Digital Signatures 10
Certificate Authority 11
Revocation of Certificate 12
PROBLEM BEFORE KERBEROS
• Terms:
• C = Client
• AS = authentication server
• V = server
• IDc = identifier of user on C
• IDv = identifier of V
• Pc = password of user on C
• ADc = network address of C
• Kv = secret encryption key shared by AS and V
• TS = timestamp
• || = concatenation
A SIMPLE AUTHENTICATION DIALOGUE
Problems:
Lifetime associated with the ticket-granting ticket:
(1) If too short, the user is repeatedly asked for the password
(2) If too long, there is a greater opportunity for replay
The threat is that an opponent will steal the ticket and use it before
it expires.
KERBEROS VERSION 4
[Figure: Kerberos version 4 inter-realm exchange. Once per user logon session: Client obtains a ticket for the local TGS from the AS (step 2. Ticket for local TGS), then 3. Request ticket for remote TGS and 4. Ticket for remote TGS, via the TGS, to reach a Server in Realm B.]
KERBEROS - EXAMPLE
The reason is that when the user wants to access a new service
(within the same logon session), the workstation can obtain a particular
service ticket from the TGS by using the cached ticket-granting ticket.
Similarly, the service ticket can also be used multiple times to
access the same service server.
In addition, the code for obtaining tickets can be implemented as
transparent procedures, i.e., the user may not notice that
authentication is taking place at all.
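The following is an added example, not code from the slides, that models the two points above in one place: the ticket lifetime trade-off (a short lifetime means repeated password prompts, a long one means a stolen ticket stays usable for longer), and the reuse of a cached ticket-granting ticket to obtain service tickets without prompting the user again. It uses the slide's notation (C, AS, TGS, V, IDc, Pc, ADc, Kv, TS). The keys, password database and addresses are constructed for the demo, and tickets are sealed with an HMAC under the server's key as a stand-in for E(Kv, [...]); this is not Kerberos' real message format or cryptography.

```python
"""Kerberos-style tickets with lifetimes (added example, constructed values)."""
import hashlib
import hmac
import json

# Constructed keys and user database for the demo.
K_TGS = b"tgs-secret-key"                # shared by AS and TGS
K_V = b"server-v-secret-key"             # Kv: shared by TGS and V
PASSWORDS = {"alice": "correct horse"}   # Pc as known to the AS


def seal(key, fields):
    """Stand-in for E(K, [...]): the body is readable but integrity-protected."""
    body = json.dumps(fields, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def unseal(key, ticket):
    """Return the ticket fields, or None if the tag does not verify under key."""
    expect = hmac.new(key, ticket["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expect, ticket["tag"]):
        return None
    return json.loads(ticket["body"])


def ticket_valid(fields, id_c, ad_c, now):
    """Checks every server applies: claimed identity, network address, lifetime."""
    return (fields["IDc"] == id_c and fields["ADc"] == ad_c
            and fields["TS"] <= now < fields["TS"] + fields["lifetime"])


def as_login(id_c, p_c, ad_c, now, lifetime):
    """AS: verify the password once, return a ticket-granting ticket under K_TGS."""
    if PASSWORDS.get(id_c) != p_c:
        return None
    return seal(K_TGS, {"IDc": id_c, "ADc": ad_c, "IDv": "tgs",
                        "TS": now, "lifetime": lifetime})


def tgs_service_ticket(tgt, id_c, id_v, ad_c, now, lifetime):
    """TGS: accept a valid TGT, return a service ticket for id_v sealed under Kv."""
    f = unseal(K_TGS, tgt)
    if f is None or f["IDv"] != "tgs" or not ticket_valid(f, id_c, ad_c, now):
        return None
    return seal(K_V, {"IDc": id_c, "ADc": ad_c, "IDv": id_v,
                      "TS": now, "lifetime": lifetime})


def server_accepts(ticket, id_c, ad_c, now):
    """V: accept only a ticket that opens under Kv, names V, and is still valid."""
    f = unseal(K_V, ticket)
    return f is not None and f["IDv"] == "v" and ticket_valid(f, id_c, ad_c, now)


class Workstation:
    """Client C: prompts for the password once per logon session, caches the TGT."""

    def __init__(self, id_c, ad_c):
        self.id_c, self.ad_c = id_c, ad_c
        self.tgt, self.password_prompts = None, 0

    def logon(self, p_c, now, lifetime=3600):
        self.password_prompts += 1
        self.tgt = as_login(self.id_c, p_c, self.ad_c, now, lifetime)
        return self.tgt is not None

    def service_ticket(self, id_v, now, lifetime=600):
        # Transparent to the user: the cached TGT is reused, no new prompt.
        if self.tgt is None:
            return None
        return tgs_service_ticket(self.tgt, self.id_c, id_v, self.ad_c, now, lifetime)


def demo():
    """Run the scenario and report what each party decided (times are seconds)."""
    c = Workstation("alice", "10.0.0.5")
    c.logon("correct horse", now=0)
    t1 = c.service_ticket("v", now=100)        # TGT still valid, no new prompt
    t2 = c.service_ticket("v", now=200)        # same cached TGT serves again
    late = c.service_ticket("v", now=5000)     # TGT lifetime (3600) exceeded
    return {
        "password_prompts": c.password_prompts,
        "tickets_without_reprompt": t1 is not None and t2 is not None,
        "expired_tgt_refused": late is None,
        "legitimate_use": server_accepts(t1, "alice", "10.0.0.5", now=150),
        # A copied ticket presented from another address fails the ADc check.
        "copied_ticket_other_address": server_accepts(t1, "alice", "10.0.0.9", now=150),
        # The slide's threat: the ticket stays usable until its lifetime ends.
        "copied_ticket_before_expiry": server_accepts(t1, "alice", "10.0.0.5", now=500),
        "copied_ticket_after_expiry": server_accepts(t1, "alice", "10.0.0.5", now=800),
    }
```

The dictionary returned by demo() makes the trade-off concrete: lengthening the lifetimes passed to logon() and service_ticket() reduces password prompts but extends the window in which copied_ticket_before_expiry stays True. Real Kerberos narrows that window further with an authenticator that the server checks alongside the ticket, which this simplified model omits.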
KERBEROS VERSION 5
KERBEROS - EXAMPLE
To use Kerberos:
need to have a KDC on your network
need to have Kerberised applications running on all participating
systems
major problem - US export restrictions
Kerberos cannot be directly distributed outside the US in source format
(& binary versions must obscure crypto routine entry points and have no
encryption)
else crypto libraries must be reimplemented locally
PUBLIC KEY CERTIFICATE – X.509
[Figure: Public key encryption between Bob and Alice over the Internet. Bob encrypts plaintext with Alice's public key to produce ciphertext. STOP!!!! Are you sure that public key really belongs to ALICE?? A CA (e.g. Verisign) issues a certificate carrying Alice's ID and Alice's public key under the CA's digital signature; Bob compares the certified key with the one he holds before encrypting.]
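As an added example that is not part of the slides, the following shows the check the figure calls for: Bob refuses to encrypt to a key unless a certificate binding that key to Alice's identity verifies under the CA's public key. It uses textbook RSA with small fixed primes so that it runs with the Python standard library only; the key sizes, the hash-then-reduce "padding", the CA name and every key value are constructed for illustration and are not secure or representative of real X.509 processing.

```python
"""Why Bob checks a CA-signed certificate before trusting 'Alice's' public key.
Added example with toy RSA on small fixed primes: NOT secure, illustration only."""
import hashlib
import json

E = 65537  # public exponent shared by all toy keys


def make_toy_keypair(p, q):
    """Textbook RSA from two fixed primes (constructed, far too small for use)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(E, -1, phi)
    return {"n": n, "e": E}, {"n": n, "d": d}


def digest_int(data, n):
    """Hash the data and reduce it below the toy modulus (real RSA uses padding)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def canonical(cert):
    """Fixed serialization so signer and verifier hash identical bytes."""
    return json.dumps(cert, sort_keys=True, separators=(",", ":")).encode()


def ca_sign(cert, ca_priv):
    """CA: sign the certificate contents with its private key."""
    return pow(digest_int(canonical(cert), ca_priv["n"]), ca_priv["d"], ca_priv["n"])


def verify_certificate(cert, signature, ca_pub, expected_subject):
    """Verifier: the CA signature must check out AND the subject must be who we want."""
    recovered = pow(signature, ca_pub["e"], ca_pub["n"])
    sig_ok = recovered == digest_int(canonical(cert), ca_pub["n"])
    return sig_ok and cert["subject"] == expected_subject


# Constructed CA and end-entity keys (toy primes, assumed values).
CA_PUB, CA_PRIV = make_toy_keypair(998244353, 1000000007)
ALICE_PUB = {"n": 1000000009 * 1000000021, "e": E}
ALICE_CERT = {"subject": "Alice", "issuer": "ToyCA", "public_key": ALICE_PUB}
ALICE_SIG = ca_sign(ALICE_CERT, CA_PRIV)
OTHER_PUB = {"n": 1000000033 * 1000000087, "e": E}  # a key that is not Alice's


def bob_trusts(cert, signature):
    """Return the key Bob will encrypt to, or None if the CA does not vouch
    that this key belongs to Alice."""
    if not verify_certificate(cert, signature, CA_PUB, "Alice"):
        return None
    return cert["public_key"]


def substituted_key_cert():
    """Alice's certificate with the public key swapped: the CA signature no
    longer matches the contents, so the substitution is detected."""
    return dict(ALICE_CERT, public_key=OTHER_PUB), ALICE_SIG


def wrong_subject_cert():
    """A genuinely CA-signed certificate, but for a different subject: the
    signature verifies, yet Bob must still not use it as Alice's key."""
    cert = {"subject": "Carol", "issuer": "ToyCA", "public_key": OTHER_PUB}
    return cert, ca_sign(cert, CA_PRIV)
```

Both failure paths matter in practice: a tampered certificate fails the signature check, while a perfectly valid certificate for the wrong subject fails the name comparison. Skipping either check is a common real-world mistake, and a production verifier additionally checks validity dates, the certificate chain and revocation status, none of which this toy models.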
DIGITAL SIGNATURES
TYPICAL DIGITAL SIGNATURE APPROACH
DIGITAL SIGNATURE