2023年全國碩士研究生考試考研英語一試題真題(含答案詳解+作文范文)_第1頁
已閱讀1頁,還剩34頁未讀, 繼續(xù)免費閱讀

下載本文檔

版權(quán)說明:本文檔由用戶提供并上傳,收益歸屬內(nèi)容提供方,若內(nèi)容存在侵權(quán),請進行舉報或認領(lǐng)

文檔簡介

1、PART IV MUTUAL TRUST,第14章 密鑰管理與分發(fā)第15章 用戶認證,第15章 用戶認證,,User Authentication,fundamental security building blockbasis of access control & user accountabilityis the process of verifying an identity claimed by or for

2、a system entityhas two steps:identification - specify identifierverification - bind entity (person) and identifierdistinct from message authentication,Means of User Authentication,four means of authenticating user

3、9;s identity based one something the individual knows - e.g. password, PINpossesses - e.g. key, token, smartcardis (static biometrics) - e.g. fingerprint, retinadoes (dynamic biometrics) - e.g. voice, sign can use a

4、lone or combinedall can provide user authenticationall have issues,Authentication Protocols,used to convince parties of each others identity and to exchange session keys may be one-way or mutual key issues areconfid

5、entiality – to protect session keystimeliness – to prevent replay attacks,Replay Attacks,where a valid signed message is copied and later resentsimple replayrepetition that can be loggedrepetition that cannot be dete

6、ctedbackward replay without modificationcountermeasures includeuse of sequence numbers (generally impractical)timestamps (needs synchronized clocks)challenge/response (using unique nonce),One-Way Authentication,requ

7、ired when sender & receiver are not in communications at same time (eg. email)have header in clear so can be delivered by email systemmay want contents of body protected & sender authenticated,Using Symmetric E

8、ncryption,as discussed previously can use a two-level hierarchy of keysusually with a trusted Key Distribution Center (KDC)each party shares own master key with KDCKDC generates session keys used for connections betwe

9、en partiesmaster keys used to distribute these to them,Needham-Schroeder Protocol,original third-party key distribution protocol for session between A and B mediated by KDC protocol overview is1. A ? KDC: IDA || IDB |

10、| N12. KDC ? A: EKa[Ks || IDB || N1 || EKb[Ks||IDA] ]3. A ? B: EKb[Ks||IDA]4. B ? A: EKs[N2]5. A ? B: EKs[f(N2)],Needham-Schroeder Protocol,used to securely distribute a new session key for communications between

11、 A & Bbut is vulnerable to a replay attack if an old session key has been compromisedthen message 3 can be resent convincing B that is communicating with Amodifications to address this require:timestamps (Denning

12、 81)using an extra nonce (Neuman 93),One-Way Authentication,use refinement of KDC to secure emailsince B no online, drop steps 4 & 5protocol becomes:1. A ? KDC: IDA || IDB || N12. KDC ? A: E(Ka, [Ks||IDB||N1 ||

13、E(Kb,[Ks||IDA])])3. A ? B: E(Kb, [Ks||IDA]) || E(Ks, M)provides encryption & some authenticationdoes not protect from replay attack,Using Public-Key Encryption,have a range of approaches based on the use of public

14、-key encryptionneed to ensure have correct public keys for other partiesusing a central Authentication Server (AS)various protocols exist using timestamps or nonces,Denning AS Protocol,Denning 81 presented the followi

15、ng:1. A -> AS: IDA || IDB2. AS -> A: EPRas[IDA||PUa||T] || EPRas[IDB||PUb||T] 3. A -> B: EPRas[IDA||PUa||T] || EPRas[IDB||PUb||T] || EPUb[EPRa[Ks||T]] note session key is chosen by A, hence AS need not be tr

16、usted to protect ittimestamps prevent replay but require synchronized clocks,Kerberos,trusted key server system from MIT provides centralised private-key third-party authentication in a distributed networkallows users

17、 access to services distributed through networkwithout needing to trust all workstationsrather all trust a central authentication servertwo versions in use: 4 & 5,Kerberos Requirements,its first report identified

18、requirements as:securereliabletransparentscalableimplemented using an authentication protocol based on Needham-Schroeder,Kerberos v4 Overview,a basic third-party authentication schemehave an Authentication Server (

19、AS) users initially negotiate with AS to identify self AS provides a non-corruptible authentication credential (ticket granting ticket TGT) have a Ticket Granting server (TGS)users subsequently request access to othe

20、r services from TGS on basis of users TGTusing a complex protocol using DES,Kerberos v4 Dialogue,Kerberos 4 Overview,Kerberos Realms,a Kerberos environment consists ofa Kerberos servera number of clients, all register

21、ed with serverapplication servers, sharing keys with serverthis is termed a realmtypically a single administrative domainif have multiple realms, their Kerberos servers must share keys and trust,Kerberos Realms,Kerbe

22、ros Version 5,developed in mid 1990’sspecified as Internet standard RFC 1510provides improvements over v4addresses environmental shortcomingsencryption alg, network protocol, byte order, ticket lifetime, authenticati

23、on forwarding, inter-realm authand technical deficienciesdouble encryption, non-std mode of use, session keys, password attacks,Kerberos v5 Dialogue,Summary,have considered:authentication using symmetric encryptionau

24、thentication using asymmetric encryptionKerberos,Remote User Authentication,in Ch 14 saw use of public-key encryption for session key distributionassumes both parties have other’s public keysmay not be practicalhave

25、Denning protocol using timestampsuses central authentication server (AS) to provide public-key certificatesrequires synchronized clockshave Woo and Lam protocol using noncescare needed to ensure no protocol flaws,One

26、-Way Authentication,have public-key approaches for emailencryption of message for confidentiality, authentication, or bothmust now public keysusing costly public-key alg on long messagefor confidentiality encrypt mes

27、sage with one-time secret key, public-key encryptedfor authentication use a digital signaturemay need to protect by encrypting signatureuse digital certificate to supply public key,Federated Identity Management,use of

28、 common identity management schemeacross multiple enterprises & numerous applications supporting many thousands, even millions of users principal elements are:authentication, authorization, accounting, provisioni

29、ng, workflow automation, delegated administration, password synchronization, self-service password reset, federationKerberos contains many of these elements,Identity Management,Identity Federation,Standards Used,Securit

30、y Assertion Markup Language (SAML)XML-based language for exchange of security information between online business partnerspart of OASIS (Organization for the Advancement of Structured Information Standards) standards f

31、or federated identity managemente.g. WS-Federation for browser-based federationneed a few mature industry standards,Federated Identity Examples,One-Way Authentication,required when sender & receiver are not in comm

32、unications at same time (eg. email)have header in clear so can be delivered by email systemmay want contents of body protected & sender authenticated,Using Symmetric Encryption,can refine use of KDC but can’t have

33、final exchange of nonces, vis:1. A->KDC: IDA || IDB || N12. KDC -> A: EKa[Ks || IDB || N1 || EKb[Ks||IDA] ]3. A -> B: EKb[Ks||IDA] || EKs[M] does not protect against replayscould rely on timestamp in messag

34、e, though email delays make this problematic,Public-Key Approaches,have seen some public-key approachesif confidentiality is major concern, can use:A->B: EPUb[Ks] || EKs[M]has encrypted session key, encrypted messa

35、geif authentication needed use a digital signature with a digital certificate:A->B: M || EPRa[H(M)] || EPRas[T||IDA||PUa] with message, signature, certificate,Summary,have discussed:digital signaturesauthenticati

溫馨提示

  • 1. 本站所有資源如無特殊說明,都需要本地電腦安裝OFFICE2007和PDF閱讀器。圖紙軟件為CAD,CAXA,PROE,UG,SolidWorks等.壓縮文件請下載最新的WinRAR軟件解壓。
  • 2. 本站的文檔不包含任何第三方提供的附件圖紙等,如果需要附件,請聯(lián)系上傳者。文件的所有權(quán)益歸上傳用戶所有。
  • 3. 本站RAR壓縮包中若帶圖紙,網(wǎng)頁內(nèi)容里面會有圖紙預(yù)覽,若沒有圖紙預(yù)覽就沒有圖紙。
  • 4. 未經(jīng)權(quán)益所有人同意不得將文件中的內(nèi)容挪作商業(yè)或盈利用途。
  • 5. 眾賞文庫僅提供信息存儲空間,僅對用戶上傳內(nèi)容的表現(xiàn)方式做保護處理,對用戶上傳分享的文檔內(nèi)容本身不做任何修改或編輯,并不能對任何下載內(nèi)容負責(zé)。
  • 6. 下載文件中如有侵權(quán)或不適當(dāng)內(nèi)容,請與我們聯(lián)系,我們立即糾正。
  • 7. 本站不保證下載資源的準(zhǔn)確性、安全性和完整性, 同時也不承擔(dān)用戶因使用這些下載資源對自己和他人造成任何形式的傷害或損失。

評論

0/150

提交評論