11Chapter 5: Authentication Protocols
22=====================================
33
4- So far we described how to encrypt messages, build authenticators,
5- predistribute the necessary keys. It might seem as if all we have to do
6- to make a protocol secure is append an authenticator to every message
7- and, if we want confidentiality, encrypt the message.
8-
9- There are two main reasons why it’s not that simple. First, there is the
10- problem of a *replay attack *: an adversary retransmitting a copy of a
11- message that was previously sent. If the message was an order you had
12- placed on a website, for example, then the replayed message would appear
13- to the website as though you had ordered more of the same. Even though
14- it wasn’t the original incarnation of the message, its authenticator
15- would still be valid; after all, the message was created by you, and it
16- wasn’t modified. Clearly, we need a solution that ensures *originality *.
4+ So far we described how to encrypt messages, build message
5+ authentication codes, and distribute keys. It might seem
6+ as if all we have to do to make a protocol secure is append an
7+ authentication code to every message and, if we want confidentiality,
8+ encrypt the message.
9+
10+ There are two main reasons why it’s not that simple. First, there is
11+ the problem of a *replay attack *: an adversary retransmitting a copy
12+ of a message that was previously sent. One could imagine, for example,
13+ that a message in which you place an order for some item on a website
14+ could be replayed, appearing to the website as though you had ordered
15+ more of the same. Even though it wasn’t the original incarnation of
16+ the message, its authentication code would still be valid; after all,
17+ the message was created by you, and it wasn’t modified. Clearly, we
18+ need a solution that ensures *originality *.
1719
1820In a variation of this attack called a *suppress-replay attack *, an
1921adversary might merely delay your message (by intercepting and later
@@ -31,7 +33,7 @@ used for just one session. This too involves a nontrivial protocol.
3133
3234What these two issues have in common is authentication. If a message is
3335not original and timely, then from a practical standpoint we want to
34- consider it as not being authentic, not being from whom it claims to be.
36+ consider it as not being authentic, i.e., not being from whom it claims to be.
3537And, obviously, when you are arranging to share a new session key with
3638someone, you want to know you are sharing it with the right person.
3739Usually, authentication protocols establish a session key at the same
@@ -40,9 +42,10 @@ authenticated each other and they have a new secret key to use. Without
4042a new session key, the protocol would just authenticate Alice and Bob at
4143one point in time; a session key allows them to efficiently authenticate
4244subsequent messages. Generally, session key establishment protocols
43- perform authentication. A notable exception is Diffie-Hellman, as
44- described below, so the terms *authentication protocol * and *session key
45- establishment protocol * are almost synonymous.
45+ perform authentication. As we noted in the last chapter,
46+ Diffie-Hellman key exchange in its simplest form does not provide
47+ authentication, but in practical usage it is almost always combined
48+ with an authentication protocol.
4649
4750There is a core set of techniques used to ensure originality and
4851timeliness in authentication protocols. We describe those techniques
@@ -51,10 +54,10 @@ before moving on to particular protocols.
51545.1 Originality and Timeliness Techniques
5255-------------------------------------------
5356
54- We have seen that authenticators alone do not enable us to detect
57+ We have seen that authentication codes alone do not enable us to detect
5558messages that are not original or timely. One approach is to include a
5659timestamp in the message. Obviously the timestamp itself must be
57- tamperproof, so it must be covered by the authenticator . The primary
60+ tamperproof, so it must be covered by the message authentication code . The primary
5861drawback to timestamps is that they require distributed clock
5962synchronization. Since our system would then depend on synchronization,
6063the clock synchronization itself would need to be defended against
@@ -66,23 +69,20 @@ degree of synchronization.
6669
6770Another approach is to include a *nonce *—a random number used only
6871once—in the message. Participants can then detect replay attacks by
69- checking whether a nonce has been used previously. Unfortunately, this
70- requires keeping track of past nonces, of which a great many could
71- accumulate. One solution is to combine the use of timestamps and nonces,
72- so that nonces are required to be unique only within a certain span of
73- time. That makes ensuring uniqueness of nonces manageable while
74- requiring only loose synchronization of clocks.
75-
76- Another solution to the shortcomings of timestamps and nonces is to
77- use one or both of them in a *challenge-response * protocol. Suppose we
78- use a timestamp. In a challenge-response protocol, Alice sends Bob a
72+ checking whether a nonce has been used previously. On its own, this
73+ would require keeping track of past nonces, of which a great many could
74+ accumulate.
75+
76+ A solution to the shortcomings of timestamps and nonces is to use one
77+ or both of them in a *challenge-response * protocol. Suppose we use a
78+ timestamp. In a challenge-response protocol, Alice sends Bob a
7979timestamp, challenging Bob to encrypt it in a response message (if
8080they share a secret key) or digitally sign it in a response message
8181(if Bob has a public key, as in :numref: `Figure %s
8282<fig-challenge-response>`). The encrypted timestamp is like an
83- authenticator that additionally proves timeliness. Alice can easily
84- check the timeliness of the timestamp in a response from Bob since
85- that timestamp comes from Alice’s own clock—no distributed clock
83+ authentication code that additionally proves timeliness. Alice can
84+ easily check the timeliness of the timestamp in a response from Bob
85+ since that timestamp comes from Alice’s own clock—no distributed clock
8686synchronization needed. Suppose instead that the protocol uses
8787nonces. Then Alice need only keep track of those nonces for which
8888responses are currently outstanding and haven’t been outstanding too
@@ -95,64 +95,50 @@ long; any purported response with an unrecognized nonce must be bogus.
9595
9696 A challenge-response protocol.
9797
98- The beauty of challenge-response, which might otherwise seem excessively
99- complex, is that it combines timeliness and authentication; after all,
100- only Bob (and possibly Alice, if it’s a secret-key cipher) knows the key
101- necessary to encrypt the never before seen timestamp or nonce.
102- Timestamps or nonces are used in most of the authentication protocols
103- that follow.
98+ The beauty of challenge-response is that it combines timeliness and
99+ authentication; after all, only Bob (and possibly Alice, if it’s a
100+ secret-key cipher) knows the key necessary to encrypt the
101+ never-before-seen timestamp or nonce. Timestamps or nonces are used
102+ in most of the authentication protocols that follow.
104103
1051045.2 Public-Key Authentication Protocols
106105-----------------------------------------
107106
108- In the following discussion, we assume that Alice and Bob’s public keys
109- have been predistributed to each other via some means such as a PKI. We
110- mean this to include the case where Alice includes her certificate in
111- her first message to Bob, and the case where Bob searches for a
112- certificate about Alice when he receives her first message.
113107
114- .. _fig-pKAuthSync :
115- .. figure :: figures/f08-08-9780123850591.png
116- :width: 600px
117- :align: center
118108
119- A public-key authentication protocol that depends on synchronization.
120-
121- This first protocol (:numref: `Figure %s <fig-pKAuthSync >`) relies on
122- Alice and Bob’s clocks being synchronized. Alice sends Bob a message
123- with a timestamp and her identity in plaintext plus her digital
124- signature. Bob uses the digital signature to authenticate the message
125- and the timestamp to verify its freshness. Bob sends back a message
126- with a timestamp and his identity in plaintext, as well as a new
127- session key encrypted (for confidentiality) using Alice’s public key,
128- all digitally signed. Alice can verify the authenticity and freshness
129- of the message, so she knows she can trust the new session key. To
130- deal with imperfect clock synchronization, the timestamps could be
131- augmented with nonces.
132-
133- The second protocol (:numref: `Figure %s <fig-pKAuthNoSync >`) is
134- similar but does not rely on clock synchronization. In this protocol,
135- Alice again sends Bob a digitally signed message with a timestamp and
136- her identity. Because their clocks aren’t synchronized, Bob cannot be
137- sure that the message is fresh. Bob sends back a digitally signed
138- message with Alice’s original timestamp, his own new timestamp, and
139- his identity. Alice can verify the freshness of Bob’s reply by
140- comparing her current time against the timestamp that originated with
141- her. She then sends Bob a digitally signed message with his original
142- timestamp and a new session key encrypted using Bob’s public key. Bob
143- can verify the freshness of the message because the timestamp came
144- from his clock, so he knows he can trust the new session key. The
145- timestamps essentially serve as convenient nonces, and indeed this
146- protocol could use nonces instead.
109+ In the following discussion, we assume that Alice and Bob’s public
110+ keys have been predistributed to each other via some means as
111+ described in the previous chapter. This could include the case where
112+ Alice includes her certificate in her first message to Bob, and the
113+ case where Bob searches some sort of public key infrastructure for a
114+ certificate about Alice when he receives her first message.
115+
116+ We describe here a simple authentication protocol that uses
117+ timestamps, illustrated in :numref: `Figure %s <fig-pKAuthNoSync >`. In
118+ this protocol, Alice sends Bob a digitally signed message with a
119+ timestamp from her local clock and her identity. Because their clocks
120+ aren’t synchronized, Bob cannot be sure that the message is fresh. Bob
121+ sends back a digitally signed message with Alice’s original timestamp,
122+ his own locally generated timestamp, and his identity. Alice can verify the
123+ freshness of Bob’s reply by comparing her current time against the
124+ timestamp that originated with her. She then sends Bob a digitally
125+ signed message with his original timestamp and a new session key
126+ encrypted using Bob’s public key. Bob can verify the freshness of the
127+ message because the timestamp came from his clock, so he knows he can
128+ trust the new session key.
129+
130+ The timestamps in this example essentially serve as convenient nonces, and indeed this
131+ protocol could use nonces instead. We will see some examples of this
132+ when we look at Transport Layer Security (TLS) in a later chapter.
147133
148134.. _fig-pKAuthNoSync :
149135.. figure :: figures/f08-09-9780123850591.png
150136 :width: 500px
151137 :align: center
152138
153- A public-key authentication protocol that does not depend on
154- synchronization. Alice checks her own timestamp against her own clock,
155- and likewise for Bob .
139+ A public-key authentication protocol. Alice checks her own
140+ timestamp, signed by Bob, against her own clock,
141+ and Bob does the same with his timestamp signed by Alice .
156142
157143
1581445.3 Secret-Key Authentication Protocols
174160
175161 The Needham-Schroeder authentication protocol.
176162
177- The Needham-Schroeder authentication protocol is illustrated in
163+ The Needham-Schroeder authentication protocol formed the basis for
164+ many future authentication systems, and is illustrated in
178165:numref: `Figure %s <fig-needhamSchroeder >`. Note that the KDC doesn’t
179166actually authenticate Alice’s initial message and doesn’t communicate
180167with Bob at all. Instead, the KDC uses its knowledge of Alice’s and
@@ -183,39 +170,51 @@ other than Alice (because only Alice can decrypt it) and contains the
183170necessary ingredients for Alice and Bob to perform the rest of the
184171authentication protocol themselves.
185172
186- The nonce in the first two messages is to assure Alice that the KDC’s
187- reply is fresh. The second and third messages include the new session
188- key and Alice’s identifier, encrypted together using Bob’s master key.
189- It is a sort of secret-key version of a public-key certificate; it is in
190- effect a signed statement by the KDC (because the KDC is the only entity
191- besides Bob who knows Bob’s master key) that the enclosed session key is
192- owned by Alice and Bob. Although the nonce in the last two messages is
193- intended to assure Bob that the third message was fresh, there is a flaw
194- in this reasoning.
173+ The process begins with Alice sending a message to the KDC that
174+ includes a nonce and the names of the two principals, A(lice) and
175+ B(ob). The KDC responds by creating a new session key, encrypting that
176+ with the key that the KDC shares with Bob (indicated by the small,
177+ inner envelope), and including that in a message sent back to Alice.
178+ This message is in turn encrypted using the key that is shared by the
179+ KDC and Alice (as indicated by the outer envelope). Thus, only Alice
180+ can decrypt this message, and now she has both the unencrypted session
181+ key and an encrypted copy of the session key to send to Bob. On receiving
182+ the message from Alice, Bob is able to decrypt it and obtain the
183+ session key. He now creates another nonce and encrypts it with the
184+ session key and replies to Alice. Finally, Alice decrypts the nonce,
185+ increments it, and replies to Bob with the encrypted result, proving
186+ that she has seen the nonce. Although the nonce created by Bob and
187+ used in the last two messages shows that the final message from Alice
188+ is fresh, it does not guarantee freshness of the initial message Bob
189+ received from Alice at step 3. Kerberos addresses this shortcoming.
195190
1961915.3.1 Kerberos
197192~~~~~~~~~~~~~~~~
198193
199194Kerberos is an authentication system based on the Needham-Schroeder
200195protocol and specialized for client/server environments. Originally
201196developed at MIT, it has been standardized by the IETF and is available
202- as both open source and commercial products. We will focus here on some
203- of Kerberos’s interesting innovations.
197+ as both open source and commercial products. We focus here on some
198+ of Kerberos’s interesting innovations. Notably, it addresses the
199+ freshness problem identified in Needham-Schroeder by using timestamps
200+ rather than nonces.
204201
205202Kerberos clients are generally human users, and users authenticate
206- themselves using passwords. Alice’s master key, shared with the KDC, is
207- derived from her password—if you know the password, you can compute the
208- key. Kerberos assumes anyone can physically access any client machine;
209- therefore, it is important to minimize the exposure of Alice’s password
210- or master key not just in the network but also on any machine where she
211- logs in. Kerberos takes advantage of Needham-Schroeder to accomplish
212- this. In Needham-Schroeder, the only time Alice needs to use her
213- password is when decrypting the reply from the KDC. Kerberos client-side
214- software waits until the KDC’s reply arrives, prompts Alice to enter her
215- password, computes the master key and decrypts the KDC’s reply, and then
216- erases all information about the password and master key to minimize its
217- exposure. Also note that the only sign a user sees of Kerberos is when
218- the user is prompted for a password.
203+ themselves using passwords. Alice’s master key, shared with the KDC,
204+ is derived from her password—if you know the password, you can compute
205+ the key. Kerberos assumes anyone can physically access any client
206+ machine; therefore, it is important to minimize the exposure of
207+ Alice’s password or master key not just in the network but also on any
208+ machine where she logs in. Kerberos takes advantage of an approach
209+ derived from Needham-Schroeder to accomplish this. In
210+ Needham-Schroeder, the only time Alice needs to use her password to
211+ access her master key is when decrypting the reply from the
212+ KDC. Kerberos client-side software waits until the KDC’s reply
213+ arrives, prompts Alice to enter her password, computes the master key
214+ and decrypts the KDC’s reply, and then erases all information about
215+ the password and master key to minimize its exposure. Also note that
216+ the only sign a user sees of Kerberos is when the user is prompted for
217+ a password.
219218
220219In Needham-Schroeder, the KDC’s reply to Alice plays two roles: It
221220gives her the means to prove her identity (only Alice can decrypt the
@@ -239,10 +238,25 @@ the TGS without going back to the AS.
239238
240239 Kerberos authentication.
241240
242- In the client/server application domain for which Kerberos is intended,
243- it is reasonable to assume a degree of clock synchronization. This
244- allows Kerberos to use timestamps and lifespans instead of
245- Needham-Shroeder’s nonces, and thereby eliminate the Needham-Schroeder
246- security weakness. Kerberos supports a choice of hash functions and
247- secret-key ciphers, allowing it to keep pace with the state-of-the-art
248- in cryptographic algorithms.
241+ Once Alice has received the ticket from the AS, she is able to
242+ communicate with the TGS. She provides the ticket, the identifier for
243+ Bob, and an encrypted timestamp (in place of the nonce used in
244+ Needham-Schroeder). The TGS replies with a ticket that will be
245+ readable by Bob, because it is encrypted with his master key, and a
246+ session key that is encrypted using the key shared by Alice and the
247+ TGS. Alice can now start communicating with Bob, sending the ticket
248+ and another encrypted timestamp using the newly provided session key.
249+
250+ In the client/server application domain for which Kerberos is
251+ intended, it is reasonable to assume a degree of clock
252+ synchronization. This allows Kerberos to use timestamps and lifespans
253+ instead of Needham-Shroeder’s nonces. This means that the TGS and Bob
254+ can both be assured that the messages that came from Alice are fresh
255+ and not replays, thereby eliminating the Needham-Schroeder security
256+ weakness noted above. The freshness of Bob's reply to Alice is assured
257+ because it is a response to the challenge from Alice.
258+
259+ Kerberos has undergone considerable development and standardization over
260+ the decades. It supports a choice of hash functions and secret-key
261+ ciphers, which has allowed it to evolve along with the standards for
262+ cryptographic algorithms.
0 commit comments