Title: Chapter 8.5 AUTHENTICATION AND KEY DISTRIBUTION
- Prepared by Karthik V Puttaparthi
- kputtaparthi1_at_student.gsu.edu
OUTLINE
- Overview
- Protocols and Communication Services
- Design of Authentication Protocols
- Needham-Schroeder Protocol
- Denning-Sacco Protocol
- Kerberos Protocol
- Kerberos Protocol Version V
- References
PROTOCOLS AND COMMUNICATION SERVICES
- Authentication is the process of verifying the identity of an object entity.
- Password verification is a simple example of one-way user identification.
- In a distributed environment, there is a greater need to authenticate the machine the user connects to as well.
- This type of mutual authentication is even more important for communication between autonomous principals under different administrative authorities in a client/server distributed environment.
- Messages being exchanged must also be authenticated such that they are free of forgery, counterfeiting and repudiation.
- Forgery could occur when a communication key is compromised.
- A counterfeit is the replay of a secret message in the context of communication.
- Repudiation is the denial of sending what seems to be an authenticated message.
- For message authenticity, an irreproducible secret message digest can be used to sign the message.
- Secrecy of information can be accomplished by encryption using secret keys.
Design of Authentication Protocols
                    Connection      Connectionless
  Peer processes    Interactive     One-way
  Client / Server   Session         Request / Response
- Authentication protocols are all about distribution and management of secret keys.
- Key distribution in a distributed environment is an implementation of distributed authentication protocols.
- Design of distributed authentication protocols depends on the underlying communication service, i.e. connectionless or connection-oriented.
- Most distributed applications follow the client/server programming paradigm, and client/server interaction is viewed as request/reply communication.
- A session key can also be used for client/server communication. It is conceptually similar to tickets.
- A ticket is a signed certificate that contains information for authenticating the client.
- The Kerberos protocol was the first one to use the ticket notion.
- All protocols assume that some secret information is held initially by each principal.
- Authentication is achieved by one principal demonstrating to the other that it holds that secret information.
- All protocols assume that the system environment is very insecure and is open to attack.
- A message received by a principal must have its origin authenticity, integrity and freshness verified.
- To achieve these goals, most protocols need to rely on an authentication server.
- The authentication server delivers good quality session keys to requesting principals securely.
- Protocols are divided into two categories according to how they verify the freshness of a message.
- The first category uses a nonce and a challenge/response handshake to verify freshness.
- The second category uses timestamps and assumes that all machines in the distributed system are clock-synchronized.
Needham-Schroeder Protocol (1978)
- First to use encryption techniques for authentication and key distribution.
- Five steps ({X}K denotes X encrypted under key K):
  1. A -> S: A, B, Na
  2. S -> A: {Na, B, Kab, {A, Kab}Kbs}Kas
  3. A -> B: {A, Kab}Kbs
  4. B -> A: {Nb}Kab
  5. A -> B: {Nb - 1}Kab
- A contacts S, which returns a session key and a certificate encrypted with Kbs.
- B decrypts it and does a nonce handshake with A to assure the freshness.
- Subtracting 1 from Nb in the last message ensures that it is not a replay of the previous message from B to A.
- Denning and Sacco found a drawback.
- If the session key between A and B is compromised, an intruder can impersonate A by carrying out the last 3 steps.
- Needham and Schroeder responded by requiring A to obtain another nonce from B before it contacts S and requiring S to put this nonce into the certificate to be forwarded to B.
Denning-Sacco Protocol (1981)
- Uses timestamps rather than nonces to guarantee message freshness.
  1. A -> S: A, B
  2. S -> A: {B, Kab, Ts, {A, Kab, Ts}Kbs}Kas
  3. A -> B: {A, Kab, Ts}Kbs
- A and B can verify the message freshness by checking |Clock - T| < Δt1 + Δt2.
- Clock is the local clock time, Δt1 is the normal discrepancy between the server's clock and the local clock, and Δt2 is the expected network delay.
- So long as Δt1 + Δt2 is less than the interval between two contiguous authentication sessions, message freshness is guaranteed.
- Denning-Sacco has better performance than Needham-Schroeder as it eliminates the message handshake.
- The drawback is that all machines must be clock-synchronized with the authentication server.
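The drawback Denning and Sacco found and the timestamp check that addresses it, seen from B's side, as an added example that is not part of the original slides. The function names, keys and times are constructed, and `seal`/`unseal` use an HMAC tag as a stand-in for encryption (authenticity only, no secrecy).

```python
import hashlib, hmac, json, secrets

def seal(key, fields):
    """Stand-in for {fields}key: HMAC-tagged JSON (authenticity only, no secrecy)."""
    body = json.dumps(fields, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).digest() + body

def unseal(key, blob):
    tag, body = blob[:32], blob[32:]
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        raise ValueError("not sealed under this key")
    return json.loads(body)

KBS = b"constructed long-term key of B"   # shared by B and S only

def ns_b_accepts(msg3, peer_kab):
    """Needham-Schroeder messages 3-5 at B; peer_kab is the key the sender holds."""
    kab = bytes.fromhex(unseal(KBS, msg3)["Kab"])      # 3. {A, Kab}Kbs carries no date
    nb = secrets.randbelow(2**32) + 1
    msg4 = seal(kab, {"Nb": nb})                       # 4. {Nb}Kab
    try:                                               # sender builds message 5
        msg5 = seal(peer_kab, {"Nb-1": unseal(peer_kab, msg4)["Nb"] - 1})
        return unseal(kab, msg5)["Nb-1"] == nb - 1     # 5. {Nb - 1}Kab
    except ValueError:
        return False

def ds_b_accepts(msg3, clock, dt1, dt2):
    """Denning-Sacco message 3 at B: {A, Kab, Ts}Kbs plus the clock check."""
    cert = unseal(KBS, msg3)
    return abs(clock - cert["Ts"]) < dt1 + dt2         # |Clock - T| < dt1 + dt2

# Constructed scenario: S issued Kab at time 1000. Kab later leaked, and the old
# message 3 is presented to B again at time 90000.
OLD_KAB = bytes(range(16))
OLD_NS_MSG3 = seal(KBS, {"A": "alice", "Kab": OLD_KAB.hex()})
OLD_DS_MSG3 = seal(KBS, {"A": "alice", "Kab": OLD_KAB.hex(), "Ts": 1000})

if __name__ == "__main__":
    print("NS, old msg3, sender holds old Kab:", ns_b_accepts(OLD_NS_MSG3, OLD_KAB))
    print("NS, old msg3, sender lacks Kab:    ", ns_b_accepts(OLD_NS_MSG3, b"x" * 16))
    print("DS near issue time (clock=1002):   ", ds_b_accepts(OLD_DS_MSG3, 1002, 2, 3))
    print("DS, old msg3 (clock=90000):        ", ds_b_accepts(OLD_DS_MSG3, 90000, 2, 3))
```

The nonce handshake only proves that the sender holds Kab, so B accepts the old certificate once that key has leaked; the timestamped certificate is rejected as soon as it falls outside the Δt1 + Δt2 window.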
Kerberos Protocol (1980)
- As a part of Project Athena at MIT, Kerberos is one of the most promising implementations of an authentication service.
- Based on Needham-Schroeder but also uses timestamps as suggested by Denning-Sacco.
- The authentication service is divided between two servers: Kerberos Server and Ticket Granting Server (TGS).
- Simplified version of Kerberos that treats the Kerberos server and TGS as a single entity S:
  1. A -> S: A, B
  2. S -> A: {Kab, Ticketab}Kas
     where Ticketab = {B, A, addr, Ts, L, Kab}Kbs
  3. A -> B: Authenticatorab, Ticketab
     where Authenticatorab = {A, addr, Ta}Kab
  4. B -> A: {Ta + 1}Kab
- A sends its own identity to S before it connects to B.
- S responds with session key Kab and a ticket for B.
- The ticket contains the identities of B and A, the IP address of A, timestamp Ts, lifetime L and a session key to identify A.
- A now creates its own authenticator containing A's identity, its IP address and a timestamp, and sends it to B along with B's ticket.
- B decrypts the ticket and authenticator, and compares two pieces of information.
- First, their identity and address information must match.
- Second, the discrepancy between the time in the authenticator and the current local time must not exceed a predetermined value.
- If these match, B authenticates A's identity and allows the service request to proceed.
- Drawbacks of Kerberos were identified by Bellovin and Merritt.
- Drawbacks include difficulty in adapting to all environments, and the need for special purpose hardware.
- To fix some of these problems, Kerberos has been upgraded to version V.
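B's side of message 3 in the simplified protocol, as an added example that is not part of the original slides. It assumes the ticket and authenticator are already decrypted; the class and function names, the 300-second limit and the sample values are constructed, and the server-name and lifetime checks are assumptions beyond the two comparisons the slides list.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Ticket:            # plaintext of {B, A, addr, Ts, L, Kab}Kbs (Kab omitted here)
    server: str
    client: str
    addr: str
    ts: int
    lifetime: int

@dataclass(frozen=True)
class Authenticator:     # plaintext of {A, addr, Ta}Kab
    client: str
    addr: str
    ta: int

MAX_SKEW = 300           # assumed "predetermined value", in seconds

def verify_request(me, ticket, auth, now, max_skew=MAX_SKEW):
    """Return (True, Ta + 1) for message 4, or (False, name of the failed check)."""
    if ticket.server != me:
        return False, "ticket issued for another server"
    # First check: identity and address in the authenticator must match the ticket.
    if (auth.client, auth.addr) != (ticket.client, ticket.addr):
        return False, "identity/address mismatch"
    # Assumed use of Ts and L: the ticket is valid from Ts until Ts + L.
    if not ticket.ts - max_skew <= now <= ticket.ts + ticket.lifetime:
        return False, "ticket outside lifetime"
    # Second check: Ta must be close to B's local clock.
    if abs(now - auth.ta) > max_skew:
        return False, "authenticator timestamp outside allowed skew"
    return True, auth.ta + 1

# Constructed sample values.
TICKET = Ticket("fileserver", "alice", "10.0.0.5", ts=1000, lifetime=28800)
GOOD = Authenticator("alice", "10.0.0.5", ta=1500)

if __name__ == "__main__":
    other_addr = Authenticator("alice", "10.0.0.99", ta=1500)
    late = Authenticator("alice", "10.0.0.5", ta=40000)
    print(verify_request("fileserver", TICKET, GOOD, now=1502))
    print(verify_request("fileserver", TICKET, other_addr, now=1502))
    print(verify_request("fileserver", TICKET, GOOD, now=5000))
    print(verify_request("fileserver", TICKET, late, now=40000))
```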
Kerberos Protocol Version V (1993)
[Figure: Client (C), Authentication Server (K), Ticket Granting Server (G) and Server (S) exchanging messages 1-5]
  1. C -> K: C, G, N
  2. K -> C: {Kcg, N}Kc, Ticketcg
  3. C -> G: Authenticatorcg, Ticketcg
  4. G -> C: {Kcs, N}Kcg, Ticketcs
  5. C -> S: Authenticatorcs, Ticketcs
- This protocol separates the authentication server S into a Kerberos server (K) for authentication and a Ticket Granting Server (G).
- Client (C) first sends the identities of itself and the TGS to Authentication Server K. (Message 1)
- Authentication Server K does the initial login and grants a ticket for the TGS. (Message 2)
- Client (C) sends an authenticator to the TGS to identify itself (like simplified Kerberos). (Message 3)
- Messages 4 and 5 are similar to Messages 2 and 3 respectively.
- Most widely implemented protocol.
- Implemented in the Distributed Computing Environment (DCE) security service and SESAME (A Secure European System for Application in a Multi-vendor Environment).
References
- Distributed Operating Systems and Algorithms by Randy Chow and Theodore Johnson
- On the design of authentication protocols for third generation, ieeexplore.ieee.org/iel5/8635/27371/01217358.pdf
- Clifford Neuman. The Kerberos Network Authentication Service (V5). Internet Draft ietf-cat-kerb-kerberos-revision-04.txt, June 1999
- http://en.wikipedia.org/wiki/Needham-Schroeder, March 29, 2007
- http://web.mit.edu/Kerberos/, April 2, 2007
- http://en.wikipedia.org/wiki/Kerberos_%28protocol%29, April 8, 2007