Development of security strategies using Kerberos in wireless networks

Authentication is the primary function used to reduce the risk of illegitimate access to IT services of any organisation. Kerberos is a widely used authentication protocol for authentication and access control mechanisms. This thesis presents the development of security strategies using Kerberos authentication protocol in wireless networks, Kerberos-Key Exchange protocol, Kerberos with timed-delay, Kerberos with timed-delay and delayed decryption, Kerberos with timed-delay, delayed decryption and password encryption properties. This thesis also includes a number of other research works such as, frequently key renewal under pseudo-secure conditions and shut down of the authentication server to external access temporarily to allow for secure key exchange. A general approach for the analysis and verification of authentication properties as well as Kerberos authentication protocol are presented. Existing authentication mechanisms coupled with strong encryption techniques are considered, investigated and analysed in detail. IEEE 802.1x standard, IEEE 802.11 wireless communication networks are also considered. First, existing security and authentication approaches for Kerberos authentication protocol are critically analysed with the discussions on merits and weaknesses. Then relevant terminology is defined and explained. Since Kerberos exhibits some vulnerabilities, the existing solutions have not treated the possibilities of more than one authentication server in a strict sense. A three way authentication mechanism addresses possible solution to this problem. An authentication protocol has been developed to improve the three way authentication mechanism for Kerberos. Dynamically renewing keys under pseudo-secure situations involves a temporary interruption to link/server access. After describing and analysing a protocol to achieve improved security for authentication, an analytical method is used to evaluate the cost in terms of the degradation of system performability. Various results are presented. An approach that involves a new authentication protocol is proposed. This new approach combines delaying decryption with timed authentication by using passwords and session keys for authentication purposes, and frequent key renewal under secure conditions. The analysis and verification of authentication properties and results of the designed protocol are presented and discussed. Protocols often fail when they are analysed critically. Formal approaches have emerged to analyse protocol failures. Abstract languages are designed especially for the description of communication patterns. A notion of rank functions is introduced for analysing purposes as well. An application of this formal approach to a newly designed authentication protocol that combines delaying the decryption process with timed authentication is presented. Formal methods for verifying cryptographic protocols are created to assist in ensuring that authentication protocols meet their specifications. Model checking techniques such as Communicating Sequential Processes (CSP) and Failure Divergence Refinement (FDR) checker, are widely acknowledged for effectively and efficiently revealing flaws in protocols faster than most other contemporaries. Essentially, model checking involves a detailed search of all the states reachable by the components of a protocol model. In the models that describe authentication protocols, the components, regarded as processes, are the principals including intruder (attacker) and parameters for authentication such as keys, nonces, tickets, and certificates. In this research, an automated generation tool, CASPER is used to produce CSP descriptions. Proposed protocol models rely on trusted third parties in authentication transactions while intruder capabilities are based on possible inductions and deductions. This research attempts to combine the two methods in model checking in order to realise an abstract description of intruder with enhanced capabilities. A target protocol of interest is that of Kerberos authentication protocol. The process of increasing the strength of security mechanisms usually impacts on performance thresholds. In recognition of this fact, the research adopts an analytical method known as spectral expansion to ascertain the level of impact, and which resulting protocol amendments will have on performance. Spectral expansion is based on state exploration. This implies that it is subject, as model checking, to the state explosion problem. The performance characteristics of amended protocols are examined relative to the existing protocols. Numerical solutions are presented for all models developed

Analisa Proses Autentikasi RADIUS (Remote Access Dial-IN User Service) dan Kerberos Server

ABSTRAKSI: Protokol autentikasi digunakan untuk mengatur mekanisme bagaimana tata cara berkomunikasi, baik antara client ke domain-domain jaringan maupun antar client dengan domain yang berbeda dengan tetap menjaga keamanan pertukaran data. Autentikasi (Authentication) yaitu proses pengesahan identitas pengguna (end user) untuk mengakses jaringan. Proses ini diawali dengan pengiriman kode unik misalnya, username, password, pin, sidik jari oleh pengguna kepada server. Pada Tugas Akhir ini diimplementasikan Protokol Autentikasi RADIUS dan Kerberos, dengan skenario login client bersamaan. Dari hasil implementasi dan analisa data didapat perbedaan proses autentikasi RADIUS dan Kerberos dimana Protokol mekanisme Protokol RADIUS yang lebih sederhana daripada Protokol Kerberos membuat Protokol RADIUS lebih cepat dalam pemprosesan autentikasi, delay proses autentikasi Protokol RADIUS adalah 50.92 % dari delay proses autentikasi Protokol Kerberos. Bandwith yang digunakan pada Protokol Radius bernilai 3.81% dari yang digunakan di Protokol Kerberos. Jitter pada Proses Autentikasi RADIUS dan Kerberos berperformansi baik sampai dengan 6 user yaitu pada RADIUS bernilai 0,00005-0,00049 detik dan pada Kerberos bernilai 0.000127-0.000465 detik. Kata Kunci : Protokol Autentikasi, Kerberos, RADIUS, Client, ServerABSTRACT: Authentication Protocol is used to adjust the mechanism of how the procedures for communication, both between the client to the network domains and between clients with different domains while maintaining the security of data exchange Authentication is the user identity validation process (end users) to access the network. This process begins with sending a unique code such as usernames, passwords, pins, user fingerprints to the server. In this Final Project is implemented RADIUS authentication protocol and Kerberos, the client login same scenario. From implementation result and data analysis the difference of process authentication RADIUS and of Kerberos where Protocol Protocol mechanism of RADIUS more simple than Protocol of Kerberos make Protocol of RADIUS quicker in process of authentication, delay process Protocol authentication of RADIUS is 50.92 % from delay process Protocol authentication of Kerberos. Bandwith that used at Protocol of Radius valuable 3.81% from which used at Protocol of Kerberos. Jitter of Process Authentication RADIUS and of Kerberos have good performance up to 6 user that is the value RADIUS 0,00005-0,00049 second and the value Kerberos 0.000127-0.000465 second. Keyword: Authentication Protocol, Kerberos, RADIUS, Client, Serve

A Review of Authentication Protocols

Authentication is a process that ensures and confirms a users identity. Authorization is the process of giving someone permissions to do or have something. There are different types of authentication methods such as local password authentication, server-based-password authentication, certificate-based authentication, two-factor authentication etc. Authentication protocol developed for Password Authentication Protocol (PAP), Challenge-Handshake Authentication Protocol (CHAP), and Extensible Authentication Protocol (EAP). There are different types of application for authentications are as follows: 1.protocols developed for PPP Point-to-Point Protocol 2. Authentication, Authorization and Accounting 3.Kerberos

Cloud Storage Performance and Security Analysis with Hadoop and GridFTP

Even though cloud server has been around for a few years, most of the web hosts today have not converted to cloud yet. If the purpose of the cloud server is distributing and storing files on the internet, FTP servers were much earlier than the cloud. FTP server is sufficient to distribute content on the internet. Therefore, is it worth to shift from FTP server to cloud server? The cloud storage provider declares high durability and availability for their users, and the ability to scale up for more storage space easily could save users tons of money. However, does it provide higher performance and better security features? Hadoop is a very popular platform for cloud computing. It is free software under Apache License. It is written in Java and supports large data processing in a distributed environment. Characteristics of Hadoop include partitioning of data, computing across thousands of hosts, and executing application computations in parallel. Hadoop Distributed File System allows rapid data transfer up to thousands of terabytes, and is capable of operating even in the case of node failure. GridFTP supports high-speed data transfer for wide-area networks. It is based on the FTP and features multiple data channels for parallel transfers. This report describes the technology behind HDFS and enhancement to the Hadoop security features with Kerberos. Based on data transfer performance and security features of HDFS and GridFTP server, we can decide if we should replace GridFTP server with HDFS. According to our experiment result, we conclude that GridFTP server provides better throughput than HDFS, and Kerberos has minimal impact to HDFS performance. We proposed a solution which users authenticate with HDFS first, and get the file from HDFS server to the client using GridFTP

Soft Constraint Programming to Analysing Security Protocols

Security protocols stipulate how the remote principals of a computer network should interact in order to obtain specific security goals. The crucial goals of confidentiality and authentication may be achieved in various forms, each of different strength. Using soft (rather than crisp) constraints, we develop a uniform formal notion for the two goals. They are no longer formalised as mere yes/no properties as in the existing literature, but gain an extra parameter, the security level. For example, different messages can enjoy different levels of confidentiality, or a principal can achieve different levels of authentication with different principals. The goals are formalised within a general framework for protocol analysis that is amenable to mechanisation by model checking. Following the application of the framework to analysing the asymmetric Needham-Schroeder protocol, we have recently discovered a new attack on that protocol as a form of retaliation by principals who have been attacked previously. Having commented on that attack, we then demonstrate the framework on a bigger, largely deployed protocol consisting of three phases, Kerberos.Comment: 29 pages, To appear in Theory and Practice of Logic Programming (TPLP) Paper for Special Issue (Verification and Computational Logic