Slide 1

Kerberos Guilin Wang School of Computer Science 03 Dec. 2007 Slide 2 Outline Password-based key agreement protocols (Continuing our last lecture). Kerberos authentication protocol. Slide 3 0. Password-based Protocols In the NS protocol, both parties need to share long- term secrets with the server. For humans, long secret keys are not easy to memorize. One nave approach is to set long-term secrets as passwords. For example, let K bs =P bs, a password shared btw B and S in the NS protocol. Slide 4 0. Password-based Protocols However, this approach suffers off-line dictionary attack. That is, an attacker can try each possible P to decrypt E P-bs (K, A). If P is likely the correct password. Slide 5 0. Password-based Protocols Off-line dictionary attack works since passwords are short strings with low entropy. Countermeasures: - Enhance the strength of passwords by requiring certain length, format, and randomness. - Combine the password with a security token. Slide 6 0. Password-based Protocols The following Encrypted Key Exchange (EKE) protocol can resist the off-line dictionary attack: PK is an ephemeral public key generated by A. B transfers K to A by using double encryptions. Why EKE protocol is immune to the off-line dictionary attack? Slide 7 1. Authentication & Key Exchange The purpose of entity authentication is to prevent impersonation attack. Authentication is important in key exchange. E.g, the DH protocol suffers the MITM attack. Actually, key exchange techniques can also be used to realize authentication. Kerberos is such an example. In the literature, the differences btw authentication and key exchange are not very clear sometimes. Slide 8 1. Authentication & Key Exchange Key exchange usually requires authentication. Otherwise, you are not sure with whom you are agreeing on a session key. However, authentication does not necessarily involve key exchange. For example, a successful authentication can enable a client to enjoy a service without encryption. Slide 9 2. Kerberos: What is it? In Greek mythology, Kerberos is the guardian of Hades, a dog with three heads. In security community, Kerberos denotes the distributed authentication protocol developed from MIT's project Athena in 1980s. Slide 10 2. Kerberos: What is it? Kerberos has been widely accepted in industry. Kerberos has been integrated into Windows and many many versions of Unix systems. Full specification of Kerberos Version 5 is given by a draft Internet Standard RFC 1510. Free source codes for different releases of Kerberos are available at the Kerberos website: http://web.mit.edu/Kerberos/ Slide 11 2. Kerberos: Motivations In this scenario of distributed networks, there exist at least three threats: User impersonation: A dishonest user may pretend to be another user from the same workstation. Network address impersonation: A dishonest user can changes the network address of his/her workstation to impersonate another workstation. Eavesdropping, replay attack, and so on. Attackers may try their best to access network service by mounting different attacks. Slide 12 2.1 Kerberos: Basic Ideas Kerberos uses symmetric mechanisms to realize entity authentication and key exchange. Basically, Kerberos uses two kinds of credentials: Tickets: Issued by a trusted administration server that shows who is granted to access a specific service. Authenticators: Used to prove the identity of a communicating client. Slide 13 2.1 Kerberos: Basic Ideas This is similar to the following immigration policy, which allows a foreigner to enter a country: Visa (=tickets in Kerberos): Specifies who is allowed to entry this country for how many days. Passport (=Authenticators in Kerberos): Shows your identity, i.e., who are you. Slide 14 2.1 Kerberos: Basic Ideas In Kerberos system, there are three kinds of servers: Kerberos authentication server (AS): A centralized trusted authentication server for the whole system, who issues long lifetime tickets. Ticket-granting servers (TGS): Issue short lifetime tickets. Service server S: Provide different service. Slide 15 2.1 Kerberos: Basic Ideas Slide 16 2.2 The Protocol Kerberos (Version 5) can be divided into three procedures from the view point of a client: obtaining ticket-granting ticket, obtaining service ticket, and obtaining a concrete service. We now discuss the details. Slide 17 2.2 The Protocol Slide 18 Here: K_c is derived from the clients password, which is shared with the AS. K_tgs is a secret key shared btw the AS and the TGS. K_1 is session key that enables the client to authenticate itself to the TGS server. Slide 19 2.2 The Protocol Here: A1 is an authenticator using K1. K2 is a session key that enables the client to authenticate itself to the server S. Ks is a secret key shared btw the TGS and a server S. Slide 20 2.2 The Protocol Here: A1 is an authenticator using K2. K3 is a session key for coming secure communications. The server S authenticates itself to the client in step 6. Slide 21 2.3 Kerberos: Its Limitations Single Failure Problem: If the AS is down, no user can access any resources. So Kerberos is prone to denial-of-service (DoS) attacks. - Duplicated AS? Possible, but not easy to maintain. Clock Synchronization is needed, since timestamps are used. Reasonable time interval for clock skew? - Too short: Rejecting many valid requests. - Too long: Suffering replay attack. Slide 22 2.3 Kerberos: Its Limitations Limited Scalability: Usually, the AS can support with hundreds of thousands users. Suitable for a university but not for the Internet, where PKIs with digital certificates are better. Off-line Password Attacks: Kerberos is vulnerable to this kind of attacks since a message is encrypted with a key derived from the client's password. Slide 23 3. Summary Introduced off-line dictionary attack. Briefly discussed the relation btw entity authentication and key exchange. Reviewed a practice-oriented authentication protocol: Kerberos. - Basic ideas - Technical mechanisms - Limitations Slide 24 Questions and Comments?