
Authentication: can be defined as determining an identity to the required level of assurance.

Authentication applications: deal with the authentication functions that have been developed to
support application-level authentication

Authentication Applications

Developed to support application-level authentication and digital signatures

Most widely used services:

Kerberos

X.509

Kerberos: a private-key (symmetric-key) authentication service

X.509: a public-key directory authentication service

An authentication service developed for Project Athena at MIT

Provides

strong security on physically insecure networks

a centralized authentication server which authenticates

Users to servers

Servers to users

Relies on conventional encryption rather than public-key encryption

Kerberos is an authentication protocol and a software suite implementing this protocol.


Kerberos uses symmetric cryptography to authenticate clients to services and vice versa.

Other uses of Kerberos include allowing users to log into other machines in a local-area
network, authentication for web services, authenticating email clients and servers, and
authenticating the use of devices such as printers.

Problem: in an open distributed environment, workstations cannot be trusted to identify their users correctly.

Three threats:

A user pretending to be another user from a workstation

Sending requests from an impersonated workstation (altered network address)

Replay attacks to gain service or disrupt operations


Solution:

Building elaborate authentication protocols at each server

A centralized authentication server (Kerberos)

Requirements for KERBEROS

Secure:

An opponent should not find it to be the weak link

Reliable:

One system should be able to back up another

Transparent:

A user should not be aware that authentication is taking place

Scalable:

The system supports a large number of clients and servers

KERBEROS VERSION 4

Version 4 is the most widely used version

Version 4 uses DES

The full Version 4 protocol is built up by looking at several hypothetical dialogues

Version 5 corrects some of the security deficiencies of Version 4

Problem:

An opponent can pretend to be another client and obtain unauthorized privileges on a server machine.

Solution :

Servers must be able to confirm the identities of clients who request service.

Kerberos Version 4: Dialog 1- Simple

Kerberos uses the concept of a ticket as a token that proves the identity of a user. Tickets are digital
documents that store session keys. They are typically issued during a login session and then can be used
instead of passwords for any Kerberized services.

Ticket = E(Kv, [IDc || ADc || IDv])
7/15/2016 KERBEROS 11

C = client

AS = Authentication server

V = Server

IDc = Identifier of user on C

IDv = Identifier of V

Pc = Password of user on C

ADc = Network address of C

Kv = Secret key shared between AS and V (server)

Problem:

1. The number of times the password has to be entered should be minimized.

2. Plaintext transmission of the password

Solution :

1. Ticket-granting server (TGS): issues tickets to users who have been authenticated to the AS.

2. The client can use this ticket to request multiple service-granting tickets.
Kerberos Version 4: Dialog 2 - More Secure
Ticket_tgs = E(Ktgs, [IDc || ADc || IDtgs || TS1 || Lifetime1])

Once per user logon session

Once per type of service

4- Ticket_v

Kerberos Version 4: Dialog 2 - More Secure Cont.

Once per service session

5- Ticket_v + IDc

Ticket_v = E(Kv, [IDc || ADc || IDv || TS2 || Lifetime2])


During the course of authentication, a client receives two tickets:

A ticket-granting ticket (TGT), which acts as a global identifier for a user and a session key

A service ticket, which authenticates a user to a particular service


These tickets include time stamps that indicate an expiration time after which they become invalid. This
expiration time can be set by Kerberos administrators depending on the service. The ticket is encrypted
with a secret key (Kv) known only to the TGS and the server, preventing alteration.

Kerberos Servers

To accomplish secure authentication, Kerberos uses a trusted third party known as a key distribution
center (KDC), which is composed of two components, typically integrated into a single server:

An authentication server (AS), which performs user authentication

A ticket-granting server (TGS), which grants tickets to users

The authentication server keeps a database storing the secret keys of the users and services. The
secret key of a user is typically generated by performing a one-way hash of the user-provided
password. Kerberos is designed to be modular, so that it can be used with a number of encryption
protocols, with AES being the default cryptosystem.

Kerberos aims to centralize authentication for an entire network: rather than storing sensitive
authentication information at each user's machine, this data is maintained only in one presumably
secure location.

Problem (The Version 4 Authentication Dialogue):

1. Lifetime associated with the ticket-granting ticket

If too short, the user is repeatedly asked for the password

If too long, there is a greater opportunity for replay

2. Requirement for servers to authenticate themselves to users.

The AS provides both the client and the TGS with a secret piece of information in a secure manner.

The client can prove its identity to the TGS by revealing the secret information in a secure manner.

This is done by using an encryption key, called the session key in Kerberos.


A technique for distributing the session key is:

Version 4 Authentication Dialogue


Authentication Service Exchange: to obtain a ticket-granting ticket
(1) C → AS: IDc || IDtgs || TS1
(2) AS → C: E(Kc, [Kc,tgs || IDtgs || TS2 || Lifetime2 || Ticket_tgs])

Ticket-Granting Service Exchange: to obtain a service-granting ticket


(3) C → TGS: IDv || Ticket_tgs || Authenticator_c
(4) TGS → C: E(Kc,tgs, [Kc,v || IDv || TS4 || Ticket_v])

Client/Server Authentication Exchange: to obtain service


(5) C → V: Ticket_v || Authenticator_c
(6) V → C: E(Kc,v, [TS5 + 1])

Kerberos: The Version 4 Authentication Dialog

Once per user logon session

Ticket_tgs = E(Ktgs, [Kc,tgs || IDc || ADc || IDtgs || TS2 || Lifetime2])

Kerberos: The Version 4 Authentication Dialog
Cont.

Once per type of service

Ticket_tgs = E(Ktgs, [Kc,tgs || IDc || ADc || IDtgs || TS2 || Lifetime2])


Authenticator_c = E(Kc,tgs, [IDc || ADc || TS3])
Ticket_v = E(Kv, [Kc,v || IDc || ADc || IDv || TS4 || Lifetime4])

3- Ticket_tgs + Authenticator_c + IDv

4- E(Kc,tgs, [Kc,v || IDv || TS4 || Ticket_v])


Kerberos: The Version 4 Authentication Dialog
Cont.

Once per service session

5- Ticket_v + Authenticator_c

6- E(Kc,v, [TS5 + 1])

Ticket_v = E(Kv, [Kc,v || IDc || ADc || IDv || TS4 || Lifetime4])


Authenticator_c = E(Kc,v, [IDc || ADc || TS5])

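As an added example (not from the slides), the six-message Version 4 dialog and the slide figures above simulated in Python, including the checks a TGS or server V performs at steps (3) and (5) and the ticket-lifetime and replay problem listed earlier. E(K, [...]) is modelled by a toy seal/open pair that only checks the right key was used (real Version 4 uses DES), and the identifiers, keys and skew window are constructed values.

```python
SKEW = 300  # seconds of clock skew a server tolerates when checking an authenticator

def E(key, fields):   # toy stand-in for E(K, [f1 || f2 || ...]); not real encryption
    return (key, dict(fields))

def D(key, blob):     # opens a blob only with the key it was sealed under
    if blob[0] != key:
        raise ValueError("wrong key")
    return dict(blob[1])

def make_ticket(Ksrv, Ksession, IDc, ADc, IDsrv, TS, lifetime):
    # Ticket = E(Ksrv, [Ksession || IDc || ADc || IDsrv || TS || Lifetime])
    return E(Ksrv, {"K": Ksession, "IDc": IDc, "ADc": ADc,
                    "ID": IDsrv, "TS": TS, "Lifetime": lifetime})

def verify(Ksrv, ticket, authenticator, IDsrv, now):
    """Checks done by the TGS at step (3) and by V at step (5): open the ticket
    with our own key, then open the authenticator with the session key inside it."""
    t = D(Ksrv, ticket)
    if t["ID"] != IDsrv:
        raise ValueError("ticket issued for another server")
    if now > t["TS"] + t["Lifetime"]:
        raise ValueError("ticket expired")
    a = D(t["K"], authenticator)  # only the genuine C holds the session key
    if (a["IDc"], a["ADc"]) != (t["IDc"], t["ADc"]):
        raise ValueError("authenticator does not match ticket")
    if abs(now - a["TS"]) > SKEW:
        raise ValueError("authenticator too old, possible replay")
    return t["K"], a["TS"]

def dialog(Kc, Ktgs, Kv, now, tgt_lifetime=8 * 3600, svc_lifetime=3600, delay=0):
    """Runs messages (1)-(6); 'delay' holds message (5) before V sees it. Returns "ok" or the rejection."""
    IDc, ADc, IDtgs, IDv = "alice", "10.0.0.5", "tgs", "printsrv"  # constructed ids
    try:
        # (1)/(2): AS sends C the session key Kc,tgs and Ticket_tgs, sealed under Kc
        Kc_tgs, TS2 = "Kc,tgs", now
        ticket_tgs = make_ticket(Ktgs, Kc_tgs, IDc, ADc, IDtgs, TS2, tgt_lifetime)
        m2 = D(Kc, E(Kc, {"K": Kc_tgs, "IDtgs": IDtgs, "TS2": TS2, "Ticket": ticket_tgs}))
        # (3)/(4): C proves it holds Kc,tgs; TGS answers with Kc,v and Ticket_v
        auth_tgs = E(m2["K"], {"IDc": IDc, "ADc": ADc, "TS": now})
        K_seen, _ = verify(Ktgs, m2["Ticket"], auth_tgs, IDtgs, now)
        ticket_v = make_ticket(Kv, "Kc,v", IDc, ADc, IDv, now, svc_lifetime)
        m4 = D(m2["K"], E(K_seen, {"K": "Kc,v", "IDv": IDv, "TS4": now, "Ticket": ticket_v}))
        # (5)/(6): C presents Ticket_v and a fresh authenticator; V replies E(Kc,v, [TS5 + 1])
        auth_v = E(m4["K"], {"IDc": IDc, "ADc": ADc, "TS": now})
        Kcv_seen, ts = verify(Kv, m4["Ticket"], auth_v, IDv, now + delay)
        m6 = D(m4["K"], E(Kcv_seen, {"TS": ts + 1}))
        return "ok" if m6["TS"] == now + 1 else "server failed to prove itself"
    except ValueError as err:
        return f"rejected: {err}"
```

Calling `dialog("Kc", "Ktgs", "Kv", now)` succeeds, while a copy of message (5) presented after the skew window, or a service ticket whose lifetime has run out, is rejected by `verify`.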
Kerberos Overview


Kerberos Realms

A single administrative domain includes:

a Kerberos server

a number of clients, all registered with server

application servers, sharing keys with server

What happens when users in one realm need access to services in other realms?

Kerberos provides inter-realm authentication

Inter-realm Authentication

The Kerberos server in each realm shares a secret key with the servers in other realms.

It requires that:

the Kerberos server in one realm trusts the one in the other realm to authenticate its
users

the second also trusts the Kerberos server in the first realm

Request for Service in another realm:

