
Unit 9

The document discusses remote user authentication with symmetric and asymmetric encryption as well as Kerberos. It describes how symmetric encryption can be used with a key distribution center (KDC) to provide mutual authentication and establish session keys. It also addresses issues like replay and suppress replay attacks and how techniques like timestamps and nonces can help prevent them. The document then covers how asymmetric encryption and public key certificates from an authentication server can provide an alternative means of mutual authentication without requiring synchronized clocks.


Information Security (3170720)
UNIT 9: REMOTE USER AUTHENTICATION WITH SYMMETRIC AND ASYMMETRIC ENCRYPTION, KERBEROS
REFERENCE BOOK - CRYPTOGRAPHY AND NETWORK SECURITY, PRINCIPLES AND PRACTICE, SIXTH EDITION, WILLIAM STALLINGS, PEARSON
CHAPTER 15
Road Map
• Remote user authentication with symmetric encryption
• Remote user authentication with asymmetric encryption
• Kerberos
Remote user authentication principle
• User authentication is the fundamental security building block.
• User authentication is the basis for most types of access control and for user accountability.
• It is the process of verifying an identity claimed by or for a system entity.
• It has two steps:
  - identification: specify the identifier
  - verification: bind the entity (person) and the identifier
• User authentication is distinct from message authentication: message authentication is a procedure that allows communicating parties to verify that the contents of a received message have not been altered and that the source is authentic.
Means of user authentication
There are four general means of authenticating a user's identity, which can be used alone or in combination:
• Something the individual knows
  - Examples include a password, a personal identification number (PIN), or answers to a prearranged set of questions
• Something the individual possesses
  - Examples include cryptographic keys, electronic keycards, smart cards, and physical keys
  - This is referred to as a token
• Something the individual is (static biometrics)
  - Examples include recognition by fingerprint, retina, and face
• Something the individual does (dynamic biometrics)
  - Examples include recognition by voice pattern, handwriting characteristics, and typing rhythm
For network-based user authentication, the most important methods involve cryptographic keys and something the individual knows, such as a password.
Mutual Authentication
• Protocols which enable communicating parties to satisfy themselves mutually about each other's identity and to exchange session keys.
• Key issues are
  - confidentiality: to protect session keys
  - timeliness: to prevent replay attacks
Replay Attack
• A valid signed message is copied and later resent.
Examples
• Simple replay: one in which the opponent simply copies a message and replays it later.
• An opponent can replay a timestamped message within the valid time window.
• An opponent can replay a timestamped message within the valid time window, but in addition, the opponent suppresses the original message; thus, the repetition cannot be detected.
  - original message replaced with a new message
• Another attack involves a backward replay without modification and is possible if symmetric encryption is used and the sender cannot easily recognize the difference between messages sent and messages received on the basis of content.
Approaches to Coping With Replay Attacks
• Attach a sequence number to each message used in an authentication exchange (generally impractical)
  - A new message is accepted only if its sequence number is in the proper order.
  - The difficulty with this approach is that it requires each party to keep track of the last sequence number for each claimant it has dealt with.
  - Generally not used for authentication and key exchange because of overhead.
• Timestamps (needs synchronized clocks)
  - Requires that clocks among the various participants be synchronized.
  - Party A accepts a message as fresh only if the message contains a timestamp that, in A's judgment, is close enough to A's knowledge of current time.
• Challenge/response (using unique nonce)
  - Party A, expecting a fresh message from B, first sends B a nonce (challenge) and requires that the subsequent message (response) received from B contain the correct nonce value.
One way Authentication
• It is required when the sender and receiver are not in communication at the same time (e.g., email).
• The header of the e-mail message must be in the clear so that the message can be handled by the store-and-forward e-mail protocol, such as SMTP or X.400.
• It may be desirable to have the contents of the body protected and the sender authenticated.
Remote user authentication with symmetric encryption
Mutual Authentication
• A two-level hierarchy of symmetric keys can be used to provide confidentiality for communication in a distributed environment.
• The strategy involves the use of a trusted key distribution center (KDC).
  - Each party shares a secret key, known as a master key, with the KDC.
  - The KDC is responsible for generating keys to be used for a short time over a connection between two parties and for distributing those keys using the master keys to protect the distribution.
Mutual Authentication
• Despite the handshake of steps 4 and 5, the protocol is still vulnerable to a form of replay attack.
• Denning [DENN81, DENN82] proposes to overcome this weakness by a modification to the protocol that includes the addition of a timestamp to steps 2 and 3.
• Her proposal assumes that the master keys, Ka and Kb, are secure, and it consists of the following steps.

T is a timestamp that assures A and B that the session key has only just been generated.
Suppress Replay Attack
• The Denning protocol requires reliance on clocks that are synchronized throughout the network.
• A risk involved is based on the fact that the distributed clocks can become unsynchronized as a result of sabotage on or faults in the clocks or the synchronization mechanism.
• The problem occurs when a sender's clock is ahead of the intended recipient's clock.
  - An opponent can intercept a message from the sender and replay it later when the timestamp in the message becomes current at the recipient's site.
  - Such attacks are referred to as suppress-replay attacks.
Approaches to coping with Suppress Replay Attack
• One way to counter suppress-replay attacks is to enforce the requirement that parties regularly check their clocks against the KDC's clock.
• The other alternative, which avoids the need for clock synchronization, is to rely on handshaking protocols using nonces.
• This latter alternative is not vulnerable to a suppress-replay attack, because the nonces the recipient will choose in the future are unpredictable to the sender.
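The timestamp and nonce checks described above, as an added example that is not part of the original slides: a constructed sender whose clock runs 300 seconds ahead shows why a suppressed message is accepted later, and a nonce challenge shows the same capture being rejected. The MAC construction, the 30-second window and all names are assumptions made for the illustration.

```python
import hashlib
import hmac
import os

KEY = os.urandom(32)   # constructed session key shared by A and B
WINDOW = 30            # assumed acceptance window, in seconds

def mac(*parts):
    data = b"|".join(str(p).encode() for p in parts)
    return hmac.new(KEY, data, hashlib.sha256).hexdigest()

def send_timestamped(body, sender_clock):
    return {"body": body, "ts": sender_clock, "mac": mac(body, sender_clock)}

def accept_timestamped(msg, receiver_clock):
    """B accepts if the MAC is valid and the timestamp is close to B's clock."""
    ok_mac = hmac.compare_digest(msg["mac"], mac(msg["body"], msg["ts"]))
    return ok_mac and abs(receiver_clock - msg["ts"]) <= WINDOW

class NonceReceiver:
    """B issues a fresh, unpredictable nonce and accepts exactly one response to it."""
    def __init__(self):
        self.pending = None

    def challenge(self):
        self.pending = os.urandom(16).hex()
        return self.pending

    def accept(self, msg):
        expected, self.pending = self.pending, None   # a nonce is good for one use
        return (expected is not None and msg["nonce"] == expected and
                hmac.compare_digest(msg["mac"], mac(msg["body"], msg["nonce"])))

def respond(body, nonce):
    return {"body": body, "nonce": nonce, "mac": mac(body, nonce)}

def suppress_replay_demo():
    b_now = 1_000_000                      # B's clock; A's clock is 300 s ahead
    msg = send_timestamped("open session", b_now + 300)
    results = {
        # Delivered immediately, B would reject it as too far in the future.
        "arrives_now": accept_timestamped(msg, b_now),
        # Withheld and replayed once B's clock reaches the timestamp: accepted.
        "suppressed_then_replayed": accept_timestamped(msg, b_now + 300),
        # Any further copy inside the window is accepted as well.
        "replay_within_window": accept_timestamped(msg, b_now + 310),
    }
    b = NonceReceiver()
    captured = respond("open session", b.challenge())
    results["nonce_first_response"] = b.accept(captured)
    b.challenge()                          # B starts a later exchange
    results["nonce_replayed_response"] = b.accept(captured)
    return results

if __name__ == "__main__":
    for name, outcome in suppress_replay_demo().items():
        print(f"{name}: {outcome}")
```

The timestamp check alone cannot tell the delayed copy from a fresh message; a receiver that relies on it also needs clock monitoring and a record of messages already seen inside the window.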
Approaches to coping with Suppress Replay Attack
• An attempt is made to respond to the concerns about suppress-replay attacks and at the same time fix the replay problems.
• This protocol provides an effective, secure means for A and B to establish a session with a secure session key.
• Furthermore, the protocol leaves A in possession of a key that can be used for subsequent authentication to B, avoiding the need to contact the authentication server repeatedly.
• Suppose that A and B establish a session using the aforementioned protocol and then conclude that session.
• Subsequently, but within the time limit established by the protocol, A desires a new session with B.
• When B receives the message in step 1, it verifies that the ticket has not expired.
• The newly generated nonces Na and Nb assure each party that there is no replay attack.
• In all the foregoing, the time specified in Tb is a time relative to B's clock.
One Way Authentication
• Because we wish to avoid requiring that the recipient (B) be online at the same time as the sender (A), steps 4 and 5 must be eliminated. For a message with content M, the sequence is as follows:

[Figure: Modified Version and Old Version]
Remote user authentication with asymmetric encryption
Mutual Authentication
• Public-key encryption for session key distribution
  - Assumes each of the two parties is in possession of the current public key of the other
  - May not be practical to require this assumption
• Denning protocol using timestamps
  - Uses an authentication server (AS) to provide public-key certificates
  - Requires the synchronization of clocks
  - The central system is referred to as an authentication server (AS), because it is not actually responsible for secret-key distribution; the AS provides public-key certificates.
  - The session key is chosen and encrypted by A; hence, there is no risk of exposure by the AS.
  - The timestamps protect against replays of compromised keys.
  - This protocol is compact but, as before, requires the synchronization of clocks.
Mutual Authentication
The Woo and Lam protocol makes use of nonces
• Step 1: A informs the KDC of its intention to establish a secure connection with B.
• Step 2: The KDC returns to A a copy of B's public-key certificate.
• Step 3: Using B's public key, A informs B of its desire to communicate and sends a nonce Na.
• Step 4: B asks the KDC for A's public-key certificate and requests a session key; B includes A's nonce so that the KDC can stamp the session key with that nonce. The nonce is protected using the KDC's public key.
• Step 5: The KDC returns to B a copy of A's public-key certificate, plus the information {Na, Ks, IDB}. Ks is a secret key generated by the KDC on behalf of B and tied to Na; the binding of Ks and Na will assure A that Ks is fresh. This triple is encrypted using the KDC's private key to allow B to verify that the triple is in fact from the KDC. It is also encrypted using B's public key so that no other entity may use the triple in an attempt to establish a fraudulent connection with A.
• Step 6: The triple {Na, Ks, IDB}, still encrypted with the KDC's private key, is relayed to A, together with a nonce Nb generated by B. All the foregoing are encrypted using A's public key.
• Step 7: A retrieves the session key Ks, uses it to encrypt Nb, and returns it to B. This last message assures B of A's knowledge of the session key.
Mutual Authentication
• This seems to be a secure protocol that takes into account the various attacks. However, the authors themselves spotted a flaw and submitted a revised version of the algorithm.
• In steps 5 and 6, the identifier of A, IDA, is added to the set of items encrypted with the KDC's private key. This binds the session key Ks to the identities of the two parties that will be engaged in the session.
• This inclusion of IDA accounts for the fact that the nonce value Na is considered unique only among all nonces generated by A, not among all nonces generated by all parties. Thus, it is the pair {IDA, Na} that uniquely identifies the connection request of A.
• Care needed to ensure no protocol flaws.

[Figure: Old Version and Revised Version]
One Way Authentication
• Have public-key approaches for e-mail
  - Encryption of message for confidentiality, authentication, or both.
  - These approaches require that either the sender know the recipient's public key (confidentiality), the recipient know the sender's public key (authentication), or both (confidentiality plus authentication).
  - The public-key algorithm must be applied once or twice to what may be a long message.
• For confidentiality, encrypt the message with a one-time secret key, and encrypt the one-time secret key using the public key.
  - Only B will be able to use the corresponding private key to recover the one-time key and then use that key to decrypt the message.
• If authentication is the primary concern, a digital signature may suffice.
  - This method guarantees that A cannot later deny having sent the message.
  - However, this technique is open to another kind of fraud. Bob composes a message to his boss Alice that contains an idea that will save the company money.
  - He appends his digital signature and sends it into the e-mail system. Eventually, the message will get delivered to Alice's mailbox.
  - But suppose that Max has heard of Bob's idea and gains access to the mail queue before delivery. He finds Bob's message, strips off his signature, appends his, and requeues the message to be delivered to Alice.
  - Max gets credit for Bob's idea.
  - To counter such a scheme, both the message and signature can be encrypted with the recipient's public key.
• The previous two schemes require that B know A's public key and be convinced that it is timely.
• An effective way to provide this assurance is the digital certificate.
• In addition to the message, A sends B the signature encrypted with A's private key and A's certificate encrypted with the private key of the authentication server.
• The recipient of the message first uses the certificate to obtain the sender's public key and verify that it is authentic and then uses the public key to verify the message itself.
• If confidentiality is required, then the entire message can be encrypted with B's public key.
• Alternatively, the entire message can be encrypted with a one-time secret key; the secret key is also transmitted, encrypted with B's public key.
KERBEROS
In Greek mythology, Kerberos is a multi-headed dog (usually three) which guards the entrance of Hades.
Kerberos
• Authentication protocol (implemented on Project Athena at MIT)
• Kerberos is an authentication protocol that provides strong authentication for client/server applications by using symmetric key cryptography and a third-party key distribution center (KDC).
• Kerberos provides a centralized authentication server whose function is to authenticate users to servers and servers to users.
• The authentication is based on tickets used as credentials, allowing communication and proving identity in a secure manner even over a non-secure network.
• The first 3 versions are no longer in use.
• Two versions of Kerberos are in common use: Version 4 and Version 5.
• Version 4 uses the DES algorithm for symmetric encryption.
Why Kerberos?
• Want to be able to access all my resources from anywhere on the network.
• Don't want to be entering a password to authenticate myself for each access to a network service.
  - Time consuming
  - Insecure
• Solution
  - A centralized authentication server (Kerberos)
Authentication Protocol
How Kerberos works? (Version 4)
Initial Authentication
1. Authenticate
2. Receive TGT
Using TGT
3. Request Service Ticket
4. Receive Service Ticket
5. Get Service
[Figure label: Service Server]

Kerberos Version 4: Step 1
• The client sends a plain message to the AS asking for the ticket it can use to talk with the TGS.
• The message does not include the client's password, nor its secret key based on the password.
• Request: user ID (IDC), TGS name (IDtgs) and timestamp (TS1)
• TS1: allows the AS to verify that the client's clock is synchronized with that of the AS.

C → AS : IDC | IDtgs | TS1
Kerberos Version 4: Step 2
• The AS checks whether the client is in the user database and, if found, generates the secret key (Kc) for the client by hashing the client's password.
• The AS then responds with a message, encrypted with the key derived from the user's password (Kc), that contains the ticket (Ticket_tgs) and a session key (Kc,tgs) for the client and TGS only. The same session key is included in the ticket, which can be read only by the TGS. Thus, the session key has been securely delivered to both C and the TGS.

AS → C : E(Kc, [Kc,tgs | IDtgs | TS2 | Lifetime2 | Ticket_tgs])
Ticket_tgs = E(Ktgs, [Kc,tgs | IDC | ADC | IDtgs | TS2 | Lifetime2])
Kerberos Version 4: Step 1 & Step 2
• TS2: informs the client of the time this ticket was issued.
• Lifetime2: informs the client of the lifetime of this ticket.
Kerberos Version 4: Step 3
• The client decrypts the message using the secret key derived from the user's password.
• The client now has a session key and a ticket that can be used to contact the TGS.
• The client cannot see inside the ticket, since the client does not know the TGS secret key.
• To get a ticket to access the server, the client sends the TGS a message including the ticket, the ID of the requested service and Authenticator_c, which includes the ID and address of C's user and a timestamp (the authenticator is intended for use only once and has a very short lifetime).

C → TGS : IDv | Ticket_tgs | Authenticator_c
Authenticator_c = E(Kc,tgs, [IDC | ADC | TS3])
Kerberos Version 4: Step 4
• The TGS decrypts the ticket with the key that it shares with the AS (Ktgs).
• This ticket indicates that user C has been provided with the session key Kc,tgs.
• The TGS uses the session key to decrypt the authenticator.
• The TGS can then check the name and address from the authenticator with that of the ticket and with the network address of the incoming message. If all match, then the TGS is assured that the sender of the ticket is indeed the ticket's real owner.
• The TGS then sends a message encrypted with the session key shared by the TGS and C, which includes the session key (Kc,v), the ID of V (IDv), and the timestamp of the ticket (TS4).
• The ticket itself includes the same session key.

TGS → C : E(Kc,tgs, [Kc,v | IDv | TS4 | Ticket_v])
Ticket_v = E(Kv, [Kc,v | IDC | ADC | IDv | TS4 | Lifetime4])
Kerberos Version 4: Step 3 & Step 4
Kerberos Version 4: Step 5
• The client now decrypts the TGS response with the TGS session key.
• The client now has a session key for use with the new server, and a ticket to use with that server.
• The client can contact the server with Ticket_v and an authenticator in the same way as it contacts the TGS.

C → V : Ticket_v | Authenticator_c
Authenticator_c = E(Kc,v, [IDC | ADC | TS5])
Kerberos Version 4: Step 6
• If mutual authentication is required, the server can reply with a message which includes the value of the timestamp from the authenticator, incremented by 1 and encrypted with the session key Kc,v.
• The server uses the server's secret key (Kv) to decrypt the service ticket and extract the session key Kc,v.

V → C : E(Kc,v, [TS5 + 1]) (for mutual authentication)

• C can decrypt this message to recover the incremented timestamp. Because the message was encrypted by the session key, C is assured that it could have been created only by V. The contents of the message assure C that this is not a replay of an old reply.
• Finally, at the conclusion of this process, the client and server share a secret key. This key can be used to encrypt future messages between the two or to exchange a new random session key for that purpose.
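The six Version 4 messages above, run end to end as an added example (not code from the slides or from any Kerberos implementation). The cipher E/D is a toy HMAC-based stand-in for DES, and the realm data, ticket lifetime and authenticator freshness window are constructed assumptions.

```python
import hashlib
import hmac
import json
import os

def _ks(key, iv, n):   # HMAC-SHA256 in counter mode, used as a keystream
    return b"".join(hmac.new(key, iv + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(n // 32 + 1))[:n]

def E(key, fields):
    """Toy authenticated cipher standing in for DES (not real Kerberos crypto)."""
    pt, iv = json.dumps(fields).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _ks(key, iv, len(pt))))
    return (iv + ct + hmac.new(key, b"mac" + iv + ct, hashlib.sha256).digest()).hex()

def D(key, blob):
    raw = bytes.fromhex(blob)
    iv, ct, tag = raw[:16], raw[16:-32], raw[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, b"mac" + iv + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or modified ciphertext")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _ks(key, iv, len(ct)))))

# Constructed realm data: one user, one TGS key, one service key.
PASSWORDS = {"alice": "correct horse"}
K_TGS, K_V = os.urandom(32), os.urandom(32)
LIFETIME, SKEW = 3600, 120   # assumed ticket lifetime and authenticator window (s)

def kc(password):            # Kc: derived by hashing the password
    return hashlib.sha256(password.encode()).digest()

def as_reply(id_c, ad_c, id_tgs, ts2):                  # message 2: AS -> C
    k = os.urandom(32).hex()                            # Kc,tgs
    ticket = E(K_TGS, [k, id_c, ad_c, id_tgs, ts2, LIFETIME])
    return E(kc(PASSWORDS[id_c]), [k, id_tgs, ts2, LIFETIME, ticket])

def _check(ticket_key, ticket, authenticator, src_addr, now):
    """Open a ticket, then compare it with the authenticator and source address."""
    k, id_c, ad_c, _id, ts, life = D(ticket_key, ticket)
    a_id, a_ad, a_ts = D(bytes.fromhex(k), authenticator)
    if (a_id, a_ad) != (id_c, ad_c) or ad_c != src_addr:
        raise PermissionError("authenticator does not match ticket")
    if now > ts + life or abs(now - a_ts) > SKEW:
        raise PermissionError("ticket expired or authenticator stale")
    return bytes.fromhex(k), id_c, ad_c, a_ts

def tgs_reply(id_v, ticket_tgs, auth, src_addr, now):   # message 4: TGS -> C
    k_c_tgs, id_c, ad_c, _ = _check(K_TGS, ticket_tgs, auth, src_addr, now)
    k = os.urandom(32).hex()                            # Kc,v
    ticket_v = E(K_V, [k, id_c, ad_c, id_v, now, LIFETIME])
    return E(k_c_tgs, [k, id_v, now, ticket_v])

def v_reply(ticket_v, auth, src_addr, now):             # message 6: V -> C
    k_c_v, _, _, ts5 = _check(K_V, ticket_v, auth, src_addr, now)
    return E(k_c_v, [ts5 + 1])

def client_login(user, password, addr, now=1_000_000):
    """Client side of messages 1, 3 and 5; True if V proves knowledge of Kc,v."""
    k_c_tgs, _, _, _, ticket_tgs = D(kc(password), as_reply(user, addr, "tgs", now))
    auth = E(bytes.fromhex(k_c_tgs), [user, addr, now + 1])        # TS3
    k_c_v, _, _, ticket_v = D(bytes.fromhex(k_c_tgs),
                              tgs_reply("V", ticket_tgs, auth, addr, now + 1))
    auth = E(bytes.fromhex(k_c_v), [user, addr, now + 2])          # TS5
    return D(bytes.fromhex(k_c_v), v_reply(ticket_v, auth, addr, now + 2))[0] == now + 3

if __name__ == "__main__":
    print("mutual authentication:", client_login("alice", "correct horse", "10.0.0.5"))
```

A wrong password fails at the first decryption on the client, and a ticket presented from a different address or after its lifetime is refused by the TGS or by V.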
Kerberos Version 4: Step 5 & Step 6
Kerberos Version 4: Message Exchange

Kerberos Realms and multiple realms
• A Kerberos environment consists of
  - a Kerberos server (AS and TGS)
  - a number of clients
  - a number of application servers
• Such an environment is referred to as a Kerberos realm.
• A Kerberos realm is a set of managed nodes that share the same Kerberos database.
• Networks of clients and servers under different administrative organizations typically constitute different realms.
• Users in one realm may need access to servers in other realms, and some servers may be willing to provide service to users from other realms, provided that those users are authenticated.
• For two realms to support inter-realm authentication:
  - The Kerberos server in each interoperating realm shares a secret key with the server in the other realm.
  - The two Kerberos servers are registered with each other.
• A user wishing service on a server in another realm needs a ticket for that server.
  - The user's client follows the usual procedures to gain access to the local TGS and then requests a ticket-granting ticket for a remote TGS.
  - The client can then apply to the remote TGS for a service-granting ticket for the desired server in the realm of the remote TGS.
• The ticket presented to the remote server (Vrem) indicates the realm in which the user was originally authenticated.
• The server chooses whether to honor the remote request.
• One problem with the approach
  - It does not scale well to many realms.
  - If there are N realms, then there must be N(N - 1)/2 secure key exchanges so that each Kerberos realm can interoperate with all other Kerberos realms.
Kerberos Version 5 Versus Version 4
• Environmental shortcomings of Version 4:
  - Encryption system dependence: DES
  - Message byte ordering
  - Internet protocol dependence
  - Ticket lifetime
  - Authentication forwarding
  - Inter-realm authentication
• Technical deficiencies of Version 4:
  - Double encryption
  - Session keys
  - Password attack
  - Mode of encryption
New Elements in Kerberos Version 5
• Realm
  - Indicates realm of the user
• Options
• Times
  - From: the desired start time for the ticket
  - Till: the requested expiration time
  - Rtime: requested renew-till time
• Nonce
  - A random value to assure the response is fresh
Kerberos Version 5: Message Exchange 1
• To obtain ticket-granting ticket
Kerberos Version 5: Message Exchange 2
• To obtain service-granting ticket
Kerberos Version 5: Message Exchange 3
• To obtain service
