Cryptography Reference
In-Depth Information
timestamp
t
C
, and computes
m
V
=
E
k
(
I
C
,t
C
)
,
called the
authenticator
, which she sends to Victor along with
m
V
.
3. Victor uses
E
−
1
k
V,T
to get
k
from the ticket,
m
V
. Then he uses
E
−
k
to decrypt
m
V
. He checks that the two copies of
I
C
from
m
V
and
m
V
match. He
checks that
t
C
is valid. Then he checks that his current time is within the
lifetime
L
specified by
m
V
. If these three facts hold, he declares Carol to
be authentic, and he computes
m
C
=
E
k
(
t
C
), which he sends to her.
4. Carol applies
E
−
k
to
m
C
, and checks that
t
C
matches the value she created
in step 2. If it does, she declares Victor to be authentic and now has a
session key
k
to communicate with him.
Analysis
Anytimestamp in the protocol must be within the
expiration window
, which
can be anyagreed fixed amount. Also, checking that a given time
t
is within
the expiration window can be accomplished bysubtracting
t
from the current
time, which must be within some mutuallyaccepted fixed time interval. The
role of the timestamp
t
and the lifetime
L
is to thwart Malloryfrom storing old
messages for retransmission at a later time (a replayattack).
5.1
If anyof the
checks against
t
in the above protocol fail, then the protocol terminates since
a
stale
timestamp has been discovered. The lifetime
L
also has the advantage
of allowing Carol to reuse Victor's ticket without contacting Trent, so step 1
can be eliminated over the lifetime of the ticket. However, each time Carol
reuses the ticket, she must create a new authenticator with a fresh timestamp,
but the same session key
k
. The use of timestamps means that there must
be synchronized clocks in the network. Cryptanalysts must be prevented from
modifying clocks to guarantee the security of the scheme.
In the full version of Kerberos, there is another entitywho grants the tick-
ets, and Trent's role is merelyto authenticate. Thus, in the full Kerberos
model, Trent is a trusted authority, called the
Kerberos authentication server
.
The Kerberos protocol is based upon predistribution protocols of Needham and
Schroeder (see [177] and [178]), full descriptions and analysis of which can be
found in [170, pages 167-169]).
In the above scheme, we used onlyan SKC and Trent to establish a shared
secret keyas well as mutual authentication. However, the scheme heavilyde-
pends upon synchronized clocks, which is diKcult to achieve. When synchro-
nized clocks are not available, the following scheme is required.
The next protocol uses a PKC and ensures both keyagreement and mu-
tual entityauthentication. The scheme involves what is known as a
challenge-
response
protocol, which we now describe.
5.1
A
replay attack
(alsocalleda
playback attack
)onaprotocolinvolvestheuseofinformation
gathered from a previous execution of the protocol in an attempt to deceive.
Search WWH ::
Custom Search