INS - Lecture13 - Authentication Application - Upd

The document outlines user authentication principles, emphasizing the importance of verifying identities through user IDs and passwords. It discusses security concerns, including impersonation and replay attacks, and presents methods to mitigate these risks, such as timestamps and challenge/response mechanisms. Additionally, it introduces Kerberos as a centralized authentication service that uses symmetric encryption to authenticate users and servers, detailing its operational processes and potential vulnerabilities.

Uploaded by telacet362

User Authentication

Remote User-Authentication Principles
• The process of verifying an identity claimed by or for a system entity
• An authentication process consists of two steps:
– Identification step: the user presents an identifier (a user ID) to the system
– Verification step: the user presents or generates authentication information (such as a password) that corroborates the binding between the user and the identifier

© 2017 Pearson Education, Ltd., All rights reserved.


User Identification
• For example, user Alice Toklas could have the user identifier ABTOKLAS.
• This information needs to be stored on any server or computer system that Alice wishes to use and could be known to system administrators and other users.
• A typical item of authentication information associated with this user ID is a password, which is kept secret (known only to Alice and to the system).
• If no one is able to obtain or guess Alice’s password, then the combination of Alice’s user ID and password enables administrators to set up Alice’s access permissions and audit her activity. Because Alice’s ID is not secret, system users can send her e-mail, but because her password is secret, no one can pretend to be Alice.
User Authentication
• In essence, identification is the means by which a user provides a claimed identity to the system; user authentication is the means of establishing the validity of the claim. Note that user authentication is distinct from message authentication.
• As defined in Chapter 12, message authentication is a procedure that allows communicating parties to verify that the contents of a received message have not been altered and that the source is authentic. This chapter is concerned solely with user authentication.
Means of User Authentication
• For network-based user authentication, the most important methods involve cryptographic keys and something the individual knows, such as a password
Security Concerns
• Only authorized users may access the services
• Authentication of users on the client machine
• Impersonation
• Key concerns are confidentiality and timeliness
– To provide confidentiality, identification and session-key information must be encrypted
– Timeliness is needed to prevent replay attacks
Mutual Authentication
• Protocols which enable communicating parties to satisfy themselves mutually about each other’s identity and to exchange session keys


Replay Attacks
1. The simplest replay attack is one in which the opponent simply copies a message and replays it later
2. An opponent can replay a timestamped message within the valid time window
3. An opponent can replay a timestamped message within the valid time window, but in addition, the opponent suppresses the original message; thus, the repetition cannot be detected
4. Another attack involves a backward replay without modification and is possible if symmetric encryption is used and the sender cannot easily recognize the difference between messages sent and messages received on the basis of content


Approaches to Coping With Replay Attacks
• Sequence numbers: attach a sequence number to each message used in an authentication exchange
– A new message is accepted only if its sequence number is in the proper order
– The difficulty with this approach is that it requires each party to keep track of the last sequence number for each claimant it has dealt with
– Generally not used for authentication and key exchange because of the overhead
• Timestamps
– Requires that clocks among the various participants be synchronized
– Party A accepts a message as fresh only if the message contains a timestamp that, in A’s judgment, is close enough to A’s knowledge of the current time
• Challenge/response
– Party A, expecting a fresh message from B, first sends B a nonce (challenge) and requires that the subsequent message (response) received from B contain the correct nonce value
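The three freshness mechanisms on this slide, and the replay attacks on the previous one, as an added example that is not part of the lecture: party A's verifier for each approach (sequence numbers, a timestamp window, and a one-shot nonce challenge) together with B's side that builds the messages. The shared key K_AB, the skew window and the message body are constructed values; the messages are integrity-protected with HMAC-SHA256 so that a replayed or altered copy can be told apart from a fresh one.

```python
import hashlib
import hmac
import secrets

K_AB = b"constructed long-term key shared by A and B"   # assumption: A and B already share a key
WINDOW = 120   # seconds of clock skew A tolerates (constructed value)


def tag(*fields):
    # Keyed integrity tag over the concatenated fields; the "|" separators mirror the || notation
    return hmac.new(K_AB, b"|".join(fields), hashlib.sha256).hexdigest()


def tag_ok(given, expected):
    return hmac.compare_digest(given, expected)


class SequenceVerifier:
    """Sequence numbers: accept only if the number is in order for that claimant. A must
    remember the last number seen for every party it has dealt with (the stated overhead)."""
    def __init__(self):
        self.last_seen = {}

    def accept(self, claimant, seq, body, t):
        if not tag_ok(t, tag(claimant.encode(), str(seq).encode(), body)):
            return False                                   # forged or altered message
        if seq <= self.last_seen.get(claimant, -1):
            return False                                   # already seen: a replay (or out of order)
        self.last_seen[claimant] = seq
        return True


class TimestampVerifier:
    """Timestamps: A accepts the message as fresh only if its timestamp is close enough to
    A's own clock, which requires clocks synchronised to within WINDOW."""
    def accept(self, ts, body, t, now):
        if not tag_ok(t, tag(str(ts).encode(), body)):
            return False
        return abs(now - ts) <= WINDOW                     # a copy replayed inside the window still passes


class ChallengeResponse:
    """Challenge/response: A sends B a fresh nonce and requires B's reply to carry it."""
    def __init__(self):
        self.outstanding = set()

    def challenge(self):
        n = secrets.token_hex(16)                          # unpredictable and never reused
        self.outstanding.add(n)
        return n

    def accept(self, nonce, body, t):
        if nonce not in self.outstanding:
            return False                                   # unknown or already-consumed nonce: replay
        self.outstanding.discard(nonce)                    # one-shot: a second copy is rejected
        return tag_ok(t, tag(nonce.encode(), body))


# B's side of each scheme: build the message that A will check
def b_seq_message(claimant, seq, body):
    return (claimant, seq, body, tag(claimant.encode(), str(seq).encode(), body))


def b_ts_message(ts, body):
    return (ts, body, tag(str(ts).encode(), body))


def b_response(nonce, body):
    return (nonce, body, tag(nonce.encode(), body))
```

Replaying a message verbatim (attack 1) fails against all three verifiers, but a timestamped message copied within the window (attack 2) is still accepted by TimestampVerifier, which is why a nonce that A consumes on first use gives the stronger guarantee.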
One-Way Authentication

Remote User-Authentication Using Symmetric Encryption

Motivation
• In simple client-server networks, the authentication requirements are:
– User authentication on the client
– Services used only by privileged users
– Prevent impersonation
• Now consider a distributed network architecture with client workstations and centralized or distributed servers
Three approaches could be considered for authentication
– Rely on each workstation to assure the identity of its users, and on each server to enforce its own policy
– The client system authenticates itself to the server, but the server trusts the client system for user identification
– The user must prove his identity for each invoked service, and the server must prove its identity to the client
* Or use an authentication server
Authentication Server
• How will the authentication server perform authentication?
• Problems with authentication servers in general:
– An opponent could capture the ticket transmitted from the AS and reuse it
– The user’s password is placed in the ticket and travels in plaintext, so an attacker who captures it can use the service
– The number of times the user has to enter the password
KERBEROS

In Greek mythology, a many-headed dog, the guardian of the entrance of Hades
KERBEROS
• Authentication service developed as part of Project Athena at MIT
• Provides a centralized authentication server to authenticate users to servers and servers to users.
• Relies on conventional encryption, making no use of public-key encryption
• Two versions: version 4 and 5
• Version 4 makes use of DES
KERBEROS
• A workstation cannot be trusted to identify its users correctly to network services
• Users wish to access services on servers.
• Three threats exist:
– A user pretends to be another user.
– A user alters the network address of a workstation.
– A user eavesdrops on exchanges and uses a replay attack.
Kerberos Requirements
• The first published report on Kerberos listed the following requirements:
Kerberos Version 4
• Makes use of DES to provide the authentication service
• Authentication server (AS)
– Knows the passwords of all users and stores these in a centralized database
– Shares a unique secret key with each server
• Ticket
– Created once the AS accepts the user as authentic; contains the user’s ID and network address and the server’s ID
– Encrypted using the secret key shared by the AS and the server
• Ticket-granting server (TGS)
– Issues tickets to users who have been authenticated to the AS
– Each time the user requires access to a new service, the client applies to the TGS using the ticket to authenticate itself
– The TGS then grants a ticket for the particular service
– The client saves each service-granting ticket and uses it to authenticate its user to a server each time a particular service is requested
Kerberos Version 4
• Terms:
– C = client
– AS = authentication server
– V = server
– IDc = identifier of user on C
– IDv = identifier of V
– Pc = password of user on C
– ADc = network address of C
– Kv = secret encryption key shared by AS and V
– TS = timestamp
– || = concatenation
Henric Johnson
A Simple Authentication Dialogue
(1) C → AS: IDc || Pc || IDv
(2) AS → C: Ticket
(3) C → V: IDc || Ticket

Ticket = E_Kv[IDc || Pc || IDv]
Version 4 Authentication Dialogue
• Problems:
– Lifetime associated with the ticket-granting ticket
– If too short → the user is repeatedly asked for the password
– If too long → greater opportunity for replay
• The threat is that an opponent will steal the ticket and use it before it expires
The Version 4 Authentication Dialogue

Version 4 Authentication Dialogue
Authentication Service Exchange: to obtain a ticket-granting ticket
(1) C → AS: IDc || IDtgs || TS1
(2) AS → C: E_Kc[Kc,tgs || IDtgs || TS2 || Lifetime2 || Ticket_tgs]

Ticket-Granting Service Exchange: to obtain a service-granting ticket
(3) C → TGS: IDv || Ticket_tgs || Authenticator_c
(4) TGS → C: E_Kc,tgs[Kc,v || IDv || TS4 || Ticket_v]

Client/Server Authentication Exchange: to obtain service
(5) C → V: Ticket_v || Authenticator_c
(6) V → C: E_Kc,v[TS5 + 1]
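The six-message Version 4 dialogue above, and the simple three-message dialogue and its ticket-lifetime problem from the earlier slides, as an added stand-alone simulation that is not part of the lecture or of any Kerberos implementation. It assumes the textbook's ticket and authenticator contents (Ticket = E_Ksrv[session key || IDc || ADc || IDsrv || TS || Lifetime], Authenticator_c = E_session[IDc || ADc || TS]), derives Kc from the user's password, and replaces DES with an HMAC-SHA256 keystream plus MAC so it runs with the standard library only; all keys, IDs, addresses and timestamps are constructed. The AS, TGS and V each open only the ticket sealed with their own key, check the lifetime, and require a fresh authenticator under the ticket's session key, which is what limits an opponent who steals a ticket to the clock-skew window.

```python
import hashlib
import hmac
import json
import os

SKEW, LIFETIME = 300, 3600   # constructed: tolerated clock skew and ticket lifetime, in seconds


def derive_key(password):
    # Kc: the client's key derived from the user's password (textbook convention; the KDF is a stand-in)
    return hashlib.sha256(password.encode()).digest()


def _keystream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def E(key, fields):
    """E_K[...] over a dict of fields: HMAC-SHA256 keystream plus MAC, a stand-in for v4's DES."""
    pt = json.dumps(fields).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def D(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered ciphertext")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


# Constructed long-term secrets: the AS knows every user's password and shares Ktgs / Kv with the servers.
AS_DB = {"ABTOKLAS": derive_key("constructed-password")}
K_TGS = hashlib.sha256(b"constructed TGS key").digest()
K_V = hashlib.sha256(b"constructed server-V key").digest()


def make_ticket(server_key, session_key, idc, adc, idsrv, now):
    # Ticket = E_Ksrv[K || IDc || ADc || IDsrv || TS || Lifetime]: only the named server can open it
    return E(server_key, {"K": session_key.hex(), "IDc": idc, "ADc": adc,
                          "IDsrv": idsrv, "TS": now, "Lifetime": LIFETIME})


def check_ticket(ticket, authenticator, server_key, server_id, now):
    """Validation shared by the TGS (msg 3) and V (msg 5): the ticket is ours and unexpired,
    and the authenticator (sealed with the ticket's session key) matches it and is fresh."""
    t = D(server_key, ticket)
    if t["IDsrv"] != server_id or now > t["TS"] + t["Lifetime"]:
        raise ValueError("ticket is for another server or has expired")
    session_key = bytes.fromhex(t["K"])
    a = D(session_key, authenticator)          # fails unless the sender knows the session key
    if (a["IDc"], a["ADc"]) != (t["IDc"], t["ADc"]) or abs(now - a["TS"]) > SKEW:
        raise ValueError("authenticator mismatch or stale timestamp (replay suspected)")
    return t, session_key, a["TS"]


def as_exchange(msg1, adc, now):
    """(1) C -> AS: IDc || IDtgs || TS1   (2) AS -> C: E_Kc[Kc,tgs || IDtgs || TS2 || Lifetime2 || Ticket_tgs]"""
    idc, idtgs, _ts1 = msg1
    kc_tgs = os.urandom(32)
    ticket_tgs = make_ticket(K_TGS, kc_tgs, idc, adc, idtgs, now)
    return E(AS_DB[idc], {"Kc,tgs": kc_tgs.hex(), "IDtgs": idtgs, "TS2": now,
                          "Lifetime2": LIFETIME, "Tickettgs": ticket_tgs.hex()})


def tgs_exchange(msg3, now):
    """(3) C -> TGS: IDv || Ticket_tgs || Authenticator_c   (4) TGS -> C: E_Kc,tgs[Kc,v || IDv || TS4 || Ticket_v]"""
    idv, ticket_tgs, auth = msg3
    t, kc_tgs, _ = check_ticket(ticket_tgs, auth, K_TGS, "tgs", now)
    kc_v = os.urandom(32)
    ticket_v = make_ticket(K_V, kc_v, t["IDc"], t["ADc"], idv, now)
    return E(kc_tgs, {"Kc,v": kc_v.hex(), "IDv": idv, "TS4": now, "Ticketv": ticket_v.hex()})


def server_exchange(msg5, now):
    """(5) C -> V: Ticket_v || Authenticator_c   (6) V -> C: E_Kc,v[TS5 + 1]"""
    ticket_v, auth = msg5
    _, kc_v, ts5 = check_ticket(ticket_v, auth, K_V, "fileserver", now)
    return E(kc_v, {"TS5+1": ts5 + 1})


def client_login(idc, password, adc, now):
    """Runs messages 1-6 as the client. Returns (msg5, Kc,v, True if V proved it knows Kc,v)."""
    kc = derive_key(password)
    m2 = D(kc, as_exchange((idc, "tgs", now), adc, now))      # raises if the password is wrong
    kc_tgs, ticket_tgs = bytes.fromhex(m2["Kc,tgs"]), bytes.fromhex(m2["Tickettgs"])
    auth3 = E(kc_tgs, {"IDc": idc, "ADc": adc, "TS": now})   # Authenticator_c = E_Kc,tgs[IDc || ADc || TS3]
    m4 = D(kc_tgs, tgs_exchange(("fileserver", ticket_tgs, auth3), now))
    kc_v, ticket_v = bytes.fromhex(m4["Kc,v"]), bytes.fromhex(m4["Ticketv"])
    auth5 = E(kc_v, {"IDc": idc, "ADc": adc, "TS": now})     # Authenticator_c = E_Kc,v[IDc || ADc || TS5]
    msg5 = (ticket_v, auth5)
    m6 = D(kc_v, server_exchange(msg5, now))
    return msg5, kc_v, m6["TS5+1"] == now + 1


def server_accepts(msg5, later):
    """Does V accept a copy of message (5) presented at time `later`? Shows the replay window."""
    try:
        server_exchange(msg5, later)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    now = 1_700_000_000
    msg5, _, ok = client_login("ABTOKLAS", "constructed-password", "10.0.0.7", now)
    print("mutual authentication:", ok)
    print("captured (5) replayed 10 s later is accepted:", server_accepts(msg5, now + 10))
    print("captured (5) replayed after the skew window:", server_accepts(msg5, now + SKEW + 1))
```

The last two lines of the demo show the trade-off stated on the "Problems" slide: a copy of message (5) stolen and presented inside the clock-skew window is accepted, but the same copy is rejected once the authenticator's timestamp is stale, and it is rejected outright once Ticket_v's lifetime has passed; the wrong password never opens message (2), since Kc is derived from it.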
Summary
Summarize the lecture based on your learning
