
Kerberos (Chapter 10: Real world security protocols)


Slide 3: Kerberos
- In Greek mythology, Kerberos is the 3-headed dog that guards the entrance to Hades
  - Wouldn't it make more sense to guard the exit?
- In security, Kerberos is an authentication system based on symmetric key crypto
  - Originated at MIT
  - Based on work by Needham and Schroeder
  - Relies on a Trusted Third Party (TTP)

Slide 4: Motivation for Kerberos
- Authentication using public keys: N users, N key pairs
- Authentication using symmetric keys: N users requires about N^2 keys
  - Symmetric key case does not scale!
- Kerberos is based on symmetric keys but only requires N keys for N users
  - But must rely on a TTP
  - Advantage is that no PKI is required

Slide 5: Kerberos KDC
- Kerberos Key Distribution Center, or KDC
  - Acts as a TTP
  - TTP must not be compromised!
- KDC shares symmetric key K_A with Alice, key K_B with Bob, key K_C with Carol, etc.
- Master key K_KDC known only to the KDC
- KDC enables authentication and session keys
  - Keys for confidentiality and integrity
- In practice, the crypto algorithm used is DES

Slide 6: Kerberos Tickets
- KDC issues a ticket containing the info needed to access a network resource
- KDC also issues ticket-granting tickets, or TGTs, that are used to obtain tickets
- Each TGT contains
  - Session key
  - User's ID
  - Expiration time
- Every TGT is encrypted with K_KDC
  - TGT can only be read by the KDC

Slide 7: Kerberized Login
- Alice enters her password
- Alice's workstation
  - Derives K_A from Alice's password
  - Uses K_A to get a TGT for Alice from the KDC
- Alice can then use her TGT (credentials) to securely access network resources
- Plus: security is transparent to Alice
- Minus: KDC must be secure, it's trusted!

Slide 8: Kerberized Login
  Alice -> Alice's Computer: password
  Alice's Computer -> KDC: "Alice wants a TGT"
  KDC -> Alice's Computer: E(S_A, TGT, K_A)
- Kerberos used for authentication
- Key K_A derived from Alice's password
- KDC creates session key S_A
- Workstation decrypts S_A and TGT, forgets K_A
  - TGT = E(Alice, S_A, K_KDC)

Slide 9: Alice Requests Ticket to Bob
- Once Alice's computer receives the TGT, it can use the TGT to request access to a network resource
- For example, suppose Alice wants to talk to Bob
- Alice's computer presents the TGT to the KDC, along with an authenticator that is designed to avoid a replay
- The KDC responds with a "ticket to Bob"
- Then Alice's computer can use the ticket to Bob to communicate with Bob via his computer

Slide 10: Alice Requests Ticket to Bob
  Alice -> Alice's Computer: "Talk to Bob"
  Alice's Computer -> KDC: REQUEST ("I want to talk to Bob")
  KDC -> Alice's Computer: REPLY
- REQUEST = (TGT, authenticator), where authenticator = E(timestamp, S_A)
- REPLY = E(Bob, K_AB, ticket to Bob, S_A)
- ticket to Bob = E(Alice, K_AB, K_B)
- KDC gets S_A from the TGT to verify the timestamp

Slide 11: Alice Uses Ticket to Bob
  Alice's Computer -> Bob: ticket to Bob, authenticator
  Bob -> Alice's Computer: E(timestamp + 1, K_AB)
- ticket to Bob = E(Alice, K_AB, K_B)
- authenticator = E(timestamp, K_AB)
- Bob decrypts the ticket to Bob to get K_AB, which he then uses to verify the timestamp
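The three exchanges of slides 8, 10 and 11 carried through end to end, as an added example that is not part of the slides: a toy authenticated encryption stands in for E(..., K), the KDC recovers S_A from the TGT instead of storing it, and both the KDC and Bob reject an authenticator whose timestamp falls outside an assumed 300-second skew window. The keys, the password and the skew are constructed values.

```python
import hashlib, hmac, json, os, time
# Toy authenticated encryption standing in for the slides' E(..., K): SHA-256 counter
# keystream plus an HMAC tag. Keys and messages are hex strings so fields JSON-encode.
def _stream(key, nonce, n):
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range((n + 31) // 32))[:n]

def E(key, *fields):
    key, pt, nonce = bytes.fromhex(key), json.dumps(fields).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return (nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()).hex()

def D(key, blob):
    key, blob = bytes.fromhex(key), bytes.fromhex(blob)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

def check_fresh(ts, skew=300):  # accepted clock skew (assumed); time is security-critical
    if abs(int(time.time()) - ts) > skew:
        raise ValueError("stale authenticator: possible replay")

K_KDC, K_B = os.urandom(32).hex(), os.urandom(32).hex()   # KDC master key; Bob's key
USERS = {"Alice": hashlib.sha256(b"correct horse").hexdigest(), "Bob": K_B}  # K_A = h(pw)

def kdc_login(user):                      # slide 8: KDC answers E(S_A, TGT, K_A)
    S_A = os.urandom(32).hex()
    return E(USERS[user], S_A, E(K_KDC, user, S_A))    # TGT = E(Alice, S_A, K_KDC)

def kdc_ticket(TGT, authenticator, target):   # slide 10: the KDC keeps no state
    user, S_A = D(K_KDC, TGT)                 # S_A is recovered from the TGT itself
    check_fresh(D(S_A, authenticator)[0])     # authenticator = E(timestamp, S_A)
    K_AB = os.urandom(32).hex()
    ticket = E(USERS[target], user, K_AB)     # ticket to Bob = E(Alice, K_AB, K_B)
    return E(S_A, target, K_AB, ticket)       # REPLY = E(Bob, K_AB, ticket to Bob, S_A)

def bob_accept(ticket, authenticator):        # slide 11: Bob verifies, answers ts + 1
    user, K_AB = D(K_B, ticket)
    ts = D(K_AB, authenticator)[0]
    check_fresh(ts)
    return user, E(K_AB, ts + 1)

def alice_session(password=b"correct horse"):  # Alice's workstation drives the flow
    K_A = hashlib.sha256(password).hexdigest()          # K_A derived from the password
    S_A, TGT = D(K_A, kdc_login("Alice")); del K_A      # keep S_A and TGT, forget K_A
    _, K_AB, ticket = D(S_A, kdc_ticket(TGT, E(S_A, int(time.time())), "Bob"))
    ts = int(time.time())
    user, reply = bob_accept(ticket, E(K_AB, ts))
    return user, D(K_AB, reply)[0] - ts                 # (name Bob saw, 1 if ts + 1 came back)
```

A wrong password yields a K_A that cannot open the KDC's reply, so the login fails before any TGT is usable.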

Slide 12: Kerberos
- Session key S_A used for authentication
  - Can also be used for confidentiality/integrity
- Timestamps used for mutual authentication
- Recall that timestamps reduce the number of messages
  - Acts like a nonce that is known to both sides
  - Note: time is a security-critical parameter!

Slide 13: Kerberos Security: Questions
1. When Alice logs in, the KDC sends E(S_A, TGT, K_A) where TGT = E(Alice, S_A, K_KDC)
   Q: Why is the TGT encrypted with K_A?
   A: Extra work and no added security!
2. Q: In Alice's Kerberized login to Bob, why can Alice remain anonymous?
   A: ticket to Bob = E(Alice, K_AB, K_B)

Slide 14: Kerberos Security: Questions
3. Q: Why is the ticket to Bob sent to Alice?
   A: If the ticket to Bob arrived at Bob before Alice initiated contact with Bob, then Bob would need to maintain state, that is, he would have to remember the key K_AB, that it is for Alice, and so on.
4. Q: Where is replay prevention in Kerberos?
   A: Timestamp

Slide 15: Kerberos Design Alternatives
1. Kerberos could have Alice's workstation remember her password and use that for authentication
   - Then no KDC required, but scaling would be a problem
   - Session key S_A is used for authentication instead
   - Hard to protect the password on the workstation
   - Every computer on the network would become a TTP

Slide 16: Kerberos Design Alternatives
2. Could have the KDC remember the session key instead of putting it in a TGT
   - Then no need for TGTs
   - But a stateless KDC is a big feature of Kerberos

Slide 17: Kerberos Keys
- In Kerberos, K_A = h(Alice's password)
- Could instead generate a random K_A and
  - Compute K_h = h(Alice's password)
  - Have the workstation store E(K_A, K_h)
- Then K_A need not change (on workstation or KDC) when Alice changes her password
- But E(K_A, K_h) is subject to password guessing
- This alternative approach is often used in applications (but not in Kerberos)

