1 KERBEROS: AN AUTHENTICATION SERVICE FOR OPEN NETWORK SYSTEMS J. G. Steiner, C. Neuman, J. I. Schiller MIT.

Slides:



Advertisements
Similar presentations
1 Kerberos Anita Jones November, Kerberos * : Objective Assumed environment Assumed environment –Open distributed environment –Wireless and Ethernetted.
Advertisements

AUTHENTICATION AND KEY DISTRIBUTION
Overview Network security involves protecting a host (or a group of hosts) connected to a network Many of the same problems as with stand-alone computer.
A less formal view of the Kerberos protocol J.-F. Pâris.
Chapter 10 Real world security protocols
KERBEROS LtCdr Samit Mehra (05IT 6018).
NETWORK SECURITY.
IT 221: Introduction to Information Security Principles Lecture 8:Authentication Applications For Educational Purposes Only Revised: October 20, 2002.
Authentication Applications The Kerberos Protocol Standard
SCSC 455 Computer Security
Key Management. Shared Key Exchange Problem How do Alice and Bob exchange a shared secret? Offline – Doesnt scale Using public key cryptography (possible)
Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.
Kerberos 1 Public domain image of Heracles and Cerberus. From an Attic bilingual amphora, 530–520 BC. From Italy (?).
Akshat Sharma Samarth Shah
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.
1 Distributed Computer Security: Authentication and Key Distribution Vijay Jain CSc 8320, Spring 2007.
Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.
The Kerberos Authentication System Brad Karp UCL Computer Science CS GZ03 / M th November, 2008.
Winter 2006Prof. R. Aviv: Kerberos1 Kerberos Authentication Systems.
AUTHENTICATION APPLICATIONS - Chapter 14 Kerberos X.509 Directory Authentication (S/MIME)
1 Lecture 12: Kerberos terms and configuration phases –logging to network –accessing remote server replicated KDC multiple realms message privacy and integrity.
Authentication & Kerberos
Kerberos Jean-Anne Fitzpatrick Jennifer English. What is Kerberos? Network authentication protocol Developed at MIT in the mid 1980s Available as open.
 Authorization via symmetric crypto  Key exchange o Using asymmetric crypto o Using symmetric crypto with KDC  KDC shares a key with every participant.
1 Authentication Applications Digital Signatures Security Concerns X.509 Authentication Service Kerberos Based on slides by Dr. Lawrie Brown of the Australian.
CS555Spring 2012/Topic 161 Cryptography CS 555 Topic 16: Key Management and The Need for Public Key Cryptography.
SMUCSE 5349/73491 Authentication Protocols. SMUCSE 5349/73492 The Premise How do we use perfect cryptographic mechanisms (signatures, public-key and symmetric.
Henric Johnson1 Chapter 4 Authentication Applications Henric Johnson Blekinge Institute of Technology,Sweden
1 Authentication Applications Based on slides by Dr. Lawrie Brown of the Australian Defence Force Academy, University College, UNSW.
Wireless Security In wireless networks. Security and Assurance - Goals Integrity Modified only in acceptable ways Modified only by authorized people Modified.
Security Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to: –Describe the reasons for having system.
More on AuthenticationCS-4513 D-term More on Authentication CS-4513 Distributed Computing Systems (Slides include materials from Operating System.
1 CS 194: Distributed Systems Security Scott Shenker and Ion Stoica Computer Science Division Department of Electrical Engineering and Computer Sciences.
Vitaly Shmatikov CS 361S Kerberos. slide 2 Reading Assignment uKaufman Chapters 13 and 14 u“Designing an Authentication System: A Dialogue in Four Scenes”
SSH Secure Login Connections over the Internet
Part Two Network Security Applications Chapter 4 Key Distribution and User Authentication.
Information Security Depart. of Computer Science and Engineering 刘胜利 ( Liu Shengli) Tel:
Kerberos: An Authentication Service for Open Network Systems Jennifer G. Steiner Clifford Neuman Jeffrey I. Schiller.
Authentication Applications Unit 6. Kerberos In Greek and Roman mythology, is a multi-headed (usually three-headed) dog, or "hellhound” with a serpent's.
Kerberos Named after a mythological three-headed dog that guards the underworld of Hades, Kerberos is a network authentication protocol that was designed.
Kerberos. What is Kerberos? Network authentication protocol Developed at MIT in the mid 1980s Available as open source or in supported commercial software.
Authentication 3: On The Internet. 2 Readings URL attacks
Lecture 16: Security CDK4: Chapter 7 CDK5: Chapter 11 TvS: Chapter 9.
X.509 Topics PGP S/MIME Kerberos. Directory Authentication Framework X.509 is part of the ISO X.500 directory standard. used by S/MIME, SSL, IPSec, and.
CPS Computer Security Tutorial on Creating Certificates SSH Kerberos CPS 290Page 1.
Kerberos By Robert Smithers. History of Kerberos Kerberos was created at MIT, and was named after the 3 headed guard dog of Hades in Greek mythology Cerberus.
Network Security Lecture 25 Presented by: Dr. Munam Ali Shah.
Kerberos Guilin Wang School of Computer Science 03 Dec
AUTHENTICATION APPLICATIONS - Chapter 14 Kerberos X.509 Directory Authentication (S/MIME)
1 Kerberos n Part of project Athena (MIT). n Trusted 3rd party authentication scheme. n Assumes that hosts are not trustworthy. n Requires that each client.
© Copyright 2009 SSLPost 01. © Copyright 2009 SSLPost 02 a recipient is sent an encrypted that contains data specific to that recipient the data.
CPS Computer Security Tutorial on Creating Certificates SSH Kerberos CPS 290Page 1.
User Authentication  fundamental security building block basis of access control & user accountability  is the process of verifying an identity claimed.
KERBEROS SYSTEM Kumar Madugula.
1 Example security systems n Kerberos n Secure shell.
What is Kerberos? Network authentication protocol Developed at MIT in the mid 1980s Kerberos is a three-headed dog Available as open source or in supported.
Dr. Nermi hamza.  A user may gain access to a particular workstation and pretend to be another user operating from that workstation.  A user may eavesdrop.
1 Cryptography CSS 329 Lecture 12: Kerberos. 2 Lecture Outline Kerberos - Overview - V4 - V5.
Tutorial on Creating Certificates SSH Kerberos
Tutorial on Creating Certificates SSH Kerberos
SSH: SECURE LOGIN CONNECTIONS OVER THE INTERNET
CS60002: Distributed Systems
CS 378 Kerberos Vitaly Shmatikov.
Network Security – Kerberos
CDK4: Chapter 7 CDK5: Chapter 11 TvS: Chapter 9
Kerberos Part of project Athena (MIT).
KERBEROS.
CDK: Chapter 7 TvS: Chapter 9
Presentation transcript:

1 KERBEROS: AN AUTHENTICATION SERVICE FOR OPEN NETWORK SYSTEMS J. G. Steiner, C. Neuman, J. I. Schiller MIT

2 AUTHENTICATION SERVERS (I) Their mission is: (a) To check identity of all users (b) To prevent unauthorized accesses Traditional solution is to use a pair (userid, password) –Very bad in a LAN environment –Too vulnerable to snooping

3 AUTHENTICATION SERVERS (II) Another bad solution is to trust the kernel of sender’s machine: –Solution used by rlogin, rsh, rcp –Like trusting a foreign passport –Only works in well-controlled networks –Suffers from domino effect : Gaining full access to one machine gives full access to whole network

4 CRYPTOGRAPHY (I) 1. Conventional Cryptography –Uses same key for coding and encoding Key could be a secret alphabet –We now use much more complex schemes and much bigger keys –Major problem is key distribution Very hard without a trusted channel

5 Example Assume we have a random stream of bits: r 0, r 1, r 2, r 3,... We convert our message into a bit stream: m 0, m 1, m 2, m 3,... Encode the message bitwise using XOR : c i = m i  r i for i = 1, 2, 3,... Impossible to break if random bit stream is truly random and never reused

6 CRYPTOGRAPHY (II) 2. Public-Key Cryptography –Uses two keys: (a) A public key to encode: K P (b) A secret key to decode: K S –It is not possible to compute K S knowing K P The function K P = f ( K S ) is said to be hard to invert :

7 CRYPTOGRAPHY (II) –We should have { { cleartext } K P } K S = cleartext { { cleartext } K S } K P = cleartext –Requires very long keys – Cannot pick an arbitrary secret key –Much slower than conventional cryptography

8 Example Assume A knows K P, B and B knows K P, A – A can send to B a secret message : { text } K P, B – A can send to B a message that is signed : A, { text } K S, A – A can send to B a signed secret message: { A, { text } K S, A } K P, B

9 Application Can combine conventional cryptography and public-key cryptography – A uses public-key cryptography to send to B a signed secret message containing a session key K S –A and B use this session key K S to continue their dialogue

10 KERBEROS Authentication server using conventional keys The Kerberos server has –The key of each user –The key of the ticket granting service (TGS) Authentication is a two-step process –Get from kerberos a ticket for the TGS –Get from TGS the ticket for a given server

11 WS K S TGS General Organization Ticket granting service KerberosServer Client c on workstation WS

12 General Assumptions (I) Cannot trust the network: –Intruders can listen to all messages and replay them later Can trust the time service –No intruder can reset any clock backward by more than a few minutes

13 General Assumptions (II) Client c can trust the workstation WS on which she is logged on: –Cannot do encryption without a safe place to encode and decode messages Assumes the workstation is controlled by the client –Not true for public workstations

14 Step 1 Client provides WS with its ID c : c  WS : c WS sends to Kerberos a request for a ticket for the TGS: WS  K : c, tgs

15 Step 2 Kerberos sends to WS a ticket T c,tgs and a random session key K c,tgs : K  WS : { K c,tgs, { T c,tgs } K tgs } K c Both items are encrypted with the client key K c Ticket is encrypted with the secret key of the ticket granting service to prevent tampering by client

16 The ticket (I) Note that the encrypted ticket is encrypted a second time by the client key K C –In more recent versions of Kerberos K  WS : { K c,tgs } K c, { T c,tgs } K tgs

17 The ticket (II) T c,tgs = c, tgs, addr, timestamp, life, K c,tgs It contains –The client's name c –The name of the ticket-granting service tgs –The IP address of the client addr –The current time timestamp –A ticket lifetime life –The random session key K c,tgs

18 Step 3 When WS receives Kerberos reply, it prompts the client c for her password and uses it to compute the user key K c = fn(password) and uses K c to decrypt the message

19 WS K S TGS Shared Secrets Server KcKc K tgs KsKs

20 Step 3 (continued) WS then sends to the TGS –The name of the service s the client wants to utilize –The encrypted ticket T c,tgs – An authenticator A c,tgs encrypted with K c,tgs WS  TGS : s, { T c,tgs } K tgs, { A c,tgs } K c,tgs

21 The authenticator (I) Any intruder could replay a ticket that has already be submitted to TGS Authenticator contains –The client name c –Its address addr –The current time timestamp A c,tgs = c, addr, timestamp Authenticator is encrypted with K c,tgs

22 The authenticator (II) Authenticator provides proof that WS was able to obtain the session key K c,tgs by decrypting message number 2 using the right client key K C To detect replays of authenticators, TGS –Rejects authenticators that are too old (say, by more than five minutes) –Keeps track of all recently received authenticators

23 Step 4 The TGS replies by sending to the workstation – A ticket T cs for the service s – A new random session key K c,s TGS  WS : { K c,s, { T c,s } K s } K c,tg s encrypted with the session key K c,tgs shared by the client and the ticket granting service

24 Step 4 (continued) T c,s contains –The user's name c –The name of the service s –The IP address of the client addr –The current time timestamp –A new lifetime life –A new random session key K c,s T c,s is encrypted with the secret key of server s

25 Step 5 WS then sends to server S –the encrypted ticket T c,s – an authenticator A c,s encrypted with K c,s WS  S : { T c,s } K s, { A c,s } K c,s

26 Step 5 (continued) Authenticator contains –the client name c –its address addr – the current time timestamp A c,s = c, addr, timestamp Authenticator is encrypted with the session key K c,s shared by client and server

27 Step 6 If client wanted to authenticate server, the server replies with the authenticator time stamp plus one: s  WS : { timestamp + 1 } K c,s encrypted with the session key K c,s This proves that s was able to obtain the session key K c,s by decrypting message number 5 using its server key K s

28 Picking ticket lifetimes There is a trade-off in determining the optimal ticket lifetime: – Short ticket lifetimes make the system more secure Less delay between password change and full effect of action –Short ticket lifetimes also make the system less convenient for its users.

29 The Kerberos server (I) Most critical part of the system –If it is compromised, all user passwords are lost –If it is unavailable, nobody will be able to log in A compromised TGS would only force all users to repeat the Kerberos login procedure

30 The Kerberos server (II)  The Kerberos server is normally replicated on several sites: –No single point of failure –More difficult to maintain key secrecy  There is a single primary site and it is the only than can accept key change requests –Changing passwords is not a critical task

31 LIMITATIONS Must maintain –secrecy of keys –integrity of time service Client must trust the workstation on which she is logged in Does not protect clients and servers against denial of service attacks

32 OTHER SOLUTIONS (I) Could use a pair public key / private key –private keys cannot be generated from an arbitrary password –impossible to memorize –must store them somewhere key ring of PGP is encrypted using a strong conventional encryption algorithm

33 OTHER SOLUTIONS (II) Could use one-time passwords –Use a different password at each log in –Passwords can be managed by a smart card –User must always carry it with her –Some systems also require a password to use the card and disable card after enough unsuccessful trials Must keep card in a rigid container

34 OTHER SOLUTIONS (III) SSH-2 uses –Diffie-Hellman key exchange Uses public keys and private keys Produces a symmetric session key –Strong integrity checking via message authentication codes.

35 OTHER SOLUTIONS (IV) Two-factor authentication –Must provide Something you know (a password) Something you have (a dongle or a phone) –Google two-factor authentication: Enter first name and password Google sends a six-digit code to your phone that you must then enter

36 CONCLUSIONS Kerberos offers one of the best solutions for authentication in distributed systems –Does not require any special equipment –Does not significantly alter the user interface Main drawback is that the user must trust the workstation on which she is logged in –Works best for personal workstations

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com. Inc. All rights reserved.