10) chapter 4 - authentication applications

Upload: joey40000

Post on 10-Apr-2018


  • 8/8/2019 10) Chapter 4 - Authentication Applications

    Chapter 4

    Authentication Applications

    Outline

    Security Concerns
    Kerberos
    X.509 Authentication Service
    Recommended Reading and Web Sites

    KERBEROS

    In Greek mythology, a many-headed dog, the guardian of the entrance of Hades

    KERBEROS: Environment

    Users on workstations wish to access services on servers distributed over the network.

    [Figure: workstations and servers connected by a network]

    KERBEROS

    Three threats exist:

    A user pretends to be another user.
    A user alters the network address of a workstation.
    A user eavesdrops on exchanges and uses a replay attack.

    KERBEROS

    Provides a centralized authentication server to authenticate users to servers and servers to users.
    Relies on conventional encryption, making no use of public-key encryption
    Two versions: version 4 and 5
    Version 4 makes use of DES

    KERBEROS: Motivation

    Network evolution
      Dedicated PC - no network connection
      Single Centralized Server
      Distributed Servers: 3 security approaches
        Workstation-based
        Server-based
        Service-based -> KERBEROS

    KERBEROS: Requirements

    Secure
    Reliable
    Transparent
    Scalable

    Therefore use trusted 3rd party authentication service.

    KERBEROS 4: Entities

    Terms:
      C = Client
      AS = authentication server
      V = server
      $ID_c$ = identifier of user on C
      $ID_v$ = identifier of server V
      $AD_c$ = network address of C
      $P_c$ = password of user on C
      $K_v$ = secret encryption key shared by AS and V
      TS = timestamp
      $\|$ = concatenation

    KERBEROS 4

    Building up the full protocol:

    Simple authentication dialogue
    More secure authentication dialogue
    KERBEROS 4 authentication dialogue

    A Simple Authentication Dialogue

    [Figure: workstations, servers and an authentication server connected by a network]

    Authentication Server - AS

    AS knows passwords of all users
    AS shares a unique secret key with each server

    A Simple Authentication Dialogue

    (1) $C \rightarrow AS: ID_c \| P_c \| ID_v$
    (2) $AS \rightarrow C: Ticket$
    (3) $C \rightarrow V: ID_c \| Ticket$

    $Ticket = E_{K_v}[ID_c \| AD_c \| ID_v]$

    A Simple Authentication Dialogue

    Ticket encrypted to prevent forgery
    $ID_v$ for server to verify its decryption
    $ID_c$ to verify that this ticket is for C
    $AD_c$ to prevent masquerading from another workstation

    A Simple Authentication Dialogue

    Problems

    Users have to enter their password every time they access the server/service
    Plaintext transmission of the user's password

    A More Secure Authentication Dialogue

    [Figure: workstations, servers, an authentication server and a ticket-granting server connected by a network]

    Ticket Granting Server - TGS

    TGS grants a ticket for a particular service ($Ticket_v$)
    First, user must be authenticated at AS and obtain ticket-granting ticket ($Ticket_{tgs}$)
    $Ticket_{tgs}$ is saved at workstation

    A More Secure Authentication Dialogue

    Once per user logon session:
    (1) $C \rightarrow AS: ID_c \| ID_{tgs}$
    (2) $AS \rightarrow C: E_{K_c}[Ticket_{tgs}]$

    Once per type of service:
    (3) $C \rightarrow TGS: ID_c \| ID_v \| Ticket_{tgs}$
    (4) $TGS \rightarrow C: Ticket_v$

    Once per service session:
    (5) $C \rightarrow V: ID_c \| Ticket_v$

    A More Secure Authentication Dialogue

    $Ticket_{tgs} = E_{K_{tgs}}[ID_c \| AD_c \| ID_{tgs} \| TS_1 \| Lifetime_1]$
    $Ticket_v = E_{K_v}[ID_c \| AD_c \| ID_v \| TS_2 \| Lifetime_2]$

    ($K_{tgs}$ - key known only by AS and TGS)
    ($K_v$ - key known only by server and TGS)

    A More Secure Authentication Dialogue

    User's password is not transmitted.
    $Ticket_{tgs}$ is encrypted by key derived from user's password.
    Tickets are reusable but are timestamped to prevent replay attack.

    A More Secure Authentication Dialogue

    Problems:

    Lifetime associated with the ticket-granting ticket
      If too short -> repeatedly asked for password
      If too long -> greater opportunity to replay
      Similarly for service-granting ticket
    Opponent masquerades as server

    Version 4 Authentication Dialogue

    Authentication Service Exchange: To obtain Ticket-Granting Ticket

    (1) $C \rightarrow AS: ID_c \| ID_{tgs} \| TS_1$
    (2) $AS \rightarrow C: E_{K_c}[K_{c,tgs} \| ID_{tgs} \| TS_2 \| Lifetime_2 \| Ticket_{tgs}]$

    $Ticket_{tgs} = E_{K_{tgs}}[K_{c,tgs} \| ID_c \| AD_c \| ID_{tgs} \| TS_2 \| Lifetime_2]$

    To counter replay attack and prove user identity:
      AS provides session key to TGS and user ($K_{c,tgs}$)
      Timestamp is also included

    Version 4 Authentication Dialogue

    Ticket-Granting Service Exchange: To obtain Service-Granting Ticket

    (3) $C \rightarrow TGS: ID_v \| Ticket_{tgs} \| Authenticator_c$
    (4) $TGS \rightarrow C: E_{K_c}[K_{c,v} \| ID_v \| TS_4 \| Ticket_v]$

    $Ticket_{tgs} = E_{K_{tgs}}[K_{c,tgs} \| ID_c \| AD_c \| ID_{tgs} \| TS_2 \| Lifetime_2]$
    $Ticket_v = E_{K_v}[K_{c,v} \| ID_c \| AD_c \| ID_v \| TS_4 \| Lifetime_4]$
    $Authenticator_c = E_{K_{c,tgs}}[ID_c \| AD_c \| TS_3]$

    Authenticator has a very short lifetime to prevent replay
    $K_{c,v}$ is the session key between user and server

    Version 4 Authentication Dialogue

    Client/Server Authentication Exchange: To Obtain Service

    (5) $C \rightarrow V: Ticket_v \| Authenticator_c$
    (6) $V \rightarrow C: E_{K_{c,v}}[TS_5 + 1]$

    $Ticket_v = E_{K_v}[K_{c,v} \| ID_c \| AD_c \| ID_v \| TS_4 \| Lifetime_4]$
    $Authenticator_c = E_{K_{c,v}}[ID_c \| AD_c \| TS_5]$

    If the server is also required to prove itself to the user, then (6) is used.
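The checks server V can apply to message (5) before answering with message (6), as an added example that is not part of the original slides. The `seal`/`unseal` helpers are a stand-in (SHA-256 keystream plus HMAC) for Version 4's DES, and the JSON field names, `MAX_SKEW`, the replay cache and all sample values are assumptions made for illustration.

```python
import hashlib, hmac, json

def _stream(key, n):
    # SHA-256 counter keystream: illustrative stand-in for v4's DES
    blocks = (hashlib.sha256(key + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, fields):
    """E_K[...]: encrypt the fields, then append an HMAC-SHA256 tag."""
    pt = json.dumps(fields).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, len(pt))))
    return ct + hmac.new(key, ct, hashlib.sha256).digest()

def unseal(key, blob):
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or modified ciphertext")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, len(ct)))))

MAX_SKEW = 300  # assumed authenticator freshness window, seconds

class ServerV:
    def __init__(self, id_v, k_v):
        self.id_v, self.k_v, self.seen = id_v, k_v, set()

    def accept(self, ticket_v, authenticator, src_addr, now):
        """Validate message (5); return message (6) = E_Kc,v[TS5 + 1]."""
        t = unseal(self.k_v, ticket_v)       # only TGS and V hold K_v
        k_cv = bytes.fromhex(t["k_cv"])
        a = unseal(k_cv, authenticator)      # sender must know K_c,v
        if t["id_v"] != self.id_v:
            raise ValueError("ticket issued for another server")
        if (a["id_c"], a["ad_c"]) != (t["id_c"], t["ad_c"]) or a["ad_c"] != src_addr:
            raise ValueError("identity or address mismatch")
        if not t["ts4"] <= now <= t["ts4"] + t["lifetime4"]:
            raise ValueError("ticket outside its lifetime")
        if abs(now - a["ts5"]) > MAX_SKEW:
            raise ValueError("stale authenticator")
        if (a["id_c"], a["ts5"]) in self.seen:
            raise ValueError("replayed authenticator")
        self.seen.add((a["id_c"], a["ts5"]))
        return seal(k_cv, {"ts": a["ts5"] + 1})

def demo():
    # Constructed sample values: keys, names and times are illustrative
    k_v, k_cv = b"K_v: TGS and V only", b"K_c,v session key"
    ticket = seal(k_v, {"k_cv": k_cv.hex(), "id_c": "alice", "ad_c": "10.0.0.5",
                        "id_v": "fileserver", "ts4": 1000, "lifetime4": 3600})
    auth = seal(k_cv, {"id_c": "alice", "ad_c": "10.0.0.5", "ts5": 1010})
    v = ServerV("fileserver", k_v)
    return unseal(k_cv, v.accept(ticket, auth, "10.0.0.5", now=1012))["ts"]

if __name__ == "__main__":
    print(demo())
```

A second presentation of the same authenticator is rejected even while the ticket is still within its lifetime, which is the property the short authenticator lifetime on the previous slide is meant to provide.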

    Overview of Kerberos

    Realms and Multiple Kerberi

    The KERBEROS environment we have just covered is called a realm.
    There can be multiple realms where a user in one realm can access services in another realm.
    The KERBEROS server in each realm shares a secret key with servers in another realm.
    KERBEROS servers are registered with one another.

    Request for Service in Another Realm

    KERBEROS 4 Environmental Limitations

    Encryption system dependence (V.4 DES)
    Internet protocol dependence
    Message byte ordering
    Ticket lifetime
    Authentication forwarding
    Interrealm authentication

    KERBEROS 4 Technical Limitations

    Double encryption: message (2) and (4)
    PCBC encryption (propagating block chaining) has weakness
    Session keys can be used repeatedly
    Password attacks

    Kerberos Encryption Techniques

    Password-to-Key Transformation


    PCBC Mode

    Kerberos - in practice

    Currently have two Kerberos versions:
      4: restricted to a single realm
      5: allows inter-realm authentication
    Kerberos v5 is an Internet standard specified in RFC 1510, and used by many utilities
    To use Kerberos:
      need to have a KDC on your network
      need to have Kerberized applications running on all participating systems
      major problem - US export restrictions
      Kerberos cannot be directly distributed outside the US in source format (& binary versions must obscure crypto routine entry points and have no encryption)
      else crypto libraries must be implemented locally

    X.509 Authentication Service

    X.509 is a part of the X.500 directory service
    Distributed set of servers that maintains a database about users.
    Each certificate contains the public key of a user and is signed with the private key of a CA.
    Is used in S/MIME, IP Security, SSL/TLS and SET.
    RSA is recommended for use.

    X.509 Formats

    Typical Digital Signature Approach

    Obtaining a User's Certificate

    Characteristics of certificates generated by CA:

    Any user with access to the public key of the CA can recover the user public key that was certified.
    No party other than the CA can modify the certificate without this being detected.

    X.509 CA Hierarchy

    Revocation of Certificates

    Reasons for revocation:

    The user's secret key is assumed to be compromised.
    The user is no longer certified by this CA.
    The CA's certificate is assumed to be compromised.

    Authentication Procedures

    Recommended Reading and Web Sites

    www.whatis.com (search for kerberos)
    Bryant, W. Designing an Authentication System: A Dialogue in Four Scenes. http://web.mit.edu/kerberos/www/dialogue.html
    Kohl, J.; Neuman, B. The Evolution of the Kerberos Authentication Service. http://web.mit.edu/kerberos/www/papers.html
    http://www.isi.edu/gost/info/kerberos/