An Overview of the GSS-API and Kerberos
Bob Beach, Symbol Technologies
Jesse Walker, Intel Corporation
Bob Beach and Jesse Walker
Purpose
• Provide the background to understand and evaluate the Symbol/Intel proposal to base 802.11 security services on the GSS-API
Agenda
• What is the GSS-API?
• GSS-API Mechanisms
What is the GSS-API? (1)
• Generic Security Services Applications Programming Interface, defined by RFC 2743
• RFC 2744 gives standard ‘C’ bindings, RFC 2853 gives Java bindings
  • but we will use it as an abstract service interface
• The GSS-API interface is implemented by GSS-API mechanisms
  • each mechanism is a security system
  • the interface is independent of mechanisms
What is the GSS-API? (2)
• Credentials Management
  • GSS_Acquire_cred, GSS_Release_cred, GSS_Add_cred, etc.
• Context Management
  • GSS_Init_sec_context, GSS_Accept_sec_context, GSS_Delete_sec_context, GSS_Inquire_context, GSS_Context_time, etc.
• Per-Message Calls
  • GSS_Wrap, GSS_Unwrap, etc.
• Support Calls
  • GSS_Import_name, GSS_Export_name, GSS_Display_status, etc.
The GSS-API Model
• Step 1: Establish a security context
• Step 2: Use the established security context to secure message exchanges
Establishing a Security Context (Initiator / Responder)
• Initiator calls GSS_Init_sec_context with the Peer ID; the call returns an Authentication Token + Continue, and the token is sent to the Responder
• Responder calls GSS_Accept_sec_context on that token; the call returns an Authentication Token + OK, and the token is sent back to the Initiator
• Initiator calls GSS_Init_sec_context with the returned token; the call returns OK and the context is established on both sides
Using a Security Context (Peer 1 / Peer 2)
• Peer 1 calls GSS_Wrap on Data, producing Wrapped Data, which is sent to Peer 2
• Peer 2 calls GSS_Unwrap on the Wrapped Data to recover Data
Agenda
• What is the GSS-API?
• GSS-API Mechanisms
Some GSS-API Mechanisms
• SPNEGO (RFC 2478) - negotiates the other mechanisms
• Kerberos (RFC 1510, RFC 1964) - centralized key server based on shared secrets
• SPKM (RFC 2025) - 1- and 2-way public key based authentication
• LIPKEY (RFC 2847) - one-way authentication a la SSL; a species of SPKM
• SRP (draft-ietf-cat-srpgm-xx.txt) - secure remote password; a species of SPKM
• SASL (draft-ietf-cat-sasl-gssapi-xx.txt) - one time password
• PKINIT (draft-ietf-cat-kerberos-pk-init-xx.txt) - use public key to register secret with Kerberos KDC
SPNEGO (Initiator / Responder)
• Initiator calls GSS_Init_sec_context; the call returns a token offering Kerberos, SRP, SPKM + Continue, and the token is sent to the Responder
• Responder calls GSS_Accept_sec_context; the call returns a token selecting Kerberos + OK, and the token is sent back to the Initiator
• Initiator calls GSS_Init_sec_context with the reply; the call returns OK
What is Kerberos?
• Authentication and Key Distribution Protocol
• Developed in the late 1980s; latest version is Rev 5
• RFC 1510; RFC 1964 fits it into the GSS-API framework
• Default authentication protocol in Windows 2000 Domain Login
• Widely deployed in UNIX shops
How does Kerberos work?
• Three major elements:
  • Principal: a user or system (username, password)
  • Services (FTP, email, telnet, RF services)
  • Key Distribution Center - maps principals to keys
• Three step model:
  • user mutually authenticates with KDC (KRB_AP_REQ/KRB_AP_REP exchange)
  • KDC issues user authorization to access a service (KRB_TGT_REQ/KRB_TGT_REP exchange)
  • user gains access to service by presenting authorization
User Authentication
• KRB_AP_REQ message asks the KDC for access to the Ticket Granting Service
• KDC creates a unique authentication key for authenticating the user with the Ticket Granting Service, encrypts it under the user’s password, and sends it back to the user in the KRB_AP_REP message
• The user decrypts the message and gains access to the authentication key
• Password is never sent over the airwaves
Issuing Authorization
• KRB_TGT_REQ asks for authorization to a particular service
  • message is protected with the authentication key returned by the KDC in the KRB_AP_REP message
• KDC decrypts the message and examines the request
• If the request is OK, the KDC creates a session key to be used between the user and the service
• KRB_TGT_REP from the KDC contains two copies of the session key, one encrypted under the user’s authentication key and the other under the service’s
Gaining Access to the Service
• User decrypts the KRB_TGT_REP message to get the session key and a “ticket” for the server
• User prepares and sends a token to the server containing the “ticket” plus other info encrypted under the session key
• Service decrypts the “ticket” using its own authentication key received from the KDC and gains access to the session key
• Service decrypts the rest of the request and processes it
• Service sends a reply to the user to authenticate itself
Kerberos as used by GSS-API (KDC / Initiator / Responder)
• Initiator calls GSS_Init_sec_context; the mechanism sends KRB_AP_REQ to the KDC and receives KRB_AP_REP
• The mechanism then sends KRB_TGT_REQ to the KDC and receives KRB_TGT_REP
• GSS_Init_sec_context returns a token carrying the Ticket and an Authenticator + Continue; the token is sent to the Responder
• Responder calls GSS_Accept_sec_context; the call returns an Authenticator + OK, sent back to the Initiator
• Initiator calls GSS_Init_sec_context with the reply; the call returns OK
PKINIT + Kerberos (KDC / Initiator / Responder)
• Initiator calls GSS_Init_sec_context; the mechanism sends KRB_TGT_REQ to the KDC and receives KRB_TGT_REP (no KRB_AP_REQ/KRB_AP_REP exchange is shown in this figure)
• GSS_Init_sec_context returns a token carrying the Ticket and an Authenticator + Continue; the token is sent to the Responder
• Responder calls GSS_Accept_sec_context; the call returns an Authenticator + OK, sent back to the Initiator
• Initiator calls GSS_Init_sec_context with the reply; the call returns OK
SPKM (Initiator / Responder)
[Figure: four-call SPKM exchange. Tokens shown: SPKM parameters, n; Crypt(K); Sig, SigCert, CryptCert. Call sequence: GSS_Init_sec_context (+ Continue), GSS_Accept_sec_context (+ Continue), GSS_Init_sec_context (+ OK), GSS_Accept_sec_context (OK).]
SRP (Initiator / Responder)
Responder database: username, x = g^h(s, password), s
• Initiator calls GSS_Init_sec_context; the call returns a token carrying username, g^a + Continue
• Responder calls GSS_Accept_sec_context; the call returns a token carrying g^b + x, s, n + Continue, and the Responder computes K = g^(ab) * x^(nb)
• Initiator calls GSS_Init_sec_context; it computes K = ((g^b + x) - x)^(a + n*h(s, password)) and returns a token carrying Hash1(K) + Continue
• Responder calls GSS_Accept_sec_context; it checks Hash1(K) and returns a token carrying Hash2(K) + OK
• Initiator calls GSS_Init_sec_context; it checks Hash2(K) and returns OK
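A worked version of the SRP exchange above in the slide's own notation (x = g^h(s, password), K on both sides, Hash1/Hash2 confirmation), written as an added example rather than the authors' or any mechanism's code. It assumes SHA-256 for h and the confirmation hashes, and uses the secp256k1 field prime only as a toy modulus; a real SRP deployment uses the safe-prime groups from RFC 5054.

```python
import hashlib
import secrets

# Toy modulus (secp256k1 field prime, a known prime); not an SRP group, demo only.
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
G = 2


def h(*parts: bytes) -> int:
    """Hash helper: used for h(s, password) and for Hash1/Hash2 (assumed SHA-256)."""
    return int.from_bytes(hashlib.sha256(b"|".join(parts)).digest(), "big")


def enroll(password: bytes) -> tuple:
    """Responder database entry (s, x) with x = g^h(s, password); the password itself is not stored."""
    s = secrets.token_bytes(16)
    return s, pow(G, h(s, password), P)


def srp_exchange(initiator_password: bytes, db_entry: tuple) -> tuple:
    """Run the four-leg exchange; returns (ok, K) where K is None unless both sides verified."""
    s, x = db_entry
    # Leg 1, Initiator -> Responder: username, g^a (+ Continue)
    a = secrets.randbelow(P - 2) + 1
    ga = pow(G, a, P)
    # Leg 2, Responder -> Initiator: g^b + x, s, n (+ Continue); Responder computes K = g^ab * x^nb
    b = secrets.randbelow(P - 2) + 1
    n = secrets.randbelow(2**32) + 1
    gb_plus_x = (pow(G, b, P) + x) % P
    k_responder = (pow(ga, b, P) * pow(x, n * b, P)) % P
    # Initiator recovers g^b with its own x = g^h(s, password), then K = (g^b)^(a + n*h(s, password))
    x_initiator = pow(G, h(s, initiator_password), P)
    gb = (gb_plus_x - x_initiator) % P
    k_initiator = pow(gb, a + n * h(s, initiator_password), P)
    # Leg 3, Initiator -> Responder: Hash1(K) (+ Continue); a wrong password fails here
    hash1 = h(b"1", k_initiator.to_bytes(32, "big"))
    if hash1 != h(b"1", k_responder.to_bytes(32, "big")):
        return False, None
    # Leg 4, Responder -> Initiator: Hash2(K) (+ OK); Initiator checks and returns OK
    hash2 = h(b"2", k_responder.to_bytes(32, "big"))
    ok = hash2 == h(b"2", k_initiator.to_bytes(32, "big"))
    return ok, (k_initiator if ok else None)
```

Because the Responder's stored x is g^h(s, password) rather than the password, only a party that can recompute h(s, password) can strip x from g^b + x and reach the same K.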
Conclusions
• GSS-API is
  • a simple, well-defined interface
  • widely deployed and well-tested
• Kerberos is
  • simple to implement
  • a GSS-API mechanism providing mutual authentication and key distribution
  • widely deployed and well-tested
Feedback?