Computer Security: Principles and Practice - PowerPoint PPT Presentation



SLIDE 1

Computer Security: Principles and Practice

First Edition, by William Stallings and Lawrie Brown
Lecture slides by Lawrie Brown

Chapter 22 – Internet Authentication Applications

SLIDE 2

Internet Authentication Applications

  • will consider authentication functions developed to support application-level authentication & digital signatures
  • will consider
    • Kerberos private-key authentication service
    • X.509 public-key directory authentication
    • public-key infrastructure (PKI)
    • federated identity management

SLIDE 3

Kerberos

  • trusted key server system from MIT
  • provides centralised private-key third-party authentication in a distributed network
    • allows users access to services distributed through network
    • without needing to trust all workstations
    • rather all trust a central authentication server
  • two versions in use: 4 & 5

SLIDE 4

Kerberos Overview

  • a basic third-party authentication scheme
  • have an Authentication Server (AS)
    • users initially negotiate with AS to identify self
    • AS provides a non-corruptible authentication credential (ticket granting ticket TGT)
  • have a Ticket Granting Server (TGS)
    • users subsequently request access to other services from TGS on basis of user's TGT
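The AS / TGS / application-server exchange described on this slide, as an added simulation that is not part of the Stallings/Brown slides. The principal names ("alice", "krbtgt", "fileserver"), the keys, the ticket lifetime and the SHA-256 keystream plus HMAC envelope that stands in for Kerberos encryption are all constructed for the example; the real protocol (RFC 1510 on a later slide) uses ASN.1 messages and block-cipher encryption types. What the simulation does show is the trust structure the slide describes: the workstation holds only the user's key, the TGT is opaque to it, and the service learns the client's identity from a ticket it can open with its own key rather than from anything the workstation claims.

```python
import hashlib, hmac, json, os, time

# ---- toy symmetric envelope (constructed for this example; not a real cipher) ----
def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def seal(key: bytes, obj: dict) -> bytes:
    """Encrypt-then-MAC a small JSON record: only a holder of `key` can read or forge it."""
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("rejected: MAC check failed (wrong key or tampered message)")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def user_key(password: str) -> bytes:
    # Kerberos derives the client's long-term key from its password; a plain hash stands in here.
    return hashlib.sha256(password.encode()).digest()

# Long-term keys registered in the realm (constructed sample data). The client never sees
# any key but its own; the TGS key ("krbtgt") and the service key stay with the KDC/service.
REALM_KEYS = {
    "alice": user_key("correct horse battery staple"),
    "krbtgt": os.urandom(32),
    "fileserver": os.urandom(32),
}
TICKET_LIFETIME = 8 * 3600

def _ticket(owner_key: bytes, user: str, session_key: bytes) -> bytes:
    return seal(owner_key, {"user": user, "sk": session_key.hex(),
                            "exp": time.time() + TICKET_LIFETIME})

def authentication_server(user: str) -> bytes:
    """AS exchange: reply readable only with the user's key; the TGT inside it only by the TGS."""
    sk = os.urandom(32)
    return seal(REALM_KEYS[user], {"sk": sk.hex(), "tgt": _ticket(REALM_KEYS["krbtgt"], user, sk).hex()})

def _check_ticket(owner_key: bytes, ticket: bytes, authenticator: bytes):
    """Open the ticket with the owner's key, then the authenticator with the session key inside it."""
    t = unseal(owner_key, ticket)
    sk = bytes.fromhex(t["sk"])
    if time.time() > t["exp"]:
        raise ValueError("ticket expired")
    a = unseal(sk, authenticator)          # proves the presenter knows the session key
    if a["user"] != t["user"] or abs(time.time() - a["ts"]) > 300:
        raise ValueError("authenticator does not match ticket")
    return t["user"], sk

def ticket_granting_server(tgt: bytes, authenticator: bytes, service: str) -> bytes:
    """TGS exchange: validate the TGT, then issue a service ticket under the service's key."""
    user, sk = _check_ticket(REALM_KEYS["krbtgt"], tgt, authenticator)
    ssk = os.urandom(32)
    return seal(sk, {"sk": ssk.hex(), "ticket": _ticket(REALM_KEYS[service], user, ssk).hex()})

def application_server(service: str, ticket: bytes, authenticator: bytes) -> str:
    """The service learns who the client is from the ticket, not from the workstation's word."""
    user, _ = _check_ticket(REALM_KEYS[service], ticket, authenticator)
    return user

def client_login(user: str, password: str, service: str) -> str:
    """Client side of the three exchanges; returns the identity the service accepted."""
    reply = unseal(user_key(password), authentication_server(user))   # wrong password -> MAC failure
    sk, tgt = bytes.fromhex(reply["sk"]), bytes.fromhex(reply["tgt"])
    reply = unseal(sk, ticket_granting_server(tgt, seal(sk, {"user": user, "ts": time.time()}), service))
    ssk, ticket = bytes.fromhex(reply["sk"]), bytes.fromhex(reply["ticket"])
    return application_server(service, ticket, seal(ssk, {"user": user, "ts": time.time()}))

def login_rejected(user: str, password: str, service: str) -> bool:
    try:
        client_login(user, password, service)
        return False
    except ValueError:
        return True

def tampered_tgt_rejected(user: str, password: str) -> bool:
    """Flip one bit of the TGT ciphertext: the TGS must refuse it (integrity, not just secrecy)."""
    reply = unseal(user_key(password), authentication_server(user))
    sk, tgt = bytes.fromhex(reply["sk"]), bytearray.fromhex(reply["tgt"])
    tgt[20] ^= 0x01
    try:
        ticket_granting_server(bytes(tgt), seal(sk, {"user": user, "ts": time.time()}), "fileserver")
        return False
    except ValueError:
        return True

if __name__ == "__main__":
    print(client_login("alice", "correct horse battery staple", "fileserver"))
```

`client_login` walks through all three exchanges and returns the name the application server extracted from the service ticket; `login_rejected` and `tampered_tgt_rejected` show the two failure modes the slide's "non-corruptible credential" wording implies: a wrong password cannot open the AS reply, and a modified TGT fails the TGS's integrity check before anything inside it is trusted.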

SLIDE 5

Kerberos Overview Kerberos Overview

SLIDE 6

Kerberos Realms

  • a Kerberos environment consists of:
    • a Kerberos server
    • a number of clients, all registered with server
    • application servers, sharing keys with server
  • this is termed a realm
    • typically a single administrative domain
  • if have multiple realms, their Kerberos servers must share keys and trust

SLIDE 7

Kerberos Realms Kerberos Realms

SLIDE 8

Kerberos Version 5

  • Kerberos v4 is most widely used version
  • also have v5, developed in mid 1990s
    • specified as Internet standard RFC 1510
  • provides improvements over v4
    • addresses environmental shortcomings
      • encryption alg, network protocol, byte order, ticket lifetime, authentication forwarding, inter-realm auth
    • and technical deficiencies
      • double encryption, non-std mode of use, session keys, password attacks

SLIDE 9

Kerberos Performance Issues

  • see larger client-server installations
  • query Kerberos performance impact
    • very little if system is properly configured
    • since tickets are reusable
  • Kerberos security best assured if place its server on a separate, isolated machine
  • administrative motivation for multi realms
    • not a performance issue

SLIDE 10

Certificate Authorities

  • certificate consists of:
    • a public key plus a User ID of the key owner
    • signed by a third party trusted by community
    • often govt./bank certificate authority (CA)
  • users obtain certificates from CA
    • create keys & unsigned cert, gives to CA, CA signs cert & attaches sig, returns to user
  • other users can verify cert
    • checking sig on cert using CA's public key

SLIDE 11

X.509 Authentication Service

  • universally accepted standard for formatting public-key certificates
  • widely used in network security applications, including IPSec, SSL, SET, and S/MIME
  • part of CCITT X.500 directory service standards
  • uses public-key crypto & digital signatures
    • algorithms not standardised, but RSA recommended

SLIDE 12

X.509 Certificates X.509 Certificates

SLIDE 13

Public Key Infrastructure Public Key Infrastructure

SLIDE 14

PKIX Management

  • functions:
    • registration
    • initialization
    • certification
    • key pair recovery
    • key pair update
    • revocation request
    • cross certification
  • protocols: CMP, CMC

SLIDE 15

Federated Identity Management

  • use of common identity management scheme
    • across multiple enterprises & numerous applications
    • supporting many thousands, even millions of users
  • principal elements are:
    • authentication, authorization, accounting, provisioning, workflow automation, delegated administration, password synchronization, self-service password reset, federation
  • Kerberos contains many of these elements

SLIDE 16

Identity Management Identity Management

SLIDE 17

Federated Identity Management Federated Identity Management

SLIDE 18

Standards Used

  • Extensible Markup Language (XML)
    • characterizes text elements in a document on appearance, function, meaning, or context
  • Simple Object Access Protocol (SOAP)
    • for invoking code using XML over HTTP
  • WS-Security
    • set of SOAP extensions for implementing message integrity and confidentiality in Web services
  • Security Assertion Markup Language (SAML)
    • XML-based language for the exchange of security information between online business partners

SLIDE 19

Summary

  • reviewed network authentication using:
    • Kerberos private-key authentication service
    • X.509 public-key directory authentication
    • public-key infrastructure (PKI)
    • federated identity management