Research on Password Authentication Protocol Based on TCP/IP application layer

Source: Internet
Author: User

The Internet is prevalent all over the world. Its basic protocol suite is the Transmission Control Protocol/Internet Protocol (TCP/IP). TCP/IP is the set of network communication protocols that governs every communicating device on the network, in particular the exchange and transmission of data between one host and another. However, security was not taken into account when TCP/IP was designed. Security has therefore been added afterwards, following the layered model of the TCP/IP architecture, as supplementary protocols at each layer. At the application layer, for example, these include S-HTTP, PGP, S/MIME and SET.

Among these, the authentication protocol is the first gate a user must pass to obtain a system's services, so studying and analysing authentication protocols is essential for secure network communication. Authentication is the process by which a claimant presents evidence of its identity to a verifier; its purpose is to let the other parties trust the identity the claimant asserts. Common authentication protocols include the Password Authentication Protocol (PAP), the Challenge-Handshake Authentication Protocol (CHAP), the Kerberos authentication protocol and X.509 certificate-based authentication. This article briefly describes the basic ideas of these protocols and compares them in terms of practicality, scalability and manageability, indicating the environment each is suited to. Kerberos is discussed in detail and an improvement to its design is proposed.

Research on Kerberos Authentication Protocol

Kerberos is a typical network security authentication protocol. It uses symmetric-key cryptography to authenticate client/server applications.
It mainly solves the following problem: in an open distributed environment, users at workstations want to access servers distributed across the network, while the servers want to restrict access to authorized users and to authenticate each service request [6]. The overall framework of the Kerberos authentication protocol is as follows:

As the figure shows, there are four roles in the Kerberos authentication protocol: the client or user (C), the server (S) that provides a service, the authentication server (AS) and the ticket-granting server (TGS). Each user (C) has a long-term authentication key Kc that is shared with the AS and derived from the user's password; the AS and the TGS share a symmetric key Ktgs; and the TGS and each server (S) share a symmetric key Ks.

In general, the Kerberos authentication protocol can be divided into the following three steps:

Step 1: authentication service exchange, consisting of messages (1) and (2). The user (C) proves its identity to the authentication server (AS) and obtains a ticket-granting ticket (TGT). The message flow is as follows:

(1) C → AS
(2) AS → C

Step 2: ticket-granting service exchange, consisting of messages (3) and (4). The user presents the TGT to the ticket-granting server (TGS) and requests a service-granting ticket (SGT) for access to the server (S). The message flow is as follows:

(3) C → TGS
(4) TGS → C

Step 3: client/server authentication exchange, consisting of messages (5) and (6). The user presents the SGT to the server (S), which verifies it, and then uses the requested service.

(5) C → S
(6) S → C

From the above process we can identify the following problems with the Kerberos authentication protocol:

1) All user (C) account information, including every user's long-term key Kc, is stored on the authentication server (AS). If that server is compromised, the security of the entire network is compromised.

2) Authentication messages can be recorded and replayed. Timestamps are used to limit replay, but a replayed message still works within the clock-skew window and the validity period of the ticket. In practice an attacker can prepare forged messages in advance and, as soon as a ticket and its authenticator are captured, reuse them immediately; such a replay is hard to detect within that short period.

3) Tickets depend on all clocks in the network being synchronized. If a host's clock is wrong, stale authenticators may be accepted as fresh and replayed. Because most network time protocols are themselves unauthenticated, this can cause serious problems in distributed computer systems.

4) Kerberos is weak against password-guessing attacks. An attacker can passively monitor the network over a long period, collect a large number of tickets and AS replies, and guess passwords offline by trial decryption. When the user-chosen password is not strong enough, this cannot be effectively prevented.

5) The secret shared between the Kerberos server and the user is (a key derived from) the user's password. When the AS responds, it does not verify that the requester really is the user; it assumes that only the legitimate user can decrypt the reply. An attacker who records the request and response packets therefore obtains material for an offline password attack.

6) In practice the most serious attack is a malicious-software attack. The Kerberos protocol depends on absolute trust in the Kerberos software running on the user's machine. An attacker can replace a user's Kerberos client with one that executes the protocol normally but also records the user's password. Any password-based software installed on an insecure computer faces this problem.

7) Although Kerberos can be used in a large-scale network environment, in a distributed system it is very difficult for the authentication centre to manage, distribute, store and update the shared keys, and configuration is not a simple task.
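The three exchanges described in Steps 1 to 3, together with the password-guessing weakness of items 4 and 5, as an added Python simulation. This is illustrative code written for this page, not code from the original article or from any Kerberos implementation. The KDC, client and service run in one process; the cipher is a toy encrypt-then-MAC construction standing in for the RFC 3961 encryption types, messages are JSON rather than ASN.1, and the realm, principal names, passwords and wordlist are constructed sample data. It shows the ticket/authenticator structure of each exchange, the clock-skew and expiry checks (item 3), the nonce check against a replayed KDC reply (item 2), and how an AS reply issued without pre-authentication becomes an offline oracle for guessing a weak password (items 4 and 5).

```python
import hashlib, hmac, json, os, time

MAX_SKEW = 300        # seconds of clock skew tolerated; Kerberos' conventional 5-minute window
LIFETIME = 8 * 3600   # ticket lifetime in seconds

def _keystream(key, nonce, n):
    """Counter-mode keystream from HMAC-SHA256: a toy stand-in for a real RFC 3961 cipher."""
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def encrypt(key, obj):
    """Encrypt-then-MAC of a JSON-serialisable message: nonce || ciphertext || tag."""
    pt = json.dumps(obj).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def decrypt(key, blob):
    """Inverse of encrypt; raises ValueError if the key is wrong or the message was altered."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def string2key(password, salt):
    """Kc is derived from the user's password with a per-principal salt (RFC 3962 also uses PBKDF2)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 4096, 32)

def check_authenticator(session_key, authenticator, ticket):
    """TGS/S check: authenticator decrypts under the ticket's session key, names the same principal, is fresh; ticket unexpired."""
    a = decrypt(session_key, authenticator)
    now = time.time()
    if a["cname"] != ticket["cname"] or abs(now - a["ts"]) > MAX_SKEW or now > ticket["exp"]:
        raise ValueError("authenticator rejected")
    return a

class KDC:
    """AS and TGS roles. Long-term keys: Kc per user, Ktgs shared by AS and TGS, Ks per service."""
    def __init__(self, realm, users, services):
        self.realm = realm
        self.user_keys = {u: string2key(p, realm + u) for u, p in users.items()}
        self.k_tgs = os.urandom(32)
        self.service_keys = {s: os.urandom(32) for s in services}

    def as_exchange(self, cname, nonce):
        """(1)/(2): without pre-authentication the AS answers anyone who names a valid principal."""
        kc_tgs, exp = os.urandom(32).hex(), time.time() + LIFETIME
        tgt = encrypt(self.k_tgs, {"cname": cname, "key": kc_tgs, "exp": exp})
        return encrypt(self.user_keys[cname], {"key": kc_tgs, "nonce": nonce, "exp": exp}), tgt

    def tgs_exchange(self, tgt, authenticator, sname, nonce):
        """(3)/(4): validate TGT and authenticator, then issue a service ticket sealed under Ks."""
        t = decrypt(self.k_tgs, tgt)
        check_authenticator(bytes.fromhex(t["key"]), authenticator, t)
        kc_s = os.urandom(32).hex()
        sgt = encrypt(self.service_keys[sname], {"cname": t["cname"], "key": kc_s, "exp": time.time() + LIFETIME})
        return encrypt(bytes.fromhex(t["key"]), {"key": kc_s, "nonce": nonce}), sgt

def service_accept(ks, sgt, authenticator):
    """(5)/(6): S validates the ticket under Ks and returns an AP-REP proving it holds the session key."""
    t = decrypt(ks, sgt)
    a = check_authenticator(bytes.fromhex(t["key"]), authenticator, t)
    return encrypt(bytes.fromhex(t["key"]), {"ts": a["ts"]}), bytes.fromhex(t["key"])

def client_session(kdc, cname, password, sname):
    """Client side of all three exchanges; returns (client's view of Kc_s, S's view of Kc_s)."""
    kc = string2key(password, kdc.realm + cname)
    n1 = os.urandom(8).hex()
    as_rep, tgt = kdc.as_exchange(cname, n1)                                 # (1) C->AS, (2) AS->C
    r = decrypt(kc, as_rep)                                                  # fails if the password is wrong
    if r["nonce"] != n1: raise ValueError("AS-REP replayed")
    kc_tgs, n2 = bytes.fromhex(r["key"]), os.urandom(8).hex()
    auth = encrypt(kc_tgs, {"cname": cname, "ts": time.time()})
    tgs_rep, sgt = kdc.tgs_exchange(tgt, auth, sname, n2)                    # (3) C->TGS, (4) TGS->C
    r = decrypt(kc_tgs, tgs_rep)
    if r["nonce"] != n2: raise ValueError("TGS-REP replayed")
    kc_s = bytes.fromhex(r["key"])
    auth = encrypt(kc_s, {"cname": cname, "ts": time.time()})
    ap_rep, server_key = service_accept(kdc.service_keys[sname], sgt, auth)  # (5) C->S, (6) S->C
    decrypt(kc_s, ap_rep)                                                    # mutual authentication: S knows Kc_s
    return kc_s, server_key

def offline_guess(as_rep, salt, wordlist):
    """Items 4/5: a recorded AS-REP decrypts only under the right Kc, so each candidate is testable offline."""
    for w in wordlist:
        try:
            decrypt(string2key(w, salt), as_rep)
            return w
        except ValueError:
            continue
    return None

if __name__ == "__main__":  # constructed sample data: realm, principals, passwords and wordlist are made up
    kdc = KDC("EXAMPLE.ORG", {"alice": "Tr0ub4dor&3", "bob": "summer2019"}, ["host/fileserver"])
    mine, theirs = client_session(kdc, "alice", "Tr0ub4dor&3", "host/fileserver")
    print("alice and fileserver agree on Kc_s:", mine == theirs)
    captured, _ = kdc.as_exchange("bob", "x")   # an eavesdropper, or anyone who names bob, obtains this
    print("bob's password from recorded AS-REP:", offline_guess(captured, "EXAMPLE.ORGbob", ["letmein", "summer2019"]))
```

Note that offline_guess needs nothing but a recorded AS-REP and the victim's principal name, which is exactly the point of item 5: the AS reveals no information to an active attacker, but it also never checked that the requester knew Kc. Kerberos V5 pre-authentication (PA-ENC-TIMESTAMP, RFC 4120 section 7.5.2) requires such proof before the AS replies, although the encrypted timestamp it carries is itself guessable offline by an eavesdropper; the public-key approach recommended in the next paragraph, standardized as PKINIT (RFC 4556), removes the password-derived key from the AS exchange altogether.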

From these limitations we can see that many of Kerberos' defects stem from its exclusive reliance on symmetric-key technology. It is therefore recommended that a public-key encryption mechanism be integrated into the Kerberos authentication protocol to overcome its weaknesses in confidentiality of the password-derived key and in scalability of key management.

Research on other security authentication protocols at the application layer

In addition to Kerberos, the TCP/IP application-layer authentication protocols include the Password Authentication Protocol (PAP), the Challenge-Handshake Authentication Protocol (CHAP) and X.509 certificate-based authentication. The following table compares them in terms of practicality, scalability and manageability, and gives the advantages, disadvantages and suitable environment of each for reference; see Table 3.1 below:

The comparison shows that X.509 is the most widely used authentication standard based on public-key cryptography, followed by Kerberos. In practice, the choice of authentication protocol should be based on the practicality, scalability, manageability and cost of the system in question [8].

Conclusion

Authentication is the core and foundation of an information security system and a prerequisite for many other security processes. This article has briefly studied the security authentication protocols of the TCP/IP application layer, compared and evaluated them in terms of practicality, scalability and manageability, and indicated the environment each is suited to. Kerberos was discussed in detail and an improvement to its design was proposed. We hope this is of some technical value and theoretical significance for current network information security practice.

 
