Computer Security CS477, Lecture 10: Authentication Applications
Ching-Hua Chuan, October 6th 2008

Administration
- Homework 2 due October 8th
- Test 2 on October 15th
- Project proposal due October 20th

Today's Outline
- Authentication Applications
- Kerberos

Kerberos (Chap. 4.1)
Kerberos is an authentication service developed as part of Project Athena at MIT. It is designed for a distributed environment in which users wish to access servers over the network.

Three threats:
- A user may pretend to be another user.
- A user may alter the network address of a workstation.
- A user may eavesdrop on exchanges and use a replay attack.

Kerberos: A Distributed Environment
Kerberos provides a centralized authentication server that authenticates users to servers and servers to users. Kerberos relies on symmetric encryption. There are two versions: version 4 and version 5.

Questions raised by the environment:
- Does this user have the right to access the workstation?
- Does this user have the right to access services from server 1, and those from server 2?
- Does this workstation have the right to access server 1 and server 2?

Three approaches:
- The workstation assures the identity of the user.
- The workstation needs to authenticate itself to the server.
- The user provides identity for each service, and the workstation is not trusted.

Kerberos Requirements
- Secure: safe from eavesdropping.
- Reliable: always available.
- Transparent: users are not aware of, or troubled by, the authentication taking place.
- Scalable: capable of supporting a large number of clients.

Kerberos Version 4: Key terms
C    = client
AS   = authentication server
V    = server
IDc  = identifier of the user on C
IDv  = identifier of V
Pc   = password of the user on C
ADc  = network address of C
Kv   = secret encryption key shared by AS and V

A Simple Authentication Dialogue
(1) C → AS: IDc || Pc || IDv
(2) AS → C: Ticket
(3) C → V:  IDc || Ticket

Ticket = E(Kv, [IDc || ADc || IDv])

Because Kv is the secret key shared by AS and V, no one else can create the ticket, which shows AS's approval of C's access to V. Are all components in the ticket necessary? (Recall message (1): C → AS: IDc || Pc || IDv.)

Problems with the Simple Dialogue
- A ticket can be used only once.
- The password Pc is transmitted in plaintext.

A More Secure Authentication Dialogue
Where is Pc? A ticket-granting server (TGS) issues tickets to users who have already been authenticated to the AS.

Once per user logon session:
(1) C → AS:  IDc || IDtgs
(2) AS → C:  E(Kc, Tickettgs)
Once per type of service:
(3) C → TGS: IDc || IDv || Tickettgs
(4) TGS → C: Ticketv
Once per service session:
(5) C → V:   IDc || Ticketv

Tickettgs = E(Ktgs, [IDc || ADc || IDtgs || TS1 || Lifetime1])
Ticketv   = E(Kv,   [IDc || ADc || IDv   || TS2 || Lifetime2])

Problems with the More Secure Dialogue
Lifetime associated with the ticket-granting ticket:
- If too short, the user is repeatedly asked for the password.
- If too long, there is greater opportunity for replay.
Threats:
- An opponent may steal the ticket and use it before it expires.
- An opponent may sabotage servers.
Servers may also need to authenticate themselves to users.

Kerberos Version 4
[Two figure slides; the figure content is not present in the text.]

Kerberos Realms and Multiple Kerberi
A full-service Kerberos environment requires:
- The Kerberos server must have the user ID and hashed password of all participating users.
- The Kerberos server must share a secret key with each server.
- Users and servers need to register at the Kerberos server.
Requirements for supporting interrealm authentication:
- The Kerberos server in each realm shares a secret key with the server in the other realm.
- The Kerberos servers are registered with each other.

Request for Service in Another Realm (figure steps)
1. Request ticket for local TGS
2. Ticket for local TGS
3. Request ticket for remote TGS
4. Ticket for remote TGS
5. Request ticket for remote server
6. Ticket for remote server
7. Request remote service

Request for Service in Another Realm (messages)
(1) C → AS:      IDc || IDtgs || TS1
(2) AS → C:      E(Kc, [Kc,tgs || IDtgs || TS2 || Lifetime2 || Tickettgs])
(3) C → TGS:     IDtgsrem || Tickettgs || AuthenticatorC
(4) TGS → C:     E(Kc,tgs, [Kc,tgsrem || IDtgsrem || TS4 || Tickettgsrem])
(5) C → TGSrem:  IDvrem || Tickettgsrem || AuthenticatorC
(6) TGSrem → C:  E(Kc,tgsrem, [Kc,vrem || IDvrem || TS6 || Ticketvrem])
(7) C → Vrem:    Ticketvrem || AuthenticatorC

Today's Summary
- Authentication Applications
- Kerberos: structure, requirements, several versions of the dialogue
- Tickets, Version 4, Authenticator, Kerberos Realm

Differences between Version 4 and 5
- Encryption system dependence: Version 4 uses DES.
- Internet protocol dependence: Version 4 uses IP addresses.
- Message byte ordering.
- Ticket lifetime: Version 4 encodes a start time and an 8-bit lifetime (maximum 1280 minutes); Version 5 encodes an explicit start and end time.
- Authentication forwarding: Version 5 allows credentials issued to one client to be forwarded to some other host (client or server).
- Interrealm authentication.
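The following is an added example, not part of the lecture slides, that simulates the Version 4 dialogue described above (messages (1)-(2) once per logon, (3)-(4) once per type of service, (5) plus a server reply once per service session) together with the checks a TGS or server performs on a ticket and its authenticator: ticket lifetime, match between the ticket's ADc and the authenticator's and the sender's address, authenticator freshness, and a replay cache. It assumes session keys inside the tickets (as in the realm dialogue), a single realm, integer timestamps supplied by the caller, and a `Sealed` stand-in for E(K, ...) instead of real DES; all names, keys and addresses are constructed.

```python
"""Toy simulation of the Kerberos v4 ticket/authenticator dialogue (added example)."""
from dataclasses import dataclass

SKEW = 300  # assumed tolerance (seconds) for an authenticator's timestamp


@dataclass(frozen=True)
class Sealed:
    """Stand-in for E(K, [fields]): only a holder of the same key can open it."""
    key: str
    fields: tuple


def E(key, *fields):
    return Sealed(key, tuple(fields))


def D(key, box):
    if not isinstance(box, Sealed) or box.key != key:
        raise PermissionError("cannot decrypt: wrong key")
    return box.fields


def verify(server_key, ticket, authenticator, src_addr, now, seen):
    """Checks a TGS or V applies before honouring a ticket; returns (session key, IDc, ADc)."""
    k_session, id_c, ad_c, _id_s, ts, lifetime = D(server_key, ticket)
    if now > ts + lifetime * 60:                       # lifetime is in minutes
        raise PermissionError("ticket expired")
    a_id_c, a_ad_c, a_ts = D(k_session, authenticator)  # only the legitimate C has k_session
    if (a_id_c, a_ad_c) != (id_c, ad_c) or src_addr != ad_c:
        raise PermissionError("authenticator/ticket/address mismatch")
    if abs(now - a_ts) > SKEW:
        raise PermissionError("authenticator too old")
    if (id_c, a_ts) in seen:                           # replay cache of recent authenticators
        raise PermissionError("replayed authenticator")
    seen.add((id_c, a_ts))
    return k_session, id_c, ad_c


class AS:
    """Authentication server: knows each user's key Kc (derived from Pc) and Ktgs."""
    def __init__(self, user_keys, k_tgs, addr_of):
        self.user_keys, self.k_tgs, self.addr_of = user_keys, k_tgs, addr_of

    def request_tgt(self, id_c, id_tgs, now, lifetime2=480):      # messages (1)-(2)
        k_c_tgs, ad_c = f"Kc,tgs@{now}", self.addr_of[id_c]        # constructed session key
        ticket_tgs = E(self.k_tgs, k_c_tgs, id_c, ad_c, id_tgs, now, lifetime2)
        return E(self.user_keys[id_c], k_c_tgs, id_tgs, now, lifetime2, ticket_tgs)


class TGS:
    """Ticket-granting server: knows Ktgs and the key Kv of every registered server."""
    def __init__(self, k_tgs, server_keys):
        self.k_tgs, self.server_keys, self.seen = k_tgs, server_keys, set()

    def request_service_ticket(self, id_v, ticket_tgs, auth, src_addr, now, lifetime4=60):
        k_c_tgs, id_c, ad_c = verify(self.k_tgs, ticket_tgs, auth, src_addr, now, self.seen)
        k_c_v = f"Kc,v@{now}"                                       # constructed session key
        ticket_v = E(self.server_keys[id_v], k_c_v, id_c, ad_c, id_v, now, lifetime4)
        return E(k_c_tgs, k_c_v, id_v, now, ticket_v)              # message (4)


class V:
    """Application server: knows only its own key Kv."""
    def __init__(self, id_v, k_v):
        self.id_v, self.k_v, self.seen = id_v, k_v, set()

    def serve(self, ticket_v, auth, src_addr, now):
        k_c_v, _, _ = verify(self.k_v, ticket_v, auth, src_addr, now, self.seen)
        _, _, ts5 = D(k_c_v, auth)
        return E(k_c_v, ts5 + 1)   # V authenticates itself to C by returning TS5 + 1


def build_world():
    as_ = AS({"alice": "Kalice"}, "Ktgs", {"alice": "10.0.0.5"})
    return as_, TGS("Ktgs", {"fileserver": "Kv"}), V("fileserver", "Kv")


def client_session(id_c, k_c, ad_c, as_, tgs, v, now):
    """Full client-side run of the dialogue; True if V proved it holds Kc,v."""
    k_c_tgs, _, _, _, ticket_tgs = D(k_c, as_.request_tgt(id_c, "tgs", now))
    auth = E(k_c_tgs, id_c, ad_c, now)                              # AuthenticatorC
    reply = tgs.request_service_ticket(v.id_v, ticket_tgs, auth, ad_c, now)
    k_c_v, _, _, ticket_v = D(k_c_tgs, reply)
    auth_v = E(k_c_v, id_c, ad_c, now + 1)
    (ts_plus_1,) = D(k_c_v, v.serve(ticket_v, auth_v, ad_c, now + 1))
    return ts_plus_1 == now + 2


def demo_ok():
    return client_session("alice", "Kalice", "10.0.0.5", *build_world(), now=1000)


def demo_threats(now=1000):
    """Replay, use of a captured ticket from another address, and an expired ticket."""
    as_, tgs, _ = build_world()
    k_c_tgs, _, _, _, ticket_tgs = D("Kalice", as_.request_tgt("alice", "tgs", now))
    auth = E(k_c_tgs, "alice", "10.0.0.5", now)
    tgs.request_service_ticket("fileserver", ticket_tgs, auth, "10.0.0.5", now)  # genuine use
    results = {}
    for label, addr, t in [("replay", "10.0.0.5", now),
                           ("stolen_ticket", "10.0.0.9", now),
                           ("expired", "10.0.0.5", now + 481 * 60)]:
        try:
            tgs.request_service_ticket("fileserver", ticket_tgs, auth, addr, t)
            results[label] = "accepted"
        except PermissionError as exc:
            results[label] = str(exc)
    return results
```

`demo_ok()` walks one session end to end; `demo_threats()` shows why the slides pair every ticket with a lifetime and an authenticator: the replay cache rejects a reused authenticator, the ADc check rejects a captured ticket presented from a different address, and the lifetime check rejects a ticket after it expires. With the simple dialogue (no timestamp, no authenticator) none of these checks would be possible.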