Kerberos
Kerberos was designed with the goal of authenticating clients who desire access
to servers in a network. We prepare for the formal, but simplified, description
by giving a brief introductory overview. We will be describing a basic version of
Kerberos that provides both entity authentication and key establishment using
an SKC (symmetric-key cryptosystem), denoted by E, that we assume has built-in
data integrity features, and Trent as our trusted third party.
Preliminary Description
Carol sends a request to Trent to establish a session key (see page 163),
which she can use to communicate with Victor, and includes her identity data
in the request. Using the key he shares (only) with Victor, Trent generates an
E-encrypted ticket, t, for Victor, which includes Carol's identity data, certain
time constraints, and a copy of the session key. He also uses the key he shares
(only) with Carol to encipher a message, m, containing a copy of the session
key, Victor's identity data, and some time constraints. He sends t and m to
Carol.
She cannot alter t without being detected, since it is enciphered with a key
known only to Trent and Victor, and E's integrity feature lets Victor notice any
modification. Carol decrypts m using the key she shares with Trent and verifies
the time constraints it carries. Then she uses the copy of the session key
to E-encrypt an authenticator, a, which contains her identity data and some
fresh time constraints. She sends a and t to Victor.
He decrypts t with the key that he shares with Trent. This gives him the
copy of the session key, which he now uses to decrypt a, where he checks both
the time constraints and the identity data in a and t. If they match, and the time
constraints are valid, Carol is verified to Victor. He uses the session key to
encipher the time data she sent in the authenticator and sends it to her.
Carol decrypts using the session key, and if the time data matches, Victor is
authenticated to her. Hence, they have established a session key with which
to securely communicate. Note that every one of these time checks presupposes
that the three parties' clocks are loosely synchronized.
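The four-message exchange just described, as an added example that is not part of the original text and does not reproduce real Kerberos message formats. It uses the names of the simplified protocol stated later on this page (session key k, long-term keys k_{C,T} and k_{V,T}, identities I_C and I_V, timestamp t, lifetime L). The cipher E is a toy encrypt-then-MAC built from HMAC-SHA256, standing in for the SKC with built-in integrity; the JSON encoding of messages, the lifetime and clock-skew constants, and all function names are assumptions made for illustration.

```python
"""Simplified Kerberos exchange between Carol, Trent and Victor.

Illustrative code written for this page, not the textbook's own; the
cipher E below is a stand-in, not a production AEAD.
"""
import hashlib
import hmac
import json
import secrets

SKEW = 300       # tolerated clock skew in seconds (assumed parameter)
LIFETIME = 3600  # ticket lifetime L in seconds (assumed parameter)


# E: a toy encrypt-then-MAC standing in for the text's SKC "with built-in
# data integrity". Use AES-GCM or ChaCha20-Poly1305 in real systems.
def _subkey(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(enc_key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def E(key, msg):
    """Encrypt a dict under key; output = nonce || ciphertext || tag."""
    pt = json.dumps(msg, sort_keys=True).encode()
    nonce = secrets.token_bytes(16)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(pt))
    ct = bytes(x ^ y for x, y in zip(pt, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def D(key, blob):
    """Verify the tag first, then decrypt; any modification raises ValueError."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("integrity check failed")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return json.loads(bytes(x ^ y for x, y in zip(ct, ks)))


def within_lifetime(t, L, now):
    return t - SKEW <= now < t + L


# Step 1 (Trent): pick k, t, L; m_C for Carol and the ticket m_V for Victor.
def trent_issue(k_CT, k_VT, I_C, I_V, now):
    k, t, L = secrets.token_bytes(32), now, LIFETIME
    m_C = E(k_CT, {"k": k.hex(), "I_V": I_V, "t": t, "L": L})
    m_V = E(k_VT, {"k": k.hex(), "I_C": I_C, "t": t, "L": L})
    return m_C, m_V


# Step 2 (Carol): open m_C, check I_V, t and L, then build the authenticator a under k.
def carol_request(k_CT, m_C, m_V, I_C, I_V, now):
    msg = D(k_CT, m_C)
    if msg["I_V"] != I_V:
        raise ValueError("session key is not for Victor")
    if not within_lifetime(msg["t"], msg["L"], now):
        raise ValueError("session key lifetime invalid")
    k = bytes.fromhex(msg["k"])
    t_C = now                                   # fresh time constraint
    a = E(k, {"I_C": I_C, "t_C": t_C})
    return k, t_C, a, m_V                       # Carol sends (a, m_V) to Victor


# Step 3 (Victor): open the ticket with k_VT, then a with k; cross-check identity and times.
def victor_verify(k_VT, a, ticket, now):
    tk = D(k_VT, ticket)                        # Carol cannot alter this undetected
    if not within_lifetime(tk["t"], tk["L"], now):
        raise ValueError("ticket expired")
    k = bytes.fromhex(tk["k"])
    auth = D(k, a)
    if auth["I_C"] != tk["I_C"]:
        raise ValueError("identity in authenticator does not match ticket")
    if abs(now - auth["t_C"]) > SKEW:
        raise ValueError("authenticator not fresh")
    return k, E(k, {"t_C": auth["t_C"]})        # echo Carol's time data under k


# Step 4 (Carol): Victor proved knowledge of k by echoing t_C under it.
def carol_check_reply(k, reply, t_C):
    return D(k, reply)["t_C"] == t_C


def run(ticket_mutation=None, victor_delay=2, now=1_700_000_000):
    """Drive one full exchange; returns "ok" or the reason Victor rejected it."""
    k_CT, k_VT = secrets.token_bytes(32), secrets.token_bytes(32)   # long-term keys
    m_C, m_V = trent_issue(k_CT, k_VT, "carol", "victor", now)
    k_carol, t_C, a, ticket = carol_request(k_CT, m_C, m_V, "carol", "victor", now + 1)
    if ticket_mutation:
        ticket = ticket_mutation(ticket)
    try:
        k_victor, reply = victor_verify(k_VT, a, ticket, now + victor_delay)
    except ValueError as exc:
        return str(exc)
    return "ok" if k_carol == k_victor and carol_check_reply(k_carol, reply, t_C) else "key mismatch"


def flip_ticket_byte(ticket):
    """Carol (or anyone on the path) tampers with one ciphertext byte of the ticket."""
    return ticket[:20] + bytes([ticket[20] ^ 0x01]) + ticket[21:]


if __name__ == "__main__":
    print(run())                                       # ok
    print(run(ticket_mutation=flip_ticket_byte))       # integrity check failed
    print(run(victor_delay=LIFETIME + SKEW + 10))      # ticket expired
```

Run stand-alone it prints the three outcomes. The tampered-ticket case is exactly the detection the text relies on when it says Carol cannot alter t without being noticed: Victor's decryption of the ticket fails its integrity check before any identity or time comparison happens. The delayed case shows the lifetime L doing its job, and the identity cross-check between a and the ticket is what stops a captured ticket from being replayed by someone other than Carol.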
Kerberos Authentication Protocol — Simplified
Basic Assumptions: Trent selects a random key $k$, a timestamp $t$, and a
validity period $L$, called a lifetime. Carol and Trent share a secret symmetric key
$k_{C,T}$, and Victor and Trent share one, $k_{V,T}$. Also, $I_C$, $I_V$, and $I_T$ are identity
strings for Carol, Victor, and Trent, respectively. Moreover, at the outset, Carol
and Victor share no secrets.
Protocol Activities:
1. Carol sends her request for a session key to use with Victor, together with
her identity string $I_C$, to Trent, who computes $m_C = E_{k_{C,T}}(k, I_V, t, L)$.
He also computes
$$m_V = E_{k_{V,T}}(k, I_C, t, L),$$
called a ticket for Victor, and sends both $m_C$ and $m_V$ to Carol.
2. Carol uses $E^{-1}_{k_{C,T}}$ to retrieve $k$, $I_V$, $t$, and $L$ from $m_C$. She verifies that $t$ and
$L$ are valid, and that $I_V$ is the identity of Victor. She then creates a fresh