chapter 8 5 authentication and key distribution l.
Download
Skip this Video
Loading SlideShow in 5 Seconds..
Chapter 8.5 AUTHENTICATION AND KEY DISTRIBUTION PowerPoint Presentation
Download Presentation
Chapter 8.5 AUTHENTICATION AND KEY DISTRIBUTION

Loading in 2 Seconds...

play fullscreen
1 / 22

Chapter 8.5 AUTHENTICATION AND KEY DISTRIBUTION - PowerPoint PPT Presentation


  • 319 Views
  • Uploaded on

Chapter 8.5 AUTHENTICATION AND KEY DISTRIBUTION. Prepared by: Karthik V Puttaparthi kputtaparthi1@student.gsu.edu. OUTLINE. Overview Protocols and Communication Services Design of Authentication Protocols Needham-Schroeder Protocol

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'Chapter 8.5 AUTHENTICATION AND KEY DISTRIBUTION' - Antony


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
chapter 8 5 authentication and key distribution

Chapter 8.5AUTHENTICATION AND KEY DISTRIBUTION

Prepared by:

Karthik V Puttaparthi

kputtaparthi1@student.gsu.edu

outline
OUTLINE
  • Overview
  • Protocols and Communication Services
  • Design of Authentication Protocols
  • Needham-Schroeder Protocol
  • Denning-Sacco Protocol
  • Kerberos Protocol
  • Kerberos Protocol Version V
  • References
protocols and communication services
PROTOCOLS AND COMMUNICATION SERVICES
  • Authentication is the process of verifying the identity of an object entity.
  • Password verification is a simple example of one-way user identification.
  • In a distributed environment, there is a greater need to authenticate the machine the user connects to as well.
  • This type of mutual authentication is even more important for communication between autonomous principals under different administrative authorities in a client/server distributed environment.
protocols and communication services4
PROTOCOLS AND COMMUNICATION SERVICES

Messages being exchanged must also be authenticated such that they are free of forgery, counterfeiting and repudiation.

  • Forgery could occur when a communication key is compromised.
  • A counterfeit is the replay of a secret message in the context of communication.
  • Repudiation is the denial of sending what seems to be an authenticated message.
protocols and communication services5
PROTOCOLS AND COMMUNICATION SERVICES
  • For message authenticity, an irreproducible secret message digest can be used to sign the message.
  • Secrecy of information can be accomplished by encryption using secret keys.
design of authentication protocols
Design of Authentication Protocols

ConnectionConnectionless

Peer processes

Client / Server

  • Authentication protocols are all about distribution and management of secret keys.
  • Key distribution in a distributed environment is an implementation of distributed authentication protocols.
design of authentication protocols7
Design of Authentication Protocols
  • Design of distributed authentication protocols depends on underlying communication service, i.e. connectionless or connection-oriented.
  • Most distributed applications follow Client/Server programming paradigm and Client/Server interaction is viewed as request / reply communication.
  • Session key can also be used for Client / Server communication. Conceptually similar with tickets.
  • A ticket is a signed certificate that contains information for authenticating the client.
  • Kerberos Protocol was the first one to use the ticket notion.
design of authentication protocols8
Design of Authentication Protocols
  • All protocols assume that some secret information is held initially by each principal.
  • Authentication is achieved by one principal demonstrating the other that it holds that secret information.
  • All protocols assume that system environment is very insecure and is open for attack.
design of authentication protocols9
Design of Authentication Protocols
  • Message received by a principal must have its origin authenticity, integrity and freshness verified.
  • To achieve these goals, most protocols need to rely on an authentication server.
  • Authentication server delivers good quality session keys to requesting principals securely.
design of authentication protocols10
Design of Authentication Protocols
  • Protocol are divided into two categories to verify the freshness of a message.
  • First category uses nonce and challenge/ response handshake to verify freshness.
  • Second category uses timestamps and assumes that all machines in distributed system are clock-synchronized.
needham schroeder protocol 1978
Needham-Schroeder Protocol (1978)
  • First to use the encryption techniques for authentication and key distribution.
  • Five Steps…
  • A->S : A, B, Na
  • S->A: {Na, B, Kab, {A, Kab}Kbs}Kas
  • A->B: {A, Kab}Kbs
  • B->A: {Nb}Kab
  • A->B: {Nb - 1}Kab
  • A contacts S which returns a session key and certificate encrypted with Kbs.
  • B decrypts it and does a nonce handshake with A assure the freshness.
  • Subtracting 1 from Nb in last message ensures that its not a replay of the previous message from B to A.
needham schroeder protocol 197812
Needham-Schroeder Protocol (1978)
  • Five Steps…
  • A->S : A, B, Na
  • S->A: {Na, B, Kab, {A, Kab}Kbs}Kas
  • A->B: {A, Kab}Kbs
  • B->A: {Nb}Kab
  • A->B: {Nb - 1}Kab
  • Denning and Sacco found a drawback.
  • If session key between A and B is compromised, an intruder can impersonate A by carrying out last 3 steps.
  • Needham-Schroeder responded by requiring A to obtain another nonce from B before it contacts S and requiring S to put this nonce into certificate to be forwarded to B.
denning sacco protocol 1981
Denning-Sacco Protocol (1981)
  • Uses timestamps rather than nonce to guarantee message freshness.
  • A->S: A, B
  • S->A: {B, Kab,Ts{A, Kab, Ts}Kbs}Kas
  • A->B: {A, Kab, Ts}Kbs

A and B can verify the message freshness by checking:

Clock–T < Δt1 + Δt2

denning sacco protocol 198114
Denning-Sacco Protocol (1981)
  • Clock is the local clock time. Δt1 is normal discrepancy between server’s clock and local clock. Δt2 is expected network delay.
  • So long Δt1 + Δt2 is less than the interval between two contiguous authentication sessions, message freshness is guaranteed.
  • Denning-Sacco has better performance than Needham-Schroeder as it eliminates message handshake.
  • But drawback is that all machines must be clock-synchronized with authentication server.
kerberos protocol 1980
Kerberos Protocol (1980)
  • As a part of project Athena at MIT, Kerberos is one of the most promising implementation of authentication service.
  • Based on Needham-Schroeder but also uses timestamps suggested by Denning-Sacco.
  • Authentication service is divided on two servers: Kerberos Server and Ticket Granting Server (TGS).
kerberos protocol 198016
Kerberos Protocol (1980)
  • Simplified version of Kerberos that treats Kerberos server and TGS as single entity S.

1. A->S: A, B

2. S->A: {Kab, Ticketab}Kas

Where Ticketab = {B, A, addr, Ts, L, Kab}Kbs

3. A->B: Authenticatorab, Ticketab

Where Authenticatorab = {A, addr, Ta}Kab

4. B->A: {Ta + 1}Kab

  • A sends its own identity to S before it connect to B.
  • S responds with session key Kab and a ticket for B.
kerberos protocol 198017
Kerberos Protocol (1980)

1. A->S: A, B

2. S->A: {Kab, Ticketab}Kas

Where Ticketab = {B, A, addr, Ts, L, Kab}Kbs

3. A->B: Authenticatorab, Ticketab

Where Authenticatorab = {A, addr, Ta}Kab

4. B->A: {Ta + 1}Kab

  • Ticket contains identities of B and A, IP of A, timestamp Ts, lifetime L and a session key to identify A.
  • A now creates its own authenticator containing A’s identity, its IP and timestamp and sends it to B along with the B’s ticket.
  • B decrypts the ticket and authenticator, and compares two pieces of information.
kerberos protocol 198018
Kerberos Protocol (1980)
  • First, their identity and address information must match.
  • Second, discrepancy between time in authenticator and current local time must not exceed a predetermined value.
  • If these match, B authenticates the A’s identity and allows the service request to proceed.
  • Drawbacks of Kerberos were identified by Bellovin and Merritt.
  • Drawback includes difficulty in adapting to all environments, and the need for special purpose hardware.
  • To fix some of these problems, Kerberos has been upgraded to version V.
kerberos protocol version v cont
Kerberos Protocol Version V (cont…)
  • This protocol separates the authentication server S into Kerberos server (K) for authentication and Ticket Granting Server (G).
  • Client (C) first sends identity for itself and TGS to Authentication Server K. (Message 1)
  • Authentication Server K does the initial login and grants ticket for TGS. (Message 2)
  • Client (C) sends authenticator to TGS to identify itself (like simplified Kerberos). (Message 3)
kerberos protocol version v 199321
Kerberos Protocol Version V 1993
  • Message 4 and 5 are similar to Message 2 and 3 respectively.
  • Most widely implemented protocol.
  • Implemented in Distributed Computing Environment (DCE) security service and SESAME (A Secure European System for Application in a Multi-vendor Environment).
references
References
  • “Distributed Operating Systems and Algorithms” by Randy Chow and Theodore Johnson
  • On the design of authentication protocols for third generationieeexplore.ieee.org/iel5/8635/27371/01217358.pdf
  • Clifford Neumann. The Kerberos Network Authentication Service (V5). Internet Draft ietf-cat-kerb-kerberos-revision-04.txt, June 1999
  • http://en.wikipedia.org/wiki/Needham-Schroeder [March 29, 2007]
  • http://web.mit.edu/Kerberos/ [April 2, 2007]
  • http://en.wikipedia.org/wiki/Kerberos_%28protocol%29 [April 8, 2007]