Transcript Slide 1
Kerberos Guilin Wang School of Computer Science 03 Dec. 2007 Outline ■ Password-based key agreement protocols (Continuing our last lecture). ■ Kerberos authentication protocol. 0. Password-based Protocols ■ In the NS protocol, both parties need to share longterm secrets with the server. For humans, long secret keys are not easy to memorize. ■ One naïve approach is to set long-term secrets as passwords. ■ For example, let Kbs=Pbs, a password shared btw B and S in the NS protocol. 0. Password-based Protocols ■ However, this approach suffers off-line dictionary attack. 3. A B : EPbs ( K , A) ■ That is, an attacker can try each possible P’ to decrypt EP-bs (K, A). If DP'[ EPbs ( K , A)] ... || A, P’ is likely the correct password. 0. Password-based Protocols ■ Off-line dictionary attack works since passwords are short strings with low entropy. ■ Countermeasures: - Enhance the strength of passwords by requiring certain length, format, and randomness. - Combine the password with a security token. 0. Password-based Protocols The following Encrypted Key Exchange (EKE) protocol can resist the off-line dictionary attack: ■ PK is an ephemeral public key generated by A. ■ B transfers K to A by using double encryptions. ■ Why EKE protocol is immune to the off-line dictionary attack? 1. Authentication & Key Exchange ■ The purpose of entity authentication is to prevent impersonation attack. ■ Authentication is important in key exchange. E.g, the DH protocol suffers the MITM attack. ■ Actually, key exchange techniques can also be used to realize authentication. Kerberos is such an example. ■ In the literature, the differences btw authentication and key exchange are not very clear sometimes. 1. Authentication & Key Exchange ■ Key exchange usually requires authentication. Otherwise, you are not sure with whom you are agreeing on a session key. ■ However, authentication does not necessarily involve key exchange. ■ For example, a successful authentication can enable a client to enjoy a service without encryption. 2. Kerberos: What is it? ■ In Greek mythology, Kerberos is the guardian of Hades, a dog with three heads. ■ In security community, Kerberos denotes the distributed authentication protocol developed from MIT's project Athena in 1980s. 2. Kerberos: What is it? ■ Kerberos has been widely accepted in industry. ■ Kerberos has been integrated into Windows and many many versions of Unix systems. ■ Full specification of Kerberos Version 5 is given by a draft Internet Standard RFC 1510. ■ Free source codes for different releases of Kerberos are available at the Kerberos website: http://web.mit.edu/Kerberos/ 2. Kerberos: Motivations In this scenario of distributed networks, there exist at least three threats: ■ User impersonation: A dishonest user may pretend to be another user from the same workstation. ■ Network address impersonation: A dishonest user can changes the network address of his/her workstation to impersonate another workstation. ■ Eavesdropping, replay attack, and so on. Attackers may try their best to access network service by mounting different attacks. 2.1 Kerberos: Basic Ideas Kerberos uses symmetric mechanisms to realize entity authentication and key exchange. Basically, Kerberos uses two kinds of credentials: ■ Tickets: Issued by a trusted administration server that shows who is granted to access a specific service. ■ Authenticators: Used to prove the identity of a communicating client. 2.1 Kerberos: Basic Ideas This is similar to the following immigration policy, which allows a foreigner to enter a country: ■ Visa (=tickets in Kerberos): Specifies who is allowed to entry this country for how many days. ■ Passport (=Authenticators in Kerberos): Shows your identity, i.e., who are you. 2.1 Kerberos: Basic Ideas In Kerberos system, there are three kinds of servers: ■ Kerberos authentication server (AS): A centralized trusted authentication server for the whole system, who issues long lifetime tickets. ■ Ticket-granting servers (TGS): Issue short lifetime tickets. ■ Service server S: Provide different service. 2.1 Kerberos: Basic Ideas 2.2 The Protocol Kerberos (Version 5) can be divided into three procedures from the view point of a client: ■ obtaining ticket-granting ticket, ■ obtaining service ticket, and ■ obtaining a concrete service. We now discuss the details. 2.2 The Protocol 2.2 The Protocol Here: ■ K_c is derived from the client’s password, which is shared with the AS. ■ K_tgs is a secret key shared btw the AS and the TGS. ■ K_1 is session key that enables the client to authenticate itself to the TGS server. 2.2 The Protocol Here: ■ A1 is an authenticator using K1. ■ K2 is a session key that enables the client to authenticate itself to the server S. ■ Ks is a secret key shared btw the TGS and a server S. 2.2 The Protocol Here: ■ A1 is an authenticator using K2. ■ K3 is a session key for coming secure communications. ■ The server S authenticates itself to the client in step 6. 2.3 Kerberos: Its Limitations ■ Single Failure Problem: If the AS is down, no user can access any resources. So Kerberos is prone to denial-of-service (DoS) attacks. - Duplicated AS? Possible, but not easy to maintain. ■ Clock Synchronization is needed, since timestamps are used. Reasonable time interval for clock skew? - Too short: Rejecting many valid requests. - Too long: Suffering replay attack. 2.3 Kerberos: Its Limitations ■ Limited Scalability: Usually, the AS can support with hundreds of thousands users. Suitable for a university but not for the Internet, where PKIs with digital certificates are better. ■ Off-line Password Attacks: Kerberos is vulnerable to this kind of attacks since a message is encrypted with a key derived from the client's password. 3. Summary ■ Introduced off-line dictionary attack. ■ Briefly discussed the relation btw entity authentication and key exchange. ■ Reviewed a practice-oriented authentication protocol: Kerberos. - Basic ideas - Technical mechanisms - Limitations Questions and Comments?