Authentication Applications
We cannot enter into alliance with neighbouring princes until we are acquainted with their designs.
—The Art of War, Sun Tzu

Authentication Applications
- will consider authentication functions
- developed to support application-level authentication & digital signatures
- will consider Kerberos – a private-key authentication service
- then X.509 directory authentication service

Kerberos
- trusted key server system from MIT
- provides centralised private-key third-party authentication in a distributed network
  • allows users access to services distributed through network
  • without needing to trust all workstations
  • rather all trust a central authentication server
- two versions in use: 4 & 5

Kerberos Requirements
- first published report identified its requirements as:
  • security - an eavesdropper shouldn’t be able to get enough information to impersonate the user
  • reliability - services using Kerberos would be unusable if Kerberos isn’t available
  • transparency - users should be unaware of its presence
  • scalability - should support large number of users
- implemented using a 3rd party authentication scheme using a protocol proposed by Needham-Schroeder (NEED78)

Kerberos 4 Overview
- a basic third-party authentication scheme
  • uses DES buried in an elaborate protocol
- Authentication Server (AS)
  • user initially negotiates with AS to identify self
  • AS provides a non-corruptible authentication credential (ticket-granting ticket TGT)
- Ticket Granting server (TGS)
  • users subsequently request access to other services from TGS on basis of user's TGT

[Figure: Kerberos 4 Overview]

Kerberos Realms
- a Kerberos environment consists of:
  • a Kerberos server
  • a number of clients, all registered with server
  • application servers, sharing keys with server
- this is termed a realm
  • typically a single administrative domain
- if have multiple realms, their Kerberos servers must share keys and trust

Kerberos Version 5
- developed in mid 1990’s
- provides improvements over v4
  • addresses environmental shortcomings
      - encryption algorithm, network protocol, byte order, ticket lifetime, authentication forwarding, inter-realm authentication
  • and technical deficiencies
      - double encryption, non-standard mode of use, session keys, password attacks
- specified as Internet standard RFC 1510

X.509 Authentication Service
- part of CCITT X.500 directory service standards
  • distributed servers maintaining some info database
- defines framework for authentication services
  • directory may store public-key certificates
  • with public key of user
  • signed by certification authority
- also defines authentication protocols
- uses public-key crypto & digital signatures
  • algorithms not standardized, but RSA recommended

X.509 Certificates
- issued by a Certification Authority (CA), containing:
  • version (1, 2, or 3)
  • serial number (unique within CA) identifying certificate
  • signature algorithm identifier
  • issuer X.500 name (CA)
  • period of validity (from - to dates)
  • subject X.500 name (name of owner)
  • subject public-key info (algorithm, parameters, key)
  • issuer unique identifier (v2+)
  • subject unique identifier (v2+)
  • extension fields (v3)
  • signature (of hash of all fields in certificate)
- notation CA<<A>> denotes certificate for A signed by CA

[Figure: X.509 Certificates]

Obtaining a Certificate
- any user with access to the public key of the CA can verify the user public key that was certified
- only the CA can modify a certificate without being detected
- cannot be forged, certificates can be placed in a public directory

CA Hierarchy
- if both users share a common CA then they are assumed to know its public key
- otherwise CA's must form a hierarchy
- use certificates linking members of hierarchy to validate other CA's
  • each CA has certificates for clients (forward) and parent (backward)
- each client trusts parent's certificates
- enable verification of any certificate from one CA by users of all other CAs in hierarchy

[Figure: CA Hierarchy Use]

Certificate Revocation
- certificates have a period of validity
- may need to revoke before expiration, eg:
  1. user's private key is compromised
  2. user is no longer certified by this CA
  3. CA's certificate is compromised
- CAs maintain list of revoked certificates
  • the Certificate Revocation List (CRL)
- users should check certificates with CA’s CRL

Authentication Procedures
- X.509 includes three alternative authentication procedures:
  • One-Way Authentication
  • Two-Way Authentication
  • Three-Way Authentication
- all use public-key signatures

Nonce
- a nonce is a parameter that varies with time. A nonce can be a time stamp, a visit counter on a Web page, or a special marker intended to limit or prevent the unauthorized replay or reproduction of a file.

Nonce
- from RFC 2617:
  • For applications where no possibility of replay attack can be tolerated the server can use one-time nonce values which will not be honored for a second use. This requires the overhead of the server remembering which nonce values have been used until the nonce time-stamp (and hence the digest built with it) has expired, but it effectively protects against replay attacks.

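The one-time nonce scheme quoted above from RFC 2617, as an added Python example that is not part of the original slides. The class name `OneTimeNonces`, the nonce layout `timestamp:salt:mac`, the 30-second lifetime and the hand-advanced clock in `demo()` are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time


class OneTimeNonces:
    """Server-side one-time nonces (hypothetical helper, not from the slides).

    Each nonce carries its own time-stamp, protected by a MAC under a
    server-only key. Used nonces are remembered only until that
    time-stamp expires, which bounds the memory overhead the RFC mentions.
    """

    def __init__(self, lifetime=30, clock=time.time):
        self._key = secrets.token_bytes(32)   # server-only secret
        self.lifetime = lifetime              # seconds a nonce stays valid
        self.clock = clock
        self._used = {}                       # nonce -> time it may be forgotten

    def _mac(self, stamp, salt):
        msg = f"{stamp}:{salt}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def issue(self):
        stamp = str(int(self.clock()))
        salt = secrets.token_hex(8)           # distinct nonces within one second
        return f"{stamp}:{salt}:{self._mac(stamp, salt)}"

    def check(self, nonce):
        """Return 'ok', 'replayed', 'expired', 'forged' or 'malformed'."""
        now = self.clock()
        # Forget used nonces whose time-stamp has expired: they would be
        # rejected as 'expired' anyway, so remembering them is unnecessary.
        self._used = {n: t for n, t in self._used.items() if t > now}
        try:
            stamp, salt, mac = nonce.split(":")
            issued = int(stamp)
        except ValueError:
            return "malformed"
        if not hmac.compare_digest(mac.encode(), self._mac(stamp, salt).encode()):
            return "forged"
        if now - issued >= self.lifetime:
            return "expired"
        if nonce in self._used:
            return "replayed"
        self._used[nonce] = issued + self.lifetime
        return "ok"

    def remembered(self):
        return len(self._used)


def demo():
    now = [1_000_000.0]                       # constructed clock, advanced by hand
    server = OneTimeNonces(lifetime=30, clock=lambda: now[0])
    nonce = server.issue()
    results = [server.check(nonce)]           # first use is honoured
    results.append(server.check(nonce))       # second use inside the window
    flipped = "0" if nonce[-1] != "0" else "1"
    results.append(server.check(nonce[:-1] + flipped))  # altered MAC
    now[0] += 31                              # time-stamp has now expired
    results.append(server.check(nonce))       # late replay
    results.append(server.remembered())       # nothing left to remember
    return results


if __name__ == "__main__":
    print(demo())
```
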
One-Way Authentication
- One message (A->B) used to establish
  • the identity of A and that message is from A
  • message was intended for B
  • integrity & originality (message hasn’t been sent multiple times)
- message must include timestamp, nonce, B's identity and is signed by A

Two-Way Authentication
- Two messages (A->B, B->A) which also establishes in addition:
  • the identity of B and that reply is from B
  • that reply is intended for A
  • integrity & originality of reply
- reply includes original nonce from A, also timestamp and nonce from B

Three-Way Authentication
- 3 messages (A->B, B->A, A->B) which enables above authentication without synchronized clocks
- has reply from A back to B containing a signed copy of nonce from B
- means that timestamps need not be checked or relied upon

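The three-message exchange described above, with both sides' checks, as an added Python example that is not part of the original slides. The names `Party`, `hello`, `reply`, `confirm` and `finish` are hypothetical, the `directory` dict stands in for certificates fetched from the directory, and the signatures are textbook RSA over a SHA-256 hash built from fixed Mersenne primes: a stand-in so the block runs on the standard library, not a secure signature scheme.

```python
import hashlib
import json
import secrets

E = 65537  # public exponent used by both toy keys


def toy_keypair(p, q):
    """Textbook RSA from two known primes (demonstration only, not secure)."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))   # (public modulus, private exponent)


def _digest(body):
    data = json.dumps(body, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(body, n, d):
    return pow(_digest(body), d, n)


def verify(body, sig, n):
    return pow(sig, E, n) == _digest(body)


class Party:
    def __init__(self, name, p, q, directory):
        self.name = name
        self.n, self._d = toy_keypair(p, q)
        directory[name] = self.n      # assumption: certified public keys live here
        self.directory = directory
        self.pending = {}             # peer -> nonce we sent and expect echoed

    def _signed(self, body):
        return {"body": body, "sig": sign(body, self.n, self._d)}

    def _open(self, msg, expect_echo):
        body = msg["body"]
        if not verify(body, msg["sig"], self.directory[body["from"]]):
            raise ValueError("bad signature")
        if body["to"] != self.name:
            raise ValueError("not addressed to me")
        if expect_echo:
            expected = self.pending.pop(body["from"], None)
            if expected is None or body.get("echo") != expected:
                raise ValueError("nonce mismatch")
        return body

    def hello(self, peer):            # message 1, A -> B: A's nonce, B's identity
        nonce = self.pending[peer] = secrets.token_hex(16)
        return self._signed({"from": self.name, "to": peer, "nonce": nonce})

    def reply(self, msg1):            # message 2, B -> A: A's nonce echoed, B's nonce
        body = self._open(msg1, expect_echo=False)
        nonce = self.pending[body["from"]] = secrets.token_hex(16)
        return self._signed({"from": self.name, "to": body["from"],
                             "nonce": nonce, "echo": body["nonce"]})

    def confirm(self, msg2):          # message 3, A -> B: signed copy of B's nonce
        body = self._open(msg2, expect_echo=True)
        return self._signed({"from": self.name, "to": body["from"],
                             "echo": body["nonce"]})

    def finish(self, msg3):           # B accepts only if its own fresh nonce came back
        self._open(msg3, expect_echo=True)
        return True


def demo():
    directory = {}
    a = Party("A", 2**521 - 1, 2**607 - 1, directory)
    b = Party("B", 2**1279 - 1, 2**2203 - 1, directory)

    # Run 1: complete exchange. No timestamps are carried or checked.
    old_msg3 = a.confirm(b.reply(a.hello("B")))
    first = b.finish(old_msg3)

    # Run 2: B issues a fresh nonce, then receives the recorded message 3
    # from run 1. Its signature is valid, but it echoes the old nonce.
    b.reply(a.hello("B"))
    try:
        b.finish(old_msg3)
        replay = "accepted"
    except ValueError as exc:
        replay = str(exc)
    return first, replay


if __name__ == "__main__":
    print(demo())
```
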
X.509 Version 3
- has been recognized that additional information is needed in a certificate
  • email/URL, policy details, usage constraints
- rather than explicitly naming new fields a general extension method was defined
- extensions consist of:
  • extension identifier
  • criticality indicator
  • extension value

Certificate Extensions
- key and policy information
  • convey info about subject & issuer keys, plus indicators of certificate policy
- certificate subject and issuer attributes
  • support alternative names, in alternative formats for certificate subject and/or issuer
- certificate path constraints
  • allow constraints on use of certificates by other CA’s

Authentication services

  • 1. Authentication ApplicationsAuthentication Applications We cannot enter into alliance withWe cannot enter into alliance with neighbouring princes until we areneighbouring princes until we are acquainted with their designs.acquainted with their designs. ——The Art of WarThe Art of War, Sun Tzu, Sun Tzu
  • 2. Authentication ApplicationsAuthentication Applications  will consider authentication functionswill consider authentication functions  developed to support application-developed to support application- level authentication & digitallevel authentication & digital signaturessignatures  will consider Kerberos – a private-will consider Kerberos – a private- key authentication servicekey authentication service  then X.509 directory authenticationthen X.509 directory authentication serviceservice
  • 3. Kerberos
      • trusted key server system from MIT
      • provides centralised private-key third-party authentication in a distributed network
          • allows users access to services distributed through network
          • without needing to trust all workstations
          • rather all trust a central authentication server
      • two versions in use: 4 & 5
  • 4. Kerberos Requirements
      • first published report identified its requirements as:
          • security - an eavesdropper shouldn’t be able to get enough information to impersonate the user
          • reliability - services using Kerberos would be unusable if Kerberos isn’t available
          • transparency - users should be unaware of its presence
          • scalability - should support large number of users
      • implemented using a 3rd party authentication scheme using a protocol proposed by Needham-Schroeder (NEED78)
  • 5. Kerberos 4 Overview
      • a basic third-party authentication scheme
          • uses DES buried in an elaborate protocol
      • Authentication Server (AS)
          • user initially negotiates with AS to identify self
          • AS provides a non-corruptible authentication credential (ticket-granting ticket TGT)
      • Ticket Granting server (TGS)
          • users subsequently request access to other services from TGS on basis of user's TGT
  • 7. Kerberos Realms
      • a Kerberos environment consists of:
          • a Kerberos server
          • a number of clients, all registered with server
          • application servers, sharing keys with server
      • this is termed a realm
          • typically a single administrative domain
      • if have multiple realms, their Kerberos servers must share keys and trust
  • 8. Kerberos Version 5
      • developed in mid 1990’s
      • provides improvements over v4
          • addresses environmental shortcomings
              • encryption algorithm, network protocol, byte order, ticket lifetime, authentication forwarding, inter-realm authentication
          • and technical deficiencies
              • double encryption, non-standard mode of use, session keys, password attacks
      • specified as Internet standard RFC 1510
  • 9. X.509 Authentication Service
      • part of CCITT X.500 directory service standards
          • distributed servers maintaining some info database
      • defines framework for authentication services
          • directory may store public-key certificates
          • with public key of user
          • signed by certification authority
      • also defines authentication protocols
      • uses public-key crypto & digital signatures
          • algorithms not standardized, but RSA recommended
  • 10. X.509 Certificates
      • issued by a Certification Authority (CA), containing:
          • version (1, 2, or 3)
          • serial number (unique within CA) identifying certificate
          • signature algorithm identifier
          • issuer X.500 name (CA)
          • period of validity (from - to dates)
          • subject X.500 name (name of owner)
          • subject public-key info (algorithm, parameters, key)
          • issuer unique identifier (v2+)
          • subject unique identifier (v2+)
          • extension fields (v3)
          • signature (of hash of all fields in certificate)
      • notation CA<<A>> denotes certificate for A signed by CA
  • 12. Obtaining a Certificate
      • any user with access to the public key of the CA can verify the user public key that was certified
      • only the CA can modify a certificate without being detected
      • cannot be forged, certificates can be placed in a public directory
  • 13. CA Hierarchy
      • if both users share a common CA then they are assumed to know its public key
      • otherwise CAs must form a hierarchy
      • use certificates linking members of hierarchy to validate other CAs
          • each CA has certificates for clients (forward) and parent (backward)
      • each client trusts parent's certificates
      • enable verification of any certificate from one CA by users of all other CAs in hierarchy
  • 14. CA Hierarchy Use
  • 15. Certificate Revocation
      • certificates have a period of validity
      • may need to revoke before expiration, eg:
          1. user's private key is compromised
          2. user is no longer certified by this CA
          3. CA's certificate is compromised
      • CAs maintain list of revoked certificates
          • the Certificate Revocation List (CRL)
      • users should check certificates with CA’s CRL
  • 16. Authentication Procedures
      • X.509 includes three alternative authentication procedures:
          • One-Way Authentication
          • Two-Way Authentication
          • Three-Way Authentication
      • all use public-key signatures
  • 17. Nonce
      • a nonce is a parameter that varies with time. A nonce can be a time stamp, a visit counter on a Web page, or a special marker intended to limit or prevent the unauthorized replay or reproduction of a file.
  • 18. Nonce
      • from RFC 2617:
          • For applications where no possibility of replay attack can be tolerated the server can use one-time nonce values which will not be honored for a second use. This requires the overhead of the server remembering which nonce values have been used until the nonce time-stamp (and hence the digest built with it) has expired, but it effectively protects against replay attacks.
  • 19. One-Way Authentication
      • One message (A->B) used to establish
          • the identity of A and that message is from A
          • message was intended for B
          • integrity & originality (message hasn’t been sent multiple times)
      • message must include timestamp, nonce, B's identity and is signed by A
  • 20. Two-Way Authentication
      • Two messages (A->B, B->A) which also establishes in addition:
          • the identity of B and that reply is from B
          • that reply is intended for A
          • integrity & originality of reply
      • reply includes original nonce from A, also timestamp and nonce from B
  • 21. Three-Way Authentication
      • 3 messages (A->B, B->A, A->B) which enables above authentication without synchronized clocks
      • has reply from A back to B containing a signed copy of nonce from B
      • means that timestamps need not be checked or relied upon
  • 22. X.509 Version 3
      • has been recognized that additional information is needed in a certificate
          • email/URL, policy details, usage constraints
      • rather than explicitly naming new fields a general extension method was defined
      • extensions consist of:
          • extension identifier
          • criticality indicator
          • extension value
  • 23. Certificate Extensions
      • key and policy information
          • convey info about subject & issuer keys, plus indicators of certificate policy
      • certificate subject and issuer attributes
          • support alternative names, in alternative formats for certificate subject and/or issuer
      • certificate path constraints
          • allow constraints on use of certificates by other CAs
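
The checks B has to make on the single one-way message (slide 19), including the "remember nonces until the timestamp expires" rule quoted from RFC 2617 (slide 18), as an added example that is not part of the original slides. Toy textbook RSA over two small Mersenne primes stands in for a real public-key signature so the code runs on the standard library alone; the field names `tA`, `rA`, `IDB`, the 60-second window and the class and function names are assumptions.

```python
import hashlib
import json

# Toy textbook-RSA key pair for A (constructed for this demo; NOT secure).
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))      # A's private exponent

MAX_SKEW = 60   # seconds B tolerates between tA and its own clock (assumed policy)

def _digest(body: bytes) -> int:
    return int.from_bytes(hashlib.sha256(body).digest(), "big") % N

def a_make_message(t_a: int, r_a: str, id_b: str, data: str) -> dict:
    """A -> B: timestamp, nonce, B's identity and data, signed by A."""
    fields = {"tA": t_a, "rA": r_a, "IDB": id_b, "data": data}
    body = json.dumps(fields, sort_keys=True).encode()
    return {**fields, "sig": pow(_digest(body), D, N)}

class VerifierB:
    def __init__(self, my_id: str, a_public: tuple):
        self.my_id, self.a_public = my_id, a_public
        self.seen = {}                  # nonce -> time after which it may be forgotten

    def accept(self, msg: dict, now: int) -> str:
        # Drop only nonces whose timestamp can no longer pass the freshness check.
        self.seen = {r: exp for r, exp in self.seen.items() if exp >= now}
        fields = {k: msg[k] for k in ("tA", "rA", "IDB", "data")}
        body = json.dumps(fields, sort_keys=True).encode()
        n, e = self.a_public
        if pow(msg["sig"], e, n) != _digest(body):
            return "reject: bad signature"        # not from A, or altered in transit
        if msg["IDB"] != self.my_id:
            return "reject: not addressed to me"  # signed for a different recipient
        if abs(now - msg["tA"]) > MAX_SKEW:
            return "reject: stale timestamp"
        if msg["rA"] in self.seen:
            return "reject: replayed nonce"       # same message sent a second time
        self.seen[msg["rA"]] = msg["tA"] + MAX_SKEW
        return "accept"
```

The nonce cache is what makes the timestamp window safe: without it a captured message could be replayed any number of times within `MAX_SKEW` seconds, and with it B only has to keep state for that window.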

Editor's notes

  1. One of the best known and most widely implemented trusted third party key distribution systems. It was developed as part of Project Athena at MIT.
  2. The core of Kerberos is the Authentication and Ticket Granting Servers – these are trusted by all users and servers and must be securely administered.
  3. Stallings Fig 14-1. Discuss in relation to Table 14-1 which details message exchanges.
  4. X.509 is the internationally accepted standard for how to construct a public key certificate, and is becoming widely used. It has gone through several versions. It is used by S/MIME secure email and SSL/TLS secure Internet links (e.g. for secure web).
  5. The X.509 certificate is the heart of the standard. There are 3 versions, with successively more info in the certificate - must be v2 if either unique identifier field exists, must be v3 if any extensions are used.
  6. Stallings Fig 14-3.
  7. All very easy if both parties use the same CA. If not, then there has to be some means to form a chain of certifications between the CAs used by the two parties. And that raises issues about whether the CAs are equivalent, whether they used the same policies to generate their certificates, and how much you're going to trust a CA at some remove from your own. These are all open issues.
  8. Stallings Fig 14-4. Track chains of certificates: A acquires B certificate using chain: X<<W>> W<<V>> V<<Y>> Y<<Z>> Z<<B>>. B acquires A certificate using chain: Z<<Y>> Y<<V>> V<<W>> W<<X>> X<<A>>.
  9. The X.509 standard specifies the authentication protocols that can be used when obtaining and using certificates. 1-way for unidirectional messages (like email), 2-way for interactive sessions when timestamps are used, 3-way for interactive sessions with no need for timestamps (and hence synchronised clocks).