Chapter 8.5 AUTHENTICATION AND KEY DISTRIBUTION


1 Chapter 8.5 AUTHENTICATION AND KEY DISTRIBUTION
Prepared by: Karthik V Puttaparthi

2 OUTLINE
Overview
Protocols and Communication Services
Design of Authentication Protocols
Needham-Schroeder Protocol
Denning-Sacco Protocol
Kerberos Protocol
Kerberos Protocol Version V
References

3 PROTOCOLS AND COMMUNICATION SERVICES
Authentication is the process of verifying the identity of an object entity. Password verification is a simple example of one-way user identification. In a distributed environment, there is a greater need to authenticate the machine the user connects to as well. This type of mutual authentication is even more important for communication between autonomous principals under different administrative authorities in a client/server distributed environment.

4 PROTOCOLS AND COMMUNICATION SERVICES
Messages being exchanged must also be authenticated such that they are free of forgery, counterfeiting and repudiation. Forgery could occur when a communication key is compromised. A counterfeit is the replay of a secret message in the context of communication. Repudiation is the denial of sending what seems to be an authenticated message.

5 PROTOCOLS AND COMMUNICATION SERVICES
For message authenticity, an irreproducible secret message digest can be used to sign the message. Secrecy of information can be accomplished by encryption using secret keys.

6 Design of Authentication Protocols
Authentication protocols are all about distribution and management of secret keys. Key distribution in a distributed environment is an implementation of distributed authentication protocols.
Communication service by type of interaction:
Peer processes: Interactive (connection), One-way (connectionless)
Client / Server: Session (connection), Request / Response (connectionless)

7 Design of Authentication Protocols
The design of distributed authentication protocols depends on the underlying communication service, i.e. connectionless or connection-oriented. Most distributed applications follow the client/server programming paradigm, and client/server interaction is viewed as request/reply communication. A session key can also be used for client/server communication; it is conceptually similar to a ticket. A ticket is a signed certificate that contains information for authenticating the client. The Kerberos protocol was the first to use the ticket notion.

8 Design of Authentication Protocols
All protocols assume that some secret information is held initially by each principal. Authentication is achieved by one principal demonstrating to the other that it holds that secret information. All protocols assume that the system environment is very insecure and open to attack.

9 Design of Authentication Protocols
A message received by a principal must have its origin authenticity, integrity and freshness verified. To achieve these goals, most protocols need to rely on an authentication server. The authentication server delivers good-quality session keys to requesting principals securely.

10 Design of Authentication Protocols
Protocols are divided into two categories according to how they verify the freshness of a message. The first category uses a nonce and a challenge/response handshake to verify freshness. The second category uses timestamps and assumes that all machines in the distributed system are clock-synchronized.

11 Needham-Schroeder Protocol (1978)
First to use encryption techniques for authentication and key distribution. Five steps:
1. A->S: A, B, Na
2. S->A: {Na, B, Kab, {A, Kab}Kbs}Kas
3. A->B: {A, Kab}Kbs
4. B->A: {Nb}Kab
5. A->B: {Nb - 1}Kab
A contacts S, which returns a session key and a certificate encrypted with Kbs. B decrypts it and does a nonce handshake with A to assure freshness. Subtracting 1 from Nb in the last message ensures that it is not a replay of the previous message from B to A.

12 Needham-Schroeder Protocol (1978)
Five steps:
1. A->S: A, B, Na
2. S->A: {Na, B, Kab, {A, Kab}Kbs}Kas
3. A->B: {A, Kab}Kbs
4. B->A: {Nb}Kab
5. A->B: {Nb - 1}Kab
Denning and Sacco found a drawback: if the session key between A and B is compromised, an intruder can impersonate A by carrying out the last 3 steps. Needham and Schroeder responded by requiring A to obtain another nonce from B before it contacts S, and requiring S to put this nonce into the certificate to be forwarded to B.

13 Denning-Sacco Protocol (1981)
Uses timestamps rather than nonces to guarantee message freshness.
1. A->S: A, B
2. S->A: {B, Kab, Ts, {A, Kab, Ts}Kbs}Kas
3. A->B: {A, Kab, Ts}Kbs
A and B can verify the message freshness by checking: Clock – T < Δt1 + Δt2

14 Denning-Sacco Protocol (1981)
Clock is the local clock time. Δt1 is the normal discrepancy between the server's clock and the local clock. Δt2 is the expected network delay. As long as Δt1 + Δt2 is less than the interval between two contiguous authentication sessions, message freshness is guaranteed. Denning-Sacco has better performance than Needham-Schroeder because it eliminates the message handshake. The drawback is that all machines must be clock-synchronized with the authentication server.
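The drawback Denning and Sacco found, and the timestamp check that closes it, seen from B's side. This is an added example, not part of the original slides: enc/dec are a symbolic stand-in for encryption, and the key names, nonce, timestamps and the values of Δt1 and Δt2 are constructed.

```python
# Symbolic model, not real cryptography: a "ciphertext" is a tuple that
# can only be opened with the key that sealed it.
def enc(key, *fields):
    return ("enc", key, fields)

def dec(key, box):
    tag, used, fields = box
    if tag != "enc" or used != key:
        raise ValueError("wrong key")
    return fields

DT1, DT2 = 2, 3  # assumed clock discrepancy and network delay, in seconds

def b_accepts_ns(kbs, msg3, answer_challenge):
    """B's side of Needham-Schroeder messages 3 to 5."""
    a, kab = dec(kbs, msg3)                  # message 3: {A, Kab}Kbs
    nb = 4242                                # B's nonce (constructed value)
    reply = answer_challenge(enc(kab, nb))   # message 4 out, message 5 back
    return dec(kab, reply) == (nb - 1,)      # nothing here dates the certificate

def b_accepts_ds(kbs, msg3, clock):
    """B's side of Denning-Sacco message 3: Clock - T < dt1 + dt2."""
    a, kab, ts = dec(kbs, msg3)              # message 3: {A, Kab, Ts}Kbs
    return clock - ts < DT1 + DT2

def responder(known_kab):
    """Any holder of Kab can turn {Nb}Kab into {Nb - 1}Kab."""
    def answer(msg4):
        (nb,) = dec(known_kab, msg4)
        return enc(known_kab, nb - 1)
    return answer

def demo():
    kbs, old_kab = "Kbs", "Kab-old"
    # Constructed scenario: both certificates were issued at time 1000 and
    # recorded on the network; old_kab was compromised some time later.
    ns_cert = enc(kbs, "A", old_kab)
    ds_cert = enc(kbs, "A", old_kab, 1000)
    return {
        "ns_replay_accepted": b_accepts_ns(kbs, ns_cert, responder(old_kab)),
        "ds_fresh_accepted": b_accepts_ds(kbs, ds_cert, clock=1003),
        "ds_replay_accepted": b_accepts_ds(kbs, ds_cert, clock=5000),
    }
```

B's nonce handshake only proves that the peer holds Kab at this moment; the timestamp inside the certificate is what ties Kab to a recent issue by S.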

15 Kerberos Protocol (1980)
Developed as part of Project Athena at MIT, Kerberos is one of the most promising implementations of an authentication service. It is based on Needham-Schroeder but also uses timestamps, as suggested by Denning-Sacco. The authentication service is divided between two servers: the Kerberos Server and the Ticket Granting Server (TGS).

16 Kerberos Protocol (1980)
Simplified version of Kerberos that treats the Kerberos server and the TGS as a single entity S.
1. A->S: A, B
2. S->A: {Kab, Ticketab}Kas
   where Ticketab = {B, A, addr, Ts, L, Kab}Kbs
3. A->B: Authenticatorab, Ticketab
   where Authenticatorab = {A, addr, Ta}Kab
4. B->A: {Ta + 1}Kab
A sends its own identity to S before it connects to B. S responds with the session key Kab and a ticket for B.

17 Kerberos Protocol (1980)
1. A->S: A, B
2. S->A: {Kab, Ticketab}Kas
   where Ticketab = {B, A, addr, Ts, L, Kab}Kbs
3. A->B: Authenticatorab, Ticketab
   where Authenticatorab = {A, addr, Ta}Kab
4. B->A: {Ta + 1}Kab
The ticket contains the identities of B and A, the IP address of A, a timestamp Ts, a lifetime L and a session key to identify A. A now creates its own authenticator containing A's identity, its IP address and a timestamp, and sends it to B along with B's ticket. B decrypts the ticket and the authenticator, and compares the two pieces of information.

18 Kerberos Protocol (1980)
First, their identity and address information must match. Second, the discrepancy between the time in the authenticator and the current local time must not exceed a predetermined value. If these checks pass, B authenticates A's identity and allows the service request to proceed. Drawbacks of Kerberos were identified by Bellovin and Merritt. The drawbacks include difficulty in adapting to all environments and the need for special-purpose hardware. To fix some of these problems, Kerberos has been upgraded to version V.
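The comparison B makes on message 3 of the simplified protocol, written out as an added example (not code from the slides or from any Kerberos implementation). It works on the ticket and authenticator after decryption; the 300-second skew limit, the check that the ticket names this server, and the lifetime check on Ts + L are assumptions, since the slides give no number and do not say how B uses L.

```python
from dataclasses import dataclass

MAX_SKEW = 300  # assumed "predetermined value", in seconds

@dataclass
class Ticket:          # Ticketab = {B, A, addr, Ts, L, Kab}Kbs, already decrypted
    b: str
    a: str
    addr: str
    ts: int
    lifetime: int
    kab: str

@dataclass
class Authenticator:   # Authenticatorab = {A, addr, Ta}Kab, already decrypted
    a: str
    addr: str
    ta: int

def verify(me, ticket, auth, now):
    """Return (True, Ta + 1) for message 4, or (False, reason for rejection)."""
    if ticket.b != me:                                   # assumption, see lead-in
        return False, "ticket issued for another server"
    # First check from the slides: identity and address must match.
    if (ticket.a, ticket.addr) != (auth.a, auth.addr):
        return False, "identity/address mismatch"
    # Second check: authenticator time against the local clock.
    if abs(now - auth.ta) > MAX_SKEW:
        return False, "authenticator outside allowed skew"
    if now > ticket.ts + ticket.lifetime:                # assumption, see lead-in
        return False, "ticket lifetime expired"
    return True, auth.ta + 1
```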

19 Kerberos Protocol Version V 1993
[Figure: Client (C), Authentication Server (K), Ticket Granting Server (G) and Server (S), with messages 1 to 5]
1. C->K: C, G, N
2. K->C: {Kcg, N}Kc, Ticketcg
3. C->G: Authenticatorcg, Ticketcg
4. G->C: {Kcs, N}Kcg, Ticketcs
5. C->S: Authenticatorcs, Ticketcs

20 Kerberos Protocol Version V (cont…)
This protocol separates the authentication server S into a Kerberos server (K) for authentication and a Ticket Granting Server (G).
Client (C) first sends the identities of itself and the TGS to Authentication Server K. (Message 1)
Authentication Server K does the initial login and grants a ticket for the TGS. (Message 2)
Client (C) sends an authenticator to the TGS to identify itself (as in simplified Kerberos). (Message 3)

21 Kerberos Protocol Version V 1993
Messages 4 and 5 are similar to Messages 2 and 3 respectively. Most widely implemented protocol. Implemented in the Distributed Computing Environment (DCE) security service and SESAME (A Secure European System for Application in a Multi-vendor Environment).

22 References
“Distributed Operating Systems and Algorithms” by Randy Chow and Theodore Johnson
On the design of authentication protocols for third generation ieeexplore.ieee.org/iel5/8635/27371/ pdf
Clifford Neuman. The Kerberos Network Authentication Service (V5). Internet Draft ietf-cat-kerb-kerberos-revision-04.txt, June 1999
[March 29, 2007] [April 2, 2007] [April 8, 2007]

