Скачать презентацию Kerberos Authentication 1 Alternative to one time Скачать презентацию Kerberos Authentication 1 Alternative to one time

92e02080f6a69378c8ab161eaffd20f6.ppt

  • Количество слайдов: 21

Kerberos Authentication 1 Kerberos Authentication 1

Alternative to one time passwords Need for an authentication scheme which never sends the Alternative to one time passwords Need for an authentication scheme which never sends the passwords in clear text form over the network. One time password is an example where the actual password is not sent along the communication line, rather a derivative is sent on to the server. Authentication methods based on cryptography are required. Also there is a need to authenticate for services without entering password every time. q E. g. r-commands on Unix. 2

One-time passwords As the name implies a password is used only once. Typically password One-time passwords As the name implies a password is used only once. Typically password is generated by applying repeatedly MD 5 algorithm on a secret password. Let p the password and f is the one-way MD 5 function. Initially let n=9, then the first time password transmitted for verification will be f 9(p) and next time it will be f 8(p) and so on. 3

Kerberos Authentication Alternative to one-time passwords Allow workstations to authenticate themselves to services running Kerberos Authentication Alternative to one-time passwords Allow workstations to authenticate themselves to services running on servers without ever sending a password in clear text over the network. 4

Kerberos Authentication Kerberos is a distributed authentication service that allows a process (a client) Kerberos Authentication Kerberos is a distributed authentication service that allows a process (a client) running on behalf of a principal (a user) to prove its identity to a verifier (an application server or server) without sending data across the network. Developed as part of MIT’s Project Athena. 5

The Word of “Kerberos” Also spelled as Cerberus. n. The watch dog of Hades The Word of “Kerberos” Also spelled as Cerberus. n. The watch dog of Hades (in the ancient Greece), whose duty was to guard the entrance -- against whom or what does not clearly appear; . . . it is known to have three heads. . --- The Enlarged Devil’s Dictionary, by Ambrose Bierce 6

How Kerberos works? Kerberos authentication scheme uses a series of encrypted messages to a How Kerberos works? Kerberos authentication scheme uses a series of encrypted messages to a verifier (server) that a client is running on behalf of a particular user. More precisely that the client has knowledge of an encryption key that is known by the user and the authentication server. The users encryption key is derived and should be thought of as a password; similarly, each application server shares an encryption key with the authentication server- call this key as the sever key. 7

How Kerberos works? The client (C)and server (V) do not initially share an encryption How Kerberos works? The client (C)and server (V) do not initially share an encryption key. Whenever the client authenticates itself to a new verifier it relies on the authentication server (AS) to generate a new encryption key and distribute it securely to both parties. This new encryption key is called session key and a ticket mechanism is used to distribute this key to the verifier. 8

Kerberos Ticket? Ticket is a certificate issued by the authentication server, encrypted using server Kerberos Ticket? Ticket is a certificate issued by the authentication server, encrypted using server key. Ticket contains a random session key, which will be used to for the authentication of the principal to the verifier, the name of the principal to whom the session key was issued, and an expiration time after which the session key is no longer valid (time stamp). The ticket is not sent directly to the verifier, but is instead sent to the client who forwards it to the verifier as part of the application request. Since the ticket is encrypted in the server key, known only by the authentication server and the indented verifier, it is not possible for the client to modify the ticket without detection. 9

Basic Kerberos (simplified) symbols used: c: client/client name v: server/server name AS: authentication service Basic Kerberos (simplified) symbols used: c: client/client name v: server/server name AS: authentication service n: nonce Kc, v: shared key btwn c & v timeexp: expiring time Kc: shared key btwn c & AS Kv: shared key btwn v & AS Ksubsession: a session key btwn c & v 10

Basic Kerberos (simplified) authentication service 1 Client 2 3 4 server 1. client-name, server-name, Basic Kerberos (simplified) authentication service 1 Client 2 3 4 server 1. client-name, server-name, expiring-time, random-num. 2. DESKc(Kc, v, expiring-time, random-num. , . . . ), DESKv(Tc, v) 3. DESKc, v(time-stamp, session-key, . . . ), DESKv(Tc, v) 4. DESKc, v(time-stamp), (this step is optional) where Tc, v = Kc, v, client-name, expiring-time, . . . 11

Full Kerberos (simplified) Symbols used: c: client/client name v: server/server name AS: authentication service Full Kerberos (simplified) Symbols used: c: client/client name v: server/server name AS: authentication service TGS: ticket grant service n: nonce Kc, v: shared key btwn c & v timeexp: expiring time Kc: shared key btwn c & AS Kv: shared key btwn v & AS Ktgs: shared key btwn TGS & AS Kc, tgs: shared key btwn c & TGS Ksubsession: a session key btwn c & v 12

Identification An Identification (ID) Protocol allows one party (say Alice) to convince another party Identification An Identification (ID) Protocol allows one party (say Alice) to convince another party (say Bob) of her identity q similar to Authentication. But an ID protocol must also meet a more stringent requirement: q It must be secure against ALL THREE types of attacks Marvin can mount (see Attacks slide) • Protocol Eavesdropping • Impersonating as Verifier to Prover • Honest Verifier knowledge compromise Hence it’s also called a “passport protocol”. 13

Exercise State whether or not each of the following is an ID protocol, and Exercise State whether or not each of the following is an ID protocol, and if not, describe an attack (one of the 3 type/s) that it succumbs to: q. Challenge-and-Response Protocol q. One-way function based Password Protocol 14

Schnorr passport protocol Involving q. A trusted authority (TA) to issue “certificates/passports” q. A Schnorr passport protocol Involving q. A trusted authority (TA) to issue “certificates/passports” q. A certificate holder q. A verifier 15

Setting up by the TA TA’s public key = (y, p, q, g), where Setting up by the TA TA’s public key = (y, p, q, g), where qp = a prime of at least 512 bits. qq = a 160 -bit prime divisor of p-1. qg = h(p-1)/q mod p, where h is any integer with 1 < h < p-1 s. t. h(p-1)/q mod p > 1 (g has order q mod p. ) qy = g -x mod p, where x is an integer randomly selected from [1, q-1]. TA’s secret key is x. 16

Issuing a certificate by TA a Alice IDAlice || V W x TA Check Issuing a certificate by TA a Alice IDAlice || V W x TA Check the ID, and then using Schnorr signature to sign (IDAlice || V ). Let W = sign(IDAlice ||V ) • Alice’s certificate: (IDAlice || V || W) • Alice’s secret: a 17

Schnorr signature - Signing a doc M by TA To sign a document M=(IDAlice Schnorr signature - Signing a doc M by TA To sign a document M=(IDAlice || V), TA does the following: qrandomly pick an integer k from [1, q-1]. qr = Hash(gk mod p, M) qs = (k + x * r)) mod q, where Hash is a 1 -way hash. TA’s signature on M is the pair of numbers W=(r, s). 18

How Alice proves her ID to Bob a Alice Forwarding cert. (IDAlice || V How Alice proves her ID to Bob a Alice Forwarding cert. (IDAlice || V || W) OK Bob Verify the cert. If not OK, then abort. Q c d Accept if 19 Q=gd. Vc mod p

Important points Setting up & certificate issuing are one-off operations. Bob the verifier needs Important points Setting up & certificate issuing are one-off operations. Bob the verifier needs to have access to TA’s public key. The actual proving protocol has 2 parts: q. Shows that the certificate is OK, & q. Demonstrate that Alice “knows” the secret associated with the certificate. 20

Security of Schnorr Protocol The Schnorr protocol (slightly modified) can be proved to be Security of Schnorr Protocol The Schnorr protocol (slightly modified) can be proved to be an ID Protocol, assuming that the discrete-logarithm problem is difficult: q. The probability that Marvin can successfully masquerade Alice to an Honest verifier Bob is negligibly small, even if Marvin mounts all of the three types of attacks. 21