SlideShare a Scribd company logo

authentication u5.ppt

Download as PPT, PDF
R
RevathiMohan14

The document provides an overview of authentication protocols and cryptographic techniques. It discusses one-way and two-way authentication, including challenges and responses. Mediated authentication protocols like Needham-Schroeder and Otway-Rees are covered that use a trusted third party. Kerberos is also mentioned. Issues with passwords like guessing, storage and updating are summarized. Finally, the use of one-time passwords, public key cryptography, and key exchange protocols are outlined.

Education
1 of 85
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
Introduction to Practical Cryptography Protocols
Agenda • Authentication • Security Handshakes – One-way – Two-way • Mediated Authentication • Kerberos
Authentication Prove continuity in relationship – Basis of trust – Identification Who you are (biometrics) What you have (tokens) What you know Password: snoopy1 Mother’s maiden name: jones Pets name: snoopy Physical authentication: where you are
Network Authentication • Password • One-time Passwords (ex. tokens) • Network address – Caller-id - credit card – IP address – MAC address – banks • Cryptographic protocols
Concerns • Impersonation • Malicious insiders • Eavesdropping – Keyboard sniffers – Shoulder-surfing – Network sniffers – Trojan horses
2-Way Authentication • Authentication often needed in both directions • Server trusting user is not only concern – User must trust server – Ex. User accessing online bank account • Variety of “solutions” in user applications
Password-based Authentication • Proof by sharing • Doesn’t prevent insider attacks (system admin) • What is an appropriate password – length? snoopy, snoopy1, snoopy12 – reusable ? snoppy1, snoopy2, …. snoopy10, snoopy1 – timeframe? • How to do initial password distribution? lastname123, employee# • Simple approach, works with humans … until user has too many to remember – reuse across systems – Variations of something common: dog’s name – post-it on monitor – inconvenient to update, varying rules on what is appropriately complex, how often to change snoopy1, Snoopy1, snoopy-1
Storing Passwords • Per-node • Central repository • Hashed passwords • Password encryption – Salted passwords
Password Guessing • Online – Limited tries, exponential delays, alarm – But attacker can temporarily disable a user’s account – ex. 3 tries and account locked until user calls help desk • Offline: “dictionary” attack – Must capture password file – Try "obvious" passwords: snoopy, snoopy1, 1snoopy – Significant dates, easy patterns, personal information – While most systems disallow “dictionary words”, complexity rules still give information – know need a digit, punctuation character … Snoopy-12
Passwords as Keys • Directly as the key • Convert to secret key – Transient, one-way transformation (hash) – Increase work of attacker • Seed to pseudo-random number generator
One-Time Passwords • List of passwords used once only • Need to re-initialize periodically
OTPs – List Based • Example: – Hash password 1000 times, store result on server – Client hashes 999 times, sends to server – Server verifies hash of received value matches stored – result – Store received hash • Must be re-initialized periodically - over secure channel
Lamport’s Hash • One-time passwords • Server stores n, hashn(password) • User sends x = hashn-1(password) • Server computes hash(x), if = stored value, replaces stored value with n-1 , x • Safe from eavesdropping, server compromise not a problem for user • No public key cryptography • Authentication not mutual • Add salt to password before hashing – In case Alice uses same password on multiple systems – Salt must be stored on Alice’s system – Server uses hashn(password | salt)
• Examples – RSA – VASCO Digipass • Use a block cipher – Repeatedly encrypt – Continuously update every x seconds – Update each time user presses button • Some work in both directions – Customer enters OTP – Server returns OTP, customer (manually) compares it to value on token OTP Generators (Tokens)
• Help desk required – Synchronization not perfect – Premature battery death • Cost – $15-$25 – banks with million customers • User still needs pin (something you know + something you have) • “Necklace of Tokens” issue – Only recently integrated with cell phones – Still rare to have multiple tokens on single device • Non-standard algorithms – OATH effort Tokens - Issues
Cryptographic Authentication • Tokens, smart cards use crypto • Use a password (or key) in a cryptographic protocol – Prove possession of key – Mutual authentication • Usually coupled with encryption of data after authentication • Certificates – PKI covered in another lecture
Pairwise Keying Bob:xyz Alice:abc Fey: ghj George: 123 Emily: mkl Dave: klj Bob:xyz Alice:who Fey: bin Carol: 123 Emily: dog Dave: cat
Trusted Intermediaries (KDC) Key Distribution Center George-Bob:xyz George-Alice:who George-Fey: bin … Bob:13 Carol: 31 Dave: 7 ….
KDC • Can impersonate any node • Single point of failure • Potential bottleneck
Certificate Authority • Central point for certificates • Signs cert for Alice containing her public key • Others need only CA’s public key • Revocation? – Real time with online KDC – Offline CA –expiration date, certificate revocation list
Agenda • Authentication • Security Handshakes – One-way – Two-way • Mediated Authentication • Kerberos
Security Handshakes • Considerations when creating protocols – Attacks/Information leakage – One-way – Mutual Authentication
One-way Challenge-Response Problems? – Authentication not mutual – Connection hijacking after authentication – attacker spoofs Alice or Bob’s source address and send packets if conversation not encrypted – Off-line password/key attack – depends on length of K – Compromise of database/disk if K is stored, or temporary memory access Alice Bob I’m Alice challenge R f(K,R) K = shared key f: – encryption function – Bob just decrypts and verifies time in within allowed skew – hash – Bob needs to hash all times in allowable interval or Alice sends time
One-Way using Timestamp • Problems? – Impersonate Alice if intercept and send message – race condition – Keep list of used time stamps to prevent quick replay, but if use same K with multiple servers, could send message to another server and impersonate Alice – Clock skew/synchronization Alice Bob I’m Alice, f(K,timestamp)
One-way Using Public Key Alice Bob I’m Alice R [R]Apriv [R]Ax = R signed with Alice’s x key, where x is private (priv) or public (pub) key Alice Bob I’m Alice [R]Apub R Bob decrypts with Alice’s public key and verifies R was returned. Alice proves to Bob she has her private key by returning R
One-way Problems • First case: – Can send anything to Alice as R and get Alice to sign it • Second case: – Intercepted an encrypted message for Alice, send it and get Alice to decrypt it
Mutual Authentication
Mutual Authentication with Secret Key Alice Bob I’m Alice R1 f(K,R1) R2 f(K,R2)
Mutual Authentication with Secret Key Alice Bob I’m Alice, R2 f(K,R1) R1, f(K,R2) More efficient version:
Mutual Authentication with Secret Key Trudy Bob I’m Alice, R2 Doesn’t know K so can’t send f(K,R1) R1, f(K,R2) Trudy Bob I’m Alice, R1 Now use f(K,R1) in above attempt R3, f(K,R1) Reflection attack: Solutions: •Separate keys for each direction •Requirements on R values: odd in one direction, even in the other, concatenate with senders’ name
Password/Key Guessing • Also note, Trudy can get Bob to encrypt a value (or a several of values) and then try an offline attack to guess K • Have Bob return R1 value for Alice to encrypt Alice Bob I’m Alice f(K,R2) R2, f(K,R1) R1 Now Bob would have to reuse R1 in order for Trudy, who eavesdrops, to be able to use f(K,R1)
Timestamps • Same issues as before plus clock skew • Any modification to timestamp will work Alice Bob I’m Alice, f(K,timestamp) f(K,timestamp+1)
Mutual Authentication with Public Keys • how to obtains/store/validate Bob’s public key Alice Bob I’m Alice, [R2]Bpub R1 [R1]Apub, R2
Session Key • Once authentication occurs, want to encrypt data exchanged • Session key • If key to one session obtained, can’t decrypt all sessions • Don’t want known/easy to derive relationship among session keys
Agenda • Authentication • Security Handshakes – One-way – Two-way • Mediated Authentication • Kerberos
Mediated Authentication • Needham-Schroeder • Otway-Rees
Needham-Schroeder • N1, N2, N3 are nonces ("number used once") N1, Alice wants to talk to Bob Alice KDC Bob EKa(N1, "Bob", Kab, ticket) N1 authenticates KDC to Alice ticket = EKb(Kab, "Alice") EKab(N2), ticket EKab(N2 - 1, N3) EKab(N3 - 1) Bob decrypts ticket to get Kab Nonces used to verify each end has Kab
Expanded Needham-Schroeder • Issue - ticket doesn’t expire • If Trudy obtains Alice’s key and ticket, Trudy can connect to Bob even if Alice changes key. N1, Alice wants to talk to Bob, Ekb(Nb) Alice KDC Bob EKa(N1, "Bob", Kab, ticket) ticket = EKb(Kab, "Alice", Ekb(Nb)) EKab(N2), ticket EKab(N2 - 1, N3) EKab(N3 - 1) Ekb(Nb) I want to talk to you Nb is unique per session so can’t reuse ticket
Needham-Schroeder • Reflection attack in last steps if ECB mode (and nonce size = block size) Trudy->Bob: EKab(N2), ticket Bob->Trudy: EKab(N2 - 1, N4) Trudy->Bob: EKab(N4), ticket Bob->Trudy: EKab(N4 - 1, N5) Extract EKab(N4 - 1) and use in response of first run • CBC solves this Trudy doesn’t have Kab to obtain N4, needs N4-1 in next step, so get Bob to encrypt N4-1 Extract 1st block of ciphertext
Otway-Rees Suspicious party should generate challenge Alice KDC Bob EKa(Na, Kab) EKab(something recognizable) Nc, "Alice", "Bob", EKa(Na, Nc, "Alice", "Bob") EKa(Na, Nc, "Alice", "Bob"), EKb(Nb, Nc, "Alice", "Bob") Nc, EKa(Na, Kab), EKb(Nb, Kab) •Bob can’t decipher most of first message – forwards it to KDC •KDC verifies Nc matches in messages from Alice and Bob •KDC gives Bob message to forward to Alice •Alice trusts KDC and Bob are real - KDC would not have continued process if Bob did not have Kb to encrypt Nc and KDC was able to encrypt Na in message containing Kab •Bob trusts KDC – was able to encrypt Nb in message containing Kab •Last message proves to Bob that Alice knows Kab
Encrypted Key Exchange (EKE) Alice Bob Shared weak secret W = hash(Alice’s password) “Alice”, EW(ga mod p) EW(gb mod p, C1) EK(C1,C2) EK(C2) Both compute K = gab mod p Diffie-Hellman key exchange with exchange encrypted – removes man in middle Mutual authentication If try offline password attack, can’t determine correct plaintext – what is valid plaintext of ga mod p, gb mod p ? Stores Alice, W Both compute K = gab mod p
Kerberos • Based on Needham-Schroeder • Uses time and includes ticket expiration • Later in lecture
Nonces • Random number – 128-bit value negligible chance of being repeated • Timestamp – Synchronization – Predictable • Sequence number – Maintain state – Predictable?
Random Numbers • Be careful with seed • Size • Easily known value: timestamp • Divulging seed – don’t use some value included unencrypted in message
Performance • Number of messages exchanged • Number of operations – using secret key algorithm – using public key algorithm – using hash • And number of bytes involved
Checklist • Eavesdropping • Initiation of conversation/partial conversations • Impersonation by accepting a connection • Access to disk/database at either end • Man-in-middle
Agenda • Authentication • Security Handshakes – One-way – Two-way • Mediated Authentication • Kerberos
Needham-Schroeder • N1, N2, N3 are nonces ("number used once") N1, Alice wants to talk to Bob Alice KDC Bob EKa(N1, "Bob", Kab, ticket) N1 authenticates KDC to Alice ticket = EKb(Kab, "Alice") EKab(N2), ticket EKab(N2 - 1, N3) EKab(N3 - 1) Bob decrypts ticket to get Kab Nonces used to verify each end has Kab
Overview • Originally developed at MIT • An essential part of Windows servers • Authentication infrastructure – Designed to authenticate users to servers – Users must use their password as their initial key and must not be forced to retype it constantly • Based on Needham-Schroeder, with timestamps to limit key lifetime
Versions • MIT support: version 4 end-of-life in 2006 – DES – Protocol flaw • Original Needham-Schroeder protocol implicitly requires nonmalleable encryption: prevent an attacker, given a ciphertext, from producing a different ciphertext whose plaintext is meaningfully related to the plaintext of the original ciphertext. • Kerberos version 4 fails to provide by inadequately authenticating its messages. Nonmalleability concept was not well-developed at the time. – nonstandard propagating cipher block chaining (PCBC) mode. ciphertext block swaps being undetectable without additional integrity checking. – Implementation flaws • Version 5 – Fixes/improvements (delegation, ticket lifetime, key versions …) – Encoding changes – Optional, variable-length fields, types • Adds flexibility, but increases number of bytes per message and processing overhead
Design Goals • Users only have passwords to authenticate themselves • The network is completely insecure • It’s possible to protect the Kerberos server • The workstations have not been tampered with (not a safe assumption)
Resources Protected • Network access to home directory • Printer • IM system • Remote login • Anything else that requires authentication
Principals • A Kerberos entity is known as a principal • Could be a user or a system service • Principal names are tuples: V4: <primary name, instance, realm> V5: <primary name + variable fields, realm> • The realm identifies the Kerberos server
How Kerberos Works • Users present tickets — cryptographically sealed messages with session keys and identities — to obtain a service. • Use Needham-Schroeder (with password as Alice’s key) to get a Ticket-Granting Ticket (TGT); this ticket (and the associated key) are retained for future use during its lifetime. • Use the TGT (and TGT’s key) in a Needham- Schroeder dialog to obtain keys for each actual service
Shared Secret • Each principal (user, device) shares a secret (master key) with the Kerberos KDC • For users, this is their password (actually, a key derived from the password) • The KDC is assumed to be secure and trustworthy; anything it says can be believed
Kerberos Data Flow TGT is ticket granting ticket
Obtaining TGT Alice Workstation KDC AS_REQ Alice needs a TGT AS_REQ: authentication server request AS_REP: authentication server reply TGT: ticket granting ticket K_KDC is KDC’s master key AS_REP EKA(SA,TGT) Creates session key SA Looks up Alice’s master key KA Create TGT EK_KDC(Alice,SA,expire time) Alice, password KDC stateless – sends ticket, does not need to save a copy Workstation sends TGT when Alice needs to access remote resource
Ticket Request Alice Workstation KDC TGS_REQ Alice wants to talk to Bob TGT Authenticator = ESA(timestamp) TGS_REP ESA(Bob, KAB, ticket to Bob) Creates key KAB Decrypts TGT to get SA Decrypts authenticator to verify timestamp Looks up Bob’s key KB Creates ticket EKB(Alice, KAB) Login to Bob
Access Remote Resource Workstation (Alice) Bob AP_REQ Ticket to Bob = EKB(Alice, KAB) Authenticator = EKAB(timestamp) AP_REP EKAB(timestamp+1)
Messages • Message fields listed in text • Part of assigned readings • Know what they mean/are for • Don’t need to memorize list of fields for midterm
Service Tickets • Service tickets are almost identical to ticket-granting tickets • The differences is that they have the name of a different service — say, “email” — rather than the ticket-granting service • They’re encrypted in a key shared by the KDC and the service
Using Service Tickets • The client sends the service ticket and an authenticator to the service • The service decrypts the ticket, using its own key • The service knows it’s genuine, because only the KDC knows the key used to produce it • The service verifies that the ticket is for it and not some other service • It uses the enclosed key to decrypt and verify the authenticator • The net result is that the service knows the client’s principal name, extracted from the ticket
Authentication, Not Authorization • Kerberos is an authentication service • It does not (usually) provide authorization • The services know a genuine name for the client, vouched for by the KDC • They then make their own authorization decision based on this name
Bidirectional Authentication • Sometimes, the client wants to be sure of the server’s identity • It asks the server to prove that it, too, knows the session key • The server replies with EKAB(timestamp+1) using the same timestamp as was in the authenticator
Ticket Lifetime • TGTs typically last about 8–12 hours — the length of a login session • Service tickets can be long- or short-lived, but don’t outlive the TGT • Live tickets are cached by the client • When service tickets expire, they’re automatically and transparently renewed
Inter-Realm Tickets • A ticket from one realm can’t be used in another, since a KDC in one realm doesn’t share secrets with services in another realm • Realms can issue tickets to each other • A client can ask its KDC for a TGT to another realm’s KDC • The remote realm trusts the user’s KDC to vouch for the user’s identity • It then issues service tickets with the original realm’s name for the principal, not its own realm name
Putting Authorization in Tickets • Under certain circumstances, tickets can contain authorization information known or supplied to the KDC • Windows KDCs use this, to centralize authorization data • As a result, Windows and open source Kerberos KDCs don’t interoperate well. • Users can supply some authorization data, too, to restrict what other services do with proxy tickets
Proxy Tickets • Suppose a client wants to print a file • The print spooler doesn’t want to copy the user’s file; that’s expensive • The user obtains a proxy ticket granting the print spooler access to its files • The print spooler uses that ticket to read the user’s file
Restricting the Print Spooler • The client doesn’t want the spooler to have access to all of its files • It lists the appropriate file names in the proxy ticket request; the KDC puts that list of names into the proxy ticket • When the print spooler presents the proxy ticket to a file server, it will only be given those files • Note: the file server must verify that the client has access to those files.
Limitations of Kerberos • Ticket cache security • Password-guessing • Subverted login command
Ticket Cache Security • Where are cached tickets stored? • Often in /tmp — is the OS protection good enough? • Less of an issue on single-user workstations; often a threat on multi-user machines • Note: /tmp needs to be a local disk, and not something mounted via NFS. . .
Subverting Login • No great solutions. • Keystroke loggers are a real threat today • Some theoretical work on secure network booting
Version 5 Changes
Delegation • Delegation of rights – Alice wants Bob to access resource X on behalf of Alice for time t. • Example: Alice logs into host Bob then wants to log into host X from Bob – Alice can request ticket with Bob’s address or a list of addresses – Ticket can include application specific data – not used by Kerberos but used by host • Can set to not allow delegation
Ticket Lifetime • V4: 21 hours max • V5: up to Dec. 31, 9999 • Lifetime in seconds • Not revocable – be careful • Time ticket granted, start time and stop time • Renew until – instead of long lifetime, give option to keep renewing – If stop using/needing ticket, won’t remain open • Postdating • Grant ticket to run some process in future – Batch job at end of week but requested ticket at beginning of week
Key Version • Suppose Alice has ticket to Bob • Bob changes his key with KDC • KDC keeps versions both versions of Bob’s key (key, version) • Alice’s ticket keeps working until it expires • Any other renewable or post-dated ticket will work with old key
Master Keys and Realms • Master keys – key between entity (such as Alice) and KDC • Alice registered to realms R1, R2 – Uses same password • Hash password with realm name to get master key • If attacker gets Alice’s password, still can compute both master keys • But R1 and R2 don’t have the other’s master key for Alice. If attacker breaks into one, won’t get both keys.
Repairs • Insert new cipher (AES) to replace DES • Checksum fix for integrity – replaced by choice of algorithm • PCBC – replaced by choice (AES-CBC common)
Hierarchy of Realms B C D E G H F J I A H to D, go through E then B List transited realms in ticket, don’t give transited realms power to impersonate others If don’t trust one realm, all realms visited after that one are suspect
Hierarchy of Realms B C D E G H F J I A May have short cut links F talks directly to B instead of C then A then B
Password Guessing • V4: anyone can send ticket request to KDC Alice wants to talk to Bob Trudy KDC • V5: include encrypted timestamp Alice wants to talk to Bob, EKa(timestamp) Alice KDC
Password-Guessing • Kerberos tickets have verifiable plaintext • An attacker can run password-guessing programs on intercepted ticket-granting tickets (Merritt and Bellovin invented EKE while studying this problem with Kerberos.) • Kerberos uses passphrases instead of passwords • Does this make guessing harder? Not sure
Password Guessing • On many Kerberos systems, anyone can ask the KDC for a TGT • There’s no need to eavesdrop to get them — you can get all the TGTs you want over the Internet. • Solution: preauthentication • The initial request includes a timestamp encrypted with Kc • It’s still verifiable plaintext, but collecting TGTs becomes harder again
Multiple Sessions – Added Security • Alice opens two sessions to Bob • Don’t want Trudy swapping messages between sessions • Alice specifies different session key to use for each
Other Protocols in Practice • SSH • TLS • IPsec • Application aware – transport layer or above • Application not aware - IP layer

More Related Content

PPT
Cryptography and DNS-Computer network.ppt
Sheba56
 
PPT
authentication.ppt
AchinikeWinifred
 
PPTX
20 security
abiy2004
 
PPTX
SSL/TLS 101
Chul-Woong Yang
 
PDF
SSL/TLS 101
Chul-Woong Yang
 
PPT
Network Security.ppt
ChSheraz3
 
PPT
cryptography.ppt by karthika kumar hirehegaalla
hhjhona939
 
PPT
cryptography.pptcryptography.pptcryptography.ppt
ssuserc7a853
 
Cryptography and DNS-Computer network.ppt
Sheba56
 
authentication.ppt
AchinikeWinifred
 
20 security
abiy2004
 
SSL/TLS 101
Chul-Woong Yang
 
SSL/TLS 101
Chul-Woong Yang
 
Network Security.ppt
ChSheraz3
 
cryptography.ppt by karthika kumar hirehegaalla
hhjhona939
 
cryptography.pptcryptography.pptcryptography.ppt
ssuserc7a853
 

Similar to authentication u5.ppt (20)

PPTX
Part 5 : Sharing resources, security principles and protocols
Olivier Bonaventure
 
PPT
Introduction to cryptography and Network Security
DhanapalM8
 
PPTX
Cryptography
Sandip kumar
 
PDF
CyberSecurity_Cryptography and its fundamentals
Priyank974941
 
PDF
Applied cryptanalysis - stream ciphers
Vlad Garbuz
 
PPT
Cryptography & Digital certificate
Deepak Kumar (D3)
 
PPTX
«Applied cryptanalysis stream ciphers» by Vladimir Garbuz
0xdec0de
 
PPTX
Cryptography & Network Security By, Er. Swapnil Kaware
Prof. Swapnil V. Kaware
 
PPT
Authentication: keys, MAC
Shafaan Khaliq Bhatti
 
PPT
Security.ppt
SherefHesham
 
PPTX
Network security
Perfect Training Center
 
PPTX
Part2-Apps-Security.pptx
Olivier Bonaventure
 
PPT
Cryptography.ppt
PriyanshuGupta896141
 
PPTX
Part2-Apps-Security.pptx
Olivier Bonaventure
 
PDF
5.3. Undercover communications
defconmoscow
 
PPTX
Cryptography
Jens Patel
 
PPTX
Class 17
Dr. Ajith Sundaram
 
PPT
Computer systems security 7-cryptography.ppt
stephen972973
 
PPT
network security
SayantanRoy14
 
PPT
Crypt
Mir Majid
 
Part 5 : Sharing resources, security principles and protocols
Olivier Bonaventure
 
Introduction to cryptography and Network Security
DhanapalM8
 
Cryptography
Sandip kumar
 
CyberSecurity_Cryptography and its fundamentals
Priyank974941
 
Applied cryptanalysis - stream ciphers
Vlad Garbuz
 
Cryptography & Digital certificate
Deepak Kumar (D3)
 
«Applied cryptanalysis stream ciphers» by Vladimir Garbuz
0xdec0de
 
Cryptography & Network Security By, Er. Swapnil Kaware
Prof. Swapnil V. Kaware
 
Authentication: keys, MAC
Shafaan Khaliq Bhatti
 
Security.ppt
SherefHesham
 
Network security
Perfect Training Center
 
Part2-Apps-Security.pptx
Olivier Bonaventure
 
Cryptography.ppt
PriyanshuGupta896141
 
Part2-Apps-Security.pptx
Olivier Bonaventure
 
5.3. Undercover communications
defconmoscow
 
Cryptography
Jens Patel
 
Class 17
Dr. Ajith Sundaram
 
Computer systems security 7-cryptography.ppt
stephen972973
 
network security
SayantanRoy14
 
Crypt
Mir Majid
 

More from RevathiMohan14 (6)

PPT
unit5NtwManagement.ppt
RevathiMohan14
 
PPT
15757597 (1).ppt
RevathiMohan14
 
PDF
BJTu5.pdf
RevathiMohan14
 
PDF
Lec-4-Simulators.pdf
RevathiMohan14
 
PPT
RobertPresentation.ppt
RevathiMohan14
 
PPT
MOSFET_Scaling0803.ppt
RevathiMohan14
 
unit5NtwManagement.ppt
RevathiMohan14
 
15757597 (1).ppt
RevathiMohan14
 
BJTu5.pdf
RevathiMohan14
 
Lec-4-Simulators.pdf
RevathiMohan14
 
RobertPresentation.ppt
RevathiMohan14
 
MOSFET_Scaling0803.ppt
RevathiMohan14
 

Recently uploaded (20)

PPTX
Cleaning Validation Ppt Pharmaceutical validation
Ms. Ashatai Patil
 
PPTX
Continental Accounting in Odoo 18 - Odoo Slides
Celine George
 
PPTX
CARE OF UNCONSCIOUS PATIENTS .pptx
AneetaSharma15
 
PPTX
How to Track Skills & Contracts Using Odoo 18 Employee
Celine George
 
PPTX
Gupta Art & Architecture Temple and Sculptures.pptx
Virag Sontakke
 
PDF
Module 2: Public Health History [Tutorial Slides]
JonathanHallett4
 
PPTX
Virus sequence retrieval from NCBI database
yamunaK13
 
PPTX
Information Texts_Infographic on Forgetting Curve.pptx
Tata Sevilla
 
PPTX
20250924 Navigating the Future: How to tell the difference between an emergen...
McGuinness Institute
 
PPTX
CONCEPT OF CHILD CARE. pptx
AneetaSharma15
 
PPTX
How to Manage Leads in Odoo 18 CRM - Odoo Slides
Celine George
 
PPTX
Artificial Intelligence in Gastroentrology: Advancements and Future Presprec...
AyanHossain
 
PPTX
An introduction to Dialogue writing.pptx
drsiddhantnagine
 
DOCX
Modul Ajar Deep Learning Bahasa Inggris Kelas 11 Terbaru 2025
wahyurestu63
 
PPTX
Five Point Someone – Chetan Bhagat | Book Summary & Analysis by Bhupesh Kushwaha
Bhupesh Kushwaha
 
PPTX
PROTIEN ENERGY MALNUTRITION: NURSING MANAGEMENT.pptx
PRADEEP ABOTHU
 
PPTX
How to Apply for a Job From Odoo 18 Website
Celine George
 
DOCX
pgdei-UNIT -V Neurological Disorders & developmental disabilities
JELLA VISHNU DURGA PRASAD
 
PPTX
Sonnet 130_ My Mistress’ Eyes Are Nothing Like the Sun By William Shakespear...
DhatriParmar
 
PPTX
HISTORY COLLECTION FOR PSYCHIATRIC PATIENTS.pptx
PoojaSen20
 
Cleaning Validation Ppt Pharmaceutical validation
Ms. Ashatai Patil
 
Continental Accounting in Odoo 18 - Odoo Slides
Celine George
 
CARE OF UNCONSCIOUS PATIENTS .pptx
AneetaSharma15
 
How to Track Skills & Contracts Using Odoo 18 Employee
Celine George
 
Gupta Art & Architecture Temple and Sculptures.pptx
Virag Sontakke
 
Module 2: Public Health History [Tutorial Slides]
JonathanHallett4
 
Virus sequence retrieval from NCBI database
yamunaK13
 
Information Texts_Infographic on Forgetting Curve.pptx
Tata Sevilla
 
20250924 Navigating the Future: How to tell the difference between an emergen...
McGuinness Institute
 
CONCEPT OF CHILD CARE. pptx
AneetaSharma15
 
How to Manage Leads in Odoo 18 CRM - Odoo Slides
Celine George
 
Artificial Intelligence in Gastroentrology: Advancements and Future Presprec...
AyanHossain
 
An introduction to Dialogue writing.pptx
drsiddhantnagine
 
Modul Ajar Deep Learning Bahasa Inggris Kelas 11 Terbaru 2025
wahyurestu63
 
Five Point Someone – Chetan Bhagat | Book Summary & Analysis by Bhupesh Kushwaha
Bhupesh Kushwaha
 
PROTIEN ENERGY MALNUTRITION: NURSING MANAGEMENT.pptx
PRADEEP ABOTHU
 
How to Apply for a Job From Odoo 18 Website
Celine George
 
pgdei-UNIT -V Neurological Disorders & developmental disabilities
JELLA VISHNU DURGA PRASAD
 
Sonnet 130_ My Mistress’ Eyes Are Nothing Like the Sun By William Shakespear...
DhatriParmar
 
HISTORY COLLECTION FOR PSYCHIATRIC PATIENTS.pptx
PoojaSen20
 

authentication u5.ppt

  • 2. Agenda • Authentication • Security Handshakes – One-way – Two-way • Mediated Authentication • Kerberos
  • 3. Authentication Prove continuity in relationship – Basis of trust – Identification Who you are (biometrics) What you have (tokens) What you know Password: snoopy1 Mother’s maiden name: jones Pets name: snoopy Physical authentication: where you are
  • 4. Network Authentication • Password • One-time Passwords (ex. tokens) • Network address – Caller-id - credit card – IP address – MAC address – banks • Cryptographic protocols
  • 5. Concerns • Impersonation • Malicious insiders • Eavesdropping – Keyboard sniffers – Shoulder-surfing – Network sniffers – Trojan horses
  • 6. 2-Way Authentication • Authentication often needed in both directions • Server trusting user is not only concern – User must trust server – Ex. User accessing online bank account • Variety of “solutions” in user applications
  • 7. Password-based Authentication • Proof by sharing • Doesn’t prevent insider attacks (system admin) • What is an appropriate password – length? snoopy, snoopy1, snoopy12 – reusable ? snoppy1, snoopy2, …. snoopy10, snoopy1 – timeframe? • How to do initial password distribution? lastname123, employee# • Simple approach, works with humans … until user has too many to remember – reuse across systems – Variations of something common: dog’s name – post-it on monitor – inconvenient to update, varying rules on what is appropriately complex, how often to change snoopy1, Snoopy1, snoopy-1
  • 8. Storing Passwords • Per-node • Central repository • Hashed passwords • Password encryption – Salted passwords
  • 9. Password Guessing • Online – Limited tries, exponential delays, alarm – But attacker can temporarily disable a user’s account – ex. 3 tries and account locked until user calls help desk • Offline: “dictionary” attack – Must capture password file – Try "obvious" passwords: snoopy, snoopy1, 1snoopy – Significant dates, easy patterns, personal information – While most systems disallow “dictionary words”, complexity rules still give information – know need a digit, punctuation character … Snoopy-12
  • 10. Passwords as Keys • Directly as the key • Convert to secret key – Transient, one-way transformation (hash) – Increase work of attacker • Seed to pseudo-random number generator
  • 11. One-Time Passwords • List of passwords used once only • Need to re-initialize periodically
  • 12. OTPs – List Based • Example: – Hash password 1000 times, store result on server – Client hashes 999 times, sends to server – Server verifies hash of received value matches stored – result – Store received hash • Must be re-initialized periodically - over secure channel
  • 13. Lamport’s Hash • One-time passwords • Server stores n, hashn(password) • User sends x = hashn-1(password) • Server computes hash(x), if = stored value, replaces stored value with n-1 , x • Safe from eavesdropping, server compromise not a problem for user • No public key cryptography • Authentication not mutual • Add salt to password before hashing – In case Alice uses same password on multiple systems – Salt must be stored on Alice’s system – Server uses hashn(password | salt)
  • 14. • Examples – RSA – VASCO Digipass • Use a block cipher – Repeatedly encrypt – Continuously update every x seconds – Update each time user presses button • Some work in both directions – Customer enters OTP – Server returns OTP, customer (manually) compares it to value on token OTP Generators (Tokens)
  • 15. • Help desk required – Synchronization not perfect – Premature battery death • Cost – $15-$25 – banks with million customers • User still needs pin (something you know + something you have) • “Necklace of Tokens” issue – Only recently integrated with cell phones – Still rare to have multiple tokens on single device • Non-standard algorithms – OATH effort Tokens - Issues
  • 16. Cryptographic Authentication • Tokens, smart cards use crypto • Use a password (or key) in a cryptographic protocol – Prove possession of key – Mutual authentication • Usually coupled with encryption of data after authentication • Certificates – PKI covered in another lecture
  • 17. Pairwise Keying Bob:xyz Alice:abc Fey: ghj George: 123 Emily: mkl Dave: klj Bob:xyz Alice:who Fey: bin Carol: 123 Emily: dog Dave: cat
  • 18. Trusted Intermediaries (KDC) Key Distribution Center George-Bob:xyz George-Alice:who George-Fey: bin … Bob:13 Carol: 31 Dave: 7 ….
  • 19. KDC • Can impersonate any node • Single point of failure • Potential bottleneck
  • 20. Certificate Authority • Central point for certificates • Signs cert for Alice containing her public key • Others need only CA’s public key • Revocation? – Real time with online KDC – Offline CA –expiration date, certificate revocation list
  • 21. Agenda • Authentication • Security Handshakes – One-way – Two-way • Mediated Authentication • Kerberos
  • 22. Security Handshakes • Considerations when creating protocols – Attacks/Information leakage – One-way – Mutual Authentication
  • 23. One-way Challenge-Response Problems? – Authentication not mutual – Connection hijacking after authentication – attacker spoofs Alice or Bob’s source address and send packets if conversation not encrypted – Off-line password/key attack – depends on length of K – Compromise of database/disk if K is stored, or temporary memory access Alice Bob I’m Alice challenge R f(K,R) K = shared key f: – encryption function – Bob just decrypts and verifies time in within allowed skew – hash – Bob needs to hash all times in allowable interval or Alice sends time
  • 24. One-Way using Timestamp • Problems? – Impersonate Alice if intercept and send message – race condition – Keep list of used time stamps to prevent quick replay, but if use same K with multiple servers, could send message to another server and impersonate Alice – Clock skew/synchronization Alice Bob I’m Alice, f(K,timestamp)
  • 25. One-way Using Public Key Alice Bob I’m Alice R [R]Apriv [R]Ax = R signed with Alice’s x key, where x is private (priv) or public (pub) key Alice Bob I’m Alice [R]Apub R Bob decrypts with Alice’s public key and verifies R was returned. Alice proves to Bob she has her private key by returning R
  • 26. One-way Problems • First case: – Can send anything to Alice as R and get Alice to sign it • Second case: – Intercepted an encrypted message for Alice, send it and get Alice to decrypt it
  • 28. Mutual Authentication with Secret Key Alice Bob I’m Alice R1 f(K,R1) R2 f(K,R2)
  • 29. Mutual Authentication with Secret Key Alice Bob I’m Alice, R2 f(K,R1) R1, f(K,R2) More efficient version:
  • 30. Mutual Authentication with Secret Key Trudy Bob I’m Alice, R2 Doesn’t know K so can’t send f(K,R1) R1, f(K,R2) Trudy Bob I’m Alice, R1 Now use f(K,R1) in above attempt R3, f(K,R1) Reflection attack: Solutions: •Separate keys for each direction •Requirements on R values: odd in one direction, even in the other, concatenate with senders’ name
  • 31. Password/Key Guessing • Also note, Trudy can get Bob to encrypt a value (or a several of values) and then try an offline attack to guess K • Have Bob return R1 value for Alice to encrypt Alice Bob I’m Alice f(K,R2) R2, f(K,R1) R1 Now Bob would have to reuse R1 in order for Trudy, who eavesdrops, to be able to use f(K,R1)
  • 32. Timestamps • Same issues as before plus clock skew • Any modification to timestamp will work Alice Bob I’m Alice, f(K,timestamp) f(K,timestamp+1)
  • 33. Mutual Authentication with Public Keys • how to obtains/store/validate Bob’s public key Alice Bob I’m Alice, [R2]Bpub R1 [R1]Apub, R2
  • 34. Session Key • Once authentication occurs, want to encrypt data exchanged • Session key • If key to one session obtained, can’t decrypt all sessions • Don’t want known/easy to derive relationship among session keys
  • 35. Agenda • Authentication • Security Handshakes – One-way – Two-way • Mediated Authentication • Kerberos
  • 37. Needham-Schroeder • N1, N2, N3 are nonces ("number used once") N1, Alice wants to talk to Bob Alice KDC Bob EKa(N1, "Bob", Kab, ticket) N1 authenticates KDC to Alice ticket = EKb(Kab, "Alice") EKab(N2), ticket EKab(N2 - 1, N3) EKab(N3 - 1) Bob decrypts ticket to get Kab Nonces used to verify each end has Kab
  • 38. Expanded Needham-Schroeder • Issue - ticket doesn’t expire • If Trudy obtains Alice’s key and ticket, Trudy can connect to Bob even if Alice changes key. N1, Alice wants to talk to Bob, Ekb(Nb) Alice KDC Bob EKa(N1, "Bob", Kab, ticket) ticket = EKb(Kab, "Alice", Ekb(Nb)) EKab(N2), ticket EKab(N2 - 1, N3) EKab(N3 - 1) Ekb(Nb) I want to talk to you Nb is unique per session so can’t reuse ticket
  • 39. Needham-Schroeder • Reflection attack in last steps if ECB mode (and nonce size = block size) Trudy->Bob: EKab(N2), ticket Bob->Trudy: EKab(N2 - 1, N4) Trudy->Bob: EKab(N4), ticket Bob->Trudy: EKab(N4 - 1, N5) Extract EKab(N4 - 1) and use in response of first run • CBC solves this Trudy doesn’t have Kab to obtain N4, needs N4-1 in next step, so get Bob to encrypt N4-1 Extract 1st block of ciphertext
  • 40. Otway-Rees Suspicious party should generate challenge Alice KDC Bob EKa(Na, Kab) EKab(something recognizable) Nc, "Alice", "Bob", EKa(Na, Nc, "Alice", "Bob") EKa(Na, Nc, "Alice", "Bob"), EKb(Nb, Nc, "Alice", "Bob") Nc, EKa(Na, Kab), EKb(Nb, Kab) •Bob can’t decipher most of first message – forwards it to KDC •KDC verifies Nc matches in messages from Alice and Bob •KDC gives Bob message to forward to Alice •Alice trusts KDC and Bob are real - KDC would not have continued process if Bob did not have Kb to encrypt Nc and KDC was able to encrypt Na in message containing Kab •Bob trusts KDC – was able to encrypt Nb in message containing Kab •Last message proves to Bob that Alice knows Kab
  • 41. Encrypted Key Exchange (EKE) Alice Bob Shared weak secret W = hash(Alice’s password) “Alice”, EW(ga mod p) EW(gb mod p, C1) EK(C1,C2) EK(C2) Both compute K = gab mod p Diffie-Hellman key exchange with exchange encrypted – removes man in middle Mutual authentication If try offline password attack, can’t determine correct plaintext – what is valid plaintext of ga mod p, gb mod p ? Stores Alice, W Both compute K = gab mod p
  • 42. Kerberos • Based on Needham-Schroeder • Uses time and includes ticket expiration • Later in lecture
  • 43. Nonces • Random number – 128-bit value negligible chance of being repeated • Timestamp – Synchronization – Predictable • Sequence number – Maintain state – Predictable?
  • 44. Random Numbers • Be careful with seed • Size • Easily known value: timestamp • Divulging seed – don’t use some value included unencrypted in message
  • 45. Performance • Number of messages exchanged • Number of operations – using secret key algorithm – using public key algorithm – using hash • And number of bytes involved
  • 46. Checklist • Eavesdropping • Initiation of conversation/partial conversations • Impersonation by accepting a connection • Access to disk/database at either end • Man-in-middle
  • 47. Agenda • Authentication • Security Handshakes – One-way – Two-way • Mediated Authentication • Kerberos
  • 48. Needham-Schroeder • N1, N2, N3 are nonces ("number used once") N1, Alice wants to talk to Bob Alice KDC Bob EKa(N1, "Bob", Kab, ticket) N1 authenticates KDC to Alice ticket = EKb(Kab, "Alice") EKab(N2), ticket EKab(N2 - 1, N3) EKab(N3 - 1) Bob decrypts ticket to get Kab Nonces used to verify each end has Kab
  • 49. Overview • Originally developed at MIT • An essential part of Windows servers • Authentication infrastructure – Designed to authenticate users to servers – Users must use their password as their initial key and must not be forced to retype it constantly • Based on Needham-Schroeder, with timestamps to limit key lifetime
  • 50. Versions • MIT support: version 4 end-of-life in 2006 – DES – Protocol flaw • Original Needham-Schroeder protocol implicitly requires nonmalleable encryption: prevent an attacker, given a ciphertext, from producing a different ciphertext whose plaintext is meaningfully related to the plaintext of the original ciphertext. • Kerberos version 4 fails to provide by inadequately authenticating its messages. Nonmalleability concept was not well-developed at the time. – nonstandard propagating cipher block chaining (PCBC) mode. ciphertext block swaps being undetectable without additional integrity checking. – Implementation flaws • Version 5 – Fixes/improvements (delegation, ticket lifetime, key versions …) – Encoding changes – Optional, variable-length fields, types • Adds flexibility, but increases number of bytes per message and processing overhead
  • 51. Design Goals • Users only have passwords to authenticate themselves • The network is completely insecure • It’s possible to protect the Kerberos server • The workstations have not been tampered with (not a safe assumption)
  • 52. Resources Protected • Network access to home directory • Printer • IM system • Remote login • Anything else that requires authentication
  • 53. Principals • A Kerberos entity is known as a principal • Could be a user or a system service • Principal names are tuples: V4: <primary name, instance, realm> V5: <primary name + variable fields, realm> • The realm identifies the Kerberos server
  • 54. How Kerberos Works • Users present tickets — cryptographically sealed messages with session keys and identities — to obtain a service. • Use Needham-Schroeder (with password as Alice’s key) to get a Ticket-Granting Ticket (TGT); this ticket (and the associated key) are retained for future use during its lifetime. • Use the TGT (and TGT’s key) in a Needham- Schroeder dialog to obtain keys for each actual service
  • 55. Shared Secret • Each principal (user, device) shares a secret (master key) with the Kerberos KDC • For users, this is their password (actually, a key derived from the password) • The KDC is assumed to be secure and trustworthy; anything it says can be believed
  • 56. Kerberos Data Flow TGT is ticket granting ticket
  • 57. Obtaining TGT Alice Workstation KDC AS_REQ Alice needs a TGT AS_REQ: authentication server request AS_REP: authentication server reply TGT: ticket granting ticket K_KDC is KDC’s master key AS_REP EKA(SA,TGT) Creates session key SA Looks up Alice’s master key KA Create TGT EK_KDC(Alice,SA,expire time) Alice, password KDC stateless – sends ticket, does not need to save a copy Workstation sends TGT when Alice needs to access remote resource
  • 58. Ticket Request Alice Workstation KDC TGS_REQ Alice wants to talk to Bob TGT Authenticator = ESA(timestamp) TGS_REP ESA(Bob, KAB, ticket to Bob) Creates key KAB Decrypts TGT to get SA Decrypts authenticator to verify timestamp Looks up Bob’s key KB Creates ticket EKB(Alice, KAB) Login to Bob
  • 59. Access Remote Resource Workstation (Alice) Bob AP_REQ Ticket to Bob = EKB(Alice, KAB) Authenticator = EKAB(timestamp) AP_REP EKAB(timestamp+1)
  • 60. Messages • Message fields listed in text • Part of assigned readings • Know what they mean/are for • Don’t need to memorize list of fields for midterm
  • 61. Service Tickets • Service tickets are almost identical to ticket-granting tickets • The differences is that they have the name of a different service — say, “email” — rather than the ticket-granting service • They’re encrypted in a key shared by the KDC and the service
  • 62. Using Service Tickets • The client sends the service ticket and an authenticator to the service • The service decrypts the ticket, using its own key • The service knows it’s genuine, because only the KDC knows the key used to produce it • The service verifies that the ticket is for it and not some other service • It uses the enclosed key to decrypt and verify the authenticator • The net result is that the service knows the client’s principal name, extracted from the ticket
  • 63. Authentication, Not Authorization • Kerberos is an authentication service • It does not (usually) provide authorization • The services know a genuine name for the client, vouched for by the KDC • They then make their own authorization decision based on this name
  • 64. Bidirectional Authentication • Sometimes, the client wants to be sure of the server’s identity • It asks the server to prove that it, too, knows the session key • The server replies with EKAB(timestamp+1) using the same timestamp as was in the authenticator
  • 65. Ticket Lifetime • TGTs typically last about 8–12 hours — the length of a login session • Service tickets can be long- or short-lived, but don’t outlive the TGT • Live tickets are cached by the client • When service tickets expire, they’re automatically and transparently renewed
  • 66. Inter-Realm Tickets • A ticket from one realm can’t be used in another, since a KDC in one realm doesn’t share secrets with services in another realm • Realms can issue tickets to each other • A client can ask its KDC for a TGT to another realm’s KDC • The remote realm trusts the user’s KDC to vouch for the user’s identity • It then issues service tickets with the original realm’s name for the principal, not its own realm name
  • 67. Putting Authorization in Tickets • Under certain circumstances, tickets can contain authorization information known or supplied to the KDC • Windows KDCs use this, to centralize authorization data • As a result, Windows and open source Kerberos KDCs don’t interoperate well. • Users can supply some authorization data, too, to restrict what other services do with proxy tickets
  • 68. Proxy Tickets • Suppose a client wants to print a file • The print spooler doesn’t want to copy the user’s file; that’s expensive • The user obtains a proxy ticket granting the print spooler access to its files • The print spooler uses that ticket to read the user’s file
  • 69. Restricting the Print Spooler • The client doesn’t want the spooler to have access to all of its files • It lists the appropriate file names in the proxy ticket request; the KDC puts that list of names into the proxy ticket • When the print spooler presents the proxy ticket to a file server, it will only be given those files • Note: the file server must verify that the client has access to those files.
  • 70. Limitations of Kerberos • Ticket cache security • Password-guessing • Subverted login command
  • 71. Ticket Cache Security • Where are cached tickets stored? • Often in /tmp — is the OS protection good enough? • Less of an issue on single-user workstations; often a threat on multi-user machines • Note: /tmp needs to be a local disk, and not something mounted via NFS. . .
  • 72. Subverting Login • No great solutions. • Keystroke loggers are a real threat today • Some theoretical work on secure network booting
  • 74. Delegation • Delegation of rights – Alice wants Bob to access resource X on behalf of Alice for time t. • Example: Alice logs into host Bob then wants to log into host X from Bob – Alice can request ticket with Bob’s address or a list of addresses – Ticket can include application specific data – not used by Kerberos but used by host • Can set to not allow delegation
  • 75. Ticket Lifetime • V4: 21 hours max • V5: up to Dec. 31, 9999 • Lifetime in seconds • Not revocable – be careful • Time ticket granted, start time and stop time • Renew until – instead of long lifetime, give option to keep renewing – If stop using/needing ticket, won’t remain open • Postdating • Grant ticket to run some process in future – Batch job at end of week but requested ticket at beginning of week
  • 76. Key Version • Suppose Alice has ticket to Bob • Bob changes his key with KDC • KDC keeps versions both versions of Bob’s key (key, version) • Alice’s ticket keeps working until it expires • Any other renewable or post-dated ticket will work with old key
  • 77. Master Keys and Realms • Master keys – key between entity (such as Alice) and KDC • Alice registered to realms R1, R2 – Uses same password • Hash password with realm name to get master key • If attacker gets Alice’s password, still can compute both master keys • But R1 and R2 don’t have the other’s master key for Alice. If attacker breaks into one, won’t get both keys.
  • 78. Repairs • Insert new cipher (AES) to replace DES • Checksum fix for integrity – replaced by choice of algorithm • PCBC – replaced by choice (AES-CBC common)
  • 79. Hierarchy of Realms B C D E G H F J I A H to D, go through E then B List transited realms in ticket, don’t give transited realms power to impersonate others If don’t trust one realm, all realms visited after that one are suspect
  • 80. Hierarchy of Realms B C D E G H F J I A May have short cut links F talks directly to B instead of C then A then B
  • 81. Password Guessing • V4: anyone can send ticket request to KDC Alice wants to talk to Bob Trudy KDC • V5: include encrypted timestamp Alice wants to talk to Bob, EKa(timestamp) Alice KDC
  • 82. Password-Guessing • Kerberos tickets have verifiable plaintext • An attacker can run password-guessing programs on intercepted ticket-granting tickets (Merritt and Bellovin invented EKE while studying this problem with Kerberos.) • Kerberos uses passphrases instead of passwords • Does this make guessing harder? Not sure
  • 83. Password Guessing • On many Kerberos systems, anyone can ask the KDC for a TGT • There’s no need to eavesdrop to get them — you can get all the TGTs you want over the Internet. • Solution: preauthentication • The initial request includes a timestamp encrypted with Kc • It’s still verifiable plaintext, but collecting TGTs becomes harder again
  • 84. Multiple Sessions – Added Security • Alice opens two sessions to Bob • Don’t want Trudy swapping messages between sessions • Alice specifies different session key to use for each
  • 85. Other Protocols in Practice • SSH • TLS • IPsec • Application aware – transport layer or above • Application not aware - IP layer