Kerberos5 with Mobile Agent Service Authenticator (MASA)
By: Poonam Gupta, Sowmya Sugumaran
Problem Statement
• Our goal is to ensure that authenticated mobile users receive the services without interruption and with less overhead and delay
Mobility Services
• Network Layer Mobility – ensures connectivity for mobile users
• Service Layer Mobility – ensures services for mobile users
Modification to Our Proposal
Proactively acquiring TGT and service tickets in realms to be visited
Motivation and Example
• Realm – consists of clients, a KDC, and server applications
• With cross-realm authentication, clients can obtain a service from a different realm without holding an account in that realm
Motivation and example continued
• A student in dept A wants to print a file in dept B
• Without a cross-realm mechanism, the user would need an account in each realm and would have to transfer the file between realms to print it
• With our scheme, the service ticket for printing can be obtained proactively by combining the cross-realm mechanism with knowledge of the user's mobility
No-Cross-Realm (NCR) Message Exchange for Realm1 for Mobile Users
1) Client --- C, TGT ----------------------> AS1
2) Client <-- {T_c,tgs, K_c,tgs}K_c ---------- AS1
3) Client --- T_c,tgs, S -------------------> TGS1
4) Client <-- {T_c,s, K_c,s}K_c,tgs ---------- TGS1
5) Client --- {T_c,s}K_c,s, A_c ------------> Server1
NCR Message Exchange for Mobile Users for Realm2
1) Client --- C, TGT ----------------------> AS2
2) Client <-- {T_c,tgs, K_c,tgs}K_c ---------- AS2
3) Client --- T_c,tgs, S -------------------> TGS2
4) Client <-- {T_c,s, K_c,s}K_c,tgs ---------- TGS2
5) Client --- {T_c,s}K_c,s, A_c ------------> Server2
Message Exchange Steps for a Service in a Different Realm, for Mobile Users with Cross-Realm
1) Client --- C, TGT or RTGT ---------------> AS
2) Client <-- TGT or RTGT ------------------- AS
3) Client --- TGT or RTGT, Service ---------> TGS
4) Client <-- Service Ticket ---------------- TGS
5) Client --- Service Ticket ---------------> Server
Difference
With the cross-realm mechanism:
• Exchange of messages is the same
• Get the service ticket when you need it
Combining the cross-realm mechanism and our scheme:
• Exchange of messages is the same
• Get the service ticket proactively
Kerberos V4 Cross-Realm Authentication
(Figure: ticket flow between the Client's Realm and the Server's Realm)
• Client ↔ lKDC: TGT request/reply; reply {Ticket}k(ltgs)
• Client ↔ lKDC: cross-realm ticket request/reply; reply {Ticket}k(rtgs) (inter-realm key)
• Client ↔ rKDC: service ticket request/reply; reply {Ticket}k(s)
• Client ↔ Server: service request/reply; request {Ticket}k(s)
Tutorial slide from Jorge Cuellar
Kerberos 5
• Allows for a trusted path
• Hierarchical realms
• Non-hierarchical (shortcuts)
Our Scheme: MASA
• Mobile Agent Service Authenticator (MASA): a software agent on the mobile client to assist with proactively acquiring authentication (TGTs) from to-be-visited realms.
• User App -> MASA -> Kerberos (AS, TGS)
• MASA knows the mobile user's:
  – profile (preferences)
  – mobility pattern
Comparison (Handling Mobile Users)
• No Cross-Realm Scheme (NCRS):
  – Requires a user account in each visited realm
  – User needs to be authenticated in each realm
• Reactive Cross-Realm Scheme (RCRS):
  – User can acquire a TGT for the to-be-visited realm from the registered realm
  – Reactive: acquires the service ticket at the time of service
• MASA:
  – Uses the cross-realm mechanism
    • Reduces the number of messages (overhead)
  – Proactive: acquires the TGT and service ticket before the service request
    • Reduces latency
MASA Implementation: Basic Idea
• Event based
• Assume network layer mobility events can be mapped to realm layer mobility events
• Service Table: services needed by the user in each realm he visits
• Upon Move_to_Realm_Warning(Rnext):
  – get a TGT for Rnext using the cross-realm mechanism in Rhome
  – get a service ticket, using that TGT, from Rnext for each service needed from Rnext
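The NCR and cross-realm exchanges on the earlier slides and the Move_to_Realm_Warning handler described here, as an added example that is not the authors' code or their Java emulation: a toy Python model in which each realm's AS/TGS issues TGTs, cross-realm TGTs (RTGTs) and service tickets, and a MASA-style client holding a service table pre-acquires the tickets for Rnext when the warning arrives. The realm names PNM.PG and PNM2.PG are taken from the emulation slides; the principal "student", the key identifiers, the inter-realm key id and the service table are constructed, and "sealing" is simulated as a key-labelled envelope rather than a real cipher, so the example demonstrates the message flow and the client's message count, not cryptography.

```python
# Added example (not the authors' code or their Java emulation): a toy model of
# MASA proactive ticket acquisition over a simulated Kerberos AS/TGS.  Realm
# names PNM.PG and PNM2.PG are from the emulation slides; principals, key ids
# and the service table are constructed.  "Sealing" is a key-labelled envelope,
# not a cipher, so only the message flow and message count are exercised.

def enc(key_id, payload):
    """Simulated sealing: records which key the payload is sealed under."""
    return {"enc_with": key_id, "payload": payload}

def dec(key_id, blob):
    """Simulated unsealing: fails unless the caller holds the sealing key."""
    if blob["enc_with"] != key_id:
        raise PermissionError(f"sealed under {blob['enc_with']}, not {key_id}")
    return blob["payload"]

class Realm:
    """The AS and TGS of one realm (constructed keys, no network)."""
    def __init__(self, name, principals, inter_realm_keys):
        self.name = name
        self.principals = principals              # principal -> long-term key id
        self.inter_realm_keys = inter_realm_keys  # remote realm -> shared key id
        self.tgs_key = f"k(tgs@{name})"

    def as_exchange(self, client):
        """Steps 1-2 (AS_REQ/AS_REP): {T_c,tgs, K_c,tgs} sealed under K_c."""
        tgt = enc(self.tgs_key, {"client": client, "issued_by": self.name})
        return enc(self.principals[client],
                   {"tgt": tgt, "k_c_tgs": f"k(c,tgs@{self.name})"})

    def tgs_exchange(self, tgt, target):
        """Steps 3-4 (TGS_REQ/TGS_REP).  Accepts a local TGT or a cross-realm
        TGT (RTGT) sealed under an inter-realm key this realm shares; issues a
        service ticket, or an RTGT when target is 'krbtgt/<realm>'."""
        if tgt["enc_with"] == self.tgs_key:
            body = dec(self.tgs_key, tgt)
        elif tgt["enc_with"] in self.inter_realm_keys.values():
            body = dec(tgt["enc_with"], tgt)       # RTGT from a trusted realm
        else:
            raise PermissionError("TGT not issued by this realm or a trusted one")
        if target.startswith("krbtgt/"):
            remote = target.split("/", 1)[1]
            return enc(self.inter_realm_keys[remote],
                       {"client": body["client"], "issued_by": self.name})
        return enc(self.principals[target],
                   {"client": body["client"], "service": target})

def server_accepts(realm, ticket, service):
    """Step 5: the application server unseals the ticket with its own key."""
    return dec(realm.principals[service], ticket)["service"] == service

class MasaClient:
    """Event-driven client: holds the service table and pre-acquires tickets
    for the next realm when a Move_to_Realm_Warning arrives."""
    def __init__(self, user, home, realms, service_table):
        self.user, self.home, self.realms = user, home, realms
        self.service_table = service_table   # realm -> services needed there
        self.tgts, self.tickets = {}, {}     # realm -> TGT ; (realm, svc) -> ticket
        self.messages = 0                    # messages sent by the mobile client

    def initial_logon(self):
        self.messages += 1
        reply = self.realms[self.home].as_exchange(self.user)
        self.tgts[self.home] = dec(f"k({self.user})", reply)["tgt"]

    def move_to_realm_warning(self, r_next):
        # Get an RTGT for Rnext through the cross-realm mechanism in Rhome ...
        self.messages += 1
        rtgt = self.realms[self.home].tgs_exchange(self.tgts[self.home], f"krbtgt/{r_next}")
        self.tgts[r_next] = rtgt
        # ... then a service ticket from Rnext for every service listed for Rnext.
        for svc in self.service_table.get(r_next, []):
            self.messages += 1
            self.tickets[(r_next, svc)] = self.realms[r_next].tgs_exchange(rtgt, svc)

    def use_service(self, realm, svc):
        """Service request: no KDC round trip, the ticket is already cached."""
        self.messages += 1
        return server_accepts(self.realms[realm], self.tickets[(realm, svc)], svc)

def build_realms():
    shared = "k(PNM.PG<->PNM2.PG)"          # constructed inter-realm key id
    return {
        "PNM.PG": Realm("PNM.PG", {"student": "k(student)", "print": "k(print@PNM.PG)"},
                        {"PNM2.PG": shared}),
        "PNM2.PG": Realm("PNM2.PG", {"print": "k(print@PNM2.PG)"}, {"PNM.PG": shared}),
    }

def run_demo():
    """Student registered in PNM.PG moves to PNM2.PG and prints there.
    Returns (service accepted?, client messages sent before the service request)."""
    masa = MasaClient("student", "PNM.PG", build_realms(), {"PNM2.PG": ["print"]})
    masa.initial_logon()                   # 1: AS exchange in Rhome
    masa.move_to_realm_warning("PNM2.PG")  # 2: RTGT from Rhome, 3: ticket from Rnext
    before = masa.messages
    return masa.use_service("PNM2.PG", "print"), before   # (True, 3)
```

The three messages counted before the service request (AS exchange at home, RTGT from the home TGS, service ticket from the Rnext TGS) are the proactive path; a reactive client sends the same messages but only once the user asks for the service, which is the latency the slides set out to remove. A ticket for the Realm2 print service cannot be replayed to another realm's service: `dec` rejects it because it is sealed under that service's own key.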
MASA Implementation: Detail
(Figure: message flow. In Rhome, the Mobile User's MASA Client performs the initial log on with the MASA Server and gets a ticket from home. On Move to R_next, the MASA Client uses the cross-realm mechanism between Rcurrent and Rnext to obtain TGT_next and Service_next.)
MASA Implementation: Comments
• Client-server architecture
• MASA client is lightweight
• MASA server maintains the user profile and mobility data
• Reduces the messages generated by the mobile client
  – Saves wireless bandwidth
  – Saves mobile energy
MASA Cost Analysis
• fc: frequency of service (call) requests
• fm: frequency of moves (change of realm)
• CMR (Call-to-Mobility Ratio): fc / fm
• Cost: either number of messages or latency
• Normalized cost = fc × (cost of each service request) + fm × (cost incurred on each move)
• Find the CMRs for which Cost_MASA < Cost_old_scheme
MASA Cost Analysis Continued
• Consider only the messages generated by the mobile
• a: cost of a long-distance message relative to a local message
• Cost_ncrs = 2·fm + 3·fc
• Cost_masa = 2a·fm + a·fc
• MASA is better if Cost_masa < Cost_ncrs, i.e. CMR > 2(a−1)/(3−a)
  – If a == 1 then MASA is better than NCRS for CMR > 0
  – If a == 2 then MASA is better than NCRS for CMR > 2
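The cost model on these two slides, evaluated as an added example (not the authors' code): the two cost formulas are taken from the slide, the CMR threshold is obtained by solving Cost_masa < Cost_ncrs for fc/fm, and the a = 1 and a = 2 cases from the slide are checked along with the a ≥ 3 edge case, where the per-request cost no longer favours MASA and no finite CMR makes it cheaper. The fc, fm and a values fed in are constructed.

```python
# Added example (not the authors' code): evaluating the slide's cost model for
# the mobile client's messages.  fc, fm and a values are constructed inputs.

def cost_ncrs(fc, fm):
    """No-cross-realm scheme: 2 messages per move, 3 per service request."""
    return 2 * fm + 3 * fc

def cost_masa(fc, fm, a):
    """MASA: 2 long-distance messages per move, 1 per service request,
    each weighted by a (cost of a long-distance message vs. a local one)."""
    return 2 * a * fm + a * fc

def cmr_threshold(a):
    """Smallest CMR (= fc/fm) above which MASA is cheaper than NCRS.
    Derivation: 2a*fm + a*fc < 2*fm + 3*fc  <=>  (3 - a)*fc > 2(a - 1)*fm.
    For a >= 3 the left side cannot be positive, so MASA is never cheaper."""
    if a >= 3:
        return None
    return 2 * (a - 1) / (3 - a)

def masa_is_better(fc, fm, a):
    """Direct comparison of the two normalized costs."""
    return cost_masa(fc, fm, a) < cost_ncrs(fc, fm)

def sweep(a, cmrs, fm=1.0):
    """Map each CMR to whether MASA wins, holding the move rate fixed at fm
    so that fc = CMR * fm; useful to confirm the threshold empirically."""
    return {cmr: masa_is_better(cmr * fm, fm, a) for cmr in cmrs}

if __name__ == "__main__":
    for a in (1, 2, 2.5, 3):
        print(a, cmr_threshold(a), sweep(a, [0.5, 1, 2, 3, 7]))
```

With a = 2 the sweep shows MASA losing at CMR = 2 (both costs equal 8 per unit move) and winning from CMR = 3 onward, matching the slide's "CMR > 2"; with a = 3 every entry is False, which is the case the slide's formula hides behind a zero denominator.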
Installing OpenAFS for Windows
• Select the 64-bit EXE installer for Windows
• Select a location to install OpenAFS
• In CellServDB, delete all contents except those of the required domains (e.g. asu.edu)
• In the client cell name configuration window, set the AFS cell name to asu.edu
After Installation
• The ticket manager will start upon login and display a ticket initialization window
• Initialize the ticket using the Network ID
• If successful, the ticket and tokens can be viewed by clicking on the Kerberos icon
MASA Emulation Using Java Kerberos 1.1
(Screenshot captions)
• Running Java Kerberos to acquire a service ticket, Realm1: PNM.PG
• Running Java Kerberos to acquire a service ticket, Realm2: PNM2.PG
• User used the TGT to get a service ticket for Realm2
• Successfully authenticated by Realm2
Many thanks to
• Prof. Dijiang Huang
• Wenzhe Jiao
References:
• ftp://ftp.cis.upenn.edu/pub/papers/scedrov/k5cr.pdf
• http://www2.imm.dtu.dk/courses/02345/Lab4/krb5-UserGuide-1.1.pdf
• http://www.isoc.org/isoc/conferences/ndss/99/proceedings/papers/wu.pdf
• http://kickjava.com/src/javax/security/auth/kerberos/KerberosPrincipal.java.html
Thank You…!!!