Kerberos V5. Raj Jain. Washington University in St. Louis

Similar documents
Overview of Authentication Systems

Network Management. Raj Jain Raj Jain. Washington University in St. Louis

CIS 6930/4930 Computer and Network Security. Topic 7. Trusted Intermediaries

Kerberos5 1. Kerberos V5

Trusted Intermediaries

AIT 682: Network and Systems Security

Introduction. Trusted Intermediaries. CSC/ECE 574 Computer and Network Security. Outline. CSC/ECE 574 Computer and Network Security.

Kerberos. Pehr Söderman Natsak08/DD2495 CSC KTH 2008

Network Security: Kerberos. Tuomas Aura

Kerberos and Public-Key Infrastructure. Key Points. Trust model. Goal of Kerberos

Overview of Kerberos(I)

Key Management and Distribution

Modes of Operation. Raj Jain. Washington University in St. Louis

Security and Privacy in Computer Systems. Lecture 7 The Kerberos authentication system. Security policy, security models, trust Access control models

Kerberos Introduction. Jim Binkley-

Cryptography and Network Security

Acknowledgments. CSE565: Computer Security Lectures 16 & 17 Authentication & Applications

Network Security Essentials

Kerberos and Active Directory symmetric cryptography in practice COSC412

BACHELOR THESIS CAPABILITY OF KERBEROS MATTHIJS MEKKING

The KX.509 Protocol. William Doster Marcus Watts Dan Hyde University of Michigan ABSTRACT

Network Security: Classic Protocol Flaws, Kerberos. Tuomas Aura

Network Working Group. Category: Informational Cisco Systems J. Brezak Microsoft February 2002

KEY DISTRIBUTION AND USER AUTHENTICATION

User Authentication. Modified By: Dr. Ramzi Saifan

KEY DISTRIBUTION AND USER AUTHENTICATION

The Kerberos Authentication System Course Outline

MASSACHUSETTS INSTITUTE OF TECHNOLOGY Fall Quiz II

Course Administration

The Kerberos Authentication Service

Protocols II. Computer Security Lecture 12. David Aspinall. 17th February School of Informatics University of Edinburgh

Key distribution and certification

13/10/2013. Kerberos. Key distribution and certification. The Kerberos protocol was developed at MIT in the 1980.

CPSC 467b: Cryptography and Computer Security

User Authentication Principles and Methods

Authentication. Overview of Authentication systems. IT352 Network Security Najwa AlGhamdi

March 26, Abstract

Chair for Network Architectures and Services Institute of Informatics TU München Prof. Carle. Network Security. Chapter 3

CS Computer Networks 1: Authentication

Network Working Group Request for Comments: 4120 Obsoletes: 1510 Category: Standards Track K. Raeburn MIT July 2005

CSC/ECE 774 Advanced Network Security

Wireless Network Security

Network Working Group. C. Neuman ISI September 1993

Authentication in real world: Kerberos, SSH and SSL. Zheng Ma Apr 19, 2005

CSCE 813 Internet Security Kerberos

Key management. Pretty Good Privacy

Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018

Integrating a directory server

Coding & Information Theory Lab.

Internet security and privacy

Internet Engineering Task Force (IETF) Category: Standards Track. March 2017

0/41. Alice Who? Authentication Protocols. Andreas Zeller/Stephan Neuhaus. Lehrstuhl Softwaretechnik Universität des Saarlandes, Saarbrücken

Lecture 1: Course Introduction

CSC 774 Network Security

Persistent key, value storage

ECE 646 Lecture 3. Key management

Network Security CHAPTER 31. Solutions to Review Questions and Exercises. Review Questions

Radius, LDAP, Radius, Kerberos used in Authenticating Users

Active Directory Attacks and Detection

ryptograi "ГС for Tom St Denis, Elliptic Semiconductor Inc. Simon Johnson and Author of the LibTom Project

Figure 13.1 ASN.1: abstract and transfer/concrete syntax relationship.

Digital Signature. Raj Jain

Authentication in Distributed Systems

Security issues in Distributed Systems

Homework 2. Out: 09/23/16 Due: 09/30/16 11:59pm UNIVERSITY OF MARYLAND DEPARTMENT OF ELECTRICAL AND COMPUTER ENGINEERING

Part II. Raj Jain. Washington University in St. Louis

Managing External Identity Sources

User Authentication. Modified By: Dr. Ramzi Saifan

Cryptography (Overview)

A Dynamic and Flexible Security Framework for Large Scale Distributed Systems. SUMMARY 1. Introduction... 2

Network Security. Chapter 7 Cryptographic Protocols

Block Cipher Operation

Background. Network Security - Certificates, Keys and Signatures - Digital Signatures. Digital Signatures. Dr. John Keeney 3BA33

David Wetherall, with some slides from Radia Perlman s security lectures.

In any of these cases, an unauthorized user may be able to gain access to services and data that he or she is not authorized to access.

Outline. Login w/ Shared Secret: Variant 1. Login With Shared Secret: Variant 2. Login Only Authentication (One Way) Mutual Authentication

Chapter 4 Authentication Applications

Understanding the Local KDC

Transport Protocols. Raj Jain. Washington University in St. Louis

Chapter 9: Key Management

Test 2 Review. 1. (10 points) Timestamps and nonces are both used in security protocols to prevent replay attacks.

Cryptology Part 1. Terminology. Basic Approaches to Cryptography. Basic Approaches to Cryptography: (1) Transposition (continued)

PKCS #10 v1.7: Certification Request Syntax Standard (Final draft)

Cryptography CS 555. Topic 16: Key Management and The Need for Public Key Cryptography. CS555 Spring 2012/Topic 16 1

Internet 3.0: Ten Problems with Current Internet Architecture and a Proposal for the Next Generation

Symmetric Encryption 2: Integrity

Global Information Assurance Certification Paper. Copyright SANS Institute Author Retains Full Rights

Kerberos & HPC Batch systems. Matthieu Hautreux (CEA/DAM/DIF)

SEEM4540 Open Systems for E-Commerce Lecture 03 Internet Security

Data Source Kerberos / oauth On the Wire Explaining Kerberos Constrained Delegation with Protocol Transition and Oauth for Data Source Single Sign On

Active Directory Attacks and Detection

Using Two-Factor Authentication to Connect to a Kerberos-enabled Informatica Domain

Security Handshake Pitfalls

CSE Computer Security

Novell Kerberos Login Method for NMASTM

From Coulouris, Dollimore and Kindberg Distributed Systems: Concepts and Design. Edition 4 Pearson Education 2005

Radius, LDAP, Radius used in Authenticating Users

CS 392/6813: Computer Security Fall Nitesh Saxena. *Adopted from Previous Lectures by Nasir Memon

SNMP and Network Management

Unit-VI. User Authentication Mechanisms.

Transcription:

Kerberos V5 Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 Jain@cse.wustl.edu Audio/Video recordings of this lecture are available at: http://www.cse.wustl.edu/~jain/cse571-07/ 11-1

Overview! Kerberos V4 Issues! ASN.1 and BER! Names, Delegation of Rights! Ticket Lifetimes! Cryptographic Algorithms! Hierarchy of Realms 11-2

Kerberos V4 Issues 1. Names, Instance, Realm (non standard) 1. Only DES encryption 2. Only IPv4 addresses 3. Byte ordering indicated in the message (ASN.1 better) 4. Maximum life time limited to 21 hours: 8 bit life time in units of 5 minutes 5. No delegation 6. Inter-realm authentication limited to pairs N 2 pairs 7. Double encryption of the ticket: K client [K server [...]] 8. PCBC does not detect interchange of cipher blocks 9. No subsession keys for long sessions 10. Brute force password attack 11-3

ASN.1! Abstract Syntax Notation One! Joint ISO and ITU-T standard, Original 1984, latest 2002.! Used to specify protocol data structures! X.400 electronic mail, X.500 and LDAP directory services, H.323 VOIP, SNMP, etc use ASN.1! Pre-Defined: INTEGER, BOOLEAN, BIT STRING, OCTET STRING! Constructed: SEQUENCE (structure), SEQUENCE OF (lists), CHOICE,... 11-4

ASN.1 Example AddressType ::= SEQUENCE { name OCTET STRING, number INTEGER, street OCTET STRING, city OCTET STRING, state OCTET STRING, zipcode INTEGER } 11-5

Encoding Rules! ASN.1 only specifies the structure.! Encoding rules indicate how to encode the structure in to bits on the wire.! Examples: Basic Encoding Rules (BER), Packed Encoding Rules (PER), XML Encoding rules (XER), Distinguished Encoding Rules (DER),...! In BER, everything is encoded as Tag-Length-Value. 11-6

BER Example! John Miller, 126 Main Street, Big City, MO 63130 30 80 04 0B 4A 6F 68 6E 20 4D 69 6C 6C 65 72 Seq. Len Oct Str Len J o h n M i l l e r 02 01 FE Int Len 123 04 0B 4D 61 69 6E 20 53 74 72 65 65 74 Oct str 11 M a i n S t r e e t 04 08 42 69 67 20 43 69 74 79 Oct Str Len B i g C i t y 04 02 4D 4F 02 02 F6 96 0 Oct Str Len M O Int len 63130 Null 11-7

Names! V4: Name, Instance, Realm (40 character each. Null terminated). Dot "." is illegal.! V5: Name can contain dot and can have many parts., e.g., jain.raj! V4: Realms are DNS names.! V5: Realms can be DNS names, X.500 names, etc 11-8

Delegation of Rights! Need: Backup job requires operators to access files! V5 allows requesting a TGT with a different address! Can include many addresses or no addresses Anyone.! TGT with operator's address can then be passed to the operator.! Can also request to include application specific restrictions in the TGT! These restrictions are copied in the tickets! Can request that TGT be forwardable One operator can pass it to another operator.! Can request that TGT be proxiable Alice can request a ticket from TGT for use by the operator.! Allowing delegation, forwarding, proxy, many addresses, no addresses are policy decisions 11-9

Ticket Lifetimes! V4: Lifetime is one octet max 256 in units of 5 minutes Max 21 hours! V5: Many timestamps, each in ASN.1 format (17 bytes in s)! Start Time! End Time! Auth Time: Time at which initial TGT was obtained! Renew Till: Must renew after this time! Start Time < End Time < Renew Till 11-10

Renewable Tickets! Tickets cannot be invalidated! Long term use permitted only if renewed frequently! Expired tickets cannot be renewed KDC does not have to remember revoked tickets for long time 11-11

! Start Time in future Postdated Tickets! Pre-invalidated Must be validated at the start time Allows revoking the authentication! May-Postdate flag in TGT TGS can issue post-dated tickets 11-12

Key Versions! Allows principals to change keys! Multiple versions of keys are kept at KDC and TGS! Each key is stored as <Key, Principal_KeyVersionNo, KDC_KeyVersionNo> Allows the possibility of KDC changing its key! Helpful for renewable and post-dated tickets! Renewal Tickets are issued with the latest keys 11-13

Master Keys in Different Realms! Password-to-key hash function uses realm name also! Attacker cannot use the same key in multiple realms (Attacker can still use the same password in multiple realms) 11-14

Optimizations! V4: Ticket is encrypted with client's key Ticket is already encrypted with Server's key Double encryption! V5: Ticket is not encrypted again! V4: Target's name inside the ticket! V5: No name inside the ticket 11-15

! V4: DES Cryptographic Algorithms! V5: Encryption field is type-value encoded Any encryption 11-16

Integrity-Only Algorithm! V4: Jueneman Checksum! V5: Choice of algorithms " rsa-md5-des " des-mac " des-mac-k " res-md4-des (optional) " rsa-md4-des-k (Optional) 11-17

Encryption for Privacy and Integrity! Choice: des-cbc-crc, des-cbc-md4, des-cbc-md5! Checksum is combined with the message and then encrypted with DES in CBC mode. 11-18

! V4: Limits to pairs! V5: Transition allowed. Hierarchy of Realms! B is registered with A and C is registered with B! x@a can get to y@c via B! List of all transited KDC's is put in the ticket! It is the applications responsibility to decide if some transited KDC is trustworthy A B C D E F G 11-19

Password Attacks! V4: Initial request in clear. Anyone can request TGT for president@whitehouse.gov! and use it for offline attack.! V5: Need to send pre-authentication data. Current time encrypted by user's key.! One can still do offline analysis of tickets received for another user.! V5 does not allow tickets for human users.! Attackers can still monitor pre-authenticated data and analyze it offline. 11-20

Key Inside Authenticator! Alice having two conversations with Bob! Attacker can inter-mingle packets and confuse! V5 allows Alice to use two different keys.! Alice puts a key in the authenticator along with the ticket.! Bob uses Alice-bob session key to decrypt the authenticator and then uses the key proposed by Alice to continue the conversation. 11-21

Double TGT Authentication! User's workstation get a TGT for the user and discard the master key generated from the password.! Xwindows applications need to authenticate to the user in order to write to his windows.! These tickets are encrypted with user's master keys! The workstation can send the user's TGT and the tickets to TGS and get back tickets encrypted with session key. 11-22

Public Keys for Users! Users can send a certificate to the KDC and get a reply encrypted with their public key.! KDC also keep a translation table to translate X.500 names in the certificate to Kerberos style names.! Kerberos style names are used in the tickets.! User can then send the ticket to older servers that do not know about public key.! This is called PKINIT 11-23

Summary! Kerberos V5 is design follows ISO ASN.1 General! General encryption, addresses, names! Allows delegation, post-dated tickets, renewals! Inter-realm authentication! Public Keys for users 11-24

Homework 11! Read chapter 14 of the text book! Submit answer to the following exercises: " Exercise 14.1: Suppose the Kerberos V5 password to key conversion function is identical to V4 but then takes the output that V4 would compute and xors it with the realm name. This would produce a different key in each realm, as desired. What is wrong with this algorithm? " Exercise 14.2: Consider the following variant of Kerberos. Instead of having postdated or renewable tickets, a server which notes that the authorization time is older than some limit presents the ticket to the TGS and asks if it should believe the ticket. What are the trade-offs of this approach relative to the Kerberos V5 approach. Hint: Compare TGS s work and consider revoked authentications. 11-25

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback