Authentication in real world: Kerberos, SSH and SSL. Zheng Ma Apr 19, 2005

Similar documents
CPSC 467b: Cryptography and Computer Security

CIS 6930/4930 Computer and Network Security. Topic 7. Trusted Intermediaries

Information Security CS 526

CPSC 467: Cryptography and Computer Security

Kerberos and Public-Key Infrastructure. Key Points. Trust model. Goal of Kerberos

Data Security and Privacy. Topic 14: Authentication and Key Establishment

CSCI 667: Concepts of Computer Security. Lecture 9. Prof. Adwait Nadkarni

The World Wide Web is widely used by businesses, government agencies, and many individuals. But the Internet and the Web are extremely vulnerable to

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

Trusted Intermediaries

AIT 682: Network and Systems Security

Introduction. Trusted Intermediaries. CSC/ECE 574 Computer and Network Security. Outline. CSC/ECE 574 Computer and Network Security.

Cryptography CS 555. Topic 16: Key Management and The Need for Public Key Cryptography. CS555 Spring 2012/Topic 16 1

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 10 Authenticating Users

Security and Privacy in Computer Systems. Lecture 7 The Kerberos authentication system. Security policy, security models, trust Access control models

Authentication Handshakes

Cryptography (Overview)

CSC 474/574 Information Systems Security

Security Handshake Pitfalls

Outline Key Management CS 239 Computer Security February 9, 2004

SSH. Partly a tool, partly an application Features:

Radius, LDAP, Radius, Kerberos used in Authenticating Users

Transport Level Security

Authentication & Authorization

Security Handshake Pitfalls

Overview. SSL Cryptography Overview CHAPTER 1

Chapter 9: Key Management

Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018

Kerberos MIT protocol

CHAPTER 3. ENHANCED KERBEROS SECURITY: An application of the proposed system

Kerberos. Pehr Söderman Natsak08/DD2495 CSC KTH 2008

"When you have crossed the river and have advanced a little further, some aged women weaving at the loom will beg you to lend a hand for a short

CSCE 813 Internet Security Kerberos

E-commerce security: SSL/TLS, SET and others. 4.1

Cryptography and Network Security. Prof. D. Mukhopadhyay. Department of Computer Science and Engineering. Indian Institute of Technology, Kharagpur

The Kerberos Authentication Service

Transport Layer Security

Key Management. Digital signatures: classical and public key Classic and Public Key exchange. Handwritten Signature

CIS 6930/4930 Computer and Network Security. Topic 6.2 Authentication Protocols

Datasäkerhetsmetoder föreläsning 7

(2½ hours) Total Marks: 75

HTTPS is Fast and Hassle-free with Cloudflare

Persistent key, value storage

Overview of Kerberos(I)

Lecture Nov. 21 st 2006 Dan Wendlandt ISP D ISP B ISP C ISP A. Bob. Alice. Denial-of-Service. Password Cracking. Traffic.

SSL/TLS & 3D Secure. CS 470 Introduction to Applied Cryptography. Ali Aydın Selçuk. CS470, A.A.Selçuk SSL/TLS & 3DSec 1

SSL/TLS. How to send your credit card number securely over the internet

User Authentication. Modified By: Dr. Ramzi Saifan

CS 470 Spring Security. Mike Lam, Professor. a.k.a. Why on earth do Alice and Bob need to talk so much?!? Content taken from the following:

CS 470 Spring Security. Mike Lam, Professor. a.k.a. Why on earth do Alice and Bob need to share so many secrets?!?

Authentication. Chapter 2

Introduction and Overview. Why CSCI 454/554?

AIT 682: Network and Systems Security

COSC 301 Network Management. Lecture 15: SSL/TLS and HTTPS

MASSACHUSETTS INSTITUTE OF TECHNOLOGY Fall Quiz II

Security Handshake Pitfalls

Lecture 9a: Secure Sockets Layer (SSL) March, 2004

Network Security CHAPTER 31. Solutions to Review Questions and Exercises. Review Questions

0/41. Alice Who? Authentication Protocols. Andreas Zeller/Stephan Neuhaus. Lehrstuhl Softwaretechnik Universität des Saarlandes, Saarbrücken

SEEM4540 Open Systems for E-Commerce Lecture 03 Internet Security

1 Identification protocols

Radius, LDAP, Radius used in Authenticating Users

Cryptographic Protocols 1

1.264 Lecture 27. Security protocols Symmetric cryptography. Next class: Anderson chapter 10. Exercise due after class

The Kerberos Authentication System Course Outline

Understand the TLS handshake Understand client/server authentication in TLS. Understand session resumption Understand the limitations of TLS

Chapter 4 Authentication Applications

Overview. Cryptographic key infrastructure Certificates. May 13, 2004 ECS 235 Slide #1. Notation

Cryptography and Network Security

Secure Sockets Layer (SSL) / Transport Layer Security (TLS)

Outline. Login w/ Shared Secret: Variant 1. Login With Shared Secret: Variant 2. Login Only Authentication (One Way) Mutual Authentication

Cryptographic Checksums

TLS. RFC2246: The TLS Protocol. (c) A. Mariën -

Overview of Authentication Systems

Protocols II. Computer Security Lecture 12. David Aspinall. 17th February School of Informatics University of Edinburgh

key distribution requirements for public key algorithms asymmetric (or public) key algorithms

5. Authentication Contents

Lecture Note 6 KEY MANAGEMENT. Sourav Mukhopadhyay

From Coulouris, Dollimore and Kindberg Distributed Systems: Concepts and Design. Edition 4 Pearson Education 2005

Securing Internet Communication: TLS

Cryptography SSL/TLS. Network Security Workshop. 3-5 October 2017 Port Moresby, Papua New Guinea

Distributed Systems. 25. Authentication Paul Krzyzanowski. Rutgers University. Fall 2018

Security issues in Distributed Systems

Network Security: Kerberos. Tuomas Aura

CS November 2018

Topics. Dramatis Personae Cathy, the Computer, trusted 3 rd party. Cryptographic Protocols

Defeating All Man-in-the-Middle Attacks

Chapter 8 Web Security

Issues. Separation of. Distributed system security. Security services. Security policies. Security mechanism

WAP Security. Helsinki University of Technology S Security of Communication Protocols

In any of these cases, an unauthorized user may be able to gain access to services and data that he or she is not authorized to access.

Network Security Chapter 8

Security: Focus of Control. Authentication

Module: Authentication. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Module: Authentication. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

User Authentication. Modified By: Dr. Ramzi Saifan

Verteilte Systeme (Distributed Systems)

CSCE 715: Network Systems Security

Security: Focus of Control

MTAT Applied Cryptography

Transcription:

Authentication in real world: Kerberos, SSH and SSL Zheng Ma Apr 19, 2005

Where are we? After learning all the foundation of modern cryptography, we are ready to see some real world applications based on them. What happened when you use your Yale netid and password? How does our system authenticate yourself Internet is a tough environment, security protocols need to deal with many different scenarios of attacks.

Think about Authentication Authentication provides a means to identify a client that requires access to some system. Network services, such as telnet, pop3, and nfs, need to authenticate individual users, by using their passwords, for example. We use our netid/password to access sis, email, pantheon and etc everyday. Note that firewalls can not replace authentication In general, good users may be on bad hosts, and bad users may be on good hosts. Thus, blocking traffic based on IP addresses and port numbers is not sufficient The mechanism for authentication is typically undertaken through the exchange of keys or certificates between the client and the server. What should we do?

Use of Password over a Network Of course, passwords should not be sent in clear text What about sending encrypted passwords? No, they should not be sent over the network either. This is to avoid replay attacks Next slide shows a typical method of defending against password replay attacks. The method uses no encrypted password

Use of Challenges to Defend Against Password Replay Client Server Password Client s Name Enter password Compute a hash value using challenge and password Send hash value Offline Operation Challenge (time-dependent value, a randomly select value, or both) Verify received hash value

The O(N 2 ) Password Management Problem Each of the N servers authenticates each of the N users Every server keeps track of the password of every user Thus a total of O(N 2 ) pieces of information items to manage Kerberos Objective: Provide an O(N) Solution Use a single authentication server that has trusted relationship with N clients and N servers. Thus, only O(N) keys to worry about The authentication server will generate session keys (aka tickets ) for each client-server session

What is Kerberos? Part of project Athena (MIT). Trusted 3rd party authentication scheme. Key Distribution Center (KDC) Assumes that hosts are not trustworthy. Requires that each client (each request for service) prove it s identity. Does not require user to enter password every time a service is requested!

Kerberos: etymology The 3-headed dog that guards the entrance to Hades Fluffy, the 3 headed dog, from Harry Potter and the Sorcerers Stone Originally, the 3 heads represented the 3 A s (Authentication, Authorization, and Accounting ) We ll focus on authentication

How Kerberos Tickets Work (Daily Experience) A user first gets a ticket from the Kerberos authentication server. A ticket is like a driver's license issued by the DMV When attempting to make use of a network service, the user presents the ticket to the service, along with the user s authenticator. The service then examines the ticket and the authenticator to verify the identity of the user. If all checks out, then the user is accepted This is like a customer presenting his driver s license to a supermarket manager when trying to cash a personal check. In this case, the customer s authenticator is the customer s face with which the supermarket manager can match the photo on the driver s license Note that a ticket can be used many times until it expires

Kerberos Authentication Kerberos Authentication Server (AS) Key Registration 1 2 Key Registration Client (C) 3 Application Server (S) 1. Req for application server ticket 2. Ticket for application server 3. Req for service

Kerberos Terminology and Abbreviations c client id s server id addr client s IP address life lifetime of ticket TGS ticket granting server K x x s secret key (x being a client or server) K x,y session key for x and y {abc}k x abc encrypted in x s key T x,y x s ticket to use y (used many times) A x authenticator for x, containing x s name (e.g., zheng.ma@yale.edu, current time (to defeat replay) and checksum

Kerberos Authentication (Detail) Kerberos Authentication Server (AS) In essence, the Kerberos system is for the purpose of producing a session key, i.e., ticket that C and S can use 1. Req for S ticket 2. S ticket Client (C) 3. Req for Service Application Server (S) 1. c, s 2. {K c,s, {T c,s }K s }K c 3. {A c }K c,s, {T cs }K s T c,s contains session key K c,s In step 2, user enters password to decrypt the received message If S can decode {A c }K c,s, then user must have entered the correct password!

Kerberos Authentication w/ TGS Kerberos Authentication Server (AS) Key Ticket Granting Server (TGS) Key Registration 1 2 3 Client (C) 4 5 Key Application Server (S) 1. Req for TGS ticket 2. Ticket for TGS 3. Req for application server ticket 4. Ticket for application server 5. Req for service

Kerberos Authentication w/ TGS (Detail) Kerberos Authentication Server (AS) Ticket Granting Server (TGS) 1. c, tgs 1 2 3 Client (C) 4 5 Application Server (S) 2. {K c, tgs, {T c, tgs }K tgs }K c 3. s, {A c }K c, tgs, {T c, tgs }K tgs 4. {K c,s, {T c,s }K s }K c,tgs 5. {A c }K c,s, {T cs }K s In step 4 client uses stored K c,tgs rather than user entering password. This is convenient. But system now needs to believe that client can be trusted for the period when K c,tgs is valid

Kerberos Stateless Model TGS does not send {K c,s }K s to S directly. Instead, TGS sends {T c,s }K s, with T c,s containing K c,s, to C and let C forward it to S Otherwise, S would need to keep state, i.e., keep received K c,s around, and this would complicate implementation In general, servers do not talk to each other directly. Clients initialize transactions and complete them This stateless model is simple and elegant

Scaling Kerberos To scale, divide the network into realms each having its own AS and its own TGS To allow for cross-realm authentication, i.e., to allow users in one realm to access services in another, the user's realm may register a remote TGS (RTGS) in the service's realm To reduce cross-realm registration, use a hierarchy of realms

Kerberos Authorization and Accounting In Kerberos, authorization and accounting are supported by having AS inserting some predefined information, e.g., access control list, in the ticket It is encrypted in the ticket, so it is tamper-proof The information are left for the server to interpret

Advantages of Kerberos Passwords aren t exposed to eavesdropping Password is only typed to the local workstation It never travels over the network It is never transmitted to a remote server Password guessing more difficult Single Sign-on More convenient: only one password, entered once Users may be less likely to store passwords Stolen tickets hard to reuse Need authenticator as well, which can t be reused Much easier to effectively secure a small set of limited access machines (the AS s) Easier to recover from host compromises Centralized user account administration

Kerberos caveats Kerberos server can impersonate anyone AS is a single point of failure Can have replicated AS s AS could be a performance bottleneck Everyone needs to communicate with it frequently Not a practical concern these days Having multiple AS s alleviates the problem If local workstation is compromised, user s password could be stolen by a trojan horse Only use a desktop machine or laptop that you trust Use hardware token pre-authentication Kerberos vulnerable to password guessing attacks Choose good passwords! Use hardware pre-authentication Hardware tokens, Smart cards etc

Summary of Kerberos Kerberos provides an authentication server (AS) that issues tickets or session keys to clients for various services The O(N 2 ) password management problem is alleviated In addition, by using the TGS, users no longer need to type in passwords all the time AS and TGS need to be trusted For large systems, should PKI (Public Key Infrastructure) be used instead? For small systems, do we need Kerberos? SSH may be just fine.

Ssshhhhh... Be very quiet so Eve can t hear anything Encrypt the communication between the terminal and the server How?

Simplified SSH Protocol Terminal Login: zm25 Password: *********** login sends E KU < zm25, password> matrix matrix.cs.yale.edu Eve Can t decrypt without KR matrix

Actual SSH Protocol time Client 1 Compares to stored KU S 3 requests connection KU S, KU t E KU S [E KUt [r]] { IDEA 3DES } All traffic encrypted using r and selected algorithm. Can do regular login (or something more complicated). Server KU S - server s 2 public host key KU t server s public key, changes every hour r 256-bit random number generated by client

Comparing to stored KU S It better be stored securely PuTTY stores it in windows registry (HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Ssh HostKeys)

Accept and Save SecureCRT Default choice!

Usability in normal environments has been a major design concern from the beginning, and SSH attempts to make things as easy for normal users as possible while still maintaining a sufficient level of security. Tatu Ylonen, SSH Secure Login Connections over the Internet, June 1996.

ssh.com s SSH

ssh Error

ISO/OSI Model SSL: Security at Transport Layer Application Layer Application Layer Presentation Layer Presentation Layer Session Layer Session Layer Transport Layer Transport Layer Network Layer Network Layer Data Link Layer Data Link Layer Physical Layer Physical Layer Peer-to-peer Network Layer Network Layer Data Link Layer Data Link Layer Physical Layer Physical Layer Application Layer Application Layer Presentation Layer Presentation Layer Session Layer Session Layer Transport Layer Transport Layer Network Layer Network Layer Data Link Layer Data Link Layer Physical Layer Physical Layer Flow of bits

Security at the Transport Layer Secure Socket Layer (SSL) Developed by Netscape to provide security in WWW browsers and servers SSL is the basis for the Internet standard protocol Transport Layer Security (TLS) protocol (compatible with SSLv3) Key idea: Connections and Sessions A SSL session is an association between two peers An SSL connection is the set of mechanisms used to transport data in an SSL session

Secure Socket Layer (SSL) Each party keeps session information Session identifier (unique) The peer s X.503(v3) certificate Compression method used to reduce volume of data Cipher specification (parameters for cipher and MAC) Master secret of 48 bits Connection information Random data for the server & client Server and client keys (used for encryption) Server and client MAC key Initialization vector for the cipher, if needed Server and client sequence numbers Provides a set of supported cryptographic mechanisms that are setup during negotiation (handshake protocol)

An example of key exchange using public/private keys SSL (Secure Socket Layer) and TLS (Transport Layer Security) use public/private keys to exchange a secret key used during a session The SSL handshake consists of several steps, as follows: Step 1: The client contacts the server and sends SSL version number, a random number X, and some additional information Step 2: The server sends the client the SSL version number, random number Y, and its public key (packaged into a certificate) Step 3: The client verifies that the server is who is says it is by examining the certificate (more on this in a bit) Step 4: The client creates a premaster secret using X, Y, and other information. It encrypts the secret using the server s public key. Step 5: If the server has requested authentication, the client sends its own certificate and the premaster secret to the server Step 6: The server authenticates the client by examining the client s certificate, uses its private key to decrypt the premaster secret, then uses it to generate the master secret. The client also generates the master secret. Step 7: Both the client and the server use the master secret to generate the session secret key Steps 8 (9): The client (server) sends a message to the server (client) telling it that it will use the secret key. It sends a second message encrypted with the secret key

Acknowledgements Credits of some slides and images: http://www.upenn.edu/computing/pennkey/docs/kerbpres/ 200207Kerberos.htm http://www.eecs.harvard.edu/cs143/ http://www.cs.virginia.edu/~evans/cs551/

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback