Coding & Information Theory Lab.

Similar documents
Displaying SSL Configuration Information and Statistics

KEY DISTRIBUTION AND USER AUTHENTICATION

Acknowledgments. CSE565: Computer Security Lectures 16 & 17 Authentication & Applications

Information Security CS 526

Radius, LDAP, Radius used in Authenticating Users

Cryptography and Network Security

Digital Certificates Demystified

Network Security Essentials

Security: Focus of Control. Authentication

Cryptography SSL/TLS. Network Security Workshop. 3-5 October 2017 Port Moresby, Papua New Guinea

Data Security and Privacy. Topic 14: Authentication and Key Establishment

Security: Focus of Control

Configuring SSL. SSL Overview CHAPTER

Distributed Systems. 25. Authentication Paul Krzyzanowski. Rutgers University. Fall 2018

CS November 2018

SSL/TLS & 3D Secure. CS 470 Introduction to Applied Cryptography. Ali Aydın Selçuk. CS470, A.A.Selçuk SSL/TLS & 3DSec 1

How to Configure Authentication and Access Control (AAA)

Single Sign-On Showdown

How to Set Up External CA VPN Certificates

Configuring SSL CHAPTER

Datasäkerhetsmetoder föreläsning 7

Radius, LDAP, Radius, Kerberos used in Authenticating Users

Overview. SSL Cryptography Overview CHAPTER 1

Configuring SSL. SSL Overview CHAPTER

Security Digital Certificate Manager

Chapter 6: Digital Certificates Introduction Authentication Methods PKI Digital Certificate Passing

IBM. Security Digital Certificate Manager. IBM i 7.1

Kerberized Certificate Issuance Protocol (KX509)

Cristina Nita-Rotaru. CS355: Cryptography. Lecture 17: X509. PGP. Authentication protocols. Key establishment.

Transport Layer Security

Lecture 9a: Secure Sockets Layer (SSL) March, 2004

IBM i Version 7.2. Security Digital Certificate Manager IBM

Information Security. message M. fingerprint f = H(M) one-way hash. 4/19/2006 Information Security 1

Kerberos and Public-Key Infrastructure. Key Points. Trust model. Goal of Kerberos

Key Management and Distribution

Contents. Configuring SSH 1

HTTPS--HTTP Server and Client with SSL 3.0

New open source CA development as Grid research platform.

Security Handshake Pitfalls

User Authentication Principles and Methods

HTTPS--HTTP Server and Client with SSL 3.0

Cloud Access Manager Configuration Guide

Managing AON Security

Public-key Infrastructure

Overview of Authentication Systems

Chapter 9: Key Management

What is Secure. Authenticated I know who I am talking to. Our communication is Encrypted

Kerberos V5. Raj Jain. Washington University in St. Louis

Security Handshake Pitfalls

CERTIFICATE POLICY CIGNA PKI Certificates

Verteilte Systeme (Distributed Systems)

Public Key Infrastructure. What can it do for you?

Configuring Certificate Authorities and Digital Certificates

Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018

Send documentation comments to

X.509. CPSC 457/557 10/17/13 Jeffrey Zhu

Authentication for Web Services. Ray Miller Systems Development and Support Computing Services, University of Oxford

CPSC 467b: Cryptography and Computer Security

CS 470 Spring Security. Mike Lam, Professor. a.k.a. Why on earth do Alice and Bob need to share so many secrets?!?

Security Policy Document Version 3.3. Tropos Networks

How to Set Up VPN Certificates

CONTENTS. vii. Chapter 1 TCP/IP Overview 1. Chapter 2 Symmetric-Key Cryptography 33. Acknowledgements

PKI Configuration Examples

PKI Services. Text PKI Definition. PKI Definition #1. Public Key Infrastructure. What Does A PKI Do? Public Key Infrastructures

TLS. RFC2246: The TLS Protocol. (c) A. Mariën -

Authentication in Distributed Systems

IBM Education Assistance for z/os V2R2

Cryptology Part 1. Terminology. Basic Approaches to Cryptography. Basic Approaches to Cryptography: (1) Transposition (continued)

Public-key Infrastructure

Lecture 13. Public Key Distribution (certification) PK-based Needham-Schroeder TTP. 3. [N a, A] PKb 6. [N a, N b ] PKa. 7.

The KX.509 Protocol. William Doster Marcus Watts Dan Hyde University of Michigan ABSTRACT

Lesson 13 Securing Web Services (WS-Security, SAML)

1.264 Lecture 28. Cryptography: Asymmetric keys

Uniform Resource Locators (URL)

Lecture 08: Networking services: there s no place like

Authentication in real world: Kerberos, SSH and SSL. Zheng Ma Apr 19, 2005

User Authentication. Modified By: Dr. Ramzi Saifan

Background. Network Security - Certificates, Keys and Signatures - Digital Signatures. Digital Signatures. Dr. John Keeney 3BA33

Transport Level Security

Red Hat Certificate System Common Criteria Certification 8.1 Using End User Services

Introduction. Trusted Intermediaries. CSC/ECE 574 Computer and Network Security. Outline. CSC/ECE 574 Computer and Network Security.

Protocols II. Computer Security Lecture 12. David Aspinall. 17th February School of Informatics University of Edinburgh

Unit-VI. User Authentication Mechanisms.

Elements of Cryptography and Computer and Network Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy

Open Source in the Corporate World. Open Source. Single Sign On. Erin Mulder

Cryptography CS 555. Topic 16: Key Management and The Need for Public Key Cryptography. CS555 Spring 2012/Topic 16 1

Key management. Pretty Good Privacy

Security & Privacy. Web Architecture and Information Management [./] Spring 2009 INFO (CCN 42509) Contents. Erik Wilde, UC Berkeley School of

BlackBerry Dynamics Security White Paper. Version 1.6

Authenticating SMTP Sessions Using Client Certificates

CSE 565 Computer Security Fall 2018

From Coulouris, Dollimore and Kindberg Distributed Systems: Concepts and Design. Edition 4 Pearson Education 2005

Course Administration

Elements of Cryptography and Computer and Network Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy

Configuring Secure Socket Layer HTTP

Cryptographic Protocols 1

Key management. Required Reading. Stallings, Cryptography and Network Security: Principles and Practice, 5/E or 6/E

Configuring Secure Socket Layer HTTP

Glenda Whitbeck Global Computing Security Architect Spirit AeroSystems

TS: Upgrading from Windows Server 2003 MCSA to, Windows Server 2008, Technology Specializations

Transcription:

통합인증시스템설계및구현 연세대학교전기 전자공학과정연식, 송홍엽 Coding & Information Theory Lab.

Introduction Previous Works Contents Design and Implementation of Public-Key Infrastructure Design and Implementation of Single Sign-On Conclusion Coding & Information Theory Lab. 2/28

Multi- Environment Introduction Problems of multiple passwords Problems of implementation of challenge-response protocol Single Sign-On Single Sign-On Integration of authentication schemes inside domain of service A user logs in once using a single password, gets authenticated access to all servers in the Intranet Without sending any passwords over the network and Coding & Information Theory Lab. 3/28

Kerberos System Previous Works: Kerberos Based on secret-key cryptosystem Based on Needham-Schroeder s third-party protocol Kerberos Database Once per user log-in User Request TGT TGT + Session-key Request SGT SGT + Session-key Authentication Ticket-granting Client Request service Once per type of service Once per service session Application Coding & Information Theory Lab. 4/28

Previous Works: Netscape s s SSO Netscape s SuiteSpot Based on digital signature Based on Secure Socket Layer(SSL) Step 1. User enters private-key password. Directory Client Step 2. Client retrieves private-key and generates the digital signature. Step 3. Client sends the certificate and the digital signature over the SSL connection. SSL Connection SuiteSpot Step 4. authenticates user' s identity. Step 5. checks whether certificate is in LDAP entry for user. Step 6. authorizes access for user. Coding & Information Theory Lab. 5/28

The Proposed Single Sign-On The Proposed Single Sign-On Based on Public-Key Infrastructure Use of challenge-response protocol User Application 1 Client Challenge-response protocol Authentication LDAP CA Application 2 Coding & Information Theory Lab. 6/28

Introduction Previous Works Contents Design and Implementation of Public-Key Infrastructure Design and Implementation of Single Sign-On Conclusion Coding & Information Theory Lab. 7/28

Public-Key Infrastructure Concept Enables the use of public-key encryption and digital signature in a consistent manner Certificate management infrastructure Issues and provides access to public-key certificates Network of certificate authorities Components Certificate Authority(CA) server Directory server Client modules Coding & Information Theory Lab. 8/28

Generation of Certificate User Sign and Verify data using PKCS #7. Application Request certificates and CRLs. Process PKCS #10 to send certification request. Publish certificates and CRLs. Client Generate a public/ private-key pair and use PKCS #5 to encrypt the private-key Another Intranet CA Crosscertification LDAP CA Coding & Information Theory Lab. 9/28

CA Functions Generates certificates Registers the certificates into the directory server Issues certificates Using PIN Revokes certificates Simply deletes a user entry and its attribute from the directory Does not need the use of certificate revocation list(crl) Implementation Apache web server CGI programming Coding & Information Theory Lab. 10/28

Certificate X.509 Certificate Format Version ver.1 Signature algorihtm identifier MD5 with RSA encryption Issuer name Root CA(Yonsei CA) Period of validity: Not before Present date Period of validity: Not after Present date + 1 year Subject s public-key info RSA algorithm Signature algorithm identifier Period of validity Subject's public-key info Signature Version Certificate serial number Algorithm Parameters Issuer name Not before Not after Subject name Algorithms Parameters Key Issuer unique identifier Subject unique identifier Extensions Algorithms Parameters Encrypted Version 1 Version 2 All versions Version 3 Coding & Information Theory Lab. 11/28

Directory Functions Stores the certificates and CRLs Makes all stored certificates available on request Lightweight Directory Access Protocol (LDAP) Simplified DAP(X.500) Runs directly over TCP or other reliable transport layer Implementation OpenLDAP release distribution Stand-alone LDAP daemon: SLAPD server Binary to ASCII conversion Base-64 encoding/decoding algorithm Coding & Information Theory Lab. 12/28

Client Module Functions Generates public/private-key pairs RSA key pair Size of modulus: 1024bit Encrypts the private-key and saves into the local machine Password-based encryption Generates certification requests PKCS #10 Communicates with the CA server to send certification request Implementation Visual Basic Script language Microsoft ActiveX control programming Socket programming Coding & Information Theory Lab. 13/28

CA Coding & Information Theory Lab. 14/28

Introduction Previous Works Contents Design and Implementation of Public-Key Infrastructure Design and Implementation of Single Sign-On Conclusion Coding & Information Theory Lab. 15/28

The Proposed Single Sign-On Components Authentication server Application servers Client modules User Client Application Step. 1 Step. 6 Step. 2 Step. 5 LDAP Step. 4 Step. 3 Challenge-response protocol Authentication Application Coding & Information Theory Lab. 16/28

Requirements Capture Message Sequence Chart Guide for designing the system Visualization of the system runs Messages service_req req service_resp resp auth_req auth_resp password_req req password_resp resp cert_req req cert_resp resp signature_req req signature_resp resp Subjects Client (User) Application Application Authentication Authentication Client (User) Authentication LDAP Authentication Client (User) URI, useremail flag servername, useremail, randstr useremail,, ticket - flag - certificate randnum signeddata Parameters Coding & Information Theory Lab. 17/28

Scenario 1 Client (User) Application Authentication LDAP service_req URI, useremail auth_req servername, useremail, randstr password_req password_resp (S) cert_req signature_req randnum cert_resp certificate signature_resp signeddata auth_resp service_resp (S) useremail, ticket First login: General case Coding & Information Theory Lab. 18/28

Scenario 2 Client (User) Application Authentication LDAP service_req auth_req password_req password_resp (F) password_req In case a user enters invalid password Coding & Information Theory Lab. 19/28

Scenario 3 Client (User) Application Authentication LDAP service_req cert_resp service_resp (S) auth_resp T Auth service_req auth_req service_resp (S) auth_resp In case a user accesses the same application server from the same client within timer expiration Coding & Information Theory Lab. 20/28

Scenario 4 Client (User) Application Authentication 1 Application 2 LDAP service_req cert_resp service_resp (S) auth_resp T Auth service_req service_resp (S) auth_req auth_resp In case a user accesses another application server from the same client within timer expiration Coding & Information Theory Lab. 21/28

Scenario 5 Client 1 (User) Application Authentication LDAP service_req Client 2 (User) service_resp (S) auth_resp cert_resp T Auth service_req auth_req password_req password_resp (F) password_req In case an opponent accesses the application server from the another client within timer expiration Coding & Information Theory Lab. 22/28

randstr & ticket Scenario 6 Application server can be accessed through two URIs To prevent an opponent from directly accessing an application server without authentication protocol Can prevent server-spoofing attack ticket: randstr encrypted by authentication server Client (User) Application Authentication LDAP service_req service_resp (F) In case an opponent directly accesses an application server without authentication process Coding & Information Theory Lab. 23/28

Scenario 7 Client (User) Application Authentication LDAP service_req auth_req T App service_req service_req auth_req password_req password_resp (S) cert_req cert_resp signature_req service_resp (S) signature_resp auth_resp In case a user sends multiple service_req req messages Coding & Information Theory Lab. 24/28

Authentication Functions Challenge-response protocol Generates the ticket DES-CBC with all 0 s IV To transmit as CGI parameter Base-64 encoding algorithm Additional encoding: + -, / @, = : Control of the timer(t Auth ) Implemented by checking the log-in time in the database 1 hour Implementation Apache web server CGI programming Database management system MySQL database Coding & Information Theory Lab. 25/28

Application Functions Verifies the ticket DES-CBC with all 0 s IV Base-64 decoding algorithm Control of the timer(t App ) Maximum Segment Lifetime(MSL) 30 seconds Implementation Apache web server CGI programming Redirection Location header of HTTP Coding & Information Theory Lab. 26/28

Client Module Functions Decrypts the private-key Password-based decryption Challenge-response protocol RSA signature algorithm with MD5 hash function Size of modulus: 1024bit Implementation Visual Basic Script language Microsoft ActiveX control programming Socket programming Coding & Information Theory Lab. 27/28

Conclusion Advantages Has the mechanism that a user directly connects the application server he wants to access Independent of lower layer protocol implementations Easy to implement and use in the Intranet Future Research Development of SSO for other application protocols Current: HTTP Future: Telnet, customized application protocols Extension to multiple-ca environment Use of smart card Coding & Information Theory Lab. 28/28

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback