1. Authentication ApplicationsAuthentication Applications
We cannot enter into alliance withWe cannot enter into alliance with
neighbouring princes until we areneighbouring princes until we are
acquainted with their designs.acquainted with their designs.
——The Art of WarThe Art of War, Sun Tzu, Sun Tzu

2. Authentication ApplicationsAuthentication Applications
 will consider authentication functionswill consider authentication functions
 developed to support application-developed to support application-
level authentication & digitallevel authentication & digital
signaturessignatures
 will consider Kerberos – a private-will consider Kerberos – a private-
key authentication servicekey authentication service
 then X.509 directory authenticationthen X.509 directory authentication
serviceservice

3. KerberosKerberos
 trusted key server system from MITtrusted key server system from MIT
 provides centralised private-keyprovides centralised private-key
third-party authentication in athird-party authentication in a
distributed networkdistributed network
• allows users access to servicesallows users access to services
distributed through networkdistributed through network
• without needing to trust all workstationswithout needing to trust all workstations
• rather all trust a central authenticationrather all trust a central authentication
serverserver
 two versions in use: 4 & 5two versions in use: 4 & 5

4. Kerberos RequirementsKerberos Requirements
 first published report identified itsfirst published report identified its
requirements as:requirements as:
• security-an eavesdropper shouldn’t be able to getsecurity-an eavesdropper shouldn’t be able to get
enough information to impersonate the userenough information to impersonate the user
• reliability- services using Kerberos would bereliability- services using Kerberos would be
unusable if Kerberos isn’t availableunusable if Kerberos isn’t available
• transparency-users should be unaware of itstransparency-users should be unaware of its
presencepresence
• scalability- should support large number of usersscalability- should support large number of users
 implemented using a 3implemented using a 3rdrd
party authenticationparty authentication
scheme using a protocol proposed byscheme using a protocol proposed by
Needham-Schroeder (NEED78)Needham-Schroeder (NEED78)

5. Kerberos 4 OverviewKerberos 4 Overview
 a basic third-party authentication schemea basic third-party authentication scheme
• uses DES buried in an elaborate protocoluses DES buried in an elaborate protocol

Authentication Server (AS)Authentication Server (AS)
• user initially negotiates with AS to identify selfuser initially negotiates with AS to identify self
• AS provides a non-corruptible authenticationAS provides a non-corruptible authentication
credential (ticket-granting ticket TGT)credential (ticket-granting ticket TGT)
 Ticket Granting server (TGS)Ticket Granting server (TGS)
• users subsequently request access to otherusers subsequently request access to other
services from TGS on basis of users TGTservices from TGS on basis of users TGT

6. Kerberos 4 OverviewKerberos 4 Overview

7. Kerberos RealmsKerberos Realms
 a Kerberos environment consists of:a Kerberos environment consists of:
• a Kerberos servera Kerberos server
• a number of clients, all registered with servera number of clients, all registered with server
• application servers, sharing keys with serverapplication servers, sharing keys with server
 this is termed a realmthis is termed a realm
• typically a single administrative domaintypically a single administrative domain
 if have multiple realms, their Kerberosif have multiple realms, their Kerberos
servers must share keys and trustservers must share keys and trust

8. Kerberos Version 5Kerberos Version 5
 developed in mid 1990’sdeveloped in mid 1990’s
 provides improvements over v4provides improvements over v4
• addresses environmental shortcomingsaddresses environmental shortcomings
 encryption algorithm, network protocol, byte order,encryption algorithm, network protocol, byte order,
ticket lifetime, authentication forwarding, inter-realmticket lifetime, authentication forwarding, inter-realm
authenticationauthentication
• and technical deficienciesand technical deficiencies
 double encryption, non-standard mode of use,double encryption, non-standard mode of use,
session keys, password attackssession keys, password attacks
 specified as Internet standard RFC 1510specified as Internet standard RFC 1510

9. X.509 Authentication ServiceX.509 Authentication Service
 part of CCITT X.500 directory servicepart of CCITT X.500 directory service
standardsstandards
• distributed servers maintaining some info databasedistributed servers maintaining some info database
 defines framework for authentication servicesdefines framework for authentication services
• directory may store public-key certificatesdirectory may store public-key certificates
• with public key of userwith public key of user
• signed by certification authoritysigned by certification authority
 also defines authentication protocolsalso defines authentication protocols
 uses public-key crypto & digital signaturesuses public-key crypto & digital signatures
• algorithms not standardized, but RSAalgorithms not standardized, but RSA
recommendedrecommended

10. X.509 CertificatesX.509 Certificates
 issued by a Certification Authority (CA),issued by a Certification Authority (CA),
containing:containing:
• version (1, 2, or 3)version (1, 2, or 3)
• serial number (unique within CA) identifying certificateserial number (unique within CA) identifying certificate
• signature algorithm identifiersignature algorithm identifier
• issuer X.500 name (CA)issuer X.500 name (CA)
• period of validity (from - to dates)period of validity (from - to dates)
• subject X.500 name (name of owner)subject X.500 name (name of owner)
• subject public-key info (algorithm, parameters, key)subject public-key info (algorithm, parameters, key)
• issuer unique identifier (v2+)issuer unique identifier (v2+)
• subject unique identifier (v2+)subject unique identifier (v2+)
• extension fields (v3)extension fields (v3)
• signature (of hash of all fields in certificate)signature (of hash of all fields in certificate)
 notationnotation CA<<A>>CA<<A>> denotes certificate for A signeddenotes certificate for A signed
by CAby CA

11. X.509 CertificatesX.509 Certificates

12. Obtaining aObtaining a CertificateCertificate
 any user with access to the publicany user with access to the public
key of the CA can verify the userkey of the CA can verify the user
public key that was certifiedpublic key that was certified
 only the CA can modify a certificateonly the CA can modify a certificate
without being detectedwithout being detected
 cannot be forged, certificates can becannot be forged, certificates can be
placed in a public directoryplaced in a public directory

13. CA HierarchyCA Hierarchy
 if both users share a common CA thenif both users share a common CA then
they are assumed to know its public keythey are assumed to know its public key
 otherwise CA's must form a hierarchyotherwise CA's must form a hierarchy
 use certificates linking members ofuse certificates linking members of
hierarchy to validate other CA'shierarchy to validate other CA's
• each CA has certificates for clients (forward)each CA has certificates for clients (forward)
and parent (backward)and parent (backward)
 each client trusts parents certificateseach client trusts parents certificates
 enable verification of any certificate fromenable verification of any certificate from
one CA by users of all other CAs inone CA by users of all other CAs in
hierarchyhierarchy

14. CA Hierarchy UseCA Hierarchy Use

15. Certificate RevocationCertificate Revocation
 certificates have a period of validitycertificates have a period of validity
 may need to revoke before expiration,may need to revoke before expiration,
eg:eg:
1.1. user's private key is compromiseduser's private key is compromised
2.2. user is no longer certified by this CAuser is no longer certified by this CA
3.3. CA's certificate is compromisedCA's certificate is compromised
 CAs maintain list of revoked certificatesCAs maintain list of revoked certificates
• the Certificate Revocation List (CRLthe Certificate Revocation List (CRL))
 users should check certificates with CA’susers should check certificates with CA’s
CRLCRL

16. Authentication ProceduresAuthentication Procedures
 X.509 includes three alternativeX.509 includes three alternative
authentication procedures:authentication procedures:
• One-Way AuthenticationOne-Way Authentication
• Two-Way AuthenticationTwo-Way Authentication
• Three-Way AuthenticationThree-Way Authentication
 all use public-key signaturesall use public-key signatures

17. NonceNonce
 a nonce is a parameter that variesa nonce is a parameter that varies
with time. A nonce can be a timewith time. A nonce can be a time
stamp, a visit counter on a Webstamp, a visit counter on a Web
page, or a special marker intended topage, or a special marker intended to
limit or prevent the unauthorizedlimit or prevent the unauthorized
replay or reproduction of a file.replay or reproduction of a file.

18. NonceNonce
 fromfrom RFC 2617RFC 2617::
• For applications where no possibility of replayFor applications where no possibility of replay
attack can be tolerated the server can use one-attack can be tolerated the server can use one-
time nonce values which will not be honoredtime nonce values which will not be honored
for a second use. This requires the overhead offor a second use. This requires the overhead of
the server remembering which nonce valuesthe server remembering which nonce values
have been used until the nonce time-stamphave been used until the nonce time-stamp
(and hence the digest built with it) has(and hence the digest built with it) has
expired, but it effectively protects againstexpired, but it effectively protects against
replay attacks.replay attacks.

19. One-Way AuthenticationOne-Way Authentication
 One message ( A->B) used toOne message ( A->B) used to
establishestablish
• the identity of A and that message isthe identity of A and that message is
from Afrom A
• message was intended for Bmessage was intended for B
• integrity & originality (message hasn’tintegrity & originality (message hasn’t
been sent multiple times)been sent multiple times)
 message must include timestamp,message must include timestamp,
nonce, B's identity and is signed by Anonce, B's identity and is signed by A

20. Two-Way AuthenticationTwo-Way Authentication
 Two messages (A->B, B->A) whichTwo messages (A->B, B->A) which
also establishes in addition:also establishes in addition:
• the identity of B and that reply is from Bthe identity of B and that reply is from B
• that reply is intended for Athat reply is intended for A
• integrity & originality of replyintegrity & originality of reply
 reply includes original nonce from A,reply includes original nonce from A,
also timestamp and nonce from Balso timestamp and nonce from B

21. Three-Way AuthenticationThree-Way Authentication
 3 messages (A->B, B->A, A->B) which3 messages (A->B, B->A, A->B) which
enables above authentication withoutenables above authentication without
synchronized clockssynchronized clocks
 has reply from A back to B containing ahas reply from A back to B containing a
signed copy of nonce from Bsigned copy of nonce from B
 means that timestamps need not bemeans that timestamps need not be
checked or relied uponchecked or relied upon

22. X.509 Version 3X.509 Version 3
 has been recognized that additionalhas been recognized that additional
information is needed in a certificateinformation is needed in a certificate
• email/URL, policy details, usage constraintsemail/URL, policy details, usage constraints
 rather than explicitly naming new fields arather than explicitly naming new fields a
general extension method was definedgeneral extension method was defined
 extensions consist of:extensions consist of:
• extension identifierextension identifier
• criticality indicatorcriticality indicator
• extension valueextension value

23. Certificate ExtensionsCertificate Extensions
 key and policy informationkey and policy information
• convey info about subject & issuer keys,convey info about subject & issuer keys,
plus indicators of certificate policyplus indicators of certificate policy
 certificate subject and issuercertificate subject and issuer
attributesattributes
• support alternative names, in alternativesupport alternative names, in alternative
formats for certificate subject and/orformats for certificate subject and/or
issuerissuer
 certificate path constraintscertificate path constraints
• allow constraints on use of certificatesallow constraints on use of certificates
by other CA’sby other CA’s