Authentication and Key Distribution Suman K Reddy Burjukindi CSC - 8320

Authentication and Key Distribution

Suman K Reddy Burjukindi
CSC - 8320

Outline

• Part 1 – Motivation
  – Needham-Schroeder Protocol
  – Kerberos
• Part 2 – Current Research
• Part 3 – Future Work
• References

Part 1: Motivation

Introduction:

• Reliable authentication of communicating entities and network users across an insecure network
• Secure key establishment.
• Protect the privacy and integrity of communication

[Figure: Alice and Bob communicating, captioned “How Securely?”]

Motivation

• Key establishment: a shared secret becomes available to two or more parties, for subsequent cryptographic use.
  – key transport protocol: one party creates the secret and securely transfers it to the other(s).
  – key agreement protocol: key establishment technique in which a shared secret is derived by two (or more) parties
  – key pre-distribution vs. dynamic (session) key establishment
• Use of trusted servers
  – trusted third party, trusted server, authentication server, key distribution center (KDC), key translation center (KTC) and certification authority (CA).

Needham-Schroeder Protocol (1978)

• First to use encryption techniques for authentication and key distribution.

[Figure: message flow between Alice, the KDC and Bob’s Server]

1. A, B, NA
2. {k, NA, B, {k, A}KB}KA
3. {k, A}KB
4. {NB}k
5. {NB-1}k

A, B: identities of hosts; KDC: Key Distribution Center
NA, NB: nonces
KA, KB: host keys shared by KDC and hosts
k: session key for the hosts A and B
{}k: encryption with a key k

Needham-Schroeder Protocol (1978)

1. A->S: A, B, NA
   A requests S to supply a key for communication with B

2. S->A: {NA, B, k, {A, k}KB}KA
   S returns a message encrypted in A’s secret key, containing a newly generated key k, and a ticket encrypted in B’s secret key

3. A->B: {A, k}KB
   A sends the ticket to B

4. B->A: {NB}k
   B decrypts the ticket and uses the new key k to encrypt the nonce NB

5. A->B: {NB - 1}k
   A demonstrates to B that it was the sender of the previous message by returning an agreed transformation of NB

Needham-Schroeder Protocol (1978)

• Properties
  – Protocol provides A and B with a shared key k with key authentication
  – (4) and (5) provide entity authentication of A to B.
  – If acceptable for A to re-use key k with B, A may securely cache (3) with k
• To prevent replay of (4), {NA’}k should be appended to message (3), and (4) should be replaced by {NA’-1, NB}k, allowing A to verify B’s knowledge of k.

Needham-Schroeder Protocol (1978)

Drawback:

• Denning and Sacco found a drawback: if the session key between A and B is compromised, an intruder can impersonate A by carrying out the last 3 steps.
• Needham and Schroeder responded by requiring A to obtain another nonce from B before it contacts S, and requiring S to put this nonce into the certificate to be forwarded to B.
• In 1981 Denning and Sacco proposed a protocol, named the Denning-Sacco protocol, which uses timestamps rather than nonces to guarantee message freshness.
• Denning-Sacco has better performance than Needham-Schroeder because it eliminates the message handshake, but its drawback is that all machines must be clock-synchronized with the authentication server.

Kerberos

• Enable network applications to securely identify their peers
  – Host A provides its identity by presenting a ticket to host B
  – Tickets are issued by a trusted third party Key Distribution Center (KDC)
  – There is a shared key between KDC and any host
  – Ticket is valid for a finite interval called its lifetime
• Ticket contains session key, host’s identity and lifetime of the session key

Kerberos
Initial Ticket Exchanging

[Figure: message flow between Alice, the KDC and Bob’s Server]

1. A, B, NA
2. {k, NA, L, B}KA, {k, A, L}KB
3. {A, TA, L, B}k, {k, A, L}KB

A, B: identities of hosts
NA: nonce, L: lifetime
KA, KB: host keys shared by KDC and hosts
k: session key for the hosts A and B
{k, A, L}KB: ticket

Kerberos

• Getting a Service Ticket

[Figure: message flow between Alice, the KDC, the TGS and Bob’s Server, with the note “Usually Co-located”]

1. A, TGS, NA
2. {K_{A,TGS}, NA}KA, {K_{A,TGS}, A, L}KTGS
3. B, NA’, {A, L, TGS, TA}K_{A,TGS}, {K_{A,TGS}, A, L}KTGS
4. {K_{A,B}, NA’}K_{A,TGS}, {T_{A,B}}KB
5. {AA}K_{A,B}, {T_{A,B}}KB

AA: A, L, B, TA
TA: timestamp made by A
T_{A,B}: K_{A,B}, A, L

Kerberos

• Since timestamps are used, the hosts must provide both secure and synchronized clocks
• If the initial shared keys are password-derived, the protocol is no more secure than the secrecy of those passwords or their resistance to password-guessing attacks
• Lifetime is intended to allow A to re-use the ticket
  – A creates a new authenticator with a new timestamp and the same session key k
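
Added example (not from the original slides): a Python sketch of B's acceptance check for message 3, contrasting the Needham-Schroeder ticket {k, A}KB from the drawback slide, which carries no age information, with the Kerberos ticket {k, A, L}KB and a timestamped authenticator. Assumptions: seal/unseal are a toy HMAC-based stand-in for {..}K, the authenticator is reduced to {A, TA}k, and SKEW, the field names, keys and times are constructed for illustration.

```python
import hashlib, hmac, json, os
SKEW = 300  # assumed tolerance in seconds between A's timestamp and B's clock

def _ks(key, nonce, n):  # toy keystream: HMAC-SHA256 in counter mode
    blocks = (hmac.new(key, b"enc" + nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, fields):  # stands in for {fields}key: encrypt-then-MAC of a JSON body
    body, nonce = json.dumps(fields).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(body, _ks(key, nonce, len(body))))
    return nonce + ct + hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):  # returns the fields, or None when the MAC does not verify
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        return None
    return json.loads(bytes(a ^ b for a, b in zip(ct, _ks(key, nonce, len(ct)))))

def bob_accepts_ns(kb, ticket):
    """Needham-Schroeder message 3, {k, A}KB: nothing in it tells B how old it is."""
    t = unseal(kb, ticket)
    return None if t is None else bytes.fromhex(t["k"])

def bob_accepts_krb(kb, ticket, authenticator, bob_clock):
    """Kerberos message 3: ticket {k, A, L}KB plus authenticator {A, TA}k."""
    t = unseal(kb, ticket)
    if t is None or not t["L"][0] <= bob_clock <= t["L"][1]:
        return None  # not sealed by the KDC for B, or outside lifetime L
    k = bytes.fromhex(t["k"])
    a = unseal(k, authenticator)
    if a is None or a["A"] != t["A"] or abs(bob_clock - a["TA"]) > SKEW:
        return None  # wrong session key, wrong name, or stale timestamp TA
    return k

def demo():
    kb, k, t0, week = os.urandom(32), os.urandom(32), 1_000_000, 604_800  # constructed
    ns = seal(kb, {"k": k.hex(), "A": "A"})
    krb = seal(kb, {"k": k.hex(), "A": "A", "L": [t0, t0 + 8 * 3600]})
    auth = lambda ta: seal(k, {"A": "A", "TA": ta})
    return {
        "ns_ticket_any_age": bob_accepts_ns(kb, ns) == k,
        "krb_first_use": bob_accepts_krb(kb, krb, auth(t0 + 5), t0 + 5) == k,
        "krb_reuse_new_authenticator": bob_accepts_krb(kb, krb, auth(t0 + 3600), t0 + 3600) == k,
        "krb_ticket_a_week_later": bob_accepts_krb(kb, krb, auth(t0 + week), t0 + week) is None,
        "krb_old_authenticator": bob_accepts_krb(kb, krb, auth(t0 + 5), t0 + 3600) is None,
        "krb_bob_clock_10min_off": bob_accepts_krb(kb, krb, auth(t0 + 60), t0 + 660) is None,
    }
```

Every entry returned by demo() is True: the Needham-Schroeder ticket is accepted whatever its age, while the Kerberos check rejects an expired ticket, a stale authenticator, and also an honest request when B's clock is ten minutes off.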

Kerberos

Drawbacks:

• Single point of failure. Requires continuous availability of a central server.
• Kerberos requires the clocks of the involved hosts to be synchronized.
• Because all authentication is controlled by a centralized KDC server, compromise of this infrastructure allows an attacker to impersonate any user.

Part 2 – Current Research

• EAP-Sens: a security architecture for wireless sensor networks. M. Abdul Alim, Behcet Sarikaya. November, 2008

Why EAP-Sens?

• Deployment of WSNs – more common – wide variety of applications – collecting and disseminating sensitive information.
• Security and reliability – major concerns, WSNs count on proper operation of forwarders – entity authentication required.
• Recent years – many security protocols – SPINS, TinySec, LiSP, LEAP provide data confidentiality, message integrity and data encryption but none of them provide authentication or key management functions.
• Extensible Authentication Protocol [EAP], an authentication framework supporting multiple authentication mechanisms.

EAP-Sens

• A security protocol based on Extensible Authentication Protocol for IEEE 802.15.4 networks. [Design, implementation and simulation]
• IEEE 802.15.4 networks??
• It uses the Generalized Pre-Shared Key authentication method for entity authentication and key establishment, preventing unauthorized devices from joining the network.
• EAP uses four messages:
  a) EAP-Request
  b) EAP-Response
  c) EAP-Success
  d) EAP-Failure

EAP-Sens

• The actual authentication messages are exchanged between EAP server and EAP peer in EAP-Request and EAP-Response messages until successful completion of authentication or authentication fails.
• If authentication fails, the EAP server sends EAP-Failure to the EAP peer; otherwise it sends EAP-Success.
• On successful authentication the EAP server and EAP peer establish a Master Session Key.
• The EAP server then sends the MSK to the authenticator to be used as the shared secret key between authenticator and EAP peer.

GPSK EAP Authentication

Figure shows the EAP procedure of the authentication of messages.

EAP-Sens

EAP-Sens operation:

• In EAP-Sens, each node shares a secret key (PSK) with the authentication server, which is loaded into the sensor node when it is programmed before deployment.
• Functions
  1) Authenticating PAN Coordinator’s Neighbors
  2) Authenticating Distant Nodes

EAP-Sens Key Hierarchy

PSK – Pre-Shared Key
KEK – Key Encryption Key
MSK – Master Session Key
TK – Temporal Key
AMSK – Auxiliary MSK
Kmac – Authentication key

EAP-Sens

• EAP-Sens authentication time: for a supplicant to complete EAP-Sens authentication successfully and get access to the network in an N-node network, with d average degree of neighbors, the time required is

t = (10 × log_d(N)) × tx + (12 + 10 × log_d(N)) × tmic

Total authentication time t increases logarithmically with the increase in the number of nodes in the network.

EAP-Sens takes much less time to authenticate when compared to other protocols on IEEE 802.15.4 compliant sensor nodes.

Comparison of Authentication Times for Different Protocols

The picture clearly shows that EAP-Sens requires the least time to authenticate when compared to other protocols.

EAP-Sens

Summary:

• Simulating EAP-Sens using NS-2 for performance evaluation showed that EAP-Sens performs better than all other existing WSN security protocols.
• Implementing a prototype version of EAP-Sens in TinyOS to estimate code size and memory requirements indicates that EAP-Sens can be implemented on sensor devices like Mica2, Telos and Tmote.
• EAP-Sens can also be used in medical monitoring and meter readings for utility services.

Part 3: Future Research

• EAP-Sens has performed very well in static environments. It is important to also study its performance in mobile environments.

• IETF Kerberos is working on the Encryption and Checksum specifications and AES Encryption for Kerberos 5 to solve security issues.

References

• Randy Chow and Theodore Johnson. “Distributed Operating Systems and Algorithms”.
• Clifford Neumann. The Kerberos Network Authentication Service (V5). Internet Draft ietf-cat-kerb-kerberos-revision-04.txt, June 1999.
• Bird, R.; Gopal, I.; Herzberg, A.; Janson, P.; Kutten, S.; Molva, R.; Yung, M. The KryptoKnight family of light-weight protocols for authentication and key distribution. IBM Corp., Research Triangle Park, NC; Feb, 1995.
• M. Abdul Alim, Behcet Sarikaya. EAP-Sens: a security architecture for wireless sensor networks. Nov 2008.
• http://en.wikipedia.org/wiki/Needham-Schroeder [March 29, 2007]
• http://web.mit.edu/Kerberos/ [April 2, 2007]
• http://en.wikipedia.org/wiki/Kerberos_%28protocol%29 [April 8, 2007]