
Kerberos

♦ Kerberos Architecture

[Figure: Kerberos architecture]
  Kerberos Key Distribution Centre: authentication service A (with authentication database) and ticket-granting service T
  Step A (login session setup): 1. Request for TGS ticket; 2. TGS ticket
  Step B (server session setup): 3. Request for server ticket; 4. Server ticket
  Step C (DoOperation): 5. Service request from client C to service function on server S; request and reply encrypted with session key

© Addison-Wesley Publishers 2000

Distributed Systems - Fall 2001 VII - 44 © Stefan Leue 2002 tele


♦ Kerberos Protocol

[Figure: Kerberos protocol message exchange; only the label "challenge" survives]

♦ Notation
  • A: authentication service
  • T: ticket-granting service
  • C: client
  • n: a nonce
  • t: a timestamp
  • t1/t2: start/ending time for ticket


♦ Note
  • use of KC
    – if principal is user, KC is a scrambled (transformed) version of password
    – upon receipt of message 2, client will prompt user for password
    – client will use user password to decode challenge

♦ Kerberos Protocol
  • when client has obtained ticket for ticket-granting server, it can obtain an arbitrary number of server tickets until ticket for ticket-granting server expires
  • protocol to obtain ticket for server
    – note: {auth(C)}KCT = {C, t}KCT

♦ Kerberos Protocol
  • client issues request to server
    – server returns nonce to assure client of its authenticity

♦ Application of Kerberos
  • authentication in an insecure network environment
    – only Kerberos servers are assumed to be operated in a secure manner
  • possible application areas: any type of client-server interactions
    – user login
      ◦ client sends user name to Kerberos server
      ◦ server returns session key and nonce, encrypted with user’s password, and ticket for TGS
      ◦ login client decrypts session key and nonce using user’s password
      ◦ client checks nonce, stores session key and ticket for further use
      ◦ login client can erase user password from memory (no longer needed)
      ◦ client can now start login session with login server
      ◦ note: password never revealed on network
    – network file access (e.g., NFS or Andrew FS)
    – email (access to SMTP server/IMAP server)
    – rlogin
    – printing
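
The user-login exchange listed above, worked through as an added example (not part of the original slides). The PBKDF2 key derivation, the HMAC-based seal/unseal stand-in cipher, and all names and sample credentials are assumptions for illustration; real Kerberos defines its own string-to-key function and encryption types.

```python
import hashlib, hmac, json, os

def kc_from_password(user, password):
    # K_C: "scrambled" password. PBKDF2 is an assumption, not Kerberos' string-to-key.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), user.encode(), 10_000)

def _stream(key, iv, n):
    # Toy keystream (HMAC in counter mode), a stand-in for a real cipher.
    blocks = (hmac.new(key, b"ks" + iv + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, obj):
    pt, iv = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, iv, len(pt))))
    return iv + ct + hmac.new(key, b"mac" + iv + ct, hashlib.sha256).digest()

def unseal(key, blob):
    iv, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"mac" + iv + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered message")
    pt = bytes(a ^ b for a, b in zip(ct, _stream(key, iv, len(ct))))
    return json.loads(pt)

# Constructed sample state of the Kerberos server.
USER_KEYS = {"alice": kc_from_password("alice", "correct horse")}  # A's database
K_T = os.urandom(32)                                               # known to A and T only

def as_reply(user, nonce, now=1000, lifetime=600):
    """Message 2: session key and nonce under K_C, plus ticket for T under K_T."""
    k_ct = os.urandom(32).hex()
    ticket = seal(K_T, {"C": user, "T": "tgs", "t1": now,
                        "t2": now + lifetime, "K_CT": k_ct})
    return seal(USER_KEYS[user], {"K_CT": k_ct, "n": nonce}), ticket

def login(user, password, nonce, reply):
    """Client side: decode the challenge with the password, then check the nonce."""
    challenge, ticket = reply
    body = unseal(kc_from_password(user, password), challenge)
    if body["n"] != nonce:
        raise ValueError("nonce mismatch: stale or replayed reply")
    return body["K_CT"], ticket   # the password can now be erased from memory
```

Only the user name and the sealed reply cross the network; the ticket stays opaque to the client because it is sealed under K_T.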

♦ Critique of Kerberos
  • Kerberos 4 uses timestamps as freshness nonces
    – requires at least loose clock synchronization
      ◦ synchronization protocol itself must be secured against attacks
    – Kerberos 5 allows nonces to be implemented as sequence numbers
      ◦ need to be unique
      ◦ servers need to keep memory of recently used nonces to detect replay
        * inconvenient implementation constraint
    – Kerberos variant that does not rely on timestamps has been suggested
  • Kerberos security depends on session lifetime
    – choice of life span
      ◦ too short: may cause inconvenient interruptions of service
      ◦ too long: users no longer authenticated may continue to use service
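
Both critique points in one server-side check, as an added example that is not from the original slides: the ticket lifetime t1..t2, the clock-skew window for the authenticator timestamp t, and the memory of recently seen authenticators needed to detect replay. The 300-second skew, the class name and the sample values are assumptions; ticket and authenticator are taken as already decrypted.

```python
MAX_SKEW = 300  # seconds; assumed tolerance for loosely synchronized clocks

class Verifier:
    """Server-side freshness checks on a decrypted ticket and authenticator."""

    def __init__(self, max_skew=MAX_SKEW):
        self.max_skew = max_skew
        self.seen = {}  # (client, t) -> last instant at which t is still inside the window

    def check(self, ticket, auth, now):
        # Entries whose timestamp has left the skew window can be forgotten:
        # a replay of them is rejected by the window test alone.
        self.seen = {k: exp for k, exp in self.seen.items() if exp >= now}
        if auth["C"] != ticket["C"]:
            return "reject: client mismatch"
        if not ticket["t1"] <= now <= ticket["t2"]:
            return "reject: ticket outside t1..t2"
        if abs(now - auth["t"]) > self.max_skew:
            return "reject: timestamp outside skew window"
        key = (auth["C"], auth["t"])
        if key in self.seen:
            return "reject: replay"
        self.seen[key] = auth["t"] + self.max_skew
        return "accept"

def demo():
    # Constructed sample: ticket valid from t1=1000 to t2=1600.
    v = Verifier()
    ticket = {"C": "alice", "t1": 1000, "t2": 1600}
    auth = {"C": "alice", "t": 1010}
    return [
        v.check(ticket, auth, now=1012),                      # fresh
        v.check(ticket, auth, now=1020),                      # same authenticator again
        v.check(ticket, auth, now=1400),                      # cache entry gone, window catches it
        v.check(ticket, {"C": "alice", "t": 1700}, now=1700), # ticket lifetime over
    ]
```

The cache only has to cover the skew window, which is the implementation constraint the slide refers to; a larger window tolerates worse clocks at the cost of more remembered entries.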



Secure Socket Layer
♦ Objective
  • achieve secure channels
  • adjusted security
    – in a heterogeneous environment like the Internet the cryptographic capabilities and security needs of the principals are highly varied
    – cryptographic overkill may waste resources
    – therefore: adjusted, negotiable levels of security
      ◦ switches: from unencoded to public key to secret key
♦ History of SSL
  • originally developed by Netscape for use in Web browsers
  • Transport Layer Security (TLS)
    – extended version of SSL
    – Internet standard: RFC 2246 (1999)
♦ Use of SSL
  • secure HTTP interactions on Internet (https://...)
    – e-commerce
  • basis for secure telnet, ftp, pop, remote login, etc.
  • proprietary and public-domain implementations exist
    – include Java and CORBA APIs

♦ SSL Protocol Architecture

[Figure: SSL protocol stack, top to bottom]
  SSL Handshake protocol | SSL Change Cipher Spec | SSL Alert Protocol | HTTP | Telnet
  SSL Record Protocol
  Transport layer (usually TCP)
  Network layer (usually IP)
  Legend: SSL protocols (Handshake, Change Cipher Spec, Alert, Record); other protocols (HTTP, Telnet, transport and network layers)

  • session-level layer protocol implementing a secure channel
    – above transport layer
    – beneath application-level authentication mechanisms

♦ SSL Protocol Handshake Phases

[Figure: SSL handshake between Client and Server, messages in order]
  ClientHello, ServerHello: establish protocol version, session ID, cipher suite, compression method; exchange random values
  Certificate, CertificateRequest, ServerHelloDone: optionally send server certificate and request client certificate
  Certificate, CertificateVerify: send client certificate response if requested
  ChangeCipherSpec, Finished (once in each direction): change cipher suite and finish handshake

♦ Cipher Suites
  • a cipher suite is a particular choice for each of the following components
  • facilitates negotiation of cryptographic mechanisms
    – each cipher suite can be understood as a “cryptographic profile”
  • example cipher suite configuration:

    Component                  Description                                           Example
    Key exchange method        the method to be used for exchange of a session key   RSA with public-key certificates
    Cipher for data transfer   the block or stream cipher to be used for data        IDEA
    Message digest function    for creating message authentication codes (MACs)      SHA

♦ SSL Record Protocol

[Figure: SSL Record Protocol processing pipeline]
  Application data (abcdefghi)
    -> Fragment/combine -> record protocol units (abc, def, ghi)
    -> Compress (opt.)  -> compressed units
    -> Hash             -> MAC
    -> Encrypt          -> encrypted
    -> Transmit         -> TCP packet



Security in Distributed Systems
♦ Kerberos-based Authentication in NFS
  • in standard NFS, there is no check whether the supplied user identity in each request is correct
  • approach: use Kerberos authentication
    – use full Kerberos tickets and authenticators as credentials
    – problem
      ◦ NFS server is stateless
      ◦ necessary to perform Kerberos authentication for every single request
      ◦ considered too expensive
    – solution
      ◦ when mounting root and home file systems supply NFS mount server with
        * full Kerberos user authentication credentials
        * user's numerical id
        * address of client computer
      ◦ when serving accesses, compare numerical id and address of client with data stored on server
      ◦ resistant against most attacks
      ◦ works only if not more than one user logs on to one client computer
♦ Firewalls
  • used to protect intranets, in particular to control communication in and out of an intranet
  • goals of firewall policies
    – service control: limit allowed services on the intranet
      ◦ disallow http requests to certain machines
      ◦ reject non-secure remote login
    – behaviour control: disallow behaviours that infringe on organization’s policies
      ◦ spam detection
    – user control: discriminate between user groups
      ◦ allow only system personnel to download and install software

♦ Firewall Mechanisms
  • IP packet filtering
    – destination/source address inspection
    – inspection of service type field of IP packets
      ◦ e.g., prohibit use of NFS servers by external clients
    – usually done by router
      ◦ ensure that router runs securely
  • TCP gateway
    – check all TCP connection requests
    – check all TCP segment transmissions
      ◦ avoidance of denial-of-service attacks
  • application-level gateway
    – check content of TCP segments
    – often implemented as a proxy for application process
      ◦ e.g.: telnet connection
        * request starts telnet proxy
        * connection application/telnet proxy and telnet proxy/external user
  • bastion: separate secure computer for TCP gateway and application-level gateway
♦ Firewall Architectures
[Figure: three firewall configurations between the Internet and the protected intranet, each with a web/ftp server]
  a) Filtering router: Internet, router/filter, protected intranet
  b) Filtering router and bastion: Internet, R/filter, bastion
  c) Screened subnet for bastion: Internet, R/filter, bastion, R/filter


  • advantages of c)
    – IP addresses of hosts on intranet need not be made public
    – if first filter fails, second (inner) filter will step in
♦ Virtual Private Networks (VPNs)
  • extend the intranet security beyond intranet boundaries
  • requires establishing secure channels across internet links
    – usually used: IPSec extensions of IPv4 (RFC 2411)
      ◦ variant 1: transport mode
        * client supports cryptography inside TCP/IP stack
      ◦ variant 2: tunnel mode
        * security is achieved only between gateways
        * gateways encrypt IP packets and wrap new headers around them

  • IPSec services
    – confidentiality through encryption
    – authentication of sender
    – integrity through detection of data tampering
    – replay protection
    – methodologies for key management: Internet Key Exchange (IKE)
  • Standardization
    – IPSec and IKE developed by IETF and standardized as RFCs
  • Why not rely on application-level end-to-end cryptography and authentication?
    – avoids relying on correct handling of security mechanisms at application program level
    – avoids cryptographic overhead inside intranet
    – disadvantage
      ◦ reliance on faithful handling of keys inside and by IP routers
  • IPv6
    – implements secure channels using extension IP header types
      ◦ authentication
      ◦ encrypted payload
♦ Access Control
  • objects encapsulate data that may need to be protected against unauthorized accesses
  • objects often maintained by servers that provide methods for access to data
  • generic server request format
    – <operation, principal, resource>
    – steps
      ◦ authenticate request message
      ◦ authenticate principal's credentials
        * evidence provided by principal when accessing a resource
      ◦ apply access control
  • protection domains
    – execution environment shared by a number of processes
    – contains list of <resource, rights> pairs
      ◦ specifies rights on resources that all processes in protection domain are entitled to
    – often, protection domain corresponds to all rights that a user has
      ◦ defined by user id and group id in UNIX
  • access control schemes
    – capabilities
    – access control lists (ACLs)

  • capabilities: concept similar to certificates
    – format
      ◦ resource identifier
      ◦ operations
      ◦ authentication code
        * digital signature, rendering capability unforgeable
    – capability will only be granted if grantee is authenticated by server as belonging to the protection domain necessary to perform the requested operation
    – requests have format <operation, userid, capability>
      ◦ access control
        * validation of the capability (authentication code)
        * check that requested operation is in set of allowed operations for that capability
    – problems
      ◦ key theft, e.g., through eavesdropping
        * include information identifying holder of capability
      ◦ revocation of capabilities
        * include timeouts
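
A capability with the format and the two countermeasures listed above (holder identity and timeout), as an added example that is not from the original slides. It uses an HMAC keyed by the server as the authentication code instead of a public-key digital signature; the field names, the key and the sample values are assumptions.

```python
import hashlib, hmac, json

SERVER_KEY = b"constructed-demo-key"   # known only to the issuing server
FIELDS = ("resource", "ops", "holder", "expires")

def _auth_code(fields):
    # Canonical encoding so the same fields always produce the same code.
    msg = json.dumps(fields, sort_keys=True).encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

def grant(resource, operations, holder, expires):
    """Issue a capability; the caller has already authenticated the grantee."""
    fields = {"resource": resource, "ops": sorted(operations),
              "holder": holder, "expires": expires}
    return {**fields, "auth": _auth_code(fields)}

def check(operation, userid, cap, now):
    """Access control for a request <operation, userid, capability>."""
    fields = {k: cap.get(k) for k in FIELDS}
    if not hmac.compare_digest(_auth_code(fields), str(cap.get("auth", ""))):
        return "deny: bad authentication code"
    # userid is assumed to come from an authenticated request message.
    if cap["holder"] != userid:
        return "deny: presented by someone other than the holder"
    if now >= cap["expires"]:
        return "deny: capability expired"
    if operation not in cap["ops"]:
        return "deny: operation not in capability"
    return "allow"

def demo():
    # Constructed sample: alice may read one file until time 2000.
    cap = grant("/home/alice/notes", {"read"}, holder="alice", expires=2000)
    widened = dict(cap, ops=["read", "write"])   # edited after issue
    return [
        check("read", "alice", cap, now=1500),
        check("write", "alice", cap, now=1500),
        check("write", "alice", widened, now=1500),
        check("read", "mallory", cap, now=1500),  # stolen copy
        check("read", "alice", cap, now=2500),
    ]
```

The timeout bounds how long an unrevoked capability stays usable, and the holder field makes a copied capability useless to anyone who cannot also authenticate as the holder.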
  • access control lists (ACLs)
    – ACL stored with every resource
      ◦ entries <domain, operations>, one for each domain
      ◦ domain may be
        * identifier
        * expression, e.g., "owner of the file", "users in the same group as file" (UNIX)
    – requests
      ◦ <operation, principal, resource>
        * authenticate principal
        * check admissibility of operation for requested resource
♦ Implementation
  • digital signatures, credentials and public-key certificates used
  • Java
    – allows objects to manage access control with ACL, Principal and Signer classes
  • CORBA
    – security service offering access control with credentials and ACLs for ORBs
♦ CORBA Security Service
  • included services
    – principal authentication
    – generation of credentials for principals
      ◦ delegation of credentials, including restriction
    – access control for remote invocations
      ◦ access rights can be specified using ACLs
    – auditing of remote invocations
    – facilities for non-repudiation
  • secure remote invocation
    – client’s credentials included in request message
    – server validates credentials and checks for freshness and whether they are signed by an acceptable authority
    – server makes access control decision
      ◦ made by contacting object holding access right mappings
        * possibly using an ACL
    – target server may log invocations and store non-repudiation credentials

  • security policies
    – message-protection policy
      ◦ authentication of client and/or server
      ◦ protection of messages against corruption/disclosure
    – auditing policy
    – non-repudiation policy
    – access-control policy
      ◦ one per domain, a group of objects
      ◦ user credentials are called privileges, and access control checks whether user has credentials to access objects in a given domain
      ◦ methods are categorized into four classes
        * get: return part of object state
        * set: alter object state
        * use: cause object to perform a task
        * manage: functions not available for general use
      ◦ application programmer must use these attributes for any new interface s/he defines
      ◦ also application programmer’s task: setting privilege attributes and helping users to obtain necessary privileges
Bibliographic References for Cryptography
♦ Generally, refer to the extensive bibliography in the [Coulouris] textbook, or to the list of online references available through www.cdk3.net
♦ Specific references on cryptography
  • B. Schneier, Applied Cryptography, 2nd ed., John Wiley, 1996
  • A. Menezes et al., Handbook of Applied Cryptography, CRC Press, 1997
