Problem statements on cross-realm authentication - Shoichi Sakane - PowerPoint PPT Presentation



SLIDE 1

07/06/06 Yokogawa Electric Corporation 1

Problem statements on cross-realm authentication

Shoichi Sakane
Shouichi.Sakane@jp.yokogawa.com
The 66th IETF meeting

SLIDE 2

Purpose of this presentation

  • Not a presentation of our extension (draft-zrelli-krb-xkdcp-00.txt).
  • We would like to share the problems of cross-realm authentication with everyone here.
  • As the next step, we can discuss how to solve the problems. Our extension could be one of the solutions.

SLIDE 3

Problems

  • 1. Security
  • 2. Reliability
  • 3. Performance
  • 4. Applicability
SLIDE 4

Exposure to DoS attack

  • It is not easy to set up filters to protect the KDC.
    – The KDC handles TGS exchanges with remote clients from different realms.

(Figure: remote clients and attackers from other realms both reach the KDC)

SLIDE 5

No PFS

  • Intermediary KDCs can learn session keys.
  • ref. "Specifying Kerberos 5 Cross-Realm Authentication", Fifth Workshop on Issues in the Theory of Security, Jan 2005.

(Figure: trust path Client - Home KDC - KDC - KDC - Server KDC; the session keys issued along the path are marked "Tainted")

SLIDE 6

Reliability of chain

  • An intermediary KDC going down causes authentication to fail.

(Figure: trust path Client - Home KDC - KDC - KDC - Server KDC; each intermediary KDC marked X is a single point of failure)

SLIDE 7

Client's performance

  • Client-centralized exchanges cause unacceptable delay.
    – The client must perform a TGS exchange with each KDC on the trust path.
    → Not scalable as the number of realms increases, especially for small/embedded devices.

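As an added example (not code from the presentation, from MIT Kerberos, or from the xkdcp draft), the following Python model of the TGS chain on a trust path makes slides 5 through 7 concrete on a single run: every KDC on the path can recover the final service session key from its own minted key plus the later replies, one unreachable intermediary fails the whole authentication, and the client performs one TGS exchange per realm on the path. The realm names, the 4-hop path, the 32-byte keys and the toy HMAC-SHA256 keystream standing in for Kerberos encryption types are all assumptions of this example.

```python
"""Toy model of a Kerberos cross-realm trust path (constructed example).

NOT code from the presentation or from MIT Kerberos.  It models the chain of
TGS exchanges a client walks from its home realm to the server's realm, with
a toy HMAC-SHA256 keystream in place of real Kerberos encryption types.
"""
import hashlib
import hmac
import os


def toy_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Toy confidentiality only (no integrity): nonce || plaintext XOR HMAC(key, nonce)."""
    nonce = os.urandom(16)
    stream = hmac.new(key, nonce, hashlib.sha256).digest()
    assert len(plaintext) <= len(stream), "toy cipher handles <= 32 bytes"
    return nonce + bytes(p ^ s for p, s in zip(plaintext, stream))


def toy_decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:16], blob[16:]
    stream = hmac.new(key, nonce, hashlib.sha256).digest()
    return bytes(c ^ s for c, s in zip(body, stream))


class KDC:
    """One realm's KDC.  up=False simulates an unreachable intermediary (slide 6)."""

    def __init__(self, realm: str, up: bool = True):
        self.realm = realm
        self.up = up
        self.generated = []  # session keys this KDC itself minted

    def tgs_exchange(self, client_session_key: bytes, next_hop_key: bytes):
        """Answer a TGS-REQ: mint a fresh session key, return it to the client
        under the current session key (enc-part) and inside the ticket under
        the key shared with the next hop (inter-realm key for a cross-realm
        TGT, the service's key for the final service ticket)."""
        if not self.up:
            raise ConnectionError(f"KDC of realm {self.realm} unreachable")
        new_key = os.urandom(32)
        self.generated.append(new_key)
        enc_part = toy_encrypt(client_session_key, new_key)
        ticket = toy_encrypt(next_hop_key, new_key)
        return enc_part, ticket


def walk_trust_path(kdcs, hop_keys, tgt_session_key):
    """Client side (slide 7): one TGS exchange per KDC on the path, each one
    unlocked by the session key obtained in the previous exchange.  Returns
    the final service session key and the enc-parts seen on the wire."""
    session_key = tgt_session_key
    wire = []
    for kdc, next_key in zip(kdcs, hop_keys):
        enc_part, _ticket = kdc.tgs_exchange(session_key, next_key)
        wire.append(enc_part)
        session_key = toy_decrypt(session_key, enc_part)
    return session_key, wire


def keys_recoverable_by(kdc, kdcs, wire):
    """Slide 5: what one KDC on the path learns.  It knows the key it minted,
    and every later enc-part is encrypted under the key minted one hop
    earlier, so knowledge propagates down the chain to the service key."""
    i = kdcs.index(kdc)
    known = kdc.generated[-1]
    learned = [known]
    for enc_part in wire[i + 1:]:
        known = toy_decrypt(known, enc_part)
        learned.append(known)
    return learned


def demo(down=()):
    """Run the hypothetical 4-realm path HOME -> KDC1 -> KDC2 -> SERVER."""
    realms = ["HOME", "KDC1", "KDC2", "SERVER"]
    kdcs = [KDC(r, up=(r not in down)) for r in realms]
    hop_keys = [os.urandom(32) for _ in realms]  # 3 inter-realm keys + service key
    tgt_session_key = os.urandom(32)             # from the client's AS exchange
    try:
        service_key, wire = walk_trust_path(kdcs, hop_keys, tgt_session_key)
    except ConnectionError as e:
        return {"failed_at": str(e), "exchanges": None, "kdcs_knowing_service_key": []}
    knowers = [k.realm for k in kdcs
               if keys_recoverable_by(k, kdcs, wire)[-1] == service_key]
    return {"failed_at": None, "exchanges": len(wire),
            "kdcs_knowing_service_key": knowers}


if __name__ == "__main__":
    print(demo())
    print(demo(down=("KDC2",)))
```

On the healthy run all four KDCs, not only the server's, end up holding the service session key, which is the "tainted" chain of slide 5; knocking out KDC2 makes the walk fail before the service ticket is ever issued; and the exchange count equals the number of realms on the path, which is the cost slide 7 objects to.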
SLIDE 8

Processing time of Kerberos on embedded devices

              H8 (16-bit, 20MHz) + Crypt H/W (AES, 3DES, SHA1, MD5)    DS5250 (8051 arch., 8-bit, 22MHz, w/ DES H/W)
Crypt H/W     Disable     Enable      Disable     Enable               Enable
TGT            74ms        26ms       106ms        74ms               4650ms
TGS           178ms        49ms       294ms       195ms               4579ms

Krb lib: Original MIT-1.2.4 / MIT-1.2.4. The H8 columns are labelled on the original slide as measured including and excluding waiting time.

measured by Yokogawa Electric Corporation 04 through 06

SLIDE 9

Applicability to roaming scenario

  • Roaming users cannot access their home KDC from the visited realm.
    – due to the policy of the realms.
    – due to a chicken-and-egg problem.

(Figure: client in the visited realm; access to the visited KDC marked OK, the path to the home KDC marked NG)

SLIDE 10

Summary of problems

  • 1. Security issues
    – The KDC is exposed to DoS attack from the Internet.
    – Intermediary KDCs can learn session keys.
  • 2. Reliability of chain
    – An intermediary (inter-realm) KDC going down causes authentication to fail.
  • 3. Client's performance
    – Client-centralized exchanges cause unacceptable delay.
  • 4. Applicability to roaming scenario
    – Roaming users cannot access their home KDC.

SLIDE 11

Conclusion

  • There are some problems to be solved in cross-realm environments.
  • Let's consider real environments in order to deploy Kerberos more widely.
    – What are the problems?
    – Which problems should be solved?
    – What technologies do we need?

SLIDE 12

End of presentation