Authentication of Kerberos and Wireless Communication
• Kerberos
• AMPS
• IS-95 : A-Key
• GSM
• DECT
• Bluetooth
• 802.11b
Kerberos
Abbreviations of Kerberos and Two Simple Types of Authentication Dialogue

Abbreviations:
• C = client
• AS = authentication server
• TGS = ticket-granting server
• V = server
• IDtgs = identifier of TGS
• IDC = identifier of user on C
• IDV = identifier of V
• PC = password of user on C
• ADC = network address of C
• KV = secret encryption key shared by AS and V

A Simple Authentication Dialogue
C → AS : IDC , PC , IDV
AS → C : Ticket
C → V : IDC , Ticket
Ticket = EKv [ IDC , ADC , IDV ]
(Diagram: C, AS and V; shared KV.)

A More Secure Authentication Dialogue
Once per user logon session:
C → AS : IDC , IDtgs
AS → C : EKc [ Tickettgs ]
Once per type of service:
C → TGS : IDC , IDV , Tickettgs
TGS → C : TicketV
Once per service session:
C → V : IDC , TicketV

1. PC : plaintext
2. Replay attack
3. PC : each time

Tickettgs = EKtgs [ IDC , ADC , IDtgs , TS1 , Lifetime1 ]
TicketV = EKv [ IDC , ADC , IDV , TS2 , Lifetime2 ]
Lifetime : short (user), long (replay)
(Diagram: C, AS, TGS and V; shared KC, shared Ktgs, shared KV.)
Overview of Kerberos
(Diagram: Kerberos Server, containing the Authentication Server (AS) and the Ticket-Granting Server (TGS); Client C; Server D; numbered messages 1 to 6.)
1. IDc , IDtgs , TS1
2. EKc [ Kc,tgs , IDtgs , TS2 , Lifetime2 , Tickettgs ]
   Tickettgs = EKtgs [ Kc,tgs , IDc , ADc , IDtgs , TS2 , Lifetime2 ]
3. IDv , Tickettgs , Authenticatorc
   Authenticatorc = EKc,tgs [ IDc , ADc , TS3 ]
4. EKc,tgs [ Kc,v , IDv , TS4 , Ticketv ]
   Ticketv = EKv [ Kc,v , IDc , ADc , IDv , TS4 , Lifetime4 ]
5. Ticketv , Authenticatorc
   Authenticatorc = EKc,v [ IDc , ADc , TS5 ]
6. EKc,v [ TS5 + 1 ]
How to Request Service in Another Realm
(Diagram: Realm A with the client and a Kerberos server (AS, TGS); Realm B with a Kerberos server (AS, TGS) and the server.)
1. Request ticket for local TGS.
2. Ticket for local TGS.
3. Request ticket for remote TGS.
4. Ticket for remote TGS.
5. Request ticket for remote server.
6. Ticket for remote server.
7. Request for remote service.
NOTE : If there are N realms then there must be N(N-1)/2 secure key exchanges so that each Kerberos realm can interoperate with all other Kerberos realms.
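Overall Architecture of Our Nation's E-Government Public Key Infrastructure
(Diagram labels: National Root; CA1, CA2, CA3; CA11, CA21, CA22, CA31, CA32; users (including natural persons and legal persons); Research, Development and Evaluation Commission, Ministry of Economic Affairs, Ministry of Transportation and Communications; certificate issuance (hierarchical); cross-certification; foreign government PKI Root; foreign enterprise PKI Root; PAA, PCA, SCA; NNCA; (CA belonging to a foreign government PKI, located in Taiwan).)
PAA : Policy Approval Authority
PCA : Policy Certificate Authority
SCA : Subordinate Certificate Authority
NNCA : National Network Certificate Authority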
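Security and Authentication in the AMPS Analog Mobile Phone System
• Mobile Identification Number (MIN) : 34 bits
• Serial Number of the handset : 32 bits (1) unique and unchangeable (2) manufacturer code assigned by the FCC
Phone number (decimal) → 34-bit mobile identification number
Serial number layout:
Bits 31–24 : manufacturer code (8)
Bits 23–18 : reserved (6)
Bits 17–0 : manufacturing serial number (18)
(Diagram: handset, Radio Path, MSC; Phone A and Phone B.)
On call setup the handset sends MIN + serial number.
An interceptor captures and decodes the MIN and serial number and makes a cloned phone.
The MSC checks them against its table of MINs and serial numbers.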
AMPS One Number, Multiple Phones (Cloned Phones), Current Situation and Countermeasures : IS-95 A-Key Authentication
(Diagram, same procedures on both sides: SSD_Generation Procedure with RANDSSD and A-Key, giving SSD_A_NEW and SSD_B_NEW; Auth_Signature Procedure with RANDBS and SSD_A_NEW; comparison AUTHBS = AUTHBS?)
Messages:
SSD Update Message (RANDSSD)
Base Station Challenge Order (RANDBS)
Base Station Challenge Confirmation Order (RANDBS)
SSD Update Confirmation Order (success) / SSD Update Rejection Order (failure)
A-Key : 64 bits, stored in the handset's permanent secure identification memory and in the system's authentication center.
SSD (Shared Secret Data) : SSD_A (64 bits) + SSD_B (64 bits); SSD_A : authentication / SSD_B : privacy.
CAVE (Cellular Authentication and Voice Encryption algorithm) function : the authentication algorithm, controlled under the U.S. International Traffic in Arms Regulations and export licensing regulations.
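Security and Authentication in the GSM Digital Mobile Phone System (GSM Rec. 02.09)
(Diagram: Network Side: HLR/AUC, VLR/MSC, BSS; Radio Path; MS (SIM+ME); security and authentication; (ciphertext) and (plaintext).)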
Cryptographic Functions A3, A8 and A5 in GSM Protocol
The components A3, A8, and A5:
• A3 : one-way function.
• A8 : one-way function.
• A5 : one-way encryption/decryption algorithm using Kc. A5/1: Western Europe, A5/2: other countries (GSM MoU is attempting to establish A5/2 as the global standard).
(Diagram. Authentication: Ki (128 bits), RAND (128 bits) → A3 → SRES (32 bits). Privacy: Ki, RAND → A8 → Kc (64 bits); Kc, TDMA Frame No. (22 bits) → A5/2; A5/2 output + Data Stream (114 bits) → Ciphertext (114 bits).)
• The repeated cycle of TDMA Frame No. is 3 hrs 28 min 53 sec 760 msec (Range: 0 to 2,715,647).
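Detailed Steps of Security and Authentication in the GSM Digital Mobile Phone System
(Diagram: HLR/AUC, VLR/MSC, MS (SIM+ME). The MS presents TMSI / IMSI. AUC Database: IMSI 1 → Ki 1, IMSI 2 → Ki 2, .... AUC RAND Gen. supplies RAND; A3 and A8 take RAND and Ki and give (RAND, SRES, Kc) sets, grouped by a brace marked 5. On the SIM card, A3 and A8 take RAND and Ki. Authentication: SRES ?= SRES. Encryption / decryption: A5 with Kc on both sides, between plaintext and ciphertext.)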
Mobile Equipment (ME) Identity Procedure in GSM System
(Diagram: EIR, VLR/MSC, MS (SIM+ME). Labels in order: TMSI; IMEI Request; IMEI; IMEI; Access/Barring.)
Eavesdropping and Unauthorized Use are Impossible with DECT : Privacy and Authentication
(Diagram: PP, Radio Path, Network Side: FP, VLR, HLR. Messages: ID; RS, RAND_F; RES. Functions A11 and A12 with K, RS, KS and RAND_F. Authentication: RES ?= RES. Privacy: Encryption Key, Ciphertext. Values shown between HLR and VLR: "RS, RAND_F, RES, KS"; "RS, KS"; "K".)

• easy
• security problem
• VLR : A11, A12

• similar to GSM
• VLR does not know K
• VLR : No need of A11 and A12

• VLR chooses RAND_F
• RS and KS can be reused
• VLR : A12
• Traffic between HLR and VLR can be reduced
Security Scheme of Bluetooth
Steps shown in the diagram, in order:
1. Generation of Unit Key (Unit A and Unit B)
2. Generation of Initialization Key
3. Authentication (Kinit)
4. Link Key Exchange
5. Authentication (KAB)
6. Generation of Encryption Key
7. Encrypted communication
Phases marked in the diagram: Unit A First Startup, Unit B First Startup; Unit – Unit First Handshake; Unit – Unit following handshakes.
Generation of Bluetooth Unit Key
Unit A: BD_ADDRA, RANDA → E21 → KA
Unit B: BD_ADDRB, RANDB → E21 → KB
This happens only the first time a unit is used (i.e. turned on), and the unit key is then saved into its non-volatile memory.
Generation of Bluetooth Initialization Key
Unit A: PIN, L, IN_RAND → E22 → Kinit
Unit B: PIN’, L’, IN_RAND → E22 → K’init
L = Length (PIN), L’ = Length (PIN’)
Unit A sends a random number IN_RAND to unit B, for both to generate the initialization key. Success of this step depends on PIN’ = PIN.
Authentication of Bluetooth
Unit A: BD_ADDRB, Klink, AU_RAND → E1 → SRES, ACO
Unit B: BD_ADDRB, K’link, AU_RAND → E1 → SRES’, ACO’
Exchanged between A and B: AU_RAND, SRES’, BD_ADDRB
Klink could be either Kinit or KAB, i.e. the temporary initialization key or the effective link key between A and B. Success of this step depends on K’link = Klink.
Link Key Exchange (Unit Key)
(Diagram: Unit A: Kinit, KA → K; K passes from A to B; Unit B: Kinit, K → KA = KAB.)
This step happens only when one of the two units is going to provide its own unit key as the link key between A-B. When a more secure authentication is required, the link key will be built upon both A and B’s unit keys (Combination Key). After the link key has been exchanged, the initialization key is discarded and a new authentication procedure (using the new semi-permanent link key) is required. The new link key will also be the base on which to build the encryption key.
Link Key Exchange (Combination Key)
(Diagram. Exchanged between A and B: LK_RANDA, LK_RANDB.
Unit A: BD_ADDRA, LK_RANDA → E21 → LK_KA; BD_ADDRB, LK_RANDB → E21 → LK_KB; LK_KA, LK_KB → KAB.
Unit B: BD_ADDRB, LK_RANDB → E21 → LK_KB; BD_ADDRA, LK_RANDA → E21 → LK_KA; LK_KA, LK_KB → KAB.)
Generation of Bluetooth Encryption Key
Unit A: EN_RANDA, Klink, COF → E3 → KC → RED → KC’
Unit B: EN_RANDA, Klink, COF → E3 → K’C → RED → K’C’
Passed from A to B: EN_RANDA
The encryption key KC is generated on the link key and a random number produced by A. If necessary, a length-reduced key KC’ is generated.
Encrypted Communication of Bluetooth
Unit A: BD_ADDRA, clockA, KC’ → E0 → Kcipher
Unit B: BD_ADDRA, clockA, K’C’ → E0 → K’cipher
(Diagram: on each side, data A-B and data B-A pass through Kcipher / K’cipher; data travels between A and B.)
Unit Key Stealing
(a) AB and AC Link Keys are A’s Unit Key (diagram: A linked to B with KAB and to C with KAC).
(b) B pretends to be C by simply using C’s address (KAC = KAB).
IEEE 802.11b Security Wired Equivalent Privacy (WEP)
Encryption
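WEP Decryption
$$C \oplus RC4(IV,k) = (P \oplus RC4(IV,k)) \oplus RC4(IV,k) = P = \langle M, c(M) \rangle$$
Check c(M)
(Diagram: Secret Key || IV → Seed → RC4 → Key Sequence; Key Sequence and Ciphertext → Plaintext; Plaintext → Message and Integrity Check Value (ICV); Message → Integrity Algorithm → ICV’; ICV = ICV’?)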
Authentication of 802.11b
There are two types of authentication:
1. Open system authentication. This is the default authentication service, and it does not have any authentication.
2. Shared key authentication. This involves a shared secret key to authenticate the station to the AP (access point).
Shared key authentication
The challenge text (128 bytes) is generated by using the WEP pseudo-random number generator (PRNG) with the shared secret and a random initialization vector (IV).
Security Flaws
The risks of keystream reuse
If $C_1 = P_1 \oplus RC4(IV,k)$
and $C_2 = P_2 \oplus RC4(IV,k)$
then
$$C_1 \oplus C_2 = (P_1 \oplus RC4(IV,k)) \oplus (P_2 \oplus RC4(IV,k)) = P_1 \oplus P_2$$
The WEP standard recommends (but does not require) that the IV be changed after every packet.
Reuse Initialization Vector
• The IV field used by WEP is only 24 bits wide, nearly guaranteeing that the same IV will be reused for multiple messages.
Packet size: 2000 bytes, at an average bandwidth of 5 Mbps:
$$\left( \frac{2000 \times 8}{5 \times 10^{6}} \times 2^{24} \right) / 3600 = 14 \text{ hours}$$
• The PCMCIA cards that they tested reset the IV to 0 each time they are re-initialized, and the IV is incremented by one for each packet.
Decryption Dictionaries
• Some access points transmit broadcast messages in plaintext and encrypted form when access control is disabled.
• The attacker can build a table of the keystream corresponding to each IV.
It does not matter whether a 40-bit or a 104-bit shared secret key is used, as the attack centers on the IV collision.
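Message Modification
The WEP checksum is a linear function of the message. $\Delta$ may be chosen arbitrarily by the attacker.
• $A \rightarrow (B) : \langle IV, C \rangle$
• $(A) \rightarrow B : \langle IV, C' \rangle$
$$\begin{aligned}
C' &= C \oplus \langle \Delta, c(\Delta) \rangle \\
&= RC4(IV,k) \oplus \langle M, c(M) \rangle \oplus \langle \Delta, c(\Delta) \rangle \\
&= RC4(IV,k) \oplus \langle M \oplus \Delta,\ c(M) \oplus c(\Delta) \rangle \\
&= RC4(IV,k) \oplus \langle M \oplus \Delta,\ c(M \oplus \Delta) \rangle \\
&= RC4(IV,k) \oplus \langle M', c(M') \rangle
\end{aligned}$$
$M' = M \oplus \Delta$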
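The keystream-reuse identity under "Security Flaws" and the checksum linearity under "Message Modification", as an added Python example that is not part of the original slides; it shows why the CRC-based ICV cannot serve as an integrity check under a stream cipher. The IV, key and frames are constructed sample values, `delta` names the difference XORed into the message, and the patch carries an extra c(0) term because zlib's CRC-32 is affine rather than strictly linear.

```python
import zlib

def rc4(key: bytes, n: int) -> bytes:
    """First n bytes of RC4 keystream for key (KSA, then PRGA)."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def icv(msg: bytes) -> bytes:
    """c(M): CRC-32 of the message, appended little-endian."""
    return zlib.crc32(msg).to_bytes(4, "little")

def wep_encrypt(iv: bytes, k: bytes, msg: bytes) -> bytes:
    """C = <M, c(M)> xor RC4(IV, k), with RC4 seeded by IV || k."""
    plain = msg + icv(msg)
    return xor(plain, rc4(iv + k, len(plain)))

def wep_decrypt(iv: bytes, k: bytes, c: bytes):
    """Receiver side: strip the keystream, return (M, ICV == ICV')."""
    plain = xor(c, rc4(iv + k, len(c)))
    return plain[:-4], plain[-4:] == icv(plain[:-4])

def keystream_reuse_leak(iv, k, p1, p2) -> bytes:
    """C1 xor C2 for two frames under one IV; the keystream cancels."""
    both = xor(wep_encrypt(iv, k, p1), wep_encrypt(iv, k, p2))
    return both[:min(len(p1), len(p2))]

def receiver_verdict_after_xor(iv, k, msg, delta):
    """XOR <delta, c(delta)> into C (no key used) and run the ICV check."""
    # zlib's CRC-32 is affine, so the patch carries the extra term c(00..0).
    patch = delta + xor(icv(delta), icv(bytes(len(delta))))
    return wep_decrypt(iv, k, xor(wep_encrypt(iv, k, msg), patch))

if __name__ == "__main__":
    iv, k = b"\x00\x00\x01", b"\x01\x02\x03\x04\x05"  # constructed IV and 40-bit key
    a, b = b"constructed frame A", b"constructed frame B"
    print(keystream_reuse_leak(iv, k, a, b) == xor(a, b))
    delta = bytes(18) + xor(b"A", b"B")               # changes only the last byte
    print(receiver_verdict_after_xor(iv, k, a, delta))
```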
Message Injection
It is possible to reuse old IV values without triggering any alarms at the receiver.
• That is, if an attacker ever learns the complete plaintext P of any given ciphertext packet C, he can recover the keystream used to encrypt the packet.
$$P \oplus C = P \oplus (P \oplus RC4(IV,k)) = RC4(IV,k)$$
$(A) \rightarrow B : \langle IV, C' \rangle$
where $C' = \langle M', c(M') \rangle \oplus RC4(IV,k)$
Authentication Spoofing
• The message injection attack can be used to defeat the shared-key authentication mechanism used by WEP.
• The attacker learns both the plaintext challenge sent by the access point and the encrypted version sent by the mobile station.