Chapter 8.5 AUTHENTICATION AND KEY DISTRIBUTION
Prepared by: Karthik V Puttaparthi kputtaparthi1@student.gsu.edu

OUTLINE
• Overview
• Protocols and Communication Services
• Design of Authentication Protocols
• Needham-Schroeder Protocol
• Denning-Sacco Protocol
• Kerberos Protocol
• Kerberos Protocol Version V
• References

PROTOCOLS AND COMMUNICATION SERVICES
• Authentication is the process of verifying the identity of an object entity.
• Password verification is a simple example of one-way user identification.
• In a distributed environment, there is a greater need to authenticate the machine the user connects to as well.
• This type of mutual authentication is even more important for communication between autonomous principals under different administrative authorities in a client/server distributed environment.

PROTOCOLS AND COMMUNICATION SERVICES
Messages being exchanged must also be authenticated such that they are free of forgery, counterfeiting and repudiation.
• Forgery could occur when a communication key is compromised.
• A counterfeit is the replay of a secret message in the context of communication.
• Repudiation is the denial of sending what seems to be an authenticated message.

PROTOCOLS AND COMMUNICATION SERVICES
• For message authenticity, an irreproducible secret message digest can be used to sign the message.
• Secrecy of information can be accomplished by encryption using secret keys.

Design of Authentication Protocols
[Diagram labels: Connection, Connectionless, Peer processes, Client / Server]
• Authentication protocols are all about distribution and management of secret keys.
• Key distribution in a distributed environment is an implementation of distributed authentication protocols.

Design of Authentication Protocols
• The design of distributed authentication protocols depends on the underlying communication service, i.e. connectionless or connection-oriented.
• Most distributed applications follow the Client/Server programming paradigm, and Client/Server interaction is viewed as request/reply communication.
• Session keys can also be used for Client/Server communication; they are conceptually similar to tickets.
• A ticket is a signed certificate that contains information for authenticating the client.
• The Kerberos Protocol was the first one to use the ticket notion.

Design of Authentication Protocols
• All protocols assume that some secret information is held initially by each principal.
• Authentication is achieved by one principal demonstrating to the other that it holds that secret information.
• All protocols assume that the system environment is very insecure and is open to attack.

Design of Authentication Protocols
• A message received by a principal must have its origin authenticity, integrity and freshness verified.
• To achieve these goals, most protocols need to rely on an authentication server.
• The authentication server delivers good-quality session keys to requesting principals securely.

Design of Authentication Protocols
• Protocols are divided into two categories according to how they verify the freshness of a message.
• The first category uses a nonce and a challenge/response handshake to verify freshness.
• The second category uses timestamps and assumes that all machines in the distributed system are clock-synchronized.

Needham-Schroeder Protocol (1978)
• First to use the encryption techniques for authentication and key distribution.
• Five Steps…
1. A->S: A, B, Na
2. S->A: {Na, B, Kab, {A, Kab}Kbs}Kas
3. A->B: {A, Kab}Kbs
4. B->A: {Nb}Kab
5. A->B: {Nb - 1}Kab
• A contacts S, which returns a session key and a certificate encrypted with Kbs.
• B decrypts it and does a nonce handshake with A to assure freshness.
• Subtracting 1 from Nb in the last message ensures that it is not a replay of the previous message from B to A.

Needham-Schroeder Protocol (1978)
• Five Steps…
1. A->S: A, B, Na
2. S->A: {Na, B, Kab, {A, Kab}Kbs}Kas
3. A->B: {A, Kab}Kbs
4. B->A: {Nb}Kab
5. A->B: {Nb - 1}Kab
• Denning and Sacco found a drawback.
• If the session key between A and B is compromised, an intruder can impersonate A by carrying out the last 3 steps.
• Needham and Schroeder responded by requiring A to obtain another nonce from B before it contacts S, and requiring S to put this nonce into the certificate to be forwarded to B.

Denning-Sacco Protocol (1981)
• Uses timestamps rather than nonces to guarantee message freshness.
1. A->S: A, B
2. S->A: {B, Kab, Ts, {A, Kab, Ts}Kbs}Kas
3. A->B: {A, Kab, Ts}Kbs
A and B can verify the message freshness by checking:
Clock − T < Δt1 + Δt2

Denning-Sacco Protocol (1981)
• Clock is the local clock time. Δt1 is the normal discrepancy between the server’s clock and the local clock. Δt2 is the expected network delay.
• So long as Δt1 + Δt2 is less than the interval between two contiguous authentication sessions, message freshness is guaranteed.
• Denning-Sacco has better performance than Needham-Schroeder as it eliminates the message handshake.
• The drawback is that all machines must be clock-synchronized with the authentication server.

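B's acceptance logic under the two protocols, as an added example that is not part of the original slides: it shows why a Needham-Schroeder certificate stays usable after Kab is compromised while the Denning-Sacco timestamp check rejects it. The seal/unseal helpers are a symbolic stand-in for encryption, and the key names, times and Δ values are constructed.

```python
import secrets

# Symbolic model: seal(k, m) stands in for {m}k. No real cipher is involved.
def seal(key, fields):
    return {"key": key, "fields": fields}

def unseal(key, box):
    if box["key"] != key:
        raise ValueError("wrong key")
    return box["fields"]

KBS = "Kbs"   # long-term key shared by B and S (constructed value)

def holder_of(kab):
    """Whoever knows Kab can answer B's nonce challenge (message 5)."""
    return lambda challenge: seal(kab, unseal(kab, challenge) - 1)

def b_accepts_ns(ticket, peer):
    """Needham-Schroeder messages 3-5 from B's side."""
    _a, kab = unseal(KBS, ticket)               # 3. {A, Kab}Kbs
    nb = secrets.randbelow(2**32) + 1           # fresh nonce Nb
    try:
        reply = peer(seal(kab, nb))             # 4. {Nb}Kab out, 5. reply back
        return unseal(kab, reply) == nb - 1     # 5. {Nb - 1}Kab
    except ValueError:
        return False

def b_accepts_ds(ticket, clock, dt1, dt2):
    """Denning-Sacco message 3 from B's side."""
    _a, _kab, ts = unseal(KBS, ticket)          # {A, Kab, Ts}Kbs
    # The slide writes Clock - T; abs() (an addition) also rejects future stamps.
    return abs(clock - ts) < dt1 + dt2

def run_replay_demo():
    # Constructed values: a certificate issued at Ts = 1000 whose Kab later leaked.
    ns_old = seal(KBS, ("A", "Kab-old"))
    ds_old = seal(KBS, ("A", "Kab-old", 1000))
    return {
        "ns_old_ticket": b_accepts_ns(ns_old, holder_of("Kab-old")),
        "ns_without_kab": b_accepts_ns(ns_old, holder_of("guess")),
        "ds_in_window": b_accepts_ds(ds_old, clock=1003, dt1=2, dt2=3),
        "ds_old_ticket": b_accepts_ds(ds_old, clock=90000, dt1=2, dt2=3),
    }
```

B's nonce only proves that the peer holds Kab now; nothing in {A, Kab}Kbs tells B when S issued it, which is the gap the timestamp closes.
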
Kerberos Protocol (1980)
• Developed as a part of Project Athena at MIT, Kerberos is one of the most promising implementations of an authentication service.
• Based on Needham-Schroeder but also uses the timestamps suggested by Denning-Sacco.
• The authentication service is divided between two servers: the Kerberos Server and the Ticket Granting Server (TGS).

Kerberos Protocol (1980)
• Simplified version of Kerberos that treats the Kerberos server and TGS as a single entity S.
1. A->S: A, B
2. S->A: {Kab, Ticketab}Kas
   Where Ticketab = {B, A, addr, Ts, L, Kab}Kbs
3. A->B: Authenticatorab, Ticketab
   Where Authenticatorab = {A, addr, Ta}Kab
4. B->A: {Ta + 1}Kab
• A sends its own identity to S before it connects to B.
• S responds with session key Kab and a ticket for B.

Kerberos Protocol (1980)
1. A->S: A, B
2. S->A: {Kab, Ticketab}Kas
   Where Ticketab = {B, A, addr, Ts, L, Kab}Kbs
3. A->B: Authenticatorab, Ticketab
   Where Authenticatorab = {A, addr, Ta}Kab
4. B->A: {Ta + 1}Kab
• The ticket contains the identities of B and A, the IP of A, timestamp Ts, lifetime L and a session key to identify A.
• A now creates its own authenticator containing A’s identity, its IP and a timestamp, and sends it to B along with B’s ticket.
• B decrypts the ticket and authenticator, and compares two pieces of information.

Kerberos Protocol (1980)
• First, their identity and address information must match.
• Second, the discrepancy between the time in the authenticator and the current local time must not exceed a predetermined value.
• If these match, B authenticates A’s identity and allows the service request to proceed.
• Drawbacks of Kerberos were identified by Bellovin and Merritt.
• The drawbacks include difficulty in adapting to all environments, and the need for special-purpose hardware.
• To fix some of these problems, Kerberos has been upgraded to version V.

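The two comparisons B makes on message 3, as an added example that is not part of the original slides. It starts from ticket and authenticator fields that B has already decrypted; the addresses, times and 300-second skew limit are constructed values, and the server-name and lifetime checks are assumptions added on top of the two checks the slide lists.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Ticket:             # Ticketab contents once B has decrypted it with Kbs
    server: str           # B
    client: str           # A
    addr: str             # A's address
    ts: int               # Ts, issue time (seconds)
    lifetime: int         # L (seconds)
    kab: str              # session key

@dataclass(frozen=True)
class Authenticator:      # Authenticatorab contents once decrypted with Kab
    client: str
    addr: str
    ta: int               # Ta, A's timestamp (seconds)

MAX_SKEW = 300            # assumed "predetermined value"; the slides give no number

def b_verify(me, ticket, auth, now, max_skew=MAX_SKEW):
    """B's decision: (True, Ta + 1) for message 4, or (False, reason)."""
    if auth.client != ticket.client:
        return False, "identity mismatch"
    if auth.addr != ticket.addr:
        return False, "address mismatch"
    if abs(now - auth.ta) > max_skew:
        return False, "authenticator too old or too new"
    # The next two checks are not listed on the slide; they use fields the
    # ticket carries (B, Ts, L) and are added here as assumptions.
    if ticket.server != me:
        return False, "ticket is for another server"
    if now > ticket.ts + ticket.lifetime:
        return False, "ticket expired"
    return True, auth.ta + 1

def run_kerberos_demo():
    # Constructed sample values, not taken from the slides.
    t = Ticket("B", "A", "10.0.0.5", ts=1000, lifetime=3600, kab="Kab")
    a = Authenticator("A", "10.0.0.5", ta=1200)
    return {
        "ok": b_verify("B", t, a, now=1210),
        "wrong_addr": b_verify("B", t, replace(a, addr="10.0.0.9"), now=1210),
        "stale": b_verify("B", t, a, now=1200 + MAX_SKEW + 1),
        "expired": b_verify("B", t, replace(a, ta=5000), now=5000),
    }
```
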
Kerberos Protocol Version V 1993
[Diagram: K, C, S, G]

Kerberos Protocol Version V (cont…)
• This protocol separates the authentication server S into Kerberos server (K) for authentication and Ticket Granting Server (G).
• Client (C) first sends identity for itself and TGS to Authentication Server K. (Message 1)
• Authentication Server K does the initial login and grants ticket for TGS. (Message 2)
• Client (C) sends authenticator to TGS to identify itself (like simplified Kerberos). (Message 3)

Kerberos Protocol Version V 1993
• Messages 4 and 5 are similar to Messages 2 and 3 respectively.
• Most widely implemented protocol.
• Implemented in the Distributed Computing Environment (DCE) security service and SESAME (A Secure European System for Application in a Multi-vendor Environment).

References
• “Distributed Operating Systems and Algorithms” by Randy Chow and Theodore Johnson
• On the design of authentication protocols for third generation ieeexplore.ieee.org/iel5/8635/27371/01217358.pdf
• Clifford Neuman. The Kerberos Network Authentication Service (V5). Internet Draft ietf-cat-kerb-kerberos-revision-04.txt, June 1999
• http://en.wikipedia.org/wiki/Needham-Schroeder [March 29, 2007]
• http://web.mit.edu/Kerberos/ [April 2, 2007]
• http://en.wikipedia.org/wiki/Kerberos_%28protocol%29 [April 8, 2007]