Kerberos Authentication

Date post: 23-Jan-2016

Page 1: Kerberos Authentication

Kerberos Authentication

Page 2: Kerberos Authentication

Alternative to one time passwords

There is a need for an authentication scheme that never sends passwords in clear text over the network.

A one-time password is an example: the actual password is not sent over the communication line; instead a derivative of it is sent to the server.

Authentication methods based on cryptography are required.

There is also a need to authenticate to services without entering a password every time, e.g. the r-commands on Unix.

Page 3: Kerberos Authentication

One-time passwords

As the name implies, a password is used only once. Typically the password is generated by repeatedly applying the MD5 algorithm to a secret password.

Let p be the password and f the one-way MD5 function. Initially let n = 9; then the first password transmitted for verification will be f^9(p), the next one f^8(p), and so on.
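The hash chain described above, as an added example that is not part of the original slides: the server is registered with f^10(p) so that the first login sends f^9(p) and the next f^8(p), exactly as on the slide, and it rejects replayed or out-of-order values. MD5 is used only because the slide names it; the class and function names are this example's own.

```python
import hashlib

def f(x: bytes) -> bytes:
    """The slide's one-way function f: a single MD5 application."""
    return hashlib.md5(x).digest()

def f_n(p: bytes, n: int) -> bytes:
    """f^n(p): f applied n times to the password p."""
    for _ in range(n):
        p = f(p)
    return p

class OtpServer:
    """Stores only the current chain head f^n(p); the password p never leaves the client."""

    def __init__(self, p: bytes, n: int = 10):
        self.n = n
        self.head = f_n(p, n)            # registered once, e.g. out of band

    def verify(self, candidate: bytes) -> bool:
        if self.n <= 1:                  # next value would be p itself: chain is spent
            return False
        if f(candidate) != self.head:    # a valid login sends f^(n-1)(p)
            return False
        self.head, self.n = candidate, self.n - 1   # step down; the old value is now useless
        return True

def client_login_value(p: bytes, n: int, i: int) -> bytes:
    """What the client sends for its i-th login (i = 1, 2, ...): f^(n-i)(p)."""
    return f_n(p, n - i)
```

An eavesdropper who captures f^9(p) still cannot produce f^8(p), because that would require inverting f.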

Page 4: Kerberos Authentication

Kerberos Authentication

Alternative to one-time passwords: allow workstations to authenticate themselves to services running on servers without ever sending a password in clear text over the network.

Page 5: Kerberos Authentication

Kerberos Authentication

Kerberos is a distributed authentication service that allows a process (a client) running on behalf of a principal (a user) to prove its identity to a verifier (an application server, or simply a server) without sending data across the network that could be used to impersonate the principal.

Developed as part of MIT’s Project Athena.

Page 6: Kerberos Authentication

The Word of “Kerberos”

Also spelled Cerberus. n. The watch dog of Hades (in ancient Greece), whose duty was to guard the entrance -- against whom or what does not clearly appear; ...it is known to have three heads. ...

--- The Enlarged Devil’s Dictionary, by Ambrose Bierce

Page 7: Kerberos Authentication

How Kerberos works

The Kerberos authentication scheme uses a series of encrypted messages to prove to a verifier (server) that a client is running on behalf of a particular user.

More precisely, it proves that the client has knowledge of an encryption key that is known by the user and the authentication server.

The user's encryption key is derived from the user's password and should be thought of as a password; similarly, each application server shares an encryption key with the authentication server. Call this key the server key.

Page 8: Kerberos Authentication

How Kerberos works

The client (C) and server (V) do not initially share an encryption key.

Whenever the client authenticates itself to a new verifier, it relies on the authentication server (AS) to generate a new encryption key and distribute it securely to both parties.

This new encryption key is called the session key, and a ticket mechanism is used to distribute this key to the verifier.

Page 9: Kerberos Authentication

Kerberos Ticket

A ticket is a certificate issued by the authentication server, encrypted using the server key.

A ticket contains a random session key, which will be used for the authentication of the principal to the verifier; the name of the principal to whom the session key was issued; and an expiration time after which the session key is no longer valid (time stamp).

The ticket is not sent directly to the verifier, but is instead sent to the client, who forwards it to the verifier as part of the application request.

Since the ticket is encrypted in the server key, known only by the authentication server and the intended verifier, it is not possible for the client to modify the ticket without detection.

Page 10: Kerberos Authentication

Basic Kerberos (simplified)

Symbols used:
c: client / client name
v: server / server name
AS: authentication service
n: nonce
Kc,v: shared key between c and v
timeexp: expiring time
Kc: shared key between c and AS
Kv: shared key between v and AS
Ksubsession: a session key between c and v

Page 11: Kerberos Authentication

Basic Kerberos (simplified)

Figure: messages 1 and 2 pass between the client and the authentication service; messages 3 and 4 pass between the client and the server.

1. client → AS: client-name, server-name, expiring-time, random-num.

2. AS → client: DES_Kc(Kc,v, expiring-time, random-num., ...), DES_Kv(Tc,v)

3. client → server: DES_Kc,v(time-stamp, session-key, ...), DES_Kv(Tc,v)

4. server → client: DES_Kc,v(time-stamp) (this step is optional)

where Tc,v = Kc,v, client-name, expiring-time, ...
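The four-message exchange above, simulated end to end as an added example that is not part of the original slides: the AS issues Kc,v and the ticket DES_Kv(Tc,v), the client can only forward the ticket, and the server checks the ticket's key, expiry and the authenticator's timestamp and replay status. The DES_K(...) encryption is replaced by a constructed toy authenticated-encryption helper; the optional message 4 and the subsession key are omitted, and all names (KEYS, as_reply, client_request, server_verify, run) are this example's own.

```python
import hashlib, hmac, json, os, time

# Toy authenticated encryption standing in for the slide's DES_K(...): SHA-256
# keystream plus an HMAC tag (constructed for this example, not a real cipher).
def enc(key: bytes, obj: dict) -> bytes:
    nonce, pt = os.urandom(16), json.dumps(obj).encode()
    ks = hashlib.sha256(key + nonce).digest() * (len(pt) // 32 + 1)
    body = nonce + bytes(a ^ b for a, b in zip(pt, ks))
    return body + hmac.new(key, body, hashlib.sha256).digest()

def dec(key: bytes, blob: bytes) -> dict:
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered ciphertext")
    nonce, ct = body[:16], body[16:]
    ks = hashlib.sha256(key + nonce).digest() * (len(ct) // 32 + 1)
    return json.loads(bytes(a ^ b for a, b in zip(ct, ks)).decode())

# Long-term keys: Kc shared by client c and AS, Kv shared by server v and AS.
KEYS = {"alice": os.urandom(32), "fileserver": os.urandom(32)}
SEEN = set()                         # server-side replay cache of authenticators

def as_reply(c, v, exp, n):          # message 1 in, message 2 out
    kcv = os.urandom(32).hex()       # fresh session key Kc,v
    ticket = enc(KEYS[v], {"Kcv": kcv, "c": c, "exp": exp})      # DES_Kv(Tc,v)
    return enc(KEYS[c], {"Kcv": kcv, "exp": exp, "n": n}), ticket  # DES_Kc(...)

def client_request(c, reply, ticket, n):   # message 2 in, message 3 out
    creds = dec(KEYS[c], reply)
    if creds["n"] != n:
        raise ValueError("nonce mismatch: stale or replayed AS reply")
    authenticator = enc(bytes.fromhex(creds["Kcv"]), {"ts": time.time()})
    return authenticator, ticket     # client cannot read or alter the ticket

def server_verify(v, authenticator, ticket, now=None):   # message 3 in
    now = time.time() if now is None else now
    t = dec(KEYS[v], ticket)         # only AS and v know Kv: forged tickets fail
    if now > t["exp"]:
        raise ValueError("ticket expired")
    a = dec(bytes.fromhex(t["Kcv"]), authenticator)   # proves client holds Kc,v
    if abs(now - a["ts"]) > 300 or authenticator in SEEN:
        raise ValueError("stale or replayed authenticator")
    SEEN.add(authenticator)
    return t["c"]                    # the authenticated principal name

def run(c="alice", v="fileserver", lifetime=3600):
    n, exp = os.urandom(8).hex(), time.time() + lifetime
    reply, ticket = as_reply(c, v, exp, n)
    return server_verify(v, *client_request(c, reply, ticket, n))
```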

Page 12: Kerberos Authentication

Full Kerberos (simplified)

Symbols used:
c: client / client name
v: server / server name
AS: authentication service
TGS: ticket grant service
n: nonce
Kc,v: shared key between c and v
timeexp: expiring time
Kc: shared key between c and AS
Kv: shared key between v and AS
Ktgs: shared key between TGS and AS
Kc,tgs: shared key between c and TGS
Ksubsession: a session key between c and v

Page 13: Kerberos Authentication

Identification

An Identification (ID) Protocol allows one party (say Alice) to convince another party (say Bob) of her identity, similar to authentication.

But an ID protocol must also meet a more stringent requirement: it must be secure against ALL THREE types of attacks Marvin can mount (see the Attacks slide):

• Protocol eavesdropping

• Impersonating the verifier to the prover

• Honest-verifier knowledge compromise

Hence it is also called a "passport protocol".

Page 14: Kerberos Authentication

Exercise

State whether or not each of the following is an ID protocol, and if not, describe an attack (one of the 3 types) that it succumbs to:

• Challenge-and-response protocol

• One-way-function-based password protocol

Page 15: Kerberos Authentication

Schnorr passport protocol

Involving:

• A trusted authority (TA) to issue "certificates/passports"

• A certificate holder

• A verifier

Page 16: Kerberos Authentication

Setting up by the TA

TA's public key = (y, p, q, g), where

p = a prime of at least 512 bits.

q = a 160-bit prime divisor of p-1.

g = h^((p-1)/q) mod p, where h is any integer with 1 < h < p-1 such that h^((p-1)/q) mod p > 1 (g has order q mod p).

y = g^-x mod p, where x is an integer randomly selected from [1, q-1].

TA's secret key is x.

Page 17: Kerberos Authentication

Issuing a certificate by TA

Alice: pick a secret a at random from [1, q-1] and compute V = g^-a mod p.

Alice → TA: IDAlice || V

TA: check the ID, and then use the Schnorr signature to sign (IDAlice || V). Let W = sign(IDAlice || V).

TA → Alice: W

• Alice's certificate: (IDAlice || V || W)

• Alice's secret: a

Page 18: Kerberos Authentication

Schnorr signature - Signing a doc M by TA

To sign a document M = (IDAlice || V), TA does the following:

randomly pick an integer k from [1, q-1].

r = Hash(g^k mod p, M)

s = (k + x * r) mod q,

where Hash is a one-way hash.

TA's signature on M is the pair of numbers W = (r, s).

Page 19: Kerberos Authentication

How Alice proves her ID to Bob

Alice → Bob: forward the certificate (IDAlice || V || W).

Bob: verify the certificate; if not OK, then abort, otherwise reply OK.

Alice: pick k at random from [1, q-1] and compute Q = g^k mod p.

Alice → Bob: Q

Bob: pick a challenge c at random from [1, q-1].

Bob → Alice: c

Alice: compute d = k + a*c mod q.

Alice → Bob: d

Bob: accept if Q = g^d V^c mod p.
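The whole Schnorr passport protocol of the last four slides (TA setup, certificate issuing, Schnorr signature, and the Q/c/d proof), as an added example that is not part of the original slides. It uses a constructed toy group (p = 23, q = 11) instead of the 512-bit p and 160-bit q the slides require, so the numbers are readable but offer no security; the function names and the hash-to-integer encoding are this example's own.

```python
import hashlib, secrets

# Constructed toy group (the slide calls for a 512-bit p and 160-bit q): p = 23,
# q = 11 divides p-1 = 22, and h = 2 gives g = h^((p-1)/q) mod p = 4 of order 11.
p, q = 23, 11
g = pow(2, (p - 1) // q, p)

def Hash(point: int, M: bytes) -> int:
    """One-way hash of (g^k mod p, M) as an integer r; s reduces it mod q."""
    return int.from_bytes(hashlib.sha256(f"{point}|".encode() + M).digest(), "big")
def rand_exp() -> int:
    return secrets.randbelow(q - 1) + 1       # uniform in [1, q-1]
# TA setup: secret x, public y = g^-x mod p (g has order q, so g^-x = g^(q-x)).
x = rand_exp()
y = pow(g, q - x, p)

def ta_sign(M: bytes) -> tuple:
    k = rand_exp()
    r = Hash(pow(g, k, p), M)
    return r, (k + x * r) % q                  # W = (r, s)

def verify_sig(M: bytes, W: tuple) -> bool:
    r, s = W                                   # g^s * y^r = g^(k+xr) * g^(-xr) = g^k
    return Hash(pow(g, s, p) * pow(y, r, p) % p, M) == r

def issue_cert(id_alice: bytes, V: int) -> tuple:
    """TA checks the ID out of band, then signs IDAlice || V; returns the passport."""
    return id_alice, V, ta_sign(id_alice + b"||" + str(V).encode())

def alice_keygen() -> tuple:
    a = rand_exp()                             # Alice's secret
    return a, pow(g, q - a, p)                 # V = g^-a mod p

def alice_prover(a: int):
    """Alice's side: commit Q = g^k mod p, then answer challenge c with d = k + a*c mod q."""
    state = {}
    def step(msg: str, c: int = 0) -> int:
        if msg == "commit":
            state["k"] = rand_exp()
            return pow(g, state["k"], p)
        return (state["k"] + a * c) % q
    return step

def bob_verify(cert: tuple, prover) -> bool:
    id_alice, V, W = cert
    if not verify_sig(id_alice + b"||" + str(V).encode(), W):
        return False                           # certificate not OK: abort
    Q = prover("commit")
    c = rand_exp()                             # challenge c in [1, q-1]
    d = prover("respond", c)
    return Q == pow(g, d, p) * pow(V, c, p) % p   # g^(k+ac) * g^(-ac) = g^k = Q
```

Because c is chosen by Bob after Q is fixed, a prover who does not know a cannot satisfy the final check for any c in [1, q-1], which is the knowledge demonstration the previous slide calls the second part of the protocol.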

Page 20: Kerberos Authentication

Important points

Setting up & certificate issuing are one-off operations.

Bob the verifier needs to have access to TA’s public key.

The actual proving protocol has 2 parts: (1) show that the certificate is OK, and (2) demonstrate that Alice "knows" the secret associated with the certificate.

Page 21: Kerberos Authentication

Security of Schnorr Protocol

The Schnorr protocol (slightly modified) can be proved to be an ID protocol, assuming that the discrete-logarithm problem is hard: the probability that Marvin can successfully masquerade as Alice to an honest verifier Bob is negligibly small, even if Marvin mounts all three types of attacks.
