Chapter 13: Digital Signatures and Authentication Protocols.ppt

Uploaded by: 创****公  Document ID: 277234  Upload date: 2018-08-17  Format: PPT  Pages: 35  Size: 946.50 KB

PART IV MUTUAL TRUST
- Chapter 14: Key Management and Distribution
- Chapter 15: User Authentication

Chapter 15: User Authentication

User Authentication
- fundamental security building block
  - basis of access control & user accountability
- is the process of verifying an identity claimed by or for a system entity
- has two steps:
  - identification - specify identifier
  - verification - bind entity (person) and identifier
- distinct from message authentication

Means of User Authentication
- four means of authenticating a user's identity
- based on something the individual
  - knows - e.g. password, PIN
  - possesses - e.g. key, token, smartcard
  - is (static biometrics) - e.g. fingerprint, retina
  - does (dynamic biometrics) - e.g. voice, sign
- can use alone or combined
- all can provide user authentication
- all have issues

Authentication Protocols
- used to convince parties of each other's identity and to exchange session keys
- may be one-way or mutual
- key issues are
  - confidentiality - to protect session keys
  - timeliness - to prevent replay attacks

Replay Attacks
- where a valid signed message is copied and later resent
  - simple replay
  - repetition that can be logged
  - repetition that cannot be detected
  - backward replay without modification
- countermeasures include
  - use of sequence numbers (generally impractical)
  - timestamps (needs synchronized clocks)
  - challenge/response (using unique nonce)

One-Way Authentication
- required when sender & receiver are not in communications at same time (e.g. email)
- have header in clear so can be delivered by email system
- may want contents of body protected & sender authenticated

Using Symmetric Encryption
- as discussed previously can use a two-level hierarchy of keys
- usually with a trusted Key Distribution Center (KDC)
  - each party shares own master key with KDC
  - KDC generates session keys used for connections between parties
  - master keys used to distribute these to them

Needham-Schroeder Protocol
- original third-party key distribution protocol
- for session between A and B mediated by KDC
- protocol overview is
  1. A -> KDC: IDA | IDB | N1
  2. KDC -> A: E(Ka, [Ks | IDB | N1 | E(Kb, [Ks | IDA])])
  3. A -> B: E(Kb, [Ks | IDA])
  4. B -> A: E(Ks, [N2])
  5. A -> B: E(Ks, [f(N2)])

Needham-Schroeder Protocol
- used to securely distribute a new session key for communications between A & B
- but is vulnerable to a replay attack if an old session key has been compromised
  - then message 3 can be resent, convincing B that it is communicating with A
- modifications to address this require:
  - timestamps (Denning 81)
  - using an extra nonce (Neuman 93)

One-Way Authentication
- use refinement of KDC to secure email
  - since B not online, drop steps 4 & 5
- protocol becomes:
  1. A -> KDC: IDA | IDB | N1
  2. KDC -> A: E(Ka, [Ks | IDB | N1 | E(Kb, [Ks | IDA])])
  3. A -> B: E(Kb, [Ks | IDA]) | E(Ks, M)
- provides encryption & some authentication
- does not protect from replay attack

Using Public-Key Encryption
- have a range of approaches based on the use of public-key encryption
- need to ensure have correct public keys for other parties
- using a central Authentication Server (AS)
- various protocols exist using timestamps or nonces

Denning AS Protocol
- Denning 81 presented the following:
  1. A -> AS: IDA | IDB
  2. AS -> A: E(PRas, [IDA | PUa | T]) | E(PRas, [IDB | PUb | T])
  3. A -> B: E(PRas, [IDA | PUa | T]) | E(PRas, [IDB | PUb | T]) | E(PUb, E(PRa, [Ks | T]))
- note session key is chosen by A, hence AS need not be trusted to protect it
- timestamps prevent replay but require synchronized clocks

Kerberos
- trusted key server system from MIT
- provides centralised private-key third-party authentication in a distributed network
  - allows users access to services distributed through network
  - without needing to trust all workstations
  - rather all trust a central authentication server
- two versions in use: 4 & 5

Kerberos Requirements
- its first report identified requirements as:
  - secure
  - reliable
  - transparent
  - scalable
- implemented using an authentication protocol based on Needham-Schroeder

Kerberos v4 Overview
- a basic third-party authentication scheme
- have an Authentication Server (AS)
  - users initially negotiate with AS to identify self
  - AS provides a non-corruptible authentication credential (ticket granting ticket, TGT)
- have a Ticket Granting Server (TGS)
  - users subsequently request access to other services from TGS on basis of user's TGT
- using a complex protocol using DES

Kerberos v4 Dialogue

Kerberos 4 Overview

Kerberos Realms
- a Kerberos environment consists of
  - a Kerberos server
  - a number of clients, all registered with server
  - application servers, sharing keys with server
- this is termed a realm
  - typically a single administrative domain
- if have multiple realms, their Kerberos servers must share keys and trust

Kerberos Realms

Kerberos Version 5
- developed in mid 1990s
- specified as Internet standard RFC 1510
- provides improvements over v4
  - addresses environmental shortcomings
    - encryption alg, network protocol, byte order, ticket lifetime, authentication forwarding, inter-realm auth
  - and technical deficiencies
    - double encryption, non-std mode of use, session keys, password attacks

Kerberos v5 Dialogue

Summary
- have considered:
  - authentication using symmetric encryption
  - authentication using asymmetric encryption
  - Kerberos

Remote User Authentication
- in Ch 14 saw use of public-key encryption for session key distribution
  - assumes both parties have other's public keys
  - may not be practical
- have Denning protocol using timestamps
  - uses central authentication server (AS) to provide public-key certificates
  - requires synchronized clocks
- have Woo and Lam protocol using nonces
- care needed to ensure no protocol flaws

One-Way Authentication
- have public-key approaches for email
  - encryption of message for confidentiality, authentication, or both
  - must know public keys
  - using costly public-key alg on long message
- for confidentiality encrypt message with one-time secret key, public-key encrypted
- for authentication use a digital signature
  - may need to protect by encrypting signature
- use digital certificate to supply public key

Federated Identity Management
- use of common identity management scheme
  - across multiple enterprises & numerous applications
  - supporting many thousands, even millions of users
- principal elements are:
  - authentication, authorization, accounting, provisioning, workflow automation, delegated administration, password synchronization, self-service password reset, federation
- Kerberos contains many of these elements

Identity Management

Identity Federation

Standards Used
- Security Assertion Markup Language (SAML)
  - XML-based language for exchange of security information between online business partners
- part of OASIS (Organization for the Advancement of Structured Information Standards) standards for federated identity management
  - e.g. WS-Federation for browser-based federation
- need a few mature industry standards

Federated Identity Examples

One-Way Authentication
- required when sender & receiver are not in communications at same time (e.g. email)
- have header in clear so can be delivered by email system
- may want contents of body protected & sender authenticated

Using Symmetric Encryption
- can refine use of KDC but can't have final exchange of nonces, viz:
  1. A -> KDC: IDA | IDB | N1
  2. KDC -> A: E(Ka, [Ks | IDB | N1 | E(Kb, [Ks | IDA])])
  3. A -> B: E(Kb, [Ks | IDA]) | E(Ks, [M])
- does not protect against replays
  - could rely on timestamp in message, though email delays make this problematic

Public-Key Approaches
- have seen some public-key approaches
- if confidentiality is major concern, can use:
  A -> B: E(PUb, Ks) | E(Ks, M)
  - has encrypted session key, encrypted message
- if authentication needed use a digital signature with a digital certificate:
  A -> B: M | E(PRa, H(M)) | E(PRas, [T | IDA | PUa])
  - with message, signature, certificate

Summary
- have discussed:
  - digital signatures
  - authentication protocols (mutual & one-way)
  - digital signature algorithm and standard
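
Added example (not part of the original slides): a Python sketch of message 3 and steps 4-5 of the Needham-Schroeder exchange described above, showing why B cannot tell a replayed ticket from a fresh one once an old Ks is known, and how a timestamp T inside the ticket (the Denning 81 modification) lets B reject it. E and D are a toy stand-in cipher built from SHA-256 and HMAC; f(N2) = N2 - 1, the 300-second window, and all keys and times are assumptions made for this example.

```python
import hashlib, hmac, json, os

def _stream(key, nonce, n):
    # toy keystream: SHA-256 over key, nonce and a one-byte counter
    return b"".join(hashlib.sha256(key + nonce + bytes([i])).digest() for i in range(n // 32 + 1))

def E(key, fields):
    """Toy stand-in for E(K, [...]): keystream XOR plus HMAC tag. Not a real cipher."""
    pt, nonce = json.dumps(fields).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def D(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or modified message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

def kdc_ticket(kb, id_a, t=None):
    """KDC, message 2: returns (Ks, E(Kb, [Ks | IDA])); T is added when t is given."""
    ks = os.urandom(16)
    extra = {} if t is None else {"T": t}
    return ks, E(kb, {"Ks": ks.hex(), "IDA": id_a, **extra})

def b_original(kb, ticket):
    """B on message 3, original protocol: anything sealed under Kb is accepted."""
    return bytes.fromhex(D(kb, ticket)["Ks"])

def b_timestamped(kb, ticket, now, window=300):
    """B on message 3 with a timestamp: also require |now - T| <= window (assumed)."""
    f = D(kb, ticket)
    if "T" not in f or abs(now - f["T"]) > window:
        raise ValueError("missing or stale T, treated as replay")
    return bytes.fromhex(f["Ks"])

def steps_4_5(ks_b, ks_peer):
    """B sends E(Ks, N2); peer must return E(Ks, f(N2)). f(n) = n - 1 is assumed."""
    n2 = int.from_bytes(os.urandom(8), "big")
    challenge = E(ks_b, {"N2": n2})
    try:
        reply = E(ks_peer, {"fN2": D(ks_peer, challenge)["N2"] - 1})
        return D(ks_b, reply)["fN2"] == n2 - 1
    except ValueError:
        return False

if __name__ == "__main__":
    kb = os.urandom(16)                         # B's master key (constructed)
    old_ks, old = kdc_ticket(kb, "A", t=1_000)  # old session whose Ks later leaks
    print(steps_4_5(b_original(kb, old), old_ks))  # True: replayed message 3 passes
```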
