Chapter 4: Key Distribution and User Authentication Flashcards
Key Distribution and User Authentication
How does RFC 4949 define user authentication?
It is the process of verifying an identity claimed by or for a system entity, and it consists of two steps:
- Identification: an identifier is presented to the system
- Verification/authentication: authentication information is presented or generated to corroborate the binding between the entity and the identifier.
In what 4 ways can a secret key be shared?
- A key could be selected by A and physically delivered to B.
- A third party could select the key and physically deliver it to A and B.
- If A and B have previously and recently used a key, one party could transmit the new key to the other, using the old key to encrypt the new key.
- If A and B each have an encrypted connection to a third party C, C could deliver a key on the encrypted links to A and B.
What is a permanent key?
It is used between entities for the purpose of distributing session keys.
What is a key distribution center (KDC)?
It provides a session key when communication permission has been granted between two systems.
What is Kerberos?
It is a key distribution and user authentication service developed at MIT.
It relies exclusively on symmetric encryption.
It provides a centralised authentication server whose function is to authenticate users to servers and servers to users.
What environmental shortcomings does Kerberos v4 have and how have they been addressed in v5?
- Encryption system dependence: it requires the use of DES. V5 can use any encryption technique.
- Internet protocol dependence: it requires the use of Internet Protocol (IP) addresses. In V5, any network address can be used.
- Message byte ordering: the sender of a message employs a byte ordering of their choosing, which does not follow established conventions. V5 uses ASN.1 and BER.
- Ticket lifetime: the lifetime is limited to about 21 hours, due to how it is encoded. In V5, tickets have an explicit start time and end time.
- Authentication forwarding: Does not allow credentials to be forwarded to other hosts and used by other clients. V5 does.
- Inter-realm authentication: interoperability among N realms requires on the order of N^2 Kerberos-to-Kerberos relationships. V5 supports a method that requires fewer relationships.
What technical deficiencies does v4 have?
- Double encryption: tickets are encrypted twice, once with the secret key of the target server and once with a secret key known to the client. The second encryption is redundant.
- PCBC encryption: encryption makes use of a non-standard mode of DES known as propagating cipher block chaining (PCBC) mode. This mode is vulnerable to an attack that involves the interchange of ciphertext blocks.
- Session key: The same session key may be used repeatedly to gain service from a server, putting it at risk of a replay attack.
- Password attacks: a vulnerability in both versions.
What is the X.509 standard?
A universally accepted scheme for formatting public-key certificates. It is used in most network security applications (IPsec, SSL, S/MIME).
It is based on the use of public-key cryptography and digital signatures. It does not dictate the use of a specific digital signature algorithm or a specific hash function.
What characteristics does a user certificate issued by a CA have?
- Any user with access to the public key of the CA can verify the user public key that was certified.
- No party other than the CA can modify the certificate without being detected.
What is a certificate revocation list?
A list containing all revoked but not yet expired certificates. Each entry in the list consists of the serial number of the revoked certificate and the revocation date.
What is federated identity management?
A relatively new concept that deals with the use of a common identity management scheme across multiple enterprises and numerous applications and supporting many thousands, even millions of users.
What is identity management?
- What: a centralised, automated approach to provide enterprise-wide access to resources by employees and other authorised individuals.
- Focus: defining an identity for each user, associating attributes with the identity, and enforcing a means by which a user can verify their identity.
- Central concept: the use of SSO.
What are 8 typical services provided by a federated identity management system?
- Point of contact: authentication of users and management of user/server sessions.
- SSO protocol services: provides a vendor-neutral security token service that supports SSO.
- Trust services: a trust relationship is represented by the security tokens used to exchange information about a user, the cryptographic information used to protect the security tokens, and (optionally) the identity mapping rules applied to the information contained within the token.
- Key services: management of keys and certificates.
- Identity services: provides the interface to local data stores for identity-related information management.
- Authorisation: granting access based on authentication.
- Provisioning: account creation and registration, and establishment of access rights.
- Management: services related to runtime configuration and deployment.
What is an identity provider?
It associates authentication information with a principal, along with attributes and one or more identifiers.
What is the goal of identity federation?
To facilitate the sharing of digital identities so that a user can be authenticated a single time and then access applications and resources across multiple domains.