1 / 21

Kerberos Authentication

Kerberos Authentication. Alternative to one time passwords. Need for an authentication scheme which never sends the passwords in clear text form over the network.

chiara
Télécharger la présentation

Kerberos Authentication

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Kerberos Authentication

  2. Alternative to one time passwords • Need for an authentication scheme which never sends the passwords in clear text form over the network. • One time password is an example where the actual password is not sent along the communication line, rather a derivative is sent on to the server. • Authentication methods based on cryptography are required. • Also there is a need to authenticate for services without entering password every time. • E.g. r-commands on Unix.

  3. One-time passwords • As the name implies a password is used only once. Typically password is generated by applying repeatedly MD5 algorithm on a secret password. • Let p the password and f is the one-way MD5 function. Initially let n=9, then the first time password transmitted for verification will be f9(p) and next time it will be f 8(p) and so on.

  4. Kerberos Authentication • Alternative to one-time passwords • Allow workstations to authenticate themselves to services running on servers without ever sending a password in clear text over the network.

  5. Kerberos Authentication • Kerberos is a distributed authentication service that allows a process (a client) running on behalf of a principal (a user) to prove its identity to a verifier (an application server or server) without sending data across the network. • Developed as part of MIT’s Project Athena.

  6. The Word of “Kerberos” • Also spelled as Cerberus. n. The watch dog of Hades (in the ancient Greece), whose duty was to guard the entrance -- against whom or what does not clearly appear; ...it is known to have three heads. ...--- The Enlarged Devil’s Dictionary,byAmbrose Bierce

  7. How Kerberos works? • Kerberos authentication scheme uses a series of encrypted messages to a verifier (server) that a client is running on behalf of a particular user. • More precisely that the client has knowledge of an encryption key that is known by the user and the authentication server. • The users encryption key is derived and should be thought of as a password; similarly, each application server shares an encryption key with the authentication server- call this key as the sever key.

  8. How Kerberos works? • The client (C)and server (V) do not initially share an encryption key. • Whenever the client authenticates itself to a new verifier it relies on the authentication server (AS) to generate a new encryption key and distribute it securely to both parties. • This new encryption key is called session key and a ticket mechanism is used to distribute this key to the verifier.

  9. Kerberos Ticket? • Ticket is a certificate issued by the authentication server, encrypted using server key. • Ticket contains a random session key, which will be used to for the authentication of the principal to the verifier, the name of the principal to whom the session key was issued, and an expiration time after which the session key is no longer valid (time stamp). • The ticket is not sent directly to the verifier, but is instead sent to the client who forwards it to the verifier as part of the application request. • Since the ticket is encrypted in the server key, known only by the authentication server and the indented verifier, it is not possible for the client to modify the ticket without detection.

  10. Basic Kerberos (simplified) symbols used: c: client/client name v: server/server name AS: authentication service n: nonce Kc,v: shared key btwn c & v timeexp: expiring time Kc: shared key btwn c & AS Kv: shared key btwn v & AS Ksubsession: a session key btwn c & v

  11. authentication service 1 2 3 server 4 Basic Kerberos (simplified) Client 1. client-name, server-name, expiring-time, random-num. 2. DESKc(Kc,v, expiring-time,random-num.,...), DESKv(Tc,v) 3. DESKc,v(time-stamp, session-key,...), DESKv(Tc,v) 4. DESKc,v(time-stamp), (this step is optional) where Tc,v = Kc,v, client-name, expiring-time, ...

  12. Full Kerberos (simplified) Symbols used: c: client/client name v: server/server name AS: authentication service TGS: ticket grant service n: nonce Kc,v: shared key btwn c & v timeexp: expiring time Kc: shared key btwn c & AS Kv: shared key btwn v & AS Ktgs: shared key btwn TGS & AS Kc,tgs: shared key btwn c & TGS Ksubsession: a session key btwn c & v

  13. Identification • An Identification (ID) Protocol allows one party (say Alice) to convince another party (say Bob) of her identity • similar to Authentication. • But an ID protocol must also meet a more stringent requirement: • It must be secure against ALL THREE types of attacks Marvin can mount (see Attacks slide) • Protocol Eavesdropping • Impersonating as Verifier to Prover • Honest Verifier knowledge compromise • Hence it’s also called a “passport protocol”.

  14. Exercise • State whether or not each of the following is an ID protocol, and if not, describe an attack (one of the 3 type/s) that it succumbs to: • Challenge-and-Response Protocol • One-way function based Password Protocol

  15. Schnorr passport protocol • Involving • A trusted authority (TA) to issue “certificates/passports” • A certificate holder • A verifier

  16. Setting up by the TA • TA’s public key = (y, p, q, g), where • p = a prime of at least 512 bits. • q = a 160-bit prime divisor of p-1. • g = h(p-1)/qmod p, where h is any integer with 1 < h < p-1 s.t. h(p-1)/q mod p > 1(g has order q mod p.) • y = g -x mod p, where x is an integer randomly selected from [1, q-1]. • TA’s secret key is x.

  17. Issuing a certificate by TA x a Alice TA IDAlice || V Check the ID, and then using Schnorr signature to sign (IDAlice || V ). Let W = sign(IDAlice ||V ) W • Alice’s certificate: (IDAlice || V || W) • Alice’s secret: a

  18. Schnorr signature - Signing a doc M by TA • To sign a document M=(IDAlice || V), TA does the following: • randomly pick an integer k from [1, q-1]. • r = Hash(gk mod p, M) • s = (k + x * r)) mod q,where Hash is a 1-way hash. • TA’s signature on M is the pair of numbers W=(r, s).

  19. How Alice proves her ID to Bob a Alice Bob Forwarding cert. (IDAlice || V || W) Verify the cert. If not OK, then abort. OK Q c d Accept if Q=gdVcmod p

  20. Important points • Setting up & certificate issuing are one-off operations. • Bob the verifier needs to have access to TA’s public key. • The actual proving protocol has 2 parts: • Shows that the certificate is OK, & • Demonstrate that Alice “knows” the secret associated with the certificate.

  21. Security of Schnorr Protocol • The Schnorr protocol (slightly modified) can be proved to be an ID Protocol, assuming that the discrete-logarithm problem is difficult: • The probability that Marvin can successfully masquerade Alice to an Honest verifier Bob is negligibly small, even if Marvin mounts all of the three types of attacks.

More Related