Key Management-Kerberos and PKI

Uploaded by

Devansh Gaur

Key Management

Compiled by
Dr. Avita Katal
Assistant Professor(SG)
School of Computer Science
UPES,Dehradun

Chapter 15
Objectives
• To explain the need for a key-distribution center
• To show how a KDC can create a session key
• To describe Kerberos as a KDC and an authentication protocol
• To explain the need for certification authorities for public keys
• To introduce the idea of a Public-Key Infrastructure (PKI) and explain some of its duties

15-1 SYMMETRIC-KEY DISTRIBUTION

Symmetric-key cryptography is more efficient than asymmetric-key cryptography for enciphering large messages. Symmetric-key cryptography, however, needs a shared secret key between two parties. The distribution of keys is another problem.

Topics discussed in this section:

15.1.1 Key-Distribution Center: KDC
15.1.2 Session Keys
15.1.1 Key-Distribution Center: KDC

Figure 15.1 Key-distribution center (KDC)

15.1.1 Continued

Flat Multiple KDCs

Figure 15.2 Flat multiple KDCs

15.1.1 Continued
Hierarchical Multiple KDCs

Figure 15.3 Hierarchical multiple KDCs

15.1.2 Session Keys
A KDC creates a secret key for each member. This secret
key can be used only between the member and the KDC,
not between two members.

Note
A session symmetric key between two parties is
used only once.

15.1.2 Continued
A Simple Protocol Using a KDC
Figure 15.4 First approach using KDC

15-2 KERBEROS

Kerberos is an authentication protocol, and at the same time a KDC, that has become very popular. Several systems, including Windows 2000, use Kerberos. Originally designed at MIT, it has gone through several versions.

A backbone network allows several LANs to be connected. In a backbone network, no station is directly connected to the backbone; the stations are part of a LAN, and the backbone connects the LANs.

Topics discussed in this section:

15.2.1 Servers
15.2.2 Operation
15.2.3 Using Different Servers
15.2.4 Kerberos Version 5
15.2.5 Realms
15.2.1 Servers
Figure 15.7 Kerberos servers

15.2.1 Continued

Authentication Server (AS)
The authentication server (AS) is the KDC in the Kerberos protocol.

Ticket-Granting Server (TGS)
The ticket-granting server (TGS) issues a ticket for the real server (Bob).

Real Server
The real server (Bob) provides services for the user (Alice).
15.2.2 Operation
Figure 15.8 Kerberos example

15.2.3 Using Different Servers

Note that if Alice needs to receive services from different servers, she needs to repeat only the last four steps.
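The following script is an added example written for this page; it is not the slides' or Forouzan's code. It simulates the exchange of Figure 15.8 (Alice asks the AS for a ticket-granting ticket, asks the TGS for a service ticket, then presents the ticket and an authenticator to Bob), which generalises the simple KDC protocol of 15.1.2: the AS is the KDC, and a fresh session key is issued for every request, so no session key is ever used twice. It also shows the point made above, reusing one TGT to obtain a second service ticket for a second server ("Carol", an assumed name) without repeating the AS exchange. The cipher is a stand-in built from SHA-256 and HMAC so the script runs on the standard library alone; real Kerberos uses AES-based encryption types. LIFETIME, SKEW, the principal names and all keys are constructed values.

```python
import hashlib
import hmac
import json
import os

# Toy authenticated encryption from the standard library (constructed for this
# example; real Kerberos uses AES-based encryption types, not this construction).
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def seal(key: bytes, fields: dict) -> bytes:
    pt = json.dumps(fields, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

LIFETIME, SKEW = 300, 120   # ticket lifetime and tolerated clock skew in seconds (assumed values)

def check_auth(ticket: dict, authenticator: bytes, now: float) -> bytes:
    # Used by both the TGS and Bob: the authenticator must be sealed under the
    # session key carried inside the ticket, name the same client, and be fresh.
    if now > ticket["expires"]:
        raise ValueError("ticket expired")
    key = bytes.fromhex(ticket["key"])
    auth = unseal(key, authenticator)
    if auth["client"] != ticket["client"] or abs(now - auth["timestamp"]) > SKEW:
        raise ValueError("authenticator rejected")
    return key

class KDC:
    """Authentication Server (AS) and Ticket-Granting Server (TGS) in one process."""
    def __init__(self, long_term_keys: dict):
        self.keys = long_term_keys      # one secret shared with each principal
        self.tgs_key = os.urandom(32)   # known only to the TGS

    def as_exchange(self, client: str, now: float) -> bytes:
        # Steps 1-2: K(Alice,TGS) for Alice plus a ticket-granting ticket sealed for the TGS.
        k_tgs = os.urandom(32)
        tgt = seal(self.tgs_key, {"client": client, "key": k_tgs.hex(), "expires": now + LIFETIME})
        return seal(self.keys[client], {"key": k_tgs.hex(), "tgt": tgt.hex()})

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, server: str, now: float) -> bytes:
        # Steps 3-4: verify the TGT, then issue a fresh K(Alice,Bob) and a ticket sealed for Bob.
        t = unseal(self.tgs_key, tgt)
        k_tgs = check_auth(t, authenticator, now)
        k_ab = os.urandom(32)           # a new session key for every request, never reused
        ticket = seal(self.keys[server], {"client": t["client"], "key": k_ab.hex(), "expires": now + LIFETIME})
        return seal(k_tgs, {"key": k_ab.hex(), "ticket": ticket.hex()})

class RealServer:
    """Bob: unseals the ticket, checks the authenticator, keeps a replay cache."""
    def __init__(self, key: bytes):
        self.key, self.seen = key, set()

    def accept(self, ticket: bytes, authenticator: bytes, now: float) -> bytes:
        # Steps 5-6: returns the session key that Alice and Bob now share.
        k_ab = check_auth(unseal(self.key, ticket), authenticator, now)
        if authenticator in self.seen:
            raise ValueError("authenticator replayed")
        self.seen.add(authenticator)
        return k_ab

def run_kerberos(delay: float = 0.0, now: float = 1_700_000_000.0) -> dict:
    """Alice -> AS -> TGS -> Bob, then only the last four steps again for Carol."""
    keys = {p: os.urandom(32) for p in ("alice", "bob", "carol")}   # constructed long-term keys
    kdc, servers = KDC(keys), {"bob": RealServer(keys["bob"]), "carol": RealServer(keys["carol"])}
    reply = unseal(keys["alice"], kdc.as_exchange("alice", now))
    k_tgs, tgt = bytes.fromhex(reply["key"]), bytes.fromhex(reply["tgt"])
    later = now + delay                 # a delay longer than LIFETIME makes the TGT expire
    result = {}
    for name, srv in servers.items():   # one TGT serves both service-ticket requests
        auth = seal(k_tgs, {"client": "alice", "timestamp": later})
        r = unseal(k_tgs, kdc.tgs_exchange(tgt, auth, name, later))
        k_ab, ticket = bytes.fromhex(r["key"]), bytes.fromhex(r["ticket"])
        auth2 = seal(k_ab, {"client": "alice", "timestamp": later})
        result[name] = srv.accept(ticket, auth2, later) == k_ab
    try:
        srv.accept(ticket, auth2, later)    # the same authenticator presented a second time
        result["replay_rejected"] = False
    except ValueError:
        result["replay_rejected"] = True
    return result

def tgt_expired(delay: float) -> bool:
    """True when the TGS refuses a TGT that is presented after its lifetime."""
    try:
        run_kerberos(delay=delay)
        return False
    except ValueError as exc:
        return str(exc) == "ticket expired"
```

Two defensive details worth noticing: Bob keeps a replay cache of authenticators he has already accepted, so a captured ticket/authenticator pair cannot be presented twice, and both the TGS and Bob reject a ticket whose lifetime has passed, which is the property that limits how long a stolen ticket stays useful.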

15.2.4 Kerberos Version 5

The minor differences between version 4 and version 5 are briefly listed below:

1) Version 5 has a longer ticket lifetime.
2) Version 5 allows tickets to be renewed.
3) Version 5 can accept any symmetric-key algorithm.
4) Version 5 uses a different protocol for describing data types.
5) Version 5 has more overhead than version 4.
15.2.5 Realms

Kerberos allows the global distribution of ASs and TGSs, with each system called a realm. A user may get a ticket for a local server or a remote server.
15-3 PUBLIC-KEY DISTRIBUTION

In asymmetric-key cryptography, people do not need to know a symmetric shared key; everyone shields a private key and advertises a public key.

Topics discussed in this section:

15.3.1 Public Announcement
15.3.2 Trusted Center
15.3.3 Controlled Trusted Center
15.3.4 Certification Authority
15.3.5 X.509
15.3.6 Public-Key Infrastructures (PKI)
15.3.1 Public Announcement

Figure 15.13 Announcing a public key

15.3.2 Trusted Center
Figure 15.14 Trusted center

15.3.3 Controlled Trusted Center
Figure 15.15 Controlled trusted center

15.3.4 Certification Authority
Figure 15.16 Certification authority

15.3.5 X.509

Certificate
Figure 15.17 shows the format of a certificate.

15.3.5 Continued

Certificate Renewal
Each certificate has a period of validity. If there is no problem with the certificate, the CA issues a new certificate before the old one expires.

Certificate Revocation
In some cases a certificate must be revoked before its expiration.

Delta Revocation
To make revocation more efficient, the delta certificate revocation list (delta CRL) has been introduced.
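The script below is an added example, not code from the slides or from any X.509 library, showing how the three ideas above fit together in a relying party's check: validity period first, then the base CRL merged with a delta CRL, plus a renewal-window test a CA or operator would run before the old certificate expires. The certificate and CRL classes keep only the fields needed here (a real certificate is DER-encoded and signed); the CA name, serial numbers, dates and reason codes are constructed sample data. The merge rule follows RFC 5280: a delta CRL lists serials revoked since the base it names, and the special reason removeFromCRL lifts a certificateHold that the base still carries.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

# Minimal stand-ins for the X.509 structures this example needs (constructed;
# a real certificate and CRL are DER-encoded and carry the CA's signature).
@dataclass
class Certificate:
    serial: int
    subject: str
    not_before: datetime
    not_after: datetime

@dataclass
class CRL:
    issuer: str
    crl_number: int
    revoked: Dict[int, str] = field(default_factory=dict)   # serial -> reason code
    base_crl_number: Optional[int] = None                   # set only on a delta CRL

def effective_revocations(base: CRL, delta: Optional[CRL] = None) -> Dict[int, str]:
    """Merge a delta CRL into its base. New entries are added; the reason
    'removeFromCRL' drops a serial (a lifted hold) that the base still lists."""
    revoked = dict(base.revoked)
    if delta is None:
        return revoked
    if delta.issuer != base.issuer or delta.base_crl_number != base.crl_number:
        raise ValueError("delta CRL does not extend this base CRL")
    for serial, reason in delta.revoked.items():
        if reason == "removeFromCRL":
            revoked.pop(serial, None)
        else:
            revoked[serial] = reason
    return revoked

def certificate_status(cert: Certificate, base: CRL, delta: Optional[CRL], now: datetime) -> str:
    # Validity period is checked before the CRL: CAs drop expired serials from
    # their lists, so an expired certificate must never be reported as "good".
    if now < cert.not_before:
        return "not yet valid"
    if now > cert.not_after:
        return "expired"
    revoked = effective_revocations(base, delta)
    if cert.serial in revoked:
        return "revoked: " + revoked[cert.serial]
    return "good"

def due_for_renewal(cert: Certificate, now: datetime, window: timedelta = timedelta(days=30)) -> bool:
    """Renewal is routine: the CA issues the replacement before the old one expires."""
    return now <= cert.not_after <= now + window

def sample_scenario() -> Dict[int, str]:
    """Constructed CA data: one base CRL, one delta CRL, five subject certificates."""
    utc = timezone.utc
    nb, na = datetime(2024, 1, 1, tzinfo=utc), datetime(2025, 1, 1, tzinfo=utc)
    certs = [
        Certificate(1001, "alice", nb, na),
        Certificate(1002, "bob", nb, na),
        Certificate(1003, "carol", nb, na),
        Certificate(1004, "dave", nb, na),
        Certificate(1005, "erin", datetime(2023, 1, 1, tzinfo=utc), datetime(2024, 1, 1, tzinfo=utc)),
    ]
    base = CRL("Example CA", crl_number=7,
               revoked={1002: "keyCompromise", 1004: "certificateHold"})
    delta = CRL("Example CA", crl_number=8, base_crl_number=7,
                revoked={1003: "cessationOfOperation", 1004: "removeFromCRL"})
    now = datetime(2024, 6, 15, tzinfo=utc)
    return {c.serial: certificate_status(c, base, delta, now) for c in certs}

def renewal_demo() -> tuple:
    """Same certificate checked mid-validity and again 22 days before expiry."""
    utc = timezone.utc
    cert = Certificate(1001, "alice", datetime(2024, 1, 1, tzinfo=utc), datetime(2025, 1, 1, tzinfo=utc))
    return (due_for_renewal(cert, datetime(2024, 6, 15, tzinfo=utc)),
            due_for_renewal(cert, datetime(2024, 12, 10, tzinfo=utc)))
```

The mismatch check in effective_revocations is the part most often skipped in hand-rolled validators: a delta CRL is only meaningful against the exact base CRL number it names, and applying it to an older or newer base can silently resurrect a revoked serial.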

15.3.6 Public-Key Infrastructures (PKI)

Figure 15.19 Some duties of a PKI

15.3.6 Continued
Trust Model

Figure 15.20 PKI hierarchical model

