VKSF 423 System Administration III Authentication Kerberos
Announcements Slight modification to the syllabus Office hours Tuesday Thursday 10-12, 2-3 Lab Three: Virtualized Storage Veritas Storage Central OpenAFS LVM or EVMS Dynamic Disks (MS DFS)
Syllabus Modifications Old Component WeightNew Component Due date Labs25%No changeAll sign offs and submission by the end of 10 th week Practical25%No changeDemonstrated before exam week begins Group Presentation 10%In labIn lab approximately 5 minutes Group Report 10%Site BookDue by end of 10 th week Homework10%Group Evaluation How did the individuals contribute to the completion of the labs Final Exam20%No changeDuring the final exam period
Definitions Identification- assertion of who you are Authentication-process of proving one’s identity Authorization-The privileges that accrue to an identity Access control-Provide the correct services to the correct users
Two Types of Authentication User authentication Machine to machine authentication Cryptographic Other (weak)
Identification Who are you? Who do you claim to be? Who are you acting as?
Authentication Can you prove who you say you are? How? Something you know Passwords Something you are Biometrics Something you have Access tokens
Access Control All of the above Allow the correct users Into a system Access to appropriate resources Disallow invalid users Entry to the systems Deny access to restricted resources
Something you Know Passwords Oxymoron: Large random string != easy to remember Password design/assignment Multiple words/syllables Mixed case/digits/punctuation Storage Weak/strong encryption Users perceive the risks as minimal vs. need to get work done
Passwords Myth: never write down a password Recovery Helps more complicated passwords Multiple passwords Clues/questions One time passwords
Something you are Biometrics Voice, retinal, DNA, body geometry, signature, finger prints Hard to change Easy to forge
Something you have Access Tokens Physical keys Smart cards Translators Problems Stolen Duplicated Spoofed
Authentication Protocols Cryptographic methods to authenticate over a network Multiple vulnerabilities
Network Authentication Options Do nothing- trust machine to prevent unauthorized user access (control physical access) Require machine to prove identity to network, then trust machine to authenticate users and provide access control Require identification and authentication at each resource
Authentication Requirements Must be Secure A.k.a. secure enough to push hackers elsewhere Must be reliable Manageable level of false negatives and false positives Transparent to users Scalable to enterprise networks
Simple Protocol Bob enters password on client Client sends password to server Server looks up id and password in database of ids and passwords If it matches, validation message sent to client & Bob is in
Problems with simple scenario Clear text password in database Clear text password in transfer Confirmation spoofing
Password Database Hide Encrypt Salt Multiple serial encryptions
Transfer Hashing Encryption
Confirmation spoofing Simple T/F Alternate hash of password/known key Encryption
Improved Protocol: Challenge Avoid clear text transfer of password Bob informs server of desire to access Server offers a phrase to Bob Bob encrypts phrase with Bob’s password and sends to server Server, who already knows Bob’s password, also encrypts phrase with Bob’s password and compares
Problems with improved version Server needs clear text copy of Bob’s password Given enough instances of a login the original password could be determined
Use of a “Trusted Third Party” The “Blind Date” protocol I don’t know Kathy She doesn’t know me We both know Loretta We both separately contact Loretta Loretta “vouches” for me to Kathy Loretta “vouches” for Kathy to me
Levels of Kerberos Protection Authentication at initiation of network session, assume future messages from same address come from same machine Authentication of each message, no encryption of message Private messages-each message is authenticated and encrypted
Kerberos Modules Applications library Encryption library Database library Database administration programs Administration server Authentication server Db propagation software User programs applications
Kerberos Misc. Model based on Needham and Schroeder key distribution protocol Encryption done with DES Extendable to DES Cypher Block Chaining Database Contains one record/principal Record contains name, private key, expiration date of principal Name-
Kerberos Ticket Used to securely pass the identity of the person to whom the ticket was issued between the authentication server and the end server. Authenticator Contains additional information which when compared against the ticket proves that the client presenting the ticket is the same one to which the ticket was issued.
Kerberos Keeps database of clients and private keys If client is user, key is encrypted password Generates temporary private keys (session keys) Session keys are given to two clients to encrypt messages between them.
Kerberos Ticket Ticket is good for a single server and a single client Contains name of the server Name of the client IP address of the client Timestamp Lifetime Random session key Encrypted using the private key of the server for which the ticket will be used May be used until lifetime expires
Kerberos Authenticator Contains Name of the client Client’s IP address Client’s current time Can only be used once, must be regenerated each time a client wants to use a service Can be regenerated by the client (without going to the server) Encrypted in the session key that is part of the ticket
Enhanced protocol: Kerberos Bob asks K-server to access Mary’s server K-server checks to see if Bob has access permissions K-server sends Bob a ticket and a session key Bob uses session key to create an authenticator to prove to Mary he is Bob Bob send ticket and authenticator to Mary Mary checks both
Main Problem Authentication of user or device given zero prior information Does Kerberos do this?