Authentication2

Authentication2 - Certificate Authorities(CA KDCs are used...


Certificate Authorities (CA)

KDCs are used to facilitate authentication in a network that relies on secret key cryptography. Certificate Authorities are a similar mechanism for allowing authentication that relies on public key cryptography.

A CA is a trusted node that maintains the public keys for all nodes (each node maintains its own private key). If a new node is inserted in the network, only that new node and the CA need to be configured with the public key for that node.

A CA is involved in authenticating users by generating certificates. A certificate for User X is a message containing “X” and X’s public key, signed with the CA’s private key.

X’s certificate: [“X”, (n,e)_X, Expiration Time]_CA

X keeps the same certificate as long as he has the same public key. X appends the certificate to his messages. Since everyone knows the CA’s public key, they can verify the CA’s signature on the certificate and so learn X’s public key.

The Certificate Authority model may have some advantages:

1. The CA does not need to be online. As a result,
   A. It is more secure than KDC
   B. It is not a performance bottleneck
2. If the CA were to crash, then nodes that already have their certificates can still operate.
3. Certificates are not security sensitive. A saboteur could delete certificates, but not create fake ones or modify existing ones in any way, since only the CA can generate signatures.
4. A compromised CA cannot decrypt conversations. A compromised CA could fool users into accepting a bogus public key and then carry out transactions with users. They still could not decrypt any previously encrypted messages where the real public key was used.

One problem with the Certificate Authority model is how to handle certificates that refer to a deleted user or node.

1. What if User X is given a certificate for communication with User Z and User Z is removed from the system before it expires?
2. User X will still use his certificate until the expiration time passes.
3. What kind of harm can this do?
4. User X can still exchange messages with User Z using his unexpired certificate.

Solution: Maintain a Certificate Revocation List (CRL) at the CA.

A certificate is valid if:
(1) it has a valid CA signature
(2) it has not expired
(3) it is not listed in the CA’s CRL

Certificates typically have an associated expiration time, typically on the order of months (too long to wait if a certificate needs to be revoked). The CA maintains a Certificate Revocation List (CRL). A CRL is issued periodically by the CA and contains all the revoked certificates. Each transaction is checked against the CRL.

The X.509 standard has a defined format for storing a certificate as well as a CRL. An X.509 CRL includes a list of serial numbers of unexpired revoked certificates and an issue time for the CRL.

Password Policy Review

As mentioned before, passwords can be stolen, copied and guessed....
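The three certificate validity rules from the CA notes above (valid CA signature, not expired, not on the CRL), worked through as an added example that is not part of the original course notes. It assumes a toy CA key (textbook RSA without padding), integer timestamps, and made-up function names and field layout; a serial number is added to the signed fields so the CRL can refer to certificates the way an X.509 CRL does.

```python
import hashlib

# Constructed toy CA key pair: textbook RSA over two Mersenne primes, no padding.
# Illustration only; real CAs use X.509 with standard signature schemes.
_P, _Q = 2**61 - 1, 2**89 - 1
CA_N, CA_E = _P * _Q, 65537
_CA_D = pow(CA_E, -1, (_P - 1) * (_Q - 1))  # CA's private exponent

def _digest(serial, subject, pubkey, expires):
    """Hash the signed fields ["X", (n,e)_X, Expiration Time] plus a serial."""
    body = repr((serial, subject, pubkey, expires)).encode()
    return int.from_bytes(hashlib.sha256(body).digest(), "big") % CA_N

def ca_issue(serial, subject, pubkey, expires):
    """CA side: sign the certificate fields with the CA's private key."""
    sig = pow(_digest(serial, subject, pubkey, expires), _CA_D, CA_N)
    return {"serial": serial, "subject": subject, "pubkey": pubkey,
            "expires": expires, "sig": sig}

def check_certificate(cert, crl_serials, now):
    """Relying-party side: apply the three validity rules in order."""
    expected = _digest(cert["serial"], cert["subject"],
                       cert["pubkey"], cert["expires"])
    if pow(cert["sig"], CA_E, CA_N) != expected:
        return "bad signature"      # rule 1: only the CA can produce sig
    if now >= cert["expires"]:
        return "expired"            # rule 2
    if cert["serial"] in crl_serials:
        return "revoked"            # rule 3: serial appears on the CA's CRL
    return "valid"

# Constructed sample data: times are plain integers, keys are placeholders.
NOW = 1_000
cert_x = ca_issue(1, "X", (3233, 17), expires=2_000)
cert_z = ca_issue(2, "Z", (2773, 17), expires=2_000)
CRL = {2}  # Z was removed from the system before its certificate expired

if __name__ == "__main__":
    altered = dict(cert_x, pubkey=(9999, 17))  # public key changed after signing
    for name, cert, t in [("X", cert_x, NOW), ("Z", cert_z, NOW),
                          ("X after expiry", cert_x, 2_500),
                          ("X altered", altered, NOW)]:
        print(name, "->", check_certificate(cert, CRL, t))
```

Z's certificate still carries a good signature and an unexpired date, so only the CRL lookup stops it from being accepted.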

This note was uploaded on 10/13/2008 for the course CSC 405 taught by Professor Carter during the Spring '08 term at N.C. State.
