Slide 1

Chapter 4 - Kerberos Network Security and Management Fall 2014 http://www.faisalakhan.com/contentPage/Classes Dr. Faisal Kakar faisal.khan@gatech.edu Office: Room no. 01, FICT Building Slide 2 Kerberos, v4 and v5 Provides a complete protocol for authentication and secure communications for hosts connected by a data communications network Provides secure "tickets" to hosts that can be used to initiate a secure message exchange Standard message formats for encrypted and signed messages, or signed plaintext messages Formats for encoding expiration time, names,... Allows "read-only" slave KDC's (distributed KDCs) 2 Slide 3 Keberos uses Mediated Authentication (with a Key Distribution Center, KDC ) Jack Jip KDC Mary Paul Peter Harry Dick Tom Alice Bob Trudi KDC has unique Secret Keys with all legitimate hosts. K bob K alice 3 Slide 4 Keberos Authentication Dialogue Slide 5 Slide 6 Slide 7 7 KDC Slide 8 Master KDC Slave KDC {db;Kmaster} Slave KDC Slave KDC Slave KDC Slave KDC Host Realm Replicated KDCs (slaves) are read only. Entire Host-KDC database is downloaded periodically 8 Version 5 Slide 9 Realm Wonderland KDC (Lion) Lion Lion can also be a "principal" in Wonderland (with the Queen's OK) Realm Oz KDC (Hatter) DorothyAlice 1 2 3 Alice wants to talk to Dorothy 9 Slide 10 PlaintextCipher Block Chaining (PPCBC) m1m2m3 IV(+) EEE Key c1c2c3 The 1st 64-bit message segment is XOR'ed with an initial vector (IV). Each following message segment is XOR'ed with the preceding ciphertext and plaintext segments-for privacy & integrity. 10 Slide 11 Kerberos Message Integrity Check (Message Digest) MIC is Hash( ) The Hash algorithm was never published (but source code can be obtained) It is based on a checksum algorithm designed by Juneman to use mod 2^31-1 (prime), but changed to use 2^63-1 (not prime). Cryptographers worry that it might be breakable, or reversible (to get K session ). 11 Slide 12 Network Layer (IP) Addresses in Tickets Only 4 bytes available, so limited to Internet Protocol (Novel, IBM, Appletalk, IPv6... longer) Makes "spoofing" harder, IP address must be stolen from network as well as Ticket from Alice. Prevents delegation, giving the ticket to another host to represent you (which is allowed by Kerberos V5) 12 Slide 13 Why Study Kerberos v4 (Why doesn't everyone switch to v5) Kerberos V4 is working well in many systems Switching to V5 requires stopping the network and upgrading every host at once before restart Kerberos V5 is inefficient in some ways compared to V4 13 Slide 14 Kerberos v5 Cryptographic Algorithms Kerberos v4 used Plaintext Cipher Block Chaining and modified Juneman hash Kerberos v5 can use a variety of encryptions (DES in practice) and hashes (MD4, MD5). Primary MIC (message integrity check) uses { confounder + MD5(confounder & message)}K' K' = Kalice-bob (+) F0F0F0F0F0F0F0F0 A more modern MIC that is not used is MD5(Kalice-bob & message) 14 Slide 15 Password security Do not send in clear except over short secure channels (avoid using Telnet, FTP, http (for passwords), ) Choose had to guess passwords, enforce. Force changing passwords periodically Avoid keeping password in memory longer than necessary to generate the user's key. Send hash of (key+nonce) to KDC for authentication Add salt before hashing passwords for pw database Add realm name to password before hashing for pw db Originally UNIX stored a hash of each User s password in a globally readable account. This can be attacked by hashing all common words for a reverse lookup table. 15 Slide 16 Message Security and Integrity Only exchange messages with authenticated hosts Develop a session key and separate MIC key using initial password exchange Encrypt Diffie-Hellman exchanges to prevent Bucket Brigade (man-in-middle) attacks. Use MICs, especially with self-synchronizing encryptions that survive permuting message blocks (e.g., ECB). Get "random" numbers from true sources Protect Master KDC Key and hashed-key database 16 Slide 17 Concepts Used in Kerberos Central Key Server (KDC) - n rather than n*(n-1)/2 sets of keys. Could enforce Connection Policy. Distributed KDCs (Slave KDCs) to prevent Denial of Service (DoS) Attack. Use of password hashes, for verifying password without storing password. Dictionary Attack - use of salt to improve security. Message hashes for Message Integrity Check (MIC). Authentication exchange - nonce to prevent Replay Attack . Standard block encryption algorithm (DES) with unique cipher feedback. Session keys to reduce exposure of primary keys. Version 4 to 5 upgrade difficult. Newer systems (SSL, PGP, SSH) negotiate to find the best common algorithms available to both. 17