Kerberos Authentication

Kerberos protocol

Kerberos Authentication - http://www.ifour-consultancy.com


Page 1: Kerberos protocol

Kerberos Authentication

Page 2: Kerberos protocol

Kerberos (protocol)

◦ Kerberos is a computer network authentication protocol

◦ Works on the basis of 'tickets' to allow nodes communicating over a non-secure network

◦ Prove their identity to one another in a secure manner

◦ Aimed primarily at a client–server model and it provides mutual authentication

◦ Protected against eavesdropping and replay attacks

http://www.ifour-consultancy.com Offshore software development company India

Page 3: Kerberos protocol

Microsoft Windows, UNIX & Kerberos

◦ Windows 2000 and later uses Kerberos as its default authentication method

◦ Documentation:

◦ RFC 3244 "Microsoft Windows 2000 Kerberos Change Password and Set Password Protocols"

◦ RFC 4757 documents Microsoft's use of the RC4 cipher (the RC4-HMAC encryption types, keyed from the NT password hash)

◦ Many UNIX and UNIX-like operating systems include software for Kerberos authentication of users or services


Page 4: Kerberos protocol

Components

◦ Principal

◦ Realm

◦ KDC: Authentication Server (AS) and Ticket Granting Server (TGS)

◦ Client

◦ Server


Page 5: Kerberos protocol

Mechanism

• Client authenticates itself to the Authentication Server (AS), a component of the Key Distribution Center (KDC), by sending its username

• KDC issues a Ticket Granting Ticket (TGT), which is time stamped and encrypted under the TGS's own secret key

• Encrypts the accompanying client/TGS session key using a key derived from the user's password and returns both to the user's workstation

• TGT remains valid until it expires, though it may be transparently renewed by the user's session manager while they are logged in


Page 6: Kerberos protocol

Mechanism

When the client needs to communicate with another node

• Client sends the TGT to the Ticket Granting Service (TGS)

• After verifying the TGT is valid and the user is permitted to access the requested service

• TGS issues a Ticket and session keys, which are returned to the client

• Client then sends the Ticket to the service server (SS) along with its service request


Page 7: Kerberos protocol

User Client-based Logon

◦ User enters a username and password on the client machine

◦ Client transforms the password into the key of a symmetric cipher (the password itself never leaves the client)

◦ Either uses the built-in key scheduling or a one-way hash, depending on the cipher suite used


Page 8: Kerberos protocol

Client Authentication

◦ Client sends a clear text message of the user ID to the AS requesting services on behalf of the user (no password or key is sent)

◦ AS checks to see if the client is in its database

◦ If it is, the AS obtains the client's secret key by hashing the user's password held in the database (in practice the KDC stores the derived key rather than the password)


Page 9: Kerberos protocol

Client Authentication

◦ If it is, the AS sends back the following two messages to the client:

◦ Message A: Client/TGS Session Key encrypted using the secret key of the client/user.

◦ Message B: Ticket-Granting-Ticket (which includes the client ID, client network address, ticket validity period, and the client/TGS session key) encrypted using the secret key of the TGS.


Page 10: Kerberos protocol

Client Authentication

◦ Client attempts to decrypt message A with the secret key generated from the password entered by the user

◦ If the password does not match the password in the AS database, the client's secret key will be different and thus unable to decrypt message A

◦ With a valid password and secret key the client decrypts message A to obtain the Client/TGS Session Key

◦ Session key is used for further communications with the TGS


Page 11: Kerberos protocol

Client Service Authorization

When requesting services, the client sends the following two messages to the TGS

◦ Message C: Composed of the TGT from message B and the ID of the requested service.

◦ Message D: Authenticator (which is composed of the client ID and the timestamp), encrypted using the Client/TGS Session Key.


Page 12: Kerberos protocol

Client Service Authorization

◦ Upon receiving messages C and D, the TGS retrieves message B (the TGT) out of message C

◦ Decrypts message B using the TGS secret key

◦ This gives it the "client/TGS session key" that was placed inside the TGT


Page 13: Kerberos protocol

Client Service Authorization

Using this "client/TGS session key", the TGS decrypts message D

Sends the following two messages to the client:

◦ Message E: Client-to-server ticket (which includes the client ID, client network address, validity period and Client/Server Session Key) encrypted using the service's secret key.

◦ Message F: Client/Server Session Key encrypted with the Client/TGS Session Key.


Page 14: Kerberos protocol

Client Service Request

Upon receiving messages E and F from TGS

◦ Client has enough information to authenticate itself to the SS

◦ Client connects to the SS and sends the following two messages

◦ Message E from the previous step (the client-to-server ticket, encrypted using service's secret key).

◦ Message G: a new Authenticator, which includes the client ID, timestamp and is encrypted using Client/Server Session Key.


Page 15: Kerberos protocol

Client Service Request

◦ SS decrypts the ticket using its own secret key to retrieve the Client/Server Session Key

◦ SS decrypts the Authenticator and sends the following message to the client to confirm its true identity and willingness to serve the client

◦ Message H: the timestamp found in the client's Authenticator, encrypted using the Client/Server Session Key (Kerberos 4 returned the timestamp plus 1; Kerberos 5, RFC 4120, returns it unchanged). Only a holder of the service's secret key could have recovered the session key needed to build this message

◦ Client decrypts the confirmation using the Client/Server Session Key


Page 16: Kerberos protocol

Client Service Request

◦ Checks that the timestamp in message H matches the one it sent in its own Authenticator

◦ Client can trust the server and can start issuing service requests to the server

◦ Server provides the requested services to the client
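The exchange described on the preceding slides (messages A through H), as an added example that is not part of the original presentation. It models the three parties (AS, TGS and the service) and the client as plain functions so that it is visible who holds which key and which message each key opens. Everything here is constructed for illustration: the realm EXAMPLE.COM and the principals alice, krbtgt and http/www are made up, the AS does no pre-authentication (as on the slides), the password-to-key step uses PBKDF2-HMAC-SHA256 as a stand-in for the real string2key, and seal()/unseal() are a toy HMAC-based authenticated encryption that stands in for a Kerberos encryption type, not a cipher to reuse. Nothing here is the Kerberos wire format.

```python
"""Toy walk-through of the Kerberos message flow A..H. Constructed example: not the real
wire format and not a real enctype; it shows who holds which key and what each key opens."""
import hashlib, hmac, json, os, time

REALM = "EXAMPLE.COM"   # constructed realm
SKEW = 300              # seconds of clock skew tolerated, the usual Kerberos default
SEEN = set()            # service-side replay cache of (client id, authenticator timestamp)


def string2key(password: str, principal: str) -> bytes:
    """Slide 7: turn the password into the long-term key. Real AES enctypes use
    PBKDF2-HMAC-SHA1 with salt = realm + principal (RFC 3962); SHA-256 is a stand-in."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), (REALM + principal).encode(), 4096, 32)


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out = b""
    for ctr in range(0, n, 32):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]


def seal(key: bytes, obj: dict) -> bytes:
    """Toy authenticated encryption (HMAC keystream XOR, then an HMAC tag). Stands in for
    a Kerberos enctype only; NOT a secure cipher, do not reuse outside this example."""
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> dict:
    """Inverse of seal(); a wrong key shows up as a tag mismatch (ValueError)."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


# Constructed KDC database: the KDC holds every long-term key in the realm.
KDC_DB = {
    "alice": string2key("correct horse", "alice"),   # user key, derived from the password
    "krbtgt": os.urandom(32),                        # the TGS's own secret key
    "http/www": os.urandom(32),                      # the service's secret key
}


def as_exchange(client_id: str, addr: str, now: float):
    """Slides 8-9: the request is clear text (no pre-authentication in this toy); the AS
    answers with message A (session key, under the user's key) and B (the TGT, under the TGS key)."""
    if client_id not in KDC_DB:
        raise KeyError("unknown principal")
    sk = os.urandom(32)                               # client/TGS session key
    msg_a = seal(KDC_DB[client_id], {"tgs_key": sk.hex()})
    msg_b = seal(KDC_DB["krbtgt"], {"cid": client_id, "addr": addr,
                                    "exp": now + 8 * 3600, "key": sk.hex()})
    return msg_a, msg_b


def client_open_a(password: str, client_id: str, msg_a: bytes) -> bytes:
    """Slide 10: a wrong password yields a wrong key, so message A does not open."""
    return bytes.fromhex(unseal(string2key(password, client_id), msg_a)["tgs_key"])


def _check_auth(auth: dict, ticket: dict, now: float) -> None:
    if ticket["exp"] < now:
        raise ValueError("ticket expired")
    if auth["cid"] != ticket["cid"] or abs(auth["ts"] - now) > SKEW:
        raise ValueError("authenticator does not match ticket or is outside clock skew")


def tgs_exchange(msg_c: dict, msg_d: bytes, now: float):
    """Slides 11-13: TGS opens the TGT (B, carried inside C) with its own key, checks
    authenticator D with the session key found inside the TGT, then issues E and F."""
    tgt = unseal(KDC_DB["krbtgt"], msg_c["tgt"])
    sk = bytes.fromhex(tgt["key"])
    _check_auth(unseal(sk, msg_d), tgt, now)
    svc_key = os.urandom(32)                          # client/server session key
    msg_e = seal(KDC_DB[msg_c["service"]], {"cid": tgt["cid"], "addr": tgt["addr"],
                                            "exp": now + 3600, "key": svc_key.hex()})
    msg_f = seal(sk, {"svc_key": svc_key.hex()})
    return msg_e, msg_f


def service_exchange(service: str, msg_e: bytes, msg_g: bytes, now: float) -> bytes:
    """Slides 14-16: the service opens ticket E with its own key, checks authenticator G,
    rejects replays, and returns message H (RFC 4120 echoes the client's timestamp)."""
    ticket = unseal(KDC_DB[service], msg_e)
    k = bytes.fromhex(ticket["key"])
    auth = unseal(k, msg_g)
    _check_auth(auth, ticket, now)
    if (auth["cid"], auth["ts"]) in SEEN:
        raise ValueError("replayed authenticator")
    SEEN.add((auth["cid"], auth["ts"]))
    return seal(k, {"ts": auth["ts"]})


def full_login(password: str, client_id: str = "alice", service: str = "http/www",
               now: float = 0.0) -> bool:
    """Run the whole flow; True means the client also verified the server via message H."""
    now = now or time.time()
    msg_a, msg_b = as_exchange(client_id, "10.0.0.5", now)
    tgs_key = client_open_a(password, client_id, msg_a)
    msg_c = {"tgt": msg_b, "service": service}
    msg_d = seal(tgs_key, {"cid": client_id, "ts": now})        # authenticator for the TGS
    msg_e, msg_f = tgs_exchange(msg_c, msg_d, now)
    svc_key = bytes.fromhex(unseal(tgs_key, msg_f)["svc_key"])
    msg_g = seal(svc_key, {"cid": client_id, "ts": now})        # authenticator for the service
    msg_h = service_exchange(service, msg_e, msg_g, now)
    return unseal(svc_key, msg_h)["ts"] == now
```

Running full_login("correct horse") returns True; a wrong password fails inside client_open_a because message A will not open, and presenting the same authenticator twice is refused by the service's replay cache. Note that the only thing protecting message A from a passive attacker is the strength of the user's password: anyone who can obtain message A can run client_open_a against a list of guesses offline, which is the weakness the later slides describe and the reason real deployments require pre-authentication.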


Page 17: Kerberos protocol

Kerberos Authentication Process (Cross Domain)

◦ Client in Domain 1 wishes to access a network resource in remote Domain 2

◦ The client has already been authenticated to the KDC in Domain 1 and has received a TGT

◦ The client presents the TGT to the KDC in Domain 1 and requests a service ticket for the remote resource


Page 18: Kerberos protocol

Kerberos Authentication Process (Cross Domain)

◦ The KDC in Domain 1 cannot issue a service ticket for a resource in Domain 2, because it does not hold that service's key. Instead, the KDC in Domain 1 responds to the client with a cross-realm (referral) TGT for Domain 2, encrypted under the inter-realm key the two KDCs share

◦ The client presents the new TGT to the KDC in Domain 2

◦ The KDC in Domain 2 responds with a service ticket for the network resource

◦ The client accesses the network resource in Domain 2 using the new service ticket


Page 19: Kerberos protocol

Drawbacks and Limitations

Single point of failure: if the KDC is unavailable, no new tickets can be issued

Kerberos has strict time requirements: client, KDC and service clocks must agree within the configured skew (5 minutes by default), or authenticators are rejected

Administration protocol is not standardized; each implementation has its own

All authentications are controlled by a centralized KDC


Page 20: Kerberos protocol

Drawbacks and Limitations

Each network service which requires a different host name will need its own set of Kerberos keys

Requires user accounts, user clients and the services on the server to all have a trusted relationship to the Kerberos token server

Required client trust makes creating staged environments difficult


Page 21: Kerberos protocol

Weakness in Kerberos Protocol

Susceptible to offline password cracks: an attacker who captures message A (or any ticket encrypted under a password-derived key) can test password guesses offline, since each guess is checked by attempting to decrypt. Kerberos 5 pre-authentication makes the AS demand an encrypted timestamp before it replies, so the reply is no longer handed to anyone who merely asks for it

Password cracking tools: "l0phtcrack" was able to demonstrate the vulnerability

If a TGT is stolen, the attacker can use it on the network until it expires (the ticket, not the password, is the credential being presented)

Severe effects if the KDC is compromised, since it holds every principal's long-term key


Page 22: Kerberos protocol

References

http://en.wikipedia.org/wiki/Kerberos_%28protocol%29

http://technet.microsoft.com/en-us/library/bb742516.aspx

http://www.kerberos.info

Symbiosis students:

◦ Deepak Aggarwal

◦ Rohit Khadke

◦ Sonali Solanki

◦ Vineela Kanapala
