1 / 16

ECE-8843 csc.gatech/copeland/jac/8843/ Prof. John A. Copeland

ECE-8843 http://www.csc.gatech.edu/copeland/jac/8843/ Prof. John A. Copeland john.copeland@ece.gatech.edu 404 894-5177 fax 404 894-0035 Office: GCATT Bldg 579 email or call for office visit, or call Kathy Cheek, 404 894-5696 Chapter 4a - Kerberos. Kerberos, v4 and v5.

virginia-wiley
Télécharger la présentation

ECE-8843 csc.gatech/copeland/jac/8843/ Prof. John A. Copeland

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. ECE-8843 http://www.csc.gatech.edu/copeland/jac/8843/ Prof. John A. Copeland john.copeland@ece.gatech.edu 404 894-5177 fax 404 894-0035 Office: GCATT Bldg 579 email or call for office visit, or call Kathy Cheek, 404 894-5696 Chapter 4a - Kerberos

  2. Kerberos, v4 and v5 Provides a complete protocol for authentication and secure communications for hosts connected by a data communications network • Provides secure "tickets" to hosts that can be used to initiate a secure message exchange • Standard message formats for encrypted and signed messages, or signed plaintext messages • Formats for encoding expiration time, names, ... • Allows "read-only" slave KDC's (distributed KDCs) 2

  3. Keberos uses Mediated Authentication ) (with a Key Distribution Center, KDC Bob Jack Alice Kbob Kalice Mary Tom KDC Paul Dick Trudi Jip Harry Peter 3 KDC has unique Secret Keys with all legitimate hosts.

  4. Alice Alice Bob has Alice PC (human) Key {Ka,{TGT;Kk}; hashes logs on Shared Dist. Kak} Alice's to Ctr Secret Key passwork Alice, Alice wants gen.s to get a (PC) with KDC, Bob,{TGT;Kk}, DES Key, Kab, has Kk {time;Ka} Kbob Kalice=Ka {Bob,Kab,Ticket -Bob; Ka} {time; Kab}, {Kab,Alice; Kbob} ="Ticket" {time + 1, Kab} After the 1st exchange with the KDC, Alice has a session key, Ka, and a "Ticket-Granting Ticket" that she can use to request "Tickets" from KDC • PC erases Alice's password and Kak from disk and RAM. • Time(stamp) is used as nonce (seconds after 1/1/1970) 4

  5. 5

  6. Slave Host KDC Host Slave Host Host KDC Host Master Host KDC Slave {db;Kmaster} Host KDC Host Host Slave Host Slave KDC Host Realm KDC • Replicated KDCs (slaves) are read only. • Entire Host-KDC dasebase is downloaded periodically 6

  7. KDC (Hatter) KDC Lion (Lion) 1 2 Alice Dorothy 3 Lion can also be a Realm Realm "principal" in Wonderland Oz Wonderland (with the Queen's OK) Alice wants to talk to Dorothy 7

  8. Plaintext Cipher Block Chaining ( P PCBC) m1 m2 m3 IV (+) (+) (+) E E E Key c1 c2 c3 The 1st 64-bit message segment is XOR'ed with an initial vector (IV). Each following message segment is XOR'ed with the preceding ciphertext and plaintext segments-for privacy & integrity . 8

  9. Kerberos Message Integrity Check (Message Digest) MIC is Hash(<Ksession,message>) The Hash algorithm was never published (but source code can be obtained) It is based on a checksum algorithm designed by Juneman to use mod 2^31-1 (prime), but changed to use 2^63-1 (not prime). Cryptographers worry that it might be breakable, or reversible (to get Ksession). 9

  10. Network Layer (IP) Addresses in Tickets Only 4 bytes available, so limited to Internet Protocol (Novel, IBM, Appletalk, IPv6... longer) Makes "spoofing" harder, IP address must be stolen from network as well as Ticket from Alice. Prevents delegation, giving the ticket to another host to represent you (which is allowed by Kerberos V5) 10

  11. Why Study Kerberos v4 (Why doesn't everyone switch to v5) Kerberos V4 is working well in many systems Switching to V5 requires stopping the network and upgrading every host at once before restart Kerberos V5 is inefficient in some ways compared to V4 • Specified in ASN.1 (abstraction good and bad) • Example: 11 bytes required for 4-byte IP address. 11

  12. Kerberos v5 Cryptographic Algorithms Kerberos v4 used Plaintext Cipher Block Chaining and modified Juneman hash Kerberos v5 can use a variety of encryptions (DES in practice) and hashes (MD4, MD5). One primary MIC uses • { confounder + MD5(confounder & message)}K' • K' = Kalice-bob (+) F0F0F0F0F0F0F0F0 A more modern MIC that is not used is • MD5(Kalice-bob & message) 12

  13. Do not send in clear except over short secure channels • Choose had to guess passwords, enforce. • Force changing passwords periodically • Avoid keeping password in memory longer than necessary to generate the user's master key (w KDC) • Send hash of (key+nonce) to KDC for authentication • Add salt before hashing passwords for pw database • Add realm name to password before hashing for pw db Password security Originally UNIX stored a hash of each User’s password in a globally readable account. This can be attacked by hashing all common words for a reverse lookup table. 13

  14. Message Security and Integrity Only exchange messages with authenticated hosts Develop a session key and separate MIC key using initial password exchange Encrypt Diffie-Hellman exchanges to prevent Bucket Brigade (man-in-middle) attacks. Use MICs, especially with self-synchronizing encryptions (e.g., PCBC) which survive permutations of message blocks. Get "random" numbers from true sources Protect Master KDC Key and hashed-key database 14

  15. Bonus Entropy of Data, H H = sum[i=1 to k]{Pi * log2(1/Pi)} (bits of information per symbol) Where: k = number of states (or symbols) Pi = probability of the i’th state (ni/N) If the symbols are binary numbers with 8 bits: H = 8 -> complete disorder or randomness H < 8 -> some order (ASCII text, H = 4 - 5 bits) 15

  16. 16

More Related