Authentication ApplicationsAuthentication Applications

We cannot enter into alliance with We cannot enter into alliance with neighbouring princes until we are neighbouring princes until we are acquainted with their designs.acquainted with their designs.

——The Art of WarThe Art of War, Sun Tzu, Sun Tzu

Authentication ApplicationsAuthentication Applications

will consider authentication functionswill consider authentication functions developed to support application-developed to support application-

level authentication & digital level authentication & digital signaturessignatures

will consider Kerberos – a private-key will consider Kerberos – a private-key authentication serviceauthentication service

then X.509 directory authentication then X.509 directory authentication serviceservice

KerberosKerberos

trusted key server system from MIT trusted key server system from MIT provides centralised private-key third-provides centralised private-key third-

party authentication in a distributed party authentication in a distributed networknetwork• allows users access to services distributed allows users access to services distributed

through networkthrough network• without needing to trust all workstationswithout needing to trust all workstations• rather all trust a central authentication rather all trust a central authentication

serverserver two versions in use: 4 & 5two versions in use: 4 & 5

Kerberos RequirementsKerberos Requirements first published report identified its first published report identified its

requirements as:requirements as:• security-an eavesdropper shouldn’t be able to get security-an eavesdropper shouldn’t be able to get

enough information to impersonate the userenough information to impersonate the user• reliability- services using Kerberos would be reliability- services using Kerberos would be

unusable if Kerberos isn’t availableunusable if Kerberos isn’t available• transparency-users should be unaware of its transparency-users should be unaware of its

presencepresence• scalability- should support large number of usersscalability- should support large number of users

implemented using a 3implemented using a 3rdrd party authentication party authentication scheme using a protocol proposed by scheme using a protocol proposed by Needham-Schroeder (NEED78)Needham-Schroeder (NEED78)

Kerberos 4 OverviewKerberos 4 Overview

a basic third-party authentication schemea basic third-party authentication scheme• uses DES buried in an elaborate protocoluses DES buried in an elaborate protocol

Authentication Server (AS)Authentication Server (AS) • user initially negotiates with AS to identify self user initially negotiates with AS to identify self • AS provides a non-corruptible authentication AS provides a non-corruptible authentication

credential (ticket-granting ticket TGT) credential (ticket-granting ticket TGT) Ticket Granting server (TGS)Ticket Granting server (TGS)

• users subsequently request access to other users subsequently request access to other services from TGS on basis of users TGTservices from TGS on basis of users TGT

Kerberos 4 OverviewKerberos 4 Overview

Kerberos RealmsKerberos Realms

a Kerberos environment consists of:a Kerberos environment consists of:• a Kerberos servera Kerberos server• a number of clients, all registered with servera number of clients, all registered with server• application servers, sharing keys with serverapplication servers, sharing keys with server

this is termed a realmthis is termed a realm• typically a single administrative domaintypically a single administrative domain

if have multiple realms, their Kerberos if have multiple realms, their Kerberos servers must share keys and trustservers must share keys and trust

Kerberos Version 5Kerberos Version 5

developed in mid 1990’sdeveloped in mid 1990’s provides improvements over v4provides improvements over v4

• addresses environmental shortcomingsaddresses environmental shortcomings encryption algorithm, network protocol, byte order, encryption algorithm, network protocol, byte order,

ticket lifetime, authentication forwarding, inter-realm ticket lifetime, authentication forwarding, inter-realm authenticationauthentication

• and technical deficienciesand technical deficiencies double encryption, non-standard mode of use, double encryption, non-standard mode of use,

session keys, password attackssession keys, password attacks

specified as Internet standard RFC 1510specified as Internet standard RFC 1510

X.509 Authentication Service X.509 Authentication Service part of CCITT X.500 directory service part of CCITT X.500 directory service

standardsstandards• distributed servers maintaining some info databasedistributed servers maintaining some info database

defines framework for authentication services defines framework for authentication services • directory may store public-key certificatesdirectory may store public-key certificates• with public key of userwith public key of user• signed by certification authority signed by certification authority

also defines authentication protocols also defines authentication protocols uses public-key crypto & digital signatures uses public-key crypto & digital signatures

• algorithms not standardized, but RSA recommended algorithms not standardized, but RSA recommended

X.509 CertificatesX.509 Certificates issued by a Certification Authority (CA), issued by a Certification Authority (CA),

containing: containing: • version (1, 2, or 3) version (1, 2, or 3) • serial number (unique within CA) identifying certificate serial number (unique within CA) identifying certificate • signature algorithm identifier signature algorithm identifier • issuer X.500 name (CA) issuer X.500 name (CA) • period of validity (from - to dates) period of validity (from - to dates) • subject X.500 name (name of owner) subject X.500 name (name of owner) • subject public-key info (algorithm, parameters, key) subject public-key info (algorithm, parameters, key) • issuer unique identifier (v2+) issuer unique identifier (v2+) • subject unique identifier (v2+) subject unique identifier (v2+) • extension fields (v3) extension fields (v3) • signature (of hash of all fields in certificate) signature (of hash of all fields in certificate)

notation notation CA<<A>>CA<<A>> denotes certificate for A signed denotes certificate for A signed by CAby CA

X.509 CertificatesX.509 Certificates

Obtaining a Obtaining a Certificate Certificate

any user with access to the public any user with access to the public key of the CA can verify the user key of the CA can verify the user public key that was certified public key that was certified

only the CA can modify a certificate only the CA can modify a certificate without being detected without being detected

cannot be forged, certificates can be cannot be forged, certificates can be placed in a public directory placed in a public directory

CA Hierarchy CA Hierarchy

if both users share a common CA then if both users share a common CA then they are assumed to know its public key they are assumed to know its public key

otherwise CA's must form a hierarchy otherwise CA's must form a hierarchy use certificates linking members of use certificates linking members of

hierarchy to validate other CA's hierarchy to validate other CA's • each CA has certificates for clients (forward) each CA has certificates for clients (forward)

and parent (backward) and parent (backward) each client trusts parents certificates each client trusts parents certificates enable verification of any certificate from enable verification of any certificate from

one CA by users of all other CAs in one CA by users of all other CAs in hierarchy hierarchy

CA Hierarchy UseCA Hierarchy Use

Certificate RevocationCertificate Revocation

certificates have a period of validitycertificates have a period of validity may need to revoke before expiration, eg:may need to revoke before expiration, eg:

1.1. user's private key is compromiseduser's private key is compromised

2.2. user is no longer certified by this CAuser is no longer certified by this CA

3.3. CA's certificate is compromisedCA's certificate is compromised CAs maintain list of revoked certificatesCAs maintain list of revoked certificates

• the Certificate Revocation List (CRLthe Certificate Revocation List (CRL)) users should check certificates with CA’s users should check certificates with CA’s

CRLCRL

Authentication ProceduresAuthentication Procedures

X.509 includes three alternative X.509 includes three alternative authentication procedures: authentication procedures: • One-Way Authentication One-Way Authentication • Two-Way Authentication Two-Way Authentication • Three-Way Authentication Three-Way Authentication

all use public-key signaturesall use public-key signatures

NonceNonce

a nonce is a parameter that varies a nonce is a parameter that varies with time. A nonce can be a time with time. A nonce can be a time stamp, a visit counter on a Web stamp, a visit counter on a Web page, or a special marker intended to page, or a special marker intended to limit or prevent the unauthorized limit or prevent the unauthorized replay or reproduction of a file. replay or reproduction of a file.

NonceNonce

from from RFC 2617RFC 2617::• For applications where no possibility of replay For applications where no possibility of replay

attack can be tolerated the server can use one-attack can be tolerated the server can use one-time nonce values which will not be honored time nonce values which will not be honored for a second use. This requires the overhead of for a second use. This requires the overhead of the server remembering which nonce values the server remembering which nonce values have been used until the nonce time-stamp have been used until the nonce time-stamp (and hence the digest built with it) has expired, (and hence the digest built with it) has expired, but it effectively protects against replay but it effectively protects against replay attacks.attacks.

One-Way AuthenticationOne-Way Authentication

One message ( A->B) used to One message ( A->B) used to establish establish • the identity of A and that message is the identity of A and that message is

from A from A • message was intended for B message was intended for B • integrity & originality (message hasn’t integrity & originality (message hasn’t

been sent multiple times) been sent multiple times) message must include timestamp, message must include timestamp,

nonce, B's identity and is signed by A nonce, B's identity and is signed by A

Two-Way AuthenticationTwo-Way Authentication

Two messages (A->B, B->A) which Two messages (A->B, B->A) which also establishes in addition:also establishes in addition:• the identity of B and that reply is from B the identity of B and that reply is from B • that reply is intended for A that reply is intended for A • integrity & originality of reply integrity & originality of reply

reply includes original nonce from A, reply includes original nonce from A, also timestamp and nonce from Balso timestamp and nonce from B

Three-Way AuthenticationThree-Way Authentication

3 messages (A->B, B->A, A->B) which 3 messages (A->B, B->A, A->B) which enables above authentication without enables above authentication without synchronized clocks synchronized clocks

has reply from A back to B containing a has reply from A back to B containing a signed copy of nonce from B signed copy of nonce from B

means that timestamps need not be means that timestamps need not be checked or relied upon checked or relied upon

X.509 Version 3X.509 Version 3

has been recognized that additional has been recognized that additional information is needed in a certificateinformation is needed in a certificate • email/URL, policy details, usage constraintsemail/URL, policy details, usage constraints

rather than explicitly naming new fields a rather than explicitly naming new fields a general extension method was definedgeneral extension method was defined

extensions consist of:extensions consist of:• extension identifierextension identifier• criticality indicatorcriticality indicator• extension valueextension value

Certificate ExtensionsCertificate Extensions

key and policy informationkey and policy information• convey info about subject & issuer keys, convey info about subject & issuer keys,

plus indicators of certificate policyplus indicators of certificate policy certificate subject and issuer attributescertificate subject and issuer attributes

• support alternative names, in alternative support alternative names, in alternative formats for certificate subject and/or formats for certificate subject and/or issuerissuer

certificate path constraintscertificate path constraints• allow constraints on use of certificates by allow constraints on use of certificates by

other CA’sother CA’s