Upload
phoebe-lickey
View
218
Download
0
Tags:
Embed Size (px)
Citation preview
Authentication andKey Distribution
Suman K Reddy BurjukindiCSC - 8320
Outline
• Part 1 – Motivation Needham-Schroeder Protocol Kerberos • Part 2 – Current Research• Part 3 – Future Work• References
Part 1: Motivation
Introduction:
• Reliable authentication of communicating entities and network users across an insecure network
• Secure key establishment.• Protect the privacy and integrity of
communication
Alice
Bob
How Securely?
Motivation
• Key establishment: a shared secret becomes available to two or more parties, for subsequent cryptographic use.– key transport protocol
• one party creates, and securely transfers it to the other(s).
– key agreement protocol: key establishment technique in which• a shared secret is derived by two (or more) parties
– key pre-distribution vs. dynamic(session) key establishment
• Use of trusted servers– trusted third party, trusted server, authentication server, key distribution center (KDC), key translation center (KTC) and certification authority (CA).
Needham-Schroeder Protocol (1978)
• First to use the encryption techniques for authentication and key distribution.
KDC
Alice
Bob’sServer
1. A,B,NA 2. {k,NA,B, {k,A}KB}KA
A,B: identities of hosts, KDC: Key Distribution CenterNA, NB : nonce
KA, KB: host keys shared by KDC and hostsk: session key for the host A and B{}k: Encryption with a key k
3. {k,A}KB
4. {NB}k5. {NB-1}k
Needham-Schroeder Protocol (1978)
1. A->S : A, B, NA
A requests S to supply a key for communication with B 2. S->A: {NA, B, k, {A, k} KB } KA
S returns a message encrypted in A’s secret key, containing a newly generated key k, and a ticket encrypted in B’s secret key
3. A->B: {A, k} KB
A sends the ticket to B4. B->A: {NB} k
B decrypts the ticket and uses the new key k to encrypt the nonce NB
5. A->B: {NB - 1} kA demonstrates to B that it was the sender of the previous message by returning an agreed transformation of NB
Needham-Schroeder Protocol (1978)
• Properties– Protocol provides A and B with a shared key k with key
authentication– (4) and (5) provide entity authentication of A to B.– If acceptable for A to re-use key k with B, A may securely cache
(3) with k• To prevent replay of (4), {NA’}k should be appended to
message (3), and (4) should be replaced by {NA’-1, NB }k allowing A to verify B’s knowledge of k.
Needham-Schroeder Protocol (1978)
Drawback:• Denning and Sacco found a drawback that if session key between A
and B is compromised, an intruder can impersonate A by carrying out last 3 steps.
• Needham-Schroeder responded by requiring A to obtain another nonce from B before it contacts S and requiring S to put this nonce into certificate to be forwarded to B.
• Denning and Sacco found a protocol named as Denning – Sacco Protocol in the year 1981 which uses timestamps rather than nonce to guarantee message freshness.
• Denning-Sacco has better performance than Needham-Schroeder as it eliminates message handshake but drawback is that all machines must be clock-synchronized with authentication server.
Kerberos• Enable network application to securely identify their peers
– Host A provides its identity by presenting a ticket to host B– Tickets are issued by a trusted third party Key Distribution Center
(KDC)– There is a shared key between KDC and any host– Ticket is valid for a finite interval called its lifetime
• Ticket contains session key, host’s identity and lifetime of the session key
KerberosInitial Ticket Exchanging
KDC
1. A,B,NA2. {k,NA,L,B}KA, {k,A,L}KB
A,B: identities of hostsNA: nonce, L: Life time
KA, KB: host keys shared by KDC and hostsk: session key for the host A and B{k,A,L}KB: Ticket
3. {A,TA,L,B}k, {k,A,L}KB
Alice
Bob’sServer
Kerberos• Getting a Service Ticket
1. A,TGS,NA
2. {KA,TGS,NA}KA,{KA,TGS,A,L}KTGS
5. {AA}KA,B, {TA,B}KB
TGS
3. B, NA’, {A,L,TGS,TA}KA,TGS,{KA,TGS,A,L}KTGS 4. {KA,B,NA’}KA,TGS ,
{TA,B}KB
AA: A, L, B,TA
TA: Timestamp made by ATA,B: KA,B,A, L
KDC
Alice
Bob’sServer
UsuallyCo-located
Kerberos
• Since timestamps are used, the hosts must provide both secure and synchronized clocks
• If initial shared keys are password-derived, protocol is no more secure than secrecy of such password or their resistance to password-guessing attack
• Lifetime is intended to allow A to re-use the ticket– A creates new authenticator with new timestamp and
same session key k
Kerberos
Drawbacks:• Single point of failure. Requires continuous availability of a central
server.• Kerberos requires the clocks of the involved hosts to be
synchronized.• All authentication being controlled by a centralized KDC server,
compromising of this infrastructure allows an attacker to impersonate any user.
Part 2 – Current Research
• EAP-Sens: a security architecture for wireless sensor networks….M. Abdul Alim, Behcet Sarikaya…..November, 2008
Why EAP- Sens ???• Deployment of WSN’s – more common – wide variety of
applications – collecting and disseminating sensitive information.• Security and reliability – major concerns, WSN’s count on proper
operation of forwarders – entity authentication required.• Recent years – many security protocols – SPINS, Tinysec , LiSP, LEAP
provide data confidentiality, message integrity and data encryption but none of them provide authentication or key management functions.
• Extensible Authentication Protocol [EAP] , an authentication framework supporting multiple authentication mechanisms.
EAP-Sens• A security protocol based on Extensible Authentication Protocol for
IEEE 802.15.4 networks. [ Design, implementation and simulation]• IEEE 802.15.4 networks ??• It uses the Generalized Pre-Shared Key authentication method for
entity authentication and key establishment preventing unauthorized devices from joining the network.
• EAP uses four messages – a)EAP-Requestb)EAP-Responsec)EAP-Successd)EAP-Failure
EAP-Sens• The actual authentication messages are exchanged between EAP
server and EAP peer in EAP-Request and EAP-Response messages until successful completion of authentication or authentication fails.
• If authentication fails EAP server sends EAP-Failure to EAP peer otherwise sends EAP-Success.
• On successful authentication EAP server and EAP peer establish a Master Session Key.
• EAP server then sends the MSK to authenticator to be used as shared secret key between authenticator and EAP peer .
GPSK EAP Authentication
Figure shows the EAP procedure of the authentication of messages.
EAP-Sens
EAP-Sens operation:• In EAP-Sens, each node shares a secret key (PSK) with the
authentication server which is loaded into the sensor node when it is programmed before deployment.
• Functions1) Authenticating PAN Coordinator’s Neighbors2) Authenticating Distant Nodes
EAP – Sens Key HierarchyPSK- Pre Shared Key KEK- Key Encryption KeyMSK- Master Session Key TK – Temporal KeyAMSK- Auxiliary MSK Kmac – Authentication key
EAP-Sens• EAP-Sens Authentication time: - For a supplicant to complete EAP-Sens authentication successfully
and get access to the network in a N-node network, with d average degree of neighbors, time required
t = (10 × logd(N)) × tx + (12 + 10 × logd(N)) × tmic
Total authentication time t increases logarithmically with the increase in the number of nodes in the network.
EAP-Sens takes very less time to authenticate when compared to other protocols on IEEE 802.15.4 compliant sensor nodes.
Comparison of Authentication Times forDifferent ProtocolsThe picture clearly shows that EAP-Sens requires least time to authenticate when compared to other protocols.
EAP-Sens
Summary:• On simulating EAP-Sens using NS-2 for performance evaluation
showed that EAP-Sens performs better than all other existing WSN security protocols.
• Implementing a prototype version of EAP-Sens in TinyOS to estimate code size and memory requirements indicates that EAP-Sens can be implemented on sensor devices like Mica2, Telos and Tmote.
• EAP-Sens can also be used in medical monitoring and meter readings for utility services.
Part 3: Future Research
• EAP-Sens has been very good in the static environments. It is important to also study its performance in mobile environments.
• IETF Kerberos is working on the Encryption and Checksum specifications and AES Encryption for Kerberos 5 to solve security issues.
References• “Distributed Operating Systems and Algorithms” by Randy Chow and Theodore
Johnson• Clifford Neumann. The Kerberos Network Authentication Service (V5). Internet
Draft ietf-cat-kerb-kerberos-revision-04.txt, June 1999• The KryptoKnight family of light-weight protocols for authentication and key
distribution Bird, R. Gopal, I. Herzberg, A. Janson, P. Kutten, S. Molva, R. Yung, M.IBM Corp., Research Triangle Park, NC; Feb, 1995
• EAP-Sens: a security architecture for wireless sensor networksM. Abdul Alim, Behcet Sarikaya, Nov 2008
• http://en.wikipedia.org/wiki/Needham-Schroeder [March 29, 2007]
• http://web.mit.edu/Kerberos/ [April 2, 2007]
• http://en.wikipedia.org/wiki/Kerberos_%28protocol%29 [April 8, 2007]