
Protocols Symmetric Key Establishment Kerberos

Protocols Symmetric Key Establishment Kerberos. Nicolas T. Courtois - University College London. Multi-Party Protocols. Protocols. A security protocol is a sequence of communications that two or more principals undertake to securely achieve an objective.


Presentation Transcript


  1. Protocols Symmetric Key Establishment Kerberos. Nicolas T. Courtois - University College London

  2. Multi-Party Protocols Nicolas T. Courtois, January 2009

  3. Protocols
     A security protocol is a sequence of communications that two or more principals undertake to securely achieve an objective.
     Principals: people, organizations, governments, computers, USB devices, smart cards, concurrently running processes, etc.

  4. Securely?
     Need for a formal definition:
     • Objectives of the attacker (win a certain game).
     • Resources
     • Access
     However carefully designed, protocols have subtle flaws found 20 years later: types of attacks that the designer neither intended nor imagined.

  5. What If?
     Many protocols have the following properties:
     • If all participants are honest, they work.
     • If participants are honest but curious, they learn nothing.
     • If one participant cheats,
       • it will be detected,
       • it is not always possible to know who cheated.
     • It is usually possible to disturb the protocol (denial of service);
       • it is not always possible to know whose fault it was.

  6. Overall Goal
     The protocol will either securely succeed or abort.
     • Moreover, if all participants are honest, including honest but curious, the protocol should always succeed.

  7. The Dolev-Yao Model
     Defines an attacker for all cryptographic protocols.

  8. The Dolev-Yao Model
     Attacker = the Network
     • The attacker can read, modify, copy and create his own messages.
     • In other words, the attacker has totally compromised the ambient medium of communication (the network).
     ========== our minimum standard ==========

  9. Dynamic Authentication

  10. Symmetric Key Unilateral Auth. with a Nonce
      A and B both hold the key K.
      • B → A: randomB
      • A → B: A, MAC_K(randomB, B)
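
The exchange on slide 10 as an added Python example (not part of the original slides): B issues randomB and accepts A's reply only if the MAC verifies over that nonce and B's own name. HMAC-SHA256 stands in for MAC_K, and the `mac` helper, the `Verifier` class and the key are constructed for the illustration.

```python
import hashlib
import hmac
import os

def mac(key, nonce, verifier_id):
    # MAC_K(randomB, B); the length prefix keeps the two fields unambiguous.
    msg = len(nonce).to_bytes(2, "big") + nonce + verifier_id
    return hmac.new(key, msg, hashlib.sha256).digest()

class Verifier:
    """B's side: issues randomB, then checks A, MAC_K(randomB, B)."""
    def __init__(self, name, shared_keys):
        self.name = name
        self.shared_keys = shared_keys    # claimant name -> K
        self.outstanding = set()          # nonces issued, not yet answered

    def challenge(self):
        nonce = os.urandom(16)
        self.outstanding.add(nonce)
        return nonce

    def check(self, nonce, claimant, tag):
        if nonce not in self.outstanding:
            return False                  # never issued, or already consumed
        self.outstanding.discard(nonce)   # each nonce is accepted once
        key = self.shared_keys.get(claimant)
        if key is None:
            return False
        return hmac.compare_digest(tag, mac(key, nonce, self.name))

def demo():
    k = os.urandom(32)                    # constructed key shared by A and B
    bob = Verifier(b"B", {b"A": k})
    n1 = bob.challenge()
    tag1 = mac(k, n1, b"B")               # A's honest reply
    results = {"honest": bob.check(n1, b"A", tag1)}
    results["same_nonce_again"] = bob.check(n1, b"A", tag1)
    n2 = bob.challenge()
    results["old_reply_new_nonce"] = bob.check(n2, b"A", tag1)
    n3 = bob.challenge()
    # A reply that A computed for a verifier named C does not verify at B.
    results["reply_meant_for_C"] = bob.check(n3, b"A", mac(k, n3, b"C"))
    return results
```

Only the first reply is accepted: a recorded reply fails against a fresh nonce, and a reply computed for another verifier's name fails because B's identity is inside the MAC.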

  11. PK Versions

  12. Public Key-Based Schemes
      Here there are more possibilities than with time. Two approaches exist.
      Alice has her private key SK(A). Two methods to demonstrate the knowledge of this key:
      • sign a message chosen by Bob,
      • decrypt a message encrypted by Bob with Alice's public key.
      The message should contain a random value, the ID of the receiver, and maybe some long padding.

  13. PK-Unilateral with PK Encryption
      A holds SK(A) and PK(A); B holds PK(A).
      • B → A: h(rB), B, E_PK(A)(rB, B)
      • A → B: rB

  14. Same with PKI
      A holds SK(A) and PK(A); B holds PK(A) and PKCert.
      • A → B: certA
      • B → A: h(rB), B, E_PK(A)(rB, B)
      • A → B: rB

  15. PK-Unilateral with Dig. Sign.
      A holds SK(A) and PK(A); B holds PK(A) and PKCert.
      • B → A: rB
      • A → B: certA, rA, S_SK(A)(rA, rB, B)

  16. Uni-directional vs. Mutual Authentication
      Both parties hold K.
      • statement1, [interactive] proof1
      • statement2, [interactive] proof2

  17. Key Establishment

  18. The Need
      Secure messaging: encrypt all exchanges (commands and data) between Alice and Bob.
      Key establishment is kind of always needed, even if Alice and Bob already share a key.
      Need for a session key (a short term key).
      [Figure label: Encrypted]

  19. Why Short Term Keys?
      Need for a session key (a short term key):
      • limit key exposure,
      • in many systems (e.g. GSM) session keys are pre-computed in advance by a more secure part of the system (!)
      • bank card master key never used with data chosen by the user (foil DPA).
      • keys should be fresh in order to prevent replay of the messages from the last session => total session independence
      • cryptanalysis: security of symmetric crypto degrades with usage => limit the amount of data that the attacker can dispose of.
      • better to re-establish keys when needed,
      • avoid expensive storage of too many keys locally
      • in the PK case, it is in fact TOTALLY impossible to use PK crypto to encrypt quantities of data, just too slow, so a symmetric key is always needed.
        • one method to get it is key establishment, studied here later.
        • second method is called hybrid encryption, e.g. in PGP / GNU PG.

  20. Key Establishment?
      Three types, we study only two:
      • symmetric crypto + TTP
        • Application: Kerberos, enterprise networks
      • public key crypto + authentic[ated] channel
        • Application: SSL/TLS: e-commerce.
      [Figure label: encrypted]

  21. Key Derivation

  22. Symmetric Key Derivation
      Again needed even if the key is already shared.
      Key diversification = key derivation, very widely used in the industry.
      [Diagram: long-term shared key K and IV / data → Encrypt_K or Hash → short-lived session key]

  23. Symmetric Key Establishment
      No shared key. Requires a Trusted Third Party = TTP,
      • which is also a sort of "symmetric key infrastructure" (<> PKI).
      Example: Needham-Schroeder Symmetric Key Establishment Protocol,
      • basis of the Kerberos protocol.
      Applications: domain server in Windows 2000 and better
      • security part of the Microsoft Active Directory system

  24. Symmetric Needham-Schroeder Key Exchange Protocol with TTP

  25. Needham-Schroeder - Summary
      There are two Needham-Schroeder protocols 1,2. Very different. Beware of confusion!
      • symmetric key est. N-S: broken by [Denning and Sacco 1981]
        • fixed by Denning and Sacco and in Kerberos v4/5 adding timestamps,
        • and by [Needham-Schroeder 1987] adding an extra nonce and extra messages.
        • VERY WIDELY used: Unix, Windows…
      • asymmetric mut. auth. N-S: attack was found [Lowe 1995] after as many as 17 years…

  26. Symmetric Needham-Schroeder [78]
      3 Goals: Mutual Authentication and Key Establishment.
      T = Trusted Third Party; A and T have a shared key KAT.
      1) key retrieval:
         A → T: A, B, rA                        (1)
         A ← T: {rA, B, k, {k,A}_KBT}_KAT       (2)   so T knows k…
         A → B: {k,A}_KBT                       (3)
      2) key confirmation:
         A ← B: {rB}_k                          (4)
         A → B: {rB - 1}_k                      (5)
      [Diagram label: ticket]

  27. Kerberos

  28. Kerberos
      A protocol for enterprise networks: authentication + secure channels.
      Developed at MIT.
      • Fixed in Version 5 = RFC510.
      Very widely used [Microsoft, Unix, Cisco, Apple].

  29. The n^2 Problem and Securing Public Networks
      • If we have n users, we need n^2/2 keys * key size!
      • How to distribute these keys?
      Wish list: a combination of public key techniques and AES…
      But can this be solved with secret key techniques alone?

  30. Kerberos Goals
      • user->server authentication
      • + secure channels
      • works in enterprise networks
      • typically uses port 88 on machines
      • on Windows, Unix and Mac
      • supports Single Sign On
      • uses secret key cryptography only.
      • initially used only DES, 3DES added later.

  31. Outline

  32. Name-Based Authentication
      Two principals know each other by names in the central database,
      e.g. ncourtois.root@UCL.AC.UK
      They are authenticated as such.

  33. Key Notion: Ticket
      Tickets are like one-time passwords.
      • They are encrypted, can be decrypted by the intended recipient only.
      • Can encapsulate other encrypted quantities (or tickets).
      • They are valid for a limited time
        • bail expires eventually
      • Replay attacks are possible
        • must be timely: tickets have timestamps and expire
        • possible policy: check if the same ticket was used twice and deny access. Hassle from false alarms + reissue of new tickets.

  34. Simplified Kerberos = Symmetric N-S with Timestamps
      3 Goals: Mutual Authentication and Key Establishment.
      T = Trusted Third Party; A and T have a shared key KAT. L = Lifetime.
      1) key retrieval:
         A → T: A, B                                  (1)
         A ← T: {tT, L, k, B, {tT,L,k,A}_KBT}_KAT     (2)
         A → B: {tT,L,k,A}_KBT, {A, tA}_k             (3)
      2) key confirmation:
         A ← B: {tA+1}_k                              (4)
      [Diagram labels: ticket, service ticket]
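
An added Python example, not from the original slides, of B's checks on message (3) of slide 34 together with the reuse policy of slide 33: ticket lifetime, authenticator freshness, and a cache of authenticators already seen. The original Needham-Schroeder message (3), {k,A}_KBT, carries nothing B could check for age, which is what the timestamps add. `seal`/`unseal` are a toy stand-in for {...}_K, and the 300-second skew, the names and the clock values are assumptions.

```python
import hashlib
import hmac
import json
import os

def seal(key, obj):
    # Toy stand-in for {...}_K (SHAKE-256 keystream + HMAC tag), not a real cipher.
    pt, iv = json.dumps(obj).encode(), os.urandom(16)
    ks = hashlib.shake_256(key + iv).digest(len(pt))
    ct = bytes(a ^ b for a, b in zip(pt, ks))
    return iv + ct + hmac.new(key, iv + ct, hashlib.sha256).digest()

def unseal(key, blob):
    iv, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, iv + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or modified message")
    ks = hashlib.shake_256(key + iv).digest(len(ct))
    return json.loads(bytes(a ^ b for a, b in zip(ct, ks)))

class Server:
    """B's checks on message (3): {tT,L,k,A}_KBT, {A,tA}_k."""
    def __init__(self, k_bt, skew=300):
        self.k_bt, self.skew, self.seen = k_bt, skew, set()

    def accept(self, ticket, authenticator, now):
        try:
            t = unseal(self.k_bt, ticket)
            a = unseal(bytes.fromhex(t["k"]), authenticator)
        except ValueError:
            return "reject: not decryptable"
        if not t["tT"] - self.skew <= now <= t["tT"] + t["L"]:
            return "reject: ticket outside lifetime"
        if a["A"] != t["A"] or abs(now - a["tA"]) > self.skew:
            return "reject: authenticator stale or for another name"
        if (a["A"], a["tA"]) in self.seen:
            return "reject: authenticator replayed"
        self.seen.add((a["A"], a["tA"]))
        return "accept"

def demo():
    k_bt, k, t0 = os.urandom(32), os.urandom(32), 1_000_000  # constructed values
    b = Server(k_bt)
    ticket = seal(k_bt, {"tT": t0, "L": 3600, "k": k.hex(), "A": "A"})  # made by T
    auth = seal(k, {"A": "A", "tA": t0 + 10})
    first = b.accept(ticket, auth, now=t0 + 12)
    again = b.accept(ticket, auth, now=t0 + 20)
    # Old ticket presented a day later by someone who has learned k:
    late = b.accept(ticket, seal(k, {"A": "A", "tA": t0 + 86_400}), now=t0 + 86_400)
    return first, again, late
```

The third case is the Denning-Sacco situation from slide 25: knowing an old session key does not help once B refuses tickets past their lifetime, and this check is only as good as B's clock.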

  35. Real Kerberos
      Two types of these tickets at two different levels:
      • Master Ticket = Ticket Granting Ticket
        • allows requesting many individual tickets
      • Service Ticket. Contains an Authenticator.
        • allows access to one service at one moment for a limited time

  36. Keys In Kerberos
      Highest level: long-term private keys KAT. One for each of:
      • users
      • services
      • servers
      • workstations
      Important question: Does the workstation store the key KAT? Could be used to clone it.
      No, they are typically derived from passwords by hashing
      • can be either permanently stored in the Active Directory database, or created each time the user logs on with his workstation to the domain

  37. Kerberos
      Authentication Server = AS, e.g. domain controller, e.g. MS Active Directory.
      Once per type of service: ftp, telnet, http, etc.
      Ticket Granting Service = TGS; can be a different server as well.
      Encrypted Service Ticket conveys an authenticator and a session key:
      • client authenticated by the ticket
      • server authenticated [optional]
      • encrypted channel is created

  38. Kerberos Is Not Perfect
      • Requires trusting the TTP.
      • Security requires tight clock synchronization.
        • Frequently relaxed for convenience.
      • Password changing methods vary in different implementations.
      • Key length: apparently simple DES 56-bit keys still widely used…

  39. Quiz
      • What is a session key?
      • Why is it needed if two principals already share a key?
      • Recall 5 types of dynamic authentication.
      • What is the purpose of the Needham-Schroeder protocol in a Windows 2000 domain?
