第四章 Authentication Applications 电子商务信息安全与管理教学课件.pptVIP

* * * * * * * * * * * * * * * * * * * * * * * * * Kerberos Version 5 Specified in RFC 1510 – 1993 Does not depend on DES - can use any encryption technique Internet protocol dependence V4 requires IP address V5 allows any network address type Arbitrary ticket lifetime – start and end time Authentication forwarding Interrealm authentication X.509 Authentication Service X.509 is part of X.500 series which defines a directory service 1988, V2-1993, V3-1995 Based on public-key cryptography and digital signatures Defines a framework for the provision of authentication services Repository of public key certificates Used in S/MIME, IPSec, SSL and SET Certificates Each certificate contains the public key of a user and is signed with the private key of a trusted certification authority A certificate is associated with each user It’s the heart of the X.509 scheme X.509 Formats unique within CA CA who signed it name of user hash code of otherfields encrypted withCA’s private key Certificate Notation CAA = CA {V, SN, AI, CA, TA, A, AP} certificate of user A issued by certification authority CA Y{I} = the signing of I by Y encrypted hash code Certificate Characteristics If you have the public key of the CA, you can recover the user public key that was certified Only the certificate authority can modify the certificate Placed in a directory without special protection Certificate Characteristics If all users subscribe to the same CA, then there is common trust of that CA User can transmit his certificate directly to others Not all users can subscribe to the same CA Obtaining a user’s certificate How about more than one CA? How does A trusting CA X1 validate B’s certificate with X2? A obtains the certificate of X2 sign by X1 A goes back to the directory and obtains the certificate of B signed by X2A has used a chain of certificates to obtain B’s public key: X1X2 X2 B  B’s： X2X1 X1 A Chain of Certificates CA Hierarchy certificates for each CA aremaintained in the