![Page 1: Authentication and Key Establishment (Needham-Schroeder, Kerberos and KryptoKnight) February 19, 2003 Changho Choi choi@cs.umn.edu](https://reader035.vdocuments.site/reader035/viewer/2022062423/56649f325503460f94c4ecab/html5/thumbnails/1.jpg)
Authentication and Key Establishment(Needham-Schroeder, Kerberos and KryptoKnight)
February 19, 2003
Changho Choi
![Page 2: Authentication and Key Establishment (Needham-Schroeder, Kerberos and KryptoKnight) February 19, 2003 Changho Choi choi@cs.umn.edu](https://reader035.vdocuments.site/reader035/viewer/2022062423/56649f325503460f94c4ecab/html5/thumbnails/2.jpg)
Agenda
Motivation Basic concept for the authentication and key establishment Needham-Schroeder Kerberos KryptoKnight Summary
![Page 3: Authentication and Key Establishment (Needham-Schroeder, Kerberos and KryptoKnight) February 19, 2003 Changho Choi choi@cs.umn.edu](https://reader035.vdocuments.site/reader035/viewer/2022062423/56649f325503460f94c4ecab/html5/thumbnails/3.jpg)
Motivation
Reliable authentication of communicating entities and network users across an insecure network
Secure key establishment Protect the privacy and integrity of communication
Alice
Bob
How Securely?
Centralized key management and authentication
![Page 4: Authentication and Key Establishment (Needham-Schroeder, Kerberos and KryptoKnight) February 19, 2003 Changho Choi choi@cs.umn.edu](https://reader035.vdocuments.site/reader035/viewer/2022062423/56649f325503460f94c4ecab/html5/thumbnails/4.jpg)
Concepts and Classification
Key establishment: a shared secret becomes available to two or more parties, for subsequent cryptographic use.
key transport protocol one party creates, and securely transfers it to the other(s).
key agreement protocol: key establishment technique in which a shared secret is derived by two (or more) parties
key pre-distribution vs. dynamic(session) key establishment
Use of trusted servers trusted third party, trusted server, authentication server, key
distribution center (KDC), key translation center (KTC)
and certification authority (CA).
![Page 5: Authentication and Key Establishment (Needham-Schroeder, Kerberos and KryptoKnight) February 19, 2003 Changho Choi choi@cs.umn.edu](https://reader035.vdocuments.site/reader035/viewer/2022062423/56649f325503460f94c4ecab/html5/thumbnails/5.jpg)
2-Party Mutual Authentication Protocol(2PAP)
Alice
Bob
1. NA
2. NB,MACBA(NA,NB,B) 3. MACAB(NA,NB)
NA,NB : One time random number (Nonce)MACAB, MACBA: Message Authentication Code with a shared key
![Page 6: Authentication and Key Establishment (Needham-Schroeder, Kerberos and KryptoKnight) February 19, 2003 Changho Choi choi@cs.umn.edu](https://reader035.vdocuments.site/reader035/viewer/2022062423/56649f325503460f94c4ecab/html5/thumbnails/6.jpg)
KDC
Alice
Bob’sServer
1. A,B,NA2. {k,NA,B, {k,A}KB}KA
A,B: identities of hosts, KDC: Key Distribution CenterNA, NB : nonce
KA, KB: host keys shared by KDC and hostsk: session key for the host A and B{}k: Encryption with a key k
3. {k,A}KB
Needham-Schroeder
4. {NB}k5. {NB-1}k
![Page 7: Authentication and Key Establishment (Needham-Schroeder, Kerberos and KryptoKnight) February 19, 2003 Changho Choi choi@cs.umn.edu](https://reader035.vdocuments.site/reader035/viewer/2022062423/56649f325503460f94c4ecab/html5/thumbnails/7.jpg)
Needham-Schroeder
Properties Protocol provides A and B with a shared key k with key
authentication (4) and (5) provide entity authentication of A to B. If acceptable for A to re-use key k with B, A may securely cache
(3) with k To prevent replay of (4), {NA’}k should be appended to message (3),
and (4) should be replaced by {NA’-1, NB }k allowing A to verify B’s knowledge of k
![Page 8: Authentication and Key Establishment (Needham-Schroeder, Kerberos and KryptoKnight) February 19, 2003 Changho Choi choi@cs.umn.edu](https://reader035.vdocuments.site/reader035/viewer/2022062423/56649f325503460f94c4ecab/html5/thumbnails/8.jpg)
Kerberos
Enable network application to securely identify their peers Host A provides its identity by presenting a ticket to host B Tickets are issued by a trusted third party Key Distribution Center
(KDC) There is a shared key between KDC and any host Ticket is valid for a finite interval called its lifetime
Ticket contains session key, host’s identity and lifetime of the session key
![Page 9: Authentication and Key Establishment (Needham-Schroeder, Kerberos and KryptoKnight) February 19, 2003 Changho Choi choi@cs.umn.edu](https://reader035.vdocuments.site/reader035/viewer/2022062423/56649f325503460f94c4ecab/html5/thumbnails/9.jpg)
Initial ticket exchanging
KDC
1. A,B,NA2. {k,NA,L,B}KA, {k,A,L}KB
A,B: identities of hostsNA: nonce, L: Life time
KA, KB: host keys shared by KDC and hostsk: session key for the host A and B{k,A,L}KB: Ticket
3. {A,TA,L,B}k, {k,A,L}KBAlice
Bob’sServer
![Page 10: Authentication and Key Establishment (Needham-Schroeder, Kerberos and KryptoKnight) February 19, 2003 Changho Choi choi@cs.umn.edu](https://reader035.vdocuments.site/reader035/viewer/2022062423/56649f325503460f94c4ecab/html5/thumbnails/10.jpg)
Getting a Service Ticket
1. A,TGS,NA
2. {KA,TGS,NA}KA,{KA,TGS,A,L}KTGS
5. {AA}KA,B, {TA,B}KB
TGS
3. B, NA’, {A,L,TGS,TA}KA,TGS,{KA,TGS,A,L}KTGS 4. {KA,B,NA’}KA,TGS ,
{TA,B}KB
AA: A, L, B,TA
TA: Timestamp made by ATA,B: KA,B,A, L
KDC
AliceBob’sServer
UsuallyCo-located
![Page 11: Authentication and Key Establishment (Needham-Schroeder, Kerberos and KryptoKnight) February 19, 2003 Changho Choi choi@cs.umn.edu](https://reader035.vdocuments.site/reader035/viewer/2022062423/56649f325503460f94c4ecab/html5/thumbnails/11.jpg)
Kerberos Properties
Since timestamps are used, the hosts must provide both secure and synchronized clocks
If initial shared keys are password-derived, protocol is no more secure than secrecy of such password or their resistance to password-guessing attack
Lifetime is intended to allow A to re-use the ticket A creates new authenticator with new timestamp and same session
key k
![Page 12: Authentication and Key Establishment (Needham-Schroeder, Kerberos and KryptoKnight) February 19, 2003 Changho Choi choi@cs.umn.edu](https://reader035.vdocuments.site/reader035/viewer/2022062423/56649f325503460f94c4ecab/html5/thumbnails/12.jpg)
Needham-Schroeder vs. Kerberos
Kerberos lifetime parameter is not present in N-S In N-S, (2) (which is corresponds to Kerberos ticket) is do
uble-encrypted Authentication here employs nonce rather than timestamp Since B has no way of knowing if k is fresh, should k ever
be compromised, any party knowing it may both resend message (3) and compute a correct message (5) to impersonate A to B
This situation is ameliorated in Kerberos by the lifetime parameter which limits exposure to a fixed time interval
![Page 13: Authentication and Key Establishment (Needham-Schroeder, Kerberos and KryptoKnight) February 19, 2003 Changho Choi choi@cs.umn.edu](https://reader035.vdocuments.site/reader035/viewer/2022062423/56649f325503460f94c4ecab/html5/thumbnails/13.jpg)
KryptoKnight
Objective Minimal, flexible and scalable authentication and key distribution
for various network settings
Basic Concepts and Design Issues Minimal resource Utilization
Use hash function instead of encryption Minimize the number of messages
Flexible operational scenarios Scalable design
Use a nonce instead of time stamp
![Page 14: Authentication and Key Establishment (Needham-Schroeder, Kerberos and KryptoKnight) February 19, 2003 Changho Choi choi@cs.umn.edu](https://reader035.vdocuments.site/reader035/viewer/2022062423/56649f325503460f94c4ecab/html5/thumbnails/14.jpg)
Basic Key Distribution
Not secure with respect to key integrity Any intruder can modify the key distribution and cause A to extrac
t a key not issued by the KDC
Timeliness of the KDC’s response
Alice
1. NA
2. NK, MACA(NA,NK,KDC) KaNew
3. MACa(NA,NK)KDC
optional
![Page 15: Authentication and Key Establishment (Needham-Schroeder, Kerberos and KryptoKnight) February 19, 2003 Changho Choi choi@cs.umn.edu](https://reader035.vdocuments.site/reader035/viewer/2022062423/56649f325503460f94c4ecab/html5/thumbnails/15.jpg)
Authenticated Key Distribution
2-Party Authenticated Key Distributiion Protocol(2PAKDP)
Braiding KDC’s nonce in flow 2 is hidden
Alice
NA
MACA(NA,NK,KDC), EA(MACA)NK
MACa(NA,NK)
KDCNK = Ka
New optional
![Page 16: Authentication and Key Establishment (Needham-Schroeder, Kerberos and KryptoKnight) February 19, 2003 Changho Choi choi@cs.umn.edu](https://reader035.vdocuments.site/reader035/viewer/2022062423/56649f325503460f94c4ecab/html5/thumbnails/16.jpg)
3-Party Scenarios
Assumption Two entities(A and B) want to authenticate with each other A and B have no shared secret There is a mutually-trusted KDC whom they each share a secret
![Page 17: Authentication and Key Establishment (Needham-Schroeder, Kerberos and KryptoKnight) February 19, 2003 Changho Choi choi@cs.umn.edu](https://reader035.vdocuments.site/reader035/viewer/2022062423/56649f325503460f94c4ecab/html5/thumbnails/17.jpg)
)K,(N Mac),N,(NMac abaaaaab
A-B-K Pull scenario
A is either unable, unauthorized, or unwilling to contact the KDC
A B KDCaNA,N,N ba
abbbabbb
abaaabaa
K )(MacE A),,K,(NMac
,K )(MacE B),,K,(NMac
)B,N,(NMac,N
,K )(MacE B),,K,(NMac
baabb
abaaabaa
)K,(N Mac),K,(NMac abbbabaa
optional
![Page 18: Authentication and Key Establishment (Needham-Schroeder, Kerberos and KryptoKnight) February 19, 2003 Changho Choi choi@cs.umn.edu](https://reader035.vdocuments.site/reader035/viewer/2022062423/56649f325503460f94c4ecab/html5/thumbnails/18.jpg)
K-A-B Push Scenario
Provide authentication on the forward flows to the KDC Direct handshake (2PAP) between A and B is no longer
needed
A BKDC
aN
B),N,(N Mac,N babb
A B),,,(NMac,N ,N baaba
abbbabbb
baab
K )(MacE A),,K,(NMac
,)N,(NMac
abbbabbb
abaaabaa
K )(MacE A),,K,(NMac
,K )(MacE B),,K,(NMac
B),N,(N Mac babb optional
![Page 19: Authentication and Key Establishment (Needham-Schroeder, Kerberos and KryptoKnight) February 19, 2003 Changho Choi choi@cs.umn.edu](https://reader035.vdocuments.site/reader035/viewer/2022062423/56649f325503460f94c4ecab/html5/thumbnails/19.jpg)
Time-Based Push Scenario(K-A-B(t))
Connection between two parties is strictly controlled by servers in highly sensitive communication systems
Military system B is not available (i.e., is not on-line) at the time when A contacts the
KDC In K-A-B and A-B-K, B need to maintain state – Nb, A’s name, etc K-A-B(t) requires B to start keeping state starting only from flow 3
B has no connection to, or is otherwise unable to contact the KDC (i.e, mobile entity)
Hybrid (Partial Clock Synchronization) KDC-> A: Challenge-based, KDC->B: Time-based
![Page 20: Authentication and Key Establishment (Needham-Schroeder, Kerberos and KryptoKnight) February 19, 2003 Changho Choi choi@cs.umn.edu](https://reader035.vdocuments.site/reader035/viewer/2022062423/56649f325503460f94c4ecab/html5/thumbnails/20.jpg)
abbbabb
abaaabaa
K )(MacE A),,K(TS, MacTS,
,K )(MacE B),,K,(NMac
B),N,(NMac,N baabb
K-A-B(t)
A BKDC B ,Na
abbb
abba
K )(MacE
A),,K(TS, MacTS,,N
)N,(NMac baab
![Page 21: Authentication and Key Establishment (Needham-Schroeder, Kerberos and KryptoKnight) February 19, 2003 Changho Choi choi@cs.umn.edu](https://reader035.vdocuments.site/reader035/viewer/2022062423/56649f325503460f94c4ecab/html5/thumbnails/21.jpg)
Extension for Inter-Domain Protocol
![Page 22: Authentication and Key Establishment (Needham-Schroeder, Kerberos and KryptoKnight) February 19, 2003 Changho Choi choi@cs.umn.edu](https://reader035.vdocuments.site/reader035/viewer/2022062423/56649f325503460f94c4ecab/html5/thumbnails/22.jpg)
Kerberos
TGSlocal
A B5. {AA}KA,B, {TA,B}KB
2. {KA,TGSrem}KA,TGS ,
{TA,TGSrem}KTGSrem
TGSremote
1. {AA}KA,TGS, {TA,TGS}KTGS , TGSrem
3. {AA}KA,TGSrem,
{TA,TGSrem}KTGSrem
,
B
4. {KA,B}KA,TGSrem,
{TA,B}KB
AliceRemoteServer
![Page 23: Authentication and Key Establishment (Needham-Schroeder, Kerberos and KryptoKnight) February 19, 2003 Changho Choi choi@cs.umn.edu](https://reader035.vdocuments.site/reader035/viewer/2022062423/56649f325503460f94c4ecab/html5/thumbnails/23.jpg)
Key Exchange in Kerberos
CS.UMN.EDU
UMN.EDU
EDU
MIT.EDU
UMD.EDU
O(N2)
EDU
MIT.EDU UMN.EDU UMD.EDU
CS.UMN.EDUO(logN)
![Page 24: Authentication and Key Establishment (Needham-Schroeder, Kerberos and KryptoKnight) February 19, 2003 Changho Choi choi@cs.umn.edu](https://reader035.vdocuments.site/reader035/viewer/2022062423/56649f325503460f94c4ecab/html5/thumbnails/24.jpg)
Inter-Domain protocols
Kerberos Problem Puts most of the load on the initiating client Client A may be a mobile unit: no connection to its own KDC Client A may have a policy prohibiting it from communicating wit
h the outside without establishing a secure “context” Client B may have a policy requiring it to consult its own KDC fir
st before contacting A’s KDC
Assumption Existence of inter-domain keys
Keys that secure communication among KDCs in different domains
![Page 25: Authentication and Key Establishment (Needham-Schroeder, Kerberos and KryptoKnight) February 19, 2003 Changho Choi choi@cs.umn.edu](https://reader035.vdocuments.site/reader035/viewer/2022062423/56649f325503460f94c4ecab/html5/thumbnails/25.jpg)
)B,N,(N Mac,N
,K )(MacE B),A,,K,(NMac
baabb
ab1212aba12 abbbabbb
ab1212aba12
K )(MacE A),,K,(NMac
,K )(MacE B),A,,K,(NMac
A-B-K inter-domain Protocol(Without Inter-KDC communication)
AB
KDC2
KDC1
aN
)N,(NMac baab
A,N,N ba
ab1212aba12
a
K )(MacE B),A,,K,(NMac
,N B,
abaaabaa K )(MacE B),,K,(NMac
![Page 26: Authentication and Key Establishment (Needham-Schroeder, Kerberos and KryptoKnight) February 19, 2003 Changho Choi choi@cs.umn.edu](https://reader035.vdocuments.site/reader035/viewer/2022062423/56649f325503460f94c4ecab/html5/thumbnails/26.jpg)
With Inter-KDC communication
Environments One of hosts (A or B) has no connection to its own KDC Software size at one or both hosts is critical
Hide the inter-domain-ness of the protocol The burden and complexity due to inter-domain issues can be isolated
in KDCs KDCs can communicate among themselves more efficiently than h
osts
Protocols: A-B-K-K, K-K-A-B and K-K-A-B(t)
![Page 27: Authentication and Key Establishment (Needham-Schroeder, Kerberos and KryptoKnight) February 19, 2003 Changho Choi choi@cs.umn.edu](https://reader035.vdocuments.site/reader035/viewer/2022062423/56649f325503460f94c4ecab/html5/thumbnails/27.jpg)
)B,N,(NMac,N
,K )(MacE B),,K,(NMac
baabb
abaaabaa abbbabbb
abaaabaa
K )(MacE A),,K,(NMac
,K )(MacE B),,K,(NMac
A-B-K-K Protocol
AB
KDC2
KDC1
ab1212ab212
abaaabaa
K )(MacE A),B,,K,(NMac
,K)(MacE B),,K ,(NMac
aN
A,N,N ba
B A,,N,N 2a
)N,(NMac baab
![Page 28: Authentication and Key Establishment (Needham-Schroeder, Kerberos and KryptoKnight) February 19, 2003 Changho Choi choi@cs.umn.edu](https://reader035.vdocuments.site/reader035/viewer/2022062423/56649f325503460f94c4ecab/html5/thumbnails/28.jpg)
Disadvantages in inter-KDC communication
Sacrifice of the KDC’s stateless nature KDC2 has to keep state between flows
At least A, B, Kab and Na must be kept Alternatively, KDC2 can “export” the state information
Including the state variables in the flow to KDC1 KDC1 then simply echoes them back in its reply
![Page 29: Authentication and Key Establishment (Needham-Schroeder, Kerberos and KryptoKnight) February 19, 2003 Changho Choi choi@cs.umn.edu](https://reader035.vdocuments.site/reader035/viewer/2022062423/56649f325503460f94c4ecab/html5/thumbnails/29.jpg)
Summary
Supporting a flexible range of network configurations, avoiding reliance on tightly-synchronized clocks or counters
Minimizing message sizes and cryptographic operations Light-weight protocol in terms of resource usage and
suitable for low-end devices with limited memory and processing capability
![Page 30: Authentication and Key Establishment (Needham-Schroeder, Kerberos and KryptoKnight) February 19, 2003 Changho Choi choi@cs.umn.edu](https://reader035.vdocuments.site/reader035/viewer/2022062423/56649f325503460f94c4ecab/html5/thumbnails/30.jpg)
References J. Kohl, B. Neuman, and T. Ts’o. The Evolution of the Kerberos Auth
entication Service. In F. Brazier and D. Johansen, editors, Distributed Open Systems. IEEE Computer Society Press,1994.
R. Bird, I. Gopal, A. Herzberg, P. Johnson, S. Kutten, R. Molva, and M. Yung, “The KryptoKnight Famliy of Light-Weight Protocols for Authentication and Key Distribution,” IEEE/ACM Transactions on Networking, vol. 3, no. 1, pp. 31-41, 1995.
P. Janson, G. Tsudik, and M. Yung. Scalability and flexibility in authentication services: the KryptoKnight approach. In Proc. of IEEE INFOCOM, pages 725--736, April 1997.