Chapter 8.5 AUTHENTICATION AND KEY DISTRIBUTION Prepared by: Karthik V Puttaparthi kputtaparthi1@student.gsu.edu

OUTLINE Overview Protocols and Communication Services Design of Authentication Protocols Needham-Schroeder Protocol Denning-Sacco Protocol Kerberos Protocol Kerberos Protocol Version V References

PROTOCOLS AND COMMUNICATION SERVICES Authentication is the process of verifying the identity of an object entity. Password verification is a simple example of one-way user identification. In a distributed environment, there is a greater need to authenticate the machine the user connects to as well. This type of mutual authentication is even more important for communication between autonomous principals under different administrative authorities in a client/server distributed environment.

PROTOCOLS AND COMMUNICATION SERVICES Messages being exchanged must also be authenticated such that they are free of forgery, counterfeiting and repudiation. Forgery could occur when a communication key is compromised. A counterfeit is the replay of a secret message in the context of communication. Repudiation is the denial of sending what seems to be an authenticated message.

PROTOCOLS AND COMMUNICATION SERVICES For message authenticity, an irreproducible secret message digest can be used to sign the message. Secrecy of information can be accomplished by encryption using secret keys.

Design of Authentication Protocols Connection Connectionless Peer processes Client / Server Authentication protocols are all about distribution and management of secret keys. Key distribution in a distributed environment is an implementation of distributed authentication protocols. Interactive One-way Session Request / Response

Design of Authentication Protocols Design of distributed authentication protocols depends on underlying communication service, i.e. connectionless or connection-oriented. Most distributed applications follow Client/Server programming paradigm and Client/Server interaction is viewed as request / reply communication. Session key can also be used for Client / Server communication. Conceptually similar with tickets. A ticket is a signed certificate that contains information for authenticating the client. Kerberos Protocol was the first one to use the ticket notion.

Design of Authentication Protocols All protocols assume that some secret information is held initially by each principal. Authentication is achieved by one principal demonstrating the other that it holds that secret information. All protocols assume that system environment is very insecure and is open for attack.

Design of Authentication Protocols Message received by a principal must have its origin authenticity, integrity and freshness verified. To achieve these goals, most protocols need to rely on an authentication server. Authentication server delivers good quality session keys to requesting principals securely.

Design of Authentication Protocols Protocol are divided into two categories to verify the freshness of a message. First category uses nonce and challenge/ response handshake to verify freshness. Second category uses timestamps and assumes that all machines in distributed system are clock-synchronized.

Needham-Schroeder Protocol (1978) First to use the encryption techniques for authentication and key distribution. Five Steps… A->S : A, B, Na S->A: {Na, B, Kab, {A, Kab}Kbs}Kas A->B: {A, Kab}Kbs B->A: {Nb}Kab A->B: {Nb - 1}Kab A contacts S which returns a session key and certificate encrypted with Kbs. B decrypts it and does a nonce handshake with A assure the freshness. Subtracting 1 from Nb in last message ensures that its not a replay of the previous message from B to A.

Needham-Schroeder Protocol (1978) Five Steps… A->S : A, B, Na S->A: {Na, B, Kab, {A, Kab}Kbs}Kas A->B: {A, Kab}Kbs B->A: {Nb}Kab A->B: {Nb - 1}Kab Denning and Sacco found a drawback. If session key between A and B is compromised, an intruder can impersonate A by carrying out last 3 steps. Needham-Schroeder responded by requiring A to obtain another nonce from B before it contacts S and requiring S to put this nonce into certificate to be forwarded to B.

Denning-Sacco Protocol (1981) Uses timestamps rather than nonce to guarantee message freshness. A->S: A, B S->A: {B, Kab,Ts{A, Kab, Ts}Kbs}Kas A->B: {A, Kab, Ts}Kbs A and B can verify the message freshness by checking: Clock – T < Δt1 + Δt2

Denning-Sacco Protocol (1981) Clock is the local clock time. Δt1 is normal discrepancy between server’s clock and local clock. Δt2 is expected network delay. So long Δt1 + Δt2 is less than the interval between two contiguous authentication sessions, message freshness is guaranteed. Denning-Sacco has better performance than Needham-Schroeder as it eliminates message handshake. But drawback is that all machines must be clock-synchronized with authentication server.

Kerberos Protocol (1980) As a part of project Athena at MIT, Kerberos is one of the most promising implementation of authentication service. Based on Needham-Schroeder but also uses timestamps suggested by Denning-Sacco. Authentication service is divided on two servers: Kerberos Server and Ticket Granting Server (TGS).

Kerberos Protocol (1980) Simplified version of Kerberos that treats Kerberos server and TGS as single entity S. 1. A->S: A, B 2. S->A: {Kab, Ticketab}Kas Where Ticketab = {B, A, addr, Ts, L, Kab}Kbs 3. A->B: Authenticatorab, Ticketab Where Authenticatorab = {A, addr, Ta}Kab 4. B->A: {Ta + 1}Kab A sends its own identity to S before it connect to B. S responds with session key Kab and a ticket for B.

Kerberos Protocol (1980) 1. A->S: A, B 2. S->A: {Kab, Ticketab}Kas Where Ticketab = {B, A, addr, Ts, L, Kab}Kbs 3. A->B: Authenticatorab, Ticketab Where Authenticatorab = {A, addr, Ta}Kab 4. B->A: {Ta + 1}Kab Ticket contains identities of B and A, IP of A, timestamp Ts, lifetime L and a session key to identify A. A now creates its own authenticator containing A’s identity, its IP and timestamp and sends it to B along with the B’s ticket. B decrypts the ticket and authenticator, and compares two pieces of information.

Kerberos Protocol (1980) First, their identity and address information must match. Second, discrepancy between time in authenticator and current local time must not exceed a predetermined value. If these match, B authenticates the A’s identity and allows the service request to proceed. Drawbacks of Kerberos were identified by Bellovin and Merritt. Drawback includes difficulty in adapting to all environments, and the need for special purpose hardware. To fix some of these problems, Kerberos has been upgraded to version V.

Kerberos Protocol Version V 1993 Authentication Server Ticket Granting Server 1 Client 2 3 4 Server 5 K C S G C->K: C, G, N K->C: {Kcg, N}Kc, Ticketcg C->G: Authenticatorcg, Ticketcg G->C: {Kcs, N}Kcg, Ticketcs C->S: Authenticatorcs, Ticketcs

Kerberos Protocol Version V (cont…) This protocol separates the authentication server S into Kerberos server (K) for authentication and Ticket Granting Server (G). Client (C) first sends identity for itself and TGS to Authentication Server K. (Message 1) Authentication Server K does the initial login and grants ticket for TGS. (Message 2) Client (C) sends authenticator to TGS to identify itself (like simplified Kerberos). (Message 3)

Kerberos Protocol Version V 1993 Message 4 and 5 are similar to Message 2 and 3 respectively. Most widely implemented protocol. Implemented in Distributed Computing Environment (DCE) security service and SESAME (A Secure European System for Application in a Multi-vendor Environment).

References “Distributed Operating Systems and Algorithms” by Randy Chow and Theodore Johnson On the design of authentication protocols for third generation ieeexplore.ieee.org/iel5/8635/27371/01217358.pdf Clifford Neumann. The Kerberos Network Authentication Service (V5). Internet Draft ietf-cat-kerb-kerberos-revision-04.txt, June 1999 http://en.wikipedia.org/wiki/Needham-Schroeder [March 29, 2007] http://web.mit.edu/Kerberos/ [April 2, 2007] http://en.wikipedia.org/wiki/Kerberos_%28protocol%29 [April 8, 2007]