COEN 350 Kerberos. Provide authentication for a user that works on a workstation. Uses secret key technology Because public key technology still had patent.

Slides:



Advertisements
Similar presentations
AUTHENTICATION AND KEY DISTRIBUTION
Advertisements

COEN 350 Kerberos.
CMSC 414 Computer (and Network) Security Lecture 22 Jonathan Katz.
Overview Network security involves protecting a host (or a group of hosts) connected to a network Many of the same problems as with stand-alone computer.
Supervisor :Dr. Lo'ai Ali Tawalbeh Done by: Wa’el Musa Hadi
Lecture 10: Mediated Authentication
Chapter 10 Real world security protocols
Authentication Applications Kerberos And X.509. Kerberos Motivation –Secure against eavesdropping –Reliable – distributed architecture –Transparent –
Security Protocols Sathish Vadhiyar Sources / Credits: Kerberos web pages and documents contained / pointed.
KERBEROS LtCdr Samit Mehra (05IT 6018).
Efficient Kerberized Multicast Olga Kornievskaia University of Michigan Giovanni Di Crescenzo Telcordia Technologies.
Windows 2000 Security --Kerberos COSC513 Project Sihua Xu June 13, 2014.
Chapter 14 – Authentication Applications
Authentication Applications The Kerberos Protocol Standard
SCSC 455 Computer Security
Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.
Kerberos Part 2 CNS 4650 Fall 2004 Rev. 2. PARC Once Again Once again XEROX PARC helped develop the basis for wide spread technology Needham-Schroeder.
Key Management. Shared Key Exchange Problem How do Alice and Bob exchange a shared secret? Offline – Doesnt scale Using public key cryptography (possible)
Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.
Kerberos 1 Public domain image of Heracles and Cerberus. From an Attic bilingual amphora, 530–520 BC. From Italy (?).
Akshat Sharma Samarth Shah
Handshake Protocols COEN 350. Simple Protocol Alice: Hi, I am Alice. My password is “fiddlesticks”. Bob: Welcome, Alice.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.
Last Class: The Problem BobAlice Eve Private Message Eavesdropping.
CIS 725 Key Exchange Protocols. Alice ( PB Bob (M, PR Alice (hash(M))) PB Alice Confidentiality, Integrity and Authenication PR Bob M, hash(M) M, PR Alice.
1 Security Handshake Pitfalls. 2 Authentication Handshakes Secure communication almost always includes an initial authentication handshake: –Authenticate.
Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.
The Kerberos Authentication System Brad Karp UCL Computer Science CS GZ03 / M th November, 2008.
1 Lecture 12: Kerberos terms and configuration phases –logging to network –accessing remote server replicated KDC multiple realms message privacy and integrity.
Authentication & Kerberos
 Authorization via symmetric crypto  Key exchange o Using asymmetric crypto o Using symmetric crypto with KDC  KDC shares a key with every participant.
1 Authentication Applications Digital Signatures Security Concerns X.509 Authentication Service Kerberos Based on slides by Dr. Lawrie Brown of the Australian.
 Public key (asymmetric) cryptography o Modular exponentiation for encryption/decryption  Efficient algorithms for this o Attacker needs to factor large.
ACCESS CONTROL MANAGEMENT Project Progress (as of March 3) By: Poonam Gupta Sowmya Sugumaran.
CS470, A.SelcukKerberos1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
CMSC 414 Computer and Network Security Lecture 19 Jonathan Katz.
EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 7 Wenbing Zhao Department of Electrical and Computer Engineering.
CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.
More on AuthenticationCS-4513 D-term More on Authentication CS-4513 Distributed Computing Systems (Slides include materials from Operating System.
Kerberos Presented By: Pratima Vijayakumar Rafi Qureshi Vinay Gaonkar CS 616 Course Instructor: Dr. Charles Tappert.
Alexander Potapov.  Authentication definition  Protocol architectures  Cryptographic properties  Freshness  Types of attack on protocols  Two-way.
Strong Password Protocols
Part Two Network Security Applications Chapter 4 Key Distribution and User Authentication.
Anjum Reyaz-Ahmed.  Part I : Authentication Protocols  Kerberos Protocol  Needham-Schroder Protocol  Part II: Current Literary Review  “Elliptical.
Kerberos: An Authentication Service for Open Network Systems Jennifer G. Steiner Clifford Neuman Jeffrey I. Schiller.
Authentication Applications Unit 6. Kerberos In Greek and Roman mythology, is a multi-headed (usually three-headed) dog, or "hellhound” with a serpent's.
Chapter 3: Basic Protocols Dulal C. Kar. Key Exchange with Symmetric Cryptography Session key –A separate key for one particular communication session.
Kerberos Named after a mythological three-headed dog that guards the underworld of Hades, Kerberos is a network authentication protocol that was designed.
ACCESS CONTROL MANAGEMENT Project Progress (as of March 3) By: Poonam Gupta Sowmya Sugumaran.
Kerberos. What is Kerberos? Network authentication protocol Developed at MIT in the mid 1980s Available as open source or in supported commercial software.
Lecture 13 Page 1 Advanced Network Security Authentication and Authorization in Local Networks Advanced Network Security Peter Reiher August, 2014.
Key Management. Given a computer network with n hosts, for each host to be able to communicate with any other host would seem to require as many as n*(n-1)
KERBEROS. Introduction trusted key server system from MIT.Part of project Athena (MIT).Developed in mid 1980s. provides centralised private-key third-party.
1 Lecture 9: Cryptographic Authentication objectives and classification one-way –secret key –public key mutual –secret key –public key establishing session.
1 Needham-Schroeder A --> S: A,B, N A S --> A: {N A,B,K AB,{K AB,A} KBS } KAS A --> B:{K AB,A} KBS B --> A:{N B } KAB A --> B:{N B -1} KAB.
Cerberus (from Kerberos, demon of the pit): Monstrous three-headed dog (sometimes said to have fifty or one- hundred heads), (sometimes) with a snake for.
Cryptography and Network Security Chapter 14 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.
1 Kerberos n Part of project Athena (MIT). n Trusted 3rd party authentication scheme. n Assumes that hosts are not trustworthy. n Requires that each client.
Network Security Continued. Digital Signature You want to sign a document. Three conditions. – 1. The receiver can verify the identity of the sender.
User Authentication  fundamental security building block basis of access control & user accountability  is the process of verifying an identity claimed.
KERBEROS SYSTEM Kumar Madugula.
Lesson Introduction ●Authentication protocols ●Key exchange protocols ●Kerberos Security Protocols.
Pertemuan #8 Key Management Kuliah Pengaman Jaringan.
Dr. Nermi hamza.  A user may gain access to a particular workstation and pretend to be another user operating from that workstation.  A user may eavesdrop.
1 Cryptography CSS 329 Lecture 12: Kerberos. 2 Lecture Outline Kerberos - Overview - V4 - V5.
Cryptography and Network Security
Kerberos Part of project Athena (MIT).
KERBEROS.
AIT 682: Network and Systems Security
Presentation transcript:

COEN 350 Kerberos

Provide authentication for a user that works on a workstation. Uses secret key technology Because public key technology still had patent projection. Implements authentication by Needham & Schroeder. On the market in versions 4 and 5.

Kerberos Kerberos consists of Key Distribution Center (KDC) Runs on a physically secure node Library of Subroutines Modifies known UNIX libraries such as telnet, rlogin, …

Key Distribution Center KDC: Database of keys for all users Invents and hands out keys for each transaction between clients. Alice KDC Bob Alice wants Bob K Alice { K AB for Bob }K Bob {K AB for Alice}

Key Distribution Center Message from KDC to Bob has some problems. Timing problem: Alice needs to wait to make sure that Bob got the key. Change the protocol so that Alice receives a ticket to talk to Bob.

Key Distribution Center Alice KDC Bob Alice wants Bob K Alice {Use K AB for Bob} Ticket for Bob := K Bob {Use K AB for Alice} I’m Alice, my ticket is K Bob {Use K AB for Alice}

Key Distribution Center Needham Schroeder: Combines KDC operation with authentication. Uses nonces instead of timestamps to prevent replay attacks. A (sequential / random) number used only once.

Needham Schroeder AliceKDC BobN 1, Alice, Bob K Alice {N 1, Bob, K AB, ticket to Bob} K AB {N 2 -1, N 3 } K AB {N 3 -1} Ticket, K AB {N 2 } Ticket = K Bob {K AB, Alice}

Trudy waits until Alice makes a request to the KDC.Trudy now incorporates Bob. Needham Schroeder AliceKDC BobN 1, Alice, Bob Purpose of the nonce is the following scenario: Assume that Trudy has stolen an old key of Bob’s and stolen the message where Alice previously has requested a key. Bob has in the meantime changed his key. Trudy (KDC) K Alice {N 1, Bob, K AB, ticket to Bob} Trudy as Bob Ticket = K Bob {K AB, Alice}, … Trudy impersonates the KDC and replays the old captured message, which looks like a normal message. Trudy can now successfully authenticate herself to Alice as Bob. But the nonces make all messages unique!

Message 2: K Alice {N 1, Bob, K AB, ticket} with ticket = K Bob {K AB,Alice} N 1 prevents replay attacks. “Bob” to prevent Trudy from trying to play Bob. Ticket does not have to be sent encrypted with Alice’s key. Needham Schroeder

Message 3: ticket, K AB {N 2 } Alice presents a challenge together with her ticket. Bob decodes ticket to find K AB. He decodes the latter part of the message to find the challenge. Needham Schroeder

Message 4: K AB {N 2 -1,N 3 } Bob solves Alice’s challenge. Bob sends Alice his own challenge. Your turn: What is the vulnerability if message 4 were to read: K AB {N 2 -1}, K AB {N 3 } ? Needham Schroeder Answer on next two slides.

Needham Schroeder Answer: Trudy eavesdrops on an exchange and then splices her own messages to Bob:

Needham Schroeder Alice Bob Ticket, K AB {N 2 } K AB {N 2 -1}, K AB {N 3 } Trudy (later) Replays Ticket, K AB {N 2 }K AB {N 2 -1} K AB {N 4 } Trudy (second connection) Ticket, K AB {N 4 } K AB {N 4 -1} K AB {N 5 } Trudy now resumes her first connection: K AB {N 4 -1} and is authenticated

Needham Schroeder Expanded Needham Schroeder Prevents replay attacks after Alice’s key was stolen and changed.

Needham Schroeder Vulnerability Scenario Alice has a previous key J Alice that Trudy captured. Alice has changed her key to K Alice. Trudy has captured a previous login request from Alice to KDC: KDC sent J Alice {N 1,Bob,J AB,K Bob {J AB,Alice}}

Needham Schroeder Vulnerability Scenario Trudy has J Alice {N 1,Bob,J AB,K Bob {J AB,Alice}} Trudy calculates J AB and K Bob {J AB,Alice} with J Alice. Trudy now impersonates Alice to Bob. She sends her round 3 message to Bob: N 2, K Bob {J AB,Alice} She can complete the Needham Schroeder protocol with Bob. Since the KDC no longer participates, informing the KDC of the change does not prevent Trudy from succeeding impersonating Alice to Bob.

Needham Schroeder Solution: Prevent replays after long duration: Clock and date. Certificate from Bob. Extended Needham Schroeder picks the latter.

Extended Needham Schroeder Alice to Bob: I want to talk to you. Bob to Alice: K Bob {N B } Alice to KDC: N 1, “Alice wants Bob”, K Bob {N B } KDC to Alice: K Alice {N 1,“Bob”,K AB, K Bob {K AB, “Alice”, N B }} Alice to Bob: K Bob {K AB, “Alice”, N B }, K AB {N 2 } Bob to Alice: K AB {N 2 -1,N 3 } Alice to Bob:K AB {N 3 -1}. N B prevents the previous attack. Bob can determine whether Alice is using the key that the KDC has.

Otway Rees Replaces extended Needham Schroeder Uses only 5 messages Speed-up results from the “suspicious party” (Bob) going to the KDC.

Otway Rees Alice to Bob:N C, Alice Bob K Alice {N A,N C,“A.”,“B.”} Bob to KDC:K Alice {N A,N C, Alice, Bob, K Bob {N B,N C,“A.”,“B.”} KDC to BobN C, K Alice {N A,K AB }, K Bob {N B,K AB } Bob to Alice:K Alice {N A,K AB } Alice to Bob:K AB {N C }

Kerberos Based on Needham Schroeder, but uses time instead of nonces. Approximate time is easy in distributed systems.

Kerberos Kerberos Authentication Service: Alice to KDCN 1 “Alice wants Bob” KDC to AliceK Alice {N 1, “Bob”, K AB, K Bob {K AB, Alice, expir. Time}} Alice to BobK Bob {K AB, “Alice”, expir. Time}, K AB {cur. Time} Bob to AliceK AB {cur. Time +1}

Kerberos Kerberos Setup Master key shared by KDC with each principal. When Alice logs into her machine, her station asks the KDC for a session key for Alice. The KDC also gives her a Ticket Granting Ticket. (TGT) Alice’s workstation retains only the session key and the TGT. Alice’s workstation uses the TGT to receive other tickets from the Ticket Granting Service (TGS).

Kerberos Two entities: Key distribution center. Authentication Server (AS) Ticket granting server (TGS). Both need the same database, so they are usually on the same machine.

Kerberos Logging in: AliceWorkstation AS Alice AS_REQ{Alice} AS_REP{K Alice {S Alice,TGT}} Password? K Alice Workstation calculates session key S Alice and TGT, throws K Alice away. TGT = K KDC {Alice, S A }

Kerberos Why wait for the password? Workstation should know Alice’s password for minimum time. Kerberos v. 5 changes this. The workstation would contain data on which a password cracker could be run.

Kerberos Purpose of TGT AS, TGS does not need to retain session state. Can recuperate quickly from a crash.

Kerberos Remote Login Step 1: Get a ticket for Bob. Step 2: Use the ticket to log into Bob.

Kerberos Alice Workstation TGS rlogin Bob TGS_REQ{ Alice to Bob, TGT, S A {timestamp}} Gets S A from TGT, verifies timestamp, creates ticket to Bob K Bob { Alice, K AB } TGS_REP{ S A {“Bob”, K AB, K Bob {Alice, K AB }}

Kerberos Workstation Bob AP_REQ{ K Bob {Alice, K AB }, K AB {timestamp}} Bob decrypts the ticket to find K AB. He then checks the timestamp. AP_REP{ K AB {timestamp + 1}} Workstation authenticates Bob because Bob has proven he knows K AB.

Kerberos After the successful rlogin, Alice and Bob are not forced to use K AB But they can.

Kerberos Replicated KDC To remedy single point of failure. To remedy bottleneck. Critical design point is the master key database. Can be made read-only at replicated KDC and updated by a single master. Updates of the master key database need to be protected against substitution attacks.

Kerberos Realms Every entity in a Kerberos realm trusts the Kerberos TGS & AS. Each realm has its own master key database. Principals in one realm can be authenticated to principals in another realm.

Kerberos Alice Realm 1 Realm 2 Realm 3 Request and ticket for KDC in Realm 2 Request and ticket for KDC in Realm 3 Request

Kerberos A single rogue KDC cannot subvert this process and grant tickets for things in other realms.

Kerberos Tickets contain Newly minted authentication key K AB Name of requestor Expiration Time At most 23 hours

Kerberos Keys contain version numbers. This allows a key change without invalidating all pending requests. Important for batch jobs when additional authentication is not possible.

Kerberos Kerberos messages contain network addresses in the TGT. The TGS checks for the network address when granting tickets. This is not much of a protection It is easy to fake network addresses But together with a firewall might be useful to thwart attackers from outside.

Kerberos Kerberos puts 4B IPv4 address inside a ticket. Recipient of ticket checks whether the source IP address is the same as in the ticket. Prevents use of a stolen session key and TGT. Probably not worth the trouble, since it is easy to spoof IP addresses. Generates problems with NAT. Makes delegation of rights difficult / impossible.

Kerberos Version 5 updates ASN.1 data representation language No fixed message formats. Adds considerable overhead. ASN.1 is presented in COEN 351.

Kerberos Optional delegation. Delegation of rights allows someone to give them their access rights for a limited scope and limited time. Important to allow access to resources by a long-lasting batch-job. Cannot be done by handing out the master key, or there would be no limitation to the delegation. Handing tickets to the batch-job will not work if they are used after they expire.

Kerberos Optional delegation. Kerberos v. 5 allows Alice to ask for a TGT with a network address different from her address. This TGT is not usable by Alice, but can be used by some entity to act on Alice’s behalf.

Kerberos Optional delegation. Limited Delegation Alice can give Bob tickets to the specific service that he will need acting on her behalf. Instead of giving Bob a TGT. Alice can give Bob a TGT with the AUTHORIZATION- DATA field specified. This field is interpreted by the application, not Kerberos. Application reads the field to determine what Bob can do. OSF/DCE and Windows 2000 use this field extensively.

Kerberos Optional Delegation Flag in TGT indicates whether delegation is allowed: Forwardable Flag TGT can be exchanged for a TGT with a different network layer address. Alice decides whether the new TGT still has the forwardable flag set. In this way, Bob can ask Carol to act for him on behalf of Alice, … Proxiable Flag TGT can be used to request tickets (but not TGTs) with a different network address.

Kerberos Ticket Lifetimes There is a need for longer lived tickets, but granting them in general poses security risks. K v. 5 allows Specifying a start time. An end time. Authorization time. Renew till times.

Kerberos Alice can: Get a renewable ticket. Ticket is valid for 100 years. But Alice needs to renew it daily. Renewing a ticket is done by Giving the ticket to the KDC and have the KDC reissue it. If there is something wrong, the KDC can be told to not renew the ticket. KDC only needs to retain revocation data for the ticket lifetime. Uses the renewable flag.

Kerberos Alice can: Get a postdated ticket. Used to run a batch-job sometimes in the future. Kerberos uses the Start-Time field to indicate the future moment when the ticket becomes valid. Original post-dated ticket is marked invalid. If Bob wants to use the ticket, Bob has to present it to the KDC, which clears the invalid field. This allows revocation of postdated tickets.

Kerberos Key Versions KDC maintains versions of keys. Stored as key (encrypted version of Alice’s key) p_kvno (Alice’s key version number) k_kvno (Version of KDC key used to obtain key ) Needed for Post-dated tickets Renewable tickets

Kerberos Making Master Keys Different Master keys in different realms should be different, when generated with the same password. Kerberos v.5 uses a password to key hash function that has the realm name as an additional parameter. Keys are different in different realms in an unpredictable way.

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.