Key Terms, Review Questions, and Problems

Part of the document Cryptography and Network Security, 4th edition, 2005, William Stallings (Pages 524 - 530)

Key Terms

authentication

authentication server

Kerberos

Kerberos realm

lifetime

nonce

propagating cipher block chaining (PCBC) mode

public-key certificate

realm

sequence number

subkey

ticket

ticket-granting server (TGS)

X.509 certificate

Review Questions

14.1 What problem was Kerberos designed to address?

14.2 What are three threats associated with user authentication over a network or Internet?

14.3 List three approaches to secure user authentication in a distributed environment.

14.4 What four requirements were defined for Kerberos?


14.5 What entities constitute a full-service Kerberos environment?

14.6 In the context of Kerberos, what is a realm?

14.7 What are the principal differences between version 4 and version 5 of Kerberos?

14.8 What is the purpose of the X.509 standard?

14.9 What is a chain of certificates?

14.10 How is an X.509 certificate revoked?

Problems

14.1 Show that a random error in one block of ciphertext is propagated to all subsequent blocks of plaintext in PCBC mode (Figure 14.9).

14.2 Suppose that, in PCBC mode, blocks $C_i$ and $C_{i+1}$ are interchanged during transmission. Show that this affects only the decrypted blocks $P_i$ and $P_{i+1}$ but not subsequent blocks.

14.3 The original three-way authentication procedure for X.509 illustrated in Figure 14.6c contains a security flaw. The essence of the protocol is as follows:

$A \rightarrow B: A\{t_A, r_A, ID_B\}$

$B \rightarrow A: B\{t_B, r_B, ID_A, r_A\}$

$A \rightarrow B: A\{r_B\}$

The text of X.509 states that checking timestamps $t_A$ and $t_B$ is optional for three-way authentication. But consider the following example: Suppose A and B have used the preceding protocol on some previous occasion, and that opponent C has intercepted the preceding three messages. In addition, suppose that timestamps are not used and are all set to 0. Finally, suppose C wishes to impersonate A to B. C initially sends the first captured message to B:

$C \rightarrow B: A\{0, r_A, ID_B\}$

B responds, thinking it is talking to A but is actually talking to C:

$B \rightarrow C: B\{0, r'_B, ID_A, r_A\}$

C meanwhile causes A to initiate authentication with C by some means. As a result, A sends C the following:

$A \rightarrow C: A\{0, r'_A, ID_C\}$

C responds to A using the same nonce provided to C by B.

$C \rightarrow A: C\{0, r'_B, ID_A, r'_A\}$

A responds with

$A \rightarrow C: A\{r'_B\}$

This is exactly what C needs to convince B that it is talking to A, so C now repeats the incoming message back out to B.

$C \rightarrow B: A\{r'_B\}$

So B will believe it is talking to A whereas it is actually talking to C. Suggest a simple solution to this problem that does not involve the use of timestamps.

14.4 The 1988 version of X.509 lists properties that RSA keys must satisfy to be secure, given current knowledge about the difficulty of factoring large numbers. The discussion concludes with a constraint on the public exponent and the modulus $n$:

It must be ensured that $e > \log_2(n)$ to prevent attack by taking the $e$th root mod $n$ to disclose the plaintext.

Although the constraint is correct, the reason given for requiring it is incorrect. What is wrong with the reason given and what is the correct reason?


Appendix 14A Kerberos Encryption Techniques

Kerberos includes an encryption library that supports various encryption-related operations. These were included in the Kerberos 5 specification and are common in commercial implementations. In February 2005, IETF issued RFCs 3961 and 3962, which expand the options of cryptographic techniques. In this appendix, we describe the RFC 1510 techniques.

Password-to-Key Transformation

In Kerberos, passwords are limited to the use of the characters that can be represented in a 7-bit ASCII format. This password, of arbitrary length, is converted into an encryption key that is stored in the Kerberos database. Figure 14.8 illustrates the procedure.

Figure 14.8. Generation of Encryption Key from Password


First, the character string, s, is packed into a bit string, b, such that the first character is stored in the first 7 bits, the second character in the second 7 bits, and so on. This can be expressed as

b[0] = bit 0 of s[0]

...

b[6] = bit 6 of s[0]

b[7] = bit 0 of s[1]

...

b[7i + m] = bit m of s[i], 0 ≤ m ≤ 6

Next, the bit string is compacted to 56 bits by aligning the bits in "fanfold" fashion and performing a bitwise XOR. For example, if the bit string is of length 59, then

b[55] = b[55] ⊕ b[56]

b[54] = b[54] ⊕ b[57]

b[53] = b[53] ⊕ b[58]

This creates a 56-bit DES key. To conform to the expected 64-bit key format, the string is treated as a sequence of eight 7-bit blocks and is mapped into eight 8-bit blocks to form an input key $K_{pw}$.

Finally, the original password is encrypted using the cipher block chaining (CBC) mode of DES with key $K_{pw}$. The last 64-bit block returned from this process, known as the CBC checksum, is the output key associated with this password.

The entire algorithm can be viewed as a hash function that maps an arbitrary password into a 64-bit hash code.
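The first three steps above (packing, fanfold XOR, expansion to 64 bits) can be written as follows. This Python code is an added example, not part of the original text; it stops at $K_{pw}$ because the final DES-CBC step needs a DES implementation. The bit order within each character and the parity-bit placement in `to_des_key` are assumptions (Figure 14.8 is not reproduced here), and the function names are the example's own.

```python
def pack_bits(password):
    # b[7i + m] = bit m of s[i], 0 <= m <= 6.
    # Assumption: bit 0 is the least significant bit of the character.
    # encode("ascii") rejects anything outside the 7-bit range.
    bits = []
    for ch in password.encode("ascii"):
        bits.extend((ch >> m) & 1 for m in range(7))
    return bits

def fanfold(bits, width=56):
    # Lay the bit string out in rows of `width`, reversing every second
    # row, and XOR the rows together (59 bits: b[56] lands on b[55], ...).
    out = [0] * width
    for j, bit in enumerate(bits):
        row, col = divmod(j, width)
        out[col if row % 2 == 0 else width - 1 - col] ^= bit
    return out

def to_des_key(bits56):
    # Assumption: each 7-bit group occupies the high 7 bits of a byte and
    # the low bit is set for odd parity (the usual DES key layout).
    key = bytearray()
    for i in range(0, 56, 7):
        value = sum(bit << m for m, bit in enumerate(bits56[i:i + 7]))
        byte = value << 1
        key.append(byte | (bin(byte).count("1") + 1) % 2)
    return bytes(key)

def k_pw(password):
    # Input key K_pw; the DES-CBC checksum step would follow from here.
    return to_des_key(fanfold(pack_bits(password)))

if __name__ == "__main__":
    # Constructed sample passwords.
    for pw in ("A", "password", "a-longer-constructed-password"):
        print(pw, k_pw(pw).hex())
```

Passwords of eight characters or fewer fit in 56 bits and pass through `fanfold` unchanged; only longer passwords are folded.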

Propagating Cipher Block Chaining Mode

Recall from Chapter 6 that, in the CBC mode of DES, the input to the DES algorithm at each stage consists of the XOR of the current plaintext block and the preceding ciphertext block, with the same key used for each block (Figure 6.4). The advantage of this mode over the electronic codebook (ECB) mode, in which each plaintext block is independently encrypted, is this: With CBC, the same plaintext block, if repeated, produces different ciphertext blocks.

CBC has the property that if an error occurs in transmission of ciphertext block $C_I$ then this error propagates to the recovered plaintext blocks $P_I$ and $P_{I+1}$.

Version 4 of Kerberos uses an extension to CBC, called the propagating CBC (PCBC) mode [MEYE82]. This mode has the property that an error in one ciphertext block is propagated to all subsequent decrypted blocks of the message, rendering each block useless. Thus, data encryption and integrity are combined in one operation. (For an exception, see Problem 14.2).

PCBC is illustrated in Figure 14.9. In this scheme, the input to the encryption algorithm is the XOR of the current plaintext block, the preceding ciphertext block, and the preceding plaintext block:

$$C_n = E(K, [C_{n-1} \oplus P_{n-1} \oplus P_n])$$

Figure 14.9. Propagating Cipher Block Chaining (PCBC) Mode


On decryption, each ciphertext block is passed through the decryption algorithm. Then the output is XORed with the preceding ciphertext block and the preceding plaintext block. We can demonstrate that this scheme works, as follows:


$$D(K, C_n) = D(K, E(K, [C_{n-1} \oplus P_{n-1} \oplus P_n]))$$

$$D(K, C_n) = C_{n-1} \oplus P_{n-1} \oplus P_n$$

$$C_{n-1} \oplus P_{n-1} \oplus D(K, C_n) = P_n$$
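The following Python code is an added example, not part of the original text: it implements the PCBC equations above and reports which decrypted blocks are damaged when one ciphertext block is altered and when two adjacent blocks are exchanged. A 4-round Feistel construction over SHA-256 stands in for DES, and the IV for the first block, the key, the sample blocks, and the helper names are assumptions of the example.

```python
import hashlib
from functools import reduce

def xor(*parts):
    return bytes(reduce(lambda a, b: a ^ b, t) for t in zip(*parts))

def _feistel(key, block, order):
    # Stand-in 64-bit block cipher (assumption of this example), NOT DES.
    l, r = block[:4], block[4:]
    for rnd in order:
        l, r = r, xor(l, hashlib.sha256(key + bytes([rnd]) + r).digest()[:4])
    return r + l  # final swap: reversed round order inverts the cipher

def E(key, block):
    return _feistel(key, block, range(4))

def D(key, block):
    return _feistel(key, block, reversed(range(4)))

def pcbc_encrypt(key, iv, blocks):
    out, prev = [], iv  # prev holds C[n-1] xor P[n-1]; the IV for n = 1
    for p in blocks:
        out.append(E(key, xor(prev, p)))
        prev = xor(out[-1], p)
    return out

def pcbc_decrypt(key, iv, blocks):
    out, prev = [], iv
    for c in blocks:
        out.append(xor(prev, D(key, c)))  # P[n] = C[n-1] ^ P[n-1] ^ D(K, C[n])
        prev = xor(c, out[-1])
    return out

KEY, IV = b"constructed key", bytes(8)          # constructed sample values
PLAIN = [bytes([i]) * 8 for i in range(1, 7)]   # six constructed 64-bit blocks
CT = pcbc_encrypt(KEY, IV, PLAIN)

def damaged(ct):
    # Indices (0-based) of plaintext blocks that no longer decrypt correctly.
    got = pcbc_decrypt(KEY, IV, ct)
    return [i for i, (a, b) in enumerate(zip(PLAIN, got)) if a != b]

def flip_bit(i):
    return damaged(CT[:i] + [xor(CT[i], b"\x01" + bytes(7))] + CT[i + 1:])

def swap(i):
    return damaged(CT[:i] + [CT[i + 1], CT[i]] + CT[i + 2:])

if __name__ == "__main__":
    print("bit flip in block 1:", flip_bit(1), "| swap blocks 2,3:", swap(2))
```

With these inputs `flip_bit(1)` returns `[1, 2, 3, 4, 5]`, while `swap(2)` returns `[2, 3]`: decryption recovers after the exchanged pair, so garbled plaintext alone does not flag every modification.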
