08 인증 (2)
정보보호
Kerberos
MIT Athena project에서 개발
그리스신화의 지옥 문을 지키는 머리 세 개 달린 개 이름에서 유래
3개의 머리는 3개의 A를 의미
Some Kerberos benefits
Standards based strong authentication system
Wide support in various operating systems
Make strong authentication readily available for use with campus computer systems
Prevents transmission of passwords over the network
Provides “single-sign-on” capability
Only 1 password to remember
Only need to enter it once per day (typically)
So, what is Authentication?
The act of verifying someone’s identity
The process by which users prove their identity to a service
Doesn’t specify what a user is allowed or not allowed to do (Authorization)
Password based Authentication
Transmit password in clear over the network to the server
Main Problem
Eavesdropping/Interception
Cryptographic Authentication
No password or secret is transferred over the network
Users prove their identity to a service by
performing a cryptographic operation,usually on a quantity supplied by the server
Crypto operation based on user’s secret key
Encryption and Decryption
Encryption
Process of scrambling data using a cipher and a key in such a way, that it’s intelligible only to the recipient
Decryption
Process of unscambling encrypted data using a cipher and key (possibly the same key used to encrypt the data)
Symmetric Key Cryptography
Aka, Secret Key cryptography
The same key is used for both encryption and decryption operations (symmetry)
Examples: DES, 3-DES, AES
Asymmetric Key Cryptography
Aka Public key cryptography
A pair of related keys are used:
Public and Private keys
Private key can’t be calculated from Public key
Data encrypted with one can only be decrypted with the other
Usually, a user publishes his public key widely
Others use it to encrypt data intended for the user
User decrypts using the private key (known only to him)
Examples: RSA
Communicating Parties
Alice and Bob
Alice: initiator of the communication
Think of her as the “client” or “user”
Bob: correspondent or 2nd participant
Think of him as the “server”
“Alice” wants to access service “Bob”
Baddies:
Eve, Trudy, Mallory
Simple shared-secret based
cryptographic authentication
Add mutual authentication
Problems with this scheme
Poor scaling properties
Generalizing the model for m users and n
services, requires a priori distribution of m x n shared keys
Possible improvement:
Use trusted 3rd party, with which each user and service shares a secret key: m + n keys
Also has important security advantages
Mediated Authentication
A trusted third party mediates the authentication process
Called the Key Distribution Center (KDC)
Each user and service shares a secret key with the KDC
KDC generates a session key, and securely distributes it to communicating parties
Communicating parties prove to each other that they know the session key
Mediated Authentication
Nomenclature:
Ka = Master key for “alice”, shared by alice and the KDC
Kab = Session key shared by “alice” and “bob”
Tb = Ticket to use “bob”
K{data} = “data” encrypted with key “K”
Mediated Authentication
Mediated Authentication
Kerberos uses timestamps
Timestamps as nonce’s are used in the mutual authentication phase of the protocol
This reduces the number of total messages in the protocol
But it means that Kerberos requires reasonably synchronized clocks amongst the users of the
system
Kerberos (almost)
Kerberos (roughly)
Needham-Schroeder Protocol
Kerberos (detailed)
Each user and service registers a secret key with the KDC
Everyone trusts the KDC
“Put all your eggs in one basket, and then watch that basket very carefully” - Anonymous Mark Twain
The user’s key is derived from a password, by applying a hash function
The service key is a large random number, and stored on the server
Kerberos “principal”
A client of the Kerberos authentication service
A user or a service
Format:
name/instance@REALM
Examples:
peggy@UPENN.EDU
ftp/pobox.upenn.edu@UPENN.EDU
Kerberos without TGS
A simplified description of Kerberos without the concept of a TGS (Ticket Granting Service)
Combining 2 previous diags
…
Review: Kerberos Credentials
Ticket
Allows user to use a service (actually authenticate to it)
Used to securely pass the identity of the user to which the ticket is issued between the KDC and the application server
Kb{“alice”, Kab, lifetime}
Authenticator
Proves that the user presenting the ticket is the user to which the ticket was issued
Proof that user knows the session key
Prevents ticket theft from being useful
Prevents replay attacks (timestamp encrypted with the session key): Kab{timestamp}, in combination with a replay cache on the server
Ticket Granting Service (TGS)
Kerberos with TGS
Ticket Granting Service (TGS):
A Kerberos authenticated service, that allows user to obtain tickets for other services
Co-located at the KDC
Ticket Granting Ticket (TGT):
Ticket used to access the TGS and obtain service tickets
Limited-lifetime session key: TGS sessionkey
Shared by user and the TGS
TGT and TGS session-key cached on Alice’s workstation
TGS Benefits
Single Sign-on (SSO) capability
Limits exposure of user’s password
Alice’s workstation can forget the password
immediately after using it in the early stages of the protocol
Less data encrypted with the user’s secret key
travels over the network, limiting attacker’s access to data that could be used in an offline dictionary attack
How does Kerberos work?
Instead of client sending password to application server:
Request Ticket from authentication server
Ticket and encrypted request sent to application server
How to request tickets without repeatedly sending credentials?
Ticket granting ticket (TGT)
How does Kerberos work?:
Ticket Granting Tickets
How does Kerberos Work?:
Ticket Granting Service
How does Kerberos work?:
Application Server
Levels of Session Protection
Initial Authentication only
Safe messages:
Authentication of every message
Keyed hashing with session key
Private messages:
+ Encryption of every message
With session key, or mutually negotiated subsession keys
Note: Application can choose other methods
Pre-authentication
Kerberos 5 added pre-authentication
Client is required to prove it’s identity to the Kerberos AS in the first step
By supplying an encrypted timestamp (encrypted with users secret key)
This prevents an active attacker being able to easily obtain data from the KDC encrypted with any user’s key
Then able to mount an offline dictionary attack
Kerberos & Two-factor auth
In addition to a secret password, user is required to present a physical item:
A small electronic device: h/w authentication token
Generates non-reusable numeric responses
Called 2-factor authentication, because it requires 2 things:
Something the user knows (password)
Something the user has (hardware token)
Cross Realm Authentication
Hierarchy/Chain of Realms
Kerberos and PubKey Crypto
Proposed enhancements
Public key crypto for Initial Authentication
“PKINIT”
Public key crypto for Cross-realm Authentication
“PKCROSS”
Kerberos: summary
Authentication method:
User’s enter password on local machine only
Authenticated via central KDC once per day
No passwords travel over the network
Single Sign-on (via TGS):
KDC gives you a special “ticket”, the TGT, usually good for rest of the day
TGT can be used to get other service tickets allowing user to access them (when presented along with
authenticators)
Advantages of Kerberos (1)
Passwords aren’t exposed to eavesdropping
Password is only typed to the local workstation
It never travels over the network
It is never transmitted to a remote server
Password guessing more difficult
Single Sign-on
More convenient: only one password, entered once
Users may be less likely to store passwords
Stolen tickets hard to reuse
Need authenticator as well, which can’t be reused
Much easier to effectively secure a small set of limited access machines (the KDC’s)
Advantages of Kerberos (2)
Easier to recover from host compromises
Centralized user account administration
Kerberos caveats
Kerberos server can impersonate anyone
KDC is a single point of failure
Can have replicated KDC’s
KDC could be a performance bottleneck
Everyone needs to communicate with it frequently
Not a practical concern these days
Having multiple KDC’s alleviates the problem
If local workstation is compromised, user’s password could be stolen by a trojan horse
Only use a desktop machine or laptop that you trust
Use hardware token pre-authentication
Kerberos caveats (2)
Kerberos vulnerable to password guessing attacks
Choose good passwords!
Use hardware pre-authentication
Hardware tokens, Smart cards etc