kerberized handover keying a a kerberized handover keying
play

Kerberized Handover Keying: A A Kerberized Handover Keying: Media- - PowerPoint PPT Presentation

Mar 16, 2023 •413 likes •620 views

Kerberized Handover Keying: A A Kerberized Handover Keying: Media- -Independent Handover Key Independent Handover Key Media Management Architecture Management Architecture Yoshihiro Ohba (yohba@tari.toshiba.com yohba@tari.toshiba.com) )

  1. Kerberized Handover Keying: A A Kerberized Handover Keying: Media- -Independent Handover Key Independent Handover Key Media Management Architecture Management Architecture Yoshihiro Ohba (yohba@tari.toshiba.com yohba@tari.toshiba.com) ) Yoshihiro Ohba ( Toshiba America Research, Inc. (USA) Toshiba America Research, Inc. (USA) Subir Das Das ( (subir@research.telcordia.com subir@research.telcordia.com) ) Subir Ashutosh Dutta Dutta ( (adutta@research.telcordia.com adutta@research.telcordia.com) ) Ashutosh Telcordia Technologies (USA) Technologies (USA) Telcordia Aug 27, 2007 Aug 27, 2007 MobiArch07 MobiArch07 1 1

  2. Problem description (1/2) Problem description (1/2) • • Wireless access networks require cryptographic data protection at link t link- -layer layer Wireless access networks require cryptographic data protection a • • Enabling cryptographic data protection requires security signaling ng Enabling cryptographic data protection requires security signali • • Security signaling takes time, especially for peer- -entity authentication in a entity authentication in a Security signaling takes time, especially for peer roaming environment where authentication credentials are stored roaming environment where authentication credentials are stored in a AAA in a AAA server server – – AAA servers are typically located away from access networks AAA servers are typically located away from access networks • • IETF HOKEY WG is working on EAP (Extensible Authentication Protocol) col) IETF HOKEY WG is working on EAP (Extensible Authentication Proto signaling optimization based on two approaches signaling optimization based on two approaches – Pre- -authentication: authentication: a proactive handover optimization technique by which a peer – Pre runs EAP for a candidate target authenticator from the serving access network – Low- -latency Re latency Re- -authentication: authentication: an extension to EAP to minimize message – Low roundtrips by utilizing keying material generated by a previous EAP session Aug 27, 2007 Aug 27, 2007 MobiArch07 MobiArch07 2 2

  3. Problem description (2/2) Problem description (2/2) • • Pre- -authentication applicability is limited to environments authentication applicability is limited to environments Pre where proactive signaling can take effect proactive signaling can take effect where – Optimization for reactive operation is missing – Optimization for reactive operation is missing • • Low- -latency re latency re- -authentication still requires authentication still requires Low communication to an AAA server (in home or visited communication to an AAA server (in home or visited network) after handover network) after handover – Difficult to support real Difficult to support real- -time applications time applications – We propose another approach using Kerberos to address We propose another approach using Kerberos to address these issues these issues Aug 27, 2007 Aug 27, 2007 MobiArch07 MobiArch07 3 3

  4. Kerberos overview Kerberos overview • • Kerberos is a three- -party authentication and key party authentication and key Kerberos is a three management protocol based on symmetric keys management protocol based on symmetric keys • • There are three principals in Kerberos; a client, a server, There are three principals in Kerberos; a client, a server, and a key distribution center (KDC) and a key distribution center (KDC) • • KDC provides two special servers: an Authentication KDC provides two special servers: an Authentication Server (AS) and a Ticket Granting Server (TGS) Server (AS) and a Ticket Granting Server (TGS) • • It is assumed that each client and server has a pre- - It is assumed that each client and server has a pre established trust relationship with KDC based on a secret established trust relationship with KDC based on a secret key key Aug 27, 2007 Aug 27, 2007 MobiArch07 MobiArch07 4 4

  5. Kerberos overview (cont’ ’d) d) Kerberos overview (cont • • In Kerberos, a session key is is generated by the KDC and distributed to the generated by the KDC and distributed to the In Kerberos, a session key client client – The session key is used by the client and server to securely establish a is used by the client and server to securely establish an n – The session key application session session application • • The client then distributes the session key to the server using a a ticket ticket, , or a or a The client then distributes the session key to the server using record generated by the KDC to help a client authenticate itself to a server to a server record generated by the KDC to help a client authenticate itself • • The ticket contains the identity of the client, a session key, a he ticket contains the identity of the client, a session key, a timestamp timestamp T and other information and other information – – The session key is encrypted using the server's secret key shared only with the The session key is encrypted using the server's secret key shared only with the KDC KDC • • The Kerberos protocol consists of three exchanges where the initial The Kerberos protocol consists of three exchanges where the init ial exchange is performed only once exchange is performed only once – – AS- AS -REQ/AS REQ/AS- -REP exchange for acquisition of a TGT (Ticket Granting Ticket) REP exchange for acquisition of a TGT (Ticket Granting Ticket) – TGS- -REQ/TGS REQ/TGS- -REP exchange for acquisition of a ticket used for the server REP exchange for acquisition of a ticket used for the server – TGS – AP- -REQ/AS REQ/AS- -REP exchange for installation of the ticket to the server REP exchange for installation of the ticket to the server – AP Aug 27, 2007 Aug 27, 2007 MobiArch07 MobiArch07 5 5

  6. Kerberos sequence Kerberos sequence C S KDC AS_REQ TGT acquisition AS_REP TGS_REQ TGS_REP Per-server ticket acquisition AP_REQ AP_REP Present Ticket and get access to S S: Application Server C: Application Client KDC: Key Distribution Center Aug 27, 2007 Aug 27, 2007 MobiArch07 MobiArch07 6 6

  7. KHK in a nutshell KHK in a nutshell • A mobile node and an authenticator act as a client or a server of Kerberos • The roles of client and server can be reversed depending on the timing when a ticket is delivered to the authenticator (role reversing) • Two modes of operation Proactive mode is the case in which ticket delivery to the MN happens before – the handover – Reactive mode is the case in which ticket delivery to the MN happens after the handover • Proactive mode is more optimized than reactive mode since it does not require for a mobile node to communicate with KDC after handover • In proactive mode, the signaling latency after handover is expected to be less than 20msec (comparable to IEEE 802.11i 4-way handshake) • KHK does not require an authenticator to create any state for a mobile node before handover even in proactive mode (i.e., more efficient than pre- authentication) Aug 27, 2007 Aug 27, 2007 MobiArch07 MobiArch07 7 7

  8. Proactive mode Proactive mode MN (Client) KDC AS-REQ AS-REP D1,D2 TGS-REQ (A1), TGS-REQ (A2) TGS-REP (T1), TGS-REP (T2) A1 (Server) H1 AP-REQ (T1) A2 (Server) AP-REP KRB-SAFE or SAP Ai: Authenticator H2 Ti : Ticket for Ai AP-REQ (T2) Di: Event “Discovered Ai” AP-REP Hi: Event “Switched to Ai” KRB-SAFE or SAP Aug 27, 2007 Aug 27, 2007 MobiArch07 MobiArch07 8 8

  9. Reactive mode Reactive mode MN (Server) Authenticator (Client) KDC H Trigger (MN) TGS-REQ (MN) TGS-REP (T) AP-REQ AP-REP KRB-SAFE or SAP T : Ticket for MN H: Event “Switched to Authenticator” Kerberos role is reversed between MN and Authenticator (Role Reversing) Aug 27, 2007 Aug 27, 2007 MobiArch07 MobiArch07 9 9

  10. Authorization and accounting Authorization and accounting • Kerberos tickets also carry authorization • Kerberos tickets also carry authorization information information • The authorization information must come from • The authorization information must come from AAA AAA – KDC needs to be an AAA client KDC needs to be an AAA client for authorization for authorization – • Accounting is still performed at each • Accounting is still performed at each authenticator authenticator – Authenticators are an AAA client Authenticators are an AAA client for accounting for accounting (as (as – well as initial authentication) well as initial authentication) Aug 27, 2007 Aug 27, 2007 MobiArch07 MobiArch07 10 10

  11. Authorization and accounting Authorization and accounting (cont’ ’d) d) (cont Authorization Authorization Authorization information over AAA Authorization information over AAA information over information over protocol protocol Kerberos (proactive Kerberos (proactive KDC mode) mode) AAA infrastructure AAA Infrastructure Mobile Node Authorization information Authorization information over Kerberos (reactive over Kerberos (reactive Authenticator Accounting information over AAA Accounting information over AAA mode) mode) protocol protocol Aug 27, 2007 Aug 27, 2007 MobiArch07 MobiArch07 11 11

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Extensions to EAP Keying hierarchy for Efficient Re-authentication and Visited domain Keying

Extensions to EAP Keying hierarchy for Efficient Re-authentication and Visited domain Keying

Extensions to EAP Keying hierarchy for Efficient Re-authentication and Visited domain Keying Vidya Narayanan , vidyan@qualcomm.com Lakshminath Dondeti , ldondeti@qualcomm.com IETF-67 San Diego, CA November 2006 Contents EAP keying

614 views • 15 slides
LTE X2 Handover (Successful Handover) LTE Mobile eNodeB Network Core Network EventStudio System

LTE X2 Handover (Successful Handover) LTE Mobile eNodeB Network Core Network EventStudio System

LTE X2 Handover (Successful Handover) LTE Mobile eNodeB Network Core Network EventStudio System Designer 6 UE Target eNodeB Source MME SGW PGW 20-Apr-13 22:03 (Page 1) eNodeB This sequence diagram was generated with EventStudio Sytem

174 views • 6 slides
lecture 20 Image Compositing - chroma keying - alpha - F over B - OpenGL blending -

lecture 20 Image Compositing - chroma keying - alpha - F over B - OpenGL blending -

lecture 20 Image Compositing - chroma keying - alpha - F over B - OpenGL blending - chroma keying revisited: "pulling a matte" Organization of Course 1: Viewing transformations 2: Visibility, geometry modelling 3:

685 views • 41 slides
2 RFC 4650 - HMAC-Authenticated Diffie-Hellman for Multimedia Internet KEYing (MIKEY) RFC

2 RFC 4650 - HMAC-Authenticated Diffie-Hellman for Multimedia Internet KEYing (MIKEY) RFC

2 RFC 4650 - HMAC-Authenticated Diffie-Hellman for Multimedia Internet KEYing (MIKEY) RFC 4738 - MIKEY-RSA-R: An Additional Mode of Key Distribution in Multimedia Internet KEYing (MIKEY) 3 4 5 Based on an Identity Based asymmetric

472 views • 12 slides
Shift Keying by Erol Seke For the course Communications OSMANGAZI UNIVERSITY Basic PCM

Shift Keying by Erol Seke For the course Communications OSMANGAZI UNIVERSITY Basic PCM

Shift Keying by Erol Seke For the course Communications OSMANGAZI UNIVERSITY Basic PCM Binary 1 is represented by voltage A Binary 0 is represented by voltage B Amplitude Shift Keying (ASK) Binary - ASK case carrier If A and B has

592 views • 19 slides
Modulation Techniques Signal Encoding Techniques Digital Data, Analog Signals Amplitude

Modulation Techniques Signal Encoding Techniques Digital Data, Analog Signals Amplitude

CMPE 477 Wireless and Mobile Networks Modulation Techniques Signal Encoding Techniques Digital Data, Analog Signals Amplitude Shift Keying Frequency Shift Keying Phase Shift Keying CMPE 477 Analog and Digital Signaling

504 views • 14 slides
802.1X & EAP & Keying State Machines and Interfaces Jim Burns Paul Congdon Nick

802.1X & EAP & Keying State Machines and Interfaces Jim Burns Paul Congdon Nick

802.1X & EAP & Keying State Machines and Interfaces Jim Burns Paul Congdon Nick Petroni John Vollbrecht March 2003 IEEE 802 Plenary, Dallas TX 1 The Working Groups Several specifications MUST align to enable a working

436 views • 21 slides
Key Agreement Protocols Key Agreement Two people want symmetric-key keying material to have a

Key Agreement Protocols Key Agreement Two people want symmetric-key keying material to have a

Key Agreement Protocols Key Agreement Two people want symmetric-key keying material to have a fast, secure conversation How can they agree on a shared symmetric key without it being transmitted in the clear? How can they be sure who

767 views • 27 slides
Towards Fresh Re-Keying with Leakage-Resilient PRFs: Cipher Design Principles and Analysis d 1 ,

Towards Fresh Re-Keying with Leakage-Resilient PRFs: Cipher Design Principles and Analysis d 1 ,

Towards Fresh Re-Keying with Leakage-Resilient PRFs: Cipher Design Principles and Analysis d 1 , F. De Santis 2 , 3 , J. Heyszl 4 , S. Mangard 3 , S. Bela M. Medwed 5 , J.-M. Schmidt 6 , F.-X. Standaert 7 , S. Tillich 8 1 Ecole Normale Sup

754 views • 29 slides
Agenda for IETF 55 - IPSECKEY (BOF) IPSEC KEYing information resource record BOF AGENDA: 1.

Agenda for IETF 55 - IPSECKEY (BOF) IPSEC KEYing information resource record BOF AGENDA: 1.

Agenda for IETF 55 - IPSECKEY (BOF) IPSEC KEYing information resource record BOF AGENDA: 1. Open meeting and welcome 2. Scribe and blue sheetOlafur Gudmundsson 3. IntroductionMichael Richardson 4. Documents 4.1 Why the KEY

308 views • 15 slides
FRESH approach to functional assessment Consider how we handover our patients in clinical

FRESH approach to functional assessment Consider how we handover our patients in clinical

FRESH approach to functional assessment Consider how we handover our patients in clinical environments. Consider how including additional information about the person can go a long way to impact on outcomes and their future care journey When

218 views • 11 slides
MIKEYv2 ldondeti@qualcomm.com Why MIKEYv2? MIKEY is an efficient key management protocol

MIKEYv2 ldondeti@qualcomm.com Why MIKEYv2? MIKEY is an efficient key management protocol

MIKEYv2 ldondeti@qualcomm.com Why MIKEYv2? MIKEY is an efficient key management protocol designed for SRTP keying Used for broadcast keying in 3GPP and OMA Easy to add crypto algorithm and mode negotiation MIKEYv2 finishes in 1 RT

586 views • 9 slides
HIGHLIGHTS OF 2015/16 AND HANDOVER, 3 rd May 2016 Dr. Peter Ngategize, Chairman, EDBI Steering

HIGHLIGHTS OF 2015/16 AND HANDOVER, 3 rd May 2016 Dr. Peter Ngategize, Chairman, EDBI Steering

HIGHLIGHTS OF 2015/16 AND HANDOVER, 3 rd May 2016 Dr. Peter Ngategize, Chairman, EDBI Steering Committee, 2015/16. 2015 EDBI Kampala Conference 04/05/2016 HIGHLIGHTS OF 2015/16 AND HANDOVER, 3rd May 2016 2 Welc lcome to 2016 EDBI Nairobi

423 views • 16 slides
Key Management Lifecycle Key Management Lifecycle Cryptographic key management encompasses the

Key Management Lifecycle Key Management Lifecycle Cryptographic key management encompasses the

Key Management Lifecycle Key Management Lifecycle Cryptographic key management encompasses the entire lifecycle of cryptographic keys and other keying material. Basic key management guidance is provided in [SP800-21]. A single item of keying

522 views • 18 slides
AAA based Keying for Wireless Handovers: Problem Statement draft-nakhjiri-aaa-hokey-ps-03 Madjid

AAA based Keying for Wireless Handovers: Problem Statement draft-nakhjiri-aaa-hokey-ps-03 Madjid

AAA based Keying for Wireless Handovers: Problem Statement draft-nakhjiri-aaa-hokey-ps-03 Madjid Nakhjiri (Huawei USA/Motorola Labs) Mohan Parthasarathy (Nokia) Julien Bournelle (GET/INT/FT) Hannes Tschofenig (Siemens) R. Marin Lopez (TARI)

294 views • 16 slides
SPORT Handover Conference 08/03/18 A NEW VISION FOR SPORT We are committed to providing

SPORT Handover Conference 08/03/18 A NEW VISION FOR SPORT We are committed to providing

SPORT Handover Conference 08/03/18 A NEW VISION FOR SPORT We are committed to providing University of Portsmouth students with the best possible sports package. We are exploring a new partnership between Sport & Recreation and the

89 views • 8 slides
Louis DiNardo President and CEO COMPANY CONFIDENTIAL Disclaimer This presenta;on is not a

Louis DiNardo President and CEO COMPANY CONFIDENTIAL Disclaimer This presenta;on is not a

Louis DiNardo President and CEO COMPANY CONFIDENTIAL Disclaimer This presenta;on is not a prospectus nor an offer for securi;es in any jurisdic;on nor a securi;es recommenda;on. The informa;on in this presenta;on is an overview and does not

424 views • 16 slides
DESIGN CRITERIA FOR SOLAR PV RURAL MICRO GRIDS FOR VILLAGE ELECTRIFICATION Xavier Vallv -

DESIGN CRITERIA FOR SOLAR PV RURAL MICRO GRIDS FOR VILLAGE ELECTRIFICATION Xavier Vallv -

IOREC conference Session7: I nnovative off-grid renew able energy system design Accra, Ghana 1-2 November 2012 1 2 November 2012 DESIGN CRITERIA FOR SOLAR PV RURAL MICRO GRIDS FOR VILLAGE ELECTRIFICATION Xavier Vallv - Trama

706 views • 41 slides
Mini Monitoring Station (MMS) A Low-cost , S calable Remot e Monit oring S yst em for

Mini Monitoring Station (MMS) A Low-cost , S calable Remot e Monit oring S yst em for

Mini Monitoring Station (MMS) A Low-cost , S calable Remot e Monit oring S yst em for Environment al Applicat ions Thaweesak Koanant akool, Boonchai Kingrungped, Chumphol Kroot kaew and S ornt hep Vannarat Nat ional Elect ronics and Comput

368 views • 26 slides
1H20 Results Presentation Outline I. Overview II. Financial Highlights III. Ownership, Board

1H20 Results Presentation Outline I. Overview II. Financial Highlights III. Ownership, Board

August 2020 Investor Presentation 1H20 Results Presentation Outline I. Overview II. Financial Highlights III. Ownership, Board and Management IV. Sustainability V. Awards and Citations About BDO The Philippines largest bank

878 views • 40 slides
Construction Project Soo-Youl Oh, Young-Ki Kim, and Sangik Wu Talking Points Reporting the

Construction Project Soo-Youl Oh, Young-Ki Kim, and Sangik Wu Talking Points Reporting the

18 th IGORR, 3-7 Dec. 2017, Sydney, Australia Completion of Jordan Research and Training Reactor Construction Project Soo-Youl Oh, Young-Ki Kim, and Sangik Wu Talking Points Reporting the completion of JRTR construction Chronology of

787 views • 15 slides
CFA Conference 2019 13 June 2019. Mission, BC Presentation by: Khowutzun Forest Services Joey

CFA Conference 2019 13 June 2019. Mission, BC Presentation by: Khowutzun Forest Services Joey

CFA Conference 2019 13 June 2019. Mission, BC Presentation by: Khowutzun Forest Services Joey Sampson, Cedar Elliott, Margaret Symon The 4 Pillars of Disaster Management: Community Forest Leadership & Innovation Response from KFS: The

515 views • 24 slides
KDC FUNDING PROPOSAL WAIOPUKA MARKED SITE - KAIKURA Matt Moriarty Ph 021 880 848 192 Bay Paddock

KDC FUNDING PROPOSAL WAIOPUKA MARKED SITE - KAIKURA Matt Moriarty Ph 021 880 848 192 Bay Paddock

KDC FUNDING PROPOSAL WAIOPUKA MARKED SITE - KAIKURA Matt Moriarty Ph 021 880 848 192 Bay Paddock Rd matt@mattmoriarty.com KAIKURA EARTHQUAKE COMMEMORATIVE PROJECT RD1 Kaikoura 7371 www.mattmoriarty.com W A A L . K N I N G G T R

249 views • 7 slides
Audi's journey to an enterprise big data platform Strata Data 2018 - London Matthias Graunitz

Audi's journey to an enterprise big data platform Strata Data 2018 - London Matthias Graunitz

Audi's journey to an enterprise big data platform Strata Data 2018 - London Matthias Graunitz (AUDI AG, Germany) Carsten Herbe (Audi Business Innovation GmbH, Germany) 2 AUDI AG Strata Data London 2018 - Audi's journey to an enterprise big

652 views • 28 slides

More recommend