cs 356 lecture 28 internet authentication
play

CS 356 Lecture 28 Internet Authentication Spring 2013 Review - PowerPoint PPT Presentation

Jan 07, 2024 •284 likes •493 views

CS 356 Lecture 28 Internet Authentication Spring 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access Control Lists Chapter

  1. CS 356 – Lecture 28 Internet Authentication Spring 2013

  2. Review • Chapter 1: Basic Concepts and Terminology • Chapter 2: Basic Cryptographic Tools • Chapter 3 – User Authentication • Chapter 4 – Access Control Lists • Chapter 5 – Database Security (skipped) • Chapter 6 – Malicious Software • Networking Basics (not in book) • Chapter 7 – Denial of Service • Chapter 8 – Intrusion Detection • Chapter 9 – Firewalls and Intrusion Prevention • Chapter 10 – Buffer Overflow • Chapter 11 – Software Security • Chapter 12 – OS Security • Chapter 22 – Internet Security Protocols • Chapter 23 – Internet Authentication Applications

  3. Chapter 23 Internet Authentication Applications

  4. Kerberos Overview • initially developed at MIT • software utility available in both the public domain and in commercially supported versions • issued as an Internet standard and is the defacto standard for remote authentication • overall scheme is that of a trusted third party authentication service • requires that a user prove his or her identity for each service invoked and requires servers to prove their identity to clients

  5. Kerberos Protocol involves clients, application servers, and a Kerberos server • designed to counter a variety of threats to the security of a client/server dialogue • obvious security risk is impersonation • servers must be able to confirm the identities of clients who request service use an Authentication Server (AS) • user initially negotiates with AS for identity verification • AS verifies identity and then passes information on to an application server which will then accept service requests from the client need to find a way to do this in a secure way • if client sends user’s password to the AS over the network an opponent could observe the password • an opponent could impersonate the AS and send a false validation

  6. Kerberos Overview 2. AS verifies user's access right in database, creates ticket-granting ticket and session key. Results are encrypted using key derived from user's password. once per Kerberos user logon session Authentication - t e k Server (AS) c i t t e t k s c e u i t q e g r n i t n a r g 1. User logs on to ticket + session key workstation and requests service on host. e - c i v e r s Ticket- t e s u q e r t e c k i t g n granting t i n r a g Server (TGS) ticket + session key once per type of service 4. TGS decrypts ticket and 3. Workstation prompts authenticator, verifies request, user for password and then creates ticket for requested uses password to decrypt server. r e incoming message, then q u e s sends ticket and t s e r authenticator that v i c e contains user's name, network address, and p r o time to TGS. v a u i d t e h e s n e t r i v c once per 6. Server verifies that e a r t o r service session ticket and authenticator 5. Workstation sends match, then grants access ticket and authenticator to service. If mutual to server. authentication is required, server returns an authenticator. Figure 23.1 Overview of Kerberos

  7. Kerberos Realms • a Kerberos environment consists of: – a Kerberos server – a number of clients, all registered with server – a number of application servers, sharing keys with server • this is referred to as a realm – networks of clients and servers under different administrative organizations generally constitute different realms • if multiple realms: – their Kerberos servers must share a secret key and trust the Kerberos server in the other realm to authenticate its users – participating servers in the second realm must also be willing to trust the Kerberos server in the first realm

  8. Realm A Kerberos Client 1. request ticket for local TGS AS 2. ticket for local TGS 3 . r e q u e s t t i c k e t f o r r e m o t e T G S TGS 4 . t i c k e t f o r r e m o t e T G S Kerberos 7. request remote service 5 request ticket for remote server Realms 6 ticket for remote server Kerberos AS TGS Server Realm B Figure 23.2 Request for Service in Another Realm

  9. Kerberos Versions 4 and 5 • Kerberos v4 is most widely used version • improvements found in version 5: – an encrypted message is tagged with an encryption algorithm identifier • this enables users to configure Kerberos to use an algorithm other than DES – supports authentication forwarding • enables a client to access a server and have that server access another server on behalf of the client • supports a method for interrealm authentication that requires fewer secure key exchanges than in version 4

  10. Kerberos Performance Issues • see larger client-server installations environment: • very little if system is properly configured • tickets are reusable which reduces traffic • Kerberos performance impact in a large-scale Kerberos security is best assured by placing the Kerberos server on a separate, isolated machine • motivation for multiple realms is administrative, not performance related

  11. Certificate Authority (CA) certificate consists of: • a public key plus a User ID of the key owner • signed by a trusted third party • typically the third party is a CA that is trusted by the user community (such as a government agency or a financial institution) user can present his or her public key to the authority in a secure manner and obtain a certificate • user can then publish the certificate • anyone needing this user’s public key can obtain the certificate and verify that it is valid by way of the attached trusted signature

  12. X.509 Authentication Service • widely used in network universally accepted security applications, standard for formatting including IPsec, SSL, public-key certificates SET, and S/MIME part of CCITT X.500 directory service standards • algorithms not uses public-key crypto standardized, but RSA & digital signatures recommended

  13. X.509 Certificates Signature algorithm Version algorithm parameters identifier Certificate Issuer Name Serial Number Signature algorithm algorithm This Update Date parameters identifier Version 1 Issuer Name Next Update Date Version 2 Period of not before Revoked user certificate serial # validity certificate not after revocation date Version 3 Subject Name ! Subject's ! algorithms public key ! parameters key info Issuer Unique user certificate serial # Revoked Identifier certificate revocation date algorithms Subject Unique Signature parameters Identifier encrypted hash Extensions (b) Certificate Revocation List versions algorithms Signature parameters all encrypted hash (a) X.509 Certificate Figure 23.3 X.509 Formats

  14. PKI users Public certificate/CRL retrieval End entity Certificate/CRL Repository registration, Key initialization, certification, key pair recovery, Registration Infrastructure key pair update certificate authority revocation request publication certificate/CRL X.509 Certificate publication authority cross (PKIX) CRL issuer certification CRL publication Certificate authority PKI management entities Figure 23.4 PKIX Architectural Model

  15. PKIX Management Functions registration initialization certification key pair key pair revocation recovery update request cross certification

  16. Federated Identity Management • use of common identity management scheme – across multiple enterprises and numerous applications – supporting many thousands, even millions of users • principal elements are: – authentication, authorization, accounting, provisioning, workflow automation, delegated administration, password synchronization, self-service password reset, federation

  17. Identity Management Administrators provide Administrator attributes Administrator Attribute service Principals provide Attribute service attributes Principal Attribute service Principal Data consumers apply Principal references to obtain attribute data Identity Provider Data consumer Data consumer Principals Identity control Attribute authenticate, interface locator manage their identity elements Data consumers obtain Principal Identifier identifiers, attribute authentication translation references Figure 23.5 Generic Identity Management Architecture

  18. Standards Used Security Extensible Simple Object Assertion Markup Markup Access Protocol WS-Security Language Language (XML) (SOAP) (SAML) XML-based characterizes set of SOAP language for text elements extensions for the exchange in a document implementing for invoking of security on message code using information appearance, XML over integrity and between function, HTTP confidentiality online meaning, or in Web business context services partners

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

IT350 Web and Internet Programming SlideSet #18: HTTP Authentication

IT350 Web and Internet Programming SlideSet #18: HTTP Authentication

IT350 Web and Internet Programming SlideSet #18: HTTP Authentication http://www.httpwatch.com/httpgallery/authentication/ http://httpd.apache.org/docs/2.2/howto/auth.html Outline HTTP Basic Authentication HTTP Digest Authentication 1

349 views • 8 slides
Outline Introduction Authentication Basic authentication mechanisms CS 239

Outline Introduction Authentication Basic authentication mechanisms CS 239

Outline Introduction Authentication Basic authentication mechanisms CS 239 Authentication on a single machine Computer Security Authentication across a network February 21, 2007 Lecture 9 Lecture 9 Page 1 Page 2 CS 236,

302 views • 8 slides
Internet Security Certficate Extensions and Attributes Supporting Authentication in PPP and

Internet Security Certficate Extensions and Attributes Supporting Authentication in PPP and

Internet Security Certficate Extensions and Attributes Supporting Authentication in PPP and Wireless LAN Daniel Schwarz Nrnberg, Internet Security Dozent: Prof. Dr. Trommler 27.April 2004 Overview: 1. Introduction I. PKIX 2. Basics

560 views • 35 slides
Lecture 14 Passwords and Authentication Stephen Checkoway University of Illinois at Chicago

Lecture 14 Passwords and Authentication Stephen Checkoway University of Illinois at Chicago

Lecture 14 Passwords and Authentication Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides based on Baileys ECE 422 Major Portions Courtesy Ryan Cunningham AUTHENTICATION Authentication Basics

653 views • 42 slides
Authentication and Encryption Kelly Rivers and Stephanie Rosenthal 15-110 Fall 2019 The In

Authentication and Encryption Kelly Rivers and Stephanie Rosenthal 15-110 Fall 2019 The In

In Internet Security: Authentication and Encryption Kelly Rivers and Stephanie Rosenthal 15-110 Fall 2019 The In Internet: A Utopian Vision The In Internet: Reality Main Questions First who are the bad actors or r adversarie ies?

515 views • 24 slides
Lecture 11 Authentication 1 Where are we now? We know a bit of the following:

Lecture 11 Authentication 1 Where are we now? We know a bit of the following:

Lecture 11 Authentication 1 Where are we now? We know a bit of the following: Conventional cryptography Hash functions and MACs Public key cryptography Encryption Signatures Identification (Fiat-Shamir) + Zero

213 views • 9 slides
AUTHENTICATION AUTHENTICATION Authentication is the process by which you decide that someone is

AUTHENTICATION AUTHENTICATION Authentication is the process by which you decide that someone is

SECURITY TOPICS PART 2 AUTHENTICATION AUTHENTICATION Authentication is the process by which you decide that someone is who they say they are and therefore permitted to access the requested resources: getting entrance to a computer lab

833 views • 44 slides
Networking and the Internet Lecture 4 COMPSCI.111 Todays lecture u History of the

Networking and the Internet Lecture 4 COMPSCI.111 Todays lecture u History of the

Networking and the Internet Lecture 4 COMPSCI.111 Todays lecture u History of the Internet u How the Internet works u Network protocols The telephone u 1876: first successful bi-directional transmission of clear speech by Alexander Bell

534 views • 29 slides
Information Security Identification and authentication Advanced User Authentication II

Information Security Identification and authentication Advanced User Authentication II

Information Security Identification and authentication Advanced User Authentication II 2019-02-08 Amund Hunstad Guest Lecturer, amund@foi.se Agenda for lecture I within this part of the course Background Authentication eID

1.19k views • 102 slides
Information Security Identification and authentication Advanced User Authentication II

Information Security Identification and authentication Advanced User Authentication II

Information Security Identification and authentication Advanced User Authentication II 2016-01-29 Amund Hunstad Guest Lecturer, amund@foi.se Agenda for lecture I within this part of the course Background Authentication eID

683 views • 44 slides
Message Authentication Codes Digital Signatures Lecture 11 Shafi Goldwasser Authentication

Message Authentication Codes Digital Signatures Lecture 11 Shafi Goldwasser Authentication

Message Authentication Codes Digital Signatures Lecture 11 Shafi Goldwasser Authentication Problem Bob Alice k k message M Eve is Active: Can alter messages Can insert new messages Authentication Problem Secrecy is not the only

553 views • 37 slides
HOST Authentication Overview ECE 525 Authentication Overview Authentication refers to the

HOST Authentication Overview ECE 525 Authentication Overview Authentication refers to the

HOST Authentication Overview ECE 525 Authentication Overview Authentication refers to the process of verifying the identity of the communicating principals to one another Usually sub-divided into Entity authentication Authentication

288 views • 10 slides
Lecture 9 Authentication & Key Distribution 1 Where are we now? We know a bit of

Lecture 9 Authentication & Key Distribution 1 Where are we now? We know a bit of

Lecture 9 Authentication & Key Distribution 1 Where are we now? We know a bit of the following: Conventional (symmetric) cryptography Hash functions and MACs Public key (asymmetric) cryptography Encryption

490 views • 33 slides
Authentication Most technical security safeguards have Authentication authentication as a

Authentication Most technical security safeguards have Authentication authentication as a

Authentication Most technical security safeguards have Authentication authentication as a precondition How to authenticate: Something you know Password, Secrets Something you have Smart Card, Token Something you are Biometrie

607 views • 4 slides
CS 356 Lecture 27 Internet Security Protocols Spring 2013 Review Chapter 1: Basic

CS 356 Lecture 27 Internet Security Protocols Spring 2013 Review Chapter 1: Basic

CS 356 Lecture 27 Internet Security Protocols Spring 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access Control Lists

685 views • 30 slides
Lecture 18: The Internet and the Web Computer Literacy 1h Thursday 4/11/2004 Lecture Overview

Lecture 18: The Internet and the Web Computer Literacy 1h Thursday 4/11/2004 Lecture Overview

Lecture 18: The Internet and the Web Computer Literacy 1h Thursday 4/11/2004 Lecture Overview Topics covered The origin of the Internet The Internet and Network organisation The Web: client-server model The Web:

443 views • 6 slides
Build a Micro HTTP Server for Embedded System Connect to devices more easily Jian-Hong Pan

Build a Micro HTTP Server for Embedded System Connect to devices more easily Jian-Hong Pan

Build a Micro HTTP Server for Embedded System Connect to devices more easily Jian-Hong Pan (StarNight) @ ELCE / OpenIoT Summit Europe 2016 Outline History Micro HTTP Server on RTOS HTTP Protocol FreeRTOS Header &

1.76k views • 108 slides
BENCHMARKING OF WEB SERVICES PLATFORMS An evaluation with the TPC-App benchmark Daniel F.

BENCHMARKING OF WEB SERVICES PLATFORMS An evaluation with the TPC-App benchmark Daniel F.

BENCHMARKING OF WEB SERVICES PLATFORMS An evaluation with the TPC-App benchmark Daniel F. Garca, Javier Garca, Manuel Garca, Ivan Peteira Departamento de Informtica, Oviedo University, Campus de Viesques, Gijn, Spain {dfgarcia, javier,

323 views • 6 slides
VAMOS: Virtualization Aware Middleware Abel Gordon 1 Muli Ben-Yehuda 1,2 Dennis Filimonov 2 Mahor

VAMOS: Virtualization Aware Middleware Abel Gordon 1 Muli Ben-Yehuda 1,2 Dennis Filimonov 2 Mahor

VAMOS: Virtualization Aware Middleware Abel Gordon 1 Muli Ben-Yehuda 1,2 Dennis Filimonov 2 Mahor Dahan 2 1 IBM Research Haifa 2 Technion Israel Institute of Technology VAMOS WIOV 2011 VAMOS: Virtualization Aware Middleware

262 views • 15 slides
Seamless Offloading of Web App Computations From Mobile Device to Edge Clouds via HTML5 Web

Seamless Offloading of Web App Computations From Mobile Device to Edge Clouds via HTML5 Web

Seamless Offloading of Web App Computations From Mobile Device to Edge Clouds via HTML5 Web Worker Migration Hyuk Jin Jeong Seoul National University SoCC 2019 Virtual Machine & Optimization Laboratory Department of Electrical and

824 views • 29 slides
Detecting if LTE is the Bottleneck with BurstTracker Arjun Balasingam , Manu Bansal, Rakesh Misra,

Detecting if LTE is the Bottleneck with BurstTracker Arjun Balasingam , Manu Bansal, Rakesh Misra,

Detecting if LTE is the Bottleneck with BurstTracker Arjun Balasingam , Manu Bansal, Rakesh Misra, Kanthi Nagaraj, Rahul Tandra, Sachin Katti, Aaron Schulman Diagnosing Poor Streaming Quality 360p 2 Diagnosing Poor Streaming Quality 360p 2

626 views • 49 slides
Deploying Python Applications with httpd Jeff Trawick http://emptyhammock.com/

Deploying Python Applications with httpd Jeff Trawick http://emptyhammock.com/

Introduction Generalities Brass Tacks Configuration/deployment example For Further Study Deploying Python Applications with httpd Jeff Trawick http://emptyhammock.com/ trawick@emptyhammock.com April 14, 2015 ApacheCon US 2015 Introduction

700 views • 51 slides
An ASGI Server from scratch P G Jones - 2020-07-23 pgjones.dev 1 https://pgjones.dev/talks/ |

An ASGI Server from scratch P G Jones - 2020-07-23 pgjones.dev 1 https://pgjones.dev/talks/ |

An ASGI Server from scratch P G Jones - 2020-07-23 pgjones.dev 1 https://pgjones.dev/talks/ | https://github.com/pgjones/asgi_server_from_scratch Me pgjones.dev moneyed.co.uk @pgjones github/gitlab @pdgjones twitter 2 Aim HTTP ASGI

309 views • 28 slides
Immutable deployments: the new classic way for service deployment Adopt the new immutable

Immutable deployments: the new classic way for service deployment Adopt the new immutable

Immutable deployments: the new classic way for service deployment Adopt the new immutable infrastructure paradigm using your old toolbox. Matteo Valentini @_Amygos Warning! The events depicted in this talk are real. Any similarity to any

824 views • 37 slides

More recommend