Security and Privacy in Computer Systems. Lecture 7 The Kerberos authentication system. Security policy, security models, trust Access control models

Transcription

1 CS 645 Security and Privacy in Computer Systems Lecture 7 The Kerberos authentication system Last Week Security policy, security models, trust Access control models The Bell-La Padula (BLP) model The Biba model The Low-Watermark model The Clark-Wilson model The Chinese Wall model (The Brewer and Nash model) Role-based (RBAC) History-based 2

2 Announcements Project #1 is due now! Midterm exam is next week (October 24) Will start promptly at 6:00pm Covers material from Lectures 1-7 Closed books, closed notes 3 The KERBEROS Authentication System

3 Key establishment using a KDC A network with n users If symmetric key cryptography is used, how many keys are required to allow each pair of users to communicate securely? Solutions to the n 2 key distribution problem Use centralized key management Use public key cryptography Key distribution center (KDC) It is a trusted third party (TTP) Must be online TTP TTP (1) (2) (3) (1) (2) A B A (3) B 5 Kerberos authentication protocol Uses tickets to authenticate users to services in TCP/IP networks over insecure channels Uses a trusted third-party (TTP) Based on the Needham-Schroeder protocol Based on symmetric key cryptography Widespread use 6

4 Kerberos - more facts Probably had the most impact of all security systems in the real world (except perhaps SSL) Built in most operating systems (Windows, Mac OS, Linux, etc.) It is the authentication mechanism for: Microsoft Active Directory to maintain centralized user information Devices like X-BOX Cable industry: authenticate set-top boxes and modems to their networks Mostly used at enterprise level 7 Kerberos Allows principals to authenticate themselves on an open (unprotected) network Packets can be read, inserted or modified Principals must protect their secret keys Hosts on the network must have loosely synchronized clocks (to prevent message replay) Key Distribution Center (KDC) shares a secret key (master key) with each principal (this is a long-term key) We will be using alternatively the terms master key and long term key, with the same meaning 8

5 Kerberos - messages and entities Ticket = allows users to access resources Ticket granting ticket (TGT) = allows users to get tickets to resources Authenticator = allows users to authenticate themselves to the KDC Key Distribution Center (KDC) = generates TGTs Ticket-Granting Server (TGS) = generates tickets KDC and TGS are collocated (need access to database of master keys) 9 Kerberos - overview User logins into workstation using username and password User s workstation asks KDC for a session key and a TGT (msg 1, 2) User s workstation uses session key, TGT, and authenticator to request a ticket from TGS (msg 3, 4) User s workstation uses the ticket to authenticate and use a resource in the network (msg 5) KDC TGS User 5 Resource 10

6 Notation A, B principals participating in a protocol S server (the TTP) T timestamp Δt an interval of time (validity period or expiration time) K a,b key shared between A, B {X} K X encrypted under K B A: {T 1 +1} Ka,b means B sends to A a timestamp incremented by 1, encrypted under key K a,b 11 Kerberos - setup phase Each user shares a long-term key (master key) with the KDC E.g., A shares K a with the KDC (A s master key) A needs to only remember a password and can derive K a from the password 12

7 Kerberos - obtaining a session key and a TGT A A, password Workstation A needs a TGT {S a, TGT} Ka KDC - creates key S a - finds A s master key K a - TGT = {A, S a, Δt} Kkdc Workstation derives K a (A s long-term key, shared between A and KDC) based on A s password TGT contains A s identity, user-kdc session key S a and validity period Δt of the ticket KDC returns (encrypted with A s master key K a ): A user-kdc session key S a A TGT encrypted with K kdc (KDC s master key) After decrypting {S a, TGT} Ka, workstation discards K a, and retains S a, TGT 13 Kerberos - TGT What is the purpose of TGT? Used by a principal to get a ticket to access a resource in the network Allows the KDC to operate stateless KDC does not store information with each request KDC only stores static database with master keys for users and resources This makes easy to replicate the KDC and recover from crashes 14

8 Kerberos - accessing a remote resource Two steps: User gets ticket from TGS User uses ticket to authenticate to remote resource 15 Kerberos - obtaining ticket A access resource B Workstation A wants to talk to B TGT = {A, S a, Δt} Kkdc authenticator = {T} Sa {B, K a,b, ticket to B} Sa TGS - creates key K a,b - decrypts TGT to get S a - verifies validity of Δt - decrypts authenticator - verifies timestamp T - finds B s master key K b - creates ticket to B: {A, K a,b, Δt} Kb Authenticator proves to TGS that the workstation knows the user-kdc session key S a K a,b is the session key that will be shared by A and B 16

9 Kerberos - sending request to resource A access resource B Workstation ticket to B = {A, K a,b, Δt} Kb authenticator = {T} Ka,b {T+1} Ka,b B - decrypts ticket to get K a,b - verifies validity of Δt - decrypts authenticator - verifies timestamp T B assumes that anyone with knowledge of K a,b acts on A s behalf B verifies if timestamp T is recent (e.g., within 5 minutes) B then grants request B s reply ensures mutual authentication 17 Kerberos - other facts Future requests for resource can reuse an unexpired TGT If user has an unexpired ticket for a resource, then it can send directly a request to the resource KDC and TGS require physical security Why? If attacker compromises the KDC, all bets are off! Clocks of all entities must be loosely synchronized Single point of failure at the central server (when Kerberos server is down, no one can log in) 18

10 Kerberos overview 19 What to read? Chapter 9.6 from the Textbook 20