3.1 The Needham-Schroeder Protocol

Roger Needham and Michael Schroeder of the Xerox Palo Alto Research Center published a paper in December of 1978 describing their framework for designing a secure network authentication system. The paper, entitled Using Encryption for Authentication in Large Networks of Computers, described two different protocols that could be implemented to provide a reliable, secure authentication service for a distributed network of computers. The first protocol described in the paper uses private key encryption, and it is this protocol that forms the basis of the Kerberos network authentication protocol. Needham and Schroeder outlined several assumptions around which they designed their protocol. One assumption, the ability for a malicious attacker to capture packets in-transit on the network, modify them, and send packets of his own design, was described by the authors as an extreme view, yet now is regarded as a routine requirement for any secure network protocol. Designing a protocol that is resistant to these types of attacks is difficult, and Ill point out the specific design decisions that were made to thwart them as I discuss the protocol. Other assumptions made by the authors, however, did not hold up as well in practice as they did on paper. The assumption that users secret keys are not readily available through an exhaustive search has not held up in the hostile environments in which Kerberos operates. No matter how much education you provide users, users will continue to choose poor passwords. The Needham and Schroeder protocol, and consequently the basic Kerberos protocol, provides no protection against an offline brute force or dictionary attack against a users secret key, as well see in Chapter 6 . The Needham-Schroeder protocol defines three participants in the protocol exchange: a client machine, a server that the client wishes to access, and an authentication server. The client is any machine that requests authentication; usually, its a users personal desktop. The server is any application server, say a mail server, which provides a service the client wishes to contact. Finally, the authentication server is a dedicated server that holds a copy of the encryption keys for all users and servers on the network the trusted third-party. This should sound familiar; these are the same three players involved with the Kerberos protocol. The concept behind the Needham-Schroeder protocol is not to authenticate the user directly by sending a password or password equivalent such as a hash of the password to the authentication server. Instead, the Needham-Schroeder protocol provides a mechanism to securely distribute a short-lived encryption key to two parties a client and a server so their communication can be secured with the encryption key. The verification of each endpoints identity happens to be a side effect of this key exchange process. Well see what this means as we discuss how the protocol works. The protocol begins with the client contacting the authentication server. The client sends the authentication server a message containing the its own identity and the identity of the application server that it wishes to contact. In addition, the client includes a nonce, or a random value, with its request. Well see why this random value is important in a moment. Figure 3-1 illustrates the information sent by the client to the authentication server. [ Team LiB ] [ Team LiB ]

3.2 Kerberos 4