Unit-6
Network and System Security: Authentication Applications
Authentication applications are mechanisms that verify the identity of users and systems before granting
access to sensitive resources. Two major authentication systems are Kerberos and X.509 certificates.
1. Kerberos
Purpose:
• Kerberos is a network authentication protocol designed to provide strong authentication for
client/server applications using secret-key cryptography.
Developed by:
• MIT as part of Project Athena (1980s)
Key Features:
• Uses symmetric cryptography (shared secret keys).
• No passwords sent over the network.
• Protects against eavesdropping and replay attacks.
• Centralized Authentication Server.
Components in Kerberos:
| Component | Role |
|---|---|
| KDC (Key Distribution Center) | Central server that issues tickets. It has two parts: 1. Authentication Server (AS) 2. Ticket Granting Server (TGS) |
| AS (Authentication Server) | Verifies user's identity and provides a Ticket Granting Ticket (TGT). |
| TGS (Ticket Granting Server) | Issues service tickets based on TGTs for accessing different network services. |
| Client | A user or process requesting service. |
| Server | A resource or service that the client wants to access. |
Kerberos Authentication Process (Steps):
1. User Login:
o User enters username and password (locally).
2. Request Authentication (AS_REQ):
o The client sends a request to the Authentication Server (AS).
o The request includes the username but NOT the password.
3. AS Issues TGT (AS_REP):
o The AS verifies the user’s credentials.
o AS sends back:
▪ TGT (Ticket Granting Ticket) encrypted with the TGS's key.
▪ Session key (between client and TGS) encrypted with the user's password-derived
key.
4. Client Requests Service Ticket (TGS_REQ):
o Using the TGT, the client requests access to a specific service from TGS.
5. TGS Issues Service Ticket (TGS_REP):
o TGS issues a Service Ticket for the target server.
6. Client Accesses Service:
o The client presents the Service Ticket to the server.
o Server authenticates the client and establishes a session.
Important Concepts in Kerberos:
• Tickets:
Small, encrypted data structures that grant access rights.
• Session Key:
A temporary symmetric key for secure communication.
• Lifetime of Tickets:
Tickets are valid for a limited time to enhance security.
• Replay Attack Protection:
Use of timestamps to detect replayed requests.
• Mutual Authentication:
Both client and server verify each other's identity.
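The six steps above, together with the ticket-lifetime and timestamp replay checks, as an added example that is not part of the original notes. It uses a toy encrypt-then-MAC construction in place of a real Kerberos encryption type, and the function names, the account and the 600 s / 300 s limits are assumptions; the "authenticator" is the timestamped message a Kerberos client encrypts under the session key to prove it holds that key.

```python
import hashlib, hmac, json, os

def _stream(key, nonce, n):
    return b"".join(hashlib.sha256(key + nonce + bytes([i])).digest() for i in range(n // 32 + 1))

def seal(key, obj):  # toy encrypt-then-MAC, a stand-in for a real Kerberos enctype
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

def pw_key(user, password):  # password-derived key; the password itself is never sent
    return hashlib.pbkdf2_hmac("sha256", password.encode(), user.encode(), 10_000)

KDC_USERS = {"alice": pw_key("alice", "constructed-passphrase")}  # constructed account
K_TGS, K_SERVICE = os.urandom(32), os.urandom(32)  # long-term keys of TGS and service

def issue(ticket_key, reply_key, user, now):  # done by the AS and by the TGS
    sk = os.urandom(32).hex()  # fresh session key, copied into ticket and reply
    ticket = seal(ticket_key, {"user": user, "sk": sk, "exp": now + 600})
    return ticket, seal(reply_key, {"sk": sk})

def check(ticket_key, ticket, authenticator, now, seen):  # done by TGS and service
    t = unseal(ticket_key, ticket)
    a = unseal(bytes.fromhex(t["sk"]), authenticator)
    if now > t["exp"]:
        raise ValueError("ticket expired")
    if a["user"] != t["user"] or abs(now - a["ts"]) > 300:
        raise ValueError("authenticator outside clock-skew window")
    if authenticator in seen:
        raise ValueError("replayed authenticator")
    seen.add(authenticator)
    return t

def login_and_request(user, password, now):
    tgt, as_rep = issue(K_TGS, KDC_USERS[user], user, now)             # AS: steps 2-3
    sk_tgs = bytes.fromhex(unseal(pw_key(user, password), as_rep)["sk"])  # client
    auth = seal(sk_tgs, {"user": user, "ts": now})                     # client: step 4
    t = check(K_TGS, tgt, auth, now, set())                            # TGS opens the TGT
    st, tgs_rep = issue(K_SERVICE, bytes.fromhex(t["sk"]), user, now)  # TGS: step 5
    sk_svc = bytes.fromhex(unseal(sk_tgs, tgs_rep)["sk"])              # client
    return st, seal(sk_svc, {"user": user, "ts": now})                 # sent in step 6
```

The service calls `check(K_SERVICE, ticket, authenticator, now, seen)` on what the client presents; a second presentation of the same authenticator, an expired ticket, or a wrong password at login each raise `ValueError`.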
2. X.509 Certificates
Purpose:
• X.509 is a standard for public key certificates, used in asymmetric cryptography.
• It's a part of the Public Key Infrastructure (PKI) for secure communications.
Developed by:
• ITU-T (International Telecommunication Union)
Key Features:
• Provides identity verification using digital certificates.
• Based on public key cryptography (RSA, ECC, etc.).
• Supports authentication, confidentiality, and integrity.
Structure of an X.509 Certificate:
| Field | Description |
|---|---|
| Version | Specifies which X.509 version is used (v1, v2, v3). |
| Serial Number | Unique ID assigned by Certificate Authority (CA). |
| Signature Algorithm | The algorithm used to sign the certificate (e.g., SHA-256 with RSA). |
| Issuer | The CA that issued the certificate. |
| Validity Period | Start and end dates during which the certificate is valid. |
| Subject | Entity the certificate belongs to (e.g., domain name, person). |
| Subject Public Key Info | The public key and algorithm associated with the subject. |
| Extensions (v3 only) | Optional fields like Key Usage, Alternative Names, Certificate Policies. |
| Signature | Digital signature by the issuer to validate the certificate's authenticity. |
Key Concepts:
• Certificate Authority (CA):
Trusted third party that issues certificates.
• Registration Authority (RA):
Verifies the entity’s identity before the CA issues a certificate.
• Certificate Revocation List (CRL):
List of certificates that have been revoked before their expiry date.
• Online Certificate Status Protocol (OCSP):
Protocol to check certificate status in real-time.
• Chain of Trust:
o Certificates can be verified through a hierarchy of trust.
o A root CA signs intermediate CAs, which then sign end-entity certificates.
X.509 Authentication Process (Simplified):
1. Server Sends Certificate:
During SSL/TLS handshake, the server sends its X.509 certificate to the client.
2. Client Verifies Certificate:
The client checks:
o Certificate’s signature.
o Whether the certificate is issued by a trusted CA.
o Certificate validity dates.
o Revocation status.
3. Secure Session Setup:
If verification passes, the client proceeds with encrypted communication using the server’s
public key.
Quick Comparison: Kerberos vs X.509
| Aspect | Kerberos | X.509 |
|---|---|---|
| Type of Cryptography | Symmetric (secret key) | Asymmetric (public/private keys) |
| Main Entity | Authentication Server (AS) + TGS | Certificate Authority (CA) |
| Primary Use | Authentication within a trusted domain (e.g., corporate networks) | Secure communication across open, untrusted networks (e.g., internet) |
| Authentication Mechanism | Ticket-based authentication | Digital certificates and signatures |
| Replay Attack Protection | Yes (timestamps) | Yes (fresh keys, timestamps in protocols) |
Summary
• Kerberos: Good for internal networks (e.g., company intranets) where centralized control is
possible.
• X.509: Ideal for global communications (e.g., websites, SSL/TLS) where public trust via CAs is
needed.
Secure Electronic Transaction (SET)
Purpose:
• SET is a standard protocol for securing credit card transactions over the Internet.
• Developed by Visa and Mastercard (with IBM, Microsoft, etc.).
Key Goals:
• Ensure confidentiality of payment information.
• Ensure integrity of transaction data.
• Authenticate cardholders and merchants.
• Prevent fraud and data theft.
Participants in SET:
| Participant | Role |
|---|---|
| Cardholder | Person who owns a credit card and makes purchases. |
| Merchant | Seller of goods/services accepting card payments. |
| Issuer | Bank that issued the card to the cardholder. |
| Acquirer | Merchant’s bank (processes card payments). |
| Payment Gateway | Connects merchant to payment networks. |
| Certification Authority (CA) | Issues digital certificates to parties to authenticate identities. |
Important Concepts in SET:
• Digital Certificates:
o Issued to both cardholders and merchants.
o Based on X.509 certificates.
• Dual Signature:
o Mechanism that securely links order information (OI) and payment information (PI)
without revealing one to the other.
o Protects privacy and integrity.
• Encryption Methods:
o Symmetric Encryption: Used for protecting transaction data (fast).
o Asymmetric Encryption: Used for key exchange and authentication (RSA).
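The dual signature described above, as an added example that is not part of the original notes: the cardholder signs the hash of the two message digests, so the merchant can verify it from the OI plus the PI digest, and the payment gateway from the PI plus the OI digest. The toy RSA key, the use of SHA-256 (SET itself specified SHA-1) and all names and sample messages are assumptions made for illustration.

```python
import hashlib

# Toy cardholder RSA key built from two known Mersenne primes (constructed;
# far too small for real use and with no padding scheme).
P, Q, E = 2**127 - 1, 2**107 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent

def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def rsa_sign(digest: bytes) -> int:
    return pow(int.from_bytes(digest, "big") % N, D, N)

def rsa_verify(digest: bytes, sig: int) -> bool:
    return pow(sig, E, N) == int.from_bytes(digest, "big") % N

def dual_sign(oi: bytes, pi: bytes) -> int:
    # Cardholder: DS = Sign(H(H(PI) || H(OI)))
    return rsa_sign(h(h(pi) + h(oi)))

def merchant_verify(oi: bytes, pi_digest: bytes, ds: int) -> bool:
    # Merchant holds the order and only the digest of the payment data.
    return rsa_verify(h(pi_digest + h(oi)), ds)

def gateway_verify(pi: bytes, oi_digest: bytes, ds: int) -> bool:
    # Gateway holds the payment data and only the digest of the order.
    return rsa_verify(h(h(pi) + oi_digest), ds)

# Constructed sample messages.
OI = b"order=1001;item=book;total=25.00"
PI = b"card=0000000000000000;amount=25.00"
DS = dual_sign(OI, PI)
```

Because both digests sit under one signature, pairing the payment with a different order changes the signed value and verification fails at either party.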
SET Transaction Steps (Simplified):
1. Initialization:
o Cardholder and merchant obtain digital certificates.
2. Purchase Request:
o Cardholder sends order information + payment information, both encrypted and digitally
signed (using dual signature).
3. Merchant Processing:
o Merchant verifies cardholder’s certificate and signature.
o Sends payment information to payment gateway.
4. Authorization Request:
o Payment gateway requests authorization from the issuer bank.
5. Authorization Response:
o Issuer bank sends authorization back.
6. Confirmation:
o Merchant confirms the purchase to the cardholder.
7. Clearing and Settlement:
o Payment is transferred from the cardholder’s bank to the merchant’s bank.
System Security: Intruders
Intruders are individuals (or software) that attempt unauthorized access to systems.
Types of Intruders:
| Type | Description |
|---|---|
| Masquerader | An unauthorized person who gains access by pretending to be an authorized user. |
| Misfeasor | An authorized user who misuses their privileges. |
| Clandestine User | A user who seizes control to evade audits and access controls. |
Intrusion Techniques:
• Password guessing/brute-force.
• Exploitation of system/software vulnerabilities.
• Phishing and social engineering.
• Insider threats.
Intrusion Detection Systems (IDS):
| Type | Function |
|---|---|
| Host-based IDS (HIDS) | Monitors activities on individual computers. |
| Network-based IDS (NIDS) | Monitors network traffic for suspicious activities. |
Detection Approaches:
• Signature-based (pattern matching).
• Anomaly-based (deviation from normal behavior).
System Security: Viruses
Computer Viruses are programs that can replicate themselves and spread to other files or systems, usually
with malicious intent.
Virus Lifecycle:
1. Dormant Phase:
o Virus is idle, awaiting activation.
2. Propagation Phase:
o Virus copies itself into other programs or files.
3. Triggering Phase:
o Specific conditions activate the virus.
4. Execution Phase:
o Virus carries out its malicious function (e.g., data corruption).
Types of Viruses:
| Type | Description |
|---|---|
| File Infector | Infects executable files (.exe, .com). |
| Boot Sector Virus | Infects the master boot record (MBR) of a hard disk. |
| Macro Virus | Infects applications like MS Word using macros. |
| Polymorphic Virus | Changes its code to avoid detection. |
| Metamorphic Virus | Rewrites itself entirely when spreading. |
Other Malware Related:
• Worms:
Standalone software that self-replicates over networks.
• Trojans:
Malicious code disguised as legitimate software.
• Ransomware:
Encrypts user data and demands payment.
Firewall Design Principles
Firewalls are security systems that monitor and control incoming and outgoing network traffic based on
predetermined security rules.
Objectives of a Firewall:
• Enforce a security policy.
• Restrict access between networks.
• Hide internal network details from outsiders.
• Log and audit traffic for analysis.
Firewall Design Features:
| Feature | Description |
|---|---|
| Packet Filtering | Inspects packet headers and filters traffic based on IP address, port, or protocol. |
| Stateful Inspection | Tracks active connections and only allows packets matching a valid connection. |
| Proxy Service | Acts as an intermediary between users and services. |
| Application Gateway | Filters traffic based on specific application data (e.g., HTTP, FTP). |
Types of Firewalls:
| Type | Description |
|---|---|
| Packet Filtering Firewall | Operates at the network layer; basic and fast. |
| Stateful Firewall | Maintains state information about connections. |
| Application-level Gateway (Proxy Firewall) | Deep packet inspection at the application level. |
| Circuit-level Gateway | Manages TCP handshakes and sessions without inspecting packet contents. |
| Next-Generation Firewall (NGFW) | Combines packet inspection, stateful filtering, intrusion prevention, and deep packet inspection. |
Placement of Firewalls:
• Between internal network and the internet.
• Between different segments of an internal network (e.g., separating sensitive servers).
Best Practices for Firewall Design:
• Default Deny Policy: Block all traffic unless explicitly permitted.
• Regular Updates: Keep firewall rules and firmware up-to-date.
• Segmentation: Use DMZ (Demilitarized Zone) for public-facing services.
• Logging and Monitoring: Maintain detailed logs of all firewall activities.
• Redundancy: Use failover firewalls for high availability.
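Packet filtering and stateful inspection compared under a default-deny policy, as an added example that is not part of the original notes. The address range, the allowed ports and all names are assumptions, and the model ignores TCP flags and connection timeouts.

```python
import ipaddress
from typing import NamedTuple

class Packet(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int

INSIDE = ipaddress.ip_network("10.0.0.0/8")  # constructed internal range
ALLOW_OUT_PORTS = {53, 443}                  # constructed policy: outbound DNS and HTTPS

def is_inside(addr: str) -> bool:
    return ipaddress.ip_address(addr) in INSIDE

def stateless_filter(p: Packet) -> str:
    # A packet filter judges each header alone, so replies need a standing
    # "inbound from source port 53/443" rule that matches on the port only.
    if is_inside(p.src) and p.dport in ALLOW_OUT_PORTS:
        return "ACCEPT"
    if is_inside(p.dst) and p.sport in ALLOW_OUT_PORTS:
        return "ACCEPT"
    return "DROP"  # default deny

class StatefulFirewall:
    def __init__(self):
        self.table = set()  # connections opened from the inside

    def filter(self, p: Packet) -> str:
        if is_inside(p.src) and p.dport in ALLOW_OUT_PORTS:
            self.table.add((p.src, p.sport, p.dst, p.dport))
            return "ACCEPT"
        if (p.dst, p.dport, p.src, p.sport) in self.table:
            return "ACCEPT"  # reply that matches a tracked connection
        return "DROP"        # default deny

# Constructed packets: an outbound request, its reply, and an unsolicited inbound packet.
OUT = Packet("10.0.0.5", 50000, "203.0.113.10", 443)
REPLY = Packet("203.0.113.10", 443, "10.0.0.5", 50000)
UNSOLICITED = Packet("198.51.100.7", 443, "10.0.0.9", 22)
```

The stateless filter accepts `UNSOLICITED` because only its source port is examined, while the stateful firewall drops it and accepts `REPLY` only after it has seen `OUT`.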
Summary:
• SET: Secure credit card transactions (certificates + dual signatures).
• Intruders: Masqueraders, Misfeasors, Clandestine users.
• Viruses: Malware that infects systems — file, boot, macro, polymorphic.
• Firewalls: Protect networks using packet filtering, stateful inspection, proxies.