Download - ISA 662 Internet Security Protocols Kerberos
![Page 1: ISA 662 Internet Security Protocols Kerberos](https://reader036.vdocuments.us/reader036/viewer/2022062421/56812b0a550346895d8eefbe/html5/thumbnails/1.jpg)
ISA 662Internet Security Protocols
Kerberos
Prof. Ravi Sandhu
![Page 2: ISA 662 Internet Security Protocols Kerberos](https://reader036.vdocuments.us/reader036/viewer/2022062421/56812b0a550346895d8eefbe/html5/thumbnails/2.jpg)
2© Ravi Sandhu 2000-2004
SYSTEM MODEL
NETWORK
WORK-STATIONS SERVERS
WS
WS
WS
WS
NFS
GOPHER
LIBRARY
KERBEROS
![Page 3: ISA 662 Internet Security Protocols Kerberos](https://reader036.vdocuments.us/reader036/viewer/2022062421/56812b0a550346895d8eefbe/html5/thumbnails/3.jpg)
3© Ravi Sandhu 2000-2004
PHYSICAL SECURITY
CLIENT WORKSTATIONS None, so cannot be trusted
SERVERS Moderately secure rooms, with moderately
diligent system administration
KERBEROS Highly secure room, with extremely diligent
system administration
![Page 4: ISA 662 Internet Security Protocols Kerberos](https://reader036.vdocuments.us/reader036/viewer/2022062421/56812b0a550346895d8eefbe/html5/thumbnails/4.jpg)
4© Ravi Sandhu 2000-2004
KERBEROS OBJECTIVES
provide authentication between any pair of entities
primarily used to authenticate user-at-workstation to server
in general, can be used to authenticate two or more secure hosts to each other on an insecure network
servers can build authorization and access control services on top of Kerberos
![Page 5: ISA 662 Internet Security Protocols Kerberos](https://reader036.vdocuments.us/reader036/viewer/2022062421/56812b0a550346895d8eefbe/html5/thumbnails/5.jpg)
5© Ravi Sandhu 2000-2004
TRUST:BILATERAL RHOSTS MODEL
A
B C
E
G
F
A B
A trusts BA will allow userslogged onto B tolog onto A withouta password
![Page 6: ISA 662 Internet Security Protocols Kerberos](https://reader036.vdocuments.us/reader036/viewer/2022062421/56812b0a550346895d8eefbe/html5/thumbnails/6.jpg)
6© Ravi Sandhu 2000-2004
TRUST:CONSOLIDATED KERBEROS MODEL
A B C D E F
KERBEROS
![Page 7: ISA 662 Internet Security Protocols Kerberos](https://reader036.vdocuments.us/reader036/viewer/2022062421/56812b0a550346895d8eefbe/html5/thumbnails/7.jpg)
7© Ravi Sandhu 2000-2004
TRUST:CONSOLIDATED KERBEROS MODEL
breaking into one host provides a cracker no advantage in breaking into other hosts
authentication systems can be viewed as trust propagation systems the Kerberos model is a centralized star model the rhosts model is a tangled web model
![Page 8: ISA 662 Internet Security Protocols Kerberos](https://reader036.vdocuments.us/reader036/viewer/2022062421/56812b0a550346895d8eefbe/html5/thumbnails/8.jpg)
8© Ravi Sandhu 2000-2004
WHAT KERBEROS DOES NOT DO
makes no sense on an isolated system
does not mean that host security can be allowed to slip
does not protect against Trojan horses
does not protect against viruses/worms
![Page 9: ISA 662 Internet Security Protocols Kerberos](https://reader036.vdocuments.us/reader036/viewer/2022062421/56812b0a550346895d8eefbe/html5/thumbnails/9.jpg)
9© Ravi Sandhu 2000-2004
KERBEROS DESIGN GOALS
IMPECCABILITY no cleartext passwords on the network no client passwords on servers (server must store
secret server key) minimum exposure of client key on workstation
(smartcard solution would eliminate this need) CONTAINMENT
compromise affects only one client (or server) limited authentication lifetime (8 hours, 24 hours, more)
TRANSPARENCY password required only at login minimum modification to existing applications
![Page 10: ISA 662 Internet Security Protocols Kerberos](https://reader036.vdocuments.us/reader036/viewer/2022062421/56812b0a550346895d8eefbe/html5/thumbnails/10.jpg)
10© Ravi Sandhu 2000-2004
KERBEROS DESIGN DECISIONS
Uses timestamps to avoid replay. Requires time synchronized within a small window (5 minutes)
Uses DES-based symmetric key cryptography
stateless
![Page 11: ISA 662 Internet Security Protocols Kerberos](https://reader036.vdocuments.us/reader036/viewer/2022062421/56812b0a550346895d8eefbe/html5/thumbnails/11.jpg)
11© Ravi Sandhu 2000-2004
KERBEROS VERSIONS
We describe Kerberos version 4 as the base version
Kerberos version 5 fixes many shortcomings of version 4, and is described here by explaining major differences with respect to version 4
![Page 12: ISA 662 Internet Security Protocols Kerberos](https://reader036.vdocuments.us/reader036/viewer/2022062421/56812b0a550346895d8eefbe/html5/thumbnails/12.jpg)
12© Ravi Sandhu 2000-2004
NOTATION
c client principals server principal
Kx secret key of “x” (known to x and Kerberos)
Kc,s session key for “c” and “s” (generated by Kerberos and distributed to c and s)
{P}Kq P encrypted with Kq
Tc,s ticket for “c” to use “s”(given by Kerberos to c and verified by s)
Ac,s authenticator for “c” to use “s” (generated by c and verified by s)
![Page 13: ISA 662 Internet Security Protocols Kerberos](https://reader036.vdocuments.us/reader036/viewer/2022062421/56812b0a550346895d8eefbe/html5/thumbnails/13.jpg)
13© Ravi Sandhu 2000-2004
TICKETS AND AUTHENTICATORS
Tc,s = {s, c, addr, timeo, life, Kc,s}Ks
Ac,s= {c, addr, timea}Kc,s
addr is the IP address, adds littleremoved in version 5
![Page 14: ISA 662 Internet Security Protocols Kerberos](https://reader036.vdocuments.us/reader036/viewer/2022062421/56812b0a550346895d8eefbe/html5/thumbnails/14.jpg)
14© Ravi Sandhu 2000-2004
SESSION KEY DISTRIBUTION
Kerberos
Client Server
c, s {Tc,s, Kc,s} Kc
Tc,s, Ac,s
1 2
3
![Page 15: ISA 662 Internet Security Protocols Kerberos](https://reader036.vdocuments.us/reader036/viewer/2022062421/56812b0a550346895d8eefbe/html5/thumbnails/15.jpg)
15© Ravi Sandhu 2000-2004
USER AUTHENTICATION
for user to server authentication, client key is the user’s password (converted to a DES key via a publicly known algorithm)
![Page 16: ISA 662 Internet Security Protocols Kerberos](https://reader036.vdocuments.us/reader036/viewer/2022062421/56812b0a550346895d8eefbe/html5/thumbnails/16.jpg)
16© Ravi Sandhu 2000-2004
TRUST IN WORKSTATION
untrusted client workstation has Kc
is expected to delete it after decrypting message in step 2
compromised workstation can compromise one user
compromise does not propagate to other users
![Page 17: ISA 662 Internet Security Protocols Kerberos](https://reader036.vdocuments.us/reader036/viewer/2022062421/56812b0a550346895d8eefbe/html5/thumbnails/17.jpg)
17© Ravi Sandhu 2000-2004
AUTHENTICATION FAILURES
Ticket decryption by server yields garbage
Ticket timed out Wrong source IP address Replay attempt
![Page 18: ISA 662 Internet Security Protocols Kerberos](https://reader036.vdocuments.us/reader036/viewer/2022062421/56812b0a550346895d8eefbe/html5/thumbnails/18.jpg)
18© Ravi Sandhu 2000-2004
KERBEROS IMPERSONATION
active intruder on the network can cause denial of service by impersonation of Kerberos IP address
network monitoring at multiple points can help detect such an attack by observing IP impersonation
![Page 19: ISA 662 Internet Security Protocols Kerberos](https://reader036.vdocuments.us/reader036/viewer/2022062421/56812b0a550346895d8eefbe/html5/thumbnails/19.jpg)
19© Ravi Sandhu 2000-2004
KERBEROS RELIABILITY
availability enhanced by keeping slave Kerberos servers with replicas of the Kerberos database
slave databases are read only simple propagation of updates from
master to slaves
![Page 20: ISA 662 Internet Security Protocols Kerberos](https://reader036.vdocuments.us/reader036/viewer/2022062421/56812b0a550346895d8eefbe/html5/thumbnails/20.jpg)
20© Ravi Sandhu 2000-2004
USE OF THE SESSION KEY
Kerberos establishes a session key Kc,s
session key can be used by the applications for client to server authentication (no additional
step required in the protocol) mutual authentication (requires fourth
message from server to client {f(Ac,s)}Kc,s, where f is some publicly known function)
message confidentiality using Kc,s
message integrity using Kc,s
![Page 21: ISA 662 Internet Security Protocols Kerberos](https://reader036.vdocuments.us/reader036/viewer/2022062421/56812b0a550346895d8eefbe/html5/thumbnails/21.jpg)
21© Ravi Sandhu 2000-2004
TICKET-GRANTING SERVICE
Problem: Transparency user should provide password once upon
initial login, and should not be asked for it on every service request
workstation should not store the password, except for the brief initial login
Solution: Ticket-Granting Service (TGS) store session key on workstation in lieu of
password TGS runs on same host as Kerberos (needs
access to Kc and Ks keys)
![Page 22: ISA 662 Internet Security Protocols Kerberos](https://reader036.vdocuments.us/reader036/viewer/2022062421/56812b0a550346895d8eefbe/html5/thumbnails/22.jpg)
22© Ravi Sandhu 2000-2004
TICKET-GRANTING SERVICE
Kerberos
Client
c, tgs {Tc,tgs, Kc,tgs} Kc
1 2
deleted fromworkstation afterthis exchange(have to trust theworkstation)
retained onthe workstation
![Page 23: ISA 662 Internet Security Protocols Kerberos](https://reader036.vdocuments.us/reader036/viewer/2022062421/56812b0a550346895d8eefbe/html5/thumbnails/23.jpg)
23© Ravi Sandhu 2000-2004
TICKET-GRANTING SERVICE
TGS
Client Server
{Tc,s, Kc,s} Kc,tgsTc,tgs, Ac,tgs, s
3 4
5
Tc,s, Ac,s
![Page 24: ISA 662 Internet Security Protocols Kerberos](https://reader036.vdocuments.us/reader036/viewer/2022062421/56812b0a550346895d8eefbe/html5/thumbnails/24.jpg)
24© Ravi Sandhu 2000-2004
TICKET LIFETIME
Life time is minimum of: requested life time max lifetime for requesting principal max lifetime for requesting service max lifetime of ticket granting ticket
Max lifetime is 21.5 hours
![Page 25: ISA 662 Internet Security Protocols Kerberos](https://reader036.vdocuments.us/reader036/viewer/2022062421/56812b0a550346895d8eefbe/html5/thumbnails/25.jpg)
25© Ravi Sandhu 2000-2004
NAMING
Users and servers have same name format: name.instance@realm
Example: [email protected] [email protected] [email protected] [email protected]
Mapping of Kerberos authentication names to local system names is left up to service provider
![Page 26: ISA 662 Internet Security Protocols Kerberos](https://reader036.vdocuments.us/reader036/viewer/2022062421/56812b0a550346895d8eefbe/html5/thumbnails/26.jpg)
26© Ravi Sandhu 2000-2004
KERBEROS V5 ENHANCEMENTS
Naming Kerberos V5 supports V4 names, but also provides for
other naming structures such as X.500 and DCE
Timestamps V4 timestamps are Unix timestamps (seconds since
1/1/1970). V5 timestamps are in OSI ASN.1 format.
Ticket lifetime V4 tickets valid from time of issue to expiry time, and
limited to 21.5 hours. V5 tickets have start and end timestamps. Maximum
lifetime can be set by realm.
![Page 27: ISA 662 Internet Security Protocols Kerberos](https://reader036.vdocuments.us/reader036/viewer/2022062421/56812b0a550346895d8eefbe/html5/thumbnails/27.jpg)
27© Ravi Sandhu 2000-2004
KERBEROS V5 ENHANCEMENTS
Kerberos V5 tickets are renewable, so service can be maintained beyond maximum ticket lifetime.
Ticket can be renewed until min of: requested end time start time + requesting principal’s max
renewable lifetime start time + requested server’s max renewable
lifetime start time + max renewable lifetime of realm
![Page 28: ISA 662 Internet Security Protocols Kerberos](https://reader036.vdocuments.us/reader036/viewer/2022062421/56812b0a550346895d8eefbe/html5/thumbnails/28.jpg)
28© Ravi Sandhu 2000-2004
KERBEROS INTER-REALM AUTHENTICATION
KerberosRealm 1
KerberosRealm 2
sharedsecret key
client server
![Page 29: ISA 662 Internet Security Protocols Kerberos](https://reader036.vdocuments.us/reader036/viewer/2022062421/56812b0a550346895d8eefbe/html5/thumbnails/29.jpg)
29© Ravi Sandhu 2000-2004
KERBEROS INTER-REALM AUTHENTICATION
Kerberos V4 limits inter-realm interaction to realms which have established a shared secret key
Kerberos V5 allows longer paths For scalability one may need public-
key technology for inter-realm interaction
![Page 30: ISA 662 Internet Security Protocols Kerberos](https://reader036.vdocuments.us/reader036/viewer/2022062421/56812b0a550346895d8eefbe/html5/thumbnails/30.jpg)
30© Ravi Sandhu 2000-2004
KERBEROS DICTIONARY ATTACK
First two messages reveal known-plaintext for dictionary attack
first message can be sent by anyone Kerberos v5 has pre-authentication
option to prevent this attack