Authentication Applications

We cannot enter into alliance with neighbouring princes until we are acquainted with their designs.
— The Art of War, Sun Tzu
Authentication Applications
will consider authentication functions developed to support application-level authentication & digital signatures
will consider Kerberos – a private-key authentication service
then X.509 directory authentication service
Kerberos
trusted key server system from MIT
provides centralised private-key third-party authentication in a distributed network
  • allows users access to services distributed through network
  • without needing to trust all workstations
  • rather all trust a central authentication server
two versions in use: 4 & 5
Kerberos Requirements
first published report identified its requirements as:
  • security – an eavesdropper shouldn't be able to get enough information to impersonate the user
  • reliability – services using Kerberos would be unusable if Kerberos isn't available
  • transparency – users should be unaware of its presence
  • scalability – should support a large number of users
implemented using a 3rd party authentication scheme using a protocol proposed by Needham-Schroeder (NEED78)
Kerberos 4 Overview
a basic third-party authentication scheme
  • uses DES buried in an elaborate protocol
Authentication Server (AS)
  • user initially negotiates with AS to identify self
  • AS provides a non-corruptible authentication credential (ticket-granting ticket TGT)
Ticket Granting Server (TGS)
  • users subsequently request access to other services from TGS on basis of the user's TGT

Kerberos 4 Overview
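The AS and TGS exchanges described above, as an added runnable walkthrough that is not code from the original slides or from MIT Kerberos: the principal names, the long-term keys and the SHA-256/HMAC "seal" standing in for DES are all constructed for the example.

```python
import hashlib, hmac, json, secrets, time

# Constructed stand-in for DES: SHA-256 keystream XOR plus an HMAC tag. It only
# models "sealed under key K" for the walkthrough and is not a secure cipher.
def keystream(key: str, n: int) -> bytes:
    return b"".join(hashlib.sha256(key.encode() + i.to_bytes(4, "big")).digest()
                    for i in range(n // 32 + 1))
def seal(key: str, obj: dict) -> str:
    pt = json.dumps(obj, sort_keys=True).encode()
    ct = bytes(a ^ b for a, b in zip(pt, keystream(key, len(pt))))
    return (hmac.new(key.encode(), ct, "sha256").digest() + ct).hex()
def unseal(key: str, blob: str) -> dict:
    raw = bytes.fromhex(blob)
    if not hmac.compare_digest(raw[:32], hmac.new(key.encode(), raw[32:], "sha256").digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(raw[32:], keystream(key, len(raw) - 32))))

# Constructed long-term keys: the KDC (AS and TGS) shares one with every principal.
KEYS = {p: secrets.token_hex(16) for p in ("alice", "tgs", "fileserver")}
TICKET_LIFETIME, CLOCK_SKEW = 8 * 3600, 300
def authenticator(client: str, session_key: str) -> str:
    return seal(session_key, {"client": client, "ts": time.time()})
def as_exchange(client: str) -> str:
    """AS: TGT sealed under K_tgs plus session key K_c,tgs, the whole reply sealed under K_c."""
    sk = secrets.token_hex(16)
    tgt = seal(KEYS["tgs"], {"client": client, "key": sk, "exp": time.time() + TICKET_LIFETIME})
    return seal(KEYS[client], {"key": sk, "tgt": tgt})
def check_ticket(ticket: str, auth: str, owner_key: str) -> dict:
    """TGS or app server: open ticket with own key, then authenticator with the session key inside; check client and freshness."""
    tkt = unseal(owner_key, ticket)
    a = unseal(tkt["key"], auth)
    if tkt["exp"] < time.time() or a["client"] != tkt["client"] or abs(time.time() - a["ts"]) > CLOCK_SKEW:
        raise ValueError("expired ticket, client mismatch or stale authenticator")
    return tkt
def tgs_exchange(tgt: str, auth: str, service: str) -> str:
    """TGS: on a valid TGT, issue a service ticket plus K_c,v, sealed under K_c,tgs."""
    tkt = check_ticket(tgt, auth, KEYS["tgs"])
    sk = secrets.token_hex(16)
    st = seal(KEYS[service], {"client": tkt["client"], "key": sk, "exp": time.time() + TICKET_LIFETIME})
    return seal(tkt["key"], {"key": sk, "ticket": st})
def service_accepts(service: str, ticket: str, auth: str) -> bool:
    try:
        return check_ticket(ticket, auth, KEYS[service]) is not None
    except ValueError:
        return False
def client_login(client: str, service: str) -> bool:
    """Full Kerberos 4 flow: AS exchange, TGS exchange, then the service's own check."""
    as_rep = unseal(KEYS[client], as_exchange(client))
    tgs_rep = unseal(as_rep["key"], tgs_exchange(as_rep["tgt"], authenticator(client, as_rep["key"]), service))
    return service_accepts(service, tgs_rep["ticket"], authenticator(client, tgs_rep["key"]))
```

The client never sees K_tgs or K_v: it only forwards the sealed tickets, and each server learns the session key from the ticket it can open, which is what lets it check the authenticator.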
Kerberos Realms
a Kerberos environment consists of:
  • a Kerberos server
  • a number of clients, all registered with server
  • application servers, sharing keys with server
this is termed a realm
  • typically a single administrative domain
if there are multiple realms, their Kerberos servers must share keys and trust
Kerberos Version 5
developed in mid 1990s
provides improvements over v4
  • addresses environmental shortcomings: encryption algorithm, network protocol, byte order, ticket lifetime, authentication forwarding, inter-realm authentication
  • and technical deficiencies: double encryption, non-standard mode of use, session keys, password attacks
specified as Internet standard RFC 1510
X.509 Authentication Service
part of CCITT X.500 directory service standards
  • distributed servers maintaining some info database
defines framework for authentication services
  • directory may store public-key certificates
  • with public key of user
  • signed by certification authority
also defines authentication protocols
uses public-key crypto & digital signatures
  • algorithms not standardized, but RSA recommended
X.509 Certificates
issued by a Certification Authority (CA), containing:
  • version (1, 2, or 3)
  • serial number (unique within CA) identifying certificate
  • signature algorithm identifier
  • issuer X.500 name (CA)
  • period of validity (from - to dates)
  • subject X.500 name (name of owner)
  • subject public-key info (algorithm, parameters, key)
  • issuer unique identifier (v2+)
  • subject unique identifier (v2+)
  • extension fields (v3)
  • signature (of hash of all fields in certificate)
notation CA<<A>> denotes certificate for A signed by CA

X.509 Certificates
Obtaining a Certificate
any user with access to the public key of the CA can verify the user public key that was certified
only the CA can modify a certificate without being detected
because certificates cannot be forged, they can be placed in a public directory
CA Hierarchy
if both users share a common CA then they are assumed to know its public key
otherwise CAs must form a hierarchy
use certificates linking members of hierarchy to validate other CAs
  • each CA has certificates for clients (forward) and parent (backward)
each client trusts parent's certificates
enable verification of any certificate from one CA by users of all other CAs in hierarchy

CA Hierarchy Use
Certificate Revocation
certificates have a period of validity
may need to revoke before expiration, eg:
  1. user's private key is compromised
  2. user is no longer certified by this CA
  3. CA's certificate is compromised
CAs maintain list of revoked certificates
  • the Certificate Revocation List (CRL)
users should check certificates with CA's CRL
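An added example (not from the original slides) covering both the CA Hierarchy and the Certificate Revocation slides: it builds the chain of forward and backward certificates one user needs to verify another user's certificate across the hierarchy, then checks each link's validity period and its issuer's CRL. The hierarchy, CA names, serial numbers and dates are all constructed; verifying each certificate's signature is not modelled here.

```python
from datetime import date

# Constructed hierarchy (CA names made up): each CA's parent, which CA certifies
# each user, and each CA's CRL as the set of serial numbers it has revoked.
PARENT = {"X": "W", "W": "V", "Y": "V", "Z": "Y"}        # V is the root CA
USER_CA = {"A": "X", "B": "Z", "C": "Z"}
CRL = {"X": set(), "W": set(), "V": set(), "Y": set(), "Z": {7}}

def cert(issuer: str, subject: str, serial: int, end=(2026, 12, 31)) -> dict:
    return {"issuer": issuer, "subject": subject, "serial": serial,
            "not_before": date(2024, 1, 1), "not_after": date(*end)}

# The directory: forward and backward certificate for every CA link, plus user certificates.
DIRECTORY = {(c["issuer"], c["subject"]): c for c in [
    cert("X", "W", 1), cert("W", "X", 1), cert("W", "V", 2), cert("V", "W", 2),
    cert("V", "Y", 3), cert("Y", "V", 3), cert("Y", "Z", 4), cert("Z", "Y", 4),
    cert("X", "A", 5), cert("Z", "B", 6), cert("Z", "C", 7)]}

def ancestors(ca: str) -> list:
    chain = [ca]
    while chain[-1] in PARENT:
        chain.append(PARENT[chain[-1]])
    return chain

def certificate_path(verifier_ca: str, target_ca: str) -> list:
    """(issuer, subject) links from the verifier's CA to the target CA: backward
    certificates up to the nearest common ancestor, then forward certificates down."""
    up, down = ancestors(verifier_ca), ancestors(target_ca)
    common = next(ca for ca in up if ca in down)
    path = up[:up.index(common) + 1] + down[:down.index(common)][::-1]
    return list(zip(path, path[1:]))

def validate(verifier: str, subject: str, today: str):
    """Chain (in CA<<X>> notation) that `verifier` needs to verify `subject`'s
    certificate on ISO date `today`, or a string naming the first failing link."""
    on = date.fromisoformat(today)
    links = certificate_path(USER_CA[verifier], USER_CA[subject]) + [(USER_CA[subject], subject)]
    chain = []
    for issuer, subj in links:
        c = DIRECTORY.get((issuer, subj))
        if c is None:
            return f"no certificate {issuer}<<{subj}>> in directory"
        if not c["not_before"] <= on <= c["not_after"]:
            return f"{issuer}<<{subj}>> outside its validity period"
        if c["serial"] in CRL[issuer]:
            return f"{issuer}<<{subj}>> is on {issuer}'s CRL"
        chain.append(f"{issuer}<<{subj}>>")
    return chain
```

A revoked or expired certificate anywhere in the path, not just the end-user's, stops verification, which is why the CRL of every CA on the path has to be consulted.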
Authentication Procedures
X.509 includes three alternative authentication procedures:
  • One-Way Authentication
  • Two-Way Authentication
  • Three-Way Authentication
all use public-key signatures
Nonce
a nonce is a parameter that varies with time. A nonce can be a time stamp, a visit counter on a Web page, or a special marker intended to limit or prevent the unauthorized replay or reproduction of a file.
Nonce
from RFC 2617:
  • For applications where no possibility of replay attack can be tolerated the server can use one-time nonce values which will not be honored for a second use. This requires the overhead of the server remembering which nonce values have been used until the nonce time-stamp (and hence the digest built with it) has expired, but it effectively protects against replay attacks.
One-Way Authentication
One message (A->B) used to establish
  • the identity of A and that message is from A
  • message was intended for B
  • integrity & originality (message hasn't been sent multiple times)
message must include timestamp, nonce, B's identity and is signed by A
Two-Way Authentication
Two messages (A->B, B->A) which in addition establish:
  • the identity of B and that reply is from B
  • that reply is intended for A
  • integrity & originality of reply
reply includes original nonce from A, also timestamp and nonce from B
Three-Way Authentication
3 messages (A->B, B->A, A->B) which enable the above authentication without synchronized clocks
has reply from A back to B containing a signed copy of nonce from B
means that timestamps need not be checked or relied upon
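The three-way exchange above, with B applying the one-time nonce rule quoted from RFC 2617 to A's nonce, as an added example that is not part of the original slides. The toy RSA keys (fixed small primes), the party names and the message field names are all constructed; the RSA is there only to keep the sign/verify structure of the procedure and is not secure.

```python
import hashlib, secrets, time

E = 65537
def keygen(p: int, q: int):
    """Toy RSA keypair from two fixed small primes (constructed, insecure: structure only)."""
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))
def digest(msg: dict, n: int) -> int:
    return int.from_bytes(hashlib.sha256(repr(sorted(msg.items())).encode()).digest(), "big") % n
def sign(msg: dict, priv) -> int:
    return pow(digest(msg, priv[0]), priv[1], priv[0])
def verify(msg: dict, sig: int, pub) -> bool:
    return pow(sig, pub[1], pub[0]) == digest(msg, pub[0])
PUB_A, PRIV_A = keygen(104729, 1299709)     # constructed key pairs for A and B
PUB_B, PRIV_B = keygen(1000003, 999983)

class Responder:
    """B's side. A's nonces are one-time (RFC 2617 style) and remembered until the window expires."""
    def __init__(self, ttl: int = 300):
        self.ttl, self.seen, self.pending = ttl, {}, set()
    def handle_msg1(self, m1: dict, sig1: int):
        now = time.time()
        self.seen = {r: t for r, t in self.seen.items() if now - t < self.ttl}
        if m1["to"] != "B" or m1["nonce"] in self.seen or not verify(m1, sig1, PUB_A):
            return None                         # wrong recipient, replayed r_A, or bad signature
        self.seen[m1["nonce"]] = now
        self.pending.add(rb := secrets.token_hex(8))   # r_B stays pending until A signs it back
        m2 = {"from": "B", "to": "A", "ts": now, "nonce": rb, "echo": m1["nonce"]}
        return m2, sign(m2, PRIV_B)
    def handle_msg3(self, m3: dict, sig3: int) -> bool:
        if m3["to"] != "B" or m3["echo"] not in self.pending or not verify(m3, sig3, PUB_A):
            return False
        self.pending.discard(m3["echo"])        # each r_B is accepted exactly once
        return True

def initiator_msg1():
    m1 = {"from": "A", "to": "B", "ts": time.time(), "nonce": secrets.token_hex(8)}
    return m1, sign(m1, PRIV_A)
def initiator_msg3(m1: dict, m2: dict, sig2: int):
    # A checks the reply is addressed to A, echoes r_A and is signed by B; no clock comparison.
    if m2["to"] != "A" or m2["echo"] != m1["nonce"] or not verify(m2, sig2, PUB_B):
        return None
    m3 = {"from": "A", "to": "B", "echo": m2["nonce"]}
    return m3, sign(m3, PRIV_A)
def run_three_way(b: Responder) -> bool:
    m1, s1 = initiator_msg1()
    reply = b.handle_msg1(m1, s1)
    m3 = initiator_msg3(m1, *reply) if reply else None
    return bool(m3) and b.handle_msg3(*m3)
```

Neither side compares the other's timestamp: freshness comes entirely from the signed return of each party's own nonce, which is the point of the third message.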
X.509 Version 3
has been recognized that additional information is needed in a certificate
  • email/URL, policy details, usage constraints
rather than explicitly naming new fields a general extension method was defined
extensions consist of:
  • extension identifier
  • criticality indicator
  • extension value
Certificate Extensions
key and policy information
  • convey info about subject & issuer keys, plus indicators of certificate policy
certificate subject and issuer attributes
  • support alternative names, in alternative formats for certificate subject and/or issuer
certificate path constraints
  • allow constraints on use of certificates by other CAs