leendert@cs.vu.nl (Leendert van Doorn) (03/01/91)
The Kerberos authentication protocol is based on the Needham Schroeder protocol and uses timestamps as nonces. Time stamps are used to reduce the number of messages from the original protocol, and prevent (among other things) replay. In order to use timestamps, one ought to have the premise of synchronized clocks. Kerberos accommodates some deviation from this clock (in the magnitude of milliseconds), but on the whole it requires synchronized time for every participant in the authentication process. Its my opinion that this premise is very difficult to fulfill. There are two options here: the time server is un-authenticated, or is authenticated. In case of an un-authenticated time server it would be very simple to set the system clock back in time and resent, say, the message that increments my bank account by a (considerable:-) amount. The system on which the bank server operates wouldn't notice since its clock was reset to the time the message was originally sent (of course, this only works if you also resent the messages of the second half of the authentication protocol, i.e. exchanging the session key between client and server). It's possible to have an authenticated time server to circumvent the problem described above. This would work, except when a clock is running to far off it couldn't be synchronized (the authentication would fail). It depends on the synchronization rate of the time server and its time to respond to a sync request whether this would work. If the response time of sync rate exceeds the timestamp validity interval it becomes impossible to resync, and therefor all the authenticated requests made to the out-of-sync machine will fail. These are just some sunday morning thoughts, perhaps someone would like to comment on this ? For example, I don't see the point in using timestamps; using (unique:-) random numbers as nonces would do just as well. A lot of authentication protocols use random numbers as nonces, these seem to behave much cleaner (no hairy details like synchronized time). Although I'm referring to Kerberos other protocols that use timestamps are subject to this same problem as well. Is there any way out of this problem, while still using time stamps ? Leendert P.s. In the spring of this year Sape Mullender and I devised an authentication protocol for Amoeba which is rather similar to Kerberos but uses nonces instead of timestamps and is not redundant. For Amoeba we couldn't use timestamps since the concept of a synchronized clock per machine wasn't a valid one. -- Leendert van Doorn <leendert@cs.vu.nl> Vrije Universiteit / Dept. of Maths. & Comp. Sc. Amoeba project / De Boelelaan 1081 1081 HV Amsterdam / The Netherlands
paulf@shasta.Stanford.EDU (paulf) (03/01/91)
In article <9140@star.cs.vu.nl> leendert@cs.vu.nl (Leendert van Doorn) writes: >Its my opinion that this premise is very difficult to fulfill. There are >two options here: the time server is un-authenticated, or is authenticated. Actually, not so difficult. NTP accuracies of milliseconds are common, and NTP version 2 has a full encyption system for security (although some of the implementations are weak, leaving the DES keys out in the open) ("Nothing is so common as the incomplete execution of a Good Idea".). -=Paul Flaherty, N9FZX | "Think of it as evolution in action." ->paulf@shasta.Stanford.EDU | -- Larry Niven and Jerry Pournelle