Network Security: A More Secure Authentication Dialogue
Objectives of the Topic
• After completing this topic, a student will be able to
– describe a more secure authentication dialogue.
A More Secure Authentication Dialogue
• Two issues with the simple authentication dialogue:
• 1. The number of times a user has to enter a password should be minimized.
• 2. A plaintext transmission of the password should be avoided.
• Suppose each ticket can be used only once.
• If user C logs on to a workstation in the morning and checks his or her mail at a mail server, C has to supply a password to get a ticket for the mail server.
• Similarly, if a user wishes to access a print server, a mail server, a file server, and so on, the first instance of each access would require a new ticket and hence require the user to enter the password.
• This authentication scheme employs a new server, known as the ticket-granting server (TGS).
• The TGS issues tickets to users who have been authenticated to the AS.
• The user first requests a ticket-granting ticket (Ticket_tgs) from the AS.
• The client module in the user workstation saves this ticket.
• Each time the user requires access to a new service, the client applies to the TGS, using the ticket to authenticate itself.
• The TGS then grants a ticket for the particular service.
• The client saves each service-granting ticket and uses it to authenticate its user to a server each time a particular service is requested.
Details
• 1. The client requests a ticket-granting ticket on behalf of the user by sending its user’s ID to the AS, together with the TGS ID, indicating a request to use the TGS service.
• 2. The AS responds with a ticket that is encrypted with a key that is derived from the user’s password (K_C), which is already stored at the AS.
• When this response arrives at the client, the client prompts the user for his or her password, generates the key, and attempts to decrypt the incoming message.
• If the correct password is supplied, the ticket is successfully recovered.
• Thus, we have used the password to obtain credentials from Kerberos without having to transmit the password in plaintext.
• The ticket-granting ticket is designed to be reusable.
• The client now has a reusable ticket and need not bother the user for a password for each new service request.
• To prevent an opponent from capturing and using the ticket, the ticket includes a timestamp, indicating the date and time at which the ticket was issued, and a lifetime, indicating the length of time for which the ticket is valid.
• 3. The client requests a service-granting ticket on behalf of the user. For this purpose, the client transmits a message to the TGS containing the user’s ID, the ID of the desired service, and the ticket-granting ticket.
• 4. The TGS decrypts the incoming ticket using a key shared only by the AS and the TGS (K_tgs) and verifies the success of the decryption by the presence of its ID. It checks to make sure that the lifetime has not expired.
• Then it compares the user ID and network address with the incoming information to authenticate the user. If the user is permitted access to the server V, the TGS issues a ticket to grant access to the requested service.
• 5. The client requests access to a service on behalf of the user. For this purpose, the client transmits a message to the server containing the user’s ID and the service-granting ticket. The server authenticates the user by using the contents of the ticket.
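The five-step dialogue above, as an added Python model that is not part of the original slides: the AS seals Ticket_tgs under K_tgs and wraps it in the password-derived K_C, the client recovers it, the TGS performs the step-4 checks (its own ID, lifetime, user ID and network address, permission for V) before issuing the service-granting ticket, and server V verifies that ticket in step 5. The toy cipher, the user "alice", the addresses, keys, salt and ACL are constructed assumptions, not values from the slides.

```python
import hashlib, hmac, json, os, time

# Toy authenticated encryption standing in for E(K, [...]) in the dialogue (constructed, not a real cipher).
def _stream(key, nonce, n):
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, fields):
    pt, nonce = json.dumps(fields).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("does not decrypt under this key")  # e.g. wrong password typed at the client
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

def password_key(pw):  # K_C: derived from the password, so the password itself is never transmitted
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), b"constructed-salt", 100_000)

TGS_ID, V_ID = "tgs", "mail"                      # constructed service identifiers
K_TGS, K_V = os.urandom(32), os.urandom(32)       # K_tgs (AS and TGS only) and K_v (TGS and V only), constructed
AS_DB = {"alice": password_key("correct horse")}   # the AS stores K_C for each user (constructed entry)
ACL = {"alice": {"mail"}}                          # which users the TGS may admit to which service (constructed)

def as_step2(id_c, ad_c, lifetime=8 * 3600, now=None):
    """Step 2: Ticket_tgs sealed under K_tgs, wrapped under K_C so only the password holder recovers it."""
    now = now or time.time()
    tgt = seal(K_TGS, {"ID_C": id_c, "AD_C": ad_c, "ID": TGS_ID, "TS": now, "lifetime": lifetime})
    return seal(AS_DB[id_c], {"ticket": tgt.hex()})

def client_recover_tgt(pw, reply):
    """Client side of step 2: derive K_C from the typed password and unwrap the reusable ticket."""
    return bytes.fromhex(unseal(password_key(pw), reply)["ticket"])

def tgs_step4(id_c, id_v, tgt, ad_c, now=None):
    """Step 4: the TGS's checks before it issues a service-granting ticket for V."""
    t = unseal(K_TGS, tgt)                         # decrypt with the key only the AS and TGS hold
    now = now or time.time()
    if t["ID"] != TGS_ID: raise ValueError("not a ticket for this TGS")
    if now > t["TS"] + t["lifetime"]: raise ValueError("ticket-granting ticket has expired")
    if (t["ID_C"], t["AD_C"]) != (id_c, ad_c): raise ValueError("user ID or network address mismatch")
    if id_v not in ACL.get(id_c, ()): raise PermissionError(f"{id_c} is not permitted on {id_v}")
    return seal(K_V, {"ID_C": id_c, "AD_C": ad_c, "ID": id_v, "TS": now, "lifetime": 300})

def v_step5(id_c, ticket_v, ad_c, now=None):
    """Step 5: server V authenticates the user from the ticket contents alone."""
    t, now = unseal(K_V, ticket_v), now or time.time()
    return t["ID"] == V_ID and (t["ID_C"], t["AD_C"]) == (id_c, ad_c) and now <= t["TS"] + t["lifetime"]
```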
• This new scenario satisfies the two requirements of only one password query per user session and protection of the user password.
End