Presentation is loading. Please wait.

Presentation is loading. Please wait.

Distributed Authentication in Wireless Mesh Networks Through Kerberos Tickets draft-moustafa-krb-wg-mesh-nw-00.txt Hassnaa Moustafa

Published byAvice Page Modified over 8 years ago

Similar presentations

Presentation on theme: "Distributed Authentication in Wireless Mesh Networks Through Kerberos Tickets draft-moustafa-krb-wg-mesh-nw-00.txt Hassnaa Moustafa"— Presentation transcript:

1 Distributed Authentication in Wireless Mesh Networks Through Kerberos Tickets draft-moustafa-krb-wg-mesh-nw-00.txt Hassnaa Moustafa (hassnaa.moustafa@orange-ftgroup.com)hassnaa.moustafa@orange-ftgroup.com Gilles Bourdon (gilles.bourdon@orange-ftgroup.com)gilles.bourdon@orange-ftgroup.com Tom Yu (tlyu@mit.edu)tlyu@mit.edu

2 Draft History This draft replaces the draft (Distributed Authentication Through Kerberos Tickets: Problem statement and Requirements ) that was published on June 2010.

3 Problem and motivation -Authentication and authorization to services access is still an open problem in wireless mesh network. -Distributed environments -Several users would need to communicate to several application servers and with each other in a single or multi-hop fashion -Each user could play the role of an application provider -The principle of using service tickets in Kerberos allows for a credentials distribution which is suitable for distributed environments, however, - The centralized approach in Kerberos have some restrictions (each user should communicate with the authentication server each time he needs services credentials). - Kerberos rather authenticates each node with respect to the authentication server and to the application server but not with respect to other nodes (during the multi-hop communication). -Although the multi-hop communication is transparent to the application, there is a need to handle the authentication and access control among the different multi-hop communicating nodes to prevent against malicious actions taken by the human users themselves. This draft proposes to use a common key obtained by Kerberos for authentication among each two nodes who communicate together in a multi-hop fashion. This common key is dynamic (renewable with time) for more security in dynamic and distributed wireless environment.

4 Requirements o Distributed environment consisting of fixed and mobile nodes. o Dynamic neighbors and dynamic application providers. o User Generated Content (UGC) application, in which each node could be a source of content (mainly multimedia contents) for other nodes in the network, e.g. transmitting video snapshots during festival events. o Hundreds of nodes (indoor or outdoor environment). o Personal devices (of low power) individually used by users. o Multihop communication. o Authentication and access control of each user node by a trusted third party. o Access control of each user by a trusted third party in a way that corresponds to the user subscription type and profile. o Mutual authentication between each pair of communicating users. o Limited bandwidth: need for minimizing traffic (minimizing the communication with the KDC). o Dynamic credentials (attributing dynamic credentials to be distributed to each user).

5 Kerberos Extension Solution Proposal 1/2 o Each user node wishing to access the services offered by the mesh network -Firstly sends a request to the KDC in order to authenticate with respect to the network operator and to obtain the TGT (similar process to classical Kerberos authentication approach). - Then, the user node re-contacts the KDC in order to obtain the necessary credentials. -The classical Kerberos TGS request should be extended to illustrate the need of extra credentials for authentication with intermediate nodes along the multi-hop communication. -Legitimate user receives the credentials in form of shared secrets according to his user profile and to the required service. o The shared secrets could take the form of service tickets sent through - Normal Kerberos TGS request process, where the service is the relaying process and each relay is considered as a service provider node. Or - The classical Kerberos TGS reply message could be extended to include these shared secrets. o To avoid the shared secret compromise, several shared secrets (taking the form of a service ticket obtained through a TGS request) could be obtained with each shared secret valid for a given time interval.

6 o Shared secrets distribution mean should not compromise the security of the whole network: - If shared secrets are required by each mesh node at each time interval, this would generate lot of traffic during the communication with the KDC. - If shared secrets for future time intervals are pre-generated by the KDC and given in batch to each user, this would optimize traffic, but if a node is compromised at an interval of time, all the shared secrets would be known and the network would be compromised. o The KDC sends to each mesh node the current interval shared secret and the pre-generated ones for the future, while each pre-generated shared secret is encrypted with a key corresponding to its related time interval. - This encryption key should sent to each mesh node in the corresponding time interval either through Kerberos protocol or through a multicast routing protocol. o Group keys can be also considered allowing - To have a shared secret for each group of mesh nodes (Mesh nodes sharing the same group key are nodes sharing some common characteristics “making a cluster, hierarchal group keys for example,...”. ) - Each mesh node participate to more than one group and hence to have several group keys - If one group key is compromised it could be deleted by the KDC. Kerberos Extension Solution Proposal 2/2

7 Potential Use-Cases o Temporary network infrastructure deployment for special events (sport events, music festivals,..). - Users communicate with the application servers (that could be locally deployed) either directly or through passing by other users. - Users themselves can play the role of application providers contributing to the diffusion of multimedia services (video snapshots on the event, video streams with inserted comments, video streaming for what was missed in the event, downloading an interactive audio-visual program for the event,...). o Community networks. - A user owns the home gateway to the Internet and allows other distributed users to have access to the internet through passing by his home gateway. - Users may need to pass by other users (in the community network) in order to reach the home gateway. A need for dynamic credentials distribution on the different participating nodes and controlling the access of each user to the authorized service for a duration corresponding to his subscription. A need for credentials distribution in a dynamic manner (adapting to the random configuration of the community network) to allow mutual authentication between each pair of communicating users and between each user and the home gateway providing the Internet access.

8 Next Step WG Comments.

Download ppt "Distributed Authentication in Wireless Mesh Networks Through Kerberos Tickets draft-moustafa-krb-wg-mesh-nw-00.txt Hassnaa Moustafa"

Similar presentations

AUTHENTICATION AND KEY DISTRIBUTION

AUTHENTICATION AND KEY DISTRIBUTION
Supervisor :Dr. Lo'ai Ali Tawalbeh Done by: Wa’el Musa Hadi

Supervisor :Dr. Lo'ai Ali Tawalbeh Done by: Wa’el Musa Hadi
Chapter 10 Real world security protocols

Chapter 10 Real world security protocols
Efficient Kerberized Multicast Olga Kornievskaia University of Michigan Giovanni Di Crescenzo Telcordia Technologies.

Efficient Kerberized Multicast Olga Kornievskaia University of Michigan Giovanni Di Crescenzo Telcordia Technologies.
SCSC 455 Computer Security

SCSC 455 Computer Security
Key Management. Shared Key Exchange Problem How do Alice and Bob exchange a shared secret? Offline – Doesnt scale Using public key cryptography (possible)

Key Management. Shared Key Exchange Problem How do Alice and Bob exchange a shared secret? Offline – Doesnt scale Using public key cryptography (possible)
Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.

Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.
Kerberos 1 Public domain image of Heracles and Cerberus. From an Attic bilingual amphora, 530–520 BC. From Italy (?).

Kerberos 1 Public domain image of Heracles and Cerberus. From an Attic bilingual amphora, 530–520 BC. From Italy (?).
Akshat Sharma Samarth Shah

Akshat Sharma Samarth Shah
CIS 725 Key Exchange Protocols. Alice ( PB Bob (M, PR Alice (hash(M))) PB Alice Confidentiality, Integrity and Authenication PR Bob M, hash(M) M, PR Alice.

CIS 725 Key Exchange Protocols. Alice ( PB Bob (M, PR Alice (hash(M))) PB Alice Confidentiality, Integrity and Authenication PR Bob M, hash(M) M, PR Alice.
Page 1 / 14 The Mesh Comparison PLANET’s Layer 3 MAP products v.s. 3 rd ’s Layer 2 Mesh.

Page 1 / 14 The Mesh Comparison PLANET’s Layer 3 MAP products v.s. 3 rd ’s Layer 2 Mesh.
Efficient Public Key Infrastructure Implementation in Wireless Sensor Networks Wireless Communication and Sensor Computing, 2010. ICWCSC 2010. International.

Efficient Public Key Infrastructure Implementation in Wireless Sensor Networks Wireless Communication and Sensor Computing, ICWCSC International.
TAODV: A Trusted AODV Routing Protocol for MANET Li Xiaoqi, GiGi March 22, 2004.

TAODV: A Trusted AODV Routing Protocol for MANET Li Xiaoqi, GiGi March 22, 2004.
Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.

Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.
1 Lecture 12: Kerberos terms and configuration phases –logging to network –accessing remote server replicated KDC multiple realms message privacy and integrity.

1 Lecture 12: Kerberos terms and configuration phases –logging to network –accessing remote server replicated KDC multiple realms message privacy and integrity.
6 The IP Multimedia Subsystem Selected Topics in Information Security – Bazara Barry.

6 The IP Multimedia Subsystem Selected Topics in Information Security – Bazara Barry.
Kerberos Jean-Anne Fitzpatrick Jennifer English. What is Kerberos? Network authentication protocol Developed at MIT in the mid 1980s Available as open.

Kerberos Jean-Anne Fitzpatrick Jennifer English. What is Kerberos? Network authentication protocol Developed at MIT in the mid 1980s Available as open.
Universität Rostock1 A P2P network traffic and access control protocol Herwig Unger Albert – Einstein-Str. 23, 18051 Rostock, Germany Phone: +49 381 498.

Universität Rostock1 A P2P network traffic and access control protocol Herwig Unger Albert – Einstein-Str. 23, Rostock, Germany Phone:
 Authorization via symmetric crypto  Key exchange o Using asymmetric crypto o Using symmetric crypto with KDC  KDC shares a key with every participant.

 Authorization via symmetric crypto  Key exchange o Using asymmetric crypto o Using symmetric crypto with KDC  KDC shares a key with every participant.
Feb 25, 2003Mårten Trolin1 Previous lecture More on hash functions Digital signatures Message Authentication Codes Padding.

Feb 25, 2003Mårten Trolin1 Previous lecture More on hash functions Digital signatures Message Authentication Codes Padding.

Similar presentations

Ads by Google