Presentation is loading. Please wait.

Presentation is loading. Please wait.

Authentication and Key Establishment (Needham-Schroeder, Kerberos and KryptoKnight) February 19, 2003 Changho Choi

Published bySandra Day Modified over 9 years ago

Similar presentations

Presentation on theme: "Authentication and Key Establishment (Needham-Schroeder, Kerberos and KryptoKnight) February 19, 2003 Changho Choi"— Presentation transcript:

1

2 Authentication and Key Establishment (Needham-Schroeder, Kerberos and KryptoKnight) February 19, 2003 Changho Choi choi@cs.umn.edu

3 Agenda Motivation Basic concept for the authentication and key establishment Needham-Schroeder Kerberos KryptoKnight Summary

4 Motivation Reliable authentication of communicating entities and network users across an insecure network Secure key establishment Protect the privacy and integrity of communication Alice Bob How Securely? Centralized key management and authentication

5 Concepts and Classification Key establishment: a shared secret becomes available to two or more parties, for subsequent cryptographic use. key transport protocol one party creates, and securely transfers it to the other(s). key agreement protocol: key establishment technique in which a shared secret is derived by two (or more) parties key pre-distribution vs. dynamic(session) key establishment Use of trusted servers trusted third party, trusted server, authentication server, key distribution center (KDC), key translation center (KTC) and certification authority (CA).

6 2-Party Mutual Authentication Protocol (2PAP) Alice Bob 1. N A 2. N B,MAC BA (N A,N B,B) 3. MAC AB (N A,N B ) N A,N B : One time random number (Nonce) MAC AB, MAC BA : Message Authentication Code with a shared key

7 KDC Alice Bob ’ s Server 1. A,B,N A 2. {k,N A,B, {k,A}K B }K A A,B: identities of hosts, KDC: Key Distribution Center N A, N B : nonce K A, K B : host keys shared by KDC and hosts k: session key for the host A and B {} k : Encryption with a key k 3. {k,A}K B Needham-Schroeder 4. {N B }k 5. {N B -1}k

8 Needham-Schroeder Properties Protocol provides A and B with a shared key k with key authentication (4) and (5) provide entity authentication of A to B. If acceptable for A to re-use key k with B, A may securely cache (3) with k To prevent replay of (4), {N A ’} k should be appended to message (3), and (4) should be replaced by {N A ’-1, N B } k allowing A to verify B’s knowledge of k

9 Kerberos Enable network application to securely identify their peers Host A provides its identity by presenting a ticket to host B Tickets are issued by a trusted third party Key Distribution Center (KDC) There is a shared key between KDC and any host Ticket is valid for a finite interval called its lifetime Ticket contains session key, host’s identity and lifetime of the session key

10 Initial ticket exchanging KDC 1. A,B,N A 2. {k,N A,L,B}K A, {k,A,L}K B A,B: identities of hosts N A : nonce, L: Life time K A, K B : host keys shared by KDC and hosts k: session key for the host A and B {k,A,L}K B : Ticket 3. {A,T A,L,B}k, {k,A,L}K B Alice Bob ’ s Server

11 Getting a Service Ticket 1. A,TGS,N A 2. {K A,TGS,N A }K A,{K A,TGS,A,L}K TGS 5. {A A }K A,B, {T A,B }K B TGS 3. B, N A ’, {A,L,TGS,T A }K A,TGS, {K A,TGS,A,L}K TGS 4. {K A,B,N A ’ }K A,TGS, {T A,B }K B A A : A, L, B,T A T A : Timestamp made by A T A,B : K A,B,A, L KDC Alice Bob ’ s Server Usually Co-located

12 Kerberos Properties Since timestamps are used, the hosts must provide both secure and synchronized clocks If initial shared keys are password-derived, protocol is no more secure than secrecy of such password or their resistance to password-guessing attack Lifetime is intended to allow A to re-use the ticket A creates new authenticator with new timestamp and same session key k

13 Needham-Schroeder vs. Kerberos Kerberos lifetime parameter is not present in N-S In N-S, (2) (which is corresponds to Kerberos ticket) is double-encrypted Authentication here employs nonce rather than timestamp Since B has no way of knowing if k is fresh, should k ever be compromised, any party knowing it may both resend message (3) and compute a correct message (5) to impersonate A to B This situation is ameliorated in Kerberos by the lifetime parameter which limits exposure to a fixed time interval

14 KryptoKnight Objective Minimal, flexible and scalable authentication and key distribution for various network settings Basic Concepts and Design Issues Minimal resource Utilization Use hash function instead of encryption Minimize the number of messages Flexible operational scenarios Scalable design Use a nonce instead of time stamp

15 Basic Key Distribution Not secure with respect to key integrity Any intruder can modify the key distribution and cause A to extract a key not issued by the KDC Timeliness of the KDC’s response Alice 1. N A 2. N K, MAC A (N A,N K,KDC)  K a New 3. MAC a (N A,N K ) KDC optional

16 Authenticated Key Distribution 2-Party Authenticated Key Distributiion Protocol(2PAKDP) Braiding KDC’s nonce in flow 2 is hidden Alice NANA MAC A (N A,N K,KDC), E A (MAC A )  N K MAC a (N A,N K ) KDC N K = K a New optional

17 3-Party Scenarios Assumption Two entities(A and B) want to authenticate with each other A and B have no shared secret There is a mutually-trusted KDC whom they each share a secret

18 A-B-K Pull scenario A is either unable, unauthorized, or unwilling to contact the KDC A BKDC optional

19 K-A-B Push Scenario Provide authentication on the forward flows to the KDC Direct handshake (2PAP) between A and B is no longer needed A B KDC optional

20 Time-Based Push Scenario(K-A-B(t)) Connection between two parties is strictly controlled by servers in highly sensitive communication systems Military system B is not available (i.e., is not on-line) at the time when A contacts the KDC In K-A-B and A-B-K, B need to maintain state – Nb, A’s name, etc K-A-B(t) requires B to start keeping state starting only from flow 3 B has no connection to, or is otherwise unable to contact the KDC (i.e, mobile entity) Hybrid (Partial Clock Synchronization) KDC-> A: Challenge-based, KDC->B: Time-based

21 K-A-B(t) A B KDC

22 Extension for Inter-Domain Protocol

23 Kerberos TGS local A B 5. {A A }K A,B, {T A,B }K B 2. {K A,TGS rem }K A,TGS, {T A,TGS rem }K TGS rem TGS remote 1. {A A }K A,TGS, {T A,TGS }K TGS, TGS rem 3. {A A }K A,TGS rem, {T A,TGS rem }K TGS rem, B 4. {K A,B }K A,TGS rem, {T A,B }K B Alice Remote Server

24 Key Exchange in Kerberos CS.UMN.EDU UMN.EDU EDU MIT.EDU UMD.EDU O(N 2 ) EDU MIT.EDUUMN.EDUUMD.EDU CS.UMN.EDU O(logN)

25 Inter-Domain protocols Kerberos Problem Puts most of the load on the initiating client Client A may be a mobile unit: no connection to its own KDC Client A may have a policy prohibiting it from communicating with the outside without establishing a secure “context” Client B may have a policy requiring it to consult its own KDC first before contacting A’s KDC Assumption Existence of inter-domain keys Keys that secure communication among KDCs in different domains

26 A-B-K inter-domain Protocol (Without Inter-KDC communication) A B KDC2 KDC1

27 With Inter-KDC communication Environments One of hosts (A or B) has no connection to its own KDC Software size at one or both hosts is critical Hide the inter-domain-ness of the protocol The burden and complexity due to inter-domain issues can be isolated in KDCs KDCs can communicate among themselves more efficiently than hosts Protocols: A-B-K-K, K-K-A-B and K-K-A-B(t)

28 A-B-K-K Protocol A B KDC2 KDC1

29 Disadvantages in inter-KDC communication Sacrifice of the KDC’s stateless nature KDC2 has to keep state between flows At least A, B, Kab and Na must be kept Alternatively, KDC2 can “export” the state information Including the state variables in the flow to KDC1 KDC1 then simply echoes them back in its reply

30 Summary Supporting a flexible range of network configurations, avoiding reliance on tightly-synchronized clocks or counters Minimizing message sizes and cryptographic operations Light-weight protocol in terms of resource usage and suitable for low-end devices with limited memory and processing capability

31 References J. Kohl, B. Neuman, and T. Ts’o. The Evolution of the Kerberos Authentication Service. In F. Brazier and D. Johansen, editors, Distributed Open Systems. IEEE Computer Society Press,1994. R. Bird, I. Gopal, A. Herzberg, P. Johnson, S. Kutten, R. Molva, and M. Yung, “The KryptoKnight Famliy of Light-Weight Protocols for Authentication and Key Distribution,” IEEE/ACM Transactions on Networking, vol. 3, no. 1, pp. 31-41, 1995. P. Janson, G. Tsudik, and M. Yung. Scalability and flexibility in authentication services: the KryptoKnight approach. In Proc. of IEEE INFOCOM, pages 725--736, April 1997.

Download ppt "Authentication and Key Establishment (Needham-Schroeder, Kerberos and KryptoKnight) February 19, 2003 Changho Choi"

Similar presentations

AUTHENTICATION AND KEY DISTRIBUTION

AUTHENTICATION AND KEY DISTRIBUTION
CMSC 414 Computer (and Network) Security Lecture 22 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 22 Jonathan Katz.
Overview Network security involves protecting a host (or a group of hosts) connected to a network Many of the same problems as with stand-alone computer.

Overview Network security involves protecting a host (or a group of hosts) connected to a network Many of the same problems as with stand-alone computer.
Chapter 10 Real world security protocols

Chapter 10 Real world security protocols
Authentication Applications Kerberos And X.509. Kerberos Motivation –Secure against eavesdropping –Reliable – distributed architecture –Transparent –

Authentication Applications Kerberos And X.509. Kerberos Motivation –Secure against eavesdropping –Reliable – distributed architecture –Transparent –
Security Protocols Sathish Vadhiyar Sources / Credits: Kerberos web pages and documents contained / pointed.

Security Protocols Sathish Vadhiyar Sources / Credits: Kerberos web pages and documents contained / pointed.
Chapter 14 – Authentication Applications

Chapter 14 – Authentication Applications
SCSC 455 Computer Security

SCSC 455 Computer Security
Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.

Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.
Key Management. Shared Key Exchange Problem How do Alice and Bob exchange a shared secret? Offline – Doesnt scale Using public key cryptography (possible)

Key Management. Shared Key Exchange Problem How do Alice and Bob exchange a shared secret? Offline – Doesnt scale Using public key cryptography (possible)
Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.

Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.
Kerberos 1 Public domain image of Heracles and Cerberus. From an Attic bilingual amphora, 530–520 BC. From Italy (?).

Kerberos 1 Public domain image of Heracles and Cerberus. From an Attic bilingual amphora, 530–520 BC. From Italy (?).
Akshat Sharma Samarth Shah

Akshat Sharma Samarth Shah
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.

ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.
CIS 725 Key Exchange Protocols. Alice ( PB Bob (M, PR Alice (hash(M))) PB Alice Confidentiality, Integrity and Authenication PR Bob M, hash(M) M, PR Alice.

CIS 725 Key Exchange Protocols. Alice ( PB Bob (M, PR Alice (hash(M))) PB Alice Confidentiality, Integrity and Authenication PR Bob M, hash(M) M, PR Alice.
CS470, A.SelcukCryptographic Authentication1 Cryptographic Authentication Protocols CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

CS470, A.SelcukCryptographic Authentication1 Cryptographic Authentication Protocols CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
1 Security Handshake Pitfalls. 2 Authentication Handshakes Secure communication almost always includes an initial authentication handshake: –Authenticate.

1 Security Handshake Pitfalls. 2 Authentication Handshakes Secure communication almost always includes an initial authentication handshake: –Authenticate.
1 Distributed Computer Security: Authentication and Key Distribution Vijay Jain CSc 8320, Spring 2007.

1 Distributed Computer Security: Authentication and Key Distribution Vijay Jain CSc 8320, Spring 2007.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Similar presentations

Ads by Google