Authentication Scenarios 2. Users share a password with a trusted - - PowerPoint PPT Presentation

authentication scenarios
SMART_READER_LITE
LIVE PREVIEW

Authentication Scenarios 2. Users share a password with a trusted - - PowerPoint PPT Presentation

Mar 31, 2023 113 likes •338 views

Authentication Scenarios 2. Users share a password with a trusted authority (authentication servers) Kerberos Challenge-response Symm.Key What do we learn from previous attacks? Timestamps: are valid only in a small time window

slide-1
SLIDE 1

Authentication Scenarios

2. Users share a password with a trusted authority (authentication servers)

Kerberos

slide-2
SLIDE 2

Challenge-response Symm.Key

What do we learn from previous attacks?

  • Timestamps: are valid only in a small time window
  • Sequence numbers attached to messages are

useful (to avoid replication attacks)

  • Nonce: we should careful use them (and we

require good random number generator)

slide-3
SLIDE 3

Kerberos

Kerberos provides authentication in distributed systems

– Guarantees safe access to network resources (e.g. printer, databases, etc.) – There i as central authority that allows to reduce the number of passwords that users must memorize

Reference:

– Proposed by MIT

http://web.mit.edu/kerberos/www/dialogue.html

– free download in US and Canada – Widespread use (e.g. windows)

slide-4
SLIDE 4

Kerberos

Scenario: A needs to access service provided by B – Authentication of A – Optional: authentication of B – Optional: decide session keys for secret communication and/or authentication

  • C is trusted server (authority that shares keys with A

and B)

  • Idea: use ticket to access services; tickets are valid in a

given time window

slide-5
SLIDE 5

Kerberos

  • KDC (Key Distribution Center) is the server

trusted and physically safe

  • Messages are safe with respect to

cryptographic attacks and data integrity

  • Kerberos provides security for applications

like

– telnet – rtools (rlogin, rcp, rsh) – Network file systems (NFS/AFS) – …

slide-6
SLIDE 6

Preliminaries

Each user (also named as principal) has a master secret key with KDC

– For human users master secret key is derived form password – For system resources are defined while configuring the application

Each principal is registered by the KDC All master keys are stored in the KDC database, encrypted with the KDC master key

slide-7
SLIDE 7

Tickets Alice, Bob, KDC

Alice Bob KDC 1 2 3

KA{KAB, KB{KAB, “Alice”,...}}

Ticket of Alice for Bob:KB{KAB, “Alice”,...}, KB: master key of Bob, KAB : session key to be used by A and B

  • nly Bob is able to decode and checks the message
slide-8
SLIDE 8

Kerberos: simplified version

A asks for a ticket TicketB for B 1. A sends to C: A,B,N (N, nonce) 2. C sends to: A TicketB,KAC(K,N,L,B) L=”lifetime

  • f ticket”

3. [A checks N and knows ticket lifetime] A sends to B: TicketB, K(A,tA) [authenticator] 4. [B checks that A’s identity in TicketB and in

  • authent. are the same, lifetime of ticket (that

is B’s clock is before L)] B sends to A: K(tA) [n this way shows knowledge of tA]

TicketB = KBC(K,A,”lifetime”), N nonce, K session key; “lifetime”= validity of ticket

slide-9
SLIDE 9

Session key and Ticket-granting Ticket (TGT)

Messages between host and KDC should be protected using the master key (derived form user’s password) For each request to the KDC:

– User must type the password each time – User’s password is temporarily stored (to avoid the user the need of retyping)

all above solutions are inadequate!

slide-10
SLIDE 10

Session key and Ticket-granting Ticket (TGT)

Proposed solution to reduce no. of times user types the password and/or master key

– At initial login a session key SA is derived for Alice by KDC – SA has a fixed lifetime (eg one day, 4 hours) – KDC gives Alice a TGT that includes session key SA and other useful information to identify Alice (encoded with Alice’s master key)

slide-11
SLIDE 11

Session key and Ticket-granting Ticket (TGT)

  • Kerberos’ client at Bob decode and stores:

– SB, for subsequent communication with KDC – TGT, to notify KDC use of SB

  • Subsequent request to KDC use TGT in the

initial message

  • Subsequent tickets provided by KDC are

decoded using SB User provides password only once No password is stored

slide-12
SLIDE 12

Kerberos 4

slide-13
SLIDE 13

Login

Local Host

  • f A

KDC A 1. <A,passwd>

  • 2. AS_REQ

Alice needs a TGT 3. generates SA and TGTA = KTGS{A, SA }

  • 4. AS_REP

KA{SA ,TGTA}

  • 5. local host

decodes and stores SA and TGTA

  • Local host of A= (current) Alice’s workstation
  • SA = session key for A
slide-14
SLIDE 14

Ticket request

Local Host

  • f A

A 1.print request: “lpr -Php1”

  • 2. TGS_REQ

[print request, TGTA =KTGS{A, SA } SA{timestamp}]

  • 3. generates KAP

decodes TGTA Checks SA{timestamp} authenticator generates Ticket for printer: TP = KP{A,KAP} TGS

  • 4. TGS_REP

SA{P, KAP, TP}

  • 5. local host

decodes and gets service using KAP & TP A is authenticted using timestamp P =printer

slide-15
SLIDE 15

Use of Ticket for printer P

Local Host At A A

  • 1. AP_REQ

[TP = KP{A,KAP}, KAP{timestamp}]

  • 2. decodes TP

And obtain KAP Checks authenticator Printer Server

  • 3. AP_REP

KAP{timestamp+1}

  • printer request is managed by A’s local host
  • there is mutual authentication using timestamp
slide-16
SLIDE 16

Authentication and time sinchronization

Authenticator == KX{timestamp}

  • Global Synchronous Clock is required
  • Authenticator is used to avoid

– replay of old mesages sent to the same server by the adversary (old messages are eliminated) – replay to a server (when there are many servers) – Authenticator DOES NOT guarantee data integrity (a MAC is required)

slide-17
SLIDE 17

KDC and TGS

  • KDC and TGS are similar (the same?) why do we

need two different entity?

– Hitorical reasons – One KDC can serve different systems (1 KDC many TGS)

  • multiple copies of KDC - availability and

performance

  • Consistency issues in KDC databases

– A single KDC stores information concerning principal (safer) – Periodically download inforamtion for other KDC

slide-18
SLIDE 18

Kerberos - Performance

  • KDC stores only TGT and tickets.
  • Most work is on client.
  • KDC is involved only at loign fo

provide TGT

  • KDC uses only permanet information
slide-19
SLIDE 19

Kerberos: Realms

In very large systems security and performance issues suggest to use not only a domain bu more (several many KDC) REALM

  • Each realm has a different master KDC
  • All KDC share the same KDC master key
  • two KDC in different realms have different

databases of users

slide-20
SLIDE 20

Kerberos V. 4: Realms

H3 Master KDC H1 H2 H8 H7 H6 H5 H4 Master KDC Master KDC Realm 2 Realm3 KDC KDC KDC KDC KDC KDC KDC H9 H10 Realm1

slide-21
SLIDE 21

Authentication between realms

Bob Alice Realm1 KDC

  • 1. TGS_REQ

[Bob@Realm1, Alice@Realm2]

  • 2. TGS_REP

credential for Realm2 KDC

  • 3. TGS_REQ

[Bob@Realm1, Alice@Realm2]

  • 5. AP_REQ

[Bob, KA{KBA, “Bob”,...}] Realm2 KDC

  • 4. TGS_REP

credential for Alice@Realm2

slide-22
SLIDE 22

Kerberos: version 5

Same philosophy Major changes

  • Integrity of messages, authentication using nonce (not only

timestamps)

  • Flexible encoding: many optional fields,

– allows future extensions – Overhead

Major extensions to the functionality

  • Delegation of rights: Alice allows Bob to use their own

resources

  • Renewable tickets: tickets can be used for long time
  • More encryption methods (Kerberos designed for DES)
  • Hierarchy or realms