CSCE 813 Internet Security Kerberos

Transcription

1 CSCE 813 Internet Security Kerberos Professor Lisa Luo Fall 2017

2 What is Kerberos? An authentication server system from MIT; versions 4 and 5 Provide authentication for a user that works on a workstation Allow users access to services distributed via network workstation workstation Kerberos FS Mail Printer 2

3 Question Whatisthe ThreatModel? 1. All users and servers trust Kerberos 2. Users trust the workstations 3

4 User Authentication vs. Message Authentication Alice workstation workstation Bob M FS Mail Printer Ø Message Authentication: o authenticate the origin of Message M o use the session key to authenticate message Ø User Authentication: o verify the identify of the communication entity: the person is indeed Bob o based on something you know; or something you are 4

5 When to perform each of them? 1. User authentication is usually performed at the beginning of a session 2. Once user s identify is verified, the session key is established 3. Then, message authentication is performed in the subsequence communication 5

6 Kerberos vs. PKI Both PKI and Kerberos can be used for authentication. But PKI is mainly used to authenticate a service, while Kerberos is to authenticate both services and users PKI mainly builds on asymmetric cryptography, while Kerberos mainly builds on symmetric cryptography PKI is used over the Internet, while Kerberos is typically used within a single organization 6

7 Kerberos Kerberos consists of Authentication Server (AS) Runs on a physically secure node Kerberos AS Name User 1 Key K C Server 1 K S

8 How does Kerberos authenticate users (perform user authentication)?

9 Design #1 Ticket S = K S {C IP C S} C, S, PW C AS Client Ticket S Server C, Ticket S

10 Question Why IP C is needed? o IP C tries to prevent stolen ticket from being used on another machine. 10

11 Problems for Design #1 1. Password PW C is send as plaintext 2. A user needs to supply a password every time when he wants to access a server (even the same server) ü Solution: Add a new component into Kerberos: ticket-granting server (TGS) è Design 2

12 Ticket tgs = K tgs {C IP C TGS} è ticket-granting ticket Ticket Smail = K Smail {C IP C S mail } è service-granting ticket AS workstation Kerberos TGS C, Ticket Smail Mail Printer 12

13 Problems for Design #2 Replay attack 1. An attacker captures Ticket tgs 2. Waits until the user logs off 3. Configures the attacker s workstation with the same IP address 4. Sends {C, S mail, Ticket tgs } to TGS and getsticket Smail ü Solution: add TimeStamp and LifeTime 13

14 Ticket tgs = K tgs {C IP C TGS TimeStamp Lifetime} Ticket Smail = K Smail {C IP C S mail TimeStamp Lifetime} AS workstation Kerberos TGS Ticket Smail Mail Printer 14

15 Problems for Design #3 1. If this lifetime is very short, then the user will be repeatedly asked for a password. 2. If the lifetime is long, then an opponent has a greater opportunity for replay. ü Solution: TGS or Server should check that the person using a ticket is the same person to whom that ticket was issued ü è add Message Authentication Code into ticket 15

16 The first part talks about how to authenticate users, next we will discuss how to authenticate messages

17 Question WhatisMessage Authentication Code? o A keyed-hash value M M H(K M) H(K M) MAC 17

18 What additional info is needed? To add Message Authentication Code into ticket, we need: a shared key 18

19 Ticket tgs = K tgs {C IP C TGS TimeStamp Lifetime} Ticket Smail = K Smail {C IP C S mail TimeStamp Lifetime} AS workstation Kerberos TGS C, Ticket Smail Auth C Mail 19

20 Where to get the shared key? To add Message Authentication Code into ticket, we need: a shared key The shared key between Client and TGS is provided by AS 20

21 Ticket tgs = K tgs {C IP C TGS TimeStamp Lifetime K C, tgs } Ticket Smail = K Smail {C IP C S mail TimeStamp Lifetime K c, S } Auth C = K C, tgs {C IP C TimeStamp} Auth C = K C, S {C IP C TimeStamp} AS workstation Kerberos TGS C, Ticket Smail, Auth C Mail 21

22 Question What happens if the Kerberos is down? o Cannot log in. o Cannot obtain new tickets. o Can keep using existing (non-expired) tickets. 22

23 Password-Changing Service If your password is leak, you want to change it. Another component in Kerberos: passwordchanging service 23

24 Ticket kpw =K kpw {C IP C KPW TimeStamp Lifetime K c, kpw } AS workstation Kerberos KPassword Q: Once you changed your password, could you tell others your old password? o No. Attackers can (1) decrypt K C {Ticket kpw, K c, kpw } and get K c, kpw (2) then decrypt K c, kpw {newpw} and then get your new password. ü Solution: Diffie-Hallman Key exchange (introduced in Kerberos 5) 24

25 Summary Kerberos is an authentication server system authenticates users authenticates messages 1. User Authentication: o verify the identify of the communication entity: the person to whom I am talking is Bob 2. Message Authentication: o authenticate the origin of Message M 25