1 / 25

Authentication and Key Distribution

Authentication and Key Distribution. Suman K Reddy Burjukindi CSC - 8320. Outline. Part 1 – Motivation Needham-Schroeder Protocol Kerberos Part 2 – Current Research Part 3 – Future Work References. Part 1: Motivation. Introduction:.

luisa
Download Presentation

Authentication and Key Distribution

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Authentication andKey Distribution Suman K Reddy Burjukindi CSC - 8320

  2. Outline • Part 1 – Motivation Needham-Schroeder Protocol Kerberos • Part 2 – Current Research • Part 3 – Future Work • References

  3. Part 1: Motivation Introduction: • Reliable authentication of communicating entities and network users across an insecure network • Secure key establishment. • Protect the privacy and integrity of communication How Securely? Alice Bob

  4. Motivation • Key establishment: a shared secret becomes available to two or more parties, for subsequent cryptographic use. • key transport protocol • one party creates, and securely transfers it to the other(s). • key agreement protocol: key establishment technique in which • a shared secret is derived by two (or more) parties • key pre-distribution vs. dynamic(session) key establishment • Use of trusted servers • trusted third party, trusted server, authentication server, key distribution center (KDC), key translation center (KTC) and certification authority (CA).

  5. Needham-Schroeder Protocol (1978) • First to use the encryption techniques for authentication and key distribution. KDC 2. {k,NA,B, {k,A}KB}KA 1. A,B,NA 3. {k,A}KB Bob’s Server 4. {NB}k Alice 5. {NB-1}k A,B: identities of hosts, KDC: Key Distribution Center NA, NB : nonce KA, KB: host keys shared by KDC and hosts k: session key for the host A and B {}k: Encryption with a key k

  6. Needham-Schroeder Protocol (1978) • A->S : A, B, NA A requests S to supply a key for communication with B • S->A: {NA, B, k, {A, k} KB } KA S returns a message encrypted in A’s secret key, containing a newly generated key k, and a ticket encrypted in B’s secret key • A->B: {A, k} KB A sends the ticket to B • B->A: {NB} k B decrypts the ticket and uses the new key k to encrypt the nonce NB • A->B: {NB - 1} k A demonstrates to B that it was the sender of the previous message by returning an agreed transformation of NB

  7. Needham-Schroeder Protocol (1978) • Properties • Protocol provides A and B with a shared key k with key authentication • (4) and (5) provide entity authentication of A to B. • If acceptable for A to re-use key k with B, A may securely cache (3) with k • To prevent replay of (4), {NA’}k should be appended to message (3), and (4) should be replaced by {NA’-1, NB}k allowing A to verify B’s knowledge of k.

  8. Needham-Schroeder Protocol (1978) Drawback: • Denning and Sacco found a drawback that if session key between A and B is compromised, an intruder can impersonate A by carrying out last 3 steps. • Needham-Schroeder responded by requiring A to obtain another nonce from B before it contacts S and requiring S to put this nonce into certificate to be forwarded to B. • Denning and Sacco found a protocol named as Denning – Sacco Protocol in the year 1981 which uses timestamps rather than nonce to guarantee message freshness. • Denning-Sacco has better performance than Needham-Schroeder as it eliminates message handshake but drawback is that all machines must be clock-synchronized with authentication server.

  9. Kerberos • Enable network application to securely identify their peers • Host A provides its identity by presenting a ticket to host B • Tickets are issued by a trusted third party Key Distribution Center (KDC) • There is a shared key between KDC and any host • Ticket is valid for a finite interval called its lifetime • Ticket contains session key, host’s identity and lifetime of the session key

  10. Kerberos Initial Ticket Exchanging KDC 2. {k,NA,L,B}KA, {k,A,L}KB 1. A,B,NA Bob’s Server 3. {A,TA,L,B}k, {k,A,L}KB Alice A,B: identities of hosts NA: nonce, L: Life time KA, KB: host keys shared by KDC and hosts k: session key for the host A and B {k,A,L}KB: Ticket

  11. Usually Co-located Kerberos • Getting a Service Ticket KDC 2. {KA,TGS,NA}KA,{KA,TGS,A,L}KTGS 1. A,TGS,NA Bob’s Server 5. {AA}KA,B, {TA,B}KB Alice 3. B, NA’, {A,L,TGS,TA}KA,TGS, {KA,TGS,A,L}KTGS 4. {KA,B,NA’}KA,TGS , {TA,B}KB AA: A, L, B,TA TA: Timestamp made by A TA,B: KA,B,A, L TGS

  12. Kerberos • Since timestamps are used, the hosts must provide both secure and synchronized clocks • If initial shared keys are password-derived, protocol is no more secure than secrecy of such password or their resistance to password-guessing attack • Lifetime is intended to allow A to re-use the ticket • A creates new authenticator with new timestamp and same session key k

  13. Kerberos Drawbacks: • Single point of failure. Requires continuous availability of a central server. • Kerberos requires the clocks of the involved hosts to be synchronized. • All authentication being controlled by a centralized KDC server, compromising of this infrastructure allows an attacker to impersonate any user.

  14. Part 2 – Current Research • EAP-Sens: a security architecture for wireless sensor networks….M. Abdul Alim, BehcetSarikaya…..November, 2008

  15. Why EAP- Sens ??? • Deployment of WSN’s – more common – wide variety of applications – collecting and disseminating sensitive information. • Security and reliability – major concerns, WSN’s count on proper operation of forwarders – entity authentication required. • Recent years – many security protocols – SPINS, Tinysec, LiSP, LEAP provide data confidentiality, message integrity and data encryption but none of them provide authentication or key management functions. • Extensible Authentication Protocol [EAP] , an authentication framework supporting multiple authentication mechanisms.

  16. EAP-Sens • A security protocol based on Extensible Authentication Protocol for IEEE 802.15.4 networks. [ Design, implementation and simulation] • IEEE 802.15.4 networks ?? • It uses the Generalized Pre-Shared Key authentication method for entity authentication and key establishment preventing unauthorized devices from joining the network. • EAP uses four messages – a)EAP-Request b)EAP-Response c)EAP-Success d)EAP-Failure

  17. EAP-Sens • The actual authentication messages are exchanged between EAP server and EAP peer in EAP-Request and EAP-Response messages until successful completion of authentication or authentication fails. • If authentication fails EAP server sends EAP-Failure to EAP peer otherwise sends EAP-Success. • On successful authentication EAP server and EAP peer establish a Master Session Key. • EAP server then sends the MSK to authenticator to be used as shared secret key between authenticator and EAP peer .

  18. GPSK EAP Authentication Figure shows the EAP procedure of the authentication of messages.

  19. EAP-Sens EAP-Sens operation: • In EAP-Sens, each node shares a secret key (PSK) with the authentication server which is loaded into the sensor node when it is programmed before deployment. • Functions 1) Authenticating PAN Coordinator’s Neighbors 2) Authenticating Distant Nodes

  20. EAP – Sens Key Hierarchy PSK- Pre Shared Key KEK- Key Encryption Key MSK- Master Session Key TK – Temporal Key AMSK- Auxiliary MSK Kmac – Authentication key

  21. EAP-Sens • EAP-Sens Authentication time: - For a supplicant to complete EAP-Sens authentication successfully and get access to the network in a N-node network, with d average degree of neighbors, time required t = (10 × logd(N)) × tx + (12 + 10 × logd(N)) × tmic • Total authentication time t increases logarithmically with the increase in the number of nodes in the network. • EAP-Sens takes very less time to authenticate when compared to other protocols on IEEE 802.15.4 compliant sensor nodes.

  22. Comparison of Authentication Times forDifferent Protocols The picture clearly shows that EAP-Sens requires least time to authenticate when compared to other protocols.

  23. EAP-Sens Summary: • On simulating EAP-Sens using NS-2 for performance evaluation showed that EAP-Sens performs better than all other existing WSN security protocols. • Implementing a prototype version of EAP-Sens in TinyOS to estimate code size and memory requirements indicates that EAP-Sens can be implemented on sensor devices like Mica2, Telos and Tmote. • EAP-Sens can also be used in medical monitoring and meter readings for utility services.

  24. Part 3: Future Research • EAP-Sens has been very good in the static environments. It is important to also study its performance in mobile environments. • IETF Kerberos is working on the Encryption and Checksum specifications and AES Encryption for Kerberos 5 to solve security issues.

  25. References • “Distributed Operating Systems and Algorithms” by Randy Chow and Theodore Johnson • Clifford Neumann. The Kerberos Network Authentication Service (V5). Internet Draft ietf-cat-kerb-kerberos-revision-04.txt, June 1999 • The KryptoKnightfamily of light-weight protocols for authentication and key distribution Bird, R.   Gopal, I.   Herzberg, A.   Janson, P.   Kutten, S.   Molva, R.   Yung, M.IBM Corp., Research Triangle Park, NC; Feb, 1995 • EAP-Sens: a security architecture for wireless sensor networksM. Abdul Alim, BehcetSarikaya, Nov 2008 • http://en.wikipedia.org/wiki/Needham-Schroeder [March 29, 2007] • http://web.mit.edu/Kerberos/ [April 2, 2007] • http://en.wikipedia.org/wiki/Kerberos_%28protocol%29 [April 8, 2007]

More Related