Cryptography Reference
In-Depth Information
a KDC, which is named the “authentication sever” in Kerberos terminology. Let's
first look at a simplified version of the protocol.
Key Establishment Using a Simplified Version of Kerberos
Alice
KDC
Bob
KEK:
k
A
KEK:
k
A
,
k
B
KEK:
k
B
generate nonce
r
A
RQST
(
ID
A
,
ID
B
,
r
A
)
−−−−−−−−−−−−→
generate random
k
ses
generate lifetime
T
y
A
=
e
k
A
(
k
ses
,
r
A
,
T
,
ID
B
)
y
B
=
e
k
B
(
k
ses
,
ID
A
,
T
)
y
A
,
y
B
←−−−−−−−−−−−
k
ses
,
r
'
A
,
T
,
ID
B
=
e
−
1
k
A
(
y
A
)
verify
r
A
=
r
A
verify
ID
B
verify lifetime
T
generate time stamp
T
S
y
AB
=
e
k
ses
(
ID
A
,
T
S
)
y
AB
,
y
B
−−−−−−−−−−−→
k
ses
,
ID
A
,
T
=
e
−
1
k
B
(
y
B
)
ID
A
'
,
T
S
=
e
−
1
k
ses
(
y
AB
)
verify
ID
A
' =
ID
A
verify lifetime
T
verify time stamp
T
S
y
−−−−−−−−−−−→
x
=
e
−
1
y
=
e
k
ses
(
x
)
k
ses
(
y
)
Kerberos assures the
timeliness
of the protocol through two measures. First, the
KDC specifies a lifetime
T
for the session key. The lifetime is encrypted with both
session keys, i.e., it is included in
y
A
and
y
B
. Hence, both Alice and Bob are aware
of the period during which they can use the session key. Second, Alice uses a time
stamp
T
S
, through which Bob can be assured that Alice's messages are recent and
are not the result of a replay attack. For this, Alice's and Bob's system clocks must
be synchronized, but not with a very high accuracy. Typical values are in the range
of a few minutes. The usage of the lifetime parameter
T
and the time stamp
T
S
prevent replay attacks by Oscar.
Equally important is that Kerberos provides key confirmation and user authenti-
cation. In the beginning, Alice sends a random nonce
r
A
to the KDC. This can be
considered as a
challenge
because she challenges the KDC to encrypt it with their
joint KEK
k
A
. If the returned challenge
r
A
matches the sent one, Alice is assured that
the message
y
A
was actually sent by the KDC. This method to authenticate users is
known as
challenge-response protocol
and is widely used, e.g., for authentication of
smart cards.
Through the inclusion of Bob's identity
ID
B
in
y
A
Alice is assured that the session
key is actually meant for a session between herself and Bob. With the inclusion of
Alice's identity
ID
A
in both
y
B
and
y
AB
, Bob can verify that (i) the KDC included
a session key for a connection between him and Alice and (ii) that he is currently
actually talking to Alice.