Chapter 14 Authentication Applications

Description

Chapter 14 Authentication Applications. What is a network security protocol? A network security protocol is a set of rules and specifications that lets people exchange information securely over a network. Such protocols exist at the application layer, the transport layer and the network layer. Commonly used application-layer security protocols: the authentication service for open network systems (Kerberos), Secure Electronic Transaction (SET) and secure electronic mail (Privacy Enhanced Mail, PEM). (PowerPoint presentation.)

  • Chapter 14 Authentication Applications

  • Outline
    Kerberos
    Secure Electronic Transaction (SET)
    Privacy Enhanced Mail (PEM)

  • Kerberos
    supports application-level authentication; developed at MIT
    provides centralized third-party authentication in a distributed network, built on symmetric (secret-key) cryptography: the "private key" in the original wording is the secret key a user shares with the Kerberos server, not the private half of a public-key pair
    lets users reach services distributed across the network without having to trust every workstation; instead all parties trust a central authentication server
    two versions were in use when the slides were written, 4 and 5; version 4 has since been retired and current deployments use version 5 (RFC 4120)

  • Kerberos Requirements
    the first published report identified its requirements as:
    security
    reliability
    transparency
    scalability
    implemented using an authentication protocol based on Needham-Schroeder

  • Kerberos client-server architecture (figure): users, server hosts, the Ticket Granting Server (TGS) and the Authentication Server (AS); the AS and TGS together form the Kerberos server
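The exchange behind the figure above, as an added example (not from the slides and not MIT's Kerberos code): a Python simulation of the Kerberos version 4 dialogue with the Authentication Server, the Ticket Granting Server and an application server as separate parties, each holding only the keys the protocol gives it. The principal names (alice, krbtgt, fileserver), the password, the ticket lifetimes and the SHA-256/HMAC construction used in place of DES are this example's own assumptions; the message contents follow the AS, TGS and client/server exchanges. It also shows the checks a verifier performs on an authenticator (principal binding, clock skew, replay cache), which the slides only imply.

```python
import hashlib, hmac, json, os, time

# Toy authenticated encryption standing in for Kerberos' DES/AES (assumption: good enough
# to show the protocol, never for production): SHA-256 keystream plus an HMAC-SHA256 tag.
def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def seal(key: bytes, obj: dict) -> bytes:
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def user_key(password: str) -> bytes:
    return hashlib.sha256(password.encode()).digest()   # K_c: derived from the user's password

CLOCK_SKEW = 300   # seconds of tolerated clock drift, the usual Kerberos default

def check_authenticator(auth: dict, ticket_client: str, now: int, seen: set) -> None:
    """What every verifier does with an authenticator: principal binding, freshness, replay."""
    if auth["client"] != ticket_client:
        raise ValueError("authenticator/ticket principal mismatch")
    if abs(now - auth["ts"]) > CLOCK_SKEW:
        raise ValueError("authenticator stale")
    if (auth["client"], auth["ts"]) in seen:
        raise ValueError("replayed authenticator")
    seen.add((auth["client"], auth["ts"]))

class KDC:
    """Authentication Server (AS) and Ticket Granting Server (TGS) over one principal database."""
    def __init__(self):
        self.principals = {"alice": user_key("correct horse"),      # K_c
                           "krbtgt": os.urandom(32),                # K_tgs
                           "fileserver": os.urandom(32)}            # K_v
        self.seen = set()
    def as_exchange(self, client: str, now: int) -> bytes:
        # Msg 2: E(K_c, [K_c,tgs || ID_tgs || TS2 || Lifetime2 || Ticket_tgs])
        k_c_tgs = os.urandom(32).hex()
        tgt = seal(self.principals["krbtgt"],
                   {"skey": k_c_tgs, "client": client, "issued": now, "life": 3600})
        return seal(self.principals[client],
                    {"skey": k_c_tgs, "tgs": "krbtgt", "ts": now, "life": 3600, "ticket": tgt.hex()})
    def tgs_exchange(self, service: str, tgt_blob: bytes, auth_blob: bytes, now: int) -> bytes:
        # Msg 3 in: ID_v || Ticket_tgs || Authenticator_c
        tgt = unseal(self.principals["krbtgt"], tgt_blob)
        if now > tgt["issued"] + tgt["life"]:
            raise ValueError("TGT expired")
        k_c_tgs = bytes.fromhex(tgt["skey"])
        check_authenticator(unseal(k_c_tgs, auth_blob), tgt["client"], now, self.seen)
        k_c_v = os.urandom(32).hex()
        ticket_v = seal(self.principals[service],
                        {"skey": k_c_v, "client": tgt["client"], "issued": now, "life": 600})
        # Msg 4: E(K_c,tgs, [K_c,v || ID_v || TS4 || Ticket_v])
        return seal(k_c_tgs, {"skey": k_c_v, "service": service, "ts": now, "ticket": ticket_v.hex()})

class Server:
    """Application server V: holds only its own key K_v and never sees the user's K_c."""
    def __init__(self, name: str, key: bytes):
        self.name, self.key, self.seen = name, key, set()
    def ap_exchange(self, ticket_blob: bytes, auth_blob: bytes, now: int) -> bytes:
        # Msg 5 in: Ticket_v || Authenticator_c.  Msg 6 out: E(K_c,v, TS5 + 1), mutual authentication
        ticket = unseal(self.key, ticket_blob)
        if now > ticket["issued"] + ticket["life"]:
            raise ValueError("service ticket expired")
        k_c_v = bytes.fromhex(ticket["skey"])
        auth = unseal(k_c_v, auth_blob)
        check_authenticator(auth, ticket["client"], now, self.seen)
        return seal(k_c_v, {"ts": auth["ts"] + 1})

def client_login(kdc, server, password, now=None, client="alice"):
    """Run the whole exchange as the client; returns (mutual_auth_ok, ticket_v, authenticator)."""
    now = int(time.time()) if now is None else now
    m2 = unseal(user_key(password), kdc.as_exchange(client, now))   # a wrong password fails here
    k_c_tgs = bytes.fromhex(m2["skey"])
    auth3 = seal(k_c_tgs, {"client": client, "ts": now})
    m4 = unseal(k_c_tgs, kdc.tgs_exchange(server.name, bytes.fromhex(m2["ticket"]), auth3, now))
    k_c_v, ticket_v = bytes.fromhex(m4["skey"]), bytes.fromhex(m4["ticket"])
    auth5 = seal(k_c_v, {"client": client, "ts": now})
    m6 = unseal(k_c_v, server.ap_exchange(ticket_v, auth5, now))
    return m6["ts"] == now + 1, ticket_v, auth5

def failure(fn, *args):   # reason a protocol step was rejected, or None if it succeeded
    try:
        fn(*args)
        return None
    except ValueError as e:
        return str(e)

if __name__ == "__main__":
    kdc = KDC()
    srv = Server("fileserver", kdc.principals["fileserver"])
    ok, ticket, auth = client_login(kdc, srv, "correct horse")
    print("mutual auth:", ok, "| replay:", failure(srv.ap_exchange, ticket, auth, int(time.time())))
```

Two points the code makes concrete: the client never sends its password anywhere (a wrong password simply fails to decrypt message 2, so the AS cannot distinguish a typo from an attacker, which is why version 5 added pre-authentication), and the service ticket alone is not enough, since the server also demands a fresh authenticator under the session key and keeps a replay cache for the skew window.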

  • Secure Electronic Transaction (SET)
    open encryption and security specification to protect Internet credit card transactions
    developed in 1996 by MasterCard, Visa and others
    not a payment system; rather a set of security protocols and formats
    secures communications amongst the parties
    trust derives from the use of X.509v3 certificates
    privacy: information is restricted to those who need it
    SET never achieved wide deployment and is now mainly of historical interest; the dual signature idea below is still worth understanding

  • SET participants (figure): cardholder (electronic wallet software), merchant server, payment gateway, certificate authority

  • SET Technology
    security services: confidentiality (privacy), integrity, non-repudiation, authentication

    cryptographic modules: DES, RSA, CDMF; random number generator; hash functions SHA-1, MD5; digital signature with RSA public-key cryptography
    authentication module: PKCS#1, #5, #7; X.509 v3 certificates; certificate policy; certificate authority

  • SET Transaction
    1. customer opens an account
    2. customer receives a certificate
    3. merchants have their own certificates
    4. customer places an order
    5. merchant is verified by its certificate
    6. order and payment are sent
    7. merchant requests payment authorization
    8. merchant confirms the order
    9. merchant provides the goods or service
    10. merchant requests payment

  • Dual Signature
    the customer creates two messages: order information (OI) for the merchant and payment information (PI) for the bank
    neither party needs the details of the other, but each must be able to confirm that the two are linked
    a dual signature provides this: DS = E(KRc, H(H(PI) || H(OI))), the customer's signature over the hash of the concatenated hashes of PI and OI
    the merchant receives OI and H(PI); the bank receives PI and H(OI); each recomputes the outer hash and verifies DS without ever seeing the other's data

  • Cardholder Sends Purchase Request

  • Merchant Verifies Purchase Request
    verifies the cardholder's certificates using the CA signatures
    verifies the dual signature using the customer's public signature key, to ensure the order has not been tampered with in transit and that it was signed with the cardholder's private signature key
    processes the order and forwards the payment information to the payment gateway for authorization (described later)
    sends a purchase response to the cardholder

  • Payment Gateway Authorization
    verifies all certificates
    decrypts the digital envelope of the authorization block to obtain the symmetric key, then decrypts the authorization block
    verifies the merchant's signature on the authorization block
    decrypts the digital envelope of the payment block to obtain the symmetric key, then decrypts the payment block
    verifies the dual signature on the payment block
    verifies that the transaction ID received from the merchant matches the one in the PI received (indirectly) from the customer
    requests and receives an authorization from the issuer
    sends an authorization response back to the merchant
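The dual signature construction and the two verifications above (the merchant's with OI and H(PI), the gateway's with PI and H(OI), plus the gateway's transaction-ID check), as an added example that is not SET's own code or the slides' material. A textbook RSA signer with freshly generated keys stands in for the PKCS#1 signatures SET specified; the field layout of OI and PI (semicolon-separated key=value pairs with a tx field) and the sample values are this example's own assumptions.

```python
import hashlib
import math
import random

# Toy textbook RSA (no padding) standing in for the RSA/PKCS#1 signatures SET specified.
# Assumption: enough to show the dual-signature construction, not a production signer.
def _probable_prime(n: int, rounds: int = 24) -> bool:
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):                       # Miller-Rabin witnesses
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def rsa_keygen(bits: int = 512):
    """Return (public, private) as ((n, e), (n, d)) with e = 65537."""
    def prime():
        while True:
            c = random.getrandbits(bits // 2) | (1 << (bits // 2 - 1)) | 1
            if _probable_prime(c):
                return c
    e = 65537
    while True:
        p, q = prime(), prime()
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return (p * q, e), (p * q, pow(e, -1, phi))

def rsa_sign(priv, digest: bytes) -> int:
    n, d = priv
    return pow(int.from_bytes(digest, "big"), d, n)

def rsa_verify(pub, digest: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == int.from_bytes(digest, "big")

def H(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()            # SET used SHA-1 for the message digests

# Cardholder side: DS = E(KRc, H(H(PI) || H(OI)))
def cardholder_purchase(priv, OI: bytes, PI: bytes) -> dict:
    PIMD, OIMD = H(PI), H(OI)                     # payment / order message digests
    DS = rsa_sign(priv, H(PIMD + OIMD))
    # The merchant gets OI plus only the digest of PI; the gateway gets PI plus only the digest of OI.
    return {"to_merchant": (OI, PIMD, DS), "to_gateway": (PI, OIMD, DS)}

# Merchant side: recompute H(H(PI) || H(OI)) from the PIMD it was handed and the OI it can read.
def merchant_verify(pub, OI: bytes, PIMD: bytes, DS: int) -> bool:
    return rsa_verify(pub, H(PIMD + H(OI)), DS)

def _tx_id(PI: bytes) -> str:                     # example's own field format: k=v;k=v with a tx field
    return dict(f.split("=", 1) for f in PI.decode().split(";"))["tx"]

# Payment gateway side: verify the dual signature with PI and OIMD, and check that the
# transaction ID inside PI matches the one the merchant reported for the order.
def gateway_authorize(pub, PI: bytes, OIMD: bytes, DS: int, merchant_tx_id: str) -> bool:
    return _tx_id(PI) == merchant_tx_id and rsa_verify(pub, H(H(PI) + OIMD), DS)

if __name__ == "__main__":
    pub, priv = rsa_keygen()
    # Constructed sample order and payment instructions (values are this example's own).
    OI = b"tx=T1001;item=widget;qty=1;amount=19.99"
    PI = b"tx=T1001;card=tok_test_4242;amount=19.99"
    msgs = cardholder_purchase(priv, OI, PI)
    print("merchant accepts:", merchant_verify(pub, *msgs["to_merchant"]))
    print("gateway authorizes:", gateway_authorize(pub, *msgs["to_gateway"], "T1001"))
```

Because both parties verify the same signature over the same outer hash, the merchant cannot swap in a different payment (a changed PIMD no longer hashes to the signed value) and the bank cannot be shown an order the cardholder did not sign for, yet the merchant never learns the card data and the bank never learns what was bought.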

  • Payment Capture
    merchant sends the payment gateway a payment capture request
    gateway checks the request
    then causes funds to be transferred to the merchant's account
    notifies the merchant using a capture response

  • Privacy Enhanced Mail (PEM)

  • PEM message types
    MIC-CLEAR: a message integrity check (MIC) is computed and signed, but the body is sent in the clear, so non-PEM mailers can still read it
    MIC-ONLY: signed and base64-encoded (the printable encoding) so the body survives mail gateways unchanged, but not encrypted
    ENCRYPTED: signed, then encrypted under a per-message data encrypting key (DEK), then encoded; the DEK is delivered to each recipient under that recipient's key

  • PEM header fields
    Proc-Type: PEM version and message type (MIC-CLEAR, MIC-ONLY or ENCRYPTED); always the first header
    Content-Domain: type of the enclosed content, e.g. RFC822
    MIC-Info: MIC algorithm, signature algorithm and the signed MIC
    DEK-Info: algorithm and IV used to encrypt the message body (ENCRYPTED messages only)
    Key-Info: algorithm and the DEK encrypted for one party; it belongs to the Recipient-ID or Originator-Certificate header that precedes it
    Originator-Certificate: the sender's X.509 certificate (Issuer-Certificate carries the CA certificate that signed it)
    a header value may continue on following lines that begin with whitespace; a blank line separates the headers from the body

  • PEM example: MIC-ONLY message (certificate bodies omitted on the slide; the base64 text after the blank line is the encoded message body, which decodes to the RFC 1421 test text "- A message for use in testing." / "- Following is a blank line:" / (blank) / "This is the end.")
    Proc-Type: 4,MIC-ONLY
    Content-Domain: RFC822
    Originator-Certificate:
    Issuer-Certificate:
    MIC-Info: RSA-MD5,RSA,
     jV2OfH+nnXHU8bnL8kPAad/mSQlTDZlbVuxvZAOVRZ5q5+Ejl5bQvqNeqOUNQjr6
     EtE7K2QDeVMCyXsdJlA8fA==

    LSBBIG1lc3NhZ2UgZm9yIHVzZSBpbiB0ZXN0aW5nLg0KLSBGb2xsb3dpbmcgaXMgYSBibGFuayBsaW5lOg0KDQpUaGlzIGlzIHRoZSBlbmQuDQo=

  • PEM example: ENCRYPTED message (certificate bodies omitted on the slide; the first Key-Info is the originator's own copy of the DEK, the second belongs to the recipient named by Recipient-ID-Asymmetric, whose value is the issuer name followed by the certificate serial number 66; the body after the blank line is the encoded DES-CBC ciphertext)
    Proc-Type: 4,ENCRYPTED
    Content-Domain: RFC822
    DEK-Info: DES-CBC,BFF968AA74691AC1
    Originator-Certificate:
    Key-Info: RSA,
     I3rRIGXUGWAF8js5wCzRTkdhO34PTHdRZY9Tuvm03M+NM7fx6qc5udixps2Lng0+
     wGrtiUm/ovtKdinz6ZQ/aQ==
    Issuer-Certificate:
    MIC-Info: RSA-MD5,RSA,
     UdFJR8u/TIGhfH65ieewe2lOW4tooa3vZCvVNGBZirf/7nrgzWDABz8w9NsXSexv
     AjRFbHoNPzBuxwmOAFeA0HJszL4yBvhG
    Recipient-ID-Asymmetric:
     MFExCzAJBgNVBAYTAlVTMSAwHgYDVQQKExdSU0EgRGF0YSBTZWN1cml0eSwgSW5j
     LjEPMA0GA1UECxMGQmV0YSAxMQ8wDQYDVQQLEwZOT1RBUlk=,66
    Key-Info: RSA,
     O6BS1ww9CTyHPtS3bMLD+L0hejdvX6Qv1HK2ds2sQPEaXhX8EhvVphHYTjwekdWv
     7x0Z3Jx2vTAhOYHMcqqCjA==

    qeWlj/YJ2Uf5ng9yznPbtD0mYloSwIuV9FRYx+gzY+8iXd/NQrXHfi6/MhPfPF3d
    jIqCJAxvld2xgqQimUzoS1a4r7kQQ5c/Iua4LqKeq3ciFzEv/MbZhA==
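A parser for the header layout shown in the two examples above, as an added example (not from the slides and not an RFC 1421 reference implementation). It joins continuation lines, assigns each Key-Info to the originator or to the Recipient-ID that precedes it, enforces the consistency rules a reader should check before trusting a message (Proc-Type first, a MIC-Info on every message, DEK-Info and per-recipient Key-Info on ENCRYPTED messages only) and decodes the body. The two fixtures are the slide examples copied with the certificate fields left out, a constructed input that the parser never needs to decode; signature and decryption are deliberately out of scope, since the keys are not on the page.

```python
import base64

# Constructed fixtures: the two messages from the slides above with the certificate fields
# left out (assumption: the parser never needs to decode them).
MIC_ONLY_EXAMPLE = """\
Proc-Type: 4,MIC-ONLY
Content-Domain: RFC822
Originator-Certificate: (certificate omitted)
Issuer-Certificate: (certificate omitted)
MIC-Info: RSA-MD5,RSA,
 jV2OfH+nnXHU8bnL8kPAad/mSQlTDZlbVuxvZAOVRZ5q5+Ejl5bQvqNeqOUNQjr6
 EtE7K2QDeVMCyXsdJlA8fA==

LSBBIG1lc3NhZ2UgZm9yIHVzZSBpbiB0ZXN0aW5nLg0KLSBGb2xsb3dpbmcgaXMgYSBibGFuayBsaW5lOg0KDQpUaGlzIGlzIHRoZSBlbmQuDQo=
"""
ENCRYPTED_EXAMPLE = """\
Proc-Type: 4,ENCRYPTED
Content-Domain: RFC822
DEK-Info: DES-CBC,BFF968AA74691AC1
Originator-Certificate: (certificate omitted)
Key-Info: RSA,
 I3rRIGXUGWAF8js5wCzRTkdhO34PTHdRZY9Tuvm03M+NM7fx6qc5udixps2Lng0+
 wGrtiUm/ovtKdinz6ZQ/aQ==
Issuer-Certificate: (certificate omitted)
MIC-Info: RSA-MD5,RSA,
 UdFJR8u/TIGhfH65ieewe2lOW4tooa3vZCvVNGBZirf/7nrgzWDABz8w9NsXSexv
 AjRFbHoNPzBuxwmOAFeA0HJszL4yBvhG
Recipient-ID-Asymmetric:
 MFExCzAJBgNVBAYTAlVTMSAwHgYDVQQKExdSU0EgRGF0YSBTZWN1cml0eSwgSW5j
 LjEPMA0GA1UECxMGQmV0YSAxMQ8wDQYDVQQLEwZOT1RBUlk=,66
Key-Info: RSA,
 O6BS1ww9CTyHPtS3bMLD+L0hejdvX6Qv1HK2ds2sQPEaXhX8EhvVphHYTjwekdWv
 7x0Z3Jx2vTAhOYHMcqqCjA==

qeWlj/YJ2Uf5ng9yznPbtD0mYloSwIuV9FRYx+gzY+8iXd/NQrXHfi6/MhPfPF3d
jIqCJAxvld2xgqQimUzoS1a4r7kQQ5c/Iua4LqKeq3ciFzEv/MbZhA==
"""

class PEMMessage:
    def __init__(self, headers, body_lines):
        self.headers = headers                      # ordered (name, value), continuations joined
        self.type = headers[0][1].partition(",")[2].strip()
        self.dek_info, self.originator_key_info, self.recipients = None, None, []
        current = None
        for name, value in headers:
            if name == "DEK-Info":                  # cipher and IV protecting the body
                alg, _, iv = value.partition(",")
                self.dek_info = (alg.strip(), iv.strip())
            elif name.startswith("Recipient-ID-"):  # the Key-Info that follows belongs to this recipient
                current = {"id": value, "key_info": None}
                self.recipients.append(current)
            elif name == "Key-Info":                # before any Recipient-ID it is the originator's own copy
                if current is None:
                    self.originator_key_info = value
                else:
                    current["key_info"] = value
        # MIC-CLEAR bodies travel as-is; MIC-ONLY and ENCRYPTED bodies are base64 (printable encoding)
        self.body_raw = ("\n".join(body_lines) if self.type == "MIC-CLEAR"
                         else "".join(l.strip() for l in body_lines))
        self._validate()
    def _validate(self):
        if self.type not in ("MIC-CLEAR", "MIC-ONLY", "ENCRYPTED"):
            raise ValueError(f"unknown Proc-Type {self.type!r}")
        if all(n != "MIC-Info" for n, _ in self.headers):   # every PEM message carries a signed MIC
            raise ValueError("MIC-Info header missing")
        if self.type == "ENCRYPTED":
            if self.dek_info is None:
                raise ValueError("ENCRYPTED message without DEK-Info")
            if not self.recipients or any(r["key_info"] is None for r in self.recipients):
                raise ValueError("ENCRYPTED message with a recipient lacking Key-Info")
        elif self.dek_info is not None:
            raise ValueError(f"{self.type} message must not carry DEK-Info")
    def body(self) -> bytes:
        # MIC-CLEAR: text as sent; MIC-ONLY: decoded plaintext; ENCRYPTED: decoded DES-CBC ciphertext
        if self.type == "MIC-CLEAR":
            return self.body_raw.encode()
        return base64.b64decode(self.body_raw, validate=True)

def parse_pem(text: str) -> PEMMessage:
    lines = text.splitlines()
    headers, i = [], 0
    while i < len(lines) and lines[i].strip():      # the header block ends at the first blank line
        line = lines[i]
        if line[0] in " \t":                        # continuation of the previous header
            if not headers:
                raise ValueError("continuation line before any header")
            headers[-1] = (headers[-1][0], headers[-1][1] + line.strip())
        else:
            name, sep, value = line.partition(":")
            if not sep:
                raise ValueError(f"malformed header line {line!r}")
            headers.append((name.strip(), value.strip()))
        i += 1
    if not headers or headers[0][0] != "Proc-Type":
        raise ValueError("Proc-Type must be the first header")
    return PEMMessage(headers, lines[i + 1:])

def rejection(text: str):   # why parse_pem rejects text, or None if it parses cleanly
    try:
        parse_pem(text)
        return None
    except ValueError as e:
        return str(e)
```

Parsing the ENCRYPTED example yields a body of 88 bytes, a multiple of the DES block size, which is the cheap sanity check to run before attempting decryption; the MIC-ONLY example decodes to the four-line test text quoted above.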

    Notes: Kerberos is one of the best known and most widely implemented trusted third-party key distribution systems; it was developed as part of Project Athena at MIT. (Stallings Fig 17-10, Fig 17-11.)