AUTHENTICATION APPLICATION
- August Parker
- 5 years ago
WHAT IS KERBEROS?

Kerberos is a network authentication protocol. It is designed to provide strong authentication for client/server applications by using secret-key cryptography.

Some sites attempt to use firewalls to solve their network security problems. Unfortunately, firewalls assume that "the bad guys" are on the outside, which is often a very bad assumption. Most of the really damaging incidents of computer crime are carried out by insiders. Firewalls also have a significant disadvantage in that they restrict how your users can use the Internet.

KERBEROS

Kerberos was created by MIT as a solution to these network security problems. The Kerberos protocol uses strong cryptography so that a client can prove its identity to a server (and vice versa) across an insecure network connection. After a client and server have used Kerberos to prove their identity, they can also encrypt all of their communications to assure privacy and data integrity as they go about their business.

In summary, Kerberos is a solution to your network security problems. It provides the tools of authentication and strong cryptography over the network to help you secure your information systems across your entire enterprise.

KERBEROS REQUIREMENTS

- Secure: A network eavesdropper should not be able to obtain the necessary information to impersonate a user.
- Reliable: It must be highly reliable on access control and employ a distributed server architecture, with one system able to back up another.
- Transparent: The user should not be aware that authentication is taking place, beyond the requirement to enter a password.
- Scalable: The system should be capable of supporting large numbers of clients and servers.

KERBEROS V4

It makes use of DES. The protocol is explained through a number of hypothetical dialogues:
o A simple authentication dialogue.
o A more secure authentication dialogue.
A SIMPLE AUTHENTICATION DIALOGUE

The user logs on to a workstation C and requests access to server V. C requests the user's password and then sends a message to the authentication server AS.
o The message includes the user's ID, the server's ID and the user's password.
The AS checks its database
o to see if the user has supplied the proper password for this user ID,
o and whether this user is permitted access to server V.
If both tests are passed,
o the AS accepts the user as authentic,
o and must convince the server that this user is authentic.
To do so,
o the AS creates a ticket that contains the user's ID, the network address of C and the server's ID,
o and encrypts the ticket using the secret key shared by the AS and server V.
o The AS sends the encrypted ticket to C (because the ticket is encrypted, it cannot be altered by C or by an opponent). With this ticket C can now apply to V for service.

(1) C -> AS: ID_C || P_C || ID_V
(2) AS -> C: Ticket
(3) C -> V: ID_C || Ticket
    Ticket = E_KV[ID_C || AD_C || ID_V]

DRAWBACKS
- The user needs a new ticket for every different service.
- The plaintext password could easily be captured by an eavesdropper.

A MORE SECURE AUTHENTICATION DIALOGUE

To solve these additional problems, a new server called the ticket-granting server (TGS) is introduced, and the plaintext password is no longer sent over the network.

Once per user logon session:
(1) C -> AS: ID_C || ID_tgs
(2) AS -> C: E_KC[Ticket_tgs]
Once per type of service:
(3) C -> TGS: ID_C || ID_V || Ticket_tgs
(4) TGS -> C: Ticket_V

Once per service session:
(5) C -> V: ID_C || Ticket_V

    Ticket_tgs = E_Ktgs[ID_C || AD_C || ID_tgs || TS_1 || Lifetime_1]
    Ticket_V = E_KV[ID_C || AD_C || ID_V || TS_2 || Lifetime_2]

THE VERSION 4 AUTHENTICATION DIALOGUE

See Table 11.1 and Figure 11.1.

WHAT IS A TICKET?

Your Kerberos credentials, or "tickets", are a set of electronic information that can be used to verify your identity. Your Kerberos tickets may be stored in a file, or they may exist only in memory.

The first ticket you obtain is a ticket-granting ticket, which permits you to obtain additional tickets. These additional tickets give you permission for specific services. The requesting and granting of these additional tickets happens transparently.

A good analogy for the ticket-granting ticket is a three-day ski pass that is good at four different resorts. You show the pass at whichever resort you decide to go to (until it expires), and you receive a lift ticket for that resort. Once you have the lift ticket, you can ski all you want at that resort. If you go to another resort the next day, you once again show your pass, and you get an additional lift ticket for the new resort. The difference is that the Kerberos V5 programs notice that you have the weekend ski pass, and get the lift ticket for you, so you don't have to perform the transactions yourself.

WHAT IS A KERBEROS PRINCIPAL?

A Kerberos principal is a unique identity to which Kerberos can assign tickets. By convention, a principal is divided into three parts: the primary, the instance, and the realm. The format of a typical Kerberos V5 principal is primary/instance@realm.

The primary is the first part of the principal. In the case of a user, it's the same as your username. For a host, the primary is the word host.
The instance is an optional string that qualifies the primary. The instance is separated from the primary by a slash (/). In the case of a user, the instance is usually null, but a user might also have an additional principal, with an instance called `admin', which he/she uses to administrate a database. The principal jennifer@athena.mit.edu is completely separate from the principal jennifer/admin@athena.mit.edu, with a separate password, and separate permissions. In the case of a host, the instance is the fully qualified hostname, e.g., daffodil.mit.edu.

The realm is your Kerberos realm. In most cases, your Kerberos realm is your domain name, in upper-case letters. For example, the machine daffodil.mit.edu would be in the realm ATHENA.MIT.EDU. (See figure 11.2)

TICKET MANAGEMENT

On many systems, Kerberos is built into the login program, and you get tickets automatically when you log in. Other programs, such as rsh, rcp, telnet, and rlogin, can forward copies of your tickets to the remote host. Most of these programs also automatically destroy your tickets when they exit. However, MIT recommends that you explicitly destroy your Kerberos tickets when you are through with them, just to be sure. One way to help ensure that this happens is to add the kdestroy command to your .logout file. Additionally, if you are going to be away from your machine and are concerned about an intruder using your permissions, it is safest to either destroy all copies of your tickets, or use a screensaver that locks the screen.

OBTAINING TICKETS WITH kinit

If your site is using the Kerberos V5 login program, you will get Kerberos tickets automatically when you log in. If your site uses a different login program, you may need to explicitly obtain your Kerberos tickets, using the kinit program. Similarly, if your Kerberos tickets expire, use the kinit program to obtain new ones. To use the kinit program, simply type kinit and then type your password at the prompt.
For example, Jennifer (whose username is jennifer) works for Bleep, Inc. (a fictitious company with the domain name mit.edu and the Kerberos realm ATHENA.MIT.EDU). She would type:

    kinit
    Password for jennifer@athena.mit.edu:  <-- [Type jennifer's password here.]
If you type your password incorrectly, kinit will give you the following error message:

    kinit
    Password for jennifer@athena.mit.edu:  <-- [Type the wrong password here.]
    kinit: Password incorrect

and you won't get Kerberos tickets.

Notice that kinit assumes you want tickets for your own username in your default realm. Suppose Jennifer's friend David is visiting, and he wants to borrow a window to check his mail. David needs to get tickets for himself in his own realm, FUBAR.ORG. He would type:

    kinit david@fubar.org
    Password for david@fubar.org:  <-- [Type david's password here.]

David would then have tickets which he could use to log onto his own machine. Note that he typed his password locally on Jennifer's machine, but it never went over the network. Kerberos on the local host performed the authentication to the KDC (Key Distribution Center) in the other realm.

If you want to be able to forward your tickets to another host, you need to request forwardable tickets. You do this by specifying the -f option:

    kinit -f
    Password for jennifer@athena.mit.edu:  <-- [Type your password here.]

Note that kinit does not tell you that it obtained forwardable tickets; you can verify this using the klist command.

Normally, your tickets are good for your system's default ticket lifetime, which is ten hours on many systems. You can specify a different ticket lifetime with the `-l' option. Add the letter `s' to the value for seconds, `m' for minutes, `h' for hours, or `d' for days. For example, to obtain forwardable tickets for david@fubar.org that would be good for three hours, you would type:

    kinit -f -l 3h david@fubar.org
    Password for david@fubar.org:  <-- [Type david's password here.]

You cannot mix units; specifying a lifetime of `3h30m' would result in an error. Note also that most systems specify a maximum ticket lifetime. If you request a longer ticket lifetime, it will be automatically truncated to the maximum lifetime.

VIEWING YOUR TICKETS
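The principal naming rules above (primary/instance@realm, with the realm defaulting to your own) and the kinit options just described (-f, -l with a single unit, truncation to the site maximum) are small enough to pin down in code. The following Python is an added example written for this page, not part of the original text or of MIT Kerberos; the default user, default realm and the 24-hour maximum lifetime are assumptions standing in for what a real krb5 configuration would supply.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Stand-ins for what the local Kerberos configuration would supply (assumptions).
DEFAULT_USER = "jennifer"
DEFAULT_REALM = "athena.mit.edu"
DEFAULT_LIFETIME_SECONDS = 10 * 3600   # the ten-hour default lifetime the text mentions
MAX_LIFETIME_SECONDS = 24 * 3600       # assumed site maximum; longer requests are truncated


@dataclass(frozen=True)
class Principal:
    primary: str
    instance: Optional[str]
    realm: str

    def __str__(self):
        name = self.primary if self.instance is None else f"{self.primary}/{self.instance}"
        return f"{name}@{self.realm}"


def parse_principal(text, default_realm=DEFAULT_REALM):
    """Parse 'primary[/instance][@realm]'; a missing realm means the default realm,
    which is what plain 'kinit' assumes for your own username."""
    if text.count("@") > 1 or text.count("/") > 1:
        raise ValueError(f"malformed principal: {text!r}")
    name, _, realm = text.partition("@")
    primary, _, instance = name.partition("/")
    if not primary or ("/" in name and not instance) or ("@" in text and not realm):
        raise ValueError(f"malformed principal: {text!r}")
    # jennifer@... and jennifer/admin@... are distinct principals (different instance)
    return Principal(primary, instance or None, realm or default_realm)


def host_principal(fqdn, realm):
    """host/<fully qualified hostname>@REALM, the convention for a machine's principal."""
    return Principal("host", fqdn.lower(), realm)


_LIFETIME = re.compile(r"^(\d+)([smhd])$")
_UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_lifetime(spec, max_seconds=MAX_LIFETIME_SECONDS):
    """A kinit -l value is one integer with one unit ('3h30m' is an error); requests
    longer than the site maximum are truncated to it, as the text describes."""
    m = _LIFETIME.match(spec)
    if not m:
        raise ValueError(f"bad lifetime {spec!r}: use a single unit, e.g. 3h")
    return min(int(m.group(1)) * _UNIT_SECONDS[m.group(2)], max_seconds)


def parse_kinit_args(argv, default_user=DEFAULT_USER, default_realm=DEFAULT_REALM):
    """Interpret the kinit command lines shown in the text: [-f] [-l lifetime] [principal]."""
    opts = {"forwardable": False, "lifetime": DEFAULT_LIFETIME_SECONDS, "principal": None}
    args = list(argv)
    while args:
        arg = args.pop(0)
        if arg == "-f":
            opts["forwardable"] = True
        elif arg == "-l":
            if not args:
                raise ValueError("-l requires a lifetime value")
            opts["lifetime"] = parse_lifetime(args.pop(0))
        elif arg.startswith("-"):
            raise ValueError(f"unknown option {arg!r}")
        elif opts["principal"] is None:
            opts["principal"] = parse_principal(arg, default_realm)
        else:
            raise ValueError("only one principal may be given")
    if opts["principal"] is None:   # plain 'kinit': your own username in your default realm
        opts["principal"] = Principal(default_user, None, default_realm)
    return opts
```

`parse_kinit_args(["-f", "-l", "3h", "david@fubar.org"])` yields a forwardable request for 10800 seconds on behalf of david@fubar.org, while `parse_kinit_args([])` falls back to the default user and realm, matching the behaviour the text describes for a bare kinit.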
The klist command shows your tickets. When you first obtain tickets, you will have only the ticket-granting ticket. The listing would look like this:

    klist
    Ticket cache: /tmp/krb5cc_ttypa
    Default principal: jennifer@athena.mit.edu

    Valid starting     Expires            Service principal
    06/07/96 19:49:21  06/08/96 05:49:19  krbtgt/athena.mit.edu@athena.mit.edu

The ticket cache is the location of your ticket file. In the above example, this file is named /tmp/krb5cc_ttypa. The default principal is your Kerberos principal. The "valid starting" and "expires" fields describe the period of time during which the ticket is valid. The service principal describes each ticket. The ticket-granting ticket has the primary krbtgt, and the instance is the realm name.

Now, if jennifer connected to the machine daffodil.mit.edu, and then typed klist again, she would get the following result:

    klist
    Ticket cache: /tmp/krb5cc_ttypa
    Default principal: jennifer@athena.mit.edu

    Valid starting     Expires            Service principal
    06/07/96 19:49:21  06/08/96 05:49:19  krbtgt/athena.mit.edu@athena.mit.edu
    06/07/96 20:22:30  06/08/96 05:49:19  host/daffodil.mit.edu@athena.mit.edu

Here's what happened: when jennifer used telnet to connect to the host daffodil.mit.edu, the telnet program presented her ticket-granting ticket to the KDC and requested a host ticket for the host daffodil.mit.edu. The KDC sent the host ticket, which telnet then presented to the host daffodil.mit.edu, and she was allowed to log in without typing her password.

Suppose your Kerberos tickets allow you to log into a host in another domain, such as trillium.fubar.org, which is also in another Kerberos realm, FUBAR.ORG. If you telnet to this host, you will receive a ticket-granting ticket for the realm FUBAR.ORG, plus the new host ticket for trillium.fubar.org. klist will now show:

    klist
    Ticket cache: /tmp/krb5cc_ttypa
    Default principal: jennifer@athena.mit.edu

    Valid starting     Expires            Service principal
    06/07/96 19:49:21  06/08/96 05:49:19  krbtgt/athena.mit.edu@athena.mit.edu
    06/07/96 20:22:30  06/08/96 05:49:19  host/daffodil.mit.edu@athena.mit.edu
    06/07/96 20:24:18  06/08/96 05:49:19  krbtgt/fubar.org@athena.mit.edu
    06/07/96 20:24:18  06/08/96 05:49:19  host/trillium.fubar.org@athena.mit.edu
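A practitioner reading a klist cache usually wants three things from it: which entries are ticket-granting tickets (primary krbtgt, instance equal to the realm), which are cross-realm TGTs (krbtgt with a foreign instance, like krbtgt/fubar.org@athena.mit.edu above), and how long each ticket has left before a fresh kinit is needed. The Python below is an added example for this page, not code from MIT Kerberos; the klist text it parses is constructed from the listing shown above, and the two-digit-year date format is the one that listing uses.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed klist output, modelled on the listing in the text (not captured from a real cache).
KLIST_OUTPUT = """\
Ticket cache: /tmp/krb5cc_ttypa
Default principal: jennifer@athena.mit.edu

Valid starting     Expires            Service principal
06/07/96 19:49:21  06/08/96 05:49:19  krbtgt/athena.mit.edu@athena.mit.edu
06/07/96 20:22:30  06/08/96 05:49:19  host/daffodil.mit.edu@athena.mit.edu
06/07/96 20:24:18  06/08/96 05:49:19  krbtgt/fubar.org@athena.mit.edu
06/07/96 20:24:18  06/08/96 05:49:19  host/trillium.fubar.org@athena.mit.edu
"""

TIME_FORMAT = "%m/%d/%y %H:%M:%S"
_STAMP = r"(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)"
_TICKET_LINE = re.compile(rf"^{_STAMP}\s+{_STAMP}\s+(\S+)$")


@dataclass(frozen=True)
class Ticket:
    valid_from: datetime
    expires: datetime
    service: str          # service principal, primary/instance@realm


def parse_klist(text):
    """Parse the cache path, default principal and the ticket lines of klist output."""
    result = {"cache": None, "principal": None, "tickets": []}
    for line in text.splitlines():
        if line.startswith("Ticket cache:"):
            result["cache"] = line.split(":", 1)[1].strip()
        elif line.startswith("Default principal:"):
            result["principal"] = line.split(":", 1)[1].strip()
        else:
            m = _TICKET_LINE.match(line.strip())   # the column header never matches
            if m:
                result["tickets"].append(Ticket(datetime.strptime(m.group(1), TIME_FORMAT),
                                                datetime.strptime(m.group(2), TIME_FORMAT),
                                                m.group(3)))
    return result


def classify(service):
    """Tell a TGT (krbtgt/REALM@REALM) from a cross-realm TGT and an ordinary service ticket."""
    name, _, realm = service.partition("@")
    primary, _, instance = name.partition("/")
    if primary != "krbtgt":
        return "service"
    return "tgt" if instance.lower() == realm.lower() else "cross-realm tgt"


def seconds_remaining(ticket, now_text):
    """Seconds until the ticket expires at the given time (klist's own format); 0 once expired."""
    now = datetime.strptime(now_text, TIME_FORMAT)
    return max(0, int((ticket.expires - now).total_seconds()))


def ticket_lifetime(ticket):
    """Issued lifetime in seconds; the TGT above was issued for just under ten hours."""
    return int((ticket.expires - ticket.valid_from).total_seconds())


def expired_tickets(listing, now_text):
    """Service principals no longer usable; an expired TGT here means kinit is needed again."""
    return [t.service for t in listing["tickets"] if seconds_remaining(t, now_text) == 0]
```

Note that every service ticket in the listing expires together with the TGT it was obtained from, which is why `ticket_lifetime` on the host tickets is shorter than on the TGT: the TGS never issues a ticket that outlives the ticket-granting ticket presented to it.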
Figure 11.1 Overview of Kerberos

[Diagram: the user's workstation exchanges messages with the Kerberos Authentication Server (AS), the Ticket-granting Server (TGS) and the application server. The arrows are labelled "request ticket-granting ticket" / "ticket + session key" (workstation to AS and back), "request service-granting ticket" / "ticket + session key" (workstation to TGS and back), and "request service" / "provide server authenticator" (workstation to server and back).]

Once per user logon session:
1. User logs on to workstation and requests service on host.
2. AS verifies user's access right in database, creates ticket-granting ticket and session key. Results are encrypted using key derived from user's password.

Once per type of service:
3. Workstation prompts user for password and uses password to decrypt incoming message, then sends ticket and authenticator that contains user's name, network address, and time to TGS.
4. TGS decrypts ticket and authenticator, verifies request, then creates ticket for requested server.

Once per service session:
5. Workstation sends ticket and authenticator to server.
6. Server verifies that ticket and authenticator match, then grants access to service. If mutual authentication is required, server returns an authenticator.
Figure 11.2 Request for Service in Another Realm

[Diagram: a client in Realm A, the Kerberos AS and TGS of Realm A, and the Kerberos AS and TGS plus the application server of Realm B. The numbered arrows are:]
1. Request ticket for local TGS (client to AS, Realm A)
2. Ticket for local TGS (AS to client)
3. Request ticket for remote TGS (client to TGS, Realm A)
4. Ticket for remote TGS (TGS, Realm A, to client)
5. Request ticket for remote server (client to TGS, Realm B)
6. Ticket for remote server (TGS, Realm B, to client)
7. Request remote service (client to server, Realm B)
Table 11.1 Summary of Kerberos Version 4 Message Exchanges

(a) Authentication Service Exchange: to obtain ticket-granting ticket
(1) C -> AS: ID_c || ID_tgs || TS_1
(2) AS -> C: E_Kc[K_c,tgs || ID_tgs || TS_2 || Lifetime_2 || Ticket_tgs]
    Ticket_tgs = E_Ktgs[K_c,tgs || ID_c || AD_c || ID_tgs || TS_2 || Lifetime_2]

(b) Ticket-Granting Service Exchange: to obtain service-granting ticket
(3) C -> TGS: ID_v || Ticket_tgs || Authenticator_c
(4) TGS -> C: E_Kc,tgs[K_c,v || ID_v || TS_4 || Ticket_v]
    Ticket_tgs = E_Ktgs[K_c,tgs || ID_c || AD_c || ID_tgs || TS_2 || Lifetime_2]
    Ticket_v = E_Kv[K_c,v || ID_c || AD_c || ID_v || TS_4 || Lifetime_4]
    Authenticator_c = E_Kc,tgs[ID_c || AD_c || TS_3]

(c) Client/Server Authentication Exchange: to obtain service
(5) C -> V: Ticket_v || Authenticator_c
(6) V -> C: E_Kc,v[TS_5 + 1]  (for mutual authentication)
    Ticket_v = E_Kv[K_c,v || ID_c || AD_c || ID_v || TS_4 || Lifetime_4]
    Authenticator_c = E_Kc,v[ID_c || AD_c || TS_5]
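The three exchanges in Table 11.1 (and the simpler dialogues that lead up to it) are easiest to understand when the checks each party performs are written out: the AS never sees the password, the TGS opens Ticket_tgs with K_tgs and the authenticator with the session key found inside it, and both the TGS and the server reject a ticket that is expired, presented from another address, or paired with a stale authenticator. The Python below is an added example written for this page; it is not Kerberos code from MIT or from the textbook. DES is replaced by a toy authenticated cipher built from HMAC-SHA256 (assumption, so that a wrong key is detected rather than producing garbage), the clock-skew window and ticket lifetime are assumed site settings, and IDs, addresses and timestamps are constructed sample values. Messages (1) to (6) are numbered as in the table.

```python
import hashlib, hmac, json, os, time

# Toy cipher standing in for DES (assumption): HMAC-SHA256 keystream plus an HMAC tag, so a
# wrong key or a modified ticket is detected instead of decrypting to garbage.
def _keystream(key, nonce, n):
    out, i = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        i += 1
    return out[:n]

def E(key, fields):
    """E_K[...]: encrypt a dict of fields; keys and tickets inside it travel as hex strings."""
    plain, nonce = json.dumps(fields, sort_keys=True).encode(), os.urandom(16)
    body = bytes(a ^ b for a, b in zip(plain, _keystream(key, nonce, len(plain))))
    return (nonce + body + hmac.new(key, nonce + body, hashlib.sha256).digest()).hex()

def D(key, blob_hex):
    blob = bytes.fromhex(blob_hex)
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, hashlib.sha256).digest()):
        raise ValueError("cannot decrypt: wrong key (e.g. bad password) or tampered data")
    return json.loads(bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body)))))

def password_key(password):
    """K_c: derived from the user's password on both the client and the AS (simplified)."""
    return hashlib.sha256(b"v4-string-to-key:" + password.encode()).digest()

SKEW = 300            # tolerated clock difference in seconds (assumed site setting)
LIFETIME = 8 * 3600   # Lifetime_2 / Lifetime_4 the KDC puts into tickets (assumed)

def _verify(ticket, auth, src_addr, now, expected_server):
    """Checks shared by the TGS (message 3) and the application server (message 5)."""
    if ticket["ID_sv"] != expected_server:
        raise ValueError("ticket was issued for a different server")
    if now > ticket["TS"] + ticket["Lifetime"]:
        raise ValueError("ticket expired")
    if auth["ID_c"] != ticket["ID_c"]:
        raise ValueError("authenticator ID does not match ticket")
    if auth["AD_c"] != ticket["AD_c"] or src_addr != ticket["AD_c"]:
        raise ValueError("ticket presented from a workstation other than the one it was issued to")
    if abs(now - auth["TS"]) > SKEW:
        raise ValueError("stale authenticator: possible replay")

class KDC:
    """The AS and TGS of one realm; holds K_c for every user and K_v for every server."""
    def __init__(self):
        self.users, self.servers = {}, {"tgs": os.urandom(32)}   # the "tgs" entry is K_tgs
    def register_user(self, id_c, password):
        self.users[id_c] = password_key(password)
    def register_server(self, id_v):
        self.servers[id_v] = os.urandom(32)
        return self.servers[id_v]            # K_v, installed on the server out of band
    def as_exchange(self, id_c, id_tgs, ts1, ad_c, now):          # messages (1) -> (2)
        if id_c not in self.users or abs(now - ts1) > SKEW:
            raise ValueError("AS rejects request")
        k_c_tgs = os.urandom(32).hex()
        ticket_tgs = E(self.servers[id_tgs], {"K": k_c_tgs, "ID_c": id_c, "AD_c": ad_c,
                                              "ID_sv": id_tgs, "TS": now, "Lifetime": LIFETIME})
        return E(self.users[id_c], {"K": k_c_tgs, "ID_tgs": id_tgs, "TS2": now,
                                    "Lifetime2": LIFETIME, "Ticket_tgs": ticket_tgs})
    def tgs_exchange(self, id_v, ticket_tgs, authenticator, src_addr, now):   # (3) -> (4)
        if id_v not in self.servers:
            raise ValueError("unknown server")
        ticket = D(self.servers["tgs"], ticket_tgs)               # only K_tgs opens it
        k_c_tgs = bytes.fromhex(ticket["K"])
        _verify(ticket, D(k_c_tgs, authenticator), src_addr, now, "tgs")
        k_c_v = os.urandom(32).hex()
        ticket_v = E(self.servers[id_v], {"K": k_c_v, "ID_c": ticket["ID_c"], "AD_c": ticket["AD_c"],
                                          "ID_sv": id_v, "TS": now, "Lifetime": LIFETIME})
        return E(k_c_tgs, {"K": k_c_v, "ID_v": id_v, "TS4": now, "Ticket_v": ticket_v})

class Server:
    def __init__(self, id_v, k_v):
        self.id_v, self.k_v = id_v, k_v
    def accept(self, ticket_v, authenticator, src_addr, now):       # (5) -> (6)
        ticket = D(self.k_v, ticket_v)
        k_c_v = bytes.fromhex(ticket["K"])
        auth = D(k_c_v, authenticator)
        _verify(ticket, auth, src_addr, now, self.id_v)
        return E(k_c_v, {"TS": auth["TS"] + 1})   # mutual authentication: proves V knows K_c,v

def client_session(kdc, server, id_c, password, ad_c, now=None):
    """The whole V4 dialogue from the client side; the password never leaves the workstation."""
    now = now if now is not None else int(time.time())
    m2 = D(password_key(password), kdc.as_exchange(id_c, "tgs", now, ad_c, now))  # bad password fails here
    k_c_tgs = bytes.fromhex(m2["K"])
    auth_tgs = E(k_c_tgs, {"ID_c": id_c, "AD_c": ad_c, "TS": now})
    m4 = D(k_c_tgs, kdc.tgs_exchange(server.id_v, m2["Ticket_tgs"], auth_tgs, ad_c, now))
    k_c_v = bytes.fromhex(m4["K"])
    auth_v = E(k_c_v, {"ID_c": id_c, "AD_c": ad_c, "TS": now})
    m6 = D(k_c_v, server.accept(m4["Ticket_v"], auth_v, ad_c, now))
    return m6["TS"] == now + 1          # True only if V decrypted the authenticator with K_c,v
```

Two points worth noticing when running it: a wrong password is discovered by the client when it fails to decrypt message (2), not by the AS, exactly as Table 11.2 says for E_Kc; and a copied Ticket_tgs is useless from another workstation or outside the skew window, which is what AD_c and the short-lived authenticator buy.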
Table 11.2 Rationale for the Elements of the Kerberos Version 4 Protocol

(a) Authentication Service Exchange

Message (1): Client requests ticket-granting ticket
    ID_c:        Tells AS identity of user from this client
    ID_tgs:      Tells AS that user requests access to TGS
    TS_1:        Allows AS to verify that client's clock is synchronized with that of AS

Message (2): AS returns ticket-granting ticket
    E_Kc:        Encryption is based on user's password, enabling AS and client to verify password, and protecting contents of message (2)
    K_c,tgs:     Copy of session key accessible to client; created by AS to permit secure exchange between client and TGS without requiring them to share a permanent key
    ID_tgs:      Confirms that this ticket is for the TGS
    TS_2:        Informs client of time this ticket was issued
    Lifetime_2:  Informs client of the lifetime of this ticket
    Ticket_tgs:  Ticket to be used by client to access TGS

(b) Ticket-Granting Service Exchange

Message (3): Client requests service-granting ticket
    ID_V:            Tells TGS that user requests access to server V
    Ticket_tgs:      Assures TGS that this user has been authenticated by AS
    Authenticator_c: Generated by client to validate ticket

Message (4): TGS returns service-granting ticket
    E_Kc,tgs:    Key shared only by C and TGS; protects contents of message (4)
    K_c,v:       Copy of session key accessible to client; created by TGS to permit secure exchange between client and server without requiring them to share a permanent key
    ID_V:        Confirms that this ticket is for server V
    TS_4:        Informs client of time this ticket was issued
    Ticket_V:    Ticket to be used by client to access server V

Ticket_tgs: Reusable so that user does not have to reenter password
    E_Ktgs:      Ticket is encrypted with key known only to AS and TGS, to prevent tampering
    K_c,tgs:     Copy of session key accessible to TGS; used to decrypt authenticator, thereby authenticating ticket
    ID_c:        Indicates the rightful owner of this ticket
    AD_c:        Prevents use of ticket from workstation other than one that initially requested the ticket
    ID_tgs:      Assures server that it has decrypted ticket properly
    TS_2:        Informs TGS of time this ticket was issued
    Lifetime_2:  Prevents replay after ticket has expired

Authenticator_c: Assures TGS that the ticket presenter is the same as the client for whom the ticket was issued; has very short lifetime to prevent replay
    E_Kc,tgs:    Authenticator is encrypted with key known only to client and TGS, to prevent tampering
    ID_c:        Must match ID in ticket to authenticate ticket
    AD_c:        Must match address in ticket to authenticate ticket
    TS_3:        Informs TGS of time this authenticator was generated

(c) Client/Server Authentication Exchange

Message (5): Client requests service
    Ticket_V:        Assures server that this user has been authenticated by AS
    Authenticator_c: Generated by client to validate ticket

Message (6): Optional authentication of server to client
    E_Kc,v:      Assures C that this message is from V
    TS_5 + 1:    Assures C that this is not a replay of an old reply

Ticket_v: Reusable so that client does not need to request a new ticket from TGS for each access to the same server
    E_Kv:        Ticket is encrypted with key known only to TGS and server, to prevent tampering
    K_c,v:       Copy of session key accessible to server; used to decrypt authenticator, thereby authenticating ticket
    ID_c:        Indicates the rightful owner of this ticket
    AD_c:        Prevents use of ticket from workstation other than one that initially requested the ticket
    ID_v:        Assures server that it has decrypted ticket properly
    TS_4:        Informs server of time this ticket was issued
    Lifetime_4:  Prevents replay after ticket has expired

Authenticator_c: Assures server that the ticket presenter is the same as the client for whom the ticket was issued; has very short lifetime to prevent replay
    E_Kc,v:      Authenticator is encrypted with key known only to client and server, to prevent tampering
    ID_c:        Must match ID in ticket to authenticate ticket
    AD_c:        Must match address in ticket to authenticate ticket
    TS_5:        Informs server of time this authenticator was generated
Table 11.3 Summary of Kerberos Version 5 Message Exchanges

(a) Authentication Service Exchange: to obtain ticket-granting ticket
(1) C -> AS: Options || ID_c || Realm_c || ID_tgs || Times || Nonce_1
(2) AS -> C: Realm_c || ID_c || Ticket_tgs || E_Kc[K_c,tgs || Times || Nonce_1 || Realm_tgs || ID_tgs]
    Ticket_tgs = E_Ktgs[Flags || K_c,tgs || Realm_c || ID_c || AD_c || Times]

(b) Ticket-Granting Service Exchange: to obtain service-granting ticket
(3) C -> TGS: Options || ID_v || Times || Nonce_2 || Ticket_tgs || Authenticator_c
(4) TGS -> C: Realm_c || ID_c || Ticket_v || E_Kc,tgs[K_c,v || Times || Nonce_2 || Realm_v || ID_v]
    Ticket_tgs = E_Ktgs[Flags || K_c,tgs || Realm_c || ID_c || AD_c || Times]
    Ticket_v = E_Kv[Flags || K_c,v || Realm_c || ID_c || AD_c || Times]
    Authenticator_c = E_Kc,tgs[ID_c || Realm_c || TS_1]

(c) Client/Server Authentication Exchange: to obtain service
(5) C -> V: Options || Ticket_v || Authenticator_c
(6) V -> C: E_Kc,v[TS_2 || Subkey || Seq#]
    Ticket_v = E_Kv[Flags || K_c,v || Realm_c || ID_c || AD_c || Times]
    Authenticator_c = E_Kc,v[ID_c || Realm_c || TS_2 || Subkey || Seq#]
More informationISSN: EverScience Publications 149
An Eager Strategy for TGT Generation at Client Side for Kerberos Protocol Deepika Yadav M.Tech Scholar, B.S.Anangpuria Institute of Technology &Management, Faridabad. Dr. A.K.Sharma Dean & Prof., Department
More informationCryptographic Checksums
Cryptographic Checksums Mathematical function to generate a set of k bits from a set of n bits (where k n). k is smaller then n except in unusual circumstances Example: ASCII parity bit ASCII has 7 bits;
More informationKerberos and Active Directory symmetric cryptography in practice COSC412
Kerberos and Active Directory symmetric cryptography in practice COSC412 Learning objectives Understand the function of Kerberos Explain how symmetric cryptography supports the operation of Kerberos Summarise
More informationNetwork Security CHAPTER 31. Solutions to Review Questions and Exercises. Review Questions
CHAPTER 3 Network Security Solutions to Review Questions and Exercises Review Questions. A nonce is a large random number that is used only once to help distinguish a fresh authentication request from
More informationChapter 9: Key Management
Chapter 9: Key Management Session and Interchange Keys Key Exchange Cryptographic Key Infrastructure Storing and Revoking Keys Digital Signatures Slide #9-1 Overview Key exchange Session vs. interchange
More informationDr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010
CS 494/594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010 1 Security Handshake Pitfalls Login only Mutual
More informationUsing Two-Factor Authentication to Connect to a Kerberos-enabled Informatica Domain
Using Two-Factor Authentication to Connect to a Kerberos-enabled Informatica Domain Copyright Informatica LLC 2016, 2018. Informatica LLC. No part of this document may be reproduced or transmitted in any
More informationSecurity Handshake Pitfalls
Security Handshake Pitfalls Ahmet Burak Can Hacettepe University abc@hacettepe.edu.tr 1 Cryptographic Authentication Password authentication is subject to eavesdropping Alternative: Cryptographic challenge-response
More informationCIS 6930/4930 Computer and Network Security. Topic 6.2 Authentication Protocols
CIS 6930/4930 Computer and Network Security Topic 6.2 Authentication Protocols 1 Authentication Handshakes Secure communication almost always includes an initial authentication handshake. Authenticate
More informationActive Directory Attacks and Detection
Active Directory Attacks and Detection #Whoami Working as an Information Security Executive Blog : www.akijosberryblog.wordpress.com You can follow me on Twitter: @AkiJos This talk is Based on Tim Madin
More informationIssues. Separation of. Distributed system security. Security services. Security policies. Security mechanism
Module 9 - Security Issues Separation of Security policies Precise definition of which entities in the system can take what actions Security mechanism Means of enforcing that policy Distributed system
More informationComputer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018
Computer Security 08r. Pre-exam 2 Last-minute Review Cryptography Paul Krzyzanowski Rutgers University Spring 2018 March 26, 2018 CS 419 2018 Paul Krzyzanowski 1 Cryptographic Systems March 26, 2018 CS
More informationConfiguring Integrated Windows Authentication for IBM WebSphere with SAS 9.2 Web Applications
Configuring Integrated Windows Authentication for IBM WebSphere with SAS 9.2 Web Applications Copyright Notice The correct bibliographic citation for this manual is as follows: SAS Institute Inc., Configuring
More informationNovell Kerberos Login Method for NMASTM
Novell Kerberos Login Method for NMASTM 1.0 ADMINISTRATION GUIDE www.novell.com Legal Notices Novell, Inc. makes no representations or warranties with respect to the contents or use of this documentation,
More informationElements of Security
Elements of Security Dr. Bill Young Department of Computer Sciences University of Texas at Austin Last updated: April 8, 2015 at 12:47 Slideset 7: 1 Car Talk Puzzler You have a friend in a police state
More informationSession Key Distribution
Session Key Distribution The TA shares secret keys with network users. The TA chooses session keys and distributes them in encrypted form upon request of network users. We will need to define appropriate
More informationNetwork Security (NetSec)
Chair of Network Architectures and Services Department of Informatics Technical University of Munich Network Security (NetSec) IN2101 WS 17/18 Prof. Dr.-Ing. Georg Carle Dr. Heiko Niedermayer Cornelius
More informationAuthentication systems. Authentication methodologies. User authentication. Authentication systems (auth - april 2011)
Authentication systems Diana Berbecaru < diana.berbecaru @ polito.it > Politecnico di Torino Dip. Automatica e Informatica Authentication methodologies can be based on different factors ( 1/2/3-factors
More informationSecurity Handshake Pitfalls
Hello Challenge R f(k, R f(k, R Problems: 1. Authentication is not mutual only authenticates Anyone can send the challenge R. f(k, R Problems: 1. Authentication is not mutual only authenticates Anyone
More informationSEMINAR REPORT ON BAN LOGIC
SEMINAR REPORT ON BAN LOGIC Submitted by Name : Abhijeet Chatarjee Roll No.: 14IT60R11 SCHOOL OF INFORMATION TECHNOLOGY INDIAN INSTITUTE OF TECHNOLOGY, KHARAGPUR-721302 (INDIA) Abstract: Authentication
More informationNetwork Security: Kerberos. Tuomas Aura
Network Security: Kerberos Tuomas Aura Kerberos authentication Outline Kerberos in Windows domains 2 Kerberos authentication 3 Kerberos Shared-key protocol for user login authentication Uses passwords
More informationKerberos and Public-Key Infrastructure. Key Points. Trust model. Goal of Kerberos
Kerberos and Public-Key Infrastructure Key Points Kerberos is an authentication service designed for use in a distributed environment. Kerberos makes use of a thrusted third-part authentication service
More informationKerberos. Pehr Söderman Natsak08/DD2495 CSC KTH 2008
Kerberos Pehr Söderman Pehrs@kth.se Natsak08/DD2495 CSC KTH 2008 Project Athena Started 1983 at MIT 10 000 workstations 1000 servers Unified enviroment Any user, any workstation, any server, anywhere...
More informationMarch 26, Abstract
Public-key Cryptography Extensions into Kerberos Ian Downard University of Missouri Rolla Department of Electrical and Computer Engineering 1870 Miner Circle Rolla, MO 65409 Phone: 573-341-8422 Fax: 573-341-4532
More informationHow to Connect to a Microsoft SQL Server Database that Uses Kerberos Authentication in Informatica 9.6.x
How to Connect to a Microsoft SQL Server Database that Uses Kerberos Authentication in Informatica 9.6.x Copyright Informatica LLC 2015, 2017. Informatica Corporation. No part of this document may be reproduced
More informationKerberos Introduction. Jim Binkley-
Kerberos Introduction Jim Binkley- jrb@cs.pdx.edu 1 outline intro to Kerberos (bark, bark) protocols Needham Schroeder K4 K5 miscellaneous issues conclusion 2 Kerberos history Kerberos came from MIT part
More informationHow to Configure Authentication and Access Control (AAA)
How to Configure Authentication and Access Control (AAA) Overview The Barracuda Web Application Firewall provides features to implement user authentication and access control. You can create a virtual
More informationCryptography & Key Exchange Protocols. Faculty of Computer Science & Engineering HCMC University of Technology
Cryptography & Key Exchange Protocols Faculty of Computer Science & Engineering HCMC University of Technology Outline 1 Cryptography-related concepts 2 3 4 5 6 7 Key channel for symmetric cryptosystems
More informationSCIENCE & TECHNOLOGY
Pertanika J. Sci. & Technol. 25 (4): 1317-1330 (2017) SCIENCE & TECHNOLOGY Journal homepage: http://www.pertanika.upm.edu.my/ A Lightweight Authentication Protocol based on ECC for Satellite Communication
More informationCS3235 Seventh set of lecture slides
CS3235 Seventh set of lecture slides Hugh Anderson National University of Singapore School of Computing October, 2007 Hugh Anderson CS3235 Seventh set of lecture slides 1 Warp 9... Outline 1 Public Key
More informationNetwork Security. Chapter 7 Cryptographic Protocols
Network Security Chapter 7 Cryptographic Protocols 1 Introduction! Definition: A cryptographic protocol is defined as a series of steps and message exchanges between multiple entities in order to achieve
More informationFrom Coulouris, Dollimore and Kindberg Distributed Systems: Concepts and Design. Edition 4 Pearson Education 2005
Chapter 7: Security From Coulouris, Dollimore and Kindberg Distributed Systems: Concepts and Design Edition 4 Introduction Security policies Provide for the sharing of resources within specified limits
More informationNetwork Security. Kerberos and other Frameworks for Client Authentication. Dr. Heiko Niedermayer Cornelius Diekmann. Technische Universität München
Network Security Kerberos and other Frameworks for Client Authentication Dr. Heiko Niedermayer Cornelius Diekmann Lehrstuhl für Netzarchitekturen und Netzdienste Institut für Informatik Version: January
More informationNetwork Working Group Request for Comments: 4120 Obsoletes: 1510 Category: Standards Track K. Raeburn MIT July 2005
Network Working Group Request for Comments: 4120 Obsoletes: 1510 Category: Standards Track C. Neuman USC-ISI T. Yu S. Hartman K. Raeburn MIT July 2005 Status of This Memo The Kerberos Network Authentication
More informationKerberos and NFS4 on Linux. isginf Workshop
Kerberos and NFS4 on Linux isginf Workshop Stefan Walter 13.03.18 1 Welcome First workshop we organize! Background info and three practical labs Goal is to show you how to get NFS4 with Kerberos working
More information1.264 Lecture 27. Security protocols Symmetric cryptography. Next class: Anderson chapter 10. Exercise due after class
1.264 Lecture 27 Security protocols Symmetric cryptography Next class: Anderson chapter 10. Exercise due after class 1 Exercise: hotel keys What is the protocol? What attacks are possible? Copy Cut and
More informationGlobal Information Assurance Certification Paper. Copyright SANS Institute Author Retains Full Rights
Global Information Assurance Certification Paper Copyright SANS Institute Author Retains Full Rights This paper is taken from the GIAC directory of certified professionals. Reposting is not permited without
More informationCopyright
This video will look at configuring the default password policy in Active Directory. These setting determines setting like how long a user password will be, if the password needs to complex, and how many
More informationUnit-VI. User Authentication Mechanisms.
Unit-VI User Authentication Mechanisms Authentication is the first step in any cryptographic solution Authentication can be defined as determining an identity to the required level of assurance Passwords
More informationSection E.2.1 Kerberos Authentication and Authorization System
PROJECT ATHENA TECHNICAL PLAN Section E.2.1 Kerberos Authentication and Authorization System by S. P. Miller, B. C. Neuman, J. I. Schiller, and J. H. Saltzer Κερβεροσ; also spelled Cerberus. "n. The watch
More informationUser Authentication. Modified By: Dr. Ramzi Saifan
User Authentication Modified By: Dr. Ramzi Saifan Authentication Verifying the identity of another entity Computer authenticating to another computer Person authenticating to a local/remote computer Important
More information1 Identification protocols
ISA 562: Information Security, Theory and Practice Lecture 4 1 Identification protocols Now that we know how to authenticate messages using MACs, a natural question is, how can we use MACs to prove that
More informationCryptography CS 555. Topic 16: Key Management and The Need for Public Key Cryptography. CS555 Spring 2012/Topic 16 1
Cryptography CS 555 Topic 16: Key Management and The Need for Public Key Cryptography CS555 Spring 2012/Topic 16 1 Outline and Readings Outline Private key management between two parties Key management
More informationInformation Security CS 526
Information Security CS 526 Topic 14: Key Distribution & Agreement, Secure Communication Topic 14: Secure Communication 1 Readings for This Lecture On Wikipedia Needham-Schroeder protocol (only the symmetric
More informationLord of the Rings J.R.R. TOLKIEN
Copyright 1994 AT&T and Lumeta Corporation. All Rights Reserved. Notice: For personal use only. These materials may not be reproduced or distributed in any form or by any means except that they may be
More informationKEY DISTRIBUTION AND USER AUTHENTICATION
KEY DISTRIBUTION AND USER AUTHENTICATION Key Management and Distribution No Singhalese, whether man or woman, would venture out of the house without a bunch of keys in his hand, for without such a talisman
More informationData Communication Prof.A.Pal Dept of Computer Science & Engineering Indian Institute of Technology, Kharagpur Lecture - 40 Secured Communication - II
Data Communication Prof.A.Pal Dept of Computer Science & Engineering Indian Institute of Technology, Kharagpur Lecture - 40 Secured Communication - II Hello and welcome to today's lecture on secured communication.
More information