Kerberos Security Enhancements Based on Intel SGX

Abstract

Abstract: Kerberos is an identity authentication system widely used in cloud computing, Internet of Things and other scenarios. The database of its key distribution center stores the clear key information. In the distributed environment, there are storage management, memory leakage and other security risks, which affect the security of the identity authentication system. Therefore, a Kerberos security enhancement scheme based on Intel SGX is proposed. The key using module in the process of key initialization and identity authentication is moved to the Enclave, and the key is protected dynamically by the memory isolation mechanism supported by hardware. Seals storage to a database in a secure area based on a sealing mechanism. Experiments show that the scheme can guarantee the confidentiality and integrity of the dynamic and static keys and reduce the range of the trusted computing basis. The performance evaluation shows that the proposed scheme can guarantee the security of key operation and storage while the extra cost of performance is also acceptable.

Key words: Intel SGX, Kerberos, identity authentication, key management, security

摘要： Kerberos是广泛应用于云计算，物联网等场景下的身份认证系统，其密钥分发中心（key distribution center, KDC）的数据库存储着明文的密钥信息，在分布式环境中具有存储管理、内存泄露等安全隐患，进而影响身份认证系统的安全.因此提出基于Intel SGX（software guard extensions）的Kerberos安全增强方案，将密钥的初始化和身份认证流程中涉及密钥使用模块迁移至SGX提供的安全隔离区域Enclave中，通过基于硬件支持的内存隔离机制动态保护密钥；在安全区内使用密封机制密封存储至数据库.通过实验证明了本方案能够保障密钥动态和静态的机密性和完整性，减小了可信计算基础的范围.而性能评估显示, 本文方案在保障密钥运行和存储安全的同时，性能的额外开销也在可接受范围之内.

关键词: Intel SGX, Kerberos, 身份认证, 密钥管理, 安全

王冠苗艺雪 . 基于Intel SGX的Kerberos安全增强方案[J]. 信息安全研究, 2021, 7(4): 374-383.

References

[1] Neuman B C, Ts'o T. Kerberos: An authentication service for computer networks[J]. IEEE Communications Magazine, 1994, 32(9): 33-38
[2] Shen Peng, Ding Xiaoming, Ren Wenjun. Research on Kerberos technology based on hadoop cluster security[C]// Proc of the 2nd Int Conf on Advances in Energy, Environment and Chemical Science (AEECS). Pairs:Atlantis Press, 2018: 228-233
[3] Jena S K, Tripathy B K, Gupta P, et al. A Kerberos based secure communication system in smart (internet of things) environment[J]. Journal of Computational and Theoretical Nanoscience, 2019, 16(5/6): 2381-2388
[4] Wang Chundong, Feng Chaoran. Security analysis and improvement for Kerberos based on dynamic password and Diffie-Hellman algorithm[C]//Proc of the 4th Int Conf on Emerging Intelligent Data and Web Technologies. Piscataway, NJ:IEEE, 2013: 256-260
[5] Sutradhar M R, Sultana N, Dey H, et al. A new version of kerberos authentication protocol using ECC and threshold cryptography for cloud security[C]//Proc of the 7th Joint Int Conf on Informatics, Electronics & Vision (ICIEV) and 2nd Int Conf on Imaging, Vision & Pattern Recognition (icIVPR). Piscataway, NJ: IEEE, 2018: 239-244
[6] Jindal S, Sharma M. Design and implementation of Kerberos using DES algorithm[C]//Proc of the ACM Symp on Women in Research. New York: ACM ,2016: 92-95
[7] Kadhim A, Mhaibes H I. A new initial authentication scheme for Kerberos 5 based on biometric data and virtual password[C]//Proc of Int Conf on Advanced Science and Engineering (ICOASE). Piscataway, NJ: IEEE, 2018: 280-285
[8] 刘亚敏,薛海洋,张道德.公钥密码的实际安全性发展研究[J].信息安全研究,2019,5(1):29-38
[9] Du Yunyun, Ning Hongyun, Yang Ping, et al. Improvement of Kerberos protocol based on dynamic password and “one-time public key”[C]// Proc of the 10th Int Conf on Natural Computation (ICNC). Piscataway, NJ: IEEE, 2014: 1020-1025
[10] 杨萍,宁红云.Kerberos协议的安全分析及对策研究[J].计算机工程,2015,41(5):144-148
[11] Costan V, Devadas S. Intel SGX Explained[J]. IACR Cryptology ePrint Archive, 2016, 2016(86): 1-118
[12] Zheng Wei,Wu Ying,Wu Xiaoxue, et al. A survey of Intel SGX and its applications[J]. Frontiers of Computer Science,2020,15(3):1-15
[13] McKeen F, Alexandrovich I, Berenzon A, et al. Innovative instructions and software model for isolated execution[C]//Proc of the 2nd Int Workshop on Hardware and Architectural Support for Security and Privacy. New York: ACM, 2013
[14] McKeen F, Alexandrovich I, Anati I, et al. Intel® software guard extensions (intel® sgx) support for dynamic memory management inside an enclave[C]//Proc of the Hardware and Architectural Support for Security and Privacy. New York: ACM, 2016: 1-9
[15] 涂山山,胡俊,宁振虎,王晓,刘国杰.可信计算:打造云安全新架构[J].信息安全研究,2017,3(5):440-450
[16] Hoekstra M, Lal R, Pappachan P, et al. Using innovative instructions to create trustworthy software solutions[J]. HASP@ISCA,2013, 11(10.1145): 2487726-2488370
[17] Anati I, Gueron S, Johnson S, et al. Innovative technology for CPU based attestation and sealing[C]//Proc of the 2nd Int Workshop on Hardware and Architectural Support for Security and Privacy. New York : ACM, 2013: 7
[18] Schwarz M, Weiser S, Gruss D, et al. Malware guard extension: Using SGX to conceal cache attacks[C]//Proc of the Int Conf on Detection of Intrusions and Malware, and Vulnerability Assessment. Cham: Springer, 2017: 3-24
[19] Richter L, Götzfried J, Müller T. Isolating operating system components with Intel SGX[C]//Proc of the 1st Workshop on System Software for Trusted Execution. New York: ACM,2016: 1-6
[20] Johnson S, Scarlata V, Rozas C, et al. Intel® software guard extensions: Epid provisioning and attestation services[J]. White Paper, 2016, 1(1-10): 119-129