Q1 Diffie-Hellman a. Describe how Diffie-Hellman key exchange

Q1) Diffie-Hellman :-
a. Describe how Diffie-Hellman key exchange scheme works.
b. Using the keys in (a) give an example of how a shared key is generated


Q2) Kerberos :-
a. Describe how Kerberos can achieve authentication of the user.
b. Describe how a server authenticates a user through Kerberos.
c. Describe the role of a TGS. How can it trust a user?
d. How is Kerberos version 5 an improvement over version 4?

Solution

Q1) Diffie-Hellman key exchange scheme:

a) Answer:
In the Diffie-Hellman key exchange scheme, there are two publicly known numbers: a prime number q and an integer that is a primitive root of q.

q - prime number

    - < q and is a primitive root of q.

Suppose the users A and B wish to exchange a key. User A selects a random integer XA < q and computes YA = XA mod q

user A key generation

select private XA                      XA < q

calculate public YA                   YA = XA mod q

User B independently selects a random integer $X_B < q$ and computes

YB = XB mod q

user B key generation

select private XB                      XB < q

calculate public YB                   YB = XB mod q

Each side keeps the X value private and makes the Y value available to the other side.

Calculation of secret key by user A

$K_A = (Y_B)^{X_A} \bmod q$

Calculation of secret key by user B

$K_B = (Y_A)^{X_B} \bmod q$

KA = (YB)XA mod q

= (XB mod q)XA mod q

= (XB )XA mod q

= XB XA mod q

= (XA)XB mod q

= (XA mod q)XB mod q

= (YA)XB mod q

= KB

It shows that the two sides have exchanged a secret value.

b)Answer :

The key exchange is based on the prime number q = 11, with the primitive root of q equal to 2.

A and B select secret keys

user A key generation

select private $X_A = 9$

calculate public $Y_A = 2^{9} \bmod 11 = 6$

User B independently selects a random integer $X_B < q$ and computes

YB = XB mod q

user B key generation

select private $X_B = 4$, with $X_B < q$

calculate public $Y_B = 2^{4} \bmod 11 = 5$

Each side keeps the X value private and makes the Y value available to the other side.

Calculation of secret key by user A

$K_A = (Y_B)^{X_A} \bmod q = 5^{9} \bmod 11 = 9$

Calculation of secret key by user B

$K_B = (Y_A)^{X_B} \bmod q = 6^{4} \bmod 11 = 9$

Therefore $K_A = K_B$.
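The worked exchange above can be run end to end. The following is an added example, not part of the original solution; the name `g` for the primitive root and the function names are assumptions of this example. It also validates the received public value, a check the solution does not mention.

```python
# Added example: Diffie-Hellman with the worked values q = 11, root 2, XA = 9, XB = 4.
# The name g for the primitive root is an assumption of this example.

def is_primitive_root(g: int, q: int) -> bool:
    """Brute-force check (fine for a textbook-sized prime q): the powers
    g^1 .. g^(q-1) mod q must cover every value 1 .. q-1."""
    return {pow(g, k, q) for k in range(1, q)} == set(range(1, q))

def public_value(g: int, x: int, q: int) -> int:
    """Y = g^x mod q for a private x with 1 <= x < q."""
    if not 1 <= x < q:
        raise ValueError("private value must satisfy 1 <= x < q")
    return pow(g, x, q)

def shared_key(peer_y: int, x: int, q: int) -> int:
    """K = (peer Y)^x mod q, after validating the received public value.
    A received Y of 0, 1 or q-1 would force K into {0, 1, q-1}, so reject it."""
    if not 2 <= peer_y <= q - 2:
        raise ValueError("peer public value outside 2 .. q-2")
    return pow(peer_y, x, q)

def exchange(q: int, g: int, xa: int, xb: int) -> dict:
    """Run both sides of the exchange and return what each side ends up with."""
    if not is_primitive_root(g, q):
        raise ValueError(f"{g} is not a primitive root of {q}")
    ya, yb = public_value(g, xa, q), public_value(g, xb, q)  # sent in the clear
    ka = shared_key(yb, xa, q)  # computed by A from B's public value
    kb = shared_key(ya, xb, q)  # computed by B from A's public value
    return {"YA": ya, "YB": yb, "KA": ka, "KB": kb}

if __name__ == "__main__":
    print(exchange(q=11, g=2, xa=9, xb=4))
```
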

Q2) Kerberos :-
a : Kerberos can achieve authentication of the user:

b. Server authenticates a user through Kerberos:

Answer:

C → AS:    IDC || PC || IDV

AS → C:    Ticket

C → V:      IDC || Ticket

Ticket = E(KV, [IDC || ADC || IDV])

Where C = client

AS = Authentication server

V = server

IDC = identifier of user on C

IDV = identifier of V

PC = password of user on C

ADC = network address of C

KV = secret encryption key shared by AS and V

In this dialogue, the user logs on to a workstation and requests access to server V. The client C in the workstation requests the user’s password and then sends a message to the AS that includes the user’s ID, the server’s ID, and the user’s password.

The AS then checks its database to see whether the user has supplied the proper password for the corresponding user ID and whether this user is permitted access to server V. If both tests are passed, the AS accepts the user as authentic and must now convince the server that this user is authentic. To do this, the AS creates a ticket that contains the user’s ID and network address and the server’s ID. This ticket is encrypted using the secret key shared by the AS and this server. The ticket is sent back to C. Because the ticket is encrypted, it cannot be altered by C or by an opponent.
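The dialogue above with the AS and V sides written as functions, as an added example that is not part of the original solution. The function names, the sample user, server and address, and the `seal`/`unseal` stand-in for E are assumptions of this example; the HMAC tag in the stand-in is what makes an altered ticket detectable.

```python
import hashlib, hmac, os

# Constructed sample data; the sealing helpers are a stand-in (SHA-256 keystream
# plus HMAC-SHA-256), not the cipher Kerberos uses.
K_V = b"constructed key shared by AS and V"
PASSWORDS = {"alice": "constructed-password"}   # AS user database
PERMITTED = {("alice", "fileserver")}           # (IDC, IDV) pairs the AS allows

def _subkey(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()

def _stream(key, nonce, n):
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, data):
    nonce = os.urandom(16)
    pad = _stream(_subkey(key, b"enc"), nonce, len(data))
    ct = bytes(a ^ b for a, b in zip(data, pad))
    return nonce + ct + hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ticket altered or sealed under a different key")
    pad = _stream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, pad))

def as_issue_ticket(id_c, p_c, id_v, ad_c):
    """AS side: handle C -> AS: IDC || PC || IDV and return Ticket."""
    if not hmac.compare_digest(PASSWORDS.get(id_c, "").encode(), p_c.encode()):
        raise PermissionError("wrong password for this user ID")
    if (id_c, id_v) not in PERMITTED:
        raise PermissionError("user not permitted access to this server")
    return seal(K_V, "|".join((id_c, ad_c, id_v)).encode())

def v_accepts(id_c, ticket, source_addr, my_id="fileserver"):
    """V side: handle C -> V: IDC || Ticket, seen arriving from source_addr."""
    try:
        t_idc, t_adc, t_idv = unseal(K_V, ticket).decode().split("|")
    except ValueError:
        return False
    return (t_idc, t_adc, t_idv) == (id_c, source_addr, my_id)
```
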

                      

c) The role of a TGS.

Answer:

The ticket-granting server (TGS) issues tickets to users who have been authenticated to the AS. The user first requests a ticket-granting ticket ($Ticket_{tgs}$) from the AS. The client in the workstation saves the ticket. Each time the user requests access to a new service, the client applies to the TGS, using the ticket to authenticate itself. The TGS then grants a ticket for the particular service. The client saves each service-granting ticket and uses it to authenticate its user to a server each time a particular service is requested.

d) Answer:

Version 4 requires the use of DES.

In version 5, ciphertext is tagged with an encryption-type identifier.

Version 4 requires the use of IP addresses.

In version 5, network addresses are tagged with type and length, allowing any network address type to be used.

In v4, the sender of a message employs a byte ordering.

In v5, all message structures are defined using ASN.1.

Lifetime values in v4 are encoded in an 8-bit quantity in units of five minutes. The maximum lifetime is 1280 minutes.

In v5, tickets include an explicit start time and end time, allowing tickets with arbitrary lifetimes.

v4 does not allow credentials issued to one client to be forwarded to some other host and used by some other client. v5 provides this capability.

In v4, interoperability among N realms requires on the order of $N^2$ Kerberos-to-Kerberos relationships. v5 supports a method that requires fewer relationships.

Tutor: Dr Jack