Lecture 23
Internet Authentication Applications
Kerberos Overview
- initially developed at MIT
- software utility available in both the public domain and in commercially supported versions
- issued as an Internet standard and is the de facto standard for remote authentication
- overall scheme is that of a trusted third party authentication service
- requires that a user prove his or her identity for each service invoked and requires servers to prove their identity to clients
Kerberos Protocol
- uses an Authentication Server (AS)
- user initially negotiates with AS for identity verification
- AS verifies identity and then passes information on to an application server which will then accept service requests from the client
- this exchange must itself be done securely, because:
- if client sends user’s password to the AS over the network an opponent could observe the password
- an opponent could impersonate the AS and send a false validation
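As an added illustration (not from the slides) of the AS exchange just described: a simplified Kerberos-style AS request/reply in Python using only standard-library primitives. It assumes a toy HMAC-based sealing routine and PBKDF2 in place of Kerberos's real encryption types and string-to-key function; what it shows is that the password never crosses the network, and that a reply from an impostor AS (which lacks the client's key) cannot be unsealed and is rejected.

```python
import hashlib
import hmac
import json
import os

def derive_key(password: str, realm: str, principal: str) -> bytes:
    # Kerberos string-to-key: the long-term client key is derived from the password
    # at the client and at the AS (assumption: PBKDF2 stands in for the real KDF).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), (realm + principal).encode(), 10_000)

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest() for i in range(length // 32 + 1)]
    return b"".join(blocks)[:length]

def seal(key: bytes, msg: bytes) -> bytes:
    # Toy authenticated encryption (HMAC keystream, encrypt-then-MAC); it stands in
    # for a Kerberos encryption type and is not for production use.
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(msg, _keystream(key, nonce, len(msg))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key: bytes, blob: bytes):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        return None  # MAC fails: wrong password, or a reply forged by an impostor AS
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

class AuthServer:
    def __init__(self, realm: str):
        self.realm, self.client_keys, self.tgs_key = realm, {}, os.urandom(32)

    def register(self, principal: str, password: str) -> None:
        self.client_keys[principal] = derive_key(password, self.realm, principal)

    def as_exchange(self, principal: str):
        # AS_REQ names the principal only; AS_REP = session key + ticket (opaque to
        # the client, sealed under the TGS key), all sealed under the client's key.
        if principal not in self.client_keys:
            return None
        session_key = os.urandom(32).hex()
        ticket = seal(self.tgs_key, json.dumps({"client": principal, "key": session_key}).encode())
        return seal(self.client_keys[principal],
                    json.dumps({"key": session_key, "ticket": ticket.hex()}).encode())

def client_login(server: AuthServer, principal: str, password: str):
    # The client proves it knows the password by decrypting AS_REP; a reply from an
    # AS that does not hold the client's key fails the MAC and is rejected.
    reply = server.as_exchange(principal)
    plain = unseal(derive_key(password, server.realm, principal), reply) if reply else None
    return json.loads(plain) if plain is not None else None
```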
Kerberos Overview (figure)
Kerberos Realms
- if multiple realms:
- their Kerberos servers must share a secret key and trust the Kerberos server in the other realm to authenticate its users
- participating servers in the second realm must also be willing to trust the Kerberos server in the first realm
Kerberos Realms (figure)
Kerberos Performance Issues
- seen in larger client-server installations
- Kerberos performance impact in a large-scale environment:
- very little if system is properly configured
- tickets are reusable which reduces traffic
- Kerberos security is best assured by placing the Kerberos server on an isolated machine
- motivation for multiple realms is administrative
Certificate Authority (CA)
certificate consists of:
- a public key plus a User ID of the key owner
- signed by a trusted third party
- typically the third party is a CA that is trusted by the user community (such as a government agency or a financial institution)
user can present his or her public key to the authority in a secure manner and obtain a certificate
- user can then publish the certificate
- anyone needing this user’s public key can obtain the certificate and verify that it is valid by way of the attached trusted signature
X.509 Authentication Service
- universally accepted standard for formatting public-key certificates
- widely used in network security applications, including IPsec, SSL, SET, and S/MIME
- part of CCITT X.500 directory service standards
- uses public-key crypto & digital signatures
- algorithms not standardized
- but RSA recommended
X.509 Certificates (figure)
PKIX Management Functions
- registration
- initialization
- certification
- key pair recovery
- key pair update
- revocation request
- cross certification
Federated Identity Management
- use of common identity management scheme
- across multiple enterprises and numerous applications
- supporting many thousands, even millions of users
- principal elements are:
- authentication, authorization, accounting, provisioning, workflow automation, delegated administration, password synchronization, self-service password reset, federation
Standards Used
Extensible Markup Language (XML)
characterizes text elements in a document by appearance, function, meaning, or context
Simple Object Access Protocol (SOAP)
for invoking code using XML over HTTP
WS-Security
set of SOAP extensions for implementing message integrity and confidentiality in Web services
Security Assertion Markup Language (SAML)
XML-based language for the exchange of security information between online business partners
Federated Identity Management (figure)