Internet security and privacy 2G1704 Johan Montelius
Internet security and privacy
Key Distribution Center / Kerberos
The problem
KDC key distribution center
• If we have a network of nodes and each node needs complete knowledge of all other nodes and all other users, the administration of the network becomes a problem.
• Use one centrally managed node to store information about all users in the network. Let this node distribute keys, for secure communication, on request by a user.
KDC problems
• How can Alice authenticate to the KDC?
• How can the KDC assure Bob that Alice is trustworthy?
• How can Alice and Bob communicate in privacy?
KDC first try
Participants: Alice, KDC, Bob
Alice → KDC: Alice to Bob
KDC → Alice: KAlice{use KAB}
KDC → Bob: KBob{Alice / KAB}
Alice → Bob: I'm Alice
KAB shared secret
KDC second try
Participants: Alice, KDC, Bob
Alice → KDC: Alice to Bob
KDC → Alice: KAlice{use KAB}, KBob{Alice / KAB}
Alice → Bob: I'm Alice, KBob{Alice / KAB}
KAB shared secret
A ticket to Bob: KBob{Alice / KAB}
How does Alice know who she's talking to?
KDC Needham-Schroeder
Participants: Alice, KDC, Bob
Alice → KDC: N1, Alice to Bob
KDC → Alice: KAlice{N1, “Bob”, KAB, ticket}
Alice → Bob: I'm Alice, ticket, KAB{N2}
Bob → Alice: KAB{N2-1, N3}
Alice → Bob: KAB{N3-1}
KAB shared secret
What if....
• Trudy records a session and stores the reply from the KDC:
< KAlice{N1, “Bob”, KAB , ticket} >.
• At a later point she captures KAlice. Alice changes her key and the KDC is updated, but Bob is of course not informed.
Trudy → Bob: I'm Alice, KBob{Alice/KAB}, KAB{N2}
KDC Extended Needham-Schroeder
Participants: Alice, KDC, Bob
Alice → Bob: I'm Alice
Bob → Alice: KBob{NB}
Alice → KDC: N1, Alice to Bob, KBob{NB}
KDC → Alice: KAlice{N1, “Bob”, KAB, ticket}
ticket = KBob{KAB, Alice, NB}
Alice → Bob: I'm Alice, ticket, KAB{N2}
etc
Extended Needham-Schroeder
• Solves the replay problem by forcing Alice to prove that she has access to the most recent key.
• The price is two extra messages where Alice receives a nonce from Bob before contacting the KDC.
• Can we replace the challenge response with something else?
KDC Kerberos
Participants: Alice, KDC, Bob
Alice → KDC: N1, Alice to Bob
KDC → Alice: KAlice{N1, Bob, KAB, ticket}
ticket = KBob{KAB, Alice, exp. time}
Alice → Bob: I'm Alice, ticket, KAB{timestamp}
Bob → Alice: KAB{timestamp+1}
Kerberos
• A dog with three heads guarding the entrance to Hades.
• Developed by MIT
– v4 standardized in late -80
– v5 in -92. (v4 still in use)
• Widely used not only in the Unix world:
– Windows 2000/XP
– Web single-sign-on such as Passport
The dog
Kerberos v4
• The KDC (Kerberos server, Authentication server, Ticket granting Server) holds a database with entries:
– principal (user) name
– master key (encrypted with KDC master key)
• There is no runtime state that has to be updated so the database can be distributed to other KDC servers.
• All encryption is done using DES (v4).
Kerberos v4 TGT (ticket granting ticket)
Participants: Alice, KDC
Alice → KDC: AS-REQ: Alice
KDC → Alice: AS-REP: KAlice{SAlice, TGT}
TGT = KKDC{Alice, SAlice, exp. ...}
The ticket granting ticket (TGT) holds the new session key. The KDC therefore need not store this information locally, i.e. no state!
The password of Alice is only needed to decrypt the AS-REP reply.
After initial handshake
• Alice has received the session key that she will use in all communication with the KDC during this session.
• The ticket granting ticket (TGT) must be used when communicating with the KDC since the KDC does not have a copy of the session key.
• Did you notice how easy it was to get information from the KDC?
Kerberos v4 remote access
Participants: Alice, KDC, Bob
Alice → KDC: TGS-REQ: Alice to Bob, TGT, SA{T}
KDC → Alice: TGS-REP: SA{Bob, KAB, ticket}
ticket = KBob{KAB, Alice, exp. time}
Alice → Bob: I'm Alice, ticket, KAB{T}
Bob → Alice: KAB{T+1}
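The AS and TGS exchanges above, run end to end as an added example (not part of the original slides). The `seal`/`unseal` toy cipher stands in for DES, and the ticket lifetimes, the 300-second timestamp window and all key values are assumptions; the v4 network address field is left out.

```python
import hashlib, hmac, json, os

def _ks(key, nonce, n):  # keystream for the toy cipher
    return hashlib.shake_256(key.encode() + nonce).digest(n)

def seal(key, obj):  # stand-in for K{...}: XOR keystream plus HMAC tag, not DES
    pt, nonce = json.dumps(obj).encode(), os.urandom(8)
    body = nonce + bytes(a ^ b for a, b in zip(pt, _ks(key, nonce, len(pt))))
    return (body + hmac.new(key.encode(), body, hashlib.sha256).digest()).hex()

def unseal(key, blob):
    raw = bytes.fromhex(blob)
    body, tag = raw[:-32], raw[-32:]
    if not hmac.compare_digest(tag, hmac.new(key.encode(), body, hashlib.sha256).digest()):
        raise ValueError("wrong key or modified message")
    return json.loads(bytes(a ^ b for a, b in zip(body[8:], _ks(key, body[:8], len(body) - 8))))

def new_key():
    return os.urandom(16).hex()

K_KDC = new_key()
MASTER = {"Alice": new_key(), "Bob": new_key()}  # constructed principal database

def as_rep(user, now):  # AS-REP: KAlice{SAlice, TGT}
    s = new_key()
    tgt = seal(K_KDC, {"user": user, "s": s, "exp": now + 3600})
    return seal(MASTER[user], {"s": s, "tgt": tgt})

def tgs_rep(target, tgt, auth, now):  # TGS-REP: SA{Bob, KAB, ticket}
    t = unseal(K_KDC, tgt)  # SAlice comes out of the TGT; the KDC stored nothing
    if now > t["exp"] or abs(unseal(t["s"], auth)["T"] - now) > 300:
        raise ValueError("expired TGT or stale timestamp")
    kab = new_key()
    ticket = seal(MASTER[target], {"kab": kab, "user": t["user"], "exp": now + 600})
    return seal(t["s"], {"peer": target, "kab": kab, "ticket": ticket})

def bob_accept(ticket, auth, now):  # Bob checks ticket and KAB{T}, answers KAB{T+1}
    t = unseal(MASTER["Bob"], ticket)
    T = unseal(t["kab"], auth)["T"]
    if now > t["exp"] or abs(T - now) > 300:
        raise ValueError("expired ticket or stale timestamp")
    return t["user"], seal(t["kab"], {"T": T + 1})

def alice_session(now):
    a = unseal(MASTER["Alice"], as_rep("Alice", now))
    r = unseal(a["s"], tgs_rep("Bob", a["tgt"], seal(a["s"], {"T": now}), now))
    who, reply = bob_accept(r["ticket"], seal(r["kab"], {"T": now}), now)
    return who, unseal(r["kab"], reply)["T"] == now + 1, r
```

Bob learns who is calling and which key to use from the ticket alone, and the expiry check is what bounds how long a recorded ticket stays useful.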
Kerberos Realms
• A network of nodes (principals) constitute a realm. Each realm has one (possibly distributed) KDC with one database of principals and master keys.
• How can we make two realms collaborate? Could we let a user in one realm be authenticated in another realm?
Inter-realm authentication
Participants: Alice, Wndl KDC, Oz KDC
Alice → Wndl KDC: Alice@Wndl Oz@Wndl TGT, SA{T}
Wndl KDC → Alice: SA{Oz@Wndl, KAO, ticket}
ticket = KOz{KAO, Alice@Wndl, exp. time}
Alice → Oz KDC: Alice@Wndl Doroty@Oz, ticket, KAO{T}
Oz KDC → Alice: KAO{Doroty@Oz, KAD, ticket}
ticket = KDoroty{KAD, Alice@Wndl, exp. time}
Cipher Block Chaining
[Figure: CBC chain with plaintext blocks m1 ... mn, an IV and one XOR (+) per block, one E(k) per block, and ciphertext blocks c1 ... cn.]
Plaintext Cipher Block Chaining
[Figure: PCBC chain with plaintext blocks m1 ... mn, an IV and one XOR (+) per block, one E(k) per block, and ciphertext blocks c1 ... cn.]
PCBC
• If the cipher text is modified the decrypted plaintext will be garbage.
• A recognizable end is added to each message so that the receiver can identify correct messages.
• Offers weak integrity.
• Method was replaced in v5.
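Why the recognizable end gives only weak integrity, as an added example (not from the original slides): a changed ciphertext block garbles everything after it, but two adjacent ciphertext blocks that change places leave the trailer intact. The 4-round Feistel cipher is a toy stand-in for DES, and the key, IV, trailer and message blocks are constructed.

```python
import hashlib

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, rnd, half):  # Feistel round function built from SHA-256
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]

def enc_block(key, blk):  # toy 64-bit block cipher standing in for DES
    l, r = blk[:4], blk[4:]
    for rnd in range(4):
        l, r = r, _xor(l, _f(key, rnd, r))
    return l + r

def dec_block(key, blk):
    l, r = blk[:4], blk[4:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _f(key, rnd, l)), l
    return l + r

def pcbc_encrypt(key, iv, blocks):
    out, chain = [], iv
    for m in blocks:
        c = enc_block(key, _xor(m, chain))
        out.append(c)
        chain = _xor(m, c)  # next block is XORed with previous plaintext and ciphertext
    return out

def pcbc_decrypt(key, iv, blocks):
    out, chain = [], iv
    for c in blocks:
        m = _xor(dec_block(key, c), chain)
        out.append(m)
        chain = _xor(m, c)
    return out

KEY, IV = b"constructed-key", bytes(8)
TRAILER = b"END-MSG."  # the "recognizable end"
PLAIN = [b"block-00", b"block-01", b"block-02", b"block-03", TRAILER]
CIPHER = pcbc_encrypt(KEY, IV, PLAIN)

def flip_bit(ct):  # modify one ciphertext block
    return [ct[0], bytes([ct[1][0] ^ 1]) + ct[1][1:]] + ct[2:]

def swap_blocks(ct):  # exchange two adjacent ciphertext blocks
    return [ct[0], ct[2], ct[1]] + ct[3:]

def trailer_ok(ct):
    return pcbc_decrypt(KEY, IV, ct)[-1] == TRAILER
```

After the swap, the chaining value once again equals the original, so only the two exchanged blocks decrypt wrongly and a receiver that checks nothing but the trailer accepts the message.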
Integrity only
• Kerberos v4 offers a weak mode of integrity only.
• A checksum is computed using the session key concatenated with the plaintext.
• In a known plaintext attack Eve can possibly work backwards and retrieve the session key.
• Method replaced in v5.
Network address
• Each message will contain the address (4 bytes e.g. IP address) of the sender. This way the receiver can check that the message comes from the right network node.
• Small address space.
• Problems with NAT.
• Problems when delegating rights.
• Why mix the network layer into the encryption layer?
Kerberos v5
• Solves many of the problems with v4.
• More flexible when it comes to
– addressing,
– selection of cipher algorithms,
– delegation of rights
• Message format is based on ASN.1 (Abstract Syntax Notation One).
• Kerberos v4 is still widely used.
ASN.1 Abstract Syntax Notation
HostAddress ::= SEQUENCE {
    addr-type[0] INTEGER,
    address[1] OCTET STRING
}
Clear specification of the message structure without going into details of how things are coded.
The ASN.1 specification is translated to a message using Basic Encoding Rules (BER).
ASN.1 Abstract Syntax Notation
HostAddress ::= SEQUENCE {
    addr-type[0] INTEGER,
    address[1] OCTET STRING
}
One byte is needed to encode that it is a sequence and one byte to encode the length. addr-type requires 5 bytes to code one byte of type information, and address requires 4 bytes of overhead.
A 4 byte IP address requires 15 bytes!
ASN.1 Abstract Syntax Notation
HostAddress ::= SEQUENCE {
    addr-type[0] IMPLICIT INTEGER,
    address[1] IMPLICIT OCTET STRING
}
HostAddress ::= CHOICE {
    ip_address[0] IMPLICIT OCTET STRING,
    ipx_address[1] IMPLICIT OCTET STRING,
    :
}
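The byte counts for the three HostAddress definitions, worked out with a small tag-length-value encoder as an added example (not from the original slides). The address 192.0.2.1 is a constructed sample, and addr-type value 2 for IPv4 is taken from the Kerberos v5 specification, not from the slides.

```python
INTEGER, OCTET_STRING, SEQUENCE = 0x02, 0x04, 0x30  # universal tags

def tlv(tag: int, content: bytes) -> bytes:
    """Tag, one length byte, value (short-form length, content < 128 bytes)."""
    if len(content) >= 128:
        raise ValueError("long-form length not handled in this example")
    return bytes([tag, len(content)]) + content

def ctx_explicit(n: int, inner_tlv: bytes) -> bytes:
    # [n] EXPLICIT: a constructed context tag wrapped around the complete inner TLV
    return tlv(0xA0 | n, inner_tlv)

def ctx_implicit(n: int, content: bytes) -> bytes:
    # [n] IMPLICIT: the context tag replaces the universal tag, no extra wrapper
    return tlv(0x80 | n, content)

def host_address_explicit(addr_type: int, address: bytes) -> bytes:
    return tlv(SEQUENCE,
               ctx_explicit(0, tlv(INTEGER, bytes([addr_type]))) +
               ctx_explicit(1, tlv(OCTET_STRING, address)))

def host_address_implicit(addr_type: int, address: bytes) -> bytes:
    return tlv(SEQUENCE,
               ctx_implicit(0, bytes([addr_type])) + ctx_implicit(1, address))

def host_address_choice(address: bytes) -> bytes:
    # ip_address[0] IMPLICIT OCTET STRING: the tag itself says which kind of address
    return ctx_implicit(0, address)

IPV4 = 2                        # assumed addr-type value for IPv4
ADDR = bytes([192, 0, 2, 1])    # constructed sample address

def sizes():
    return (len(host_address_explicit(IPV4, ADDR)),
            len(host_address_implicit(IPV4, ADDR)),
            len(host_address_choice(ADDR)))
```

The explicit form reproduces the 15 bytes counted above; the IMPLICIT SEQUENCE needs 11 and the CHOICE 6 for the same 4-byte address.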
Delegation of rights
• Alice cannot delegate rights to Bob by sending him her session key (not very smart) or by sending him TGTs (will not work since they contain the network address).
• Alice can ask for a TGT with another (or no) network address. This TGT can be used by Bob.
• Alice can ask for individual tickets to specific services and send them to Bob.
• How about expiration time?
Expiration time
• Expiration time in Kerberos v4 is limited to 21h (four bytes, 5min resolution).
• In Kerberos v5 this is almost without limit.
• Not a good idea to give tickets with very long expiration time:
– start time
– end time
– authentication time (when was ticket issued)
– renew till (for how long can we renew)
Cipher algorithms
• Encryption uses one of several algorithms indicated by a type field. If one algorithm is broken then this can be removed from the system.
• Integrity-only provided by message digest functions: MD5-DES
Integrity MD5/DES
confounder 64b | message
↓ MD5
confounder 64b | MD5 digest 128b
↓ DES in CBC mode, IV = 0, using modified shared secret
MAC 192b
Privacy and Integrity
confounder 64b | 000.. (place for MD) | message
↓ MD5/4 or CRC32
confounder 64b | MD | message
↓
confounder 64b | MD | message | padding
↓ DES in CBC mode, IV = 0