|
Generic Security Service Algorithm For Secret Key Transaction
GSS-TSIG (Generic Security Service Algorithm for Secret Key Transaction) is an extension to the TSIG DNS authentication protocol for secure key exchange. It is a GSS-API algorithm which uses Kerberos for passing security tokens to provide authentication, integrity and confidentiality. GSS-TSIG (RFC 3645) uses a mechanism like SPNEGO with Kerberos or NTLM. In Windows, this implementation is called ''Secure Dynamic Update''. GSS-TSIG uses TKEY records for key exchange between the DNS client and server in GSS-TSIG mode. For authentication between the DNS client and Active Directory Active Directory (AD) is a directory service developed by Microsoft for Windows domain networks. It is included in most Windows Server operating systems as a set of processes and services. Initially, Active Directory was used only for centralize ..., the AS-REQ, AS-REP, TGS-REQ, TGS-REP exchanges must take place for granting of ticket and establishing a security context. The security context has a ... [...More Info...] [...Related Items...] OR: [Wikipedia] [Google] [Baidu] |
TSIG
TSIG (transaction signature) is a computer-networking protocol defined in RFC 2845. Primarily it enables the Domain Name System (DNS) to authenticate updates to a DNS database. It is most commonly used to update Dynamic DNS or a secondary/slave DNS server. TSIG uses shared secret keys and one-way hashing to provide a cryptographically secure means of authenticating each endpoint of a connection as being allowed to make or respond to a DNS update. Although queries to DNS may usually be made without authentication, updates to DNS must be authenticated, since they make lasting changes to the structure of the Internet naming system. As the update request may arrive via an insecure channel (the Internet), one must take measures to ensure the authenticity and integrity of the request. The use of a key shared by the client making the update and the DNS server helps to ensure the authenticity and integrity of the update request. A one-way hashing function serves to prevent malicious obs ... [...More Info...] [...Related Items...] OR: [Wikipedia] [Google] [Baidu] |
Authentication Protocol
An authentication protocol is a type of computer communications protocol or cryptographic protocol specifically designed for transfer of authentication data between two entities. It allows the receiving entity to authenticate the connecting entity (e.g. Client connecting to a Server) as well as authenticate itself to the connecting entity (Server to a client) by declaring the type of information needed for authentication as well as syntax. It is the most important layer of protection needed for secure communication within computer networks. Purpose With the increasing amount of trustworthy information being accessible over the network, the need for keeping unauthorized persons from access to this data emerged. Stealing someone's identity is easy in the computing world - special verification methods had to be invented to find out whether the person/computer requesting data is really who he says he is. The task of the authentication protocol is to specify the exact series of steps n ... [...More Info...] [...Related Items...] OR: [Wikipedia] [Google] [Baidu] |
Kerberos (protocol)
Kerberos () is a computer-network authentication protocol that works on the basis of ''tickets'' to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner. Its designers aimed it primarily at a client–server model, and it provides mutual authentication—both the user and the server verify each other's identity. Kerberos protocol messages are protected against eavesdropping and replay attacks. Kerberos builds on symmetric-key cryptography and requires a trusted third party, and optionally may use public-key cryptography during certain phases of authentication.RFC 4556, abstract. Kerberos uses UDP port 88 by default. The protocol was named after the character '' Kerberos'' (or ''Cerberus'') from Greek mythology, the ferocious three-headed guard dog of Hades. History and development Massachusetts Institute of Technology (MIT) developed Kerberos in 1988 to protect network services provided by Project Athena. The protocol is ... [...More Info...] [...Related Items...] OR: [Wikipedia] [Google] [Baidu] |
SPNEGO
Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO), often pronounced "spenay-go", is a GSSAPI "pseudo mechanism" used by client-server software to negotiate the choice of security technology. SPNEGO is used when a client application wants to authenticate to a remote server, but neither end is sure what authentication protocols the other supports. The pseudo-mechanism uses a protocol to determine what common GSSAPI mechanisms are available, selects one and then dispatches all further security operations to it. This can help organizations deploy new security mechanisms in a phased manner. SPNEGO's most visible use is in Microsoft's "HTTP Negotiate" authentication extension. It was first implemented in Internet Explorer 5.01 and IIS 5.0 and provided single sign-on capability later marketed as ''Integrated Windows Authentication''. The negotiable sub-mechanisms included NTLM and Kerberos, both used in Active Directory. The HTTP Negotiate extension was later implemented with si ... [...More Info...] [...Related Items...] OR: [Wikipedia] [Google] [Baidu] |
NTLM
In a Windows network, NT (New Technology) LAN Manager (NTLM) is a suite of Microsoft security protocols intended to provide authentication, integrity, and confidentiality to users. NTLM is the successor to the authentication protocol in Microsoft LAN Manager (LANMAN), an older Microsoft product. The NTLM protocol suite is implemented in a Security Support Provider, which combines the LAN Manager authentication protocol, NTLMv1, NTLMv2 and NTLM2 Session protocols in a single package. Whether these protocols are used or can be used on a system which is governed by Group Policy settings, for which different versions of Windows have different default settings. NTLM passwords are considered weak because they can be brute-forced very easily with modern hardware. Protocol NTLM is a challenge–response authentication protocol which uses three messages to authenticate a client in a connection-oriented environment (connectionless is similar), and a fourth additional message if integrity i ... [...More Info...] [...Related Items...] OR: [Wikipedia] [Google] [Baidu] |
TKEY Record
TKEY (transaction key) is a record type of the Domain Name System. TKEY RRs can be used in a number of different modes to establish shared keys between a DNS resolver and server. TKEY record format Mode field values * 0 - Reserved * 1 - Server assignment * 2 - Diffie-Hellman exchange * 3 - Generic Security Service Algorithm for Secret Key Transaction * 4 - Resolver assignment * 5 - key deletion * 6–65534 - available * 65535 - reserved; See also * Domain Name System * List of DNS record types This list of DNS record types is an overview of resource records (RRs) permissible in zone files of the Domain Name System The Domain Name System (DNS) is a hierarchical and distributed naming system for computers, services, and other resour ... References * , "Secret Key Establishment for DNS (TKEY RR)", D. Eastlake, September 2000 DNS record types {{Compu-domain-stub ... [...More Info...] [...Related Items...] OR: [Wikipedia] [Google] [Baidu] |
Active Directory
Active Directory (AD) is a directory service developed by Microsoft for Windows domain networks. It is included in most Windows Server operating systems as a set of processes and services. Initially, Active Directory was used only for centralized domain management. However, Active Directory eventually became an umbrella title for a broad range of directory-based identity-related services. A server running the Active Directory Domain Service (AD DS) role is called a domain controller. It authenticates and authorizes all users and computers in a Windows domain type network, assigning and enforcing security policies for all computers, and installing or updating software. For example, when a user logs into a computer that is part of a Windows domain, Active Directory checks the submitted username and password and determines whether the user is a system administrator or normal user. Also, it allows management and storage of information, provides authentication and authorization mec ... [...More Info...] [...Related Items...] OR: [Wikipedia] [Google] [Baidu] |
