Chapter 23 - Internet Authentication Applications

Kerberos

• unsecured networks prone to man-in-the-middle attacks that compromise sensitive data

• Kerberos: standard, public-domain-based remote authentication protocol

• developed by MIT

• trusted third party

• requires user to prove identity for each service + servers prove identity to each client

• Kerberos anatomy/servers - “realm”

  • client - person that request authentication

  • application - resource client tries to access

  • Kerberos - in between client + app

    • Includes authentication server to verify identity

    • ticketing server to avoid direct sensitive exchange of data

• 3 TGT exchanges

  • client authentication request: client logs in + requests application → authentication server → once match create encrypted ticket granting ticket (TGT) → sends TGT back to client

    • TGT contains the session key + message

      • multiple realms should have a shared secret key

  • authentication server response: client sends TGT to ticketing server → Ticket Granting Server (TGS) further encrypts with session key → validates and grants TGT back to client

  • client sents TGT to application server → application creates a service ticket → client service ticket to host

• TGT removes need for sending passwords over unsecure network, allows use of encrypted tickets

  • Differentiate from hashing

  • reduces risk of theft or interception

• Version 4 Kerberos widely used since 1980s

• Used DES (low key bits)

• Version 5 addressed scalability of DES by using AES

  • Also promoted cross realm authentication

• Kerberos designed for large-scale, muti-realm servers

• Kerberos must be installed securely and isolated

Certificate Authroity (CA)

• certificate authority assigns public key to an owner to prevent impersonation

• a certificate is created by a trusted, third party that actually binds the key w/ its owner

  • CA belongs to trusted authorites

• X.509 is the digital standard for public key certificates for most security applications

• Contains:

  • Subject - identity of certificate owner

  • Public Key of certificate owner

  • Issuer - CA

  • Validity

  • Digital Signature of above

• Long-lived certificates have high validity and don’t require much renewal

• Short-lived certificates have limited validity as they bypass

• Proxy certificates address short-lived certificate demerits and are acknowledged using extensions

• Attribute certificates have validity based on roles/attributes over identity (eg. admins)

Public Key Infrastructure

• Public Key Infrastructure (PKI) all assets that create public keys

• Includes:

  • CA

  • Registration Authority (RA) - authenticates a certificate that refers to CA

  • Digital Certificates

  • Trust Store - repository of all the certificates (includes unused certificates)

Summary

• Kerberos

  • Realms

  • Versions

  • Requirements

• Certificate Authority

  • X.509

• Public Key Infrastructure