Kerberos

Guilin Wang

School of Computer Science

03 Dec. 2007

Outline

■ Password-based key agreement protocols (continuing our last lecture).

■ Kerberos authentication protocol.

0. Password-based Protocols

■ In the NS (Needham-Schroeder) protocol, both parties need to share long-term secrets with the server. For humans, long secret keys are not easy to memorize.

■ One naïve approach is to use passwords as the long-term secrets.

■ For example, let K_bs = P_bs, a password shared between B and S, in the NS protocol.

■ However, this approach suffers from an off-line dictionary attack.

■ That is, an attacker can try each possible P’ to decrypt E_Pbs(K, A). If

P’ is likely the correct password.

■ The off-line dictionary attack works because passwords are short strings with low entropy.

■ Countermeasures:

- Enhance the strength of passwords by requiring a certain length, format, and randomness.

- Combine the password with a security token.

The following Encrypted Key Exchange (EKE) protocol can resist the off-line dictionary attack:

■ PK is an ephemeral public key generated by A.

■ B transfers K to A by using double encryptions.

■ Why is the EKE protocol immune to the off-line dictionary attack?
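To make the question concrete, here is an added toy model (not from the lecture) of the check an eavesdropper could run offline against the two ciphertexts: in the password variant of NS the plaintext (K, A) carries the recognisable identity A, whereas in EKE it is an ephemeral public key that looks uniformly random under every candidate password. The stream cipher, the 32-byte public-key encoding and the sample dictionary are assumptions of this example.

```python
import hashlib, json

def pw_xor(password: bytes, data: bytes) -> bytes:
    """Toy password-keyed stream cipher (SHA-256 in counter mode, XOR). It is
    deliberately unauthenticated: a MAC or AEAD tag under the password would by
    itself tell a guesser whether P' is right."""
    ks = b"".join(hashlib.sha256(password + i.to_bytes(4, "big")).digest()
                  for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, ks))

def ns_message(password: bytes, K: bytes, A: str) -> bytes:
    """E_Pbs(K, A) from the password variant of NS: the plaintext names A, so a
    decryption under the right password is recognisable (assumed JSON encoding)."""
    return pw_xor(password, json.dumps({"K": K.hex(), "A": A}).encode())

def eke_message(password: bytes, PK: bytes) -> bytes:
    """E_P(PK) from EKE: the plaintext is an ephemeral public key, assumed here to
    be a 32-byte X25519-style key, i.e. every 32-byte string is a valid key."""
    return pw_xor(password, PK)

def looks_like_ns_plaintext(pt: bytes, A: str = "alice") -> bool:
    try:
        return json.loads(pt)["A"] == A
    except (ValueError, KeyError, TypeError):
        return False

def looks_like_public_key(pt: bytes) -> bool:
    return len(pt) == 32

def candidates_not_ruled_out(ct: bytes, dictionary: list, plausible) -> list:
    """Decrypt ct under each dictionary word P' and keep those whose plaintext
    passes the plausibility check. The ciphertext leaks exactly as much about the
    password as this list shrinks."""
    return [p for p in dictionary if plausible(pw_xor(p, ct))]

SAMPLE_DICTIONARY = [b"123456", b"password", b"letmein", b"hunter2", b"qwerty"]

def compare() -> tuple:
    """Constructed inputs: B's password is 'hunter2'; K and PK are fixed sample bytes."""
    ns_ct = ns_message(b"hunter2", bytes(range(16)), "alice")
    eke_ct = eke_message(b"hunter2", bytes(range(32)))
    return (candidates_not_ruled_out(ns_ct, SAMPLE_DICTIONARY, looks_like_ns_plaintext),
            candidates_not_ruled_out(eke_ct, SAMPLE_DICTIONARY, looks_like_public_key))
```

The NS-style ciphertext narrows the dictionary to the single true password, while the EKE-style ciphertext leaves every candidate equally plausible; in practice this relies on the public-key encoding being indistinguishable from random bytes, since keys with visible structure would let a guesser rule candidates out.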

1. Authentication & Key Exchange

■ The purpose of entity authentication is to prevent impersonation attacks.

■ Authentication is important in key exchange. E.g., the Diffie-Hellman (DH) protocol suffers from the man-in-the-middle (MITM) attack.

■ Actually, key exchange techniques can also be used to realize authentication. Kerberos is such an example.

■ In the literature, the distinction between authentication and key exchange is sometimes not very clear.

■ Key exchange usually requires authentication. Otherwise, you are not sure with whom you are agreeing on a session key.

■ However, authentication does not necessarily involve key exchange.

■ For example, a successful authentication can enable a client to enjoy a service without encryption.

2. Kerberos: What is it?

■ In Greek mythology, Kerberos is the guardian of Hades, a dog with three heads.

■ In the security community, Kerberos denotes the distributed authentication protocol developed in MIT's Project Athena in the 1980s.

■ Kerberos has been widely accepted in industry.

■ Kerberos has been integrated into Windows and many versions of Unix.

■ The full specification of Kerberos Version 5 is given in RFC 1510, a draft Internet Standard.

■ Free source code for the different releases of Kerberos is available from the Kerberos website:

2. Kerberos: Motivations

In a distributed network of this kind, there are at least three threats:

■ User impersonation:

A dishonest user may pretend to be another user on the same workstation.

■ Network address impersonation:

A dishonest user may change the network address of his/her workstation to impersonate another workstation.

■ Eavesdropping, replay attacks, and so on.

Attackers may try their best to gain access to network services by mounting such attacks.

2.1 Kerberos: Basic Ideas

Kerberos uses symmetric-key mechanisms to realize entity authentication and key exchange. Basically, Kerberos uses two kinds of credentials:

■ Tickets:

Issued by a trusted administration server; a ticket shows who is granted access to a specific service.

■ Authenticators:

Used to prove the identity of a communicating client.

This is similar to the following immigration policy, which allows a foreigner to enter a country:

■ Visa (= tickets in Kerberos):

Specifies who is allowed to enter the country and for how many days.

■ Passport (= authenticators in Kerberos):

Shows your identity, i.e., who you are.

In a Kerberos system, there are three kinds of servers:

■ Kerberos authentication server (AS):

A centralized, trusted authentication server for the whole system, which issues long-lifetime tickets.

■ Ticket-granting servers (TGS):

Issue short-lifetime tickets.

■ Service servers S:

Provide the actual services.

2.2 The Protocol

Kerberos (Version 5) can be divided into three procedures from the viewpoint of a client:

■ obtaining ticket-granting ticket,

■ obtaining service ticket, and

■ obtaining a concrete service.

We now discuss the details.

Obtaining the ticket-granting ticket:

■ K_c is derived from the client’s password, which is shared with the AS.

■ K_tgs is a secret key shared between the AS and the TGS.

■ K_1 is a session key that enables the client to authenticate itself to the TGS.

Obtaining a service ticket:

■ A_1 is an authenticator computed using K_1.

■ K_2 is a session key that enables the client to authenticate itself to the server S.

■ K_s is a secret key shared between the TGS and a server S.

Obtaining the service:

■ A_2 is an authenticator computed using K_2.

■ K_3 is a session key for the subsequent secure communication.

■ The server S authenticates itself to the client in step 6.
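The three exchanges as an in-process simulation, added here and not taken from the slides: a toy encrypt-then-MAC stands in for Kerberos's encryption, and the ticket and reply fields (client name, key, expiry, echoed timestamp) are assumptions of this example; checking the authenticator's timestamp against the server's clock is left out.

```python
import hashlib, hmac, json, os, time

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range((n + 31) // 32))[:n]

def enc(key: bytes, obj: dict) -> bytes:
    """Toy encrypt-then-MAC (SHA-256 keystream + HMAC tag); illustration only."""
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def dec(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def kerberos_flow(password: bytes = b"alice-password", client: str = "alice") -> tuple:
    """Run the three exchanges in one process; returns (server's K_3, client's K_3)."""
    now = time.time()
    K_c = hashlib.sha256(password).digest()       # client/AS key derived from the password
    K_tgs, K_s = os.urandom(32), os.urandom(32)   # AS<->TGS and TGS<->S long-term keys
    # Steps 1-2: C -> AS: (C, TGS);  AS -> C: E_Kc(K_1, TGT), TGT = E_Ktgs(C, K_1, expiry)
    K_1 = os.urandom(32)
    tgt = enc(K_tgs, {"c": client, "k": K_1.hex(), "exp": now + 8 * 3600})
    m2 = dec(K_c, enc(K_c, {"k1": K_1.hex(), "tgt": tgt.hex()}))  # only the password holder can read this
    K_1c = bytes.fromhex(m2["k1"])
    # Steps 3-4: C -> TGS: (TGT, A_1 = E_K1(C, ts), S);  TGS -> C: E_K1(K_2, ST), ST = E_Ks(C, K_2, expiry)
    A_1 = enc(K_1c, {"c": client, "ts": now})
    t = dec(K_tgs, bytes.fromhex(m2["tgt"]))       # TGS opens the ticket with K_tgs ...
    a1 = dec(bytes.fromhex(t["k"]), A_1)           # ... and checks A_1 under the K_1 found inside
    if a1["c"] != t["c"] or now > t["exp"]:
        raise ValueError("TGS: authenticator does not match ticket")
    K_2 = os.urandom(32)
    st = enc(K_s, {"c": client, "k": K_2.hex(), "exp": now + 3600})
    m4 = dec(K_1c, enc(bytes.fromhex(t["k"]), {"k2": K_2.hex(), "st": st.hex()}))
    K_2c = bytes.fromhex(m4["k2"])
    # Steps 5-6: C -> S: (ST, A_2 = E_K2(C, ts));  S -> C: E_K2(ts, K_3), which proves S knows K_2
    A_2 = enc(K_2c, {"c": client, "ts": now})
    s = dec(K_s, bytes.fromhex(m4["st"]))
    a2 = dec(bytes.fromhex(s["k"]), A_2)
    if a2["c"] != s["c"] or now > s["exp"]:
        raise ValueError("S: authenticator does not match ticket")
    K_3 = os.urandom(32)
    m6 = dec(K_2c, enc(bytes.fromhex(s["k"]), {"ts": a2["ts"], "k3": K_3.hex()}))
    if m6["ts"] != now:                            # client: the echoed timestamp must be its own
        raise ValueError("client: server failed to prove knowledge of K_2")
    return K_3.hex(), m6["k3"]
```

Note that the client never sees K_tgs or K_s: each ticket is opaque to it and is only opened by the server it is addressed to.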

2.3 Kerberos: Its Limitations

■ Single Point of Failure: If the AS is down, no user can access any resources. So Kerberos is prone to denial-of-service (DoS) attacks.

- Duplicated AS? Possible, but not easy to maintain.

■ Clock Synchronization is needed, since timestamps are used. What is a reasonable tolerance for clock skew?

- Too short: Many valid requests are rejected.

- Too long: Exposure to replay attacks.
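An added example (not from the slides) of the server-side check behind this trade-off: an authenticator is accepted only if its timestamp lies within max_skew of the server's clock, and a replay cache remembers accepted authenticators until the skew window would reject them anyway. The scenario values (a client clock 30 s fast, a replay 10 minutes later) are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class AuthenticatorCheck:
    """Server-side acceptance of a decrypted authenticator (client name, timestamp).
    max_skew bounds the tolerated clock drift; use_cache enables the replay cache
    that remembers accepted authenticators while the skew window still admits them."""
    max_skew: float = 300.0          # seconds; MIT Kerberos defaults to 5 minutes
    use_cache: bool = True
    seen: dict = field(default_factory=dict)   # (client, ts) -> time the entry can be dropped

    def accept(self, client: str, ts: float, now: float) -> str:
        for key, drop_at in list(self.seen.items()):   # expire cache entries no longer needed
            if drop_at <= now:
                del self.seen[key]
        if abs(now - ts) > self.max_skew:
            return "rejected: clock skew"
        if self.use_cache:
            if (client, ts) in self.seen:
                return "rejected: replay"
            self.seen[(client, ts)] = ts + self.max_skew
        return "accepted"

def skew_tradeoff() -> dict:
    """Constructed scenario: an honest client whose clock runs 30 s fast, and an
    eavesdropper who replays that client's authenticator 10 minutes later."""
    t0 = 1_700_000_000.0            # arbitrary server time (constructed)
    honest_ts = t0 + 30             # client clock is 30 s ahead of the server
    out = {}
    short = AuthenticatorCheck(max_skew=5)
    out["short_window_honest"] = short.accept("alice", honest_ts, t0)
    long_nocache = AuthenticatorCheck(max_skew=3600, use_cache=False)
    long_nocache.accept("alice", honest_ts, t0)
    out["long_window_no_cache_replay"] = long_nocache.accept("alice", honest_ts, t0 + 600)
    long_cache = AuthenticatorCheck(max_skew=3600)
    long_cache.accept("alice", honest_ts, t0)
    out["long_window_cache_replay"] = long_cache.accept("alice", honest_ts, t0 + 600)
    default = AuthenticatorCheck()
    default.accept("alice", honest_ts, t0)
    out["default_replay_after_window"] = default.accept("alice", honest_ts, t0 + 600)
    return out
```

A tight window turns away the honest but slightly fast client, a wide window without a replay cache admits the replayed authenticator, and the cache is what lets a wider window stay safe; the cache must be shared across replicas of a service for that to hold.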

■ Limited Scalability: Usually, an AS can support hundreds of thousands of users. This is suitable for a university but not for the Internet, where PKIs with digital certificates are better.

■ Off-line Password Attacks: Kerberos is vulnerable to this kind of attack, since a message is encrypted with a key derived from the client's password.

3. Summary

■ Introduced the off-line dictionary attack.

■ Briefly discussed the relation between entity authentication and key exchange.

■ Reviewed a practice-oriented authentication protocol: Kerberos.

- Basic ideas

- Technical mechanisms

- Limitations