Analyzing the Performance of Authentication Protocols 1 A Methodology for Analyzing the performance...

Post on 20-Jan-2016

Analyzing the Performance of Authentication Protocols

A Methodology for Analyzing the Performance of Authentication Protocols

Alan Harbitter, Daniel A. Menasce

Presented by Rob Elkind

Outline

• Introduction

• Kerberos – and extensions

• Kerberos with Proxy

• Methodology

• Simulations – Multiple Realm and Mobile with proxy

• Conclusion

Introduction

• Use of new modeling methodology for analyzing authentication protocols – Closed queuing network model

• Two Kerberos examples will be tested

• Designed to explicitly model the performance of new protocol designs, including asymmetric and symmetric encryption

Kerberos Overview

Kerberos Realms

• Kerberos realms - networked collection of workstations, servers, and a single master KDC which must:

• 1. maintain a database of matching user IDs and hashed passwords for registered Kerberos users

• 2. maintain shared secret keys with each registered application server

• 3. maintain shared secret keys with remote KDCs in other realms

• 4. propagate new or changed secret keys and database updates to slave KDCs.

Public Key Cryptography

• Increase scalability

• Smaller key shared space ~ n^2 vs. n for n users

• Improved Security

• Proposals:

– PKINIT (core specification)

– PKCROSS

– PKTAPP

PKINIT Overview

PKCROSS Overview

PKDA Overview (PKTAPP)

Proxy server with Kerberos

• Isolate client and server for security purposes

• Offload processing from mobile host or network

• IAKERB

• Charon

Methodology

• Build model

• Validate

• Change parameters

• Analyze results

• Add “What ifs”

Modeling Topology multiple-realm

Validation of Model

“What-If” Analyses

• Vary input parameters to reflect various real world conditions

• Reflects sensitivity to various operational environments

• Gives insight into general performance characteristics of the protocol design
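
An added illustration of the modeling approach on these slides, not code from the paper or the presentation: exact Mean Value Analysis for a single-class closed queuing network, with a what-if sweep over one station's service demand. The paper's model uses class switching; this single-class simplification, the station names, and every service demand below are constructed assumptions.

```python
# Exact Mean Value Analysis (MVA) for a single-class closed queuing network.
# Station names and service demands are constructed for illustration only.

def mva(demands, think_time, n_clients):
    """Return (throughput, response_time, queue_lengths) for n_clients.

    demands: dict station -> service demand per authentication (seconds)
    think_time: client delay between authentication requests (seconds)
    """
    if n_clients < 1:
        raise ValueError("n_clients must be >= 1")
    queue = {s: 0.0 for s in demands}
    throughput = response = 0.0
    for n in range(1, n_clients + 1):
        # Arrival theorem: an arriving job sees the network with n-1 jobs.
        residence = {s: d * (1.0 + queue[s]) for s, d in demands.items()}
        response = sum(residence.values())
        throughput = n / (think_time + response)
        # Little's law applied per station.
        queue = {s: throughput * r for s, r in residence.items()}
    return throughput, response, queue


def what_if(demands, station, values, think_time, n_clients):
    """Sweep one station's service demand; return [(value, response_time)]."""
    results = []
    for v in values:
        trial = dict(demands, **{station: v})
        _, resp, _ = mva(trial, think_time, n_clients)
        results.append((v, resp))
    return results


# Constructed baseline: seconds of service per authentication at each station.
BASELINE = {
    "lan": 0.002,
    "local_kdc": 0.015,   # assumed to include public-key operations
    "wan": 0.020,
    "remote_kdc": 0.015,
    "app_server": 0.010,
}

if __name__ == "__main__":
    x, r, q = mva(BASELINE, think_time=1.0, n_clients=50)
    bottleneck = max(q, key=q.get)
    print(f"throughput={x:.2f}/s response={r * 1000:.1f} ms bottleneck={bottleneck}")
    for v, resp in what_if(BASELINE, "local_kdc", [0.005, 0.015, 0.060], 1.0, 50):
        print(f"local_kdc demand {v * 1000:.0f} ms -> response {resp * 1000:.1f} ms")
```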

Analysis of Public-Key-Enabled Kerberos in Large Networks

• Compare PKTAPP and PKCROSS

• Simulate using closed queuing network model

• Use skeleton software to model real world protocol

• When is it more efficient to authenticate to a central KDC than to individual application servers?

PKCROSS vs. PKTAPP

“What-Ifs” Results

Analysis of Public-Key-Enabled Kerberos in Mobile Computing Environments

• Reduce the number of public/private key operations performed on the mobile platform.

• When a proxy is used, maintain the option to preserve the encrypted data stream through the proxy.

• Retain the standard Kerberos formats for messages sent to the KDC and application server.

• Preserve the semantics of Kerberos.

M-PKINIT

MP-PKINIT

Modeling Topology M&MP-PKINIT

• Can use same model as before

– Substitute a mobile client for client

– Wireless network for LAN

– Proxy server for local KDC

• Adjust branching probabilities to reflect new model paths

Model Results

Model vs. Simulation

“What-If” Analysis

More “What-Ifs”

Conclusions

• Closed queuing model with class switching is a useful tool for analyzing performance in security protocols – supports wide range of operating conditions

• Skeleton implementation is a good way to work with new ideas that may not be operational yet

• PKCROSS outperforms PKTAPP for authenticating to more than one server

• Proxy server benefits 2G speeds but not 3G speeds

Thoughts

• Well written and presented, clear and detailed

• Good procedural methodology

• Would be nice to see “What-Ifs” done on the test bed and compared to model as well

• Skeleton makes assumptions that may alter results when performed with real implementation

Questions?