Remote User Authentication ,Symmetric, Asymmetric and Kerberos.ppt

Prof. Rupesh G. Vaishnav
rupesh.vaishnav@darshan.ac.in
94280-37452
Information & Network Security (2170709) Darshan Institute of Engineering & Technology
UNIT-9
Remote user
authentication

Unit-9 Remote user authentication Darshan Institute of Engineering & Technology 2
INS is very Interesting Subject
Outline
 Remote user authentication with symmetric encryption
 Remote user authentication with asymmetric encryption
 Kerberos

Remote user authentication with symmetric encryption
Mutual Authentication
1. A ---> KDC
IDa || IDb || N1
2. KDC ---> A
E(Ka, [Ks || IDb || N1 || E(Kb,[Ks || IDa)])
3. A ---> B
E(Kb, [Ks || IDa])
4. B ---> A
E(Ks, N2)
5. A ---> B
E(Ks, f(N2))

Remote user authentication with symmetric encryption
One-way Authentication
1. A ---> KDC
IDa || IDb || N1
2. KDC ---> A
E(Ka, [Ks || IDb || N1 || E(Kb, [Ks ||
IDa])])
3. A ---> B
E(Kb, [Ks || IDa]) || E(Ks, M)

Kerberos
 Kerberos provides a trusted third-party authentication service
that enables clients and servers to establish authenticated
communication.
 Kerberos is an authentication service designed for use in a
distributed environment.
 Version 4 of Kerberos makes use of DES, to provide the
authentication service.

Kerberos – Simple Dialogue
1. C ---> AS: IDc || Pc || IDv
2. AS ---> C: Ticket
3. C ---> V: IDc || Ticket
Ticket = E(Kv, [IDc, ADc, IDv])
Authentication
Server-AS
Application
Server - V
User - C
(1)
(2)
(3)

Kerberos – Simple Dialogue
1. C ---> AS: IDc || Pc || IDv
2. AS ---> C: Ticket
3. C ---> V: IDc || Ticket
Ticket = E(Kv, [IDc, ADc, IDv])
 Where,
• C = Client
• AS = Authentication Server
• V = Server
• IDc = Identification of user C
• Idv = Identification of V
• Pc = Password on User C
• Adc = Network Address of C
• Kv = Secret key shared by AS and V

Kerberos – More Secure Dialogue
Client-C
Ticket Granting
Server-TGS
Authentication
Server-AS
TicketTGS to access
TGS
Request for
TicketTGS
Request
for TicketV
Request for
TicketV
Request for
Service

Kerberos – More Secure Dialogue
 Once per user logon session
1. C ---> AS: IDc || IDTGS
2. AS ---> C: E(Kc, TicketTGS)
 Once per type of service
1. C ---> TGS: IDc || IDv || TicketTGS
2. TGS ---> C: TicketV
 Once per service session
1. C ---> V: IDc || TicketV
TicketTGS = E(KTGS, [IDc, ADc, IdTGS, TS1,
Lifetime1])
TicketV = E(KV, [IDc, ADc, IdV, TS2, Lifetime2])

Remote User Authentication ,Symmetric, Asymmetric and Kerberos.ppt

Kerberos Version 4 – Step-1
 The client sends a plaintext request to the AS asking for a ticket it
can use to talk to the TGS.
 Request:
• Login name
• TGS name
 Since this request contains only well-known names, it does not
need to be sealed.
C--->AS : IDc||IDtgs||TS1

 The AS finds the keys corresponding to the login name and the
TGS name.
 The AS creates a ticket:
• Login name
• TGS name
• Client network address
• TGS session key
 The AS seals the ticket with the TGS secret key.
AS--->C: E(Kc, [Kc,tgs||IDtgs||TS2||Lifetime2||
Tickettgs])
Tickettgs=E(Ktgs, [Kc,tgs||IDc||ADc||IDtgs||TS2||
Lifetime2])

 The client decrypts the message using the user’s password as the
secret key.
 The client now has a session key and ticket that can be used to
contact the TGS.
 The client cannot see inside the ticket, since the client does not
know the TGS secret key.
 When a client wants to start using a server (service), the client
must first obtain a ticket.
 The client composes a request to send to the TGS
C--->TGS: Idv||Tickettgs||Authenticatorc

 The TGS decrypts the ticket using it’s secret key. Inside is the TGS
session key.
 The TGS decrypts the authenticator using the session key.
 The TGS check to make sure login names, client addresses and TGS
server name are all ok.
 TGS makes sure the authenticator is recent.
 Builds a ticket for the client and requested server. The ticket is
sealed with the server key.
 Creates a session key
 Seals the entire message with the tgs session key and sends it to
the client.
TGS--->C: E(Kc,tgs, [Kc,v||IDv||TS4||Ticketv])

Tickettgs=E(Ktgs, [Kc,tgs||IDc||ADc||IDtgs||TS2||
Lifetime2])
TicketV=E(KV, [Kc,V||IDc||ADc||IDV||TS4||
Lifetime4])
AuthenticatorC=E(Kc,tgs, [IDc||ADc||TS3])

Kerberos Version 4 – Step-5, 6
 The client now decrypts the TGS response using the TGS session
key.
 The client now has a session key for use with the new server, and
a ticket to use with that server.
 The client can contact the new server using the same format used
to access the TGS.
TicketV=E(KV, [Kc,V||IDc||ADc||IDV||TS4||
Lifetime4])
AuthenticatorC=E(Kc,v, [IDc||ADc||TS5])

Ticket
 Each request for a service requires a ticket.
 A ticket provides a single client with access to a single server.
 Tickets are dispensed by the “ticket granting server” (TGS), which
has knowledge of all the encryption keys.
 Tickets are meaningless to clients, they simply use them to gain
access to servers.
 The TGS seals (encrypts) each ticket with the secret encryption key
of the server.
 Sealed tickets can be sent safely over a network - only the server
can make sense out of it.
 Each ticket has a limited lifetime (a few hours).

Ticket Contents
 Client name (user login name)
 Server name
 Client host network address
 Session key for client/server
 Ticket lifetime
 Creation timestamp

Remote user authentication with Asymmetric encryption
Mutual Authentication

Remote User Authentication ,Symmetric, Asymmetric and Kerberos.ppt

More Related Content

Similar to Remote User Authentication ,Symmetric, Asymmetric and Kerberos.ppt (20)

More from VivekanandaGN1 (20)

Recently uploaded (20)

Remote User Authentication ,Symmetric, Asymmetric and Kerberos.ppt

Editor's Notes