Key Distribution and User Authentication

Question 1

What is a KDC?

Answer 1

A Key Distribution Centre is a trusted third party who will help us to distribute symmetric keys. There will usually be a permanent key between the KDC and individual users.

Question 2

Why is key distribution necessary?

Answer 2

We need to be able to make sure that both participants are using the same symmetric key, but also ensure that nobody else knows this key.

Question 3

What is authentication by nonce?

Answer 3

This is used to prevent replay attacks. Essentially, when Alice introduces herself to Bob, he sends back a challenge nonce. Alice will encrypt this nonce with the shared secret key and send it back. Bob can then decrypt this and prove that Alice knows the secret key.
Note that a current timestamp could be used instead of a nonce, meaning only Alice would need to send.

Question 4

What is a reflection attack?

Answer 4

The attacker sends a nonce RA, and gets a reply back with RB, K(RA). The attacker then pretends to be Alice, and sends RB to Bob. Bob will reply with RC,K(RB). Then, the attacker can resume the initial handshake, by sending K(RB) back to Bob.

Question 5

What is mutual authentication via nonce?

Answer 5

Alice sends RA, Bob replies with RB, K(RA), Alice replies with K(RB).

Question 6

True or false, Alice has a shared secret key with her KDC, and so does Bob?

Answer 6

True, if they both use the same KDC.

Question 7

How does a KDC request work?

Answer 7

Alice to KDC: Ka-k(A, B)
KDC generates ticket: Kb-k(A, Ka-b)
KDC to Alice: Ka-k(Ka-b, ticket)
Alice to Bob: ticket

Question 8

How does Needham-Schroeder protect against replay attacks?

Answer 8

It uses nonces.

Question 9

What problem does Kerberos address?

Answer 9

How do we restrict access to servers on a distributed system?

Question 10

True or false, Kerberos uses symmetric encryption for bulk data transfer, and asymmetric encryption for the exchange of keys?

Answer 10

False, it only uses symmetric encryption.

Question 11

What are the different servers involved in Kerberos?

Answer 11

Authentication Server, Ticket Granting Server, Server which we are trying to access.

Question 12

How many times do you need to log in with Kerberos?

Answer 12

Only once. The Ticket Granting Ticket provided by the authentication server will last a day usually.

Question 13

How does the Authentication Server in Kerberos send the user’s password?

Answer 13

It does not. The authentication server will use the user’s password to encrypt a session key for the TGS, the ID of the TGS, the TGS ticket itself, and a few other bits of information.

Question 14

In Kerberos, what is an authenticator?

Answer 14

An authenticator contains the ID of the user, their address, and a timestamp, encrypted with the session key given by the Authentication server or TGS.

Question 15

What is the purpose of the authentication server?

Answer 15

To provide users with Ticket Granting Tickets.

Question 16

What is the purpose of the ticket granting server?

Answer 16

To grant tickets.

Question 17

Describe roughly, what happens in a Kerberos exchange.

Answer 17

User requests a ticket granting ticket from authentication server. Authentication server gives them one (as well as a session key for TGS) encrypted with their password. The user then establishes a connection with the TGS using their session key, and requests a ticket, while also providing an authenticator. The TGS will respond with a new session key, encrypted with the old session key. Using the new session key, the user can then communicate with the intended server.