Week 6 - Key Distribution and User Authentication Flashcards
What is message authentication?
Message authentication is the procedure of verifying that transmitted messages have not been altered and that their source is authentic.
What is user authentication?
User authentication is the process of verifying the validity of a claimed identity to gain access to a system.
What are the two steps that are involved in user authentication?
The two steps in user authentication are:
- Identification step: presenting an identifier to the security system.
- Verification step: presenting or generating authentication information confirming the binding between the system and the identifier.
What is the NIST Model for user authentication?
NIST SP 800-63-2 defines electronic authentication as the process of verifying user identities presented electronically to a system. It ensures that the authenticated user is authorized for specific actions and can occur over open networks like the Internet or locally within LANs.
What are the 4 means of authentication?
Authentication Methods:
- Something you know: Like passwords or PINs.
- Something you have (token): Such as cryptographic keys or smart cards.
  - Drawbacks: Prone to being forged, stolen, or lost, with added management overhead.
- Something you are (static biometrics): Examples include fingerprints or retina scans.
- Something you do (dynamic biometrics): Such as voice patterns or typing rhythms.
  - Drawbacks (both kinds of biometrics): May have false positives/negatives, face challenges with user acceptance, and entail costs and inconvenience.
What are the 4 options for the delivery of a key in two-party key distribution?
Key Exchange Scenarios:
- Direct Key Exchange:
  - Party A selects a key and physically delivers it to Party B. (Suitable if the network is small, awkward otherwise)
- Key Exchange via Third Party:
  - A third party selects a key and physically delivers it to both A and B. (Suitable if the network is small, awkward otherwise)
- Key Update with Shared Key:
  - If A and B share an old key, A encrypts a new key with the old key and transmits it to B. (Suitable for any network size, bad if attackers have obtained the old key)
- Key Exchange via Encrypted Connection to Third Party:
  - If A and B each have an encrypted connection to a third party C, C delivers a key on the encrypted links to both A and B. (Preferable for large networks)
What is a KDC?
Key Distribution Centre (KDC):
- Determines authorized communication between systems/parties.
- Provides one-time session keys for granted connections between two parties.
Operation of a KDC, when party A seeks to connect to party B:
1. A sends a connection-request packet to the KDC.
2. Communication between A and the KDC is encrypted using a Master Key shared by A and the KDC.
3. If approved, the KDC generates a one-time session key and encrypts it with a Permanent Key known by A, B, and the KDC.
4. A and B establish a connection and transmit encrypted data using the session key.
What is Kerberos?
Kerberos is a centralized authentication protocol and key distribution service developed by MIT to manage user access to services in a network. It relies on symmetric encryption and has two versions: Kerberos version 4, which is being phased out, and Kerberos version 5, which corrects security deficiencies and is issued as a proposed Internet Standard (RFC 4120).
What are the steps in the Kerberos process?
- Authentication Request: The user initiates the authentication process by sending a request to the Key Distribution Center (KDC) for accessing a service.
- Ticket Granting Ticket (TGT) Request: The KDC responds by sending a Ticket Granting Ticket (TGT) encrypted with the user’s password. This TGT allows the user to request service tickets without repeatedly entering their password.
- TGT Validation: The user decrypts the TGT using their password and retains it for future use.
- Service Ticket Request: When the user needs to access a specific service, they send a request to the KDC for a service ticket.
- Service Ticket Issuance: The KDC verifies the user’s identity and issues a service ticket encrypted with the service’s secret key.
- Service Access: The user sends the service ticket to the desired service, granting access. The service verifies the ticket’s authenticity using its secret key.
What is a Kerberos realm?
A Kerberos Realm refers to a complete Kerberos environment comprising a Kerberos server, which stores all registered user IDs and hashed passwords, and shares symmetric secret keys with registered application servers. Within the realm, there are Kerberos principals, representing registered clients/users and application servers.
What is a Kerberos principal?
A Kerberos principal is a service or a user that is known to the Kerberos system.
What are the limitations of Kerberos Version 4?
Environmental Shortcomings:
- Encryption System Dependence: Kerberos Version 4 relies heavily on encryption systems, potentially limiting its flexibility and adaptability.
- Internet Protocol Dependence: It is dependent on specific internet protocols, which may constrain its interoperability in diverse network environments.
- Message Byte Ordering: Byte ordering issues can arise, complicating communication between systems with different byte orders.
- Ticket Lifetime: The duration of tickets issued by Kerberos Version 4 may pose limitations on their usability and flexibility.
- Authentication Forwarding: Limited support for authentication forwarding may hinder seamless authentication processes.
Technical Deficiencies:
- Double Encryption: Vulnerabilities related to double encryption methods used in Kerberos Version 4.
- Vulnerable PCBC Encryption: Potential weaknesses in the PCBC (Propagating Cipher Block Chaining) encryption technique employed.
- Session Keys: The management and security of session keys may present challenges or vulnerabilities.
- Password Attacks: Vulnerabilities to password-based attacks, which may compromise system security.
What are the new elements introduced in Kerberos Version 5 compared to Version 4?
Realm:
- Definition: Indicates the realm to which the user belongs within the Kerberos environment.
- Usage: Helps in routing authentication requests and identifying the user’s domain or administrative domain.
Options:
- Definition: Allows clients to request specific flags to be set in the returned ticket.
- Usage: Enables clients to customize the characteristics or permissions associated with the ticket they receive.
Times:
- Definition: Specifies time-related settings requested by the client in the ticket.
- Components:
- From (start time): Indicates the starting time of ticket validity.
- Till (end time): Specifies the expiration time of the ticket.
- Rtime (renew-till time): Specifies the deadline until which the ticket can be renewed.
Nonce:
- Definition: A random value included in the message to ensure freshness and prevent replay attacks.
- Usage: Helps verify the integrity of messages exchanged between the client and the Kerberos server.
Subkey:
- Definition: An optional element used for specific session-related purposes.
- Usage: Provides additional security or functionality for certain sessions within the Kerberos environment.
What are public key certificates?
Public key certificates are digital documents that bind a public key to an entity, such as an individual, organization, or device. They serve as a form of identification and verification in cryptographic systems. These certificates are issued by trusted certificate authorities and contain information about the entity, along with their public key, which can be used for encryption, authentication, and secure communication over networks like the internet.
What is X.509?
X.509 is an International Telecommunication Union standard defining the format of public-key certificates.