Authentication of Kerberos and Wireless Communication - PowerPoint PPT Presentation

Slides: 38
Provided by: cny6

Transcript and Presenter's Notes



1
Authentication of Kerberos and Wireless Communication
  • Kerberos
  • AMPS
  • IS-95 A-Key
  • GSM
  • DECT
  • Bluetooth
  • 802.11b

2
Kerberos
3
Abbreviation of Kerberos and Two Simple Types of Authentication Dialogue

Abbreviation
  • C: client
  • AS: authentication server
  • TGS: ticket-granting server
  • V: server
  • IDC: identifier of user on C
  • IDV: identifier of V
  • IDtgs: identifier of TGS
  • PC: password of user on C
  • ADC: network address of C
  • KV: secret encryption key shared by AS and V

A Simple Authentication Dialogue (AS and V share KV)
  • C → AS: IDC, PC, IDV
  • AS → C: Ticket
  • C → V: IDC, Ticket
  • Ticket = E_KV[IDC, ADC, IDV]
  • Problems: 1. PC in plaintext. 2. Replay attack. 3. PC each time.

A More Secure Authentication Dialogue (AS and TGS share Ktgs; TGS and V share KV; AS and C share KC)
  • Ticket lifetime: short (user) versus long (replay)
Once per user logon session
  • C → AS: IDC, IDtgs
  • AS → C: E_KC[Tickettgs]
Once per type of service
  • C → TGS: IDC, IDV, Tickettgs
  • TGS → C: TicketV
Once per service session
  • C → V: IDC, TicketV

  • Tickettgs = E_Ktgs[IDC, ADC, IDtgs, TS1, Lifetime1]
  • TicketV = E_KV[IDC, ADC, IDV, TS2, Lifetime2]
4
(No Transcript)
5
Overview of Kerberos
[Figure: the Kerberos server, consisting of the Authentication Server (AS) and the Ticket Granted Server (TGS), exchanging messages 1 to 6 with Client C and Server D]
  • 1. C → AS: IDc, IDtgs, TS1
  • 2. AS → C: E_Kc[Kc,tgs, IDtgs, TS2, Lifetime2, Tickettgs]
  • 3. C → TGS: IDv, Tickettgs, Authenticatorc
  • 4. TGS → C: E_Kc,tgs[Kc,v, IDv, TS4, Ticketv]
  • 5. C → Server: Ticketv, Authenticatorc
  • 6. Server → C: E_Kc,v[TS5 + 1]
  • Tickettgs = E_Ktgs[Kc,tgs, IDc, ADc, IDtgs, TS2, Lifetime2]
  • Ticketv = E_Kv[Kc,v, IDc, ADc, IDv, TS4, Lifetime4]
  • Authenticatorc (message 3) = E_Kc,tgs[IDc, ADc, TS3]
  • Authenticatorc (message 5) = E_Kc,v[IDc, ADc, TS5]
6
How To Request for Service In Another Realm
[Figure: Realm A contains the Client and a Kerberos server (AS, TGS); Realm B contains a Kerberos server (AS, TGS) and the Server]
  • 1. Request ticket for local TGS.
  • 2. Ticket for local TGS.
  • 3. Request ticket for remote TGS.
  • 4. Ticket for remote TGS.
  • 5. Request ticket for remote server.
  • 6. Ticket for remote server.
  • 7. Request for remote service.
NOTE: If there are N realms then there must be N(N-1)/2 secure key exchanges so that each Kerberos realm can interoperate with all other Kerberos realms.
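
The checks a service has to make on message 5 (Ticketv, Authenticatorc) of the overview before it answers with message 6, sketched in Python as an added example that is not part of the original slides. The cipher is a toy stand-in for E_K[...] built from SHA-256 and HMAC (not DES, not the Kerberos wire format); the names seal, unseal, check_step5, SKEW and the sample principals and addresses are assumptions made for illustration.

```python
import hashlib, hmac, json, os
SKEW = 300      # assumed acceptable clock skew in seconds
_seen = set()   # replay cache of (IDc, TS5) pairs already accepted

def _ks(key, nonce, n):
    out = b""
    while len(out) < n:
        out += hashlib.sha256(key + nonce + len(out).to_bytes(4, "big")).digest()
    return out[:n]

def seal(key, fields):
    """Toy stand-in for E_K[...]: hash keystream plus HMAC tag (not DES)."""
    pt, nonce = json.dumps(fields).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _ks(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or modified blob")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _ks(key, nonce, len(ct)))))

def check_step5(k_v, ticket_v, authenticator, peer_addr, now):
    """Server-side checks on message 5 (Ticketv, Authenticatorc)."""
    try:
        t = unseal(k_v, ticket_v)                            # sealed under Kv
        a = unseal(bytes.fromhex(t["Kc_v"]), authenticator)  # sealed under Kc,v
    except ValueError:
        return "reject: cannot decrypt"
    if not t["TS4"] <= now <= t["TS4"] + t["Lifetime4"]:
        return "reject: ticket expired"
    if (a["IDc"], a["ADc"]) != (t["IDc"], t["ADc"]) or a["ADc"] != peer_addr:
        return "reject: identity or address mismatch"
    if abs(now - a["TS5"]) > SKEW or (a["IDc"], a["TS5"]) in _seen:
        return "reject: stale or replayed authenticator"
    _seen.add((a["IDc"], a["TS5"]))
    return "accept"

def demo():  # constructed keys, principals, addresses and clock values
    _seen.clear()
    k_v, k_cv, now = os.urandom(16), os.urandom(16), 1_000_000
    ticket = seal(k_v, {"Kc_v": k_cv.hex(), "IDc": "alice", "ADc": "10.0.0.5",
                        "IDv": "fileserver", "TS4": now - 60, "Lifetime4": 3600})
    auth = seal(k_cv, {"IDc": "alice", "ADc": "10.0.0.5", "TS5": now})
    other = seal(k_cv, {"IDc": "alice", "ADc": "10.0.0.9", "TS5": now + 2})
    return [check_step5(k_v, ticket, auth, "10.0.0.5", now),       # genuine request
            check_step5(k_v, ticket, auth, "10.0.0.5", now + 1),   # same authenticator again
            check_step5(k_v, ticket, other, "10.0.0.9", now + 2),  # ticket used from another host
            check_step5(os.urandom(16), ticket, auth, "10.0.0.5", now)]  # server without Kv
```

The replay cache only has to remember authenticators for the length of the skew window, since anything older is rejected as stale.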
7
(No Transcript)
8
(No Transcript)
9
[Figure: PKI certification hierarchy; the slide title and several labels were lost in extraction. Surviving labels: National Root, PKI Root, PAA, NNCA, PCA, CA1, CA2, CA3, CA11, CA21, CA22, CA31, CA32, SCA]
  • PAA: Policy Approval Authority
  • PCA: Policy Certificate Authority
  • SCA: Subordinate Certificate Authority
  • NNCA: National Network Certificate Authority
10
(No Transcript)
11
(No Transcript)
12
AMPS [remainder of slide title lost in extraction]
  • Mobile Identification Number (MIN): 34 bits
  • Serial Number: 32 bits, in three fields of 8 bits (bits 31 to 24), 6 bits (bits 23 to 18) and 18 bits (bits 17 to 0)
[Figure: exchange between the mobile side and the MSC over the Radio Path; remaining labels, including two sub-points of which the second mentions the FCC, lost in extraction]
13
AMPS [...] IS-95 A-Key [remainder of slide title lost in extraction]
[Figure: SSD update exchange; the same procedures run on both sides]
  • SSD Update Message (RANDSSD)
  • SSD_Generation Procedure: A-Key and RANDSSD give SSD_A_NEW and SSD_B_NEW
  • Base Station Challenge Order (RANDBS)
  • Auth_Signature Procedure: SSD_A_NEW and RANDBS give AUTHBS
  • Base Station Challenge Confirmation Order (RANDBS)
  • AUTHBS = AUTHBS ?
  • SSD Update Confirmation Order (success) / SSD Update Rejection Order (failure)
  • A-Key: 64 bits
  • SSD (Shared Secret Data): SSD_A (64 bits), SSD_B (64 bits)
  • CAVE: Cellular Authentication and Voice Encryption algorithm
14
GSM [slide title lost in extraction] (GSM Rec. 02.09)
[Figure: Radio Path: MS (SIM + ME) and BSS. Network Side: VLR/MSC and HLR/AUC. Remaining labels lost in extraction]
15
Cryptographic Functions A3, A8 and A5 in GSM Protocol
  • The components A3, A8, and A5.
  • A3: one-way function.
  • A8: one-way function.
  • A5: one-way encryption/decryption algorithm using Kc.
  • A5/1: Western Europe; A5/2: other countries (GSM MoU is attempting to establish A5/2 as the global standard).
[Figure: Authentication: Ki (128 bits) and RAND (128 bits) → A3 → SRES (32 bits). Privacy: Ki and RAND → A8 → Kc (64 bits); Kc and TDMA Frame No. (22 bits) → A5/2 → 114 bits, combined with the Data Stream (114 bits) to give the Ciphertext]
  • The repeated cycle of TDMA Frame No. is 3 hrs 28 min 53 sec 760 msec (Range 0 to 2,715,647).

16
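GSM [slide title lost in extraction]
[Figure: authentication between MS (SIM + ME), VLR/MSC and HLR/AUC. The MS presents TMSI or IMSI. The AUC generates RAND and, with Ki from the AUC database, computes SRES (A3) and Kc (A8); 5 triplets (RAND, SRES, Kc) are supplied. RAND is sent to the MS, which computes SRES and Kc from RAND and Ki. Remaining labels lost in extraction]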
17
Mobile Equipment (ME) Identity Procedure in GSM System
[Figure: message flow between MS (SIM + ME), VLR/MSC and EIR: TMSI, IMEI Request, IMEI, IMEI, Access/Barring]
18
Eavesdropping and Unauthorized Use are Impossible with DECT Privacy and Authentication
[Figure: PP and FP on the Radio Path; VLR and HLR on the Network Side. Labels: K, RS, RAND_F, KS, A11, A12, RES (Authentication), Encryption Key and Ciphertext (Privacy)]
  • ID, K given to the VLR: easy; security problem; VLR: A11, A12
  • RS, RAND_F, RES, KS given to the VLR: similar as GSM; VLR does not know K; VLR: no need of A11 and A12
  • RS, KS given to the VLR: VLR chooses RAND_F; RS and KS can be reused; VLR: A12; traffic between HLR and VLR can be reduced
19
Security Scheme of Bluetooth
20
Generation of Bluetooth Unit Key
21
Generation of Bluetooth Initialization Key
LLength (PIN) LLength (PIN)
22
Authentication of Bluetooth
23
Link Key Exchange (Unit Key)
24
Link Key Exchange (Combination Key)
25
Generation of Bluetooth Encryption Key
26
Encrypted Communication of Bluetooth
27
Unit Key Stealing
28
IEEE 802.11b Security: Wired Equivalent Privacy (WEP)
  • Encryption

29
WEP Decryption
  • C ⊕ RC4(IV,k)
  • = (P ⊕ RC4(IV,k)) ⊕ RC4(IV,k)
  • = P
  • P = ⟨M, c(M)⟩
  • Check c(M)

30
Authentication of 802.11b
There are two types of authentication:
  • 1. Open system authentication. This is the default authentication service and does not perform any authentication.
  • 2. Shared key authentication. This involves a shared secret key to authenticate the station to the AP (access point).
31
Shared key authentication
  • The challenge text (128 bytes) is generated by using the WEP pseudo-random number generator (PRNG) with the shared secret and a random initialization vector (IV).

32
Security Flaws
  • The risks of keystream reuse
  • If C1 = P1 ⊕ RC4(IV,k)
  • and C2 = P2 ⊕ RC4(IV,k)
  • then
  • C1 ⊕ C2 = (P1 ⊕ RC4(IV,k)) ⊕ (P2 ⊕ RC4(IV,k))
  • = P1 ⊕ P2
  • The WEP standard recommends (but does not require) that the IV be changed after every packet.

33
Reuse Initialization Vector
  • The IV field used by WEP is only 24 bits wide, nearly guaranteeing that the same IV will be reused for multiple messages.
  • Packet size: 2000 bytes
  • Average bandwidth: 5 Mbps
  • (((2000 × 8)/(5 × 10^6)) × 2^24)/3600 ≈ 14 hours
  • The PCMCIA cards that they tested reset the IV to 0 each time they are re-initialized, and the IV is incremented by one for each packet.

34
Decryption Dictionaries
  • Some access points transmit broadcast messages in
    plaintext and encrypted form when access control
    is disabled.
  • The attacker can build a table of the keystream
    corresponding to each IV.
  • It does not matter whether a 40-bit or a 104-bit shared secret key is used, as the attack centers on the IV collision.

35
Message Modification
  • The WEP checksum is a linear function of the message.
  • Δ may be chosen arbitrarily by the attacker
  • A → (B): ⟨IV, C⟩
  • (A) → B: ⟨IV, C'⟩
  • C' = C ⊕ ⟨Δ, c(Δ)⟩
  • = RC4(IV,k) ⊕ ⟨M, c(M)⟩ ⊕ ⟨Δ, c(Δ)⟩
  • = RC4(IV,k) ⊕ ⟨M ⊕ Δ, c(M) ⊕ c(Δ)⟩
  • = RC4(IV,k) ⊕ ⟨M ⊕ Δ, c(M ⊕ Δ)⟩
  • = RC4(IV,k) ⊕ ⟨M', c(M')⟩
  • M' = M ⊕ Δ

36
Message Injection
  • It is possible to reuse old IV values without triggering any alarms at the receiver.
  • That is, if an attacker ever learns the complete plaintext P of any given ciphertext packet C, he can recover the keystream used to encrypt the packet.
  • P ⊕ C = P ⊕ (P ⊕ RC4(IV,k)) = RC4(IV,k)
  • (A) → B: ⟨IV, C'⟩
  • where C' = ⟨M', c(M')⟩ ⊕ RC4(IV,k)

37
Authentication Spoofing
  • The message injection attack can be used to
    defeat the shared-key authentication mechanism
    used by WEP.
  • The attacker learns both the plaintext challenge
    sent by the access point and the encrypted
    version sent by the mobile station.