13.2.3 Remaining Problems with Symmetric-Key Distribution
Even though Kerberos provides strong assurance that the correct keys are being used and that users are authenticated, there are still drawbacks to the protocols discussed so far. We now describe remaining general problems that exist for KDC-based schemes.
Communication requirements One problem in practice is that the KDC needs to be contacted if a new secure session is to be initiated between any two parties in the network. Even though this is a performance rather than a security problem, it can be a serious hindrance in a system with very many users. In Kerberos, one can alleviate this potential problem by increasing the lifetime T of the key. In practice, Kerberos can run with tens of thousands of users. However, it would be a problem to scale such an approach to "all" Internet users.
Secure channel during initialization As discussed earlier, all KDC-based protocols require a secure channel at the time a new user joins the network for transmitting that user's key encryption key.
Single point of failure All KDC-based protocols, including Kerberos, have the security drawback that they have a single point of failure, namely the database that contains the key encryption keys, the KEKs. If the KDC becomes compromised, all KEKs in the entire system become invalid and have to be re-established using secure channels between the KDC and each user.
No perfect forward secrecy If any of the KEKs becomes compromised, e.g., through a hacker or Trojan software running on a user's computer, the consequences are serious. First, all future communication can be decrypted by an attacker who eavesdrops. For instance, if Oscar got hold of Alice's KEK k_A, he can recover the session key from all messages y_A that the KDC sends out. Even more dramatic is the fact that Oscar can also decrypt past communications if he stored old messages y_A and y. Even if Alice immediately realizes that her KEK has been compromised and she stops using it right away, there is nothing she can do to prevent Oscar from decrypting her past communication. Whether a system is vulnerable if long-term keys are compromised is an important feature of a security system, and there is a special term for it:
Definition 13.1. A cryptographic protocol has perfect forward secrecy (PFS) if the compromise of long-term keys does not allow an attacker to obtain past session keys.
Neither Kerberos nor the simpler protocols shown earlier offer PFS. The main mechanism to assure PFS is to employ public-key techniques, which we study in the following sections.
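The following added illustration (not code from the textbook) replays the no-PFS scenario above: an eavesdropper records y_A and y during a KDC session and, once k_A later leaks, recovers k_ses and then the plaintext. It assumes a toy HMAC-SHA256 keystream cipher as a stand-in for a real block cipher, and all keys, nonces, function names and the sample message are constructed here.

```python
"""Added illustration: why a KDC scheme without PFS fails once a long-term
key leaks. The cipher is a toy XOR keystream built from HMAC-SHA256 (an
assumption standing in for a real cipher); it is symmetric, so one call
both encrypts and decrypts."""
import hashlib
import hmac
import os


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Keystream block i = HMAC-SHA256(key, nonce || i), XORed over data."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        chunk = data[i:i + 32]
        out.extend(b ^ k for b, k in zip(chunk, block))
    return bytes(out)


def kdc_session(kek_alice: bytes, plaintext: bytes) -> dict:
    """KDC issues a fresh session key k_ses wrapped under Alice's KEK k_A
    (message y_A); Alice then sends y = e_{k_ses}(x) to Bob.
    Returns exactly what a passive eavesdropper can record from the wire."""
    k_ses = os.urandom(32)
    n_a, n_msg = os.urandom(16), os.urandom(16)
    y_a = keystream_xor(kek_alice, n_a, k_ses)      # KDC -> Alice: y_A
    y = keystream_xor(k_ses, n_msg, plaintext)      # Alice -> Bob: y
    return {"y_A": (n_a, y_a), "y": (n_msg, y)}


def recover_from_transcript(kek_alice: bytes, transcript: dict) -> bytes:
    """Oscar later obtains k_A: unwrap the stored y_A to get k_ses,
    then decrypt the stored y. No interaction with Alice or the KDC needed."""
    n_a, y_a = transcript["y_A"]
    k_ses = keystream_xor(kek_alice, n_a, y_a)
    n_msg, y = transcript["y"]
    return keystream_xor(k_ses, n_msg, y)


def no_pfs_demo() -> bool:
    """Returns True if the recorded session is readable after KEK compromise."""
    k_a = os.urandom(32)                      # Alice's long-term KEK (constructed)
    x = b"constructed sample message from Alice to Bob"
    recorded = kdc_session(k_a, x)            # Oscar stores y_A and y now ...
    return recover_from_transcript(k_a, recorded) == x  # ... and reads x later
```

Because k_ses is derived only from material wrapped under the long-term KEK, nothing Alice does after the leak can protect the recorded y; a PFS design would instead derive k_ses from ephemeral values never sent under k_A.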