internet security and privacyjohanmon/attic/2g1704/lectures/kerberos.pdf · kerberos • a dog with...

1Internet security and privacy 2G1704 Johan Montelius

Internet security and privacy

Key Distribution Center / Kerberos


The problem


KDC key distribution center

• If we have a network of nodes and each node needs to have complete knowledge of all other nodes and all other users the administration of the network would cause a problem.

• Use one centrally managed node to store information about all users in the network. Let this node distribute keys, for secure communication, on request by a user.


KDC problems

• How can Alice authenticate to the KDC?

• How can the KDC ensure Bob that Alice is trustworthy?

• How can Alice and Bob communicate in privacy?


KDC first try

Alice KDC BobAlice to Bob

KBob{Alice / KAB}KAlice{use KAB}

I'm Alice

KAB shared secret


KDC second try

Alice KDC BobAlice to Bob

I'm Alice , KBob{Alice / KAB}

KAlice{use KAB}, KBob{Alice / KAB}

KAB shared secret

A ticket to Bob

How does Alice know who she's talking to?


KDC Needham-Schroeder

Alice KDC BobN1 , Alice to Bob

I'm Alice , ticket, KAB{N2}

KAlice{N1, “Bob”, KAB , ticket}

KAB shared secret

KAB{N2-1, N3}

KAB{N3-1}


What if....

• Trudy records a session and stores the reply from the KDC:

< KAlice{N1, “Bob”, KAB , ticket} >.

• At a later point she captures KAlice , Alice changes her key, the KDC is updated, but Bob is of course not informed.

I'm Alice , KBob{Alice/KAB}, KAB{N2}

BobTrudy


KDC Extended Needham-Schroeder

Alice KDC Bob

N1 , Alice to Bob, KBob{NB}

I'm Alice , ticket, KAB{N2}

KAlice{N1, “Bob”, KAB , ticket}ticket = KBob{KAB, Alice, NB}

KBob{NB}

I'm Alice

etc


Extended Needham-Schroeder

• Solves the replay problem by forcing Alice to prove that she has access to the most recent key.

• The price is two extra messages where Alice receives a nonce from Bob before contacting the KDC.

• Can we replace the challenge response with something else?


KDC KerberosAlice KDC Bob

N1 , Alice to Bob

I'm Alice , ticket, KAB{timestamp}

KAlice{N1, Bob, KAB , ticket}ticket = KBob{KAB, Alice, exp. time }

KAB{timestamp+1}


Kerberos

• A dog with three heads guarding the entrance to Hades.

• Developed by MIT

– v4 standardized in late -80

– v5 in -92. (v4 still in use)

• Widely used not only in the Unix world:

– Windows 2000/XP

– Web single-sign-on such as Passport


The dog


Kerberos v4

• The KDC (Kerberos server, Authentication server, Ticket granting Server) holds a database with entries:

– principal (user) name

– master key (encrypted with KDC master key)

• There is no runtime state that has to be updated so the database can be distributed to other KDC servers.

• All encryption is done using DES (v4).


Kerberos v4 TGT (ticket granting ticket)Alice KDC

AS-REQ: Alice

AS-REP: KAlice{SAlice, TGT}

TGT = KKDC{Alice, SAlice, exp. ...} The ticket granting ticket (TGT) holds the new session key. The KDC need therefore not store this information locally e.g. no state!

The password of Alice is only needed to decrypt the AS-REP reply.


After initial handshake

• Alice has received the session key that she will use in all communication with the KDC during this session.

• The ticket granting ticket (TGT) must be used when communicating with the KDC since the KDC does not have a copy of the session key.

• Did you notice how easy it was to get information from the KDC?


Kerberos v4 remote accessAlice KDC Bob

TGS-REQ:Alice to Bob, TGT, SA{T}

I'm Alice , ticket, KAB{T}

TGS-REP: SA{Bob, KAB , ticket}

KAB{T+1}

ticket = KBob{KAB, Alice, exp. time }


Kerberos Realms

• A network of nodes (principals) constitute a realm. Each realm has one (possibly distributed) KDC with one database of principals and master keys.

• How can we make two realms collaborate? Could we let a user in one realm be authenticated in another realm?


Inter-realm authenticationAlice Wndl KDC Oz KDC

Alice@Wndl Oz@Wndl TGT, SA{T}

Alice@Wndl Doroty@Oz, ticket, KAO{T}

SA{Oz@Wndl, KAO , ticket}ticket = KOz{KAO, Alice@Wndl, exp. time }

KAO{Doroty@Oz, KAD , ticket}ticket = KDoroty{KAD, Alice@Wndl, exp. time }


Cipher Block Chaining

c1 c2 c3 c4

E(k) E(k) E(k) E(k) E(k)

cnc5

E(k)

m1 m2 m3 m4 mnm5

+IV + + + + +


Plaintext Cipher Block Chaining

c1 c2 c3 c4

E(k) E(k) E(k) E(k) E(k)

cnc5

E(k)

m1 m2 m3 m4 mnm5

+IV + + + + +


PCBC

• If the cipher text is modified the decrypted plaintext will be garbage.

• A recognizable end is added to each message so that the receiver can identify correct messages.

• Offers weak integrity.

• Method was replaced in v5.


Integrity only

• Kerberos v4 offers a weak mode of integrity only.

• A checksum is computed using the session key concatenated with the plaintext.

• In a known plaintext attack Eve can possibly work backwards and retrieve the session key.

• Method replaced in v5.


Network address

• Each message will contain the address (4 bytes e.g. IP address) of the sender. This way the receiver can check that the message comes from the right network node.

• Small address space.

• Problems with NAT.

• Problems when delegating rights.

• Why mix the network layer into the encryption layer?


Kerberos v5

• Solves many of the problems with v4.

• More flexible as it comes to

– addressing,

– selection of cipher algorithms,

– delegation of rights

• Message format is based on ASN.1 (Abstract Syntax Notation One).

• Still Kerberos v4 is widely used.


ASN.1 Abstract Syntax Notation

HostAddress ::= SEQUENCE {addr-type[0] INTEGER,address[1] OCTET STRING

}

Clear specification of the message structure without going into details of how things are coded.

The ASN.1 specification is translatedto a message using Basic Encoding Rules (BER).




}

One byte is needed to encode that it is a sequence and one byte to encode the length, addr_type requires 5 bytes to code one byte of type information and address requires 4 bytes overhead


}

a 4 byte IP address requires 15 bytes!



HostAddress ::= SEQUENCE {addr-type[0] IMPLICIT INTEGER,address[1] IMPLICIT OCTET

STRING}

HostAddress ::= CHOICE {ip_address[0] IMPLICIT OCTET STRING,ipx_address[1] IMPLICIT OCTET STRING,

:}


Delegation of rights

• Alice can not delegate rights to Bob by sending him her session key (not very smart) or sending him TGTs (will not work since they contain the network address).

• Alice can ask for a TGT with another (or no) network address. This TGT can be used by Bob.

• Alice can ask for individual tickets to specific services and send them to Bob.

• How about expiration time?


expiration time

• Expiration time in Kerberos v4 is limited to 21h (four bytes, 5min resolution).

• In Kerberos v5 this is almost without limit.

• Not a good idea to give tickets with very long expiration time:

– start time

– end time

– authentication time (when was ticket issued)

– renew till (for how long can we renew)


Cipher algorithms

• Encryption uses one of several algorithms indicated by a type field. If one algorithm is broken then this can be removed from the system.

• Integrity-only provided by message digest functions: MD5-DES


Integrity MD5/DES

confounder 64b message

confounder 64b MD5 digest 128b

MD5

MAC 192b

DES in CBC mode, IV = 0, using modified shared secret


Privacy and Integrity

confounder 64b 000..place for MD message

confounder 64b MD message

MD5/4 or CRC32

confounder 64b MD message padding

DES in CBC mode IV = 0

internet security and privacyjohanmon/attic/2g1704/lectures/kerberos.pdf · kerberos • a dog with...

Documents