Presentation is loading. Please wait.

Presentation is loading. Please wait.

Doc.: IEEE 802.11-00/292 Submission September 2000 Bob Beach and Jesse WalkerSlide 1 An Overview of the GSS-API and Kerberos Bob Beach, Symbol Technologies.

Similar presentations


Presentation on theme: "Doc.: IEEE 802.11-00/292 Submission September 2000 Bob Beach and Jesse WalkerSlide 1 An Overview of the GSS-API and Kerberos Bob Beach, Symbol Technologies."— Presentation transcript:

1 doc.: IEEE 802.11-00/292 Submission September 2000 Bob Beach and Jesse WalkerSlide 1 An Overview of the GSS-API and Kerberos Bob Beach, Symbol Technologies Jesse Walker, Intel Corporation

2 doc.: IEEE 802.11-00/292 Submission September 2000 Bob Beach and Jesse WalkerSlide 2 Purpose Provide the background to understand and evaluate the Symbol/Intel proposal to base 802.11 security services on the GSS-API

3 doc.: IEEE 802.11-00/292 Submission September 2000 Bob Beach and Jesse WalkerSlide 3 Agenda What is the GSS-API? GSS-API Mechanisms

4 doc.: IEEE 802.11-00/292 Submission September 2000 Bob Beach and Jesse WalkerSlide 4 What is the GSS-API? (1) Generic Security Services Applications Programming Interface, defined by RFC 2743 –RFC 2744 gives standard ‘C’ bindings, RFC 2853 for Java bindings –but we will use it as an abstract service interface The GSS-API interface is implemented by GSS- API mechanisms –each mechanism is a security system –interface is independent of mechanisms

5 doc.: IEEE 802.11-00/292 Submission September 2000 Bob Beach and Jesse WalkerSlide 5 What is the GSS-API? (2) Credentials Management –GSS_Acquire_cred, GSS_Release_cred, GSS_Add_cred, etc. Context Management –GSS_Init_sec_context, GSS_Accept_sec_context, GSS_Delete_sec_context, GSS_Inquire_context, GSS_Context_time, etc. Per-Message Calls –GSS_Wrap, GSS_Unwrap, etc. Support Calls –GSS_Import_name, GSS_Export_name, GSS_Display_status, etc.

6 doc.: IEEE 802.11-00/292 Submission September 2000 Bob Beach and Jesse WalkerSlide 6 The GSS-API Model Step 1: Establish a security context Step 2: Use established security context to secure message exchanges

7 doc.: IEEE 802.11-00/292 Submission September 2000 Bob Beach and Jesse WalkerSlide 7 Establishing a Security Context InitiatorResponder GSS_Init_sec_context Peer ID GSS_Accept_sec_context GSS_Init_sec_context Authentication Token + Continue OK Authentication Token + OK

8 doc.: IEEE 802.11-00/292 Submission September 2000 Bob Beach and Jesse WalkerSlide 8 Using a Security Context Peer 1Peer 2 GSS_Wrap GSS_Unwrap DataWrapped DataData

9 doc.: IEEE 802.11-00/292 Submission September 2000 Bob Beach and Jesse WalkerSlide 9 Agenda What is the GSS-API? GSS-API Mechanisms

10 doc.: IEEE 802.11-00/292 Submission September 2000 Bob Beach and Jesse WalkerSlide 10 Some GSS-API Mechanisms SPNEGO (RFC 2478) - negotiate the other mechanisms Kerberos (RFC 1510, RFC 1964) - centralized key server based on shared secrets SPKM (RFC 2025) - 1- and 2-way public key based authentication LIPKEY (RFC 2847) - one-way authentication a la SSL; a species of SPKM SRP (draft-ietf-cat-srpgm-xx.txt) - secure remote password; a species of SPKM SASL (draft-ietf-cat-sasl-gssapi-xx.txt) - one time password PKINIT (draft-ietf-cat-kerberos-pk-init-xx.txt) - use public key to register secret with Kerberos KDC

11 doc.: IEEE 802.11-00/292 Submission September 2000 Bob Beach and Jesse WalkerSlide 11 SPNEGO InitiatorResponder GSS_Init_sec_context GSS_Accept_sec_context GSS_Init_sec_context Kerberos, SRP, SPKM + Continue OK Kerberos + OK

12 doc.: IEEE 802.11-00/292 Submission September 2000 Bob Beach and Jesse WalkerSlide 12 What is Kerberos? Authentication and Key Distribution Protocol Developed in late 1980s, latest version is Rev 5 RFC 1510; RFC 1964 fits it into GSS-API framework Default authentication protocol in Windows 2000 Domain Login Widely deployed in UNIX shops

13 doc.: IEEE 802.11-00/292 Submission September 2000 Bob Beach and Jesse WalkerSlide 13 How does Kerberos work? Three major elements: –Principal: a user or system (username, password) –Services (FTP, email, telnet, RF services) –Key Distribution Center - maps principals to keys Three step model: –user mutually authenticates with KDC (KRB_AP_REQ/KRB_AP_REP exchange) –KDC issues user authorization to access a service (KRB_TGT_REQ/KRB_TGT_REP exchange) –user gains access to service by presenting authorization

14 doc.: IEEE 802.11-00/292 Submission September 2000 Bob Beach and Jesse WalkerSlide 14 User Authentication KRB_AP_REQ message asks the KDC for access to the Ticket Granting Service KDC creates a unique authentication key for authenticating self with Ticket Granting Service, encrypts it under the user’s password, and sends it back to the user in the KRB_AP_REQ message The user decrypts the message and gains access to the authentication key. Password is never sent over the airwaves

15 doc.: IEEE 802.11-00/292 Submission September 2000 Bob Beach and Jesse WalkerSlide 15 Issuing Authorization KRB_TGT_REQ asks for authorization to a particular service –message is protected with authentication key returned by KDC in KRB_AP_REP message KDC decrypts message and examines request. If request is OK, KDC creates a session key to be use between the user and the service. KRB_TGT_REP from KDC contains two copies of the session key, one encrypted under user’s authentication key, and other under service’s

16 doc.: IEEE 802.11-00/292 Submission September 2000 Bob Beach and Jesse WalkerSlide 16 Gaining Access to the Service User decrypts the KRB_TGT_REP message to get session key and a “ticket” for the server User prepares and sends token to server containing “ticket”, other info, encrypted under session key Service decrypts “ticket” using its own authentication key received from KDC and gains access to session key Decrypts rest of request and processes request Service sends reply to user to authenticate

17 doc.: IEEE 802.11-00/292 Submission September 2000 Bob Beach and Jesse WalkerSlide 17 Kerberos as used by GSS-API InitiatorResponderKDC GSS_Init_sec_context KRB_AP_REQ KRB_AP_REP KRB_TGT_REQ KRB_TGT_REP GSS_Accept_sec_context Ticket, Authenticator + Continue GSS_Init_sec_context Authenticator + OK OK

18 doc.: IEEE 802.11-00/292 Submission September 2000 Bob Beach and Jesse WalkerSlide 18 PKINIT + Kerberos InitiatorResponderKDC GSS_Init_sec_context KRB_TGT_REQ KRB_TGT_REP GSS_Accept_sec_context Ticket, Authenticator + Continue GSS_Init_sec_context Authenticator + OK OK

19 doc.: IEEE 802.11-00/292 Submission September 2000 Bob Beach and Jesse WalkerSlide 19 SPKM InitiatorResponder GSS_Init_sec_context GSS_Accept_sec_context SPKM parameters, n + Continue GSS_Init_sec_context Sig, SigCert, CryptCert + Continue GSS_Accept_sec_context Crypt(K) + OK OK

20 doc.: IEEE 802.11-00/292 Submission September 2000 Bob Beach and Jesse WalkerSlide 20 SRP InitiatorResponder GSS_Init_sec_context GSS_Accept_sec_context username, g a + Continue GSS_Init_sec_context g b + x, s, n + Continue database: username, x = g h(s,password), s GSS_Accept_sec_context Hash1(K) + Continue K = g ab x nb K = ((g b + x) - x) (a+nh(s, password) GSS_Init_sec_context Hash2(K) + OK OK

21 doc.: IEEE 802.11-00/292 Submission September 2000 Bob Beach and Jesse WalkerSlide 21 Conclusions GSS-API is –simple, well-defined interface –widely deployed and well-tested Kerberos is –simple to implement –a GSS-API mechanism providing mutual authentication and key distribution –widely deployed and well-tested

22 doc.: IEEE 802.11-00/292 Submission September 2000 Bob Beach and Jesse WalkerSlide 22 Feedback?


Download ppt "Doc.: IEEE 802.11-00/292 Submission September 2000 Bob Beach and Jesse WalkerSlide 1 An Overview of the GSS-API and Kerberos Bob Beach, Symbol Technologies."

Similar presentations


Ads by Google