
The Version 4 Authentication Dialogue: Network Security

The document discusses the Kerberos Version 4 authentication dialogue. It describes two problems with the Kerberos V4 authentication process: 1) the lifetime of the ticket-granting ticket being too short or long creates security issues, and 2) servers need to authenticate themselves to users. The Kerberos solution involves the authentication server providing a secret session key to both the client and ticket-granting server to prove identity when requesting or granting tickets.

Uploaded by

Abdullah Shahid

The Version 4 Authentication Dialogue

Network Security

Objectives of the Topic
• After completing this topic, a student will be able to
– explain the Kerberos V4 authentication dialogue.

Figures and material in this topic have been adapted from
• “Network Security Essentials: Applications and Standards”, 2014, by William Stallings.

• Two issues with the more secure authentication dialogue:
• The first problem is the lifetime associated with the ticket-granting ticket.

• If this lifetime is very short (e.g., minutes), then the user will be repeatedly asked for a password.
• If the lifetime is long (e.g., hours), then an opponent has a greater opportunity for replay.

• An opponent could capture a copy of the ticket-granting ticket and then wait for the legitimate user to log out.
• Then the opponent could forge the legitimate user’s network address and send the message to the TGS.

• This would give the opponent unlimited access to the resources and files available to the legitimate user.
• A similar issue arises when an opponent captures a service-granting ticket.

• Thus, we arrive at an additional requirement.
• A network service (the TGS or an application service) must be able to prove that the person using a ticket is the same person to whom that ticket was issued.

• The second problem is that servers should authenticate themselves to users.
• An opponent can sabotage the configuration so that messages to a server are directed to another location.

Kerberos Solution:
• The threat is that an opponent will steal the ticket and use it before it expires.
• Let the AS provide both the client and the TGS with a secret piece of information in a secure manner.

• Then the client can prove its identity to the TGS by revealing the secret information, again in a secure manner.
• Kerberos uses an encryption key as the secure information; this is referred to as a session key.

• The client sends a message to the AS requesting access to the TGS.
• The AS responds with a message, encrypted with a key derived from the user’s password (K_C), that contains the ticket.

• The encrypted message also contains a copy of the session key, K_C,tgs.
• Because this session key is inside the message encrypted with K_C, only the user’s client can read it.

• The same session key is included in the ticket, which can be read only by the TGS.
• Thus, the session key has been securely delivered to both C and the TGS.

• Message (1) includes a timestamp, so that the AS knows that the message is timely.
• Message (2) includes several elements of the ticket in a form accessible to C.
• C learns that this ticket is for the TGS and when it expires.

• Now C sends the TGS a message that includes the ticket plus the ID of the requested service.
• C also transmits an authenticator, which includes the ID and address of C’s user and a timestamp.

• The authenticator is intended for use only once and has a very short lifetime.
• Now the TGS can decrypt the ticket with the key that it shares with the AS.
• This ticket indicates that user C has been provided with the session key K_C,tgs.

• The TGS uses the session key to decrypt the authenticator.
• The TGS can then check the name and address from the authenticator with that of the ticket and with the network address of the incoming message.

• If all match, then the TGS is assured that the sender of the ticket is indeed the ticket’s real owner.

• C now has a reusable service-granting ticket for V. When C presents this ticket, it also sends an authenticator.
• The server can decrypt the ticket, recover the session key, and decrypt the authenticator.

• If mutual authentication is required, the server returns the value of the timestamp from the authenticator, incremented by 1, and encrypted in the session key.
• C can decrypt this message.
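The whole dialogue described above, written out in Python as an added example (it is not from the slides or from Stallings): the AS hands K_C,tgs to both C and the TGS, the TGS and V open the authenticator with the session key and compare name and address against the ticket and the incoming packet, and V returns the authenticator timestamp plus 1 for mutual authentication. A constructed HMAC-based toy cipher stands in for the DES of real Kerberos V4, and the user name, address, keys and timestamps are made up.

```python
import hashlib, hmac, json, os

# Constructed stand-in for the DES used by Kerberos V4: HMAC-SHA256 keystream plus an integrity tag.
def _xor(key, nonce, data):
    ks = b"".join(hmac.new(key, nonce + bytes([i]), hashlib.sha256).digest() for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))
def enc(key, obj):
    nonce = os.urandom(16)
    ct = _xor(key, nonce, json.dumps(obj).encode())
    return (nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()).hex()
def dec(key, hexblob):  # raises ValueError on a wrong key or an altered ticket/authenticator
    blob = bytes.fromhex(hexblob)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(_xor(key, nonce, ct))

# Long-term keys (constructed): K_C from the user's password, K_TGS shared by AS and TGS, K_V by TGS and V.
K_C, K_TGS, K_V = hashlib.sha256(b"alice-password").digest(), os.urandom(32), os.urandom(32)
def issue(svc_key, reply_key, svc, id_c, ad_c, now, life):
    # AS/TGS reply: the fresh session key goes into the ticket (under the service's key) and into the reply to C
    k = os.urandom(32).hex()
    ticket = enc(svc_key, {"key": k, "id": id_c, "ad": ad_c, "ts": now, "life": life})
    return enc(reply_key, {"key": k, "svc": svc, "ts": now, "life": life, "ticket": ticket})

def verify_ticket(svc_key, ticket, auth, src_addr, now, window=300):
    # TGS or V: open the ticket, open the authenticator with the session key inside it, cross-check name/address/time
    t = dec(svc_key, ticket)
    a = dec(bytes.fromhex(t["key"]), auth)
    if now > t["ts"] + t["life"] or abs(now - a["ts"]) > window:
        raise PermissionError("expired ticket or stale authenticator")
    if (a["id"], a["ad"]) != (t["id"], t["ad"]) or a["ad"] != src_addr:
        raise PermissionError("ticket presented by someone other than its owner")
    return bytes.fromhex(t["key"]), t
def tgs_exchange(ticket_tgs, auth, src_addr, now, id_v="v"):  # message (4): K_c,v and Ticket_v, under K_c,tgs
    k_c_tgs, t = verify_ticket(K_TGS, ticket_tgs, auth, src_addr, now)
    return issue(K_V, k_c_tgs, id_v, t["id"], t["ad"], now, 3600)
def server_exchange(ticket_v, auth, src_addr, now):  # message (6): authenticator timestamp + 1, under K_c,v
    k_c_v, _ = verify_ticket(K_V, ticket_v, auth, src_addr, now)
    return enc(k_c_v, {"ts": dec(k_c_v, auth)["ts"] + 1})

def run_dialogue(now=1_700_000_000, id_c="alice", ad_c="10.0.0.5"):
    # Client side of messages (1), (3), (5); returns the captured material so a replay can be tried afterwards
    m2 = dec(K_C, issue(K_TGS, K_C, "tgs", id_c, ad_c, now, 8 * 3600))  # message (2), readable only with K_C
    auth3 = enc(bytes.fromhex(m2["key"]), {"id": id_c, "ad": ad_c, "ts": now})
    m4 = dec(bytes.fromhex(m2["key"]), tgs_exchange(m2["ticket"], auth3, ad_c, now))
    auth5 = enc(bytes.fromhex(m4["key"]), {"id": id_c, "ad": ad_c, "ts": now + 1})
    m6 = dec(bytes.fromhex(m4["key"]), server_exchange(m4["ticket"], auth5, ad_c, now + 1))
    return {"mutual_ok": m6["ts"] == now + 2, "ticket_v": m4["ticket"], "auth5": auth5, "now": now}
```

Re-sending a captured ticket and authenticator later, or from another address, fails in verify_ticket, which is exactly the check the slides ask of the TGS and of V.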
