1 KERBEROS: AN AUTHENTICATION SERVICE FOR OPEN NETWORK SYSTEMS J. G. Steiner, C. Neuman, J. I....
-
Upload
jonathan-todd -
Category
Documents
-
view
217 -
download
3
Transcript of 1 KERBEROS: AN AUTHENTICATION SERVICE FOR OPEN NETWORK SYSTEMS J. G. Steiner, C. Neuman, J. I....
![Page 1: 1 KERBEROS: AN AUTHENTICATION SERVICE FOR OPEN NETWORK SYSTEMS J. G. Steiner, C. Neuman, J. I. Schiller MIT.](https://reader035.fdocuments.us/reader035/viewer/2022070403/56649f325503460f94c4ecbf/html5/thumbnails/1.jpg)
1
KERBEROS:AN AUTHENTICATION SERVICE
FOR OPEN NETWORK SYSTEMS
J. G. Steiner, C. Neuman, J. I. Schiller
MIT
![Page 2: 1 KERBEROS: AN AUTHENTICATION SERVICE FOR OPEN NETWORK SYSTEMS J. G. Steiner, C. Neuman, J. I. Schiller MIT.](https://reader035.fdocuments.us/reader035/viewer/2022070403/56649f325503460f94c4ecbf/html5/thumbnails/2.jpg)
2
AUTHENTICATION SERVERS (I)
• Their mission is:
(a) To check identity of all users
(b) To prevent unauthorized accesses• Traditional solution is to use a pair
(userid, password)
– Very bad in a LAN environment– Too vulnerable to snooping
![Page 3: 1 KERBEROS: AN AUTHENTICATION SERVICE FOR OPEN NETWORK SYSTEMS J. G. Steiner, C. Neuman, J. I. Schiller MIT.](https://reader035.fdocuments.us/reader035/viewer/2022070403/56649f325503460f94c4ecbf/html5/thumbnails/3.jpg)
3
AUTHENTICATION SERVERS (II)
• Another bad solution is to trust the kernel of sender’s machine:– Solution used by rlogin, rsh, rcp– Like trusting a foreign passport – Only works in well-controlled networks– Suffers from domino effect :
• Gaining full access to one machine gives full access to whole network
![Page 4: 1 KERBEROS: AN AUTHENTICATION SERVICE FOR OPEN NETWORK SYSTEMS J. G. Steiner, C. Neuman, J. I. Schiller MIT.](https://reader035.fdocuments.us/reader035/viewer/2022070403/56649f325503460f94c4ecbf/html5/thumbnails/4.jpg)
4
CRYPTOGRAPHY (I)
1. Conventional Cryptography
– Uses same key for coding and encoding• Key could be a secret alphabet
– We now use much more complex schemes and much bigger keys
– Major problem is key distribution• Very hard without a trusted channel
![Page 5: 1 KERBEROS: AN AUTHENTICATION SERVICE FOR OPEN NETWORK SYSTEMS J. G. Steiner, C. Neuman, J. I. Schiller MIT.](https://reader035.fdocuments.us/reader035/viewer/2022070403/56649f325503460f94c4ecbf/html5/thumbnails/5.jpg)
5
Example
• Assume we have a random stream of bits:r0 , r1 , r2 , r3 , ...
• We convert our message into a bit stream:m0 , m1 , m2 , m3 , ...
• Encode the message bitwise using XOR:ci = mi ri for i = 1, 2, 3 , ...
• Impossible to break if random bit stream istruly random and never reused
![Page 6: 1 KERBEROS: AN AUTHENTICATION SERVICE FOR OPEN NETWORK SYSTEMS J. G. Steiner, C. Neuman, J. I. Schiller MIT.](https://reader035.fdocuments.us/reader035/viewer/2022070403/56649f325503460f94c4ecbf/html5/thumbnails/6.jpg)
6
CRYPTOGRAPHY (II)
2. Public-Key Cryptography
– Uses two keys:(a) A public key to encode: KP
(b) A secret key to decode: KS
– It is not possible to compute KS knowing KP
• The function KP = f ( KS ) is said to be hard to invert:
![Page 7: 1 KERBEROS: AN AUTHENTICATION SERVICE FOR OPEN NETWORK SYSTEMS J. G. Steiner, C. Neuman, J. I. Schiller MIT.](https://reader035.fdocuments.us/reader035/viewer/2022070403/56649f325503460f94c4ecbf/html5/thumbnails/7.jpg)
7
CRYPTOGRAPHY (II)
– We should have
• { { cleartext }KP }KS = cleartext
• { { cleartext }KS }KP = cleartext
– Requires very long keys– Cannot pick an arbitrary secret key– Much slower than conventional cryptography
![Page 8: 1 KERBEROS: AN AUTHENTICATION SERVICE FOR OPEN NETWORK SYSTEMS J. G. Steiner, C. Neuman, J. I. Schiller MIT.](https://reader035.fdocuments.us/reader035/viewer/2022070403/56649f325503460f94c4ecbf/html5/thumbnails/8.jpg)
8
Example
• Assume A knows KP, B and B knows KP, A
– A can send to B a secret message:
{ text } KP, B
– A can send to B a message that is signed:
A, { text } KS, A
– A can send to B a signed secret message:
{ A, { text }KS, A } KP, B
![Page 9: 1 KERBEROS: AN AUTHENTICATION SERVICE FOR OPEN NETWORK SYSTEMS J. G. Steiner, C. Neuman, J. I. Schiller MIT.](https://reader035.fdocuments.us/reader035/viewer/2022070403/56649f325503460f94c4ecbf/html5/thumbnails/9.jpg)
9
Application
• Can combine conventional cryptography and public-key cryptography– A uses public-key cryptography to send to B a
signed secret message containing a session key KS
– A and B use this session key KS to continue their dialogue
![Page 10: 1 KERBEROS: AN AUTHENTICATION SERVICE FOR OPEN NETWORK SYSTEMS J. G. Steiner, C. Neuman, J. I. Schiller MIT.](https://reader035.fdocuments.us/reader035/viewer/2022070403/56649f325503460f94c4ecbf/html5/thumbnails/10.jpg)
10
KERBEROS
• Authentication server using conventional keys• The Kerberos server has
– The key of each user– The key of the ticket granting service (TGS)
• Authentication is a two-step process– Get from kerberos a ticket for the TGS– Get from TGS the ticket for a given server
![Page 11: 1 KERBEROS: AN AUTHENTICATION SERVICE FOR OPEN NETWORK SYSTEMS J. G. Steiner, C. Neuman, J. I. Schiller MIT.](https://reader035.fdocuments.us/reader035/viewer/2022070403/56649f325503460f94c4ecbf/html5/thumbnails/11.jpg)
11
WSK S
TGS
General Organization
Ticket granting service
Kerberos Server
Client c on workstation WS
2
1
3 4
5
6
![Page 12: 1 KERBEROS: AN AUTHENTICATION SERVICE FOR OPEN NETWORK SYSTEMS J. G. Steiner, C. Neuman, J. I. Schiller MIT.](https://reader035.fdocuments.us/reader035/viewer/2022070403/56649f325503460f94c4ecbf/html5/thumbnails/12.jpg)
12
General Assumptions (I)
• Cannot trust the network:– Intruders can listen to all messages and
replay them later• Can trust the time service
– No intruder can reset any clock backward by more than a few minutes
![Page 13: 1 KERBEROS: AN AUTHENTICATION SERVICE FOR OPEN NETWORK SYSTEMS J. G. Steiner, C. Neuman, J. I. Schiller MIT.](https://reader035.fdocuments.us/reader035/viewer/2022070403/56649f325503460f94c4ecbf/html5/thumbnails/13.jpg)
13
General Assumptions (II)
• Client c can trust the workstation WS on which she is logged on:– Cannot do encryption without a safe place to
encode and decode messages• Assumes the workstation is controlled by the
client– Not true for public workstations
![Page 14: 1 KERBEROS: AN AUTHENTICATION SERVICE FOR OPEN NETWORK SYSTEMS J. G. Steiner, C. Neuman, J. I. Schiller MIT.](https://reader035.fdocuments.us/reader035/viewer/2022070403/56649f325503460f94c4ecbf/html5/thumbnails/14.jpg)
14
Step 1
• Client provides WS with its ID c:c WS: c
WS sends to Kerberos a request for a ticket for the TGS:
WS K: c, tgs
![Page 15: 1 KERBEROS: AN AUTHENTICATION SERVICE FOR OPEN NETWORK SYSTEMS J. G. Steiner, C. Neuman, J. I. Schiller MIT.](https://reader035.fdocuments.us/reader035/viewer/2022070403/56649f325503460f94c4ecbf/html5/thumbnails/15.jpg)
15
Step 2
• Kerberos sends to WS a ticket Tc,tgs and a random session key Kc,tgs:
K WS: { Kc,tgs, { Tc,tgs }Ktgs }Kc
Both items are encrypted with the client key Kc
Ticket is encrypted with the secret key of the ticket granting service to prevent tampering by client
![Page 16: 1 KERBEROS: AN AUTHENTICATION SERVICE FOR OPEN NETWORK SYSTEMS J. G. Steiner, C. Neuman, J. I. Schiller MIT.](https://reader035.fdocuments.us/reader035/viewer/2022070403/56649f325503460f94c4ecbf/html5/thumbnails/16.jpg)
16
The ticket (I)
• Note that the encrypted ticket is encrypted a second time by the client key KC
– In more recent versions of Kerberos
K WS: { Kc,tgs }Kc, { Tc,tgs}Ktgs
![Page 17: 1 KERBEROS: AN AUTHENTICATION SERVICE FOR OPEN NETWORK SYSTEMS J. G. Steiner, C. Neuman, J. I. Schiller MIT.](https://reader035.fdocuments.us/reader035/viewer/2022070403/56649f325503460f94c4ecbf/html5/thumbnails/17.jpg)
17
The ticket (II)
• Tc,tgs = c, tgs, addr, timestamp, life, Kc,tgs
• It contains– The client's name c– The name of the ticket-granting service tgs– The IP address of the client addr– The current time timestamp– A ticket lifetime life – The random session key K c,tgs
![Page 18: 1 KERBEROS: AN AUTHENTICATION SERVICE FOR OPEN NETWORK SYSTEMS J. G. Steiner, C. Neuman, J. I. Schiller MIT.](https://reader035.fdocuments.us/reader035/viewer/2022070403/56649f325503460f94c4ecbf/html5/thumbnails/18.jpg)
18
Step 3
• When WS receives Kerberos reply, it prompts the client c for her password and uses it to compute the user key
Kc = fn(password)
and uses Kc to decrypt the message
![Page 19: 1 KERBEROS: AN AUTHENTICATION SERVICE FOR OPEN NETWORK SYSTEMS J. G. Steiner, C. Neuman, J. I. Schiller MIT.](https://reader035.fdocuments.us/reader035/viewer/2022070403/56649f325503460f94c4ecbf/html5/thumbnails/19.jpg)
19
WSK S
TGS
Shared Secrets
ServerKc
KtgsKs
![Page 20: 1 KERBEROS: AN AUTHENTICATION SERVICE FOR OPEN NETWORK SYSTEMS J. G. Steiner, C. Neuman, J. I. Schiller MIT.](https://reader035.fdocuments.us/reader035/viewer/2022070403/56649f325503460f94c4ecbf/html5/thumbnails/20.jpg)
20
Step 3 (continued)
• WS then sends to the TGS – The name of the service s the client wants to
utilize– The encrypted ticket Tc,tgs
– An authenticator Ac,tgs encrypted with Kc,tgs
WS TGS: s, { Tc,tgs}Ktgs, { Ac,tgs }Kc,tgs
![Page 21: 1 KERBEROS: AN AUTHENTICATION SERVICE FOR OPEN NETWORK SYSTEMS J. G. Steiner, C. Neuman, J. I. Schiller MIT.](https://reader035.fdocuments.us/reader035/viewer/2022070403/56649f325503460f94c4ecbf/html5/thumbnails/21.jpg)
21
The authenticator (I)
• Any intruder could replay a ticket that has already be submitted to TGS
• Authenticator contains– The client name c– Its address addr – The current time timestamp
Ac,tgs = c, addr, timestamp• Authenticator is encrypted with Kc,tgs
![Page 22: 1 KERBEROS: AN AUTHENTICATION SERVICE FOR OPEN NETWORK SYSTEMS J. G. Steiner, C. Neuman, J. I. Schiller MIT.](https://reader035.fdocuments.us/reader035/viewer/2022070403/56649f325503460f94c4ecbf/html5/thumbnails/22.jpg)
22
The authenticator (II)
• Authenticator provides proof that WS was able to obtain the session key Kc,tgs by decrypting message number 2 using the right client key KC
• To detect replays of authenticators, TGS– Rejects authenticators that are too old
(say, by more than five minutes)– Keeps track of all recently received
authenticators
![Page 23: 1 KERBEROS: AN AUTHENTICATION SERVICE FOR OPEN NETWORK SYSTEMS J. G. Steiner, C. Neuman, J. I. Schiller MIT.](https://reader035.fdocuments.us/reader035/viewer/2022070403/56649f325503460f94c4ecbf/html5/thumbnails/23.jpg)
23
Step 4
• The TGS replies by sending to the workstation– A ticket T cs for the service s
– A new random session key Kc,s
TGS WS: { Kc,s, { Tc,s}Ks}Kc,tgs
encrypted with the session key Kc,tgs shared by the client and the ticket granting service
![Page 24: 1 KERBEROS: AN AUTHENTICATION SERVICE FOR OPEN NETWORK SYSTEMS J. G. Steiner, C. Neuman, J. I. Schiller MIT.](https://reader035.fdocuments.us/reader035/viewer/2022070403/56649f325503460f94c4ecbf/html5/thumbnails/24.jpg)
24
Step 4 (continued)
• Tc,s contains– The user's name c– The name of the service s – The IP address of the client addr– The current time timestamp– A new lifetime life – A new random session key Kc,s
• Tc,s is encrypted with the secret key of server s
![Page 25: 1 KERBEROS: AN AUTHENTICATION SERVICE FOR OPEN NETWORK SYSTEMS J. G. Steiner, C. Neuman, J. I. Schiller MIT.](https://reader035.fdocuments.us/reader035/viewer/2022070403/56649f325503460f94c4ecbf/html5/thumbnails/25.jpg)
25
Step 5
• WS then sends to server S – the encrypted ticket Tc,s
– an authenticator Ac,s encrypted with Kc,s
WS S: { Tc,s }Ks, { Ac,s }Kc,s
![Page 26: 1 KERBEROS: AN AUTHENTICATION SERVICE FOR OPEN NETWORK SYSTEMS J. G. Steiner, C. Neuman, J. I. Schiller MIT.](https://reader035.fdocuments.us/reader035/viewer/2022070403/56649f325503460f94c4ecbf/html5/thumbnails/26.jpg)
26
Step 5 (continued)
• Authenticator contains– the client name c– its address addr – the current time timestamp
Ac,s = c, addr, timestamp
• Authenticator is encrypted with the session key Kc,s shared by client and server
![Page 27: 1 KERBEROS: AN AUTHENTICATION SERVICE FOR OPEN NETWORK SYSTEMS J. G. Steiner, C. Neuman, J. I. Schiller MIT.](https://reader035.fdocuments.us/reader035/viewer/2022070403/56649f325503460f94c4ecbf/html5/thumbnails/27.jpg)
27
Step 6
• If client wanted to authenticate server, the server replies with the authenticator time stamp plus one:
sWS: { timestamp + 1 }Kc,s
encrypted with the session key Kc,s
• This proves that s was able to obtain the session key Kc,s by decrypting message number 5 using its server key Ks
![Page 28: 1 KERBEROS: AN AUTHENTICATION SERVICE FOR OPEN NETWORK SYSTEMS J. G. Steiner, C. Neuman, J. I. Schiller MIT.](https://reader035.fdocuments.us/reader035/viewer/2022070403/56649f325503460f94c4ecbf/html5/thumbnails/28.jpg)
28
Picking ticket lifetimes
• There is a trade-off in determining the optimal ticket lifetime:– Short ticket lifetimes make the system more
secure • Less delay between password change and
full effect of action– Short ticket lifetimes also make the system less
convenient for its users.
![Page 29: 1 KERBEROS: AN AUTHENTICATION SERVICE FOR OPEN NETWORK SYSTEMS J. G. Steiner, C. Neuman, J. I. Schiller MIT.](https://reader035.fdocuments.us/reader035/viewer/2022070403/56649f325503460f94c4ecbf/html5/thumbnails/29.jpg)
29
The Kerberos server (I)
• Most critical part of the system– If it is compromised, all user passwords are
lost– If it is unavailable, nobody will be able to log
in• A compromised TGS would only force all users
to repeat the Kerberos login procedure
![Page 30: 1 KERBEROS: AN AUTHENTICATION SERVICE FOR OPEN NETWORK SYSTEMS J. G. Steiner, C. Neuman, J. I. Schiller MIT.](https://reader035.fdocuments.us/reader035/viewer/2022070403/56649f325503460f94c4ecbf/html5/thumbnails/30.jpg)
30
The Kerberos server (II)
The Kerberos server is normally replicated on several sites:– No single point of failure– More difficult to maintain key secrecy
There is a single primary site and it is the only than can accept key change requests– Changing passwords is not a critical task
![Page 31: 1 KERBEROS: AN AUTHENTICATION SERVICE FOR OPEN NETWORK SYSTEMS J. G. Steiner, C. Neuman, J. I. Schiller MIT.](https://reader035.fdocuments.us/reader035/viewer/2022070403/56649f325503460f94c4ecbf/html5/thumbnails/31.jpg)
31
LIMITATIONS
• Must maintain– secrecy of keys– integrity of time service
• Client must trust the workstation on which she is logged in
• Does not protect clients and servers against denial of service attacks
![Page 32: 1 KERBEROS: AN AUTHENTICATION SERVICE FOR OPEN NETWORK SYSTEMS J. G. Steiner, C. Neuman, J. I. Schiller MIT.](https://reader035.fdocuments.us/reader035/viewer/2022070403/56649f325503460f94c4ecbf/html5/thumbnails/32.jpg)
32
OTHER SOLUTIONS (I)
• Could use a pair public key/private key– private keys cannot be generated from an
arbitrary password– impossible to memorize– must store them somewhere
• key ring of PGP is encrypted using a strong conventional encryption algorithm
![Page 33: 1 KERBEROS: AN AUTHENTICATION SERVICE FOR OPEN NETWORK SYSTEMS J. G. Steiner, C. Neuman, J. I. Schiller MIT.](https://reader035.fdocuments.us/reader035/viewer/2022070403/56649f325503460f94c4ecbf/html5/thumbnails/33.jpg)
33
OTHER SOLUTIONS (II)
• Could use one-time passwords– Use a different password at each log in– Passwords can be managed by a smart card– User must always carry it with her– Some systems also require a password to use
the card and disable card after enough unsuccessful trials• Must keep card in a rigid container
![Page 34: 1 KERBEROS: AN AUTHENTICATION SERVICE FOR OPEN NETWORK SYSTEMS J. G. Steiner, C. Neuman, J. I. Schiller MIT.](https://reader035.fdocuments.us/reader035/viewer/2022070403/56649f325503460f94c4ecbf/html5/thumbnails/34.jpg)
34
OTHER SOLUTIONS (III)
• SSH-2 uses– Diffie-Hellman key exchange
• Uses public keys and private keys• Produces a symmetric session key
– Strong integrity checking via message authentication codes.
![Page 35: 1 KERBEROS: AN AUTHENTICATION SERVICE FOR OPEN NETWORK SYSTEMS J. G. Steiner, C. Neuman, J. I. Schiller MIT.](https://reader035.fdocuments.us/reader035/viewer/2022070403/56649f325503460f94c4ecbf/html5/thumbnails/35.jpg)
35
OTHER SOLUTIONS (IV)
• Two-factor authentication– Must provide
• Something you know (a password)• Something you have (a dongle or a phone)
– Google two-factor authentication:• Enter first name and password• Google sends a six-digit code to your phone
that you must then enter
![Page 36: 1 KERBEROS: AN AUTHENTICATION SERVICE FOR OPEN NETWORK SYSTEMS J. G. Steiner, C. Neuman, J. I. Schiller MIT.](https://reader035.fdocuments.us/reader035/viewer/2022070403/56649f325503460f94c4ecbf/html5/thumbnails/36.jpg)
36
CONCLUSIONS
• Kerberos offers one of the best solutions for authentication in distributed systems– Does not require any special equipment– Does not significantly alter the user interface
• Main drawback is that the user must trust the workstation on which she is logged in– Works best for personal workstations