UH COSC 6360 - KERBEROS- AN AUTHENTICATION SERVICE


KERBEROS: AN AUTHENTICATION SERVICE FOR OPEN NETWORK SYSTEMS
J. G. Steiner, C. Neuman, J. I. Schiller
MIT

AUTHENTICATION SERVERS (I)
• Their mission is:
  (a) To check the identity of all users
  (b) To prevent unauthorized accesses
• Traditional solution is to use a pair (userid, password)
  – Very bad in a LAN environment
  – Too vulnerable to snooping

AUTHENTICATION SERVERS (II)
• Another bad solution is to trust the kernel of the sender's machine:
  – Solution used by rlogin, rsh, rcp
  – Like trusting a foreign passport
  – Only works in well-controlled networks
  – Suffers from the domino effect:
    • Gaining full access to one machine gives full access to the whole network

CRYPTOGRAPHY (I)
1. Conventional Cryptography
  – Uses the same key for encoding and decoding
    • Key could be a secret alphabet
  – We now use much more complex schemes and much bigger keys
  – Major problem is key distribution
    • Very hard without a trusted channel

Example
• Assume we have a random stream of bits: r0, r1, r2, r3, ...
• We convert our message into a bit stream: m0, m1, m2, m3, ...
• Encode the message bitwise using XOR: ci = mi ⊕ ri for i = 1, 2, 3, ...
• Impossible to break if the random bit stream is truly random and never reused

CRYPTOGRAPHY (II)
2. Public-Key Cryptography
  – Uses two keys:
    (a) A public key to encode: KP
    (b) A secret key to decode: KS
  – It is not possible to compute KS knowing KP
    • The function KP = f(KS) is said to be hard to invert

CRYPTOGRAPHY (II)
  – We should have
    • { { cleartext }KP }KS = cleartext
    • { { cleartext }KS }KP = cleartext
  – Requires very long keys
  – Cannot pick an arbitrary secret key
  – Much slower than conventional cryptography

Example
• Assume A knows KP,B and B knows KP,A
  – A can send to B a secret message: { text }KP,B
  – A can send to B a message that is signed: A, { text }KS,A
  – A can send to B a signed secret message: { A, { text }KS,A }KP,B

Application
• Can combine conventional cryptography and public-key cryptography
  – A uses public-key cryptography to send to B a signed secret message containing a session key KS
  – A and B use this session key KS to continue their dialogue

KERBEROS
• Authentication server using conventional keys
• The Kerberos server has
  – The key of each user
  – The key of the ticket granting service (TGS)
• Authentication is a two-step process
  – Get from Kerberos a ticket for the TGS
  – Get from the TGS the ticket for a given server

General Organization
[Figure: client c on workstation WS, Kerberos server K, ticket granting service TGS and server S, with the protocol's six numbered messages between them]

General Assumptions (I)
• Cannot trust the network:
  – Intruders can listen to all messages and replay them later
• Can trust the time service
  – No intruder can reset any clock backward by more than a few minutes

General Assumptions (II)
• Client c can trust the workstation WS on which she is logged on:
  – Cannot do encryption without a safe place to encode and decode messages
• Assumes the workstation is controlled by the client
  – Not true for public workstations

Step 1
• Client provides WS with its ID c:
    c → WS: c
• WS sends to Kerberos a request for a ticket for the TGS:
    WS → K: c, tgs

Step 2
• Kerberos sends to WS a ticket Tc,tgs and a random session key Kc,tgs:
    K → WS: { Kc,tgs, { Tc,tgs }Ktgs }Kc
• Both items are encrypted with the client key Kc
• The ticket is encrypted with the secret key of the ticket granting service to prevent tampering by the client

The ticket (I)
• Note that the encrypted ticket is encrypted a second time with the client key Kc
  – In more recent versions of Kerberos:
    K → WS: { Kc,tgs }Kc, { Tc,tgs }Ktgs

The ticket (II)
• Tc,tgs = c, tgs, addr, timestamp, life, Kc,tgs
• It contains
  – The client's name c
  – The name of the ticket-granting service tgs
  – The IP address of the client addr
  – The current time timestamp
  – A ticket lifetime life
  – The random session key Kc,tgs

Step 3
• When WS receives the Kerberos reply, it prompts the client c for her password, uses it to compute the user key Kc = fn(password), and uses Kc to decrypt the message

Shared Secrets
[Figure: WS, Kerberos server K, TGS and server S, with the shared secret keys Kc, Ktgs and Ks]

Step 3 (continued)
• WS then sends to the TGS
  – The name of the service s the client wants to utilize
  – The encrypted ticket Tc,tgs
  – An authenticator Ac,tgs encrypted with Kc,tgs
    WS → TGS: s, { Tc,tgs }Ktgs, { Ac,tgs }Kc,tgs

The authenticator (I)
• Any intruder could replay a ticket that has already been submitted to the TGS
• The authenticator contains
  – The client name c
  – Its address addr
  – The current time timestamp
    Ac,tgs = c, addr, timestamp
• The authenticator is encrypted with Kc,tgs

The authenticator (II)
• The authenticator provides proof that WS was able to obtain the session key Kc,tgs by decrypting message number 2 using the right client key Kc
• To detect replays of authenticators, the TGS
  – Rejects authenticators that are too old (say, by more than five minutes)
  – Keeps track of all recently received authenticators

Step 4
• The TGS replies by sending to the workstation
  – A ticket Tc,s for the service s
  – A new random session key Kc,s
    TGS → WS: { Kc,s, { Tc,s }Ks }Kc,tgs
  encrypted with the session key Kc,tgs shared by the client and the ticket granting service

Step 4 (continued)
• Tc,s contains
  – The user's name c
  – The name of the service s
  – The IP address of the client addr
  – The current time timestamp
  – A new lifetime life
  – A new random session key Kc,s
• Tc,s is encrypted with the secret key of server s

Step 5
• WS then sends to server S
  – The encrypted ticket Tc,s
  – An authenticator Ac,s encrypted with Kc,s
    WS → S: { Tc,s }Ks, { Ac,s }Kc,s

Step 5 (continued)
• The authenticator contains
  – The client name c
  – Its address addr
  – The current time timestamp
    Ac,s = c, addr, timestamp
• The authenticator is encrypted with the session key Kc,s shared by client and server

Step 6
• If the client wanted to authenticate the server, the server replies with the authenticator timestamp plus one:
    s → WS: {
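The six steps above, Kerberos request through server authentication, as one runnable walk-through. This is an added example, not code from the lecture or from MIT Kerberos: the symmetric cipher is a stdlib stand-in (SHA-256 keystream plus HMAC tag) rather than DES, Kc = fn(password) is taken to be SHA-256 because the slides leave fn unspecified, and the user name, password, service name, address and keys are all constructed for the demo. The same `check` routine is run by the TGS in Step 3 and by server s in Step 5, and it applies both replay defences from "The authenticator (II)": an age limit on the authenticator and a record of recently received ones.

```python
"""Toy walk-through of the six Kerberos steps in the slides. Added example,
not the lecture's or MIT's code: the cipher is a stdlib stand-in (SHA-256
keystream with an HMAC tag) rather than DES, Kc = fn(password) uses SHA-256
because the slides leave fn unspecified, and every name, address, password
and key below is constructed for the demo."""
import hashlib, hmac, json, os, secrets

TAG = 16                 # bytes of HMAC tag kept on each ciphertext
LIFE = 8 * 3600          # ticket lifetime `life`, in seconds
MAX_SKEW = 300           # authenticators older than five minutes are rejected
ADDR = "10.0.0.7"        # constructed workstation address `addr`

def _stream(key, nonce, n):
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(n // 32 + 1))

def encrypt(key, obj):
    """{ obj }key : JSON, XOR with a keyed stream, then an HMAC tag so a wrong
    key or a tampered ticket is detected instead of decrypting to garbage."""
    data = json.dumps(obj).encode()
    nonce = os.urandom(8)
    body = nonce + bytes(a ^ b for a, b in zip(data, _stream(key, nonce, len(data))))
    return body + hmac.new(key, body, hashlib.sha256).digest()[:TAG]

def decrypt(key, blob):
    body, tag = blob[:-TAG], blob[-TAG:]
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()[:TAG]):
        raise ValueError("wrong key or tampered message")
    nonce, ct = body[:8], body[8:]
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

def user_key(password):
    return hashlib.sha256(password.encode()).digest()   # Kc = fn(password), stand-in fn

# Secrets held by the Kerberos server: Kc for each user, Ktgs and Ks (constructed).
KEYS = {"alice": user_key("correct horse"), "tgs": secrets.token_bytes(32),
        "printer": secrets.token_bytes(32)}

def ticket(c, s, now, skey):
    """T = c, s, addr, timestamp, life, session key (key carried as hex)."""
    return {"c": c, "s": s, "addr": ADDR, "ts": now, "life": LIFE, "key": skey.hex()}

def issue(issuer_key, c, s, now):
    """Step 2 / Step 4 reply: { Ksession, { T }Ks }issuer_key."""
    skey = secrets.token_bytes(32)
    return encrypt(issuer_key, {"key": skey.hex(),
                                "ticket": encrypt(KEYS[s], ticket(c, s, now, skey)).hex()})

def check(svc, t_blob, a_blob, addr, now, seen):
    """What the TGS (Step 3) and server s (Step 5) do with ticket + authenticator."""
    t = decrypt(KEYS[svc], t_blob)
    if t["s"] != svc or now > t["ts"] + t["life"]:
        raise ValueError("ticket is for another service or has expired")
    skey = bytes.fromhex(t["key"])
    a = decrypt(skey, a_blob)          # proves the sender holds the session key
    if (a["c"], a["addr"]) != (t["c"], t["addr"]) or a["addr"] != addr:
        raise ValueError("authenticator does not match ticket or sender")
    if abs(now - a["ts"]) > MAX_SKEW:
        raise ValueError("authenticator too old")
    if (a["c"], a["ts"]) in seen:      # record of recently received authenticators
        raise ValueError("replayed authenticator")
    seen.add((a["c"], a["ts"]))
    return t["c"], skey

def run_protocol(c, password, svc, now, seen=None):
    """Runs Steps 1..6 for client c; returns (server authenticated?,
    (ticket, authenticator) as sent to the server in Step 5)."""
    seen = seen if seen is not None else {"tgs": set(), svc: set()}
    reply = issue(KEYS[c], c, "tgs", now)                       # Steps 1-2
    msg = decrypt(user_key(password), reply)                    # Step 3: Kc from password
    kc_tgs, t_tgs = bytes.fromhex(msg["key"]), bytes.fromhex(msg["ticket"])
    a_tgs = encrypt(kc_tgs, {"c": c, "addr": ADDR, "ts": now})
    client, k = check("tgs", t_tgs, a_tgs, ADDR, now, seen["tgs"])
    msg = decrypt(kc_tgs, issue(k, client, svc, now))           # Step 4
    kc_s, t_s = bytes.fromhex(msg["key"]), bytes.fromhex(msg["ticket"])
    a_s = encrypt(kc_s, {"c": c, "addr": ADDR, "ts": now})       # Step 5
    _, k_s = check(svc, t_s, a_s, ADDR, now, seen[svc])
    proof = decrypt(kc_s, encrypt(k_s, {"ts": now + 1}))         # Step 6: timestamp + 1
    return proof["ts"] == now + 1, (t_s, a_s)

def resubmit(svc, t_blob, a_blob, now, seen):
    """Result of feeding a previously sent ticket + authenticator to server svc."""
    try:
        check(svc, t_blob, a_blob, ADDR, now, seen)
        return "accepted"
    except ValueError as e:
        return str(e)
```

Resubmitting the Step 5 pair to the same server is rejected by the "recently received" record, and resubmitting it ten minutes later is rejected by the age limit even with an empty record, which is why the slides need both checks: the record catches fast replays, the age limit bounds how long the record has to be kept. The cipher here is authenticated, so a wrong password surfaces as a decryption failure in Step 3; with plain DES as in the original design, the workstation would instead obtain garbage and fail later.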

