• No results found

CS 356 Lecture 28 Internet Authentication. Spring 2013

N/A
N/A
Info
Download
Protected

Academic year: 2021

Share "CS 356 Lecture 28 Internet Authentication. Spring 2013"

Copied!
20
0
0

Loading.... (view fulltext now)

Download now ( 20 Page )

Full text

(1)

CS 356 – Lecture 28

Internet Authentication

(2)

Review

•  Chapter 1: Basic Concepts and Terminology •  Chapter 2: Basic Cryptographic Tools

•  Chapter 3 – User Authentication •  Chapter 4 – Access Control Lists

•  Chapter 5 – Database Security (skipped) •  Chapter 6 – Malicious Software

•  Networking Basics (not in book) •  Chapter 7 – Denial of Service •  Chapter 8 – Intrusion Detection

•  Chapter 9 – Firewalls and Intrusion Prevention •  Chapter 10 – Buffer Overflow

•  Chapter 11 – Software Security •  Chapter 12 – OS Security

•  Chapter 22 – Internet Security Protocols

(3)

Chapter 23

Internet Authentication

Applications

(4)

Kerberos Overview

•  initially developed at MIT

•  software utility available in both the public

domain and in commercially supported

versions

•  issued as an Internet standard and is the

defacto standard for remote authentication

•  overall scheme is that of a trusted third party

authentication service

•  requires that a user prove his or her identity

for each service invoked and requires servers

to prove their identity to clients

(5)

Kerberos Protocol

•  designed to counter a variety of threats to the security of a client/server dialogue •  obvious security risk is impersonation

•  servers must be able to confirm the identities of clients who request service

involves clients, application servers, and a Kerberos server

•  user initially negotiates with AS for identity verification

•  AS verifies identity and then passes information on to an application server

which will then accept service requests from the client

use an Authentication Server (AS)

•  if client sends user’s password to the AS over the network an opponent could

observe the password

•  an opponent could impersonate the AS and send a false validation

(6)

Authentication Server (AS) Ticket-granting Server (TGS) request ticket-granting ticket once per user logon session 1. User logs on to workstation and

requests service on host.

3. Workstation prompts

user for password and uses password to decrypt incoming message, then sends ticket and

authenticator that contains user's name, network address, and time to TGS.

ticket + session key request

service-granting ticket ticket + session key

once per

type of service 4. TGS decrypts ticket and

authenticator, verifies request, then creates ticket for requested server.

Kerberos

5. Workstation sends

ticket and authenticator to server.

6. Server verifies that

ticket and authenticator match, then grants access to service. If mutual authentication is required, server returns an authenticator. request service provide server authenticator once per service session

Figure 23.1 Overview of Kerberos

2. AS verifies user's access right in

database, creates ticket-granting ticket and session key. Results are encrypted using key derived from user's password.

(7)

Kerberos Realms

•  a Kerberos environment consists of:

–  a Kerberos server

–  a number of clients, all registered with server

–  a number of application servers, sharing keys with server

•  this is referred to as a realm

–  networks of clients and servers under different administrative organizations generally constitute different realms

•  if multiple realms:

–  their Kerberos servers must share a secret key and trust the Kerberos server in the other realm to authenticate its users

–  participating servers in the second realm must also be willing to trust the Kerberos server in the first realm

(8)

Kerberos

Realms

AS TGS Kerberos Client Realm A AS TGS Kerberos Server Realm B

1. request ticket for local TGS 2. ticket for local TGS 3. request ticket for remote TGS

4. ticket for remote TGS

5 request ticket for remote server

6 ticket for remote server

7. request remote service

(9)

Kerberos Versions 4 and 5

•  Kerberos v4 is most widely used version

•  improvements found in version 5:

–  an encrypted message is tagged with an

encryption algorithm identifier

•  this enables users to configure Kerberos to use an

algorithm other than DES

–  supports authentication forwarding

•  enables a client to access a server and have that

server access another server on behalf of the client

•  supports a method for interrealm authentication that

(10)

Kerberos Performance Issues

•  see larger client-server installations

•  Kerberos performance impact in a large-scale

Kerberos security is best assured by placing the

Kerberos server on a separate, isolated machine

•  motivation for multiple realms is administrative, not

performance related

environment:

•  very little if system is properly configured

•  tickets are reusable which reduces traffic

(11)

Certificate Authority (CA)

certificate consists of:

•  a public key plus a User ID of the key owner •  signed by a trusted third party

•  typically the third party is a CA that is trusted by the user community

(such as a government agency or a financial institution)

user can present his or her public key to the authority in

a secure manner and obtain a certificate

•  user can then publish the certificate

•  anyone needing this user’s public key can obtain the certificate and

(12)

X.509 Authentication Service

universally accepted standard for formatting

public-key certificates part of CCITT X.500

directory service standards

uses public-key crypto & digital signatures

•  widely used in network security applications, including IPsec, SSL, SET, and S/MIME

•  algorithms not

standardized, but RSA recommended

(13)

X.509 Certificates

Certificate Serial Number Version Issuer Name Signature algorithm identifier Subject Name Extensions Issuer Unique Identifier Subject Unique Identifier algorithm parameters not before algorithms parameters key algorithms parameters encrypted hash (a) X.509 Certificate not after Subject's public key info Signature Figure 23.3 X.509 Formats Period of validity V ersion 1 V ersion 2 V ersion 3 all versions Issuer Name This Update Date Next Update Date

! ! ! Signature algorithm identifier algorithm parameters

user certificate serial #

(b) Certificate Revocation List

revocation date algorithms parameters encrypted hash Signature Revoked certificate

user certificate serial # revocation date

Revoked certificate

(14)

Public

Key

Infrastructure

X.509

(PKIX)

End entity certificate/CRL retrieval certificate publication certificate/CRL publication CRL publication cross certification Certificate/CRL Repository Certificate authority Registration authority Certificate authority registration, initialization, certification, key pair recovery, key pair update revocation request PKI users PKI management entities CRL issuer

(15)

PKIX Management Functions

registration

initialization

certification

key pair

recovery

key pair

update

revocation

request

cross

(16)

Federated Identity Management

•  use of common identity management scheme

–  across multiple enterprises and numerous

applications

–  supporting many thousands, even millions of users

•  principal elements are:

–  authentication, authorization, accounting,

provisioning, workflow automation, delegated

administration, password synchronization,

self-service password reset, federation

(17)

Identity Management

Principal Principal Administrator Administrator Data consumer Identity control interface Principals provide attributes Principals authenticate, manage their identity elements Administrators provide attributes

Data consumers apply references to obtain attribute data

Data consumers obtain identifiers, attribute references

Identity Provider

Figure 23.5 Generic Identity Management Architecture

Attribute locator Principal authentication Identifier translation Data consumer Attribute service Attribute service Attribute service Principal

(18)

Standards Used

Extensible Markup Language (XML) characterizes text elements in a document on appearance, function, meaning, or context Simple Object Access Protocol (SOAP) for invoking code using XML over HTTP WS-Security set of SOAP extensions for implementing message integrity and confidentiality in Web services Security Assertion Markup Language (SAML) XML-based language for the exchange of security information between online business partners

(19)

Federated Identity Management

User store

(a) Federation based on account linking

(b) Chained Web Services

Figure 23.6 Federated Identity Scenarios

Workplace.com (employee portal) Name Joe Jane Ravi ID 1213 1410 1603 User store Name Joe Jane Ravi ID 1213 1410 1603 Links: health benefits etc. Health.com Workplace.com End user (employee) Initial

authentication User store

(b) Federation based on roles

W orkplace.com (employee portal) Name Joe Jane Ravi ID 1213 1410 1603 Dept Eng Purch Purch User store Role Engineer Purchaser Links: parts supplier etc. PartsSupplier.com Welcome Joe! Technical doc. Troubleshooting End user (employee) Initial authentication Procurement application End user Soap message Initial message authentication Soap message PinSupplies.com Purchasing Web service E-ship.com Shipping Web service

(20)

Summary

•  Kerberos

•  Kerberos protocol

•  Kerberos realms

•  Kerberos versions 4

and 5

•  Kerberos

performance issues

•  X.509

•  public-key

infrastructure

•  PKIX management

functions

•  PKIX management

protocols

•  federated identity

management

References

Download now ( PDF - 20 Page - 4.40 MB )

Related documents

City Manager means the Chief Administrative Officer of the City of St. Albert, as defined by the Alberta Municipal Government Act.

A capital contribution to reserves that is produced in each of the four utilities (water, wastewater, storm water and solid waste utility business units) may be supplemented

Taylor Rule and the Macroeconomic Performance in Pakistan

term interest rate (monetary policy instrument) in response to deviation of output from trend or potential level and that of inflation from the target with equal weight given to

Regulation of Marine Contamination under Environmental Uncertainty: Shellfish Contamination in California

The premium in pollution control costs imposed by an increase in the required margin of safety increases as aversion to uncertainty grows and as the risk standard becomes

System Storage DS3400 Storage Subsystem. Installation, User s, and Maintenance Guide

To determine the firmware levels of the DS3400 storage subsystem, the connected storage expansion enclosures, and the installed hard disk drives, use the DS3000 Storage Manager

White paper Fujitsu End-User Analytics

End users, wherever they’re working, will be able to access the applications and data they need, from a wider range of devices?. Who will lead this transformation in

Teaching Strategy with TOPSIM-Going Global Prof. Dr. Ralf Dillerup Hochschule Heilbronn

realized strategies.. strategic situation Ressourcenorientierte Strategien Marktorientierte Strategien strategic options industry analysis market analysis competitor

Conceptual Knowledge Processing with Formal Concept Analysis and Ontologies

In the second part of this section, we show a new, orthogonal approach: By summarizing ‘similar’ objects prior to the lattice computation with a standard clustering algorithm

Integrated structural and construction engineering – A study of project team performance in Swedish bridge design

Keywords: integration in construction, integrated design, collaboration in construction, inter-disciplinary, interprofessional dialogue, integrated project teams, structural