
Network Security

Praptiba S Parmar, Assistant Professor


Computer Science and Engineering Department
CHAPTER-5
Remote User Authentication with Symmetric and Asymmetric Encryption
Remote user authentication with symmetric encryption
Mutual Authentication:
• A two-level hierarchy of symmetric encryption keys can be used to
provide confidentiality for communication in a
distributed environment.
• In general, this strategy involves the use of a trusted key distribution
centre (KDC).
• Each party in the network shares a secret key, known as a master key,
with the KDC.
• The KDC is responsible for generating keys to be used for a short time
over a connection between two parties, known as session keys, and for
distributing those keys using the master keys to protect the
distribution.
1. A → KDC: IDA||IDB||N1
❑ Initiator A contacts the KDC to obtain a session key. A sends its own
identity (IDA), the identity of B (IDB) and a nonce (N1) to the key
distribution centre.
2. KDC → A: E(Ka,[Ks||IDB||N1||E(Kb,[Ks||IDA])])
◻ KDC generates one session key (Ks) for the communication between
A and B and sends it to A in this 2nd step.
◻ KDC replies to A with a single encrypted message.
◻ This encryption is done using the master key (Ka) of A.

3. A → B: E(Kb,[Ks||IDA])
◻ Now A forwards the second portion, E(Kb,[Ks||IDA]), to B. This
part is encrypted using the master key of B.
4. B → A: E(Ks,N2)
◻ In this step authentication is achieved. B sends a message
containing a second nonce (N2) encrypted using the session key Ks.
5. A → B: E(Ks,f(N2))
◻ A replies with a function of that nonce, f(N2), encrypted using the
session key Ks.
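The five-step exchange above, implemented end to end as an added example (this is not code from the slides). E(K, ·) is a toy encrypt-then-MAC construction built from HMAC-SHA256 so the block runs with only the standard library; the identities, the 32-byte master keys and f(N2) = N2 + 1 are assumptions. The check A performs on IDB and N1 in step 2 is what the nonce is for: a replayed KDC reply with an old nonce is rejected.

```python
import hmac, hashlib, os, json

# Toy encrypt-then-MAC standing in for E(K, .), added for illustration only;
# a real implementation would use an authenticated cipher such as AES-GCM.
def _stream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def E(key, obj):                       # returns nonce || ciphertext || tag
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def D(key, blob):                      # verifies the tag before decrypting
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("bad tag")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

def f(n):                              # assumed f(N2) = N2 + 1 for step 5
    return n + 1

def kdc_reply(master, ida, idb, n1):   # step 2: E(Ka,[Ks||IDB||N1||E(Kb,[Ks||IDA])])
    ks = os.urandom(32).hex()
    ticket = E(master[idb], {"Ks": ks, "IDA": ida}).hex()
    return E(master[ida], {"Ks": ks, "IDB": idb, "N1": n1, "ticket": ticket})

def a_open_reply(ka, blob, idb, n1):   # A must check IDB and N1 before trusting Ks
    m = D(ka, blob)
    if m["IDB"] != idb or m["N1"] != n1:
        raise ValueError("stale or mis-addressed KDC reply (possible replay)")
    return bytes.fromhex(m["Ks"]), bytes.fromhex(m["ticket"])

def run_protocol(master, ida="A", idb="B", replay=None):
    n1 = int.from_bytes(os.urandom(8), "big")                   # step 1: A -> KDC
    reply = replay if replay is not None else kdc_reply(master, ida, idb, n1)
    ks, ticket = a_open_reply(master[ida], reply, idb, n1)
    t = D(master[idb], ticket)                                  # step 3: B opens ticket
    ks_b, n2 = bytes.fromhex(t["Ks"]), int.from_bytes(os.urandom(8), "big")
    challenge = E(ks_b, n2)                                     # step 4: B -> A
    response = E(ks, f(D(ks, challenge)))                       # step 5: A -> B
    return t["IDA"] == ida and ks == ks_b and D(ks_b, response) == f(n2)
```

`master` is a dict mapping each party's ID to the master key it shares with the KDC; `run_protocol` returns True only when B's ticket names A, both sides hold the same Ks, and the f(N2) response verifies.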

One Way Authentication

❑ With some refinement, the KDC strategy is a candidate for
encrypted electronic mail.
❑ Here we wish to avoid requiring that the recipient B be online at the
same time as the sender, so steps 4 and 5 must be eliminated from the
Needham-Schroeder protocol.
❑ So only 3 steps of the Needham-Schroeder protocol are performed;
this is called one way authentication.
1. A → KDC: IDA||IDB||N1
◻ User A communicates with the KDC and obtains a session key from
it.
2. KDC → A: E(Ka,[Ks||IDB||N1])||E(Kb,[Ks||IDA])
◻ KDC replies with the session key. There are two messages: one is
encrypted using the master key of A and the 2nd is encrypted using the
master key of B.
3. A → B: E(Kb,[Ks||IDA])||E(Ks,M)
◻ A also sends a message M encrypted using the session key Ks.

◻ The session key reaches B in this same step, so there is no need
for steps 4 and 5.

◻ This approach guarantees that only the intended recipient of a message
will be able to read it.
Remote user authentication with asymmetric encryption
Mutual Authentication:
1. E(PUb,[N1||IDA])
◻ User A sends a request to user B. This request message is
encrypted using the public key of B.
◻ After decrypting this message, user B obtains two items: the
nonce N1 and the identity of A (IDA).
2. E(PUa,[N1||N2])
◻ This reply message is encrypted using the public key of user A, so
it can be decrypted only with the private key of user A.
3. E(PUb,N2)
◻ User A sends a message to user B which is encrypted using the
public key of B.
4. E(PUb,E(PRa,Ks))
◻ User A sends a secret (session) key Ks to B. User B receives that message
and decrypts it using the private key of B.
◻ After that decryption, the content of the message is still encrypted
using the private key of A, so B needs A's public key to recover Ks.
One Way Authentication:
Whenever communication takes place over a non-secure network, the focus
is on two main areas:
1. Confidentiality
2. Authentication
If confidentiality is the primary concern, then the following may be
more efficient:
A → B: E(PUb,Ks)||E(Ks,M)
For example, when user A wants to communicate with user B, the
message (M) is encrypted using a session key and the session key (Ks) is
encrypted using the public key (PUb) of user B.
This is more efficient than simply encrypting the entire message with
B's public key.
If authentication is the primary concern, then a digital signature may
suffice:
A → B: M||E(PRa,H(M))
User A sends the message to B. In this method, the message is
appended with a digital signature: the hash H(M) encrypted using the
private key of A (PRa).
User B decrypts that digital signature with the public key of A to recover
H(M), recomputes the hash of the received M and compares the two. If they
match, authentication is achieved.
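Both one-way patterns above, E(PUb,Ks)||E(Ks,M) and M||E(PRa,H(M)), as an added example that is not the slides' own code. It uses a toy RSA over fixed Mersenne primes with no padding; the tiny moduli, the XOR keystream standing in for E(Ks,M) and the reduction of H(M) modulo n are assumptions made so the block runs on the standard library alone.

```python
import hashlib, os

# Added toy RSA over fixed Mersenne primes (2^61-1, 2^89-1, 2^107-1, 2^127-1). No
# padding and tiny moduli: it shows the message patterns, not a secure implementation.
def keypair(p, q):
    n, e = p * q, 65537
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))    # (PU, PR)

PU_B, PR_B = keypair((1 << 61) - 1, (1 << 89) - 1)
PU_A, PR_A = keypair((1 << 107) - 1, (1 << 127) - 1)

def rsa(key, x):                 # E(PU, x) or E(PR, x): modular exponentiation
    n, exp = key
    return pow(x, exp, n)

def xor_stream(ks, data):        # stand-in for E(Ks, M); a real system uses AES-GCM
    stream = b"".join(hashlib.sha256(ks + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def send_confidential(pu_b, m):  # A -> B: E(PUb, Ks) || E(Ks, M)
    ks = os.urandom(16)          # 128-bit session key, well below the toy modulus
    return rsa(pu_b, int.from_bytes(ks, "big")), xor_stream(ks, m)

def recv_confidential(pr_b, wrapped_ks, ct):   # only PRb recovers Ks, then M
    ks = rsa(pr_b, wrapped_ks).to_bytes(16, "big")
    return xor_stream(ks, ct)

def h_int(key, m):               # H(M) reduced into the signing modulus
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % key[0]

def sign(pr_a, m):               # A -> B: M || E(PRa, H(M))
    return m, rsa(pr_a, h_int(pr_a, m))

def verify(pu_a, m, sig):        # B: E(PUa, sig) must equal a freshly computed H(M)
    return rsa(pu_a, sig) == h_int(pu_a, m)
```

Only the short Ks goes through the public-key operation, which is the efficiency point the slide makes; the signature check fails on any change to M or when verified with the wrong public key.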
Kerberos

❑ Kerberos provides a centralized authentication server whose
function is to authenticate users to servers and servers to users.
❑ In Kerberos, an Authentication Server and a database are used for client
authentication.
❑ Kerberos runs as a third-party trusted server known as the Key
Distribution Center (KDC).
The main components of Kerberos are:
◻ Authentication Server (AS):
The Authentication Server performs the initial authentication and issues a
ticket for the Ticket Granting Service.

◻ Database:
The Authentication Server verifies the access rights of users in the
database.

◻ Ticket Granting Server (TGS):
The Ticket Granting Server issues the ticket for the Server.
Kerberos – Simple Dialogue
Ticket
◻ Each request for a service requires a ticket. A ticket provides
a single client with access to a single server.
◻ Tickets are dispensed by the "ticket granting server" (TGS),
which has knowledge of all the encryption keys.
◻ Tickets are meaningless to clients; they simply use them to
gain access to servers.
◻ The TGS seals (encrypts) each ticket with the secret
encryption key of the server.
◻ Sealed tickets can be sent safely over a network - only the
server can make sense of them.
◻ Each ticket has a limited lifetime (a few hours).
Ticket Contents
◻ Client name (user login name)
◻ Server name
◻ Client host network address
◻ Session key for client/server
◻ Ticket lifetime
◻ Creation timestamp
Kerberos
Step-1:
The user logs in and requests services on the host; thus the user requests a
ticket-granting ticket.

Step-2:
The Authentication Server verifies the user's access rights using the database
and then returns a ticket-granting ticket and a session key. The results are
encrypted using the password of the user.

Step-3:
The message is decrypted using the password, then the ticket is sent to the
Ticket Granting Server. The ticket carries authenticating data such as user
names and network addresses.

Step-4:
The Ticket Granting Server decrypts the ticket sent by the user, verifies the
request using the authenticator, then creates the ticket for requesting
services from the Server.

Step-5:
The user sends the ticket and authenticator to the Server.

Step-6:
The server verifies the ticket and authenticator, then grants access to the
service. After this the user can access the services.
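The verification the server performs in Step-6 on the ticket and authenticator, as an added example that is not part of the slides. The ticket fields follow the Ticket Contents list above; the sealing of the ticket under the server's key is left out so the checks stay readable, and the 300-second clock-skew window and the cache of already-seen authenticators are assumptions modelled on typical Kerberos deployments.

```python
import time

# Added illustration of the server-side checks on a Kerberos ticket + authenticator.
# In real Kerberos the ticket arrives sealed under the server's key; here it is a
# plain dict (sealing omitted, an assumption) so each check is visible.
MAX_SKEW = 300          # seconds; assumed tolerance for the authenticator timestamp

def make_ticket(client, server, addr, session_key, lifetime, now=None):
    now = time.time() if now is None else now
    return {"client": client, "server": server, "addr": addr,
            "skey": session_key, "created": now, "lifetime": lifetime}

def make_authenticator(client, addr, now=None):
    return {"client": client, "addr": addr, "ts": time.time() if now is None else now}

def check_ticket(ticket, auth, my_name, peer_addr, now=None, seen=None):
    """Return (session_key, 'ok') if acceptable, else (None, reason)."""
    now = time.time() if now is None else now
    if ticket["server"] != my_name:
        return None, "ticket issued for another server"
    if not ticket["created"] <= now <= ticket["created"] + ticket["lifetime"]:
        return None, "ticket expired or not yet valid"
    if ticket["addr"] != peer_addr or auth["addr"] != peer_addr:
        return None, "network address mismatch (possible stolen ticket)"
    if auth["client"] != ticket["client"]:
        return None, "authenticator does not match ticket holder"
    if abs(now - auth["ts"]) > MAX_SKEW:
        return None, "authenticator outside clock skew window (possible replay)"
    if seen is not None:                     # replay cache of recent authenticators
        key = (auth["client"], auth["ts"])
        if key in seen:
            return None, "authenticator already used (replay)"
        seen.add(key)
    return ticket["skey"], "ok"
```

The address and timestamp checks are why the Ticket Contents list includes the client host address, the lifetime and the creation timestamp: a ticket copied from one host and presented from another, or presented after its lifetime, is refused.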
Kerberos Limitations

◻ Each network service must be modified individually for use with
Kerberos
◻ It doesn't work well in a timeshare environment
◻ Requires a secured Kerberos server
◻ Requires an always-on Kerberos server
◻ Stores all passwords encrypted with a single key
◻ Assumes workstations are secure
◻ May result in cascading loss of trust.
◻ Scalability
www.paruluniversity.ac.in
