Mutual Trust

Question 1

Key Hierarchy

Answer 1

Session Key-Temporary encryption of data between users during session; delivered with cryptographic protection
Master Key-Encrypts session keys; shared by two endpoints exchanging keys; delivered with no cryptographic protection

Question 2

KDC

Answer 2

Key Distribution Center
Reduces amount of master keys needed
Gives multiple keys per session for a specific task

Question 3

Needham-Schroeder

Answer 3

A->KDC: IDA || IDB || NA
KDC->A: Eka( KS || IDB || NA || Ekb( KS || IDA ))
A->B: EKb( KS || IDB ) || N2A )
B->A: Eks( f(N2A) || NB)
A->B: Eks( f(NB) )

Question 4

Key Distribution - Public Announcement

Answer 4

Each user sends his or her public key to everyone

Easy to forge a key claimng to be someone else

Question 5

Distribution using Asymmetric encryption

Answer 5

A makes PUA and PRA for this exchange only, then discards them
A sends PUA and IDA to B, who verifies then sends KS encrypted by PUA
A decrypts using PRA

Question 6

Key Distribution - Publicly Available Directory

Answer 6

Contains {name: public key} entries
Replace key anytime
Published periodically
Accessed using secure channel
Participants register securely

Question 7

Key Distribution - Public-Key Certificates

Answer 7

Binds identity to public key
All contents signed by public key or CA
Contents can be read/verified from anyone with PUauth

Question 8

X.509 Authentication Service

Answer 8

Create unsigned certificate, hash it, then encrypt with PRca and send to recipient, who verifies with PUca

Question 9

Kerberos

Answer 9

KDC system from MIT

Access to services distributed from network

Question 10

Kerberos - Credentials

Answer 10

Ticket-Granting ticket-Granted by AS (judge) to get access to service ticket from TGS (box office)
Service-Granting ticket-Granted by TGS to get access to service

Question 11

Kerberos - Getting TG Ticket

Answer 11

Client enters username
If client is a valid user…
creates Kc (client identity, client password)
creates Kc-tgs for client-tgs communication
creates Tc-tgs = Ektgs( TGS, Client, Addr, TS2, Life2, Kc-tgs ) GOLDEN TICKET
sends Ekc( Kc-tgs, TGS, TS2, Life2, Tc-tgs )

Question 12

Kerberos - Getting TG Ticket 2

Answer 12

Client enters password
if password correct…
computer stores Tc-tgs and Kc-tgs for later use and erases password from memory

Question 13

Kerberos - Getting SG Ticket

Answer 13

Client sends Service, Tc-tgs, Ac-tgs to TGS
Ac-tgs = Ekc-tgs( Client, Addr, TS3 )
TGS checks authenticator and ticket
If client can use the service…
creates Kc-s for client-service communication
creates Tc-s = Eks( Service, Client, Addr, TS4, Life4, Kc-s)
sends Ekc-tgs( Kc-s, Service, TS4, Life4, Tc-s )

Question 14

Kerberos - Requesting a Service

Answer 14

Client makes Ac-s
Ac-s = Ekc-s( Client, Addr, TS5 )
Client sends Tc-s and Ac-s to service, who checks it and optionally increments TS5 by 1, and sends it back