Chapter 10 Real world security protocols

Slides:

Advertisements

Similar presentations

ISA 662 Internet Security Protocols Kerberos Prof. Ravi Sandhu.

Advertisements

1 Key Exchange Solutions Diffie-Hellman Protocol Needham Schroeder Protocol X.509 Certification.

1 Kerberos Anita Jones November, Kerberos * : Objective Assumed environment Assumed environment –Open distributed environment –Wireless and Ethernetted.

AUTHENTICATION AND KEY DISTRIBUTION

CMSC 414 Computer (and Network) Security Lecture 22 Jonathan Katz.

Overview Network security involves protecting a host (or a group of hosts) connected to a network Many of the same problems as with stand-alone computer.

Supervisor :Dr. Lo'ai Ali Tawalbeh Done by: Wa’el Musa Hadi

Lecture 10: Mediated Authentication

KERBEROS LtCdr Samit Mehra (05IT 6018).

Efficient Kerberized Multicast Olga Kornievskaia University of Michigan Giovanni Di Crescenzo Telcordia Technologies.

Authentication Applications

1 Authentication Applications Ola Flygt Växjö University, Sweden

Windows 2000 Security --Kerberos COSC513 Project Sihua Xu June 13, 2014.

Chapter 14 – Authentication Applications

Kerberos and X.509 Fourth Edition by William Stallings

IT 221: Introduction to Information Security Principles Lecture 8:Authentication Applications For Educational Purposes Only Revised: October 20, 2002.

SCSC 455 Computer Security

Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.

Kerberos Part 2 CNS 4650 Fall 2004 Rev. 2. PARC Once Again Once again XEROX PARC helped develop the basis for wide spread technology Needham-Schroeder.

Key Management. Shared Key Exchange Problem How do Alice and Bob exchange a shared secret? Offline – Doesnt scale Using public key cryptography (possible)

Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.

Kerberos 1 Public domain image of Heracles and Cerberus. From an Attic bilingual amphora, 530–520 BC. From Italy (?).

Akshat Sharma Samarth Shah

Handshake Protocols COEN 350. Simple Protocol Alice: Hi, I am Alice. My password is “fiddlesticks”. Bob: Welcome, Alice.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.

CIS 725 Key Exchange Protocols. Alice ( PB Bob (M, PR Alice (hash(M))) PB Alice Confidentiality, Integrity and Authenication PR Bob M, hash(M) M, PR Alice.

CS470, A.SelcukCryptographic Authentication1 Cryptographic Authentication Protocols CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

1 Security Handshake Pitfalls. 2 Authentication Handshakes Secure communication almost always includes an initial authentication handshake: –Authenticate.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.

Chapter 4 Authentication Applications. Objectives: authentication functions developed to support application-level authentication & digital signatures.

Winter 2006Prof. R. Aviv: Kerberos1 Kerberos Authentication Systems.

1 Lecture 12: Kerberos terms and configuration phases –logging to network –accessing remote server replicated KDC multiple realms message privacy and integrity.

 Authorization via symmetric crypto  Key exchange o Using asymmetric crypto o Using symmetric crypto with KDC  KDC shares a key with every participant.

 Public key (asymmetric) cryptography o Modular exponentiation for encryption/decryption  Efficient algorithms for this o Attacker needs to factor large.

CS555Spring 2012/Topic 161 Cryptography CS 555 Topic 16: Key Management and The Need for Public Key Cryptography.

CMSC 414 Computer and Network Security Lecture 19 Jonathan Katz.

Symmetric Key Distribution Protocol with Hybrid Crypto Systems Tony Nguyen.

CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.

More on AuthenticationCS-4513 D-term More on Authentication CS-4513 Distributed Computing Systems (Slides include materials from Operating System.

Part Two Network Security Applications Chapter 4 Key Distribution and User Authentication.

1 An Introduction to Kerberos Shumon Huque ISC Networking & Telecommunications University of Pennsylvania March 19th 2003.

Kerberos: An Authentication Service for Open Network Systems Jennifer G. Steiner Clifford Neuman Jeffrey I. Schiller.

Authentication Applications Unit 6. Kerberos In Greek and Roman mythology, is a multi-headed (usually three-headed) dog, or "hellhound” with a serpent's.

Kerberos Named after a mythological three-headed dog that guards the underworld of Hades, Kerberos is a network authentication protocol that was designed.

Authentication 3: On The Internet. 2 Readings URL attacks

Key Management. Given a computer network with n hosts, for each host to be able to communicate with any other host would seem to require as many as n*(n-1)

Fall 2010/Lecture 321 CS 426 (Fall 2010) Key Distribution & Agreement.

Information System Security Đại học Quốc Gia TPHCM – Đại học Bách Khoa Khoa Khoa học và Kỹ thuật Máy Tính.

Lecture 5.2: Key Distribution: Private Key Setting CS 436/636/736 Spring 2012 Nitesh Saxena.

Kerberos  Kerberos was a 3-headed dog in Greek mythology Guarded the gates of the deadGuarded the gates of the dead Decided who might enterDecided who.

Cerberus (from Kerberos, demon of the pit): Monstrous three-headed dog (sometimes said to have fifty or one- hundred heads), (sometimes) with a snake for.

Kerberos By Robert Smithers. History of Kerberos Kerberos was created at MIT, and was named after the 3 headed guard dog of Hades in Greek mythology Cerberus.

1 Kerberos – Private Key System Ahmad Ibrahim. History Cerberus, the hound of Hades, (Kerberos in Greek) Developed at MIT in the mid 1980s Available as.

Winter 2006Prof. R. Aviv: Kerberos1 Kerberos Authentication Systems.

1 Kerberos n Part of project Athena (MIT). n Trusted 3rd party authentication scheme. n Assumes that hosts are not trustworthy. n Requires that each client.

KERBEROS SYSTEM Kumar Madugula.

9.2 SECURE CHANNELS JEJI RAMCHAND VEDULLAPALLI. Content Introduction Authentication Message Integrity and Confidentiality Secure Group Communications.

Lesson Introduction ●Authentication protocols ●Key exchange protocols ●Kerberos Security Protocols.

Pertemuan #8 Key Management Kuliah Pengaman Jaringan.

1 Example security systems n Kerberos n Secure shell.

Dr. Nermi hamza.  A user may gain access to a particular workstation and pretend to be another user operating from that workstation.  A user may eavesdrop.

1 Cryptography CSS 329 Lecture 12: Kerberos. 2 Lecture Outline Kerberos - Overview - V4 - V5.

Radius, LDAP, Radius used in Authenticating Users

Authentication Protocol

Kerberos Part of project Athena (MIT).

Network Security Standards

Presentation transcript:

Chapter 10 Real world security protocols Kerberos Chapter 10 Real world security protocols

Chapter 10 Real world security protocols Kerberos In Greek mythology, Kerberos is 3-headed dog that guards entrance to Hades “Wouldn’t it make more sense to guard the exit?” In security, Kerberos is an authentication system based on symmetric key crypto Originated at MIT Based on work by Needham and Schroeder Relies on a Trusted Third Party (TTP) Chapter 10 Real world security protocols

Motivation for Kerberos Authentication using public keys N users  N key pairs Authentication using symmetric keys N users requires about N2 keys Symmetric key case does not scale! Kerberos based on symmetric keys but only requires N keys for N users But must rely on TTP Advantage is that no PKI is required Chapter 10 Real world security protocols

Chapter 10 Real world security protocols Kerberos KDC Kerberos Key Distribution Center or KDC Acts as a TTP TTP must not be compromised! KDC shares symmetric key KA with Alice, key KB with Bob, key KC with Carol, etc. Master key KKDC known only to KDC KDC enables authentication and session keys Keys for confidentiality and integrity In practice, the crypto algorithm used is DES Chapter 10 Real world security protocols

Chapter 10 Real world security protocols Kerberos Tickets KDC issues a ticket containing info needed to access a network resource KDC also issues ticket-granting tickets or TGTs that are used to obtain tickets Each TGT contains Session key User’s ID Expiration time Every TGT is encrypted with KKDC TGT can only be read by the KDC Chapter 10 Real world security protocols

Chapter 10 Real world security protocols Kerberized Login Alice enters her password Alice’s workstation Derives KA from Alice’s password Uses KA to get TGT for Alice from the KDC Alice can then use her TGT (credentials) to securely access network resources Plus: Security is transparent to Alice Minus: KDC must be secure --- it’s trusted! Chapter 10 Real world security protocols

Chapter 10 Real world security protocols Kerberized Login Alice wants Alice’s a TGT password E(SA,TGT, KA) Alice Computer KDC Kerberos used for authentication Key KA derived from Alice’s password KDC creates session key SA Workstation decrypts SA, TGT, forgets KA TGT = E(“Alice”, SA, KKDC) Chapter 10 Real world security protocols

Alice Requests Ticket to Bob Once Alice’s computer receives the TGT, it can then use the TGT to request to network resource For example, spse Alice wants to talk to Bob Alice’s computer presents the TGT to KDC, along with an “authenticator” that is design to avoid a replay It responds with a “ticket to Bob” Then Alice’ computer can use the ticket to Bob to comm with Bob via his computer Chapter 10 Real world security protocols

Alice Requests Ticket to Bob I want to talk to Bob Talk to Bob REQUEST REPLY Alice Computer KDC REQUEST = (TGT, authenticator) where authenticator = E(timestamp, SA) REPLY = E(“Bob”, KAB, ticket to Bob, SA) ticket to Bob = E(“Alice”, KAB, KB) KDC gets SA from TGT to verify timestamp Chapter 10 Real world security protocols

Alice Uses Ticket to Bob ticket to Bob, authenticator E(timestamp + 1,KAB) Alice’s Computer Bob ticket to Bob = E(“Alice”, KAB, KB) authenticator = E(timestamp, KAB) Bob decrypts “ticket to Bob” to get KAB which he then uses to verify timestamp Chapter 10 Real world security protocols

Chapter 10 Real world security protocols Kerberos Session key SA used for authentication Can also be used for confidentiality/integrity Timestamps used for mutual authentication Recall that timestamps reduce number of messages Acts like a nonce that is known to both sides Note: time is a security-critical parameter! Chapter 10 Real world security protocols

Kerberos Security: Questions When Alice logs in, KDC sends E(SA,TGT,KA) where TGT = E(“Alice”, SA, KKDC) Q: Why is TGT encrypted with KA? A: Extra work and no added security! Q: In Alice’s Kerberized login to Bob, why can Alice remain anonymous? A: ticket to Bob = E(“Alice”, KAB, KB) Chapter 10 Real world security protocols

Kerberos Security: Questions Q: Why is “ticket to Bob” sent to Alice? A: If the “ticket to Bob” arrives at Bob before Alice initiates contact with Bob, the Bob would need to maintain the state, that is, he would have to remember the key KAB and it is for Alice and so on. Q: Where is replay prevention in Kerberos? A: timestamp Chapter 10 Real world security protocols

Kerberos Design Alternatives Kerberos could have Alice’s workstation remember password and use that for authentication Then no KDC required, but scaling issue will problem session key SA used for authentication Hard to protect password on workstation Every computer on the network would become TTP Chapter 10 Real world security protocols

Kerberos Design Alternatives Could have KDC remember session key instead of putting it in a TGT Then no need for TGTs But stateless KDC is big feature of Kerberos Chapter 10 Real world security protocols

Chapter 10 Real world security protocols Kerberos Keys In Kerberos, KA = h(Alice’s password) Could instead generate random KA and Compute Kh = h(Alice’s password) And workstation stores E(KA, Kh) Then KA need not change (on workstation or KDC) when Alice changes her password But E(KA, Kh) subject to password guessing This alternative approach is often used in applications (but not in Kerberos) Chapter 10 Real world security protocols