Presentation on theme: "Kerberos and X.509 Fourth Edition by William Stallings"— Presentation transcript:
1Kerberos and X.509 Fourth Edition by William Stallings Lecture slides by Lawrie Brown(Changed by Somesh Jha)
2Authentication Applications will consider authentication functionsdeveloped to support application-level authentication & digital signatureswill consider Kerberos – a private-key authentication servicethen X.509 directory authentication service
3Kerberos trusted key server system from MIT provides centralised private-key third-party authentication in a distributed networkallows users access to services distributed through out the networkwithout needing to trust all workstationsrather all trust a central authentication servertwo versions in use: 4 & 5One of the best known and most widely implemented trusted third party key distribution systems. It was developed as part of Project Athena at MIT.
4Kerberos Requirements first published report identified its requirements as:securityreliabilitytransparencyscalabilityimplemented using an authentication protocol based on Needham-Schroeder
5Kerberos 4 Overview a basic third-party authentication scheme have an Authentication Server (AS)users initially negotiate with AS to identify themselvesAS provides a non-corruptible authentication credential (ticket granting ticket TGT)have a Ticket Granting server (TGS)users subsequently request access to other services from TGS on basis of users TGTThe core of Kerberos is the Authentication and Ticket Granting Servers – these are trusted by all users and servers and must be securely administered.
6A Simple Authentication Dialogue (1) C -> AS : IDC || PC || IDVC = clientAS = authentication serverIDC = identifier of user on CPC = password of user on CIDV = identifier of server VC asks user for the passwordAS checks that user supplied the right password
7Message 2 (2) AS -> C : Ticket Ticket = E K(V) [IDC || ADC || IDV] K(V) = secret encryption key shared by AS and VADC = network address of CTicket cannot be altered by C or an adversary
8Message 3 (3) C -> V: IDC || Ticket Server V decrypts the ticket and checks various fieldsADC in the ticket binds the ticket to the network address of CHowever this authentication scheme has problems
9ProblemsEach time a user needs to access a different service he/she needs to enter their passwordRead several timesPrint, mail, or file serverAssume that each ticket can be used only once (otherwise open to replay attacks)Password sent in the clear
10Authentication Dialogue II Once per user logon session(1) C -> AS: IDC || IDTGS(2) AS -> C: E K(C) [TicketTGS]TicketTGS is equal toE K(TGS) [IDC || ADC || IDTGS|| TS1 || Lifetime1 ]
11Explaining the fields TGS = Ticket-granting server IDTGS = Identifier of the TGSTicketTGS = Ticket-granting ticket or TGTTS1 = timestampLifetime1 = lifetime for the TGTK (C) = key derived from user’s password
12Messages (3) and (4) Once per type of service (3) C -> TGS: IDC || IDV || TicketTGS(4) TGS -> C : TicketVTicketV is equal toE K(V) [ IDC || ADC || IDV ||TS2 || Lifetime2 ]K(V): key shared between V and TGSIs called the service-granting ticket (SGT)
13Message 5 Once per service session (5) C -> V: IDC || TicketV C says to V “I am IDC and have a ticket from the TGS” . Let me in!Seems secure, but..There are problems
14Problems Lifetime of the TGT Same problem with SGT Short : user is repeatedly asked for their passwordLong : open to replay attackOscar captures TGT and waits for the user to logoffSends message (3) with network address IDC (network address is easy to forge)Same problem with SGT
15What should we do?A network service (TGS or server) should be able to verify thatperson using the ticket is the same as the person that the ticket was issued toRemedy : use an authenticatorServer should also authenticate to userOtherwise can setup a “fake” serverA “fake” tuition payment server and capture the student’s credit cardRemedy : use a challenge-response protocol
16Kerberos Realms a Kerberos environment consists of: a Kerberos servera number of clients, all registered with serverapplication servers, sharing keys with serverthis is termed a realmtypically a single administrative domainif have multiple realms, their Kerberos servers must share keys and trust
17Kerberos Version 5 developed in mid 1990’s provides improvements over v4addresses environmental shortcomingsencryption algorithm, network protocol, byte order, ticket lifetime, authentication forwarding, inter-realm authenticationand technical deficienciesdouble encryption, non-standard mode of use, session keys, password attacksspecified as Internet standard RFC 1510
18Reading assignment Inter-realm authentication in version 4 Version 5 PagesVersion 5Fixes some shortcomings of version 4Page
19X.509 Authentication Service part of CCITT X.500 directory service standardsdistributed servers maintaining some info databasedefines framework for authentication servicesdirectory may store public-key certificateswith public key of usersigned by certification authorityalso defines authentication protocolsuses public-key crypto & digital signaturesalgorithms not standardised, but RSA recommendedX.509 is the Internationally accepted standard for how to construct a public key certificate, and is becoming widely used. It has gone through several versions. It is used by S/MIME secure , SSL/TLS secure Internet links (eg for secure web).
20X.509 Certificatesissued by a Certification Authority (CA), containing:version (1, 2, or 3)serial number (unique within CA) identifying certificatesignature algorithm identifierissuer X.500 name (CA)period of validity (from - to dates)subject X.500 name (name of owner)subject public-key info (algorithm, parameters, key)issuer unique identifier (v2+)subject unique identifier (v2+)extension fields (v3)signature (of hash of all fields in certificate)notation CA<<A>> denotes certificate for A signed by CAThe X.509 certificate is the heart of the standard. There are 3 versions, with successively more info in the certificate - must be v2 if either unique identifier field exists, must be v3 if any extensions are used.
21Obtaining a Certificate any user with access to CA can get any certificate from itonly the CA can modify a certificatebecause cannot be forged, certificates can be placed in a public directory
22CA Hierarchyif both users share a common CA then they are assumed to know its public keyotherwise CA's must form a hierarchyuse certificates linking members of hierarchy to validate other CA'seach CA has certificates for clients (forward) and parent (backward)each client trusts parents certificatesenable verification of any certificate from one CA by users of all other CAs in hierarchyAll very easy is both parties use the same CA. If not, then there has to be some means to form a chain of certifications between the CA's used by the two parties. And that raises issues about whether the CA's are equivalent, whether they used the same policies to generate their certificates, and how much you're going to trust a CA at some remove from your own. These are all open issues.
23CA Hierarchy Use Stallings Fig 14-4. Track chains of certificates: A acquires B certificate using chain: X<<W>>W<<V>>V<<Y>>Y<<Z>>Z<<B>>B acquires A certificate using chain: Z<<Y>>Y<<V>>V<<W>>W<<X>>X<<A>>
24Certificate Revocation certificates have a period of validitymay need to revoke before expiryuser's private key is compromiseduser is no longer certified by this CACA's certificate is compromisedCA’s maintain list of revoked certificatesthe Certificate Revocation List (CRL)users should check certs with CA’s CRL
25Authentication Procedures X.509 includes three alternative authentication procedures:One-Way AuthenticationTwo-Way AuthenticationThree-Way Authenticationall use public-key signaturesThe X.509 standard specifies the authentication protocols that can be used when obtaining and using certificates. 1-way for unidirectional messages (like ), 2-way for interactive sessions when timestamps are used, 3-way for interactive sessions with no need for timestamps (and hence synchronised clocks).
26One-Way Authentication 1 message ( A->B) used to establishthe identity of A and that message is from Amessage was intended for Bintegrity & originality of messagemessage must include timestamp, nonce, B's identity and is signed by A
27Two-Way Authentication 2 messages (A->B, B->A) which also establishes in addition:the identity of B and that reply is from Bthat reply is intended for Aintegrity & originality of replyreply includes original nonce from A, also timestamp and nonce from B
28Three-Way Authentication 3 messages (A->B, B->A, A->B) which enables above authentication without synchronized clockshas reply from A back to B containing signed copy of nonce from Bmeans that timestamps need not be checked or relied uponReading assignment: pages
29X.509 Version 3has been recognised that additional information is needed in a certificate/URL, policy details, usage constraintsrather than explicitly naming new fields defined a general extension methodextensions consist of:extension identifiercriticality indicatorextension value
30Certificate Extensions key and policy informationconvey info about subject & issuer keys, plus indicators of certificate policycertificate subject and issuer attributessupport alternative names, in alternative formats for certificate subject and/or issuercertificate path constraintsallow constraints on use of certificates by other CA’s
31Summary have considered: Kerberos trusted key server system X.509 authentication and certificates