2550 Intro to cybersecurity
L5: Distributed Authentication
abhi shelat/Ran Cohen Agenda
• The problem of distributed authentication
• The Needham-Schroeder protocol • Kerberos protocol
• Oauth So far: authenticating to a server
Mallory
Alice Bob
Gen pw pw Authenticating to an organization
Mallory
Alice
Gen pw pw Authenticating to an organization
Mallory
Alice
Gen pw pw Distributed authentication
• Organizations have many entities (users/services) • Secure communication over insecure channels • Password-based authentication • Passwords are never transmitted (except for the setup phase) • Enable mutual authentication Basic tool: symmetric encryption
Alice Bob
푚 푚
Eve Basic tool: symmetric encryption
• Gen: generates secret key 푘 • Enc: given 푘 and 푚 output a ciphertext 푐 Denote 퐸푛푐푘 푚 , 퐸푘 푚 , 푚 푘 • Dec: given 푘 and 푐 output a message 푚 • Security (informal): Whatever Eve can learn on 푚 given 푐 can be learned without 푐 • Examples: – DES (Data Encryption Standard) – AES (Advanced Encryption Standard) 푚 Authentication from Encryption
• Alice and Bob share a key • They communicate over an insecure channel • Alice wants to prove her identity to Bob • Eve’s goal: impersonate Alice
Alice Bob
푘퐴퐵 푘퐴퐵
Eve Attempt #1
Alice Bob I am Alice
푘퐴퐵 푘퐴퐵
I am Alice
Eve Attempt #2: use the key
Alice Bob I am Alice 푘퐴퐵
푘퐴퐵 푘퐴퐵
I am Alice 푘퐴퐵 Replay attack
Eve Attempt #3: use nonce
Alice I am Alice Bob 푁푎 푘퐴퐵 Pay Eve 500$ 푁푎 − 1 푘퐴퐵 푘퐴퐵
푘퐴퐵 푘퐴퐵
Nonce: a random number for a one-time use Eve Attempt #3: use nonce
Alice I am Alice Bob 푁푎 푘퐴퐵 Pay Eve 500$ 푁푎 − 1 푘퐴퐵 푘퐴퐵 I am Alice 푘 푘퐴퐵 퐴퐵 푁푎2 푘퐴퐵
푁푎2 − 1 푘퐴퐵
푁푎2 − 1 푘퐴퐵 Pay Bob 500$ 푘퐴퐵 Pay Eve 500$ Eve 푘퐴퐵 Man in the Middle attack Attempt #4
Alice I am Alice Bob 푁푎 푘퐴퐵
푁푎 − 1, Pay Eve 500$ 푘퐴퐵
푘퐴퐵 푘퐴퐵
Eve Key establishment
• The protocol worked because Alice and Bob shared a key • How do parties agree on a key? – Run a key agreement protocol (later in the semester) – Use a trusted third party (this lecture) • Key distribution center (KDC): – Shares a key with each entity – Single point of failure – Reasonable assumption for organizations – Not useful for open environments (e.g. the Internet) Naïve solution
• KDC generates a key for each pair 푛 푛−1 • Number of keys 푛 푛 − 1 , number of key pairs = 푛 2 2 • Drawbacks: – Quadratic number of keys – Adding new users is complex • May be useful for static small networks
푘퐴퐵 푘 퐴퐵 푘퐵퐶 푘 퐴퐶 푘퐵퐷 푘퐴퐷 KDC 푘 푘퐴퐷 퐴퐶 푘 푘퐵퐷 퐵퐶 푘 푘퐶퐷 퐶퐷 Desire: solution with linear keys
• KDC shares a key with each user • Number of keys 2푛 • Number of key pairs 푛 • These are long-term keys • Alice and Bob establish a fresh session key
푘 푘퐴푆 퐵푆
푘퐴푆 KDC 푘퐵푆 푘퐶푆 푘 푘 퐷푆 퐷푆 푘퐶푆 Needham-Schroeder Protocol (1978)
푘퐴퐵, 퐴 푘퐵푆
푁푏 푘퐴퐵 푘 푘퐴푆 퐵푆 푁푏 − 1 푘퐴퐵
푘퐴퐵 푘퐴퐵 퐴, 퐵, 푁푎
Why do we need 푁푏?
푁푎, 푘퐴퐵, 푘퐴퐵, 퐴 푘퐵푆 푘퐴푆 KDC 푘퐴푆 푘퐵푆
Why do we need 푁푎? Is Needham-Schroeder secure?
Can Mallory impersonate Alice to KDC? Mallory
푘퐴푆
푁푎, 푘퐴퐵, 푘퐴퐵, 퐴 푘퐵푆 푘퐴푆
퐴, 퐵, 푁푎
KDC 푘퐴푆 푘퐵푆 Is Needham-Schroeder secure?
푘 푘퐴푆 Can Mallory impersonate 퐵푆 Alice to Bob?
KDC 푘퐴푆 푘퐵푆
Mallory Needham-Schroeder replay attack
푘퐴퐵, 퐴 푘퐵푆
푁푏 푘퐴퐵 푘 푘퐴푆 퐵푆 푁푏 − 1 푘퐴퐵 푘 푘 퐴퐵 퐴퐵 푁 ′ 퐴, 퐵, 푁푎 푏 푘퐴퐵
푘퐴퐵, 퐴 푘퐵푆
푁푎, 푘퐴퐵, 퐵, 푘퐴퐵, 퐴 푘퐵푆 푘퐴푆 KDC 푘퐴푆 푘퐵푆 푁푏′ − 1 푘퐴퐵 1) Mallory observes 1st instance 2) Suppose Mallory breaks into Alice, Mallory obtains (old) 푘퐴퐵 푘 푘 푘 , 퐴 3) Alice updates 퐴푆 and erases 퐴퐵 퐴퐵 푘퐵푆 푘퐴퐵 Fixed Needham-Schroeder
푘퐴퐵, 퐴, 푻 푘퐵푆
푁푏 푘퐴퐵 푘 푘퐴푆 퐵푆 푁푏 − 1 푘퐴퐵
푘퐴퐵 푘퐴퐵 퐴, 퐵, 푁푎 Use time stamps
푁푎, 푘퐴퐵, 푘퐴퐵, 퐴, 푻 푘퐵푆 푘퐴푆 KDC 푘퐴푆 푘퐵푆 Kerberos
• Developed in MIT in the ‘80s • Based on Needham-Schroeder – Versions 1-3 not published – Version 4 not secure – Version 5 published in 1993 • Widely used nowadays: – The basis of Microsoft’s active directory – Many Unix versions Kerberos
KDC AC (Authentication server) Get TGT (ticketing granting ticket) Once per login session TGT (Ticketing granting server)
Get ticket for a service pw Once per service
푘퐵푆 Mutual authentication Kerberos
• Passwords are not sent over the network
• Alice’s key 푘퐴푆 is a hash of her password
• Kerberos weaknesses: – KDC is a single point of failure – DoS the KDC and the network ceases to function – Compromise the KDC leads to network-wide compromise – Time synchronization is a very hard problem Access delegation (valet key) “Single Sign on” Same problem as before
pw pw Internet Alice pw pw pw
pw
pw OAuth
“I want to use your service” Some resource Alice pw on the internet
Identity Provider
pw Recap
• Distributed authentication
• The Needham-Schroeder protocol • Kerberos protocol
• Oauth