1. Kerberos
a. Suitable for an distributed architecture consisting several servers and some clients
b. Based on symmertric key scheme
c. A 3rd-party provides authentication service
d. Fundamentals:
It’s too complicated. Let’s forget it for now
2.X.509 Authentication Service
a. Overview
i.Related to directory service
ii.A framework of authentication service, including the format of certificate and authentication protocols.
iii.Based on public-key cyrptography and digital signature
b.Certificates
i.Signed by CA by its private key
ii.Directory service provides an easily accessible location for users to obtain certificates
iii.Discribution of certificate
A.End users belong to the same CA: The certificate can be just put in a common directory or sent by EMAIL
B.End users belong to different CA: It will work if the two CAs have certificated each other
User X << CAx << CAy << Y — This is called "a chain of certificates"
The chain can involv more than 2 CAs
c.Expiration & Revocation
I.Certificate can expire
II.Certificate can be revoked before it’s expired. CA should maintain a list all revoked certificates (CRL)
3.PKI — Public Key Infrastructure
a. PKI: The set of hardware, software, people, poliies, and procedures needed to create, manage, store, distribute and revoke digital certificates based on asymmertric cryptography.
b.PKIX: A standard of PKI
It has five ingredients:
I.End Entity
II.CA
III.CRL Issuer
IV.Repository — Storing certificagtes and CRLs
V.Registration Authority(RA) — Administrative functions such as registration,key pair recovery,revocation and so on.
Appendix:
Verisign: A leading commercial vendor of X.509-related products