WUSTL CSE 571S - Overview of Authentication Systems
9-1  Overview of Authentication Systems
©2007 Raj Jain, CSE571S, Washington University in St. Louis

Raj Jain
Washington University in Saint Louis
Saint Louis, MO
[email protected]
Audio/Video recordings of this lecture are available at:
http://www.cse.wustl.edu/~jain/cse571-07/

9-2  Overview
- Passwords
- Address based authentication
- Key Distribution Center (KDC)
- Certification Authorities (CAs)
- Multiple Trust Domains
- Session Keys
- Delegation

9-3  Passwords
- Do not store passwords in clear. Store hashes.
  ⇒ Subject to offline attack
- Encrypt the hash storage.
  ⇒ Where do you keep the master key?
- Do not transmit passwords in clear.
- Use password as a key to encrypt a challenge.
  ⇒ Cryptographic Authentication

9-4  Address based authentication
- /etc/hosts.equiv file in UNIX.
- John Smith can do on B whatever he is allowed to do on A.
  ⇒ Users need to have the same name on all machines.
- Per user .rhosts files. Lists <address, remote account name> that can access this account.
- Issue: Attacker can gain access to all machines
- Attacker can change IP addresses of machines and can access remote resources of all users on that machine.
- Attacker can use source route <A, X, D> to send messages to D (from A).

9-5  Machine vs. Person Authentication
- Machines can store long secret keys.
- Person's password can be used to decrypt a long secret key or private key.

9-6  Secret Keys for an N-System Network
- n systems need n(n-1)/2 pairs of secret keys
- Each system remembers n-1 keys.
- If a new system comes in, n new keys are generated.
- If a system leaves, n-1 keys are removed.
[Figure: systems A, B, C, D, E, F]

9-7  Key Distribution Center (KDC)
- Each node is configured with KDC's key
- KDC has all the keys.
- KDC sends a key encrypted with A's key and B's key to A.
- Issues:
  - If KDC is compromised, all systems are compromised.
  - KDC is single point of failure or performance bottleneck.
  - KDC has to be on-line all the time.
[Figure: systems A, B, C, D, E, F and a KDC]

9-8  Certification Authorities (CAs)
- Unsigned public keys can be tampered with.
- Public Keys are signed by CAs ⇒ Certificates.
- Each system is configured with CA's public key.
- CAs don't have to be on-line.
- A compromised CA cannot decrypt conversations.

9-9  Certificate Revocation Lists (CRL)
- The lists are published regularly.
- Certificates are checked in a recent CRL.
- Certificate contains user's name, public key, expiration time, a serial number, and CA's signature on the content.

9-10  KDCs in Multiple Trust Domains
[Figure only]

9-11  KDCs in Multiple Trust Domains (Cont)
- Issue: Every pair of KDCs needs a shared key ⇒ KDC hierarchy
- Some pairs of KDCs have a secret key

9-12  CAs in Multiple Domains
- Each CA has a certificate from the other.
- Alice with Boris's certificate and Boris's CA's certificate issued by Alice's CA can authenticate Boris
[Figure: Alice, Alice's CA, Boris, Boris's CA]

9-13  Session Keys
- Public key is used to exchange a secret key.
- Each session should start with a new secret key.

9-14  Delegation
- Authentication forwarding
- A signed message with time limit and details of privileges

9-15  Summary
- Passwords should not be stored or transmitted in clear ⇒ Use to generate keys
- Address based authentication is not safe.
- Key Distribution Center (KDC): Single point of failure
- Certification Authorities (CAs) sign public keys.
- Multiple Trust Domains: Hierarchy of KDCs or CAs

9-16  Homework 9
- Read Chapter 9 of the textbook
- Submit answers to Exercise 9.3
- Extend the scenario in Section 9.7.4.1 Multiple KDC Domains to a chain of three KDCs. In other words, assume that Alice wants to talk to Boris through a chain of three KDCs (Alice's KDC, a KDC that has shared keys with both Alice's KDC and Boris's KDC and finally, Boris's KDC). Give the sequence of events necessary to establish