Introduction. Trusted Intermediaries. CSC/ECE 574 Computer and Network Security. Outline. CSC/ECE 574 Computer and Network Security.

Similar documents
Trusted Intermediaries

AIT 682: Network and Systems Security

CIS 6930/4930 Computer and Network Security. Topic 7. Trusted Intermediaries

Security and Privacy in Computer Systems. Lecture 7 The Kerberos authentication system. Security policy, security models, trust Access control models

Kerberos V5. Raj Jain. Washington University in St. Louis

Kerberos. Pehr Söderman Natsak08/DD2495 CSC KTH 2008

CSC 474/574 Information Systems Security

Network Security: Kerberos. Tuomas Aura

The Kerberos Authentication System Course Outline

CIS 6930/4930 Computer and Network Security. Topic 6.2 Authentication Protocols

Kerberos and Public-Key Infrastructure. Key Points. Trust model. Goal of Kerberos

Protocols II. Computer Security Lecture 12. David Aspinall. 17th February School of Informatics University of Edinburgh

Cryptography CS 555. Topic 16: Key Management and The Need for Public Key Cryptography. CS555 Spring 2012/Topic 16 1

Acknowledgments. CSE565: Computer Security Lectures 16 & 17 Authentication & Applications

Overview of Kerberos(I)

CSCE 813 Internet Security Kerberos

KEY DISTRIBUTION AND USER AUTHENTICATION

CPSC 467b: Cryptography and Computer Security

CSC/ECE 774 Advanced Network Security

Network Working Group. C. Neuman ISI September 1993

Key distribution and certification

13/10/2013. Kerberos. Key distribution and certification. The Kerberos protocol was developed at MIT in the 1980.

CSC 774 Network Security

CSCI 667: Concepts of Computer Security. Lecture 9. Prof. Adwait Nadkarni

Authentication Handshakes

Cryptography and Network Security

Kerberos5 1. Kerberos V5

Security Handshake Pitfalls

User Authentication. Modified By: Dr. Ramzi Saifan

1.264 Lecture 27. Security protocols Symmetric cryptography. Next class: Anderson chapter 10. Exercise due after class

Outline Key Management CS 239 Computer Security February 9, 2004

Chapter 9: Key Management

Cryptology Part 1. Terminology. Basic Approaches to Cryptography. Basic Approaches to Cryptography: (1) Transposition (continued)

Security issues in Distributed Systems

Network Security Essentials

Data Security and Privacy. Topic 14: Authentication and Key Establishment

Outline. Login w/ Shared Secret: Variant 1. Login With Shared Secret: Variant 2. Login Only Authentication (One Way) Mutual Authentication

Kerberos and Active Directory symmetric cryptography in practice COSC412

Authentication in real world: Kerberos, SSH and SSL. Zheng Ma Apr 19, 2005

Network Working Group Request for Comments: 4120 Obsoletes: 1510 Category: Standards Track K. Raeburn MIT July 2005

Cryptographic Checksums

Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018

0/41. Alice Who? Authentication Protocols. Andreas Zeller/Stephan Neuhaus. Lehrstuhl Softwaretechnik Universität des Saarlandes, Saarbrücken

Network Security: Classic Protocol Flaws, Kerberos. Tuomas Aura

Security Handshake Pitfalls

Lecture 1: Course Introduction

AIT 682: Network and Systems Security

CIS 6930/4930 Computer and Network Security. Final exam review

Password. authentication through passwords

Digital Signatures. Public-Key Signatures. Arbitrated Signatures. Digital Signatures With Encryption. Terminology. Message Authentication Code (MAC)

Radius, LDAP, Radius, Kerberos used in Authenticating Users

Security Handshake Pitfalls

Datasäkerhetsmetoder föreläsning 7

Network Security CHAPTER 31. Solutions to Review Questions and Exercises. Review Questions

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

Network Security (NetSec)

Kerberos Introduction. Jim Binkley-

CS3235 Seventh set of lecture slides

L7: Key Distributions. Hui Chen, Ph.D. Dept. of Engineering & Computer Science Virginia State University Petersburg, VA 23806

Information Security CS 526

From Coulouris, Dollimore and Kindberg Distributed Systems: Concepts and Design. Edition 4 Pearson Education 2005

Fall 2010/Lecture 32 1

In any of these cases, an unauthorized user may be able to gain access to services and data that he or she is not authorized to access.

Network Security. Kerberos and other Frameworks for Client Authentication. Dr. Heiko Niedermayer Cornelius Diekmann. Technische Universität München

What did we talk about last time? Public key cryptography A little number theory

ISSN: EverScience Publications 149

Security Handshake Pitfalls

6. Security Handshake Pitfalls Contents

Guide to Windows 2000 Kerberos Settings

Cryptography and Network Security. Prof. D. Mukhopadhyay. Department of Computer Science and Engineering. Indian Institute of Technology, Kharagpur

Module: Authentication. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Session Key Distribution

Unit-VI. User Authentication Mechanisms.

Authentication in Distributed Systems

Kerberos MIT protocol

Module: Authentication. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

The Kerberos Authentication Service

BACHELOR THESIS CAPABILITY OF KERBEROS MATTHIJS MEKKING

Radius, LDAP, Radius used in Authenticating Users

KEY DISTRIBUTION AND USER AUTHENTICATION

Lecture 9a: Secure Sockets Layer (SSL) March, 2004

User Authentication. Modified By: Dr. Ramzi Saifan

CSC 482/582: Computer Security. Security Protocols

"When you have crossed the river and have advanced a little further, some aged women weaving at the loom will beg you to lend a hand for a short

AUTHENTICATION APPLICATION

Topics. Dramatis Personae Cathy, the Computer, trusted 3 rd party. Cryptographic Protocols

User Authentication Protocols

Persistent key, value storage

Chapter 4 Authentication Applications

Course Administration

User Authentication Protocols Week 7

User Authentication Principles and Methods

Real-time protocol. Chapter 16: Real-Time Communication Security

EEC-682/782 Computer Networks I

CS Computer Networks 1: Authentication

Cryptography & Key Exchange Protocols. Faculty of Computer Science & Engineering HCMC University of Technology

Digital Signatures. Secure Digest Functions

Authentication. Chapter 2

IMPLEMENTATION OF KERBEROS BASED AUTHENTICATED KEY EXCHANGE PROTOCOL FOR PARALLEL NETWORK FILE SYSTEMS IN CLOUD

Chair for Network Architectures and Services Institute of Informatics TU München Prof. Carle. Network Security. Chapter 3

Transcription:

Trusted Intermediaries CSC/ECE 574 Computer and Network Security Topic 7. Trusted Intermediaries Problem: authentication for large networks Solution #1 Key Distribution Center () Representative solution: Kerberos Based on secret key cryptography Solution #2 Public Key Infrastructure (PKI) Based on public key cryptography 1 CSC 474 Dr. Peng Ning 2 Outline CSC/ECE 574 Computer and Network Security Introduction Version 4: Basics Additional Capabilities Version 5 and Inter-Realm Authentication Topic 7.1 Kerberos 3 4 Goals of Kerberos Introduction 1. User server mutual authentication 2. Users should only need to authenticate once to obtain services from multiple servers 3. Should scale to large numbers of users and servers makes use of a Key Distribution Center so servers don t need to store information about users 5 6

Some Properties Example Scenario Kerberos uses only secret key (symmetric) encryption originally, only DES, but now 3DES and AES as well A stateless protocol s do not need to remember what messages have previously been generated or exchanged the state of the protocol negotiation is contained in the message contents Alice wants to make use of services from X, contacts the to authenticate, gets ticket to present to X Bob wants to make use of services from X and Y, contacts the, gets tickets to present to X and Y Alice Server X Bob 7 Server Y 8 The Infrastructure needed ( components) 1. the database of user information (IDs, password hash, shared secret key, etc.) 2. an authentication server (AS) 3. a ticket-granting server (TGS) The of course is critical and should be carefully guarded Secrets Managed by the A personal key used for encrypting/ decrypting the database, and for enciphering / deciphering message contents it sends to itself! A master (semi-permanent) shared key for each user a master shared key for each server 9 10 Passwords and Tickets 1. Alice provides a password when she logs into her workstation 2. Alice s workstation derives Alice s master key from the password asks the for a temporary session key K A 3. The provides a ticket-granting ticket (TGT) for Alice to use; eliminates need for repeated authentication further use of master key Basics of the Kerberos v4 Standard 11 12

Protocol Sketch (Common Case) Alice #1 Login + Password #4 Request service from V #2 Alice wants to authenticate #3 Here s Alice s TGT #5 Alice wants service from V #6 Here is key + ticket to use Alice s Workstation Msg#1: Enter Password #1 A W: Alice password Alice types in her user ID and password in unencrypted form into her workstation 1 A W: Alice password #7 Here is Alice s ticket for service + key to use #8 Alice s request for service is granted, using key supplied Server V 13 14 Msg#2: Request for Authentication #2. W : ID A TS 2 ID Workstation sends a message to with Alice s ID (in unencrypted form) Many of these messages contain timestamps, for a) liveness, and b) anti-replay ID includes name and realm (see later) Msg#3: Authentication Success #3. W: sends Alice s workstation a session key and a TGT encrypted with the master key shared between Alice and the K A- is derived from Alice s password, used to decrypt session key K A- 15 16 Msg#3: (cont d) The TGT is what allows the to be stateless means simpler, more robust design allows replicated s (see later) The TGT contains the session key to be used henceforth the user ID (Alice) the valid lifetime for the TGT Msg#4: Alice Requests Service V #4 A W: ReqServ(V) Alice enters (to workstation) a request to access the service provided by V 17 18

Msg#5: Workstation Requests Service V Msg#5 (cont d) #5 W : Workstation sends to the the TGT previously granted (proves Alice s identity) the server she wishes to request service from an authenticator for this message The authenticator is an encrypted timestamp why needed? (reminder: timestamps requires user and clocks to be loosely synchronized) 19 20 Msg#6: Generates Ticket Msg#6 (cont d) #6 W: The ticket contains ID of the initiating user decrypts the TGT and checks that lifetime has not expired gets the shared key K A- sends back to workstation identity of the server a shared key (K A-V ) for Alice and the server a ticket for Alice to present to V shared key K A-V lifetime of the ticket 21 22 Msg#7: Workstation Contacts Server #7 W V: Message contains ticket (from the ) authenticator If server V is replicated, ticket can be used with each server to receive service Msg#7 (cont d) Authenticator is valid for 5 minutes loose synchronization required replay attack possible for short period if server does not store previous authenticators 23 24

Msg#8: Server Authenticates to Alice #8 V W : K A-V (Chksum auth7 + 1) Reply to Alice s workstation contains timestamp sent by Alice, incremented by 1 Done! 1. Alice has authenticated to (which is trusted by server) 2. Server has authenticated to Alice 3. A session key has been negotiated, for encryption, message authentication, or both (but see previous discussions) 25 26 Key Updates Additional Capabilities Users will need to change their keys periodically, as do servers Implication: outstanding tickets (based on old keys) must be invalidated, and new ones issued how find all those old tickets and recall them? Alternative: allow key versions key version number to use is included in messages s and servers must allow overlap of old keys and new keys, allow time for use of old keys to age out 27 28 Replication A good strategy: allow multiple s for a single domain (availability, fault tolerance) Issue: how keep the databases consistent? one database copy is the master; all updates are first made to that this master DB is copied (downloaded) to the other s, either periodically, or on demand the transfer is authenticated Adding Network Addresses to Tickets Add IP addresses (in addition to user IDs) to tickets must match Source IP address in the packet containing the ticket, or message is rejected just one more piece of information to make attacks harder (not foolproof, spoofing IP addresses is relatively easy) Problems NATs will change IP addresses in packet headers but not in tickets prevents delegating access rights (i.e., a ticket) to a user at another location 29 30

Specification of Messages See the text, or RFC, for full details Kerberos v5 + Interrealm Authentication 31 32 Some Differences with v4 1. v5 uses ASN.1 syntax to represent messages a standardized syntax, not particularly easy to read but, very flexible (optional fields, variable field lengths, extensible value sets, ) 2. v5 extends the set of encryption algorithms 3. v5 supports much longer ticket lifetimes 4. v5 allows Pre-authentication to thwart password attacks 5. v5 allows delegation of user access / rights Delegation Giving someone else the right to access your services how is that useful? Some not-so-good ways to implement give someone else your password / key give someone else your tickets (TKT V s) Kerberos v5 provides 3 better choices 33 34 Delegation (cont d) Choice #1: Alice asks the to issue a TGT with Bob s network address she then passes this TGT and the corresponding session key to Bob in effect, she tells the she will be delegating this access right Choice #2: Alice asks the to issue a TGT directly to Bob, with Bob s address even better, although now the is required to contact Bob directly Delegation (cont d) Choice #3: Alice gets a TGT, gives it to Bob along with authorization data that will be passed to the application service, and must be interpreted by the application 35 36

Transitive Delegation Alice delegates to Bob who delegates to Carol who TGTs (for arbitrary service) can be transitively delegated if marked as forwardable Tickets (providing access to a specific service) can be transitively delegated if marked as proxiable Servers are not obligated to honor such requests for transitive delegation Pre-Authentication #3. W: Reminder: Msg #3 is encrypted by the with K A- could be used by adversary to mount a password- or key-guessing attack Solution: before Msg #2, require Alice to send pre-authentication data to the i.e., a timestamp encrypted with the shared master key this proves Alice knows the key 37 38 Pre-Authentication (cont d) Msg#6 still provides an opportunity for Alice to mount a password-guessing attack against the server key K V- solution: servers are not allowed to generate keys based on (weak) passwords Renewable Tickets Tickets in v5 can be valid for a long time, but have to be renewed periodically, by contacting the Each ticket contains authorization time start (valid) and end (expiration) times renew-until (latest possible valid) time Newly-issued (renewed) tickets will have a new session key 39 40 Renewable (cont d) Tickets can also be postdated valid in the future An expired ticket cannot be renewed Cryptographic Algorithms in v5 Message integrity only MD5 + encrypt result with DES using shared secret key use DES residue + others Encryption + integrity basic = DES/CBC with a CRC extended: 3DES + HMAC/SHA1 recently: AES/CBC + HMAC/SHA1 Note: secret key only 41 42

Sub-Session Keys Alice may wish to use different keys for different conversations/connections with the same server why? This is made possible by including in the authenticator of Msg #7 a subkey to use just for this connection v5 Messages See text or RFC for lots of details, and specifications of message formats and contents expanded to 43 44 Realms A realm is a group of resources sharing a single authority for authorization frequently the same as a DNS domain, and referred to by the domain name (e.g., ncsu.edu ) A realm consists of 1. (TGS, AS, and database) 2. users 3. servers Inter-Realm Authentication What if a user wants access to services located in a different realm? Simple solution: require Alice to be registered in each realm, has to undergo separate authentication in each More complex solution: the s cooperate to perform inter-realm authentication these s must have previously-negotiated shared secret keys receiving can decide for itself whether to accept credentials issued by another 45 46 Example Alice Ticket for remote service Grants service Requests TGT for local TGS TGT for local services Requests TGT for remote TGS TGT for remote services Requests ticket for local server Ticket for remote server local Realm A Realm B Inter-Realm (cont d) A complex extension is the notion of inter-realm paths (> 2 s cooperating) How find a path of cooperating s to a target? typical solution: hierarchy of s (only one possible path) A ticket will contain the path of realms traversed by this ticket the server receiving the ticket can decide if each of those realms is trustworthy, in order to accept or reject the ticket remote Remote Server 47 48

Summary 1. Kerberos is the most widely used authentication service 2. Modeled on the Needham-Schroeder protocol, but adds the TGT 3. v5 extends and fixes problems of v4; v4 no longer in active use 4. Inter-realm authentication scales to very large systems (e.g., the Internet) 49

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback