Internet Authentication Applications - Integrated Computer Security - Lecture Slides, Slides of Computer Security

These lecture slides give an easy-to-follow introduction to the Integrated Computer Security course. The major points in these lecture slides are: Internet Authentication Applications, Kerberos, Initially Developed, Commercially Supported Versions, Trusted Third Party, Identity, Identity to Clients, Kerberos Server, Kerberos Protocol

Typology: Slides

2012/2013

Uploaded on 04/25/2013

bageshri

Lecture 23

Internet Authentication Applications

Kerberos Overview

  • initially developed at MIT
  • software utility available in both the public domain and in commercially supported versions
  • issued as an Internet standard and is the de facto standard for remote authentication
  • overall scheme is that of a trusted third party authentication service
  • requires that a user prove his or her identity for each service invoked and requires servers to prove their identity to clients

Kerberos Protocol

  • use an Authentication Server (AS)
    • user initially negotiates with AS for identity verification
    • AS verifies identity and then passes information on to an application server which will then accept service requests from the client
  • need to find a way to do this in a secure way
    • if client sends user’s password to the AS over the network an opponent could observe the password
    • an opponent could impersonate the AS and send a false validation
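A toy model of the AS exchange in Python, added here as an illustration of the two threats above and not taken from the slides: the client never sends the password, both sides derive the user's key from it, and the AS proves itself by returning a reply sealed under that key. The realm, the sample user and the HMAC-based toy cipher are constructed assumptions, standing in for the real Kerberos encryption types.

```python
import hashlib, hmac, json, os, time
from typing import Optional

REALM = "EXAMPLE.COM"                 # constructed sample realm

def derive_key(password: str, user: str) -> bytes:
    # Kerberos "string-to-key" idea: both client and AS derive the user's
    # long-term key from the password; the password itself is never sent.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), (REALM + user).encode(), 10000)

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), "sha256").digest()
        ctr += 1
    return out[:n]

def seal(key: bytes, data: dict) -> bytes:
    # Toy authenticated encryption (HMAC keystream + HMAC tag); demo only,
    # standing in for the Kerberos encryption types.
    nonce, plain = os.urandom(16), json.dumps(data).encode()
    body = bytes(p ^ s for p, s in zip(plain, _keystream(key, nonce, len(plain))))
    return nonce + body + hmac.new(key, nonce + body, "sha256").digest()

def unseal(key: bytes, blob: bytes) -> Optional[dict]:
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, "sha256").digest()):
        return None  # wrong key or tampered blob: an impostor AS ends up here
    return json.loads(bytes(b ^ s for b, s in zip(body, _keystream(key, nonce, len(body)))))

# The AS keeps derived keys, never passwords; TGS_KEY is shared by AS and TGS.
AS_DB = {"alice": derive_key("correct horse", "alice")}   # constructed sample user
TGS_KEY = os.urandom(32)

def as_exchange(user: str) -> Optional[bytes]:
    # AS_REQ carries only the principal name; AS_REP is sealed under the
    # user's key, so only a holder of the password can read it.
    k_user = AS_DB.get(user)
    if k_user is None:
        return None
    session = os.urandom(16).hex()
    tgt = seal(TGS_KEY, {"user": user, "session": session, "exp": time.time() + 600})
    return seal(k_user, {"realm": REALM, "session": session, "tgt": tgt.hex()})

def client_login(user: str, password: str, as_rep: bytes) -> Optional[dict]:
    # The client re-derives the key locally: a wrong password, or a reply
    # forged by someone impersonating the AS, fails to unseal.
    return unseal(derive_key(password, user), as_rep)
```

The ticket-granting ticket inside the reply is sealed under TGS_KEY, which the client never holds, so it can forward the ticket but not read or alter it.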


Kerberos Realms

  • if multiple realms:
    • their Kerberos servers must share a secret key and trust the Kerberos server in the other realm to authenticate its users
    • participating servers in the second realm must also be willing to trust the Kerberos server in the first realm


Kerberos Performance Issues

  • we see larger client-server installations
  • Kerberos performance impact in a large-scale environment:
    • very little if system is properly configured
    • tickets are reusable which reduces traffic
  • Kerberos security is best assured by placing the Kerberos server on an isolated machine
  • motivation for multiple realms is administrative
    • not performance related

Certificate Authority (CA)

a certificate consists of:

  • a public key plus a User ID of the key owner
  • signed by a trusted third party
  • typically the third party is a CA that is trusted by the user community (such as a government agency or a financial institution)

a user can present his or her public key to the authority in a secure manner and obtain a certificate

  • user can then publish the certificate
  • anyone needing this user’s public key can obtain the certificate and verify that it is valid by way of the attached trusted signature

X.509 Authentication Service

  • universally accepted standard for formatting public-key certificates
  • widely used in network security applications,
    • including IPsec, SSL, SET, and S/MIME
  • part of CCITT X.500 directory service standards
  • uses public-key crypto & digital signatures
  • algorithms not standardized
    • but RSA recommended

X.509 Certificates

PKIX Management Functions

  • registration
  • initialization
  • certification
  • key pair recovery
  • key pair update
  • revocation request
  • cross certification

Federated Identity Management

  • use of common identity management scheme
    • across multiple enterprises and numerous applications
    • supporting many thousands, even millions of users
  • principal elements are:
    • authentication, authorization, accounting, provisioning, workflow automation, delegated administration, password synchronization, self-service password reset, federation

Standards Used

Extensible Markup Language (XML)

characterizes text elements in a document on appearance, function, meaning, or context

Simple Object Access Protocol (SOAP)

for invoking code using XML over HTTP

WS-Security

set of SOAP extensions for implementing message integrity and confidentiality in Web services

Security Assertion Markup Language (SAML)

XML-based language for the exchange of security information between online business partners
