Chapter 8.5: Authentication and Key Distribution

Prepared by: Karthik V Puttaparthi [email protected]

Outline

  • Overview

  • Protocols and Communication Services

  • Design of Authentication Protocols

  • Needham-Schroeder Protocol

  • Denning-Sacco Protocol

  • Kerberos Protocol

  • Kerberos Protocol Version V

  • References

Protocols and Communication Services

  • Authentication is the process of verifying the identity of an object entity.

  • Password verification is a simple example of one-way user identification.

  • In a distributed environment, there is a greater need to authenticate the machine the user connects to as well.

  • This type of mutual authentication is even more important for communication between autonomous principals under different administrative authorities in a client/server distributed environment.

Protocols and Communication Services

Messages being exchanged must also be authenticated such that they are free of forgery, counterfeiting and repudiation.

  • Forgery could occur when a communication key is compromised.

  • A counterfeit is the replay of a secret message in the context of communication.

  • Repudiation is the denial of sending what seems to be an authenticated message.

Protocols and Communication Services

  • For message authenticity, an irreproducible secret message digest can be used to sign the message.

  • Secrecy of information can be accomplished by encryption using secret keys.

Design of Authentication Protocols


Peer processes

Client / Server

  • Authentication protocols are all about distribution and management of secret keys.

  • Key distribution in a distributed environment is an implementation of distributed authentication protocols.

Design of Authentication Protocols

  • The design of distributed authentication protocols depends on the underlying communication service, i.e. connectionless or connection-oriented.

  • Most distributed applications follow the client/server programming paradigm, and client/server interaction is viewed as request/reply communication.

  • Session keys can also be used for client/server communication; they are conceptually similar to tickets.

  • A ticket is a signed certificate that contains information for authenticating the client.

  • The Kerberos protocol was the first to use the notion of a ticket.

Design of Authentication Protocols

  • All protocols assume that some secret information is held initially by each principal.

  • Authentication is achieved by one principal demonstrating to the other that it holds that secret information.

  • All protocols assume that the system environment is very insecure and open to attack.

Design of Authentication Protocols

  • A message received by a principal must have its origin authenticity, integrity and freshness verified.

  • To achieve these goals, most protocols need to rely on an authentication server.

  • The authentication server securely delivers good-quality session keys to requesting principals.

Design of Authentication Protocols

  • Protocols are divided into two categories according to how they verify the freshness of a message.

  • The first category uses a nonce and a challenge/response handshake to verify freshness.

  • The second category uses timestamps and assumes that all machines in the distributed system are clock-synchronized.

Needham-Schroeder Protocol (1978)

  • First to use encryption techniques for authentication and key distribution.

  • Five steps:

    1. A->S: A, B, Na

    2. S->A: {Na, B, Kab, {A, Kab}Kbs}Kas

    3. A->B: {A, Kab}Kbs

    4. B->A: {Nb}Kab

    5. A->B: {Nb - 1}Kab

  • A contacts S, which returns a session key and a certificate encrypted with Kbs.

  • B decrypts it and does a nonce handshake with A to assure freshness.

  • Subtracting 1 from Nb in the last message ensures that it is not a replay of the previous message from B to A.

Needham-Schroeder Protocol (1978)

  • Five steps:

    1. A->S: A, B, Na

    2. S->A: {Na, B, Kab, {A, Kab}Kbs}Kas

    3. A->B: {A, Kab}Kbs

    4. B->A: {Nb}Kab

    5. A->B: {Nb - 1}Kab

  • Denning and Sacco found a drawback.

  • If the session key between A and B is compromised, an intruder can impersonate A by carrying out the last 3 steps.

  • Needham and Schroeder responded by requiring A to obtain another nonce from B before it contacts S, and requiring S to put this nonce into the certificate to be forwarded to B.

Denning-Sacco Protocol (1981)

  • Uses timestamps rather than nonces to guarantee message freshness.

  • A->S: A, B

  • S->A: {B, Kab, Ts, {A, Kab, Ts}Kbs}Kas

  • A->B: {A, Kab, Ts}Kbs

    A and B can verify the message freshness by checking:

    Clock − T < Δt1 + Δt2

Denning-Sacco Protocol (1981)

  • Clock is the local clock time. Δt1 is the normal discrepancy between the server’s clock and the local clock. Δt2 is the expected network delay.

  • So long as Δt1 + Δt2 is less than the interval between two contiguous authentication sessions, message freshness is guaranteed.

  • Denning-Sacco has better performance than Needham-Schroeder because it eliminates the message handshake.

  • The drawback is that all machines must be clock-synchronized with the authentication server.

Kerberos Protocol (1980)

  • Developed as part of Project Athena at MIT, Kerberos is one of the most promising implementations of an authentication service.

  • Based on Needham-Schroeder, but also uses the timestamps suggested by Denning-Sacco.

  • The authentication service is divided between two servers: the Kerberos Server and the Ticket Granting Server (TGS).

Kerberos Protocol (1980)

  • A simplified version of Kerberos treats the Kerberos server and the TGS as a single entity S.

    1. A->S: A, B

    2. S->A: {Kab, Ticketab}Kas

    Where Ticketab = {B, A, addr, Ts, L, Kab}Kbs

    3. A->B: Authenticatorab, Ticketab

    Where Authenticatorab = {A, addr, Ta}Kab

    4. B->A: {Ta + 1}Kab

  • A sends its own identity to S before it connects to B.

  • S responds with the session key Kab and a ticket for B.

Kerberos Protocol (1980)

1. A->S: A, B

2. S->A: {Kab, Ticketab}Kas

Where Ticketab = {B, A, addr, Ts, L, Kab}Kbs

3. A->B: Authenticatorab, Ticketab

Where Authenticatorab = {A, addr, Ta}Kab

4. B->A: {Ta + 1}Kab

  • The ticket contains the identities of B and A, the IP of A, a timestamp Ts, a lifetime L and a session key to identify A.

  • A now creates its own authenticator containing A’s identity, its IP and a timestamp, and sends it to B along with B’s ticket.

  • B decrypts the ticket and the authenticator, and compares two pieces of information.

Kerberos Protocol (1980)

  • First, their identity and address information must match.

  • Second, the discrepancy between the time in the authenticator and the current local time must not exceed a predetermined value.

  • If these checks pass, B authenticates A’s identity and allows the service request to proceed.

  • Drawbacks of Kerberos were identified by Bellovin and Merritt.

  • The drawbacks include difficulty in adapting to all environments and the need for special-purpose hardware.

  • To fix some of these problems, Kerberos has been upgraded to version V.
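An added example, not from the original slides: B's acceptance check in the simplified Kerberos exchange, placed beside B's handling of Needham-Schroeder message 3, to show how the ticket timestamp and lifetime stop the old-session-key replay that Denning and Sacco described. HMAC-SHA256 stands in for encryption, and the key values, names, address, 300-second skew limit and ticket-lifetime check are assumptions.

```python
import hashlib, hmac, json

def seal(key, obj):
    """Stand-in for {obj}key: HMAC-SHA256 tag + JSON body (integrity only, no secrecy)."""
    body = json.dumps(obj, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).digest() + body

def unseal(key, blob):
    tag, body = blob[:32], blob[32:]
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        raise ValueError("not sealed under this key")
    return json.loads(body)

def ns_accept(kbs, msg3):
    """Needham-Schroeder B: {A, Kab}Kbs has no field that dates it; no clock is consulted."""
    return unseal(kbs, msg3)["A"]          # B would next run the Nb handshake under Kab

def kerberos_accept(kbs, ticket, authenticator, now, max_skew=300):
    """Simplified-Kerberos B: return (client, message 4) or raise ValueError."""
    t = unseal(kbs, ticket)                # {B, A, addr, Ts, L, Kab}Kbs
    kab = bytes.fromhex(t["Kab"])
    a = unseal(kab, authenticator)         # {A, addr, Ta}Kab
    if now > t["Ts"] + t["L"]:             # lifetime check: an assumption, the page only lists L
        raise ValueError("ticket expired")
    if (a["A"], a["addr"]) != (t["A"], t["addr"]):
        raise ValueError("identity/address mismatch")
    if abs(now - a["Ta"]) > max_skew:      # max_skew: the "predetermined value", assumed 300 s
        raise ValueError("stale authenticator")
    return t["A"], seal(kab, {"Ta+1": a["Ta"] + 1})

# Constructed sample data: keys, names, address and times are made up.
KBS, OLD_KAB = b"long-term key of B", b"session key, later leaked"
T0, WEEK, ID = 1_000_000, 7 * 86400, {"A": "alice", "addr": "10.0.0.5"}

def verdict(ticket, auth, now):
    try:
        return kerberos_accept(KBS, ticket, auth, now)[0]
    except ValueError as err:
        return str(err)

def demo():
    cert = seal(KBS, {"A": "alice", "Kab": OLD_KAB.hex()})       # N-S message 3
    ticket = seal(KBS, {"B": "bob", **ID, "Ts": T0, "L": 3600, "Kab": OLD_KAB.hex()})
    auth = seal(OLD_KAB, {**ID, "Ta": T0 + 10})
    late = seal(OLD_KAB, {**ID, "Ta": T0 + WEEK})                # built with the leaked key
    return {"ns_week_later": ns_accept(KBS, cert),               # accepted: nothing dates it
            "fresh": verdict(ticket, auth, T0 + 12),
            "auth_replayed": verdict(ticket, auth, T0 + 400),
            "old_ticket_new_auth": verdict(ticket, late, T0 + WEEK)}
```

Calling `demo()` returns B's verdict for each case; the last one shows that a fresh authenticator built from an old session key still fails because the ticket that carries that key has expired.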

Kerberos Protocol Version V (cont…)

  • This protocol separates the authentication server S into a Kerberos server (K) for authentication and a Ticket Granting Server (G).

  • The client (C) first sends the identities of itself and the TGS to the Authentication Server K. (Message 1)

  • The Authentication Server K does the initial login and grants a ticket for the TGS. (Message 2)

  • The client (C) sends an authenticator to the TGS to identify itself (as in simplified Kerberos). (Message 3)

Kerberos Protocol Version V 1993

  • Messages 4 and 5 are similar to Messages 2 and 3 respectively.

  • Most widely implemented protocol.

  • Implemented in Distributed Computing Environment (DCE) security service and SESAME (A Secure European System for Application in a Multi-vendor Environment).

References

  • “Distributed Operating Systems and Algorithms” by Randy Chow and Theodore Johnson

  • On the design of authentication protocols for third

  • Clifford Neuman. The Kerberos Network Authentication Service (V5). Internet Draft ietf-cat-kerb-kerberos-revision-04.txt, June 1999

  • [March 29, 2007]

  • [April 2, 2007]

  • [April 8, 2007]