1 Distributed Computer Security: Authentication and Key Distribution Vijay Jain CSc 8320, Spring 2007
2 Outline Overview Design of Authentication Protocols Needham-Schroeder Protocol Denning-Sacco Protocol Kerberos Protocol Kerberos Protocol Version V References
3 Overview Password verification is a simple example of one-way user identification. In a distributed environment, there is a greater need to authenticate the machine the user connects to as well. This type of mutual authentication is even more important for communication between autonomous principals under different administrative authorities in a client/server distributed environment.
4 Overview (cont…) Messages being exchanged must also be authenticated such that they are free of forgery, counterfeiting and repudiation. Forgery could occur when a communication key is compromised. A counterfeit is the replay of a secret message in the context of communication.
5 Overview (cont…) For message authenticity, an irreproducible secret message digest can be used to sign the message. Secrecy of information can be accomplished by encryption using secret keys.
6 Design of Authentication Protocols Authentication protocols are all about distribution and management of secret keys. Key distribution in a distributed environment is an implementation of distributed authentication protocols. Design of distributed authentication protocols depends on underlying communication service, i.e. connectionless or connection-oriented.
7 Design of Authentication Protocols (cont…) ConnectionConnectionless Peer processes Client / Server Most distributed applications follow Client/Server programming paradigm and Client/Server interaction is viewed as request / reply communication. InteractiveOne-way SessionRequest / Response
8 Design of Authentication Protocols (cont…) Session key can also be used for Client / Server communication. Conceptually similar with tickets. A ticket is a signed certificate that contains information for authenticating the client. Kerberos Protocol was the first one to use the ticket notion.
9 Design of Authentication Protocols (cont…) All protocols assume that some secret information is held initially by each principal. Authentication is achieved by one principal demonstrating the other that it holds that secret information. All protocols assume that system environment is very insecure and is open for attack.
10 Design of Authentication Protocols (cont…) Message received by a principal must have its origin authenticity, integrity and freshness verified. To achieve these goals, most protocols need to rely on an authentication server. Authentication server delivers good quality session keys to requesting principals securely.
11 Design of Authentication Protocols (cont…) Protocol are divided into two categories to verify the freshness of a message. First category uses nonce and challenge/ response handshake to verify freshness. Second category uses timestamps and assumes that all machines in distributed system are clock-synchronized.
12 Needham-Schroeder Protocol (1978) First to use the encryption techniques for authentication and key distribution. Five Steps… 1.A->S : A, B, N a 2.S->A: {N a, B, K ab, {A, K ab }K bs }K as 3.A->B: {A, K ab }K bs 4.B->A: {N b }K ab 5.A->B: {N b - 1}K ab
13 Needham-Schroeder Protocol (cont…) A contacts S which returns a session key and certificate encrypted with K bs. B decrypts it and does a nonce handshake with A assure the freshness. Subtracting 1 from N b in last message ensures that its not a replay of the previous message from B to A.
14 Needham-Schroeder Protocol (cont…) Denning and Sacco found a drawback. If session key between A and B is compromised, an intruder can impersonate A by carrying out last 3 steps. Needham-Schroeder responded by requiring A to obtain another nonce from B before it contacts S and requiring S to put this nonce into certificate to be forwarded to B.
15 Denning-Sacco Protocol (1981) Uses timestamps rather than nonce to guarantee message freshness. 1.A->S: A, B 2.S->A: {B, K ab,T s {A, K ab, T s }K bs }K as 3.A->B: {A, K ab, T s }K bs A and B can verify the message freshness by checking: Clock – T < Δt1 + Δt2
16 Denning-Sacco Protocol (cont…) Clock is the local clock time. Δt1 is normal discrepancy between server’s clock and local clock. Δt2 is expected network delay. So long Δt1 + Δt2 is less than the interval between two contiguous authentication sessions, message freshness is guaranteed.
17 Denning-Sacco Protocol (cont…) Denning-Sacco has better performance than Needham-Schroeder as it eliminates message handshake. But drawback is that all machines must be clock-synchronized with authentication server.
18 Kerberos Protocol (1980s) As a part of project Athena at MIT, Kerberos is one of the most promising implementation of authentication service. Based on Needham-Schroeder but also uses timestamps suggested by Denning-Sacco. Authentication service is divided on two servers: Kerberos Server and Ticket Granting Server (TGS).
19 Kerberos Protocol (cont…) Simplified version of Kerberos that treats Kerberos server and TGS as single entity S. 1. A->S: A, B 2.S->A: {K ab, Ticket ab }K as Where Ticket ab = {B, A, addr, T s, L, K ab }K bs 3. A->B: Authenticator ab, Ticket ab Where Authenticator ab = {A, addr, T a }K ab 4. B->A: {T a + 1}K ab
20 Kerberos Protocol (cont…) A sends its own identity to S before it connect to B. S responds with session key Kab and a ticket for B. Ticket contains identities of B and A, IP of A, timestamp T s, lifetime L and a session key to identify A. A now creates its own authenticator containing A’s identity, its IP and timestamp and sends it to B along with the B’s ticket.
21 Kerberos Protocol (cont…) B decrypts the ticket and authenticator, and compares two pieces of information. First, their identity and address information must match. Second, discrepancy between time in authenticator and current local time must not exceed a predetermined value. If these match, B authenticates the A’s identity and allows the service request to proceed.
22 Kerberos Protocol (cont…) Drawbacks of Kerberos were identified by Bellovin and Merritt. Drawback includes difficulty in adapting to all environments, and the need for special purpose hardware. To fix some of these problems, Kerberos has been upgraded to version V.
23 Kerberos Protocol Version V (1993) Authentication Server Ticket Granting Server K G 1 Client Server 5 CS 1.C->K: C, G, N 2.K->C: {K cg, N}K c, Ticket cg 3.C->G: Authenticator cg, Ticket cg 4.G->C: {K cs, N}K cg, Ticket cs 5.C->S: Authenticator cs, Ticket cs
24 Kerberos Protocol Version V (cont…) This protocol separates the authentication server S into Kerberos server (K) for authentication and Ticket Granting Server (G). Client (C) first sends identity for itself and TGS to Authentication Server K. (Message 1) Authentication Server K does the initial login and grants ticket for TGS. (Message 2) Client (C) sends authenticator to TGS to identify itself (like simplified Kerberos). (Message 3)
25 Kerberos Protocol Version V (cont…) Message 4 and 5 are similar to Message 2 and 3 respectively. Most widely implemented protocol. Implemented in Distributed Computing Environment (DCE) security service and SESAME (A Secure European System for Application in a Multi-vendor Environment).
26 References “Distributed Operating Systems and Algorithms” by Randy Chow and Theodore Johnson B. Clifford Neuman and Theodore Ts'o. Kerberos: An Authentication Service for Computer Networks, IEEE Communications, 32(9): September 1994 Clifford Neumann. The Kerberos Network Authentication Service (V5). Internet Draft ietf-cat-kerb-kerberos-revision-04.txt, June 1999 B. Clifford Neuman, Brian Tung, and John Wray. Public Key Cryptography for Initial Authentication in Kerberos, Internet Draft ietf-cat-kerberos-pk-init-09, July [Accessed: March 29, 2007] [Accessed: April 2, 2007] [Accessed: April 8, 2007]