Presentation is loading. Please wait.

Presentation is loading. Please wait.

Specifying Kerberos 5 Cross-Realm Authentication Iliano Cervesato, Aaron D. Jaggard, Andre Scedrov, and Chris Walstad Supported by ONR, NSF, NRL.

Published byFelix Ross Modified over 9 years ago

Similar presentations

Presentation on theme: "Specifying Kerberos 5 Cross-Realm Authentication Iliano Cervesato, Aaron D. Jaggard, Andre Scedrov, and Chris Walstad Supported by ONR, NSF, NRL."— Presentation transcript:

1 Specifying Kerberos 5 Cross-Realm Authentication Iliano Cervesato, Aaron D. Jaggard, Andre Scedrov, and Chris Walstad Supported by ONR, NSF, NRL

2 Outline ● Introduction ● Kerberos 5 ● Formalization ● Properties ● Vulnerabilities

3 Overview of Results ● Formalize cross-realm authentication in Kerberos 5 Use MSR ● Adapt Dolev-Yao intruder to cross-realm setting ● Prove property of a critical field in cross-realm ticket ● Highlight vulnerabilities in the presence of compromised intermediate realms Kerberos specifications disclaim responsibility for these

4 Background and Related Work ● Kerberos – intra-realm has been extensively studied Kerberos 4 analyzed using inductive approach (Bella & Paulson) Kerberos 5 Simplified version analysed with Murφ (Mitchell, Mitchell, & Stern) Detailed formalization of intra-realm authentication analyzed using MSR (Butler, Cervesato, Jaggard, Scedrov) Current project is a continuation of this work ● Cross-realm authentication Hierarchical organization of authentication servers (Birrell et al.) Similar to natural organization for Kerberos Define local trust policies that mitigate global security exposure (Gligor et al.)

5 Kerberos 5 ● Authentication Single sign-on Repeatedly authenticate a client to multiple servers ● Authentication Server (KAS) Provides long term (e.g., 1 day) ticket called a Ticket Granting Ticket (TGT) Uses client's long term key (e.g., derived from password) ● Ticket Granting Server (TGS) Provides short term (e.g., 5 minutes) ticket called Service Ticket (ST) based on client's TGT Client uses ST to access the server 5

6 Intra-Realm Messages Client (C)KAS TGS (T) Server (S) Want to use T Credentials (TGT) Want to use S; here is TGT Credentials to use S (ST) Want to use S; here is ST OK Application Messages

7 Cross-Realm Kerberos 5 ● Authenticate clients across organizational boundaries Simpler administration Better user experience UPENN.EDU CIS.UPENN.EDU MATH.UPENN.EDU Realm KDCClients Servers

8 Cross-Realm Kerberos 5 ● Register KDC of foreign realm as a server in local realm Cross-realm key Service ticket for foreign KDC is interpreted as a TGT Client KDC 1 KDC 2 Server 2 Local Realm Foreign Realm Server 1 Cross-realm key Want S 2 ST for S 1 =TGT K 2 ST for S 2

9 Cross-Realm Messages C KDC 1 R1R1 R2R2 R n-1 RnRn KDC 2 KDC n-1 KDC n S... IR ST 1 =TGT 2 ST 2 =TGT 3 ST n-2 =TGT n-1... ST n-1 =TGT n ST n Application Messages

10 Cross-Realm Kerberos 5 ● Recommended organization of realms is hierarchical “Shortcuts” allowed ● Authentication path is path through traversed realms TGS adds previous realm name to TRANSITED field

11 Formalization ● Use MSR 2.0 (Cervesato) ● Models both intra- and cross-realm authentication Is a continuation of prior work done on intra-realm authentication ● Includes the minimum level of detail we believe necessary to prove properties on authentication, confidentiality, and the effect of compromised realms ● Validation using MSR implementation developed by Cervesato, Reich, and Stehr underway

12 Formalization ● Realm type Each principal is parameterized by realm it lives in ● Database keys modified to handle cross-realm keys ● rTGS allows us to view this principal as an application server in one realm and a TGS in another realm ● Support for TRANSITED field ● Rule for TGS returning a cross-realm ticket ● Existing rules and types updated

13 Intruder Model ● Intra-realm setting: unavoidable assumption is that the KAS and TGS behave honestly ● Cross-realm setting: must consider compromised remote KDC Local system administrator has no control over other realms How can a compromised remote KDC affect the rest of the Kerberized network? ● If a realm is compromised then the intruder possesses all of the database (long-term) keys ● Assume a worst-case scenario in which all principals communicate on the same network

14 Theorem ● If there are any compromised realms involved in authentication then at least one of them will appear in the TRANSITED field ● If invalid/improper authentication took place then the intruder possessed one of the following keys The client's long-term secret key A cross-realm key for some pair of TGSs on the authentication path The key shared by the end-server and the TGS of that realm C KDC 1 KDC n S... KDC i KDC i+1

15 Proof Methods ● Rank and corank functions Inspired by Schneider's rank functions in CSP k-Rank - work done using key k (data origin authentication) E-Corank - work needed using keys from E (secrecy) ● Valid credential presented to S has positive rank No MSR facts of positive rank at start of protocol run Examine principal and intruder rules Which keys must be lost to allow intruder to increase rank? Which honest principals can increase this rank?

16 Proof Outline ● S sees a valid request (a fact with positive rank) ● If honest principal created this fact, he did so after seeing a fact of (a different) positive rank Every honest TGS adds name of preceding realm ● If intruder created this fact, then the key used has been lost to the intruder ● Chain this argument backwards (reaching a fact created by the intruder or C's initial request---no facts of positive rank initially, so this process must stop) If intruder created some fact in the chain, then some key has been lost; the compromised realm is named in the request If the intruder did not, then exactly the transited realms appear in the transited field

17 Vulnerabilities ● Kerberos specifications make no guarantees if a trusted foreign realm becomes compromised Therefore these vulnerabilities are not attacks and the specification disclaims responsibility for them ● System administrators should be made aware of exactly what damage can be done by a compromised foreign realm ● Identified 3 vulnerabilities There may be more

18 Vulnerability 1 ● All TGSs on the authentication path are capable of learning the key shared between the server and the client as well as all of the session keys shared by the client and each TGS on the authentication path C KDC n S KDC i KDC i+1 Session keys...

19 Vulnerability 2 ● Remote TGS can impersonate a client anywhere outside of the client's realm C TGS i TGS i+1... S I'm C, here is cross-realm ticket TGS i gave me OK, here is cross-realm ticket for TGS i+2 I'm,C here is service ticket TGS n gave me TGS n OK C ?

20 Vulnerability 3 ● If there is a compromised KDC on the authentication path then that KDC can trick the client into believing she is following a false authentication path C KDC i Knows session keys KDC b1... KDC bn C believes Auth. Path = KDC 1,..., KDC n Actual Auth. Path = KDC 1,..., KDC i, KDC b1,..., KDC bn

21 Conclusions ● Formalized cross-realm authentication in Kerberos 5 ● Extended Dolev-Yao intruder ● Characterized minimum requirements in view of assessing confidentiality and authentication properties ● Documented a range of harmful behaviors

22 Future Work ● Prove traditional confidentiality and authentication properties ● Analyze PKINIT and PKCROSS subprotocols that may help mitigate the harm that a compromised KDC can inflict

23 Sample Rule  X: msg  T: TGS R T  T n : ts R n  AK : shK C T  t C : time if Auth C (X,T,AK), DesiredHop(C,T n,R T,R n ),clock C (t C ).   n 2 : nonce N(X,{C,t C } AK,C,T n,n 2 ) L(C,T n,T,AK,n 2 ) ● This is part of the client's role in TGS exchange  C: client R C

24 Intruder Model ● Assume a worst-case scenario in which all principals communicate on the same network ● Single Dolev-Yao intruder that can impersonate clients, end-servers, and KDCs  R : realm  P : tcs R  k : dbK R P  I(k). if compromised(R)

Download ppt "Specifying Kerberos 5 Cross-Realm Authentication Iliano Cervesato, Aaron D. Jaggard, Andre Scedrov, and Chris Walstad Supported by ONR, NSF, NRL."

Similar presentations

Kerberos Authentication. Kerberos Requires shared secret with KDC ( perhaps not for PKINIT) Shared session key established Time synchronization needed.

Kerberos Authentication. Kerberos Requires shared secret with KDC ( perhaps not for PKINIT) Shared session key established Time synchronization needed.
Computer Science CSC 474Dr. Peng Ning1 CSC 474 Information Systems Security Topic 4.6 Kerberos.

Computer Science CSC 474Dr. Peng Ning1 CSC 474 Information Systems Security Topic 4.6 Kerberos.
AUTHENTICATION AND KEY DISTRIBUTION

AUTHENTICATION AND KEY DISTRIBUTION
CMSC 414 Computer (and Network) Security Lecture 22 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 22 Jonathan Katz.
Overview Network security involves protecting a host (or a group of hosts) connected to a network Many of the same problems as with stand-alone computer.

Overview Network security involves protecting a host (or a group of hosts) connected to a network Many of the same problems as with stand-alone computer.
Supervisor :Dr. Lo'ai Ali Tawalbeh Done by: Wa’el Musa Hadi

Supervisor :Dr. Lo'ai Ali Tawalbeh Done by: Wa’el Musa Hadi
Authentication Applications Kerberos And X.509. Kerberos Motivation –Secure against eavesdropping –Reliable – distributed architecture –Transparent –

Authentication Applications Kerberos And X.509. Kerberos Motivation –Secure against eavesdropping –Reliable – distributed architecture –Transparent –
Security Protocols Sathish Vadhiyar Sources / Credits: Kerberos web pages and documents contained / pointed.

Security Protocols Sathish Vadhiyar Sources / Credits: Kerberos web pages and documents contained / pointed.
Efficient Kerberized Multicast Olga Kornievskaia University of Michigan Giovanni Di Crescenzo Telcordia Technologies.

Efficient Kerberized Multicast Olga Kornievskaia University of Michigan Giovanni Di Crescenzo Telcordia Technologies.
1 Authentication Applications Ola Flygt Växjö University, Sweden +46 470 70 86 49.

1 Authentication Applications Ola Flygt Växjö University, Sweden
Windows 2000 Security --Kerberos COSC513 Project Sihua Xu June 13, 2014.

Windows 2000 Security --Kerberos COSC513 Project Sihua Xu June 13, 2014.
Chapter 14 – Authentication Applications

Chapter 14 – Authentication Applications
KERBEROS www.unix.org.ua/orelly/networking/puis/ch19_06.htm.

KERBEROS
Authentication Applications The Kerberos Protocol Standard

Authentication Applications The Kerberos Protocol Standard
SCSC 455 Computer Security

SCSC 455 Computer Security
Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.

Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.
Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.

Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.
Kerberos 1 Public domain image of Heracles and Cerberus. From an Attic bilingual amphora, 530–520 BC. From Italy (?).

Kerberos 1 Public domain image of Heracles and Cerberus. From an Attic bilingual amphora, 530–520 BC. From Italy (?).
Akshat Sharma Samarth Shah

Akshat Sharma Samarth Shah
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Similar presentations

Ads by Google