Network Security Essentials — Notes 5. Authentication Applications

1. Kerberos

  a. Suitable for a distributed architecture consisting of several servers and some clients

  b. Based on a symmetric-key scheme

  c. A third party provides the authentication service

  d. Fundamentals:
It’s too complicated. Let’s forget it for now

2. X.509 Authentication Service

  a. Overview

    i. Related to the directory service

   ii. A framework for authentication services, including the format of certificates and the authentication protocols

  iii. Based on public-key cryptography and digital signatures

  b. Certificates

    i. Signed by the CA with its private key

   ii. The directory service provides an easily accessible location from which users obtain certificates

  iii. Distribution of certificates

   A. End users belong to the same CA: the certificate can simply be placed in a common directory or sent by email

   B. End users belong to different CAs: it works if the two CAs have certified each other

     User X << CAx << CAy << Y  — this is called a "chain of certificates"

     The chain can involve more than two CAs

  c. Expiration & Revocation

    I. Certificates can expire

   II. A certificate can be revoked before it expires. The CA should maintain a list of all revoked certificates, the certificate revocation list (CRL)
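The chain of certificates from b.iii.B and the expiry and CRL checks from c, as an added worked example that is not part of these notes or of the textbook: it builds a throwaway hierarchy in memory with Go's standard crypto/x509 package, named after the notes (CAx is the root that user X trusts, CAy is a second CA whose certificate was issued by CAx, Y is a user certified by CAy), then lets X verify Y's certificate through the chain, reject it once it has expired, and check it against a CRL signed by CAy. All names, serial numbers and lifetimes are constructed for illustration; the code assumes Go 1.19 or later (for x509.ParseRevocationList).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// entity is a certificate holder with its private key (constructed for this example).
type entity struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// must unwraps a (value, error) pair, aborting on errors in the constructed setup itself.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newCert issues a certificate for name signed by issuer (self-signed when issuer is nil).
// CAs get the certSign and cRLSign usages so they can later sign certificates and CRLs.
func newCert(name string, serial int64, isCA bool, notAfter time.Time, issuer *entity) *entity {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: notAfter, IsCA: isCA, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	parent, signer := tmpl, key // a root signs itself
	if issuer != nil {
		parent, signer = issuer.cert, issuer.key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer))
	return &entity{cert: must(x509.ParseCertificate(der)), key: key}
}

// buildPKI constructs the hierarchy from the notes: CAx is the root that user X trusts,
// CAy is a second CA certified by CAx, and Y is a user certified by CAy (valid for one day).
func buildPKI() (cax, cay, y *entity) {
	long := time.Now().Add(10 * 365 * 24 * time.Hour)
	cax = newCert("CAx", 1, true, long, nil)
	cay = newCert("CAy", 2, true, long, cax)
	return cax, cay, newCert("Y", 3, false, time.Now().Add(24*time.Hour), cay)
}

// verifyChain is what X does with Y's certificate: link Y << CAy << CAx through the supplied
// intermediates up to the trusted root, rejecting any certificate not valid at time at.
func verifyChain(leaf, root *x509.Certificate, at time.Time, inters ...*x509.Certificate) ([]*x509.Certificate, error) {
	roots, pool := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range inters {
		pool.AddCert(c)
	}
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: pool, CurrentTime: at})
	if err != nil {
		return nil, err
	}
	return chains[0], nil // leaf first, root last
}

// issueCRL has ca sign a CRL that names one revoked serial number.
func issueCRL(ca *entity, serial *big.Int) []byte {
	now := time.Now()
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: serial, RevocationTime: now}}}
	return must(x509.CreateRevocationList(rand.Reader, tmpl, ca.cert, ca.key))
}

// isRevoked first checks that the CRL really carries issuer's signature (otherwise anyone
// could forge one), then looks the certificate's serial number up in it.
func isRevoked(crlDER []byte, issuer, cert *x509.Certificate) (bool, error) {
	rl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return false, err
	}
	if err := rl.CheckSignatureFrom(issuer); err != nil {
		return false, err
	}
	for _, rc := range rl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	cax, cay, y := buildPKI()
	chain, err := verifyChain(y.cert, cax.cert, time.Now(), cay.cert)
	revoked, rerr := isRevoked(issueCRL(cay, y.cert.SerialNumber), cay.cert, y.cert)
	fmt.Println("chain length:", len(chain), err, "| Y revoked:", revoked, rerr)
}
```

Without CAy's certificate in the intermediates X has no way to link Y to CAx and verification fails; with it, the chain returned is Y, CAy, CAx. Verifying at a time after Y's NotAfter fails with an expiry error, and a CRL that was not signed by the named issuer is rejected before its contents are consulted. A real relying party would fetch the CRL from the distribution point named in the certificate rather than receive it in memory.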

3. PKI — Public Key Infrastructure

  a. PKI: the set of hardware, software, people, policies, and procedures needed to create, manage, store, distribute and revoke digital certificates based on asymmetric cryptography.

  b. PKIX: the IETF's standard model for an X.509-based PKI

     It has five ingredients:

         I. End Entity

        II. CA

       III. CRL Issuer

        IV. Repository — stores certificates and CRLs

         V. Registration Authority (RA) — administrative functions such as registration, key pair recovery, revocation and so on.

Appendix:

  Verisign: A leading commercial vendor of X.509-related products     
