3. 1.2: In Figure 1, say True or False to the following statement: “AS knows the
ID: 3624562 • Letter: 3
Question
3.
1.2: In Figure 1, say True or False to the following statement: “AS knows the long term key of the Server”.
4.
1.3: In Step (2), AS will send the TGT to the client. Say True or False to the following statement: “To enable the client to see what is inside the TGT, the TGT will be encrypted by the client user’s long term key, which is a transformation of the user’s password.”
5.
1.4: In Step (3), the client needs to send two things to TGS: the authenticator and the TGT. Since the TGT contains the user’s identity information, it seems that the authenticator is useless. However, without the authenticator, Mallory (the attacker) may launch a serious attack. What can this attack do?
6.
1.5: With the authenticator, the attack mentioned in Question 1.4 will be defeated. Why?
7.
1.6: To prevent attacks, the authenticator must be encrypted in Step (3). However, the client does NOT know the long term key of the TGS. How can Kerberos let the TGS know the authenticator encryption key? Please give a complete answer.
8.
1.7: After TGS verifies the client’s identity, TGS will issue a ticket to the client. What information items are included in this ticket?
9.
1.8: After a while, the client will receive the ticket. Then the client will send the ticket to the server. However, this ticket itself is NOT sufficient for the server to offer the service to the client because Mallory may launch a serious attack. What can this person do to fool the server?
10.
1.9: Because of the problem mentioned in Question 1.8, the client also needs to send another authenticator to the server. The authenticator will be encrypted by which key?
11.
1.10: When the Server receives the authenticator and the ticket from the client. The server will compare the information items contained in the authenticator and the ticket to authenticate the client user’s identity. Please give a detailed answer on how such comparison will be done?
12.
2. To avoid letting every server know every user’s password, Kerberos wants to enforce the ticket-based service access idea. However, this idea is facing three security threats. What are they?
Explanation / Answer
Please find the solution as per your requirements.
If you have any doubt, please get back to me.
Any explanations needed, please get back to me. Thank You!
2.
1.1:
Answer:
From the figure 1, the figure shows that the authentication scenario of the system.
· The message containing the encrypted service with the other components to have the access to know the long-term key.
· Here, the secrecy of the long-term keys in the standards with over the privacy descriptions.
· Depends on the secrecy of long-term keys, the secrecy of session keys generated by the Kerberos Authentication Server (KAS).
· The access encrypted with the long-term key shared with the KAS between the system authentication.
· For example, the client processes a request.
· It will be accessed and sends a valid reply from the KAS, if the long-term key is secret.
Therefore, only one machine knows the long-term key of the TGS besides the TGS is Kerberos Authentication Server (KAS).
3.
1.2:
Answer:
From the reference to the answer 1.1, the machine knows the long-term key of the TGS besides the TGS is Kerberos Authentication Server (KAS).
AS is nothing but an Authentication server of Kerberos.
Therefore, the statement “AS knows the long-term key of the Server” is True.
4.
1.3:
Answer:
It comes under the section of the analysis, “Authentication of KAS to client”.
· Depends on the secrecy of long-term keys, the secrecy of session keys generated by the Kerberos Authentication Server (KAS).
· The access encrypted with the long-term key shared with the KAS between the system authentication.
· From the above, the AS will send the TGT to the client. Assume that the client is processing the request.
· If the client waits for the valid reply, the Authentication Server (AS) authenticates it.
· The client sees what appears to be a valid reply from the AS, whether it depends on the secret of the long-term key.
· If it is valid and the long-term key is secret, it generates a reply to the request named by the client.
Therefore, the statement: “To enable the client to see what is inside the TGT, the TGT will be encrypted by the client user’s long-term key, which is a transformation of the user’s password” is True.
5.
1.4:
Answer:
The client needs to send two things to TGS:
· the authenticator and the TGT. Since the TGT contains the user’s identity information, it seems that the authenticator is useless.
· However, without the authenticator, Mallory (the attacker) may launch a serious attack.
Kerberos depends on the servers that must be secure and protected.
· Where the servers need to be secure and software’s are protected as being non-malicious.
· The attacks may be non-trivial, it is carried out on the local network.
· The attacks should be done by password guessing and replay attacks.
· Password guessing attacks may be done by encryption of texts or the password could be a plain text, it relies upon the attack.
· Replay attacks will result to know the user’s identity by recovering it.
Due to these attacks, an attacker can make a copy of the ticket. The attacker may listen to the ticket sent to the user, makes a copy and may replay it.
6.
1.5:
Answer:
With the authenticator, the attack can be defeated:
· The access encrypted with the long-term key shared with the KAS between the system authentication.
· For example, the client processes a request.
· It will be accessed and sends a valid reply from the KAS, if the long-term key is secret.
· With the authenticator, the attack can be defeated because the authenticator ensures that every ticket request packet is unique.
· It also proves that the client has the knowledge of the shared session key established.
The attack can be defeated by making the Kerberos authentication servers (KAS) must be secured and protected.
7.
1.6:
Answer:
With the reference to the answer 1.3,
· Depends on the secrecy of long-term keys, the secrecy of session keys generated by the Kerberos Authentication Server (KAS).
· The access encrypted with the long-term key shared with the KAS between the system authentication.
Can Kerberos let the TGS know the authenticator encryption key?
· If a TGS processes a request for a ticket, neither it can be done in two ways.
· One is, the access encrypted with the long-term key, it will be encrypting the ticket.
· Another one is, the key shared between the client and the KAS or TGS would have proceeded with the user accepts the request of the ticket, states that it is the valid ticket generated by the KAS or TGS.
· They only generate and share the long-term key.
Therefore, Kerberos allows the TGS to know the authenticator encryption key.
The authenticator included in the TGT ticket generates the request by the client named in the ticket.
8.
1.7:
Answer:
With the reference to the answer 1.6, the authenticator included in the TGT ticket generates the request by the client named in the ticket.
The ticket includes information such as the credentials, ticket name, and an encrypted part which contains various flags.
9.
1.8:
Answer:
The client will receive the ticket.
· Then the client will send the ticket to the server.
· However, this ticket itself is NOT sufficient for the server to offer the service to the client because Mallory may launch a serious attack.
Here, the client-server exchange will take place.
· The client-server exchange gives the condition to use the Session Key (SK) will be shared between the client and server.
· It is not known to the intruder (the person who launch the serious key Mallory).
· Suppose, if the intruder (Mallory) came to know the long-term key in TGS, the new session key (SK) will be used by the client to make a request.
Therefore, the intruder (Mallory) cannot know the Session Key (SK), it fools the person who launches the serious attack.
10.
1.9:
Answer:
With the reference to the answer 1.8,
· The client-server exchange gives the condition to use the Session Key (SK) will be shared between the client and server.
· It is not known to the intruder (the person who launch the serious key Mallory).
· Suppose, if the intruder (Mallory) came to know the long-term key in TGS, the new session key (SK) will be used by the client to make a request
· So, the intruder (Mallory) cannot know the Session Key (SK), it fools the person who launches the serious attack.
Therefore, the authenticator will be encrypted by using the Session Key.
11.
1.10:
Answer:
When the Server receives the authenticator and the ticket from the client,
· The server will compare the information items contained in the authenticator and the ticket to authenticate the client user’s identity.
· If the server processes a request from the client, the set of information realms will be encoded by TRANSITED field in the server in terms of the request.
· TGS creates the ticket in the request where the information between the keys has been compromised with some sort of sequence.
· Then, the set of information realms with TGS will be authenticated in the comparison of items contained in the authenticator and the ticket to authenticate the client’s user identity.
Therefore, the authentication will be done.
12.
2.
Answer:
To avoid letting every server know every user’s password, Kerberos wants to enforce the ticket-based service access idea.
There are three security threats would be faced, they are:
o Password guessing attacks may be done by encryption of texts or the password could be plain text, it relies upon the attack.
o Replay attacks will result to know the user’s identity by recovering it.
Related Questions
drjack9650@gmail.com
Navigate
Integrity-first tutoring: explanations and feedback only — we do not complete graded work. Learn more.