- Remote User Authentication Principles
- Remote User Authentication Using Symmetric Encryption
- Kerberos
- Remote User Authentication Using Asymmetric Encryption
- Federated Identity Management
Mutual authentication protocols enable communicating parties to satisfy themselves mutually about each other’s identity and to exchange session keys.
Kerberos is an authentication service designed for use in a distributed environment.
Kerberos provides a trusted third-party authentication service that enables clients and servers to establish authenticated communication.
Identity management is a centralized, automated approach to provide enterprise-wide access to resources by employees and other authorized individuals.
Identity federation is, in essence, an extension of identity management to multiple security domains.
- Mutual Authentication
- One-Way Authentication
Such protocols enable communicating parties to satisfy themselves mutually about each other’s identity and to exchange session keys.
- Identification Step
- Verification Step
- Something the individual knows
- Password || PINs
- Something the individual possesses
- Tokens
- Something the individual is
- Static biometrics - fingerprint || retina || face
- Something the individual does
- Dynamic biometrics - Voice Pattern || Handwriting characteristics
#[fit] Challenges in Mutual Authentication
- Confidentiality
- Masquerade
- Compromise of Session Keys
- Prior existence of secret or public keys
- Timeliness
- Replays
- Simple Replay
- Repetition that can be logged
- Repetition that cannot be detected
- Backward replay without modification
- Sequence Numbers
- Timestamps
- Challenge / Response
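Added example (not from the slides): a server-side freshness check that combines two of the countermeasures listed above, a timestamp window for timeliness and a cache of recently seen nonces to catch repeats inside that window, in the style of a Kerberos authenticator check. The message fields, the 5-minute skew window and the sample messages are constructed for illustration.

```python
"""Timestamp window plus replay cache: a timestamp alone bounds how old a
message may be, but a replay inside that window still looks fresh, so the
receiver must also remember what it has already accepted."""
from dataclasses import dataclass, field

SKEW_LIMIT = 300  # seconds of acceptable clock skew (assumed 5-minute window)


@dataclass
class Authenticator:
    """Constructed message: claimed sender, sender's clock, one-off nonce."""
    client: str
    timestamp: int  # seconds since epoch, as stamped by the sender
    nonce: int      # unique per message from this client within the window


@dataclass
class ReplayGuard:
    """Receiver state: the set of (client, timestamp, nonce) seen recently."""
    seen: set = field(default_factory=set)

    def check(self, auth: Authenticator, now: int) -> str:
        # Timeliness: anything outside the skew window is refused outright.
        if auth.timestamp < now - SKEW_LIMIT:
            return "reject: stale"
        if auth.timestamp > now + SKEW_LIMIT:
            return "reject: clock skew"
        # Replay: an identical message inside the window has been seen before.
        key = (auth.client, auth.timestamp, auth.nonce)
        if key in self.seen:
            return "reject: replay"
        self.seen.add(key)
        self.prune(now)
        return "accept"

    def prune(self, now: int) -> None:
        """Entries older than the window would fail the stale check anyway,
        so the cache only has to hold one window's worth of messages."""
        self.seen = {k for k in self.seen if k[1] >= now - SKEW_LIMIT}


def demo() -> list[str]:
    """Constructed run: fresh message, exact replay, stale message, skewed clock."""
    guard = ReplayGuard()
    msg = Authenticator("alice", timestamp=1_000_000, nonce=42)
    return [
        guard.check(msg, now=1_000_010),
        guard.check(msg, now=1_000_020),
        guard.check(Authenticator("alice", 999_000, 7), now=1_000_020),
        guard.check(Authenticator("alice", 1_001_000, 8), now=1_000_020),
    ]
```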
- Mutual Authentication
- One-Way Authentication
- [NEED78]
- [DENN81, DENN82]
- [KEHN92]
# 3.3 Kerberos
- Environment Shortcomings
- Technical Deficiencies
- Encryption system dependence
- Internet protocol dependence
- Message Byte Ordering
- Ticket Lifetime
- Authentication Forwarding
- Inter-Realm Authentication
- DES Dependency of v4
- IP protocol addresses only
- Did not follow a byte-ordering convention / was ambiguous
- ASN.1 - Abstract Syntax Notation One
- BER - Basic Encoding Rules
- 8 bit life time
- Unit of 5 mins
- total (2^8)*5 = 1280 mins ~= 21 hours
- Explicit start and end time in v5
- No forwarding of credentials
- Example - Printing a File on a network
- Lack of interoperability
- N Realms = (N^2) Kerberos-to-Kerberos relationships
- Double Encryption
- PCBC Encryption
- Session Key
- Password Attacks
- Redundant Double encryption
- Removed in v5
- Propagating Cipher Block Chaining
- Non-standard
- Possible threat of replay attack
- Use of sub-session key between client and server
- Vulnerable to password attack
- Brute-force or dictionary attacks
- Mutual Authentication
- One-Way Authentication
- Identity Management
- Identity Federation
Federated identity management is a relatively new concept dealing with the use of a common identity management scheme across multiple enterprises and numerous applications and supporting many thousands, even millions, of users.
Identity management is a centralized, automated approach to provide enterprise-wide access to resources by employees and other authorized individuals.
- Authentication
- Authorization
- Accounting
- Provisioning
- Workflow Automation
- Delegated Administration
- Password Synchronization
- Self-service Password Reset
- Federation
Identity federation is, in essence, an extension of identity management to multiple security domains. Such domains include autonomous internal business units, external business partners, and other third-party applications and services.
The goal is to provide the sharing of digital identities so that a user can be authenticated a single time and then access applications and resources across multiple domains.