Chapter

15用戶認(rèn)證《計(jì)算機(jī)與網(wǎng)絡(luò)安全》本章內(nèi)容?3/22/2020?2?華中農(nóng)業(yè)大學(xué)信息學(xué)院遠(yuǎn)程用戶認(rèn)證基于對(duì)稱加密的遠(yuǎn)程用戶認(rèn)證Kerberos基于非對(duì)稱加密的遠(yuǎn)程用戶認(rèn)證聯(lián)合身份管理Kerberos

is

an

authentication

service

developed

as

partof

Project

Athena

at

MIT,

and

is

one

of

the

best

known

and

most

widelyimplementedtrusted

third

party

keydistribution

systems.Kerberos

provides

a

centralized

authentication

server

whose

functionis

to

authenticate

users

to

servers

and

servers

to

users.

Unlike

most

otherauthenticationschemes,

Kerberos

relies

exclusively

on

symmetric

encryption,

makingno

use

of

public-keyencryption.

Two

versions

of

Kerberosare

in

common

use:

v4

&

v5.§15.1遠(yuǎn)程用戶認(rèn)證原理?3/22/2020?3?華中農(nóng)業(yè)大學(xué)信息學(xué)院鑒定階段核實(shí)階段認(rèn)證方式?知道什么?擁有什么?靜態(tài)生物特征?動(dòng)態(tài)生物特征基于網(wǎng)絡(luò)的最重要的認(rèn)證方式是?加密密鑰?用戶口令A(yù)uthentication

Protocols

are

used

to

convince

parties

of

each

others

identity

and

to

exchange

session

keys.

Theymay

be

one-way

or

mutual.Central

to

the

problemof

authenticated

key

exchange

are

two

issues:

confidentiality

and

timeliness.

To

prevent

masquerade

and

to

preventcompromise

of

session

keys,

essential

identification

and

session

key

information

must

be

communicated

in

encrypted

form.

This

requires

the

priorexistence

of

secret

orpublic

keys

that

can

be

used

for

this

purpose.

The

second

issue,

timeliness,

is

important

because

of

the

threat

of

messagereplays.Stallings

discussesa

number

of

protocols

that

appeared

secure

but

were

revised

after

additional

analysis.

These

examples

highlight

the

difficulty

ofgettingthings

right

in

the

area

of

authentication.§15.1.1認(rèn)證協(xié)議?3/22/2020?4?華中農(nóng)業(yè)大學(xué)信息學(xué)院用于確認(rèn)通信的參與者，并交換會(huì)話密鑰。認(rèn)證可以是單向的也可以是相互的。主密鑰應(yīng)該是?保密的–保護(hù)會(huì)話密鑰?有時(shí)間性–防止重放攻擊發(fā)布的協(xié)議往往發(fā)現(xiàn)有缺陷需要修訂Replay

Attacks

are

where

avalid

signed

message

is

copied

and

later

resent.

Such

replays,

at

worst,

could

allow

an

opponent

to

compromise

asession

key

or

successfullyimpersonate

another

party.

At

minimum,

a

successful

replay

can

disrupt

operations

bypresenting

parties

withmessages

that

appear

genuine

but

are

not.[GONG93]

lists

the

examples

above

of

replay

attacks.Possible

countermeasures

include

the

use

of:?

sequence

numbers

(generally

impractical

since

must

remember

last

number

used

with

every

communicating

party)?

timestamps

(needs

synchronized

clocks

amongst

all

parties

involved,

which

can

be

problematic)?

challenge/response

(using

unique,

random,

unpredictable

nonce,

but

not

suitable

for

connectionless

applications

because

of

handshakeoverhead)§15.1.1相互認(rèn)證?3/22/2020?5?華中農(nóng)業(yè)大學(xué)信息學(xué)院重放攻擊當(dāng)有效的簽名消息被拷貝，之后又重新被發(fā)送?簡(jiǎn)單重放?可檢測(cè)的重放?不可檢測(cè)的重放?不加修改的逆向重放（對(duì)稱密碼）解決辦法包括：?序列號(hào)(通常不可行)?時(shí)間戳(需要同步時(shí)鐘)?隨機(jī)數(shù)/響應(yīng)(目前的常用方法)Replay

Attacks

are

where

avalid

signed

message

is

copied

and

later

resent.

Such

replays,

at

worst,

could

allow

an

opponent

to

compromise

asession

key

or

successfullyimpersonate

another

party.

At

minimum,

a

successful

replay

can

disrupt

operations

bypresenting

parties

withmessages

that

appear

genuine

but

are

not.[GONG93]

lists

the

examples

above

of

replay

attacks.Possible

countermeasures

include

the

use

of:?

sequence

numbers

(generally

impractical

since

must

remember

last

number

used

with

every

communicating

party)?

timestamps

(needs

synchronized

clocks

amongst

all

parties

involved,

which

can

be

problematic)?

challenge/response

(using

unique,

random,

unpredictable

nonce,

but

not

suitable

for

connectionless

applications

because

of

handshakeoverhead)§15.1.2單向認(rèn)證?3/22/2020?6?華中農(nóng)業(yè)大學(xué)信息學(xué)院當(dāng)收發(fā)雙方不能在同一時(shí)間在線時(shí)(eg.email)有明確的頭信息以被郵件系統(tǒng)轉(zhuǎn)發(fā)希望對(duì)內(nèi)容進(jìn)行保護(hù)和認(rèn)證A

two-level

hierarchy

of

symmetric

encryption

keys

can

be

used

to

provide

confidentiality

for

communication

in

a

distributed

environment.Usually

involves

the

use

of

a

trustedkey

distribution

center

(KDC).

Each

party

in

the

network

shares

a

secret

master

key

with

the

KDC.

The

KDC

is

responsible

for

generating

session

keys,

and

for

distributing

those

keys

to

the

partiesinvolved,

using

the

master

keys

toprotectthese

session

keys.15.2

基于對(duì)稱加密的遠(yuǎn)程用戶認(rèn)證?3/22/2020?7?華中農(nóng)業(yè)大學(xué)信息學(xué)院如前所述，需要兩層密鑰?？尚诺腒DC,

Key

Distribution

Center?每個(gè)用戶與KDC共享一個(gè)主密鑰?KDC產(chǎn)生通信方之間所用的會(huì)話密鑰?主密鑰用于分發(fā)會(huì)話密鑰The

Needham-Schroeder

Protocol

is

the

original,

basic

key

exchange

protocol.

Used

by

2

parties

who

both

trusted

a

common

key

server,

itgives

one

party

the

info

needed

to

establish

a

session

key

with

the

other.

Note

that

since

the

key

server

chooses

the

session

key,

it

is

capable

ofreading/forging

any

messages

between

A&B,

which

is

why

they

need

to

trust

it

absolutely!Note

that

allcommunications

is

between

A&KDC

and

A&B,

B&KDC

don"t

talk

directly

(thoughindirectly

a

message

passes

from

KDC

via

A

to

B,

encrypted

in

B"s

key

so

that

A

is

unable

to

read

or

alter

it).

Other

variations

of

key

distribution

protocols

can

involve

direct

communicationsbetween

B&KDC.Needham-Schroeder協(xié)議?3/22/2020?8?華中農(nóng)業(yè)大學(xué)信息學(xué)院有第三方參與的密鑰分發(fā)協(xié)議KDC作為AB會(huì)話的中介協(xié)議:A

->

KDC:

IDA

||

IDB

||

N1KDC

->

A:

EKa

[Ks

||

IDB

||

N1

||

EKb

[Ks

||

IDA]

]A

->

B:

EKb

[Ks

||

IDA]B

->

A:

EKs[N2]A

->

B:

EKs[

f

(N2)

]There

is

acritical

flaw

in

the

protocol,

as

shown.

Itcan

be

corrected

by

either

using

timestamps,

or

an

additional

nonce,

with

respectiveadvantages

and

limitations.This

example

emphasises

the

need

to

be

extremelycareful

in

codifyingassumptions,

and

tracking

the

timeliness

of

the

flow

of

info

in

protocols.Designing

secure

protocols

is

not

easy,

and

should

not

be

done

lightly.

Great

care

and

analysis

is

needed.Needham-Schroeder協(xié)議?3/22/2020?9?華中農(nóng)業(yè)大學(xué)信息學(xué)院用于安全地分發(fā)AB之間通信所用的會(huì)話密鑰

存在重放攻擊的風(fēng)險(xiǎn)，如果一個(gè)過時(shí)的會(huì)話密鑰被掌握?則消息3可以被重放以欺騙B使用舊會(huì)話密鑰，使B遭到破壞解決的辦法:?時(shí)間戳(Denning

81)?使用一個(gè)額外的臨時(shí)會(huì)話號(hào)(Neuman

93)添加時(shí)間戳:A

->

KDC:

IDA

||

IDBKDC

->

A:

EKa

[Ks

||

IDB

||

T

||

Eb

[Ks

||

IDA||T]]A

->

B:

EKb

[Ks

||

IDA

||T]B

->

A:

EKs[N1]A

->

B:

EKs[

f

(N1)

]?3/22/2020?10?華中農(nóng)業(yè)大學(xué)信息學(xué)院防止壓制重放攻擊:A

->

B:

IDA

||

NaB->KDC:

IDB||Nb||E(Kb,[IDA||Na||Tb])KDC->A:

EKa

[IDB

||Na||Ks||

Tb]

||

EKb

[IDA||

Ks

||Tb]||NbA

->

B:

EKb

[IDA

||

Ks

||

Tb]||EKs[Nb]?3/22/2020?11?華中農(nóng)業(yè)大學(xué)信息學(xué)院Using

symmetric

encryption,

withsome

refinement,

the

KDC

strategy

isa

candidate

for

encrypted

electronic

mail.

Because

we

wishto

avoidrequiring

that

the

recipient

be

on

line

at

the

same

time

as

the

sender,

steps4

and

5

must

be

eliminated,

leaving

the

protocol

as

shown.Thisapproach

guaranteesthat

only

the

intended

recipient

of

a

message

will

be

able

toreadI,

and

also

provides

a

level

of

authentication

that

the

sender

is

A.

As

specified,

theprotocol

does

notprotect

against

replays.

You

could

rely

on

timestamp

in

the

message,

though

email

delays

make

this

problematic.對(duì)稱加密方法-單向認(rèn)證?3/22/2020?12?華中農(nóng)業(yè)大學(xué)信息學(xué)院可以變化對(duì)KDC的使用，但是不能使用臨時(shí)交互號(hào):A->KDC:

IDA

||

IDB

||

N1KDC

->

A:

EKa[Ks

||

IDB

||

N1

||

EKb[Ks||IDA]

]A

->

B:

EKb[Ks||IDA]

||

EKs[M]不能抗重放攻擊?可以引入時(shí)間戳到信息中但email的處理中存在大量延時(shí)，使得時(shí)間戳用途有限。Kerberos

is

an

authentication

service

developed

as

partof

Project

Athena

at

MIT,

and

is

one

of

the

best

known

and

most

widelyimplementedtrusted

third

party

keydistribution

systems.Kerberos

provides

a

centralized

authentication

server

whose

functionis

to

authenticate

users

to

servers

and

servers

to

users.

Unlike

most

otherauthenticationschemes,

Kerberos

relies

exclusively

on

symmetric

encryption,

makingno

use

of

public-keyencryption.

Two

versions

of

Kerberosare

in

common

use:

v4

&

v5.§15.3

Kerberos?3/22/2020?13?華中農(nóng)業(yè)大學(xué)信息學(xué)院由MIT開發(fā)在分布式網(wǎng)絡(luò)中提供有第三方參與的基于私鑰的認(rèn)證?允許用戶通過訪問分布在網(wǎng)絡(luò)中的服務(wù)?沒有必要相信所有工作站?然而都信任認(rèn)證中心服務(wù)器兩個(gè)版本:4

&

5The

first

published

report

on

Kerberos

[STEI88]

listed

the

requirements

shownabove.

To

support

these

requirements,

Kerberos

is

a

trustedthird-party

authentication

service

that

uses

a

protocol

based

on

that

proposed

by

Needhamand

Schroeder

[NEED78],

whichwas

discussed

inChapter

7.Kerberos要求?3/22/2020?14?華中農(nóng)業(yè)大學(xué)信息學(xué)院第一份Kerberos的需求報(bào)告:?安全性?可靠性?透明性?可伸縮性用基于Needham-Schroeder的認(rèn)證協(xié)議實(shí)現(xiàn)The

core

of

Kerberos

is

the

Authentication

and

Ticket

GrantingServers

–

these

are

trusted

by

all

users

and

servers

and

must

be

securelyadministered.

The

protocol

includes

a

sequence

of

interactions

between

the

client,

AS,

TGT

and

desired

server.Kerberos

v4概覽?3/22/2020?15?華中農(nóng)業(yè)大學(xué)信息學(xué)院基于第三方的認(rèn)證方案認(rèn)證服務(wù)器(AS)?用戶初始與AS對(duì)話以標(biāo)識(shí)自身?AS發(fā)放一個(gè)高度可信的認(rèn)證證書(ticket

grantingticket,TGT)票據(jù)授權(quán)服務(wù)器(TGS)?用戶接著從TGS以TGT為依據(jù)得到其它訪問服務(wù)The

full

Kerberos

v4

authentication

dialogue

is

shownin

Stallings

Table

14.1,

divided

into

the

3

phases

shown

above.

The

justification

for

eachitem

in

the

messages

is

given

in

Stallings

Table

14.2.Kerberos

v4對(duì)話從AS得到授權(quán)票據(jù)(TGT)每個(gè)會(huì)話進(jìn)行一次從TGT獲得服務(wù)授權(quán)票據(jù)對(duì)每個(gè)不同的服務(wù)請(qǐng)求一次客戶/服務(wù)器交換信息以獲得服務(wù)每次服務(wù)時(shí)?3/22/2020?16?華中農(nóng)業(yè)大學(xué)信息學(xué)院Stallings

Figure

14.1

diagrammatically

summarizes

the

Kerberos

v4

authenticationdialogue,

with

3

pairs

of

messages,

for

each

phase

listedpreviously.Kerberos

4概覽?3/22/2020?17?華中農(nóng)業(yè)大學(xué)信息學(xué)院A

full-service

Kerberos

environment

consisting

of

aKerberos

server,

a

number

of

clients,

and

anumberof

application

servers

is

referred

to

as

aKerberos

realm.

A

Kerberos

realm

is

aset

of

managed

nodes

that

share

the

same

Kerberos

database,

and

are

partof

the

same

administrativedomain.

If

have

multiple

realms,

their

Kerberos

servers

must

share

keys

and

trust

each

other.Kerberos域?3/22/2020?18?華中農(nóng)業(yè)大學(xué)信息學(xué)院一個(gè)Kerberos環(huán)境的構(gòu)成:?一個(gè)Kerberos服務(wù)器?客戶，都在AS中已經(jīng)注冊(cè)?應(yīng)用服務(wù)器，與AS共享密鑰環(huán)境術(shù)語稱為：域，realm?典型地都是一個(gè)單一的行政區(qū)域

如果有多個(gè)域，Kerberos服務(wù)器之間必須相互信任且共享密鑰Stallings

Figure

14.2

shows

the

authenticationmessages

where

service

is

beingrequested

fromanother

domain.

The

ticket

presented

to

theremote

server

indicates

the

realm

in

which

the

user

was

originally

authenticated.

The

server

chooses

whether

to

honor

the

remote

request.Oneproblempresented

by

the

foregoing

approach

is

that

it

does

not

scale

well

to

many

realms,

as

each

pair

of

realms

need

to

shareakey.Kerberos域?3/22/2020?19?華中農(nóng)業(yè)大學(xué)信息學(xué)院Kerberos

Version

5

is

specified

in

RFC

1510

and

providesanumber

ofimprovements

over

version

4

in

the

areas

of

environmental

shortcomingsand

technical

deficiencies,

in

areas

as

noted.

See

Stallings

Table

14.3

for

details

of

the

Kerberos

v5

authenticationdialogue.Kerberos版本5?3/22/2020?20?華中農(nóng)業(yè)大學(xué)信息學(xué)院制定于20世紀(jì)90年代中期作為RFC

1510對(duì)v4作了改進(jìn)?環(huán)境缺陷

對(duì)加密系統(tǒng)的依賴性,網(wǎng)絡(luò)協(xié)議,字節(jié)序,票據(jù)生命期,向前認(rèn)證,域間認(rèn)證?技術(shù)不足兩次加密,非標(biāo)準(zhǔn)模式PCBC,會(huì)話密鑰,口令攻擊Kerberos小結(jié)條件--過程--總結(jié)條件：Client與KDC，KDC與Service在協(xié)議工作前已經(jīng)有了各自的共享密鑰，并且由于協(xié)議中的消息無法穿透防火墻，這些條件就限制了Kerberos協(xié)議往往用于一個(gè)組織的內(nèi)部，使其應(yīng)用場(chǎng)景不同于X.509

PKI。?3/22/2020?21?華中農(nóng)業(yè)大學(xué)信息學(xué)院Kerberos

過程?3/22/2020?22?華中農(nóng)業(yè)大學(xué)信息學(xué)院1.Client向KDC發(fā)送自己的身份信息，KDC從TicketGranting

Service得到TGT(ticket-granting

ticket)，并用協(xié)議開始前Client與KDC之間的密鑰將TGT加密回復(fù)給Client。此時(shí)只有真正的Client才能利用它與KDC之間的密鑰將加密后的TGT解密，從而獲得TGT。（此過程避免了Client直接向KDC發(fā)送密碼，以求通過驗(yàn)證的不安全方式）2.Client利用之前獲得的TGT向KDC請(qǐng)求其他Service的Ticket，從而通過其他Service的身份鑒別。Kerberos

過程Kerberos協(xié)議的重點(diǎn)在于第二部分，簡(jiǎn)介如下：?3/22/2020?23?華中農(nóng)業(yè)大學(xué)信息學(xué)院Kerberos

過程?3/22/2020?24?華中農(nóng)業(yè)大學(xué)信息學(xué)院1.Client將之前獲得TGT和要請(qǐng)求的服務(wù)信息(服務(wù)名等)發(fā)送給KDC，KDC中的Ticket

Granting

Service將為Client

和Service之間生成一個(gè)Session

Key用于Service對(duì)Client的身份鑒別。然后KDC將這個(gè)Session

Key和用戶名，用戶地址（IP），服務(wù)名，有效期,時(shí)間戳一起包裝成一個(gè)Ticket(這些信息最終用于Service對(duì)Client的身份鑒別)發(fā)送給Service，不過Kerberos協(xié)議并沒有直接將Ticket發(fā)送給Service，而是通過Client轉(zhuǎn)發(fā)給Service.所以有了第二步。Kerberos

過程?3/22/2020?25?華中農(nóng)業(yè)大學(xué)信息學(xué)院2.此時(shí)KDC將剛才的Ticket轉(zhuǎn)發(fā)給Client。由于這個(gè)Ticket是要給Service的，不能讓Client看到，所以KDC用協(xié)議開始前KDC與Service之間的密鑰將Ticket加密后再發(fā)送給Client。同時(shí)為了讓Client和Service之間共享那個(gè)秘密(KDC在第一步為它們創(chuàng)建的Session

Key)，KDC用Client與它之間的密鑰將SessionKey加密隨加密的Ticket一起返回給Client。3．為了完成Ticket的傳遞，Client將剛才收到的Ticket轉(zhuǎn)發(fā)到Service.由于Client不知道KDC與Service之間的密鑰，所以它無法篡改Ticket中的信息。同時(shí)Client將收到的Session

Key解密出來，然后將自己的用戶名，用戶地址（IP）打包成Authenticator用SessionKey加密也發(fā)送給Service。?3/22/2020?26?華中農(nóng)業(yè)大學(xué)信息學(xué)院Kerberos過程□4．Service收到Ticket后利用它與KDC之間的密鑰將Ticket中的信息解密出來，從而獲得SessionKey和用戶名，用戶地址（IP），服務(wù)名，有效期。然后再用SessionKey將Authenticator解密從而獲得用戶名，用戶地址（IP）將其與之前Ticket中解密出來的用戶名，用戶地址（IP）

做比較從而驗(yàn)證Client的身份。5.如果Service有返回結(jié)果，將其返回給Client。?3/22/2020?27?華中農(nóng)業(yè)大學(xué)信息學(xué)院Kerberos過程概括起來說Kerberos協(xié)議主要做了兩件事1．Ticket的安全傳遞。2．Session

Key的安全發(fā)布。再加上時(shí)間戳的使用就很大程度上的保證了用戶鑒別的安全性。并且利用Session

Key，在通過鑒別之后Client和Service之間傳遞的消息也可以獲得Confidentiality(機(jī)密性

Integrity(完整性)的保證。不過由于沒有使用非對(duì)稱密鑰自然也就無法具有抗否認(rèn)性，這也限制了它的應(yīng)用。相對(duì)而言它比X.509

PKI的身份鑒別方式實(shí)施起來簡(jiǎn)單。?3/22/2020?28?華中農(nóng)業(yè)大學(xué)信息學(xué)院Kerberos

總結(jié)Havearange

of

approaches

based

on

the

use

of

public-key

encryption,

which

generallyassume

that

each

of

the

two

parties

is

in

possession

ofthe

current

public

key

of

the

other.

The

central

system

is

knownas

anAuthentication

Server

(AS).

Have

various

protocols

using

timestamps

ornonces,

and

again

flaws

were

found

in

anumberof

the

original

proposals.

See

text

for

details.15.4

基于公鑰加密的遠(yuǎn)程認(rèn)證?3/22/2020?29?華中農(nóng)業(yè)大學(xué)信息學(xué)院需要確保彼此的公鑰提前已經(jīng)獲知

采用一個(gè)中心認(rèn)證服務(wù)器Authentication

Server(AS)用時(shí)間戳或臨時(shí)交互號(hào)的變形協(xié)議A

protocolusing

timestamps

is

provided

in[DENN81]

is

shown

above.

The

central

authentication

server

(AS)

only

provides

public-keycertificates.

The

session

key

is

chosen

and

encrypted

by

A;

hence,

there

is

no

risk

of

exposure

by

the

AS.

The

timestamps

protect

against

replaysof

compromised

keys.

This

protocol

is

compact

but,

as

before,

requires

synchronization

of

clocks.15.4.1雙向認(rèn)證：Denning

AS協(xié)議?3/22/2020?30?華中農(nóng)業(yè)大學(xué)信息學(xué)院Denning

81協(xié)議描述如下:A

->

AS:

IDA

||

IDBAS

->

A:

EPRas[IDA||PUa||T]

||

EPRas[IDB||PUb||T]A

->

B:

EPRas[IDA||PUa||T]

||

EPRas[IDB||PUb||T]

||EPUb[EPRas[Ks||T]]會(huì)話密鑰由A選擇，所以不存在會(huì)話密鑰被AS泄密的危險(xiǎn)時(shí)間戳可用于防止重放攻擊，但需要時(shí)鐘同步。?改用臨時(shí)交互號(hào)Denning

AS協(xié)議的改進(jìn)（1）?3/22/2020?31?華中農(nóng)業(yè)大學(xué)信息學(xué)院Denning

AS協(xié)議的改進(jìn)（2）?3/22/2020?32?華中農(nóng)業(yè)大學(xué)信息學(xué)院Have

already

presented

public-key

encryption

approaches

that

are

suited

to

electronic

mail,

including

the

straight

forward

encryption

of

the

entiremessage

for

confidentiality,

authentication,

or

both.