Internet security and privacy 2G1704 Johan Montelius

Internet security and privacy

Key Distribution Center / Kerberos

The problem

KDC key distribution center

• If every node in a network needs complete knowledge of all other nodes and all other users, administering the network becomes a problem.

• Use one centrally managed node to store information about all users in the network. Let this node distribute keys, for secure communication, on request by a user.

KDC problems

• How can Alice authenticate to the KDC?

• How can the KDC assure Bob that Alice is trustworthy?

• How can Alice and Bob communicate in privacy?

KDC first try

Participants: Alice, KDC, Bob

Alice → KDC: Alice to Bob

KDC → Alice: KAlice{use KAB}

KDC → Bob: KBob{Alice / KAB}

Alice → Bob: I'm Alice

KAB: shared secret

KDC second try

Participants: Alice, KDC, Bob

Alice → KDC: Alice to Bob

KDC → Alice: KAlice{use KAB}, KBob{Alice / KAB}

Alice → Bob: I'm Alice, KBob{Alice / KAB}

KAB: shared secret

KBob{Alice / KAB}: a ticket to Bob

How does Alice know who she's talking to?

KDC Needham-Schroeder

Participants: Alice, KDC, Bob

Alice → KDC: N1, Alice to Bob

KDC → Alice: KAlice{N1, “Bob”, KAB, ticket}

Alice → Bob: I'm Alice, ticket, KAB{N2}

Bob → Alice: KAB{N2-1, N3}

Alice → Bob: KAB{N3-1}

KAB: shared secret

What if....

• Trudy records a session and stores the reply from the KDC: < KAlice{N1, “Bob”, KAB, ticket} >.

• At a later point she captures KAlice. Alice changes her key and the KDC is updated, but Bob is of course not informed.

Trudy → Bob: I'm Alice, KBob{Alice/KAB}, KAB{N2}

KDC Extended Needham-Schroeder

Participants: Alice, KDC, Bob

Alice → Bob: I'm Alice

Bob → Alice: KBob{NB}

Alice → KDC: N1, Alice to Bob, KBob{NB}

KDC → Alice: KAlice{N1, “Bob”, KAB, ticket}

ticket = KBob{KAB, Alice, NB}

Alice → Bob: I'm Alice, ticket, KAB{N2}

etc

Extended Needham-Schroeder

• Solves the replay problem by forcing Alice to prove that she has access to the most recent key.

• The price is two extra messages where Alice receives a nonce from Bob before contacting the KDC.

• Can we replace the challenge response with something else?

KDC Kerberos

Participants: Alice, KDC, Bob

Alice → KDC: N1, Alice to Bob

KDC → Alice: KAlice{N1, Bob, KAB, ticket}

ticket = KBob{KAB, Alice, exp. time}

Alice → Bob: I'm Alice, ticket, KAB{timestamp}

Bob → Alice: KAB{timestamp+1}
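
The Kerberos exchange on this slide as a runnable sketch (an added example, not code from the lecture). `seal`/`unseal` are a toy stand-in for the K{...} notation; the key database, the 300-second ticket lifetime and the 60-second timestamp window are assumptions.

```python
import hashlib, hmac, json, os

def _xor_stream(key, nonce, data):          # toy SHA-256 keystream, stand-in for DES
    ks = b"".join(hashlib.sha256(key + nonce + bytes([i])).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def seal(key, fields):                      # models K{fields}
    nonce = os.urandom(8)
    ct = _xor_stream(key, nonce, json.dumps(fields).encode())
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:8], blob[8:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or modified message")
    return json.loads(_xor_stream(key, nonce, ct))

KDC_DB = {"Alice": os.urandom(16), "Bob": os.urandom(16)}   # constructed master keys

def kdc_reply(n1, client, server, now, lifetime=300):
    # KDC -> Alice: KAlice{N1, Bob, KAB, ticket}; ticket = KBob{KAB, Alice, exp. time}
    kab = os.urandom(16).hex()
    ticket = seal(KDC_DB[server], {"kab": kab, "client": client, "exp": now + lifetime})
    reply = {"n1": n1, "server": server, "kab": kab, "ticket": ticket.hex()}
    return seal(KDC_DB[client], reply)

def bob_accept(ticket, authenticator, now, skew=60):
    # Alice -> Bob: ticket, KAB{timestamp}; Bob -> Alice: KAB{timestamp+1}
    t = unseal(KDC_DB["Bob"], ticket)
    if now > t["exp"]:
        raise ValueError("ticket expired")
    kab = bytes.fromhex(t["kab"])
    ts = unseal(kab, authenticator)["timestamp"]
    if abs(now - ts) > skew:                # assumed freshness window, not on the slide
        raise ValueError("stale timestamp")
    return t["client"], seal(kab, {"timestamp": ts + 1})

def demo(now=1_000_000):
    reply = unseal(KDC_DB["Alice"], kdc_reply(42, "Alice", "Bob", now))
    kab, ticket = bytes.fromhex(reply["kab"]), bytes.fromhex(reply["ticket"])
    auth = seal(kab, {"timestamp": now})
    who, answer = bob_accept(ticket, auth, now)
    mutual = unseal(kab, answer)["timestamp"] == now + 1   # Bob proved he holds KAB
    try:                                    # recorded message replayed an hour later
        bob_accept(ticket, auth, now + 3600)
        return who, mutual, "accepted"
    except ValueError as err:
        return who, mutual, str(err)
```

The expiry time inside the ticket is what lets Bob reject an old recording without the extra nonce round trip of the extended Needham-Schroeder variant.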

Kerberos

• A dog with three heads guarding the entrance to Hades.

• Developed by MIT

– v4 standardized in the late 1980s

– v5 in 1992 (v4 still in use)

• Widely used not only in the Unix world:

– Windows 2000/XP

– Web single-sign-on such as Passport

The dog

Kerberos v4

• The KDC (Kerberos server, Authentication server, Ticket granting Server) holds a database with entries:

– principal (user) name

– master key (encrypted with KDC master key)

• There is no runtime state that has to be updated so the database can be distributed to other KDC servers.

• All encryption is done using DES (v4).

Kerberos v4 TGT (ticket granting ticket)

Participants: Alice, KDC

Alice → KDC: AS-REQ: Alice

KDC → Alice: AS-REP: KAlice{SAlice, TGT}

TGT = KKDC{Alice, SAlice, exp. ...}

The ticket granting ticket (TGT) holds the new session key. The KDC therefore need not store this information locally, i.e. no state!

The password of Alice is only needed to decrypt the AS-REP reply.

After initial handshake

• Alice has received the session key that she will use in all communication with the KDC during this session.

• The ticket granting ticket (TGT) must be used when communicating with the KDC since the KDC does not have a copy of the session key.

• Did you notice how easy it was to get information from the KDC?

Kerberos v4 remote access

Participants: Alice, KDC, Bob

Alice → KDC: TGS-REQ: Alice to Bob, TGT, SA{T}

KDC → Alice: TGS-REP: SA{Bob, KAB, ticket}

ticket = KBob{KAB, Alice, exp. time}

Alice → Bob: I'm Alice, ticket, KAB{T}

Bob → Alice: KAB{T+1}

Kerberos Realms

• A network of nodes (principals) constitute a realm. Each realm has one (possibly distributed) KDC with one database of principals and master keys.

• How can we make two realms collaborate? Could we let a user in one realm be authenticated in another realm?

Inter-realm authentication

Participants: Alice, Wndl KDC, Oz KDC

Alice → Wndl KDC: Alice@Wndl Oz@Wndl TGT, SA{T}

Wndl KDC → Alice: SA{Oz@Wndl, KAO, ticket}

ticket = KOz{KAO, Alice@Wndl, exp. time}

Alice → Oz KDC: Alice@Wndl Doroty@Oz, ticket, KAO{T}

Oz KDC → Alice: KAO{Doroty@Oz, KAD, ticket}

ticket = KDoroty{KAD, Alice@Wndl, exp. time}

Cipher Block Chaining

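[Figure: CBC encryption. Each plaintext block m1 … mn is XORed (+) with the previous ciphertext block (the IV for m1) and encrypted with E(k), giving the ciphertext blocks c1 … cn.]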

Plaintext Cipher Block Chaining

[Figure: PCBC encryption, drawn with the same elements as the CBC figure: plaintext blocks m1 … mn, the IV, XOR (+) nodes, E(k), and ciphertext blocks c1 … cn.]

PCBC

• If the cipher text is modified the decrypted plaintext will be garbage.

• A recognizable end is added to each message so that the receiver can identify correct messages.

• Offers weak integrity.

• Method was replaced in v5.
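
Why the recognizable-end check is only weak integrity, as an added example (not from the lecture): a modified block garbles everything after it, but two swapped ciphertext blocks leave the later blocks, including the end marker, intact. The 4-round Feistel cipher is a toy stand-in for DES, and the key, blocks and `END` marker are constructed.

```python
import hashlib

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key, half, i):
    return hashlib.sha256(key + bytes([i]) + half).digest()[:4]

def E(key, block):
    # Toy 64-bit Feistel cipher standing in for DES (illustration only, not secure)
    l, r = block[:4], block[4:]
    for i in range(4):
        l, r = r, _xor(l, _round(key, r, i))
    return l + r

def D(key, block):
    l, r = block[:4], block[4:]
    for i in reversed(range(4)):
        l, r = _xor(r, _round(key, l, i)), l
    return l + r

def pcbc_encrypt(key, iv, blocks):
    chain, out = iv, []
    for m in blocks:
        out.append(E(key, _xor(m, chain)))
        chain = _xor(m, out[-1])             # next block is masked with m_i XOR c_i
    return out

def pcbc_decrypt(key, iv, blocks):
    chain, out = iv, []
    for c in blocks:
        out.append(_xor(D(key, c), chain))
        chain = _xor(out[-1], c)
    return out

END = b"ENDOFMSG"                            # constructed "recognizable end" block

def receiver_accepts(key, iv, blocks):
    return pcbc_decrypt(key, iv, blocks)[-1] == END

def demo():
    key, iv = b"constructed-key", bytes(8)
    msg = [b"block-01", b"block-02", b"block-03", b"block-04", END]
    ct = pcbc_encrypt(key, iv, msg)
    flipped = ct[:1] + [_xor(ct[1], b"\x01" + bytes(7))] + ct[2:]   # one bit changed
    swapped = [ct[0], ct[2], ct[1], ct[3], ct[4]]                   # two blocks exchanged
    return (receiver_accepts(key, iv, ct), receiver_accepts(key, iv, flipped),
            receiver_accepts(key, iv, swapped), pcbc_decrypt(key, iv, swapped)[3] == msg[3])
```

`demo()` shows the intact and the swapped ciphertext both passing the end-marker check, while the bit-flipped one fails it; a keyed checksum over the whole message is what detects the swap.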

Integrity only

• Kerberos v4 offers a weak mode of integrity only.

• A checksum is computed using the session key concatenated with the plaintext.

• In a known plaintext attack Eve can possibly work backwards and retrieve the session key.

• Method replaced in v5.

Network address

• Each message will contain the address (4 bytes e.g. IP address) of the sender. This way the receiver can check that the message comes from the right network node.

• Small address space.

• Problems with NAT.

• Problems when delegating rights.

• Why mix the network layer into the encryption layer?

Kerberos v5

• Solves many of the problems with v4.

• More flexible when it comes to

– addressing,

– selection of cipher algorithms,

– delegation of rights

• Message format is based on ASN.1 (Abstract Syntax Notation One).

• Kerberos v4 is still widely used.

ASN.1 Abstract Syntax Notation

    HostAddress ::= SEQUENCE {
        addr-type[0] INTEGER,
        address[1] OCTET STRING
    }

Clear specification of the message structure without going into details of how things are coded.

The ASN.1 specification is translated to a message using Basic Encoding Rules (BER).

ASN.1 Abstract Syntax Notation

    HostAddress ::= SEQUENCE {
        addr-type[0] INTEGER,
        address[1] OCTET STRING
    }

One byte is needed to encode that it is a sequence and one byte to encode the length, addr-type requires 5 bytes to code one byte of type information, and address requires 4 bytes of overhead.

A 4 byte IP address requires 15 bytes!

ASN.1 Abstract Syntax Notation

    HostAddress ::= SEQUENCE {
        addr-type[0] IMPLICIT INTEGER,
        address[1] IMPLICIT OCTET STRING
    }

    HostAddress ::= CHOICE {
        ip_address[0] IMPLICIT OCTET STRING,
        ipx_address[1] IMPLICIT OCTET STRING,
        :
    }
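
The byte counts from these slides, reproduced with a minimal BER encoder (an added example, not from the lecture). It encodes the three HostAddress definitions for a constructed IPv4 address and includes a strict reader for the 15-byte form; addr-type 2 for IPv4 and all function names are assumptions of the example.

```python
SEQUENCE, INTEGER, OCTET_STRING = 0x30, 0x02, 0x04

def tlv(tag, content):
    # One BER element: tag byte, short-form length byte, content
    if len(content) >= 128:
        raise ValueError("short-form length only")
    return bytes([tag, len(content)]) + content

def context(n, constructed):
    # Context-specific tag [n]; bit 0x20 marks a constructed (wrapping) element
    return 0x80 | (0x20 if constructed else 0) | n

def host_address_explicit(addr_type, address):
    # addr-type[0] INTEGER, address[1] OCTET STRING: each [n] wraps a full inner TLV
    return tlv(SEQUENCE,
               tlv(context(0, True), tlv(INTEGER, bytes([addr_type]))) +
               tlv(context(1, True), tlv(OCTET_STRING, address)))

def host_address_implicit(addr_type, address):
    # [n] IMPLICIT replaces the universal tag instead of wrapping it
    return tlv(SEQUENCE,
               tlv(context(0, False), bytes([addr_type])) +
               tlv(context(1, False), address))

def host_address_choice(address):
    # CHOICE { ip_address[0] IMPLICIT OCTET STRING, ... }: the tag names the address type
    return tlv(context(0, False), address)

def decode_explicit(blob):
    # Strict reader for the explicit form: exact tags, exact lengths, no trailing bytes
    def take(buf, tag):
        if len(buf) < 2 or buf[0] != tag or buf[1] >= 128 or len(buf) < 2 + buf[1]:
            raise ValueError(f"expected tag {tag:#x}")
        return buf[2:2 + buf[1]], buf[2 + buf[1]:]
    body, rest = take(blob, SEQUENCE)
    f0, body = take(body, context(0, True))
    f1, body = take(body, context(1, True))
    (num, r0), (addr, r1) = take(f0, INTEGER), take(f1, OCTET_STRING)
    if rest or body or r0 or r1 or len(num) != 1:
        raise ValueError("trailing or malformed data")
    return num[0], addr

IP = bytes([192, 0, 2, 1])                   # constructed sample address

def sizes():
    return (len(host_address_explicit(2, IP)), len(host_address_implicit(2, IP)),
            len(host_address_choice(IP)))
```

`sizes()` gives 15, 11 and 6 bytes for the same 4-byte address: the untagged-as-IMPLICIT form pays 4 bytes of wrapping per field, which is the overhead the slide counts.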

Delegation of rights

• Alice cannot delegate rights to Bob by sending him her session key (not very smart) or by sending him TGTs (will not work since they contain the network address).

• Alice can ask for a TGT with another (or no) network address. This TGT can be used by Bob.

• Alice can ask for individual tickets to specific services and send them to Bob.

• How about expiration time?

expiration time

• Expiration time in Kerberos v4 is limited to 21h (four bytes, 5min resolution).

• In Kerberos v5 this is almost without limit.

• Not a good idea to give tickets with very long expiration time:

– start time

– end time

– authentication time (when was ticket issued)

– renew till (for how long can we renew)

Cipher algorithms

• Encryption uses one of several algorithms, indicated by a type field. If one algorithm is broken, it can be removed from the system.

• Integrity-only protection is provided by message digest functions: MD5-DES

Integrity MD5/DES

[Figure: integrity with MD5/DES]

confounder (64b) + message → MD5 → MD5 digest (128b)

confounder (64b) + MD5 digest (128b) → DES in CBC mode, IV = 0, using modified shared secret → MAC (192b)

Privacy and Integrity

[Figure: privacy and integrity]

confounder (64b) | 000.. (place for MD) | message → MD5/4 or CRC32 → MD

confounder (64b) | MD | message

confounder (64b) | MD | message | padding → DES in CBC mode, IV = 0