A Methodology for Analyzing the performance of Authentication Protocols
Analyzing the Performance of Authentication Protocols
A Methodology for Analyzing the Performance of Authentication Protocols
Alan Harbitter
Daniel A. Menasce
Presented by Rob Elkind
Outline
• Introduction
• Kerberos – and extensions
• Kerberos with Proxy
• Methodology
• Simulations – Multiple Realm and Mobile with proxy
• Conclusion
Introduction
• Use of new modeling methodology for analyzing authentication protocols
  – Closed queuing network model
• Two Kerberos examples will be tested
• Designed to explicitly model the performance of new protocol designs, including asymmetric and symmetric encryption
Kerberos Overview
Kerberos Realms
• Kerberos realms - networked collection of workstations, servers, and a single master KDC which must:
  1. maintain a database of matching user IDs and hashed passwords for registered Kerberos users
  2. maintain shared secret keys with each registered application server
  3. maintain shared secret keys with remote KDCs in other realms
  4. propagate new or changed secret keys and database updates to slave KDCs.
Public Key Cryptography
• Increase scalability
• Smaller key shared space ~ n² vs. n for n users
• Improved Security
• Proposals:
  – PKINIT (core specification)
  – PKCROSS
  – PKTAPP
PKINIT Overview
PKCROSS Overview
PKDA Overview (PKTAPP)
Proxy server with Kerberos
• Isolate client and server for security purposes
• Offload processing from mobile host or network
• IAKERB
• Charon
Methodology
• Build model
• Validate
• Change parameters
• Analyze results
• Add “What ifs”
Modeling Topology multiple-realm
Validation of Model
“What-If” Analyses
• Vary input parameters to reflect various real world conditions
• Reflects sensitivity to various operational environments
• Gives insight into general performance characteristics of the protocol design
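The build / change-parameters / what-if loop can be sketched with exact Mean Value Analysis over a closed queuing network. This is an added example, not code from the paper or the presentation: it is single-class (no class switching), and the station names and service demands are constructed assumptions.

```python
# Added example: exact Mean Value Analysis (MVA) for a single-class closed
# queuing network. Station names and service demands are constructed
# placeholders, not measurements from the paper.

def mva(demands, n_clients, think_time=0.0):
    """Return (throughput, response_time, utilizations) for n_clients.

    demands: {station: total service demand in seconds per authentication}
    """
    queue = {k: 0.0 for k in demands}            # mean queue length at n-1
    throughput = response = 0.0
    for n in range(1, n_clients + 1):
        # Arrival theorem: an arriving request sees the network with n-1 jobs.
        residence = {k: d * (1.0 + queue[k]) for k, d in demands.items()}
        response = sum(residence.values())
        throughput = n / (think_time + response)
        # Little's law gives the new mean queue length at each station.
        queue = {k: throughput * r for k, r in residence.items()}
    util = {k: throughput * d for k, d in demands.items()}
    return throughput, response, util


def what_if(demands, station, factors, n_clients, think_time=0.0):
    """Scale one station's demand by each factor; return [(factor, response)]."""
    results = []
    for f in factors:
        scaled = dict(demands, **{station: demands[station] * f})
        _, response, _ = mva(scaled, n_clients, think_time)
        results.append((f, response))
    return results


# Constructed demands (seconds per authentication) for a hypothetical
# multi-realm path: client, LAN, local KDC, WAN, remote KDC, app server.
BASELINE = {"client_cpu": 0.020, "lan": 0.002, "local_kdc": 0.030,
            "wan": 0.015, "remote_kdc": 0.045, "app_server": 0.010}

if __name__ == "__main__":
    x, r, u = mva(BASELINE, n_clients=50, think_time=1.0)
    worst = max(u, key=u.get)
    print(f"X={x:.2f}/s  R={r * 1000:.1f} ms  bottleneck={worst} ({u[worst]:.0%})")
    # What if public-key operations make the remote KDC 2x or 4x slower?
    for f, resp in what_if(BASELINE, "remote_kdc", [1, 2, 4], 50, 1.0):
        print(f"remote_kdc x{f}: R={resp * 1000:.1f} ms")
```

The station with the largest demand bounds throughput at 1/D_max, so scaling that station's demand is the what-if that moves response time the most.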
Analysis of Public-Key-Enabled Kerberos in Large Networks
• Compare PKTAPP and PKCROSS
• Simulate using closed queuing network model
• Use skeleton software to model real world protocol
• When is it more efficient to authenticate to a central KDC than to individual application servers?
PKCROSS vs. PKTAPP
“What-Ifs” Results
Analysis of Public-Key-Enabled Kerberos in Mobile Computing Environments
• Reduce the number of public/private key operations performed on the mobile platform.
• When a proxy is used, maintain the option to preserve the encrypted data stream through the proxy.
• Retain the standard Kerberos formats for messages sent to the KDC and application server.
• Preserve the semantics of Kerberos.
M-PKINIT
MP-PKINIT
Modeling Topology M&MP-PKINIT
• Can use same model as before
  – Substitute a mobile client for client
  – Wireless network for LAN
  – Proxy server for local KDC
• Adjust branching probabilities to reflect new model paths
Model Results
Model vs. Simulation
“What-If” Analysis
More “What-Ifs”
Conclusions
• Closed queuing model with class switching is a useful tool for analyzing performance in security protocols
  – supports wide range of operating conditions
• Skeleton implementation is a good way to work with new ideas that may not be operational yet
• PKCROSS outperforms PKTAPP for authenticating to more than one server
• Proxy server benefits 2G speeds but not 3G speeds
Thoughts
• Well written and presented, clear and detailed
• Good procedural methodology
• Would be nice to see “What-Ifs” done on the test bed and compared to model as well
• Skeleton makes assumptions that may alter results when performed with real implementation
Questions?