Transcript Slide 1
Kerberos
Guilin Wang
School of Computer Science
03 Dec. 2007
Outline
■ Password-based key agreement protocols
(Continuing our last lecture).
■ Kerberos authentication protocol.
0. Password-based Protocols
■
In the NS protocol, both parties need to share longterm secrets with the server. For humans, long secret
keys are not easy to memorize.
■
One naïve approach is to set long-term secrets as
passwords.
■
For example, let Kbs=Pbs, a password shared btw B
and S in the NS protocol.
0. Password-based Protocols
■
However, this approach suffers off-line dictionary
attack.
3. A B : EPbs ( K , A)
■
That is, an attacker can try each possible P’ to decrypt
EP-bs (K, A). If
DP'[ EPbs ( K , A)] ... || A,
P’ is likely the correct password.
0. Password-based Protocols
■
Off-line dictionary attack works since passwords are
short strings with low entropy.
■
Countermeasures:
- Enhance the strength of passwords by requiring
certain length, format, and randomness.
- Combine the password with a security token.
0. Password-based Protocols
The following Encrypted Key Exchange (EKE) protocol
can resist the off-line dictionary attack:
■ PK is an ephemeral public key generated by A.
■ B transfers K to A by using double encryptions.
■ Why EKE protocol is immune to the off-line dictionary
attack?
1. Authentication & Key Exchange
■
The purpose of entity authentication is to prevent
impersonation attack.
■
Authentication is important in key exchange. E.g, the
DH protocol suffers the MITM attack.
■
Actually, key exchange techniques can also be used to
realize authentication. Kerberos is such an example.
■
In the literature, the differences btw authentication and
key exchange are not very clear sometimes.
1. Authentication & Key Exchange
■
Key exchange usually requires authentication.
Otherwise, you are not sure with whom you are
agreeing on a session key.
■
However, authentication does not necessarily involve
key exchange.
■
For example, a successful authentication can enable a
client to enjoy a service without encryption.
2. Kerberos: What is it?
■
In Greek mythology, Kerberos is the guardian of
Hades, a dog with three heads.
■
In security community, Kerberos denotes the
distributed authentication protocol developed from
MIT's project Athena in 1980s.
2. Kerberos: What is it?
■
Kerberos has been widely accepted in industry.
■
Kerberos has been integrated into Windows and many
many versions of Unix systems.
■
Full specification of Kerberos Version 5 is given by a
draft Internet Standard RFC 1510.
■
Free source codes for different releases of Kerberos
are available at the Kerberos website:
http://web.mit.edu/Kerberos/
2. Kerberos: Motivations
In this scenario of distributed networks, there exist at least
three threats:
■ User impersonation:
A dishonest user may pretend to be another user from the
same workstation.
■
Network address impersonation:
A dishonest user can changes the network address of his/her
workstation to impersonate another workstation.
■
Eavesdropping, replay attack, and so on.
Attackers may try their best to access network service by
mounting different attacks.
2.1 Kerberos: Basic Ideas
Kerberos uses symmetric mechanisms to realize entity
authentication and key exchange. Basically, Kerberos
uses two kinds of credentials:
■ Tickets:
Issued by a trusted administration server that shows
who is granted to access a specific service.
■
Authenticators:
Used to prove the identity of a communicating client.
2.1 Kerberos: Basic Ideas
This is similar to the following immigration policy,
which allows a foreigner to enter a country:
■ Visa (=tickets in Kerberos):
Specifies who is allowed to entry this country for how
many days.
■
Passport (=Authenticators in Kerberos):
Shows your identity, i.e., who are you.
2.1 Kerberos: Basic Ideas
In Kerberos system, there are three kinds of servers:
■ Kerberos authentication server (AS):
A centralized trusted authentication server for the whole
system, who issues long lifetime tickets.
■ Ticket-granting servers (TGS):
Issue short lifetime tickets.
■ Service server S:
Provide different service.
2.1 Kerberos: Basic Ideas
2.2 The Protocol
Kerberos (Version 5) can be divided into three
procedures from the view point of a client:
■
obtaining ticket-granting ticket,
■
obtaining service ticket, and
■
obtaining a concrete service.
We now discuss the details.
2.2 The Protocol
2.2 The Protocol
Here:
■ K_c is derived from the client’s password, which is
shared with the AS.
■ K_tgs is a secret key shared btw the AS and the TGS.
■ K_1 is session key that enables the client to
authenticate itself to the TGS server.
2.2 The Protocol
Here:
■ A1 is an authenticator using K1.
■ K2 is a session key that enables the client to
authenticate itself to the server S.
■ Ks is a secret key shared btw the TGS and a server S.
2.2 The Protocol
Here:
■ A1 is an authenticator using K2.
■ K3 is a session key for coming secure communications.
■ The server S authenticates itself to the client in step 6.
2.3 Kerberos: Its Limitations
■
Single Failure Problem: If the AS is down, no user
can access any resources. So Kerberos is prone to
denial-of-service (DoS) attacks.
- Duplicated AS? Possible, but not easy to maintain.
■
Clock Synchronization is needed, since timestamps
are used. Reasonable time interval for clock skew?
- Too short: Rejecting many valid requests.
- Too long: Suffering replay attack.
2.3 Kerberos: Its Limitations
■
Limited Scalability: Usually, the AS can support with
hundreds of thousands users. Suitable for a university
but not for the Internet, where PKIs with digital
certificates are better.
■
Off-line Password Attacks: Kerberos is vulnerable to
this kind of attacks since a message is encrypted with
a key derived from the client's password.
3. Summary
■
Introduced off-line dictionary attack.
■
Briefly discussed the relation btw entity authentication
and key exchange.
■
Reviewed a practice-oriented authentication protocol:
Kerberos.
- Basic ideas
- Technical mechanisms
- Limitations
Questions and Comments?