authenticate to user– Otherwise can setup a “fake” server– A “fake” tuition payment server and capture
the student’s credit card– Remedy : use a challenge-response protocol
![Page 16: 1 Kerberos and X.509 Fourth Edition by William Stallings Lecture slides by Lawrie Brown (Changed by Somesh Jha)](https://reader036.vdocuments.us/reader036/viewer/2022062303/551a1bd955034619378b51eb/html5/thumbnails/16.jpg)
16
Kerberos Realms• a Kerberos environment consists of:
– a Kerberos server– a number of clients, all registered with
server– application servers, sharing keys with server
• this is termed a realm– typically a single administrative domain
• if have multiple realms, their Kerberos servers must share keys and trust
![Page 17: 1 Kerberos and X.509 Fourth Edition by William Stallings Lecture slides by Lawrie Brown (Changed by Somesh Jha)](https://reader036.vdocuments.us/reader036/viewer/2022062303/551a1bd955034619378b51eb/html5/thumbnails/17.jpg)
17
Kerberos Version 5• developed in mid 1990’s• provides improvements over v4
– addresses environmental shortcomings• encryption algorithm, network protocol, byte
order, ticket lifetime, authentication forwarding, inter-realm authentication
– and technical deficiencies• double encryption, non-standard mode of use,
session keys, password attacks
• specified as Internet standard RFC 1510
![Page 18: 1 Kerberos and X.509 Fourth Edition by William Stallings Lecture slides by Lawrie Brown (Changed by Somesh Jha)](https://reader036.vdocuments.us/reader036/viewer/2022062303/551a1bd955034619378b51eb/html5/thumbnails/18.jpg)
18
Reading assignment
• Inter-realm authentication in version 4– Pages 411-413
• Version 5– Fixes some shortcomings of version 4– Page 413-419
![Page 19: 1 Kerberos and X.509 Fourth Edition by William Stallings Lecture slides by Lawrie Brown (Changed by Somesh Jha)](https://reader036.vdocuments.us/reader036/viewer/2022062303/551a1bd955034619378b51eb/html5/thumbnails/19.jpg)
19
X.509 Authentication Service
• part of CCITT X.500 directory service standards– distributed servers maintaining some info database
• defines framework for authentication services – directory may store public-key certificates– with public key of user– signed by certification authority
• also defines authentication protocols • uses public-key crypto & digital signatures
– algorithms not standardised, but RSA recommended
![Page 20: 1 Kerberos and X.509 Fourth Edition by William Stallings Lecture slides by Lawrie Brown (Changed by Somesh Jha)](https://reader036.vdocuments.us/reader036/viewer/2022062303/551a1bd955034619378b51eb/html5/thumbnails/20.jpg)
20
X.509 Certificates• issued by a Certification Authority (CA), containing:
– version (1, 2, or 3) – serial number (unique within CA) identifying certificate – signature algorithm identifier – issuer X.500 name (CA) – period of validity (from - to dates) – subject X.500 name (name of owner) – subject public-key info (algorithm, parameters, key) – issuer unique identifier (v2+) – subject unique identifier (v2+) – extension fields (v3) – signature (of hash of all fields in certificate)
• notation CA<<A>> denotes certificate for A signed by CA
![Page 21: 1 Kerberos and X.509 Fourth Edition by William Stallings Lecture slides by Lawrie Brown (Changed by Somesh Jha)](https://reader036.vdocuments.us/reader036/viewer/2022062303/551a1bd955034619378b51eb/html5/thumbnails/21.jpg)
21
Obtaining a Certificate
• any user with access to CA can get any certificate from it
• only the CA can modify a certificate • because cannot be forged,
certificates can be placed in a public directory
![Page 22: 1 Kerberos and X.509 Fourth Edition by William Stallings Lecture slides by Lawrie Brown (Changed by Somesh Jha)](https://reader036.vdocuments.us/reader036/viewer/2022062303/551a1bd955034619378b51eb/html5/thumbnails/22.jpg)
22
CA Hierarchy
• if both users share a common CA then they are assumed to know its public key
• otherwise CA's must form a hierarchy • use certificates linking members of
hierarchy to validate other CA's – each CA has certificates for clients (forward)
and parent (backward)
• each client trusts parents certificates • enable verification of any certificate from
one CA by users of all other CAs in hierarchy
![Page 23: 1 Kerberos and X.509 Fourth Edition by William Stallings Lecture slides by Lawrie Brown (Changed by Somesh Jha)](https://reader036.vdocuments.us/reader036/viewer/2022062303/551a1bd955034619378b51eb/html5/thumbnails/23.jpg)
23
CA Hierarchy Use
![Page 24: 1 Kerberos and X.509 Fourth Edition by William Stallings Lecture slides by Lawrie Brown (Changed by Somesh Jha)](https://reader036.vdocuments.us/reader036/viewer/2022062303/551a1bd955034619378b51eb/html5/thumbnails/24.jpg)
24
Certificate Revocation
• certificates have a period of validity• may need to revoke before expiry
1. user's private key is compromised2. user is no longer certified by this CA3. CA's certificate is compromised
• CA’s maintain list of revoked certificates
– the Certificate Revocation List (CRL)
• users should check certs with CA’s CRL
![Page 25: 1 Kerberos and X.509 Fourth Edition by William Stallings Lecture slides by Lawrie Brown (Changed by Somesh Jha)](https://reader036.vdocuments.us/reader036/viewer/2022062303/551a1bd955034619378b51eb/html5/thumbnails/25.jpg)
25
Authentication Procedures
• X.509 includes three alternative authentication procedures:
• One-Way Authentication • Two-Way Authentication • Three-Way Authentication • all use public-key signatures
![Page 26: 1 Kerberos and X.509 Fourth Edition by William Stallings Lecture slides by Lawrie Brown (Changed by Somesh Jha)](https://reader036.vdocuments.us/reader036/viewer/2022062303/551a1bd955034619378b51eb/html5/thumbnails/26.jpg)
26
One-Way Authentication
• 1 message ( A->B) used to establish – the identity of A and that message is
from A – message was intended for B – integrity & originality of message
• message must include timestamp, nonce, B's identity and is signed by A
![Page 27: 1 Kerberos and X.509 Fourth Edition by William Stallings Lecture slides by Lawrie Brown (Changed by Somesh Jha)](https://reader036.vdocuments.us/reader036/viewer/2022062303/551a1bd955034619378b51eb/html5/thumbnails/27.jpg)
27
Two-Way Authentication
• 2 messages (A->B, B->A) which also establishes in addition:– the identity of B and that reply is from B – that reply is intended for A – integrity & originality of reply
• reply includes original nonce from A, also timestamp and nonce from B
![Page 28: 1 Kerberos and X.509 Fourth Edition by William Stallings Lecture slides by Lawrie Brown (Changed by Somesh Jha)](https://reader036.vdocuments.us/reader036/viewer/2022062303/551a1bd955034619378b51eb/html5/thumbnails/28.jpg)
28
Three-Way Authentication
• 3 messages (A->B, B->A, A->B) which enables above authentication without synchronized clocks
• has reply from A back to B containing signed copy of nonce from B
• means that timestamps need not be checked or relied upon
• Reading assignment: pages 424-427
![Page 29: 1 Kerberos and X.509 Fourth Edition by William Stallings Lecture slides by Lawrie Brown (Changed by Somesh Jha)](https://reader036.vdocuments.us/reader036/viewer/2022062303/551a1bd955034619378b51eb/html5/thumbnails/29.jpg)
29
X.509 Version 3
• has been recognised that additional information is needed in a certificate – email/URL, policy details, usage constraints
• rather than explicitly naming new fields defined a general extension method
• extensions consist of:– extension identifier– criticality indicator– extension value
![Page 30: 1 Kerberos and X.509 Fourth Edition by William Stallings Lecture slides by Lawrie Brown (Changed by Somesh Jha)](https://reader036.vdocuments.us/reader036/viewer/2022062303/551a1bd955034619378b51eb/html5/thumbnails/30.jpg)
30
Certificate Extensions
• key and policy information– convey info about subject & issuer keys,
plus indicators of certificate policy• certificate subject and issuer attributes
– support alternative names, in alternative formats for certificate subject and/or issuer
• certificate path constraints– allow constraints on use of certificates by
other CA’s
![Page 31: 1 Kerberos and X.509 Fourth Edition by William Stallings Lecture slides by Lawrie Brown (Changed by Somesh Jha)](https://reader036.vdocuments.us/reader036/viewer/2022062303/551a1bd955034619378b51eb/html5/thumbnails/31.jpg)
31
Summary
• have considered:– Kerberos trusted key server system– X.509 authentication and certificates