
Upload: david-hicks

Post on 17-Dec-2015


CSCE 815 Network Security
Lecture 9

Digital Signatures & Authentication Applications

Kerberos

February 13, 2003

– 2 – CSCE 815 Sp 03

Resources

Stallings Web Site: http://williamstallings.com/

http://web.mit.edu/kerberos/www/

http://web.mit.edu/kerberos/www/dialogue.html

http://web.mit.edu/kerberos/www/papers.html

Kohl’s paper “The Evolution of Kerberos…”

http://web.mit.edu/kerberos/www/

What is Kerberos?

Security Advisories

Kerberos Releases
  Kerberos V5 Release 1.2
  Historical releases of MIT krb5
  Getting Kerberos Sources and Binaries from MIT (US and Canada only)
  Getting Kerberos Sources from the Crypto Publishing Project
  The krb5-current Snapshots (for developers; US, Canada only)

Documentation for the most recent release

Papers about the Kerberos protocol

Frequently Asked Questions
  The comp.protocols.kerberos FAQ (at NRL; maintained by Ken Hornstein)
  How do the new US export regulations affect Kerberos?

Other Resources
  Mailing lists
  comp.protocols.kerberos newsgroup
  USC/ISI Kerberos Page
  Oak Ridge National Laboratory's "How to Kerberize your Site"

Digital Signatures

have looked at message authentication
  but does not address issues of lack of trust

digital signatures provide the ability to:
  verify author, date & time of signature
  authenticate message contents
  be verified by third parties to resolve disputes

hence include authentication function with additional capabilities

Digital Signature Properties

must depend on the message signed

must use information unique to sender
  to prevent both forgery and denial

must be relatively easy to produce

must be relatively easy to recognize & verify

be computationally infeasible to forge
  with new message for existing digital signature
  with fraudulent digital signature for given message

be practical to save digital signature in storage

Direct Digital Signatures

involve only sender & receiver

assumed receiver has sender’s public-key

digital signature made by sender signing entire message or hash with private-key

can encrypt using receiver's public-key

important that sign first then encrypt message & signature

security depends on sender’s private-key

Replay Attacks

where a valid signed message is copied and later resent
  simple replay
  repetition that can be logged
  repetition that cannot be detected
  backward replay without modification

countermeasures include
  use of sequence numbers (generally impractical)
  timestamps (needs synchronized clocks)
  challenge/response (using unique nonce)

Digital Signature Standard (DSS)

US Govt approved signature scheme FIPS 186

uses the SHA hash algorithm

designed by NIST & NSA in early 90's

DSS is the standard, DSA is the algorithm

a variant on ElGamal and Schnorr schemes

creates a 320 bit signature, but with 512-1024 bit security

security depends on difficulty of computing discrete logarithms

DSA Key Generation

have shared global public key values (p, q, g):
  a large prime p, with $2^{L-1} < p < 2^{L}$
    where L = 512 to 1024 bits and is a multiple of 64
  choose q, a 160 bit prime factor of p-1
  choose $g = h^{(p-1)/q}$
    where h is any integer 1 < h < p-1, such that $h^{(p-1)/q} \bmod p > 1$

users choose private & compute public key:
  choose a random number x with x < q
  compute public key $y = g^{x} \bmod p$

DSA Signature Creation

to sign a message M the sender:
  generates a random signature key k, k < q
  nb. k must be random, be destroyed after use, and never be reused

then computes signature pair:
  $r = (g^{k} \bmod p) \bmod q$
  $s = (k^{-1} \cdot (\mathrm{SHA}(M) + x \cdot r)) \bmod q$

sends signature (r,s) with message M

DSA Signature Verification

having received M & signature (r,s)

to verify a signature, recipient computes:
  $w = s^{-1} \bmod q$
  $u_1 = (\mathrm{SHA}(M) \cdot w) \bmod q$
  $u_2 = (r \cdot w) \bmod q$
  $v = (g^{u_1} \cdot y^{u_2} \bmod p) \bmod q$

if v = r then signature is verified

see C&NS book web site for details of proof why

DSS Signing And VerifyingDSS Signing And Verifying


Authentication Protocols

We cannot enter into alliance with neighboring princes until we are acquainted with their designs.

—The Art of War, Sun Tzu

used to convince parties of each other's identity and to exchange session keys

may be one-way or mutual

key issues are
  confidentiality – to protect session keys
  timeliness – to prevent replay attacks

Replay Attacks

where a valid signed message is copied and later resent
  simple replay
  repetition that can be logged
  repetition that cannot be detected
  backward replay without modification

countermeasures include
  use of sequence numbers (generally impractical)
  timestamps (needs synchronized clocks)
  challenge/response (using unique nonce)

Authentication Applications

will consider authentication functions

developed to support application-level authentication & digital signatures

will consider Kerberos – a private-key authentication service

then X.509 directory authentication service

KERBEROS

In Greek mythology, a many headed dog, the guardian of the entrance of Hades

Threats In a Shared Network

Kerberos developed as part of Project Athena at MIT

Athena – a network of workstations and distributed or centralized servers

Threats in any network sharing resources

1. A user may pretend to be another user

2. A user may change an IP address of a workstation

3. A user may eavesdrop and use a replay attack for …

Approaches to Security in a Network

1. Rely on workstation to assure the identity of users. Rely on server to enforce security policy on users.

2. Require workstations to authenticate themselves to servers; trust workstations to authenticate users.

3. Require the user to prove identity for each service requested. Also servers prove identity to clients.

Kerberos

trusted key server system from MIT

provides centralised private-key third-party authentication in a distributed network
  allows users access to services distributed through network
  without needing to trust all workstations
  rather all trust a central authentication server

two versions in use: 4 & 5

Kerberos Requirements

first published report identified its requirements as:
  security
  reliability
  transparency
  scalability

Kerberos 4 Overview

a basic third-party authentication scheme

have an Authentication Server (AS)
  users initially negotiate with AS to identify self
  AS provides a non-corruptible authentication credential (ticket granting ticket TGT)

have a Ticket Granting server (TGS)
  users subsequently request access to other services from TGS on basis of user's TGT

Kerberos Version 4

Terms:
  C = Client
  AS = authentication server
  V = server
  $ID_c$ = identifier of user on C
  $ID_v$ = identifier of V
  $P_c$ = password of user on C
  $AD_c$ = network address of C
  $K_v$ = secret encryption key shared by AS and V
  TS = timestamp
  || = concatenation

A Simple Authentication Dialogue

$C \to AS$: $ID_c \,\|\, P_c \,\|\, ID_v$

$AS \to C$: $Ticket$

$C \to V$: $ID_c \,\|\, Ticket$

$Ticket = E_{K_v}[ID_c \,\|\, P_c \,\|\, ID_v]$

Version 4 Authentication Dialogue

Problems:
  Lifetime associated with the ticket-granting ticket
  If too short, repeatedly asked for password
  If too long, greater opportunity to replay

The threat is that an opponent will steal the ticket and use it before it expires

Version 4 Authentication Dialogue

Authentication Service Exchange: To obtain Ticket-Granting Ticket

(1) $C \to AS$: $ID_c \,\|\, ID_{tgs} \,\|\, TS_1$

(2) $AS \to C$: $E_{K_c}[K_{c,tgs} \,\|\, ID_{tgs} \,\|\, TS_2 \,\|\, Lifetime_2 \,\|\, Ticket_{tgs}]$

Ticket-Granting Service Exchange: To obtain Service-Granting Ticket

(3) $C \to TGS$: $ID_v \,\|\, Ticket_{tgs} \,\|\, Authenticator_c$

(4) $TGS \to C$: $E_{K_c}[K_{c,v} \,\|\, ID_v \,\|\, TS_4 \,\|\, Ticket_v]$

Client/Server Authentication Exchange: To Obtain Service

(5) $C \to V$: $Ticket_v \,\|\, Authenticator_c$

(6) $V \to C$: $E_{K_{c,v}}[TS_5 + 1]$
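Server V's side of messages (5) and (6), with the checks that limit the stolen-ticket and replay threats named above, as an added Python example that is not part of the lecture. The contents of Ticket_v and Authenticator_c follow the dialogue in Stallings' textbook rather than this slide; `E`/`D` are a toy stand-in cipher, and `MAX_SKEW`, the replay cache and lifetimes in seconds are assumptions.

```python
import hashlib, hmac, json, os

MAX_SKEW = 300  # assumed freshness window in seconds; the slides give no value

def _stream(key, nonce, n):
    return b"".join(hashlib.sha256(key + nonce + bytes([i])).digest() for i in range(n // 32 + 1))

def E(key, fields):
    """Toy stand-in for E_K[...]: SHA-256 keystream XOR plus HMAC tag (Kerberos 4 used DES)."""
    pt, nonce = json.dumps(fields).encode(), os.urandom(8)
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return (nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()).hex()

def D(key, blob):
    raw = bytes.fromhex(blob)
    nonce, ct, tag = raw[:8], raw[8:-32], raw[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("not sealed under this key")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

def issue_ticket(kv, idc, adc, idv, ts4, lifetime4):
    """TGS side: Ticket_v = E_Kv[Kc,v || IDc || ADc || IDv || TS4 || Lifetime4]."""
    kcv = os.urandom(16)
    fields = {"K": kcv.hex(), "IDc": idc, "ADc": adc, "IDv": idv, "TS": ts4, "Life": lifetime4}
    return kcv, E(kv, fields)

def authenticator(kcv, idc, adc, ts5):
    """Client side: Authenticator_c = E_Kc,v[IDc || ADc || TS5]."""
    return E(kcv, {"IDc": idc, "ADc": adc, "TS": ts5})

def serve(kv, idv, ticket, auth, src_addr, now, seen):
    """Server V, messages (5) and (6): validate, then return E_Kc,v[TS5 + 1]."""
    t = D(kv, ticket)
    kcv = bytes.fromhex(t["K"])
    a = D(kcv, auth)
    if t["IDv"] != idv:
        raise ValueError("ticket issued for another server")
    if now > t["TS"] + t["Life"]:
        raise ValueError("ticket outside its lifetime")
    if (a["IDc"], a["ADc"]) != (t["IDc"], t["ADc"]) or src_addr != t["ADc"]:
        raise ValueError("authenticator or source address does not match ticket")
    if abs(now - a["TS"]) > MAX_SKEW:
        raise ValueError("stale authenticator")
    if (a["IDc"], a["TS"]) in seen:        # replay cache kept for the skew window
        raise ValueError("replayed authenticator")
    seen.add((a["IDc"], a["TS"]))
    return E(kcv, {"TS": a["TS"] + 1})

def outcome(*args):
    """Run serve() and report 'ok' or the rejection reason."""
    try:
        serve(*args)
        return "ok"
    except ValueError as e:
        return str(e)
```
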

Kerberos 4 Overview Fig 4.1

Kerberos Realms

a Kerberos environment consists of:
  a Kerberos server
  a number of clients, all registered with server
  application servers, sharing keys with server

this is termed a realm
  typically a single administrative domain

if have multiple realms, their Kerberos servers must share keys and trust

Request for Service in Another Realm

Kerberos Version 5

developed in mid 1990’s

provides improvements over v4
  addresses environmental shortcomings
    encryption algorithm, network protocol, byte order, ticket lifetime, authentication forwarding, interrealm authorization
  and technical deficiencies
    double encryption, non-std mode of use, session keys, password attacks

specified as Internet standard RFC 1510

X.509 Authentication Service

part of CCITT X.500 directory service standards
  distributed servers maintaining some info database

defines framework for authentication services
  directory may store public-key certificates
  with public key of user
  signed by certification authority

also defines authentication protocols

uses public-key crypto & digital signatures
  algorithms not standardised, but RSA recommended

X.509 Certificates

issued by a Certification Authority (CA), containing:
  version (1, 2, or 3)
  serial number (unique within CA) identifying certificate
  signature algorithm identifier
  issuer X.500 name (CA)
  period of validity (from - to dates)
  subject X.500 name (name of owner)
  subject public-key info (algorithm, parameters, key)
  issuer unique identifier (v2+)
  subject unique identifier (v2+)
  extension fields (v3)
  signature (of hash of all fields in certificate)

notation CA<<A>> denotes certificate for A signed by CA

X.509 Certificates

Obtaining a Certificate

any user with access to CA can get any certificate from it

only the CA can modify a certificate

because they cannot be forged, certificates can be placed in a public directory

CA Hierarchy

if both users share a common CA then they are assumed to know its public key

otherwise CAs must form a hierarchy

use certificates linking members of hierarchy to validate other CAs
  each CA has certificates for clients (forward) and parent (backward)

each client trusts parent's certificates

enable verification of any certificate from one CA by users of all other CAs in hierarchy

CA Hierarchy Use

Certificate Revocation

certificates have a period of validity

may need to revoke before expiry, eg:
  1. user's private key is compromised
  2. user is no longer certified by this CA
  3. CA's certificate is compromised

CAs maintain list of revoked certificates
  the Certificate Revocation List (CRL)

users should check certs with CA’s CRL
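Building the certificate chain through a CA hierarchy and screening it for expiry and revocation, covering both the CA Hierarchy and Certificate Revocation slides, as an added Python example (not from the lecture). The CA names, serial numbers and dates are constructed, the function names are hypothetical, and signature verification of each certificate is left out.

```python
from datetime import date

# Constructed hierarchy: V is the root, W and Y its children, X under W, Z under Y.
PARENT = {"X": "W", "W": "V", "Y": "V", "Z": "Y"}

def cert_path(parent, a_ca, b_ca, b):
    """(issuer, subject) pairs A must verify, in order, from A's own CA to user b."""
    up = [a_ca]
    while up[-1] in parent:                 # backward certificates: child CA -> parent CA
        up.append(parent[up[-1]])
    down = [b_ca]
    while down[-1] not in up:               # climb from B's CA until the branches meet
        if down[-1] not in parent:
            raise ValueError("no common CA")
        down.append(parent[down[-1]])
    chain = up[:up.index(down[-1])] + down[::-1] + [b]
    return list(zip(chain, chain[1:]))

def check_path(path, certs, crls, today):
    """First reason the path is unusable, or None. Signature checks are omitted here."""
    for issuer, subject in path:
        name = f"{issuer}<<{subject}>>"     # the slide's notation: cert for subject signed by issuer
        c = certs.get((issuer, subject))
        if c is None:
            return f"{name}: not in directory"
        if not c["not_before"] <= today <= c["not_after"]:
            return f"{name}: outside period of validity"
        if c["serial"] in crls.get(issuer, set()):
            return f"{name}: serial {c['serial']} is on {issuer}'s CRL"
    return None

def demo(today=date(2003, 2, 13)):
    """A (certified by X) validates B (certified by Z), without and with a revocation."""
    path = cert_path(PARENT, "X", "Z", "B")
    certs = {pair: {"serial": n, "not_before": date(2003, 1, 1), "not_after": date(2003, 12, 31)}
             for n, pair in enumerate(path, start=100)}   # constructed certificates
    crls = {"Y": {103}}                     # constructed: Y has revoked its certificate for Z
    return path, check_path(path, certs, {}, today), check_path(path, certs, crls, today)
```
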

Authentication Procedures

X.509 includes three alternative authentication procedures:

One-Way Authentication

Two-Way Authentication

Three-Way Authentication

all use public-key signatures

One-Way Authentication

1 message (A->B) used to establish
  the identity of A and that message is from A
  message was intended for B
  integrity & originality of message

message must include timestamp, nonce, B's identity and is signed by A

Two-Way Authentication

2 messages (A->B, B->A) which also establishes in addition:
  the identity of B and that reply is from B
  that reply is intended for A
  integrity & originality of reply

reply includes original nonce from A, also timestamp and nonce from B

Three-Way Authentication

3 messages (A->B, B->A, A->B) which enables above authentication without synchronized clocks

has reply from A back to B containing signed copy of nonce from B

means that timestamps need not be checked or relied upon

X.509 Version 3

has been recognised that additional information is needed in a certificate
  email/URL, policy details, usage constraints

rather than explicitly naming new fields defined a general extension method

extensions consist of:
  extension identifier
  criticality indicator
  extension value

Certificate Extensions

key and policy information
  convey info about subject & issuer keys, plus indicators of certificate policy

certificate subject and issuer attributes
  support alternative names, in alternative formats for certificate subject and/or issuer

certificate path constraints
  allow constraints on use of certificates by other CA’s

Summary

have considered:
  Kerberos trusted key server system
  X.509 authentication and certificates