KryptoKinght Protocol for Authentication and Key Distribution
Download
Report
Transcript KryptoKinght Protocol for Authentication and Key Distribution
Authentication and Key Establishment
(Needham-Schroeder, Kerberos and KryptoKnight)
February 19, 2003
Changho Choi
[email protected]
Agenda
Motivation
Basic concept for the authentication and key establishment
Needham-Schroeder
Kerberos
KryptoKnight
Summary
Motivation
How Securely?
Alice
Bob
Reliable authentication of communicating entities and
network users across an insecure network
Secure key establishment
Protect the privacy and integrity of communication
Centralized key management and authentication
Concepts and Classification
Key establishment: a shared secret becomes available to
two or more parties, for subsequent cryptographic use.
key transport protocol
key agreement protocol: key establishment technique in which
one party creates, and securely transfers it to the other(s).
a shared secret is derived by two (or more) parties
key pre-distribution vs. dynamic(session) key establishment
Use of trusted servers
trusted third party, trusted server, authentication server, key
distribution center (KDC), key translation center (KTC)
and certification authority (CA).
2-Party Mutual Authentication Protocol
(2PAP)
1. NA
Alice
2. NB,MACBA(NA,NB,B)
3. MACAB(NA,NB)
Bob
NA,NB : One time random number (Nonce)
MACAB, MACBA: Message Authentication Code with
a shared key
Needham-Schroeder
KDC
1. A,B,NA
Alice
2. {k,NA,B, {k,A}KB}KA
3. {k,A}KB
4. {NB}k
5. {NB-1}k
Bob’s
Server
A,B: identities of hosts,
KDC: Key Distribution Center
NA, NB : nonce
KA, KB: host keys shared by KDC and hosts
k: session key for the host A and B
{}k: Encryption with a key k
Needham-Schroeder
Properties
Protocol provides A and B with a shared key k with key
authentication
(4) and (5) provide entity authentication of A to B.
If acceptable for A to re-use key k with B, A may securely cache (3)
with k
To prevent replay of (4), {NA’}k should be appended to message (3),
and (4) should be replaced by {NA’-1, NB }k allowing A to verify B’s
knowledge of k
Kerberos
Enable network application to securely identify their peers
Host A provides its identity by presenting a ticket to host B
Tickets are issued by a trusted third party Key Distribution Center
(KDC)
There is a shared key between KDC and any host
Ticket is valid for a finite interval called its lifetime
Ticket contains session key, host’s identity and lifetime
of the session key
Initial ticket exchanging
KDC
1. A,B,NA
2. {k,NA,L,B}KA, {k,A,L}KB
3. {A,TA,L,B}k, {k,A,L}KB
Alice
A,B: identities of hosts
NA: nonce,
L: Life time
KA, KB: host keys shared by KDC and hosts
k: session key for the host A and B
{k,A,L}KB: Ticket
Bob’s
Server
Getting a Service Ticket
KDC
Usually
Co-located
2. {KA,TGS,NA}KA,{KA,TGS,A,L}KTGS
1. A,TGS,NA
5. {AA}KA,B, {TA,B}KB
3. B, NA’,
Alice
{A,L,TGS,TA}KA,TGS,
{KA,TGS,A,L}KTGS
4. {KA,B,NA’}KA,TGS ,
{TA,B}KB
TGS
Bob’s
Server
AA: A, L, B,TA
TA: Timestamp made by A
TA,B: KA,B,A, L
Kerberos Properties
Since timestamps are used, the hosts must provide both
secure and synchronized clocks
If initial shared keys are password-derived, protocol is no
more secure than secrecy of such password or their
resistance to password-guessing attack
Lifetime is intended to allow A to re-use the ticket
A creates new authenticator with new timestamp and same session
key k
Needham-Schroeder vs. Kerberos
Kerberos lifetime parameter is not present in N-S
In N-S, (2) (which is corresponds to Kerberos ticket) is
double-encrypted
Authentication here employs nonce rather than timestamp
Since B has no way of knowing if k is fresh, should k ever
be compromised, any party knowing it may both resend
message (3) and compute a correct message (5) to
impersonate A to B
This situation is ameliorated in Kerberos by the lifetime parameter
which limits exposure to a fixed time interval
KryptoKnight
Objective
Minimal, flexible and scalable authentication and key distribution
for various network settings
Basic Concepts and Design Issues
Minimal resource Utilization
Use hash function instead of encryption
Minimize the number of messages
Flexible operational scenarios
Scalable design
Use a nonce instead of time stamp
Basic Key Distribution
1. NA
2. NK, MACA(NA,NK,KDC) KaNew
Alice
optional
KDC
Not secure with respect to key integrity
3. MACa(NA,NK)
Any intruder can modify the key distribution and cause A to extract
a key not issued by the KDC
Timeliness of the KDC’s response
Authenticated Key Distribution
2-Party Authenticated Key Distributiion Protocol(2PAKDP)
NA
MACA(NA,NK,KDC), EA(MACA)NK
MACa(NA,NK)
Alice
Braiding
NK = KaNew
KDC’s nonce in flow 2 is hidden
optional
KDC
3-Party Scenarios
Assumption
Two entities(A and B) want to authenticate with each other
A and B have no shared secret
There is a mutually-trusted KDC whom they each share a secret
A-B-K Pull scenario
A is either unable, unauthorized, or unwilling to contact the
KDC
A
B
Na
Mac a (N a , K ab , B), E a (Mac
N b , Mac
Mac
ab
ab
a
) K ab ,
KDC
Na ,Nb ,A
Mac a (N a , K ab , B), E a (Mac
a
) K ab ,
Mac b (N b , K ab , A), E b (Mac
b
) K ab
(N a , N b , B )
(N a , N a ), Mac a (N a , K ab )
Mac a (N a , K ab ), Mac b (N b , K ab )
optional
K-A-B Push Scenario
Provide authentication on the forward flows to the KDC
Direct handshake (2PAP) between A and B is no longer
needed
Na
KDC
A
N a , N b , Mac a (N a , b , B), A
Mac a (N a , K ab , B), E a (Mac
a
) K ab ,
Mac b (N b , K ab , A), E b (Mac
b
) K ab
Mac
ab
(N a , N b ) ,
Mac b (N b , K ab , A), E b (Mac
b Mac b (N a , N b , B)
B
N b , Mac b (N a , N b , B)
optional
b
) K ab
Time-Based Push Scenario(K-A-B(t))
Connection between two parties is strictly controlled by servers in
highly sensitive communication systems
B is not available (i.e., is not on-line) at the time when A contacts the
KDC
Military system
In K-A-B and A-B-K, B need to maintain state – Nb, A’s name, etc
K-A-B(t) requires B to start keeping state starting only from flow 3
B has no connection to, or is otherwise unable to contact the KDC (i.e,
mobile entity)
Hybrid (Partial Clock Synchronization)
KDC-> A: Challenge-based, KDC->B: Time-based
K-A-B(t)
KDC
Na ,B
Mac a (N a , K ab , B), E a (Mac
a
) K ab ,
TS, Mac b (TS, K ab , A), E b (Mac
b
) K ab
A
B
N a ,TS, Mac b (TS, K ab , A),
E b (Mac
b
N b , Mac
ab
Mac
ab
) K ab
(N a , N b , B)
(N a , N b )
Extension for Inter-Domain Protocol
Kerberos
TGSlocal
1. {AA}KA,TGS,
{TA,TGS}KTGS ,
TGSrem
Alice
2. {KA,TGSrem}KA,TGS ,
{TA,TGSrem}KTGSrem
A
5. {AA}KA,B, {TA,B}KB
Remote
B Server
4. {KA,B}KA,TGSrem,
3. {AA}KA,TGSrem,
{TA,B}KB
{TA,TGSrem}KTGSrem,
B
TGSremote
Key Exchange in Kerberos
CS.UMN.EDU
UMN.EDU
EDU
MIT.EDU
EDU
UMD.EDU
O(N2)
MIT.EDU
O(logN)
UMN.EDU
CS.UMN.EDU
UMD.EDU
Inter-Domain protocols
Kerberos Problem
Puts most of the load on the initiating client
Client A may be a mobile unit: no connection to its own KDC
Client A may have a policy prohibiting it from communicating
with the outside without establishing a secure “context”
Client B may have a policy requiring it to consult its own KDC
first before contacting A’s KDC
Assumption
Existence of inter-domain keys
Keys that secure communication among KDCs in different domains
A-B-K inter-domain Protocol
(Without Inter-KDC communication)
B
A
KDC2
Na
Na ,Nb ,A
KDC1
Mac
Mac
12
(N a , K ab , A, B), E 12 (Mac
N b , Mac
B, N a ,
Mac
12
(N a , K ab , A, B), E 12 (Mac
Mac a (N a , K ab , B), E a (Mac
a
12
ab
12
(N a , N b , B )
) K ab
) K ab
Mac
ab
(N a , N b )
12
(N a , K ab , A, B), E 12 (Mac
Mac b (N b , K ab , A), E b (Mac
) K ab ,
b
12
) K ab ,
) K ab
With Inter-KDC communication
Environments
One of hosts (A or B) has no connection to its own KDC
Software size at one or both hosts is critical
Hide the inter-domain-ness of the protocol
The burden and complexity due to inter-domain issues can be isolated
in KDCs
KDCs can communicate among themselves more efficiently than
hosts
Protocols: A-B-K-K, K-K-A-B and K-K-A-B(t)
A-B-K-K Protocol
B
A
KDC2
Na
Na ,Nb ,A
KDC1
N a , N 2 , A, B
Mac a (N a , K ab , B), E a (Mac
Mac
12
a
(N 2 , K ab , B, A), E 12 (Mac
Mac a (N a , K ab , B), E a (Mac
a
) K ab ,
12
) K ab
) K ab ,
N b , Mac
ab
(N a , N b , B )
Mac
ab
(N a , N b )
Mac a (N a , K ab , B), E a (Mac
a
) K ab ,
Mac b (N b , K ab , A), E b (Mac
b
) K ab
Disadvantages in inter-KDC
communication
Sacrifice of the KDC’s stateless nature
KDC2 has to keep state between flows
At least A, B, Kab and Na must be kept
Alternatively, KDC2 can “export” the state information
Including the state variables in the flow to KDC1
KDC1 then simply echoes them back in its reply
Summary
Supporting a flexible range of network configurations,
avoiding reliance on tightly-synchronized clocks or
counters
Minimizing message sizes and cryptographic operations
Light-weight protocol in terms of resource usage and
suitable for low-end devices with limited memory and
processing capability
References
J. Kohl, B. Neuman, and T. Ts’o. The Evolution of the Kerberos
Authentication Service. In F. Brazier and D. Johansen, editors,
Distributed Open Systems. IEEE Computer Society Press,1994.
R. Bird, I. Gopal, A. Herzberg, P. Johnson, S. Kutten, R. Molva, and M.
Yung, “The KryptoKnight Famliy of Light-Weight Protocols for
Authentication and Key Distribution,” IEEE/ACM Transactions on
Networking, vol. 3, no. 1, pp. 31-41, 1995.
P. Janson, G. Tsudik, and M. Yung. Scalability and flexibility in
authentication services: the KryptoKnight approach. In Proc. of IEEE
INFOCOM, pages 725--736, April 1997.