
Problem statements on cross-realm authentication Shoichi Sakane - PowerPoint PPT Presentation



  1. Problem statements on cross-realm authentication
  Shoichi Sakane, Shouichi.Sakane@jp.yokogawa.com
  The 66th IETF meeting, 07/06/06
  Yokogawa Electric Corporation

  2. Purpose of this presentation
  • Not a presentation of our extension (draft-zrelli-krb-xkdcp-00.txt).
  • We would like to share the problems of cross-realm authentication with everyone here.
  • As a next step, we can discuss how to solve the problems. Our extension could be one of the solutions.

  3. Problems
  1. Security
  2. Reliability
  3. Performance
  4. Applicability

  4. Exposure to DoS attack
  Not easy to set up filters to protect the KDC.
  – The KDC handles TGS exchanges with remote clients from different realms.
  [Figure: a KDC receiving TGS requests from clients and from attackers]

  5. No PFS
  Intermediary KDCs can learn session keys.
  ref. "Specifying Kerberos 5 Cross-Realm Authentication", Fifth Workshop on Issues in the Theory of Security, Jan 2005.
  [Figure: trust path Client – Home KDC – KDC – KDC – KDC – Server, with the intermediary KDCs marked "Tainted"]

  6. Reliability of chain
  An intermediary KDC being down causes authentication to fail.
  [Figure: trust path Client – Home KDC – KDC – KDC – KDC – Server, with the failed hops marked X]

  7. Client's performance
  Client-centralized exchanges cause unacceptable delay.
  – The client must perform a TGS exchange with each KDC of the trust path.
  → Not scalable if the number of realms increases, especially for small/embedded devices.

  8. Processing time of Kerberos on embedded devices
  Measured by Yokogawa Electric Corporation, '04 through '06.

  CPU         H8 (16-bit, 20MHz)        DS5250 (8051 arch., 8-bit, 22MHz, w/ DES H/W)
              + Crypt H/W (AES, 3DES,
                SHA1, MD5)
  Krb lib     MIT-1.2.4                 MIT-1.2.4             Original
  Crypt H/W   Enable                    Enable    Disable     Enable    Disable
  TGT         4650ms                    74ms      106ms       26ms      74ms
  TGS         4579ms                    195ms     294ms       49ms      178ms

  Notes on the slide: "Including waiting time", "Excluding waiting time".
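To make the problems of slides 5, 6 and 7 concrete, and to attach the slide 8 timings to them, here is an added illustration in Python. It is not code from the presentation or from the xkdcp draft it mentions. It walks a constructed four-realm trust path A -> B -> C -> D the way a Kerberos client does, with symbolic key labels instead of real cryptography, and then answers three questions: which KDCs on the path can recover the final service session key if they also see the replies on the wire (no PFS), what happens when an intermediary KDC is down (chain reliability), and how the client-side delay grows with one TGS exchange per KDC. The realm names, the helper names (`traverse`, `keys_learnable_by`, and so on) and the choice of the 74 ms TGT / 195 ms TGS figures from the table as per-exchange costs are all assumptions of this example.

```python
"""
Symbolic walk of a client-centric Kerberos cross-realm trust path.

Constructed illustration (not code from the slides or from the xkdcp draft):
keys are labels, no real cryptography runs. It reproduces three effects the
slides describe: every KDC on the path can recover the final session key
(no PFS), one unreachable intermediary KDC aborts authentication, and the
client pays one TGS exchange per KDC on the path.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Kdc:
    realm: str
    up: bool = True
    # keys this KDC knows directly: those it generated, or decrypted out of a ticket
    known: Set[str] = field(default_factory=set)


@dataclass
class Traversal:
    exchanges: int = 0                      # AS exchange + one TGS exchange per KDC contacted
    failed_at: Optional[str] = None         # realm whose KDC was down, if the walk aborted
    service_key: Optional[str] = None       # key shared by client and service, once obtained
    # each KDC reply as (issuing realm, key the reply is encrypted under, session key it carries)
    replies: List[Tuple[str, str, str]] = field(default_factory=list)


def make_kdcs(path: List[str], down: Tuple[str, ...] = ()) -> Dict[str, Kdc]:
    """Constructed realms; `down` lists realms whose KDC is unreachable."""
    return {realm: Kdc(realm, up=realm not in down) for realm in path}


def traverse(path: List[str], kdcs: Dict[str, Kdc]) -> Traversal:
    """path[0] is the client's home realm, path[-1] the realm hosting the service."""
    t = Traversal()
    home = kdcs[path[0]]
    if not home.up:
        t.failed_at = home.realm
        return t
    # AS exchange: the home KDC returns a TGT session key under the client's long-term key.
    hop_key = f"K_{home.realm}_tgt"
    home.known.update({"K_client_longterm", hop_key})
    t.replies.append((home.realm, "K_client_longterm", hop_key))
    t.exchanges += 1
    # One TGS exchange per KDC on the path (slide 7). KDC i reads hop_key out of the
    # (cross-realm) TGT it receives, generates the key for the next hop, and returns
    # that key encrypted under hop_key.
    for i, realm in enumerate(path):
        kdc = kdcs[realm]
        if not kdc.up:
            t.failed_at = realm             # slide 6: a dead intermediary breaks the chain
            return t
        next_hop = path[i + 1] if i + 1 < len(path) else "service"
        new_key = f"K_{realm}->{next_hop}"
        kdc.known.update({hop_key, new_key})
        t.replies.append((realm, hop_key, new_key))
        t.exchanges += 1
        hop_key = new_key
    t.service_key = hop_key
    return t


def keys_learnable_by(kdc: Kdc, t: Traversal) -> Set[str]:
    """Keys a KDC can recover if it also sees the replies on the wire: any reply
    encrypted under a key it knows reveals the key carried inside (slide 5)."""
    learned = set(kdc.known)
    changed = True
    while changed:
        changed = False
        for _realm, enc_key, carried in t.replies:
            if enc_key in learned and carried not in learned:
                learned.add(carried)
                changed = True
    return learned


def realms_that_can_learn_service_key(path: List[str], kdcs: Dict[str, Kdc], t: Traversal) -> List[str]:
    return [r for r in path if t.service_key in keys_learnable_by(kdcs[r], t)]


def client_delay_ms(t: Traversal, as_ms: int, tgs_ms: int) -> int:
    """Client-side processing cost of the exchanges actually performed (network time excluded)."""
    if t.exchanges == 0:
        return 0
    return as_ms + (t.exchanges - 1) * tgs_ms


if __name__ == "__main__":
    path = ["A", "B", "C", "D"]            # constructed realms: client at A, service at D
    kdcs = make_kdcs(path)
    t = traverse(path, kdcs)
    print("exchanges:", t.exchanges, "service key:", t.service_key)
    print("KDCs able to recover it:", realms_that_can_learn_service_key(path, kdcs, t))
    # per-exchange costs taken from the slide 8 table (74 ms TGT, 195 ms TGS), an assumption here
    print("client delay (ms):", client_delay_ms(t, 74, 195))
    broken = make_kdcs(path, down=("C",))
    print("with C down, walk fails at:", traverse(path, broken).failed_at)
```

Running it shows all four KDCs in the list of realms able to recover `K_D->service`, because each reply is encrypted under a key that the previous KDC generated; a KDC further down the path cannot recover keys from earlier hops, which is why the taint in the slide 5 figure spreads forward along the chain. The delay function only counts client-side processing, so the 4650 ms column of the table, where waiting time is included, would make the picture worse still.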

  9. Applicability to roaming scenario
  Roaming users cannot access the home KDC from the visited realm.
  – due to the policy of the realms.
  – due to a chicken-and-egg problem.
  [Figure: Home KDC and Visited KDC; the client reaches the visited KDC (OK) but not the home KDC (NG)]

  10. Summary of problems
  1. Security issues
  – The KDC is exposed to DoS attack from the Internet.
  – Intermediary KDCs can learn session keys.
  2. Reliability of chain
  – An intermediary KDC going down causes authentication to fail.
  3. Client's performance
  – Client-centralized exchanges cause unacceptable delay.
  4. Applicability to roaming scenario
  – Roaming users cannot access their home KDC.

  11. Conclusion
  • There are some problems to be solved in the cross-realm environment.
  • Let's consider real environments in order to deploy Kerberos systems more widely.
  – What are the problems?
  – What problems should be solved?
  – What technologies do we need?

  12. End of presentation
