ECE-8843 csc.gatech/copeland/jac/8843/ Prof. John A. Copeland
-
Upload
virginia-wiley -
Category
Documents
-
view
24 -
download
0
description
Transcript of ECE-8843 csc.gatech/copeland/jac/8843/ Prof. John A. Copeland
ECE-8843http://www.csc.gatech.edu/copeland/jac/8843/
Prof. John A. [email protected]
404 894-5177fax 404 894-0035
Office: GCATT Bldg 579email or call for office visit, or call Kathy Cheek, 404 894-5696
Chapter 4a - Kerberos
Kerberos, v4 and v5
Provides a complete protocol for authentication andsecure communications for hosts connected by a data
communications network
• Provides secure "tickets" to hosts that can be usedto initiate a secure message exchange
• Standard message formats for encrypted and signedmessages, or signed plaintext messages
• Formats for encoding expiration time, names, ...
• Allows "read-only" slave KDC's (distributed KDCs)
2
Keberos uses Mediated Authentication(with a Key Distribution Center, KDC)
Jack
Jip
KDCMary
Paul
Peter Harry
Dick
Tom
AliceBob
Trudi
KDC has unique Secret Keys with all legitimate hosts.
Kbob Kalice
3
Bob has
Shared
Secret Key
with KDC,
Kbob
Alice
{time; Kab},{Kab,Alice; Kbob} ="Ticket"
{time + 1, Kab}
After the 1st exchange with the KDC, Alice has asession key, Ka, and a "Ticket-Granting Ticket"that she can use to request "Tickets" from KDC
• PC erases Alice's password and Kak from disk and RAM.
• Time(stamp) is used as nonce (seconds after 1/1/1970)
Alice PChashesAlice's
passworkto get aDES Key,
Kalice=Ka
KeyDist.
Ctr
gen.s
Kab,hasKk
Alice(human)logs on
toAlice,(PC)
{Ka,{TGT;Kk};Kak}
Alice wantsBob,{TGT;Kk},
{time;Ka}
{Bob,Kab,Ticket-Bob; Ka}
4
5
MasterKDC Slave
KDC
{db;Kmaster}
SlaveKDC
SlaveKDC
SlaveKDC
SlaveKDC
Host
Host
Host
Host
Host
Host
Host
HostHost
Host
Host
Realm
• Replicated KDCs (slaves) are read only.
• Entire Host-KDC dasebase is downloaded periodically 6
RealmWonderland
KDC(Lion)
Lion
Lion can also be a"principal" in
Wonderland (with theQueen's OK)
RealmOz
KDC(Hatter)
DorothyAlice
1 2
3
Alice wants to talk to Dorothy7
Plaintext Cipher Block Chaining (PPCBC)
m1 m2 m3
IV (+) (+) (+)
E E E Key
c1 c2 c3
The 1st 64-bit message segment is XOR'ed withan initial vector (IV). Each following messagesegment is XOR'ed with the preceding ciphertextand plaintext segments-for privacy & integrity.
8
Kerberos Message Integrity Check
(Message Digest)
MIC is Hash(<Ksession,message>)
The Hash algorithm was never published (butsource code can be obtained)
It is based on a checksum algorithm designedby Juneman to use mod 2^31-1 (prime), butchanged to use 2^63-1 (not prime).
Cryptographers worry that it might bebreakable, or reversible (to get Ksession).
9
Network Layer (IP) Addresses in Tickets
Only 4 bytes available, so limited to InternetProtocol (Novel, IBM, Appletalk, IPv6... longer)
Makes "spoofing" harder, IP address must bestolen from network as well as Ticket from Alice.
Prevents delegation, giving the ticket to anotherhost to represent you (which is allowed by
Kerberos V5)
10
Why Study Kerberos v4
(Why doesn't everyone switch to v5)
Kerberos V4 is working well in many systems
Switching to V5 requires stopping the networkand upgrading every host at once before restart
Kerberos V5 is inefficient in some ways comparedto V4
• Specified in ASN.1 (abstraction good and bad)
• Example: 11 bytes required for 4-byte IP address.
11
Kerberos v5 Cryptographic Algorithms
Kerberos v4 used Plaintext Cipher Block Chainingand modified Juneman hash
Kerberos v5 can use a variety of encryptions(DES in practice) and hashes (MD4, MD5).
One primary MIC uses
• { confounder + MD5(confounder & message)}K'
• K' = Kalice-bob (+) F0F0F0F0F0F0F0F0
A more modern MIC that is not used is
• MD5(Kalice-bob & message)
12
Password security
• Do not send in clear except over short secure channels
• Choose had to guess passwords, enforce.
• Force changing passwords periodically
• Avoid keeping password in memory longer than
necessary to generate the user's master key (w KDC)
• Send hash of (key+nonce) to KDC for authentication
• Add salt before hashing passwords for pw database
• Add realm name to password before hashing for pw db
Originally UNIX stored a hash of each User’s password in a globally readable account. This can be attacked by hashingall common words for a reverse lookup table.
13
Message Security and Integrity
Only exchange messages with authenticated hosts
Develop a session key and separate MIC key
using initial password exchange
Encrypt Diffie-Hellman exchanges to preventBucket Brigade (man-in-middle) attacks.
Use MICs, especially with self-synchronizingencryptions (e.g., PCBC) which survivepermutations of message blocks.
Get "random" numbers from true sources
Protect Master KDC Key and hashed-key database14
BonusEntropy of Data, H
H = sum[i=1 to k]{Pi * log2(1/Pi)}
(bits of information per symbol)
Where: k = number of states (or symbols) Pi = probability of the i’th state (ni/N)
If the symbols are binary numbers with 8 bits:H = 8 -> complete disorder or randomnessH < 8 -> some order (ASCII text, H = 4 - 5 bits)
15
Bonus - Encoding Text as Binary - ASCII0 NULL 32 SPACE 64 @ 96 `1 SOH 33 ! 65 A 97 a2 STX 34 " 66 B 98 b3 ETX 35 # 67 C 99 c4 EOT 36 $ 68 D 100 d5 ENQ 37 % 69 E 101 e6 ACK 38 & 70 F 102 f7 BEL 39 ' 71 G 103 g8 BS 40 ( 72 H 104 h9 HT 41 ) 73 I 105 i
10 LF 42 * 74 J 106 j11 VT 43 + 75 K 107 k12 FF 44 , 76 L 108 l13 CR 45 - 77 M 109 m14 SO 46 . 78 N 110 n15 SI 47 / 79 O 111 o16 DLE 48 0 80 P 112 p17 DC1 49 1 81 Q 113 q18 DC2 50 2 82 R 114 r19 DC3 51 3 83 S 115 s20 DC4 52 4 84 T 116 t21 NAK 53 5 85 U 117 u22 SYN 54 6 86 V 118 v23 ETB 55 7 87 W 119 w24 CAN 56 8 88 X 120 x25 EM 57 9 89 Y 121 y26 SUB 58 : 90 Z 122 z27 ESC 59 ; 91 [ 123 {28 FS 60 < 92 \ 124 |29 GS 61 = 93 ] 125 }30 RS 62 > 94 ^ 126 ~31 US 63 ? 95 _ 127 DELETE
CONTROLS NUMBERS CAPITALS LOWER CASE
Examples: "A" = decimal 65 = 00100001, "z" =0111110116