8.

AUTHENTICATION AND KEY DISTRIBUTION

Bassam Tork Dr. Yanqing Zhang

Outline
Concepts
Authentication Protocols Design of Authentication Protocols Needham-Schroeder Protocol Kerberos Protocol Version V

Research
Case Study: Key Distribution Framework for a Mobile Agent Platform

References

Overview [Randy Chow & et al,1997]

Authentication is the process of verifying the identity of an object entity. one-way verification:Password verification. Two way authentication: both communicating entities verify each others identity. This type of mutual authentication is important for communication between autonomous principals in a client/server or peer-to-peer distributed environment.

Orvveiew [George Coulouris & et al,2001]

Cryptography is used for authenticating communication between pairs of principals. If keys are held in private, a successful decryption authenticates the decrypted message as coming from a particular sender.

Authentication Protocols [Randy Chow & et al,1997]

Authentication protocols are all about distribution and management of secret keys.
Key distribution in a distributed environment is an implementation of distributed authentication protocols.

Design of Authentication Protocols

[Randy Chow & et al,1997]

Many authentication protocols have been proposed: All protocols assume that some secret information is held initially by each principal. Authentication is achieved by one principal demonstrating the other that it holds that secret information. All protocols assume that system environment is very insecure and is open for attack. So any message received by a principal must have its origin authenticity, integrity and freshness verified.

Design of Authentication Protocols

[Randy Chow & et al,1997 ]

To achieve these goals, most protocols need to rely on an authentication server.

Capable: Authentication server delivers good-quality session keys and distribute them to the requesting principals securely. Trustworthy: Authentication server maintains a table containing a name and a secret key for each principal. The secret key is used only to authenticate client processes to the authentication server and to transmit messages securely between client processes and the authentication server.

Design of Authentication Protocols

[Randy Chow & et al,1997]

Protocols are divided into two categories to verify the freshness of a message. First category uses nonce and challenge/ response handshake to verify freshness. Second category uses timestamps and assumes that all machines in distributed system are clocksynchronized.

The Evolution of Authentication Protocols

[Randy Chow & et al,1997]

Needham-Schroeder Protocol. Kerberos protocol.

Needham-Schroeder Protocol
[George Coulouris & et al,2001]

This original work includes secret-key protocol and public key protocol Public-key protocol does not depend on the existence of authentication server and is hence more suitable for use in networks with many independent management domains. Secret-key protocol provides a solution to authentication and key distribution based on an authentication server.

Needham-Schroeder Secret-key Protocol

[http://en.wikipedia.org/wiki/Needham-Schroeder_protocol, May 2008]

The protocol is based on the generation and transmission of ticket by the authentication server. A ticket is an encrypted message containing a secret key for use in communication between A and B. The protocol consists of 5 steps.

Needham-Schroeder Secret-key Protocol

1. 2. A->S : A, B, NA A requests S to supply a key for communication with B S->A: {NA, B, KAB, {A, KAB} KB } KA S returns a message encrypted in As secret key, containing a newly generated key KAB, and a ticket encrypted in Bs secret key A->B: {A, KAB} KB A sends the ticket to B B->A: {NB} KAB B decrypts the ticket and uses the new key KAB to encrypt another nonce NB A->B: {NB - 1} KAB A demonstrates to B that it was the sender of the previous message by returning an agreed transformation of NB

3. 4. 5.

Weakness
If session key between A and B is compromised, and the ticket to B is recorded, an intruder can impersonate A by carrying out last 3 steps.
The weakness can be remedied by adding a timestamp to message3, so that it becomes. A->B: {A, t, KAB} KB B decrypts this message and checks that t is recent. This is the solution adopted in Kerberos

Kerberos Protocol V
[George Coulouris & et al,2001]

Based on Needham-Schroeder but uses timestamps It is included in the Distributed Computing Environment (DCE) and in the windows 2000 as the default authentication service. A Kerberos server is known as a Key Distribution Centre (KDC). Each KDC has an authentication service (AS) and a Ticket Granting service (TGS).

Kerberos Protocol V
[George Coulouris & et al,2001]

Kerberos deals with three kinds of security object: Ticket: a token issued to a client by the Ticket-Granting Service for presentation to a particular server, verifying that the sender has recently been authenticated by Kerberos. Tickets include an expiry time and a newly generated session key for the use by the client and the server Authenticator: a token constructed by a client and sent to a server to prove the identity of the user. It contains clients name and a timestamp and is encrypted in the appropriate session key Session key: a secret key generated by Kerberos and issued to a client for use when communicating with a particular server.

Kerberos Protocol V
A Kerberos ticket has a fixed period of validity starting at time t1 and ending at time t2. A ticket for a client C to access a serve S takes the form: {C,S, t1, t2, Kcs} Ks, which we denote as {ticket(C,S)} Ks The clients name is included in the ticket to avoid possible use by impostors.
The protocol consists of 4 steps.

Kerberos Protocol V
Step A: obtain Kerberos session key and TGS ticket, once per login session
1. C->A: C,T, n Client C requests the Kerberos authentication server A to supply a ticket for communication with the TGS T A->C: {KcT, n, {ticket(C, T)} KT} Kc A returns a message containing a ticket encrypted in its secret key and a session key for C to use with T.

2.

Kerberos Protocol V
To obtain a ticket for any server S, C constructs an authenticator encrypted in KcT of the form: {C, t} KcT, which we denote as {auth(C)} KcT
Step B: obtain ticket for a server S, once per client-server session 3. C->T: {auth(C)}KcT, {ticket(C, T)} KT, S, n C requests the ticket-granting server T to supply a ticket for communication with another server S 4. T->C: {Kcs, n, {ticket(C,S)} Ks} KcT T checks the ticket. If it is valid T generates a new session key Kcs and returns it with a ticket for S (encrypted in the servers secret key Ks).

Kerberos Protocol V
Step C: issue a server request with a ticket 5. C->S: {auth(C)} Kcs, {ticket(C, S)} Ks, request, n C sends the ticket to S with a generated authenticator for C and a request.

Step D: Authenticate server (optional) S->C: {n} Kcs

Drawbacks
[http://en.wikipedia.org/wiki/Kerberos_(protocol), October 2009]

Single point of failure: It requires continuous availability of a central server. When the Kerberos server is down, no one can log in. This can be mitigated by using multiple Kerberos servers and fallback authentication mechanisms. Kerberos requires the clocks of the involved hosts to be synchronized. The tickets have a time availability period and if the host clock is not synchronized with the Kerberos server clock, the authentication will fail. The default configuration requires that clock times are no more than 10 minutes apart.

Research

 Case Study: Key Distribution Framework for a Mobile Agent Platform[Leila Ismail & et al, 2008]

Outline[Leila Ismail & et al, 2008]

1-Definition 2-Security threats in a mobile agent system. 3-The rationale beyond authentication for mobile agents. 4-Present the requirements for key distribution in a mobile agent system. 5- Describe key distribution mechanisms. 6-Describe the key distribution protocol for a mobile agent platform and for the mobile agents. 7- comparison with related works, conclusion. 8-Future Work

Definition
A Mobile Agent is a process with its own code and data that can migrate in the network from one host (called agent server) to another to perform a specific task on behalf of their users.
Mainly intended to address efficiency problems of Distributed applications. They reduce communication costs by moving computation to or close to the host on which the target data reside. Can move closer to potential resources for access. In addition agents communicate with each others either locally or remotely. In these scenarios, protection becomes an urgent need.

Example

The agent moves from one travel agency to another. At each travel agency, the agent compares the prices of the flights got from the current agency with those got from the previous agencies, selects the flight with the best price and moves to the next agency

Security Threats
Spying and intercepting the agent (Man in the Middle Attacks).
A competitor travel agency can modify to its interest the intermediate results of the cheapest price obtained by the mobile agent (agents integrity). An attacker can also modify the agents data causing an error leading to a Denial of Service attack (DOS). This type of attack can be mounted through vulnerable communication channels of the system. An attack of this nature can happen during an agents migration.

Security Threats-cont.
Spying and intercepting the agents itinerary.
The itinerary of an agent is the list of agents servers to visit. Knowing the agents itinerary, a DOS attack can be mounted against the agent itself. A competitor travel agency for instance can modify an agents itinerary so that the agent would not visit other competitors. The agents itinerary can be also be maliciously modified so that to deviate the agent from its destination. Thus forcing the agent to move to an unknown agent server or to skip certain agents server.

Security Threats-cont.
Masquerading. This type of attack consists of bypassing the authentication mechanisms.
An agent pretends to be some other uthenticated agent to obtain access rights. Gaining access, the agent would then compromise the confidentiality and the integrity of accessed resources. For example, an agent can pretend to be an administrative agent so that to gain access to flights prices and modify the prices to its interest.

Security Threats-cont.
DOS attack against an agent server by the mobile agent.
An agent executing on an agents server can clone itself to an unlimited number of agents. It can consume a huge number of CPU cycles, create a huge number of processors, etc.

Security Threats-cont.
Repudiation: The repudiation is the refusal to admit responsibility of an action. For instance, an agent (representing a user) can refuse to admit a banking transaction which involves fund transfer. In case of collaboration between 2 agents, the sender of the message can refuse to admit sending the message and the receiver of the message can refuse to admit of receiving a message.

Security Threats-cont.
Based on the above threats, we need to achieve theses security issues : Protecting an agent server from a mobile agent. This consists of protecting the receiving hosts resources, such as file system, memory, CPU cycles, and I/O channels. In particular an agent must not be able to access files ,memory for which it does not have access rights. Also, an agent must not be able to run forever on a receiving host.

Security Threats-cont.
Protecting cooperating agents. Agents can communicate locally within an agents server or remotely. Agents must authenticate each others before communication takes place. Protecting an agent from an agent server. This problem consists of protecting an agent from an malicious agents server that is executing it.

Mobile Agents Authentication

Authentication is the process of verifying the identity of a principal for an eventual access control. In a mobile agent system, authentication is used for 2 main reasons:
Authenticating agent servers. This consists of authenticating both the sender and the receiver, so that to establish a mutual trust at the platform level.

Mobile Agents Authentication-cont.

Authenticating mobile agents. It is necessary to authenticate mobile agents so that to establish a trust at the application level.

Key Distribution Requirements.

In designing the key distribution protocol, the authors took into consideration the following requirements: Security domain change: The Certifiction Authority (CA) of the receiving security domain must be able to authenticate the agent which comes from another security domain.

Key Distribution Requirements-cont.

Trust establishment: The key distribution process should start with a very high trust relationship with the Certifiction Authority (CA) . Secure key distribution: The key distribution process should be conducted in a secure manner (e.g., trusted path). Efficiency: The key distribution process should not consume a lot of resources, such as machines CPUs and network bandwidth.

Key Distribution Requirements-cont.

Scalability: The key distribution process must be scalable enough, so that the mobile agent can have the ability to roam widely. Transparency: The mobile agents should not include a code which is proper to key distribution. This will ease programming as agents programmers will concentrate on the programming logic rather than the key obtaining issues.

Key Distribution Requirements-cont.

Portability: The protocol should not be platform specific and should be ported to any mobile agent platform. Ease of administration: The key distribution protocol should not be a burden on the administrator. The protocol is an automated infrastructure that should require minimum administrators intervention.

Key Distribution Mechanisms.

A. System Components: A key distribution system for mobile agents includes the following components: Agent: An agent is a software component which executes on behalf of a particular user who is the user of the agent. An agent can be mobile and move from one host server to another under its own control to achieve tasks on these hosts servers.

Key Distribution Mechanisms.

Architecture of Key Distribution System in a Mobile Agent Transform

Key Distribution Mechanisms - cont. -System Components Agent Server: Each host, as part of the mobile agent platform, runs an execution environment, the agent server. Messaging System. A messaging system is part of an agent execution environment. It provides facilities for agents to communicate both locally and remotely

Key Distribution Mechanisms - cont. -System Components The CA. It is a trusted third party which provides digital certificates for mobile agents, users and agent servers. All digital certificates are signed by the CA for further verification of their authenticity and validity.

Key Distribution Mechanisms - cont. -System Components Keystore: Each agent server has a local database which is used to store and retrieve its own private/public key pair and the digital certificate. It also stores the digital certificate of the trusted CA and other agent severs, mobile agents, and CAs with which the agent server has prior communication. Similarly, each CA has a local keystore .

Key Distribution Mechanisms - cont. -System Components Security Domain: A security domain consists of a group of agent servers which are under one common CA. In the security domain, the agent servers have the digital certificate of their local CA stored in their local keystores. When a mobile agent moves, it can move within the same security domain or changes a security domain.

Key Distribution Mechanisms - cont. - Key Authentication Examples of entity impersonation threat: Ex1: when a user agent assumes the identity of another already authenticated user agent to gain benefit from the communication. Ex2: when an agent server assumes the identity of another very credible agent server in order to gain advantage over it.

Key Distribution Mechanisms - cont. - Key AuthenticationTo protect against such threat, public keys of both user agents and agent servers must be authenticated. The most widely approaches, for solving the key authentication problem : 1-ones based on the certifying authority model (e.g. Secure Socket Layer/Transport layer Security(SSL/TLS)) . 2-The web-of-trust (e.g. pretty Good Privacy(PGP). The researchers adopted the certifying authority model as a key authentication method for trust establishment. They believe that this approach has an advantage over the web of trust
because the web of trust relies on one to one trust establishment between entities, which cannot be achieved in a mobile agent environment where prior knowledge between communicating entities may not exist.

Key Distribution Mechanisms - cont. - Key AuthenticationFor key authentication, the authers made the following assumptions: Trust must be established between different CAs. Every mobile agent server must be preconfigured with the digital certificate of the local CA within the same security domain.

Key Distribution protocol

Key Distribution Protocol for a Mobile Agent Platform

Key Distribution protocol

The proposed key distribution protocol is composed of the following phases: Pre-configuration Phase: A domain administrator reconfigures the local keystore of the agent server with the digital certificate of the local CA. Initialization Phase: An administrator starts a mobile agent server which leads to the following actions: 1) An agent server generates a private/public key pair locally. 2) An agent server sends a request which include the public key to the local CA for certification. 3) The local CA sends a response to the agent server including the agent server digital certificate, signed by the local CA.

Key Distribution protocol cont.

User Registration Phase: An agent user can register to an agent platform to be able to configure and use its agents. The following actions occur: 1) A private/public key pair is generated locally for the user. 2) The agent server on which the user is registered sends a request which includes the user public key to the local CA for certification. 3) The local CA sends a response to the agent server including the agent user digital certificate, signed by the local CA.

Key Distribution protocol cont.

Agent Mobility Phase: This phase details the actions that the system takes when an agent moves according to two scenarios: mobility within the same security domain mobility across domains as follows.

Key Distribution protocol cont.

- Agent Mobility within Same Security DomainAgent Mobility within Same Security Domain. In this scenario, all the agent servers are under the authority of the same CA. 1) Sender agent server sends a SYNC request which includes its identify and certificate to the receiver agent server. 2) Receiver agent server verifies the certificate (VERIFY operation) using the certificate of the CA in the local keystore. 3) Receiver agent server sends an ACK response to the sender agent server which includes the receiver agent server identity and certificate. 4) Sender agent server verifies the certificate (VERIFY operation) using the certificate of the CA in the local keystore. 5) Sender agent server sends a message which includes the agent, the agent identity and certificate, signed by the local CA. 6) Receiver agent server verifies the certificate of the agent using the certificate of the CA in the local keystore. 7) Receiver agent server accepts or reject the agent and informs the sender agent server of the acceptance or rejection.

Key Distribution protocol cont.

- Agent Mobility Across Security DomainAgent Mobility across Security Domains. In this scenario, agent servers are under the authorities of different CAs: 1) Sender agent server sends a SYNC request which includes its identify and certificate to the receiver agent server. 2) VERIFY operation (receiver side) works as follows:

- If the receiver agent server does not have the certificate of the CA of the sender agent server, then the receiver agent server sends a request to its local CA. That message includes the sender agent server identity and certificate.
-The Local CA of the receiver agent server sends a response to the receiver agent server which includes the sender certificate signed by the receiver CA. -If the receiver local CA does not have the certificate of the sender local CA, then the receiver local CA forwards the VERIFY request to a higher authority CA and so on.

Key Distribution protocol cont.

- Agent Mobility Across Security Domain3) Receiver agent server sends an ACK response which includes its identity and certificate. 4) VERIFY operation (sender side) works as follows: -If the sender agent server does not have the certificate of the CA of the receiver agent server, then the sender agent server sends a request to its local CA. That message includes the receiver agent server certificate. -The Local CA of the sender agent server sends a response to the sender which includes the receiver certificate signed by the sender CA. -If the sender local CA does not have the certificate of the receiver local CA, then the sender local CA forwards the VERIFY request to a higher authority CA and so on.

Key Distribution protocol cont.

- Agent Mobility Across Security Domain 5) Sender agent server sends to the receiver agent server a message which includes the user agent, the agent identity and certificate, signed by the local CA. 6) VERIFY operation (receiver side) works as follows: -If the receiver agent server does not have the certificate of the CA of the user agent server in its local keystore, then the receiver agent server sends a request to its local CA. That message includes the agent certificate. -The local CA of the receiver agent server sends a response to it which includes the agent certificate signed by the receiver CA. -If the receiver local CA does not have the certificate of the home agent local CA, then the receiver local CA forwards the VERIFY request to a higher authority CA and so on. 7) Receiver agent server accepts or reject the agent and informs the sender agent server of the acceptance or rejection.

Related Works
Literature shows that many proposals have been made, to handle how keys are named and bound to individuals, and how servers manage key distributions: Examples:

1) Secure Shell(SSH): -Transmits the necessary key information during connection setup. -Key exchange is automatically done between a client and a server. - The administrator manually generates the private/public key pair on the client machine -and manually copy the client public key to all the server with which the client will communicate.

Related Works-cont.
2)EX2: Secure Socket Layer/Transport Layer Security SSL/TLS) : -Transmits the necessary key information during connection setup. -Key exchange is automatically done between a client and a server. - The SSL/TLS uses the Diffie-Hellman key exchange that allows 2 peers to exchange a communication session (shared secret key) using certificates already distributed to clients and servers.

Related Works-cont.
Pretty Good Privacy (PGP) Simple Distributed Security Infrastructure/Simple Public Key Infrastructure (SDSI/SPKI) . These mentioned proposals assume that the clients have a prior knowledge of the servers. This approach is not applicable to a mobile agent system where agents Because agent servers have no prior knowledge of each others or their certification authorities. Therefore, the authors believe that the hierarchy CA model is a natural choice for a key distribution framework for a mobile agent platform. This is due to the the scalable nature of the hierarchy CA model which makes no assumption about the system communicating entities.

Conclusion.
The proposed a framework for key distribution in a mobile agent platform, took into account: the dynamic nature of a mobile agent platform. 2-way authentication between the agent, (running on behalf of its user) and the host. the ease of use for both administrators and agents users as it is automatically executed by the underlying platform.

Future Works.
Considering the number of mobile agents, agent servers, CAs, and the keystore performance based on the the number and the sizes of the private keys, public keys and certificates in the system, for performance metrics.

References
*1+ Randy Chow ,Theodore Johnson,Distributed Operating Systems and Algorithms, addison-wesley, 1997 *2+ George Coulouris, Jean Dollimore, Tim Kindberg,DISTRIBUTED SYSTEMS CONCEPTS AND DESIGN, addison-wesley, 2001 [3] http://en.wikipedia.org/wiki/Needham-Schroeder_protocol, October 2009 [4] http://web.mit.edu/kerberos/, 2007/10 [5] http://en.wikipedia.org/wiki/Kerberos_(protocol), October 2009 *6+ Leila Ismail, Ezedin Barka, Next Generation Mobile Applications, Services and Technologies, 2008. NGMAST '08. The Second International Conference on 16-19 Sept. 2008 Page(s):281 287 .