NETWORK + III Assignment Module 9
Harrison Valetski
October 16, 2015
What is User Authentication and how does it relate to PKI (Public Key Infrastructure) and Kerberos?
User authentication involves a user proving their identity through network communication. This is generally accomplished by one or more of three factors: something the user knows, something the user has, or something the user is. Some protocols combine two or more of these factors.
PKI consists of the management of certificates that contain key pairs. One key, the public key, is used to encrypt data that will be sent to the user through the network. It cannot decrypt the message itself. The corresponding key, the private key, is used to decrypt data that has been encrypted with the public key. Many applications use PKI in creative ways to exchange information securely.
Kerberos is commonly used in LANs and is the default authentication protocol on the latest Microsoft and Novell server systems. It uses a series of tickets that expire after their use or after a specific period of time. It's designed especially to prevent replay attacks in which a user's credentials are recorded and played back to gain access to resources.
Authentication is a process by which people prove their identities. For example, you have to use a driver's license or some other form of picture ID to prove that you are who you say you are when you check in for a flight. In person, this is not typically difficult, but over a network it can become much more complicated.
User authentication is a process by which users prove their identity over the network. This is generally accomplished by one of three methods, also called factors, or by a combination of them. The three factors by which users prove their identity are as follows:
- Something they know
- Something they have
- Something they are
Something a user knows could be a password or the personal identification number (PIN) that corresponds to their smart card. Something a user has could be a smart card or a cryptographic key. Something a user is would relate to biometric authentication, such as a fingerprint, voiceprint, cornea or iris scan, or a hand geometry print. You can also combine these factors to create even greater security.
Each of these factors of authentication uses different protocols. It's important that you understand your options in regard to each type of user authentication. In the following sections, I'll discuss the most common methods of user authentication.
PKI
Public Key Infrastructure (PKI) is a method of user authentication that falls into the “something I have” category. If the user possesses the right key (a series of mathematical computations), then the user can prove their identity and gain access to a resource. If the user does not have the right key, then they cannot gain access to the resource. The keys are stored in an electronic document called a certificate. An important part of PKI is the process of tracking the certificates themselves and to whom they are issued. The servers and services that verify a user's identity and track the certificate are called certificate servers.
You can use your own certificate server to track the certificates that you issue within your own organization. If you need to prove your identity to others, you can also use a third-party company, such as VeriSign, that specializes in verifying identities and issuing the appropriate certificates and keys. Most organizations use a certificate hierarchy whereby they trust someone because someone else trusts them.
PKI works by using a pair of keys called the public key and the private key. The public key identifies the user and can be used to encrypt data that will be sent to the user so that only the user can decrypt it. The public key does not decrypt data. Since it does not decrypt data, it can be freely distributed without a concern as to whether it will be stolen or intercepted. It's kind of like a key that only locks your house but will not unlock it. You wouldn't be worried if more people had a key that would only lock your house, would you?
The private key is the other key in the key pair and is very different from the public key. The private key is held only by the user and is not shared with anyone. It is stored by the user's operating system and automatically used by the operating system and by PKI-enabled applications. The private key simply decrypts anything that the public key has encrypted. In fact, it is the only key that can decrypt what the public key in its key pair has encrypted.
To put this into practice, let's say you wanted to send me an encrypted email. First, I would need to send you my public key. Using my email software, I would send you an email that contains my public key and gives you an opportunity to store it for use. You would then create your email and use my public key to encrypt it. You would then send me the encrypted email, which I would decrypt and open with my private key. The email software actually handles the use of the keys for us; all we have to do is get the process started by choosing to use encrypted email between us. This is just one example, and there are many other uses of PKI for user authentication, encryption, and identity verification of the sender of a message.
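The email scenario above, worked through as an added example that is not part of the original assignment: textbook RSA with two small constructed primes, showing that the public key "locks" the message and only the matching private key "unlocks" it. It is an illustration of the key-pair idea only (no padding, toy-sized modulus), not the code any real email client uses.

```python
from math import gcd

# Constructed demo primes (2^31-1 and 2^61-1, both known primes). Real keys
# use primes hundreds of digits long; these just keep the arithmetic readable.
P = 2_147_483_647
Q = 2_305_843_009_213_693_951

def make_keypair(p: int, q: int, e: int = 65537):
    """Derive (public, private) keys from two primes (textbook RSA, no padding)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    assert gcd(e, phi) == 1, "public exponent must be coprime to phi(n)"
    d = pow(e, -1, phi)            # private exponent: modular inverse of e
    return (n, e), (n, d)

def encrypt(public_key, message: bytes) -> int:
    """The 'lock': anyone holding the public key can do this step."""
    n, e = public_key
    m = int.from_bytes(message, "big")
    assert 0 < m < n, "message must fit below the modulus in this toy"
    return pow(m, e, n)

def decrypt(private_key, ciphertext: int) -> bytes:
    """The 'unlock': only the private-key holder can reverse encrypt()."""
    n, d = private_key
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

def public_key_recovers_plaintext(public_key, ciphertext: int, message: bytes) -> bool:
    """What someone holding only the public key can try: apply it again.
    Returns False, showing the public key cannot undo its own encryption."""
    n, e = public_key
    return pow(ciphertext, e, n) == int.from_bytes(message, "big")

def encrypted_email_demo(email: bytes = b"hi Bob") -> dict:
    """The scenario from the text: I send you my public key, you encrypt the
    email with it, and I decrypt it with my private key."""
    my_public, my_private = make_keypair(P, Q)   # generated on my machine
    ciphertext = encrypt(my_public, email)        # done on your machine
    return {
        "recovered": decrypt(my_private, ciphertext),
        "public_key_can_decrypt": public_key_recovers_plaintext(my_public, ciphertext, email),
    }

if __name__ == "__main__":
    print(encrypted_email_demo())
```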
Kerberos
Kerberos is an authentication protocol that was developed by MIT and named for the mythical three-headed dog that guards the gates of Hades over the River Styx. It is commonly used in LANs, and it is the default authentication protocol for Windows Active Directory and for Novell NDS systems. Kerberos was specifically designed to prevent replay attacks, whereby an attacker records the authentication exchange between a device and a resource and then "plays back" the appropriate pieces, thereby gaining access.
To prevent replay attacks, Kerberos uses a system of keys that expire as soon as they are used or after a definable period of time (usually five minutes). When users first log on, they receive a special token called a ticket-granting ticket (TGT). When they need access to a resource, their system will present the TGT to a server called a key distribution center (KDC), which is usually also a domain controller. The KDC will then give the user's computer either a key to access the resource or another TGT to access the next KDC that is in the path toward the resource. In a large network with multiple domains, this process may be repeated several times just to get access to the resource. In all cases, the TGTs and the keys obtained from them expire as soon as they are used and cannot be used again. Now you can see why they named it after the three-headed dog that guards the gates of Hades!
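A toy model of the ticket behaviour just described (a ticket that expires after one use or after a set lifetime), added here as an example and not part of the assignment or of any Kerberos implementation. It follows the text's simplified description rather than the real protocol, where service tickets stay valid for their lifetime and replays are caught by timestamped authenticators checked against a replay cache; the service key and ticket layout are constructed for the demo.

```python
import hashlib
import hmac
import json
import secrets

# Constructed demo key shared by the KDC and the resource server (in Kerberos
# the KDC holds each service's long-term key and seals tickets with it).
SERVICE_KEY = b"constructed-demo-service-key"

def _mac(body: dict) -> str:
    """Seal the ticket body so the resource server can detect tampering."""
    data = json.dumps(body, sort_keys=True).encode()
    return hmac.new(SERVICE_KEY, data, hashlib.sha256).hexdigest()

def issue_ticket(principal: str, now: float, lifetime: float = 300.0) -> dict:
    """KDC side: mint a ticket good for `lifetime` seconds (the text's ~5 min)."""
    body = {"principal": principal, "issued": now,
            "expires": now + lifetime, "ticket_id": secrets.token_hex(8)}
    return {"body": body, "mac": _mac(body)}

class ResourceServer:
    """Resource side: verify the seal and lifetime, and refuse any ticket id
    that has already been presented, so a recorded ticket cannot be replayed."""
    def __init__(self):
        self.used = {}   # ticket_id -> expiry; entries dropped once expired

    def present(self, ticket: dict, now: float) -> str:
        body = ticket["body"]
        if not hmac.compare_digest(_mac(body), ticket["mac"]):
            return "rejected: forged or tampered"
        if now >= body["expires"]:
            return "rejected: expired"
        # Prune ids whose tickets would be refused as expired anyway, so the
        # replay cache never grows beyond one ticket lifetime.
        self.used = {t: exp for t, exp in self.used.items() if exp > now}
        if body["ticket_id"] in self.used:
            return "rejected: replay"
        self.used[body["ticket_id"]] = body["expires"]
        return f"granted: {body['principal']}"

if __name__ == "__main__":
    server = ResourceServer()
    ticket = issue_ticket("harrison", now=1000.0)
    print(server.present(ticket, 1001.0))   # first use is accepted
    print(server.present(ticket, 1002.0))   # the recorded copy is refused
```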
Kerberos works well when all the users are part of a network and are therefore authenticated by the domain controller. If the user is not from within the network, then special provisions can be made to make the user recognized by the network and therefore able to use Kerberos for authentication. These provisions will vary depending on the operating system, but it's often simpler to just use PKI for accounts that are not part of the network.