1

Kerberos and X.509

Fourth Edition
by William Stallings

Lecture slides by Lawrie Brown
(Changed by Somesh Jha)
2
Authentication Applications
will consider authentication functions
developed to support application-level
authentication & digital signatures
will consider Kerberos a private-key
authentication service
then X.509 directory authentication
service
3
Kerberos
trusted key server system from MIT
provides centralised private-key third-
party authentication in a distributed
network
allows users access to services distributed
through out the network
without needing to trust all workstations
rather all trust a central authentication
server
two versions in use: 4 & 5
4
Kerberos Requirements
first published report identified its
requirements as:
security
reliability
transparency
scalability
implemented using an authentication
protocol based on Needham-Schroeder
5
Kerberos 4 Overview
a basic third-party authentication
scheme
have an Authentication Server (AS)
users initially negotiate with AS to identify
themselves
AS provides a non-corruptible
authentication credential (ticket granting
ticket TGT)
have a Ticket Granting server (TGS)
users subsequently request access to other
services from TGS on basis of users TGT
6
A Simple Authentication Dialogue
(1) C -> AS : ID
C
|| P
C
|| ID
V
C = client
AS = authentication server
ID
C
= identifier of user on C
P
C
= password of user on C
ID
V
= identifier of server V
C asks user for the password
AS checks that user supplied the right
password


7
Message 2
(2) AS -> C : Ticket
Ticket = E
K(V)
[ID
C
|| AD
C
|| ID
V
]
K(V) = secret encryption key shared by AS
and V
AD
C
= network address of C
Ticket cannot be altered by C or an
adversary
8
Message 3
(3) C -> V: ID
C
|| Ticket
Server V decrypts the ticket and checks
various fields
AD
C
in the ticket binds the ticket to the
network address of C
However this authentication scheme has
problems
9
Problems
Each time a user needs to access a
different service he/she needs to enter
their password
Read email several times
Print, mail, or file server
Assume that each ticket can be used only
once (otherwise open to replay attacks)
Password sent in the clear
10
Authentication Dialogue II
Once per user logon session
(1) C -> AS: ID
C
|| ID
TGS
(2) AS -> C: E
K(C)
[Ticket
TGS
]
Ticket
TGS
is equal to
E
K(TGS)
[ID
C
|| AD
C
|| ID
TGS

|| TS
1
|| Lifetime
1
]

11
Explaining the fields
TGS = Ticket-granting server
ID
TGS
= Identifier of the TGS
Ticket
TGS
= Ticket-granting ticket or
TGT
TS
1
= timestamp
Lifetime
1
= lifetime for the TGT
K
(C)
= key derived from users password

12
Messages (3) and (4)
Once per type of service
(3) C -> TGS: ID
C
|| ID
V
|| Ticket
TGS
(4) TGS -> C : Ticket
V
Ticket
V
is equal to
E
K(V)
[ ID
C
|| AD
C
|| ID
V
||
TS
2
|| Lifetime
2
]
K(V): key shared between V and TGS
Is called the service-granting ticket (SGT)
13
Message 5
Once per service session
(5) C -> V: ID
C
|| Ticket
V
C says to V I am ID
C
and have a ticket
from the TGS . Let me in!
Seems secure, but..
There are problems
14
Problems
Lifetime of the TGT
Short : user is repeatedly asked for their
password
Long : open to replay attack
Oscar captures TGT and waits for the user
to logoff
Sends message (3) with network address
ID
C
(network address is easy to forge)
Same problem with SGT
15
What should we do?
A network service (TGS or server) should be
able to verify that
person using the ticket is the same as the person
that the ticket was issued to
Remedy : use an authenticator
Server should also authenticate to user
Otherwise can setup a fake server
A fake tuition payment server and capture the
students credit card
Remedy : use a challenge-response protocol
16
Kerberos Realms
a Kerberos environment consists of:
a Kerberos server
a number of clients, all registered with
server
application servers, sharing keys with
server
this is termed a realm
typically a single administrative domain
if have multiple realms, their Kerberos
servers must share keys and trust
17
Kerberos Version 5
developed in mid 1990s
provides improvements over v4
addresses environmental shortcomings
encryption algorithm, network protocol, byte
order, ticket lifetime, authentication
forwarding, inter-realm authentication
and technical deficiencies
double encryption, non-standard mode of use,
session keys, password attacks
specified as Internet standard RFC
1510
18
Reading assignment
Inter-realm authentication in version 4
Pages 411-413
Version 5
Fixes some shortcomings of version 4
Page 413-419
19
X.509 Authentication Service
part of CCITT X.500 directory service
standards
distributed servers maintaining some info database
defines framework for authentication
services
directory may store public-key certificates
with public key of user
signed by certification authority
also defines authentication protocols
uses public-key crypto & digital signatures
algorithms not standardised, but RSA
recommended
20
X.509 Certificates
issued by a Certification Authority (CA), containing:
version (1, 2, or 3)
serial number (unique within CA) identifying certificate
signature algorithm identifier
issuer X.500 name (CA)
period of validity (from - to dates)
subject X.500 name (name of owner)
subject public-key info (algorithm, parameters, key)
issuer unique identifier (v2+)
subject unique identifier (v2+)
extension fields (v3)
signature (of hash of all fields in certificate)
notation CA<<A>> denotes certificate for A signed by
CA
21
Obtaining a Certificate
any user with access to CA can get any
certificate from it
only the CA can modify a certificate
because cannot be forged, certificates
can be placed in a public directory
22
CA Hierarchy
if both users share a common CA then they
are assumed to know its public key
otherwise CA's must form a hierarchy
use certificates linking members of hierarchy
to validate other CA's
each CA has certificates for clients (forward) and
parent (backward)
each client trusts parents certificates
enable verification of any certificate from
one CA by users of all other CAs in hierarchy
23
CA Hierarchy Use
24
Certificate Revocation
certificates have a period of validity
may need to revoke before expiry
1. user's private key is compromised
2. user is no longer certified by this CA
3. CA's certificate is compromised
CAs maintain list of revoked
certificates
the Certificate Revocation List (CRL)
users should check certs with CAs CRL

25
Authentication Procedures
X.509 includes three alternative
authentication procedures:
One-Way Authentication
Two-Way Authentication
Three-Way Authentication
all use public-key signatures
26
One-Way Authentication
1 message ( A->B) used to establish
the identity of A and that message is from
A
message was intended for B
integrity & originality of message
message must include timestamp, nonce,
B's identity and is signed by A
27
Two-Way Authentication
2 messages (A->B, B->A) which also
establishes in addition:
the identity of B and that reply is from B
that reply is intended for A
integrity & originality of reply
reply includes original nonce from A,
also timestamp and nonce from B
28
Three-Way Authentication
3 messages (A->B, B->A, A->B) which
enables above authentication without
synchronized clocks
has reply from A back to B containing
signed copy of nonce from B
means that timestamps need not be
checked or relied upon
Reading assignment: pages 424-427
29
X.509 Version 3
has been recognised that additional
information is needed in a certificate
email/URL, policy details, usage constraints
rather than explicitly naming new fields
defined a general extension method
extensions consist of:
extension identifier
criticality indicator
extension value
30
Certificate Extensions
key and policy information
convey info about subject & issuer keys,
plus indicators of certificate policy
certificate subject and issuer
attributes
support alternative names, in alternative
formats for certificate subject and/or
issuer
certificate path constraints
allow constraints on use of certificates by
other CAs
31
Summary
have considered:
Kerberos trusted key server system
X.509 authentication and certificates