[924] in Kerberos
Re: Authentication methods of Kerberos...
daemon@ATHENA.MIT.EDU (Bennet Yee)
Mon Apr 30 23:01:17 1990
Date: 1 May 90 02:41:40 GMT
From: o.gp.cs.cmu.edu!PLAY.MACH.CS.CMU.EDU!bsy@PT.CS.CMU.EDU (Bennet Yee)
To: kerberos@ATHENA.MIT.EDU
In article <1651@nixpbe.UUCP>, gla@nixpbe.UUCP (gla) writes:
|> wayner@SVAX.CS.CORNELL.EDU (Peter Wayner) writes:
|>
|> >Q: What system does Kerberos use to authenticate a user? Is it Public-Key
|> >algorithms or some Zero-Knowledge system? What algorithms are then
|> >used to encrypt everything else passing over the wires?
|>
|> Kerberos uses a special protocol using conventional (e.g. DES) encryption.
|> Please note that Zero-Knowledge means n o t more "secure" than without
|> Zero-Knowledge.
Kerberos uses the secret key version of the Needham Schoeder authentication
protocol. See _Using Encryption for Authentication for Large Networks of
Computers_, R. M. Needham, M. D. Schroeder, CACM Dec '78. Also, _A Logic of
Authenticaion_ by M. Burrows, M. Abadi, and R. Needham, Twelfth SOSP is
interesting; it describes and analyzes the modifications to the NS private
key protocol that was used in Kerberos.
I wonder about your claim that Zero Knowledge Protocols (ZKPs) are not more
``secure'' than non-ZKPs. What is your system model?
In NS authentication, the system relies upon the security of a central
authentication server. Each agent in the system shares a secret key with
the AS. If your AS is compromised, your entire system needs to be
reinitialized -- new keys must be passed out to everybody. And in the
interim availability is zilch. In contrast, ZKPs typically do not have this
problem. Agents in a ZKP system publish authentication puzzles widely in a
manner similar to that for public key systems. Directories can be
replicated, and we can leverage our system away from massive denial of
service problems by using quorum concensus so that an attacker must break
into k out of our n directory servers (undetected) before being able to
compromise the system. [ Of course, the authentication puzzles for the n
directory servers are local to every system. ] This is something that is
probably _undesirable_ in a NS-style authentication system: instead of
having to guard 1 AS, now you've got many to safeguard....
ZKPs have other advantages over conventional authentication systems: in
conventional authentication systems, breaking the system is (hopefully)
equivalent to guessing the secret key(s) -- _assuming_ that the underlying
secret key encryption system is secure; in the case of DES, there's no proof
that there isn't a simple algorithm for inverting it. Also, to prevent
replay attacks, nonce identifiers have to be used (if implemented correctly
[hem], generated using a cryptographically secure random number generator
[CSPRNG]), you have to keep track of them. In ZKPs, breaking the system is
_provably_ equivalent to guessing a sequence of random numbers (also from a
CSPRNG), as long as you believe that the underlying problem is intractible
-- usually factoring composites of large primes.
In what kind of system are these not security advantages?
Internet: bsy@cs.cmu.edu Bitnet: bsy%cs.cmu.edu@cmuccvma
CSnet: bsy%cs.cmu.edu@relay.cs.net Uucp: ...!seismo!cs.cmu.edu!bsy
USPS: Bennet Yee, c/o School of Comp Sci, CMU, Pittsburgh, PA 15213-3890
Phone: +1 412 268-7571
