KERBEROS: AN AUTHENTICATION SERVICE FOR OPEN NETWORK SYSTEMS

J. G. Steiner, C. Neuman, J. I. Schiller

MIT

Upload: jonathan-todd

Post on 05-Jan-2016


AUTHENTICATION SERVERS (I)

• Their mission is:
  (a) To check identity of all users
  (b) To prevent unauthorized accesses
• Traditional solution is to use a pair (userid, password)
  – Very bad in a LAN environment
  – Too vulnerable to snooping


AUTHENTICATION SERVERS (II)

• Another bad solution is to trust the kernel of sender’s machine:
  – Solution used by rlogin, rsh, rcp
  – Like trusting a foreign passport
  – Only works in well-controlled networks
  – Suffers from domino effect:
    • Gaining full access to one machine gives full access to whole network


CRYPTOGRAPHY (I)

1. Conventional Cryptography
  – Uses the same key for encoding and decoding
    • Key could be a secret alphabet
  – We now use much more complex schemes and much bigger keys
  – Major problem is key distribution
    • Very hard without a trusted channel


Example

• Assume we have a random stream of bits:
    r0, r1, r2, r3, ...
• We convert our message into a bit stream:
    m0, m1, m2, m3, ...
• Encode the message bitwise using XOR:
    ci = mi ⊕ ri for i = 0, 1, 2, 3, ...
• Impossible to break if the random bit stream is truly random and never reused


CRYPTOGRAPHY (II)

2. Public-Key Cryptography
  – Uses two keys:
    (a) A public key to encode: KP
    (b) A secret key to decode: KS
  – It is not possible to compute KS knowing KP
    • The function KP = f(KS) is said to be hard to invert


CRYPTOGRAPHY (II)

– We should have
  • { { cleartext }KP }KS = cleartext
  • { { cleartext }KS }KP = cleartext
– Requires very long keys
– Cannot pick an arbitrary secret key
– Much slower than conventional cryptography


Example

• Assume A knows KP,B and B knows KP,A
  – A can send to B a secret message:
      { text }KP,B
  – A can send to B a message that is signed:
      A, { text }KS,A
  – A can send to B a signed secret message:
      { A, { text }KS,A }KP,B


Application

• Can combine conventional cryptography and public-key cryptography
  – A uses public-key cryptography to send to B a signed secret message containing a session key KS
  – A and B use this session key KS to continue their dialogue


KERBEROS

• Authentication server using conventional keys
• The Kerberos server has
  – The key of each user
  – The key of the ticket granting service (TGS)
• Authentication is a two-step process
  – Get from Kerberos a ticket for the TGS
  – Get from TGS the ticket for a given server


General Organization

[Figure: client c on workstation WS, the Kerberos server (K), the ticket granting service (TGS) and the server (S); the exchanges between them are numbered 1 to 6.]


General Assumptions (I)

• Cannot trust the network:
  – Intruders can listen to all messages and replay them later
• Can trust the time service
  – No intruder can reset any clock backward by more than a few minutes


General Assumptions (II)

• Client c can trust the workstation WS on which she is logged on:
  – Cannot do encryption without a safe place to encode and decode messages
• Assumes the workstation is controlled by the client
  – Not true for public workstations


Step 1

• Client provides WS with its ID c:
    c → WS: c
• WS sends to Kerberos a request for a ticket for the TGS:
    WS → K: c, tgs


Step 2

• Kerberos sends to WS a ticket Tc,tgs and a random session key Kc,tgs:
    K → WS: { Kc,tgs, { Tc,tgs }Ktgs }Kc
• Both items are encrypted with the client key Kc
• Ticket is encrypted with the secret key of the ticket granting service to prevent tampering by client


The ticket (I)

• Note that the encrypted ticket is encrypted a second time by the client key Kc
  – In more recent versions of Kerberos:
      K → WS: { Kc,tgs }Kc, { Tc,tgs }Ktgs


The ticket (II)

• Tc,tgs = c, tgs, addr, timestamp, life, Kc,tgs
• It contains
  – The client's name c
  – The name of the ticket-granting service tgs
  – The IP address of the client addr
  – The current time timestamp
  – A ticket lifetime life
  – The random session key Kc,tgs


Step 3

• When WS receives the Kerberos reply, it prompts the client c for her password, uses it to compute the user key
    Kc = fn(password)
  and uses Kc to decrypt the message


Shared Secrets

[Figure: WS, K, S (server) and TGS, annotated with the shared keys Kc, Ktgs and Ks.]


Step 3 (continued)

• WS then sends to the TGS
  – The name of the service s the client wants to utilize
  – The encrypted ticket Tc,tgs
  – An authenticator Ac,tgs encrypted with Kc,tgs

    WS → TGS: s, { Tc,tgs }Ktgs, { Ac,tgs }Kc,tgs


The authenticator (I)

• Any intruder could replay a ticket that has already been submitted to TGS
• Authenticator contains
  – The client name c
  – Its address addr
  – The current time timestamp

    Ac,tgs = c, addr, timestamp
• Authenticator is encrypted with Kc,tgs


The authenticator (II)

• Authenticator provides proof that WS was able to obtain the session key Kc,tgs by decrypting message number 2 using the right client key Kc
• To detect replays of authenticators, TGS
  – Rejects authenticators that are too old (say, by more than five minutes)
  – Keeps track of all recently received authenticators
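The two replay checks above, combined with the ticket fields from "The ticket (II)", as an added example that is not part of the original slides. It works on an already-decrypted ticket and authenticator; the class name, the dictionary layout and all sample values are assumptions made for illustration.

```python
MAX_AGE = 5 * 60  # seconds; the slide's "say, by more than five minutes"

class AuthenticatorChecker:
    """Checks run on an already-decrypted ticket and authenticator."""

    def __init__(self, max_age=MAX_AGE):
        self.max_age = max_age
        self.recent = {}  # (c, addr, timestamp) -> timestamp of accepted authenticators

    def check(self, ticket, auth, now):
        if now > ticket["timestamp"] + ticket["life"]:
            return "ticket expired"
        if (auth["c"], auth["addr"]) != (ticket["c"], ticket["addr"]):
            return "authenticator does not match ticket"
        # abs() also rejects timestamps from the future (an assumption added here).
        if abs(now - auth["timestamp"]) > self.max_age:
            return "authenticator too old"
        # Entries older than max_age can be dropped: the age test above already rejects them.
        self.recent = {k: t for k, t in self.recent.items() if now - t <= self.max_age}
        key = (auth["c"], auth["addr"], auth["timestamp"])
        if key in self.recent:
            return "replayed authenticator"
        self.recent[key] = auth["timestamp"]
        return "ok"

def demo():
    # Constructed sample values (names, addresses and times are not from the slides).
    ticket = {"c": "alice", "s": "tgs", "addr": "192.0.2.10", "timestamp": 1000, "life": 28800}
    auth = {"c": "alice", "addr": "192.0.2.10", "timestamp": 1010}
    tgs = AuthenticatorChecker()
    return [
        tgs.check(ticket, auth, now=1012),   # first use
        tgs.check(ticket, auth, now=1015),   # same authenticator seen again
        tgs.check(ticket, auth, now=1400),   # same authenticator after the window
        tgs.check(ticket, dict(auth, addr="198.51.100.7", timestamp=1401), now=1401),
        tgs.check(ticket, dict(auth, timestamp=30000), now=30000),  # lifetime over
    ]
```

The cache only has to remember authenticators for as long as the age test would still accept them, which is why the list of "recently received" authenticators stays small.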


Step 4

• The TGS replies by sending to the workstation
  – A ticket Tc,s for the service s
  – A new random session key Kc,s

    TGS → WS: { Kc,s, { Tc,s }Ks }Kc,tgs

  encrypted with the session key Kc,tgs shared by the client and the ticket granting service


Step 4 (continued)

• Tc,s contains
  – The user's name c
  – The name of the service s
  – The IP address of the client addr
  – The current time timestamp
  – A new lifetime life
  – A new random session key Kc,s
• Tc,s is encrypted with the secret key of server s


Step 5

• WS then sends to server S
  – the encrypted ticket Tc,s
  – an authenticator Ac,s encrypted with Kc,s

    WS → S: { Tc,s }Ks, { Ac,s }Kc,s


Step 5 (continued)

• Authenticator contains
  – the client name c
  – its address addr
  – the current time timestamp

    Ac,s = c, addr, timestamp
• Authenticator is encrypted with the session key Kc,s shared by client and server


Step 6

• If client wanted to authenticate server, the server replies with the authenticator time stamp plus one:

    S → WS: { timestamp + 1 }Kc,s

  encrypted with the session key Kc,s
• This proves that s was able to obtain the session key Kc,s by decrypting message number 5 using its server key Ks
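Steps 1 to 6 traced end to end, as an added example that is not part of the original slides. Encryption is modelled symbolically (a `Sealed` object opens only with the key it was sealed with, it is not a cipher), SHA-256 stands in for fn, and the names, address, password and lifetime are constructed sample values.

```python
import hashlib, hmac, os

class Sealed:
    """Symbolic {payload}key: opens only with the sealing key. A model, not a cipher."""
    def __init__(self, key, payload):
        self._key, self._payload = key, payload
    def open(self, key):
        if not hmac.compare_digest(key, self._key):
            raise PermissionError("wrong key")
        return self._payload

def string_to_key(password):
    # Kc = fn(password); SHA-256 is an assumed stand-in for fn
    return hashlib.sha256(password.encode()).digest()

def make_ticket(c, service, addr, now, session_key, life=8 * 3600):
    # T = c, service, addr, timestamp, life, session key (lifetime value is constructed)
    return {"c": c, "s": service, "addr": addr, "timestamp": now, "life": life, "key": session_key}

def run_exchange(typed_password, now=1_000_000):
    c, addr, s = "alice", "192.0.2.10", "fileserver"   # constructed sample values
    k_c = string_to_key("correct horse")               # user key stored by Kerberos
    k_tgs, k_s = os.urandom(32), os.urandom(32)        # keys of the TGS and of server s
    # Steps 1-2. WS -> K: c, tgs.  K -> WS: { Kc,tgs, { Tc,tgs }Ktgs }Kc
    k_c_tgs = os.urandom(32)
    msg2 = Sealed(k_c, (k_c_tgs, Sealed(k_tgs, make_ticket(c, "tgs", addr, now, k_c_tgs))))

    # Step 3. WS computes Kc from the typed password, opens message 2, then sends
    # WS -> TGS: s, { Tc,tgs }Ktgs, { Ac,tgs }Kc,tgs
    ws_k_c_tgs, sealed_tgt = msg2.open(string_to_key(typed_password))
    a_tgs = Sealed(ws_k_c_tgs, {"c": c, "addr": addr, "timestamp": now})

    # Step 4. TGS opens the ticket with Ktgs and the authenticator with the Kc,tgs inside it.
    tgt = sealed_tgt.open(k_tgs)
    auth = a_tgs.open(tgt["key"])
    if (auth["c"], auth["addr"]) != (tgt["c"], tgt["addr"]):
        raise PermissionError("authenticator does not match ticket")
    k_c_s = os.urandom(32)
    msg4 = Sealed(tgt["key"], (k_c_s, Sealed(k_s, make_ticket(c, s, addr, now, k_c_s))))

    # Step 5. WS -> S: { Tc,s }Ks, { Ac,s }Kc,s
    ws_k_c_s, sealed_tcs = msg4.open(ws_k_c_tgs)
    a_s = Sealed(ws_k_c_s, {"c": c, "addr": addr, "timestamp": now})

    # Step 6. S recovers Kc,s from the ticket and answers { timestamp + 1 }Kc,s
    t_cs = sealed_tcs.open(k_s)
    msg6 = Sealed(t_cs["key"], a_s.open(t_cs["key"])["timestamp"] + 1)
    return {"server_proved_key": msg6.open(ws_k_c_s) == now + 1,
            "service_ticket": sealed_tcs, "ws_keys": (ws_k_c_tgs, ws_k_c_s)}
```

The password never leaves the workstation, and none of the keys the workstation ends up holding opens the service ticket, which is what stops the client from tampering with it.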


Picking ticket lifetimes

• There is a trade-off in determining the optimal ticket lifetime:
  – Short ticket lifetimes make the system more secure
    • Less delay between password change and full effect of action
  – Short ticket lifetimes also make the system less convenient for its users.


The Kerberos server (I)

• Most critical part of the system
  – If it is compromised, all user passwords are lost
  – If it is unavailable, nobody will be able to log in
• A compromised TGS would only force all users to repeat the Kerberos login procedure


The Kerberos server (II)

• The Kerberos server is normally replicated on several sites:
  – No single point of failure
  – More difficult to maintain key secrecy
• There is a single primary site and it is the only one that can accept key change requests
  – Changing passwords is not a critical task


LIMITATIONS

• Must maintain
  – secrecy of keys
  – integrity of time service
• Client must trust the workstation on which she is logged in
• Does not protect clients and servers against denial of service attacks


OTHER SOLUTIONS (I)

• Could use a pair public key/private key
  – private keys cannot be generated from an arbitrary password
  – impossible to memorize
  – must store them somewhere
    • key ring of PGP is encrypted using a strong conventional encryption algorithm


OTHER SOLUTIONS (II)

• Could use one-time passwords
  – Use a different password at each log in
  – Passwords can be managed by a smart card
  – User must always carry it with her
  – Some systems also require a password to use the card and disable card after enough unsuccessful trials
    • Must keep card in a rigid container


OTHER SOLUTIONS (III)

• SSH-2 uses
  – Diffie-Hellman key exchange
    • Uses public keys and private keys
    • Produces a symmetric session key
  – Strong integrity checking via message authentication codes.


OTHER SOLUTIONS (IV)

• Two-factor authentication
  – Must provide
    • Something you know (a password)
    • Something you have (a dongle or a phone)
  – Google two-factor authentication:
    • Enter first name and password
    • Google sends a six-digit code to your phone that you must then enter


CONCLUSIONS

• Kerberos offers one of the best solutions for authentication in distributed systems
  – Does not require any special equipment
  – Does not significantly alter the user interface
• Main drawback is that the user must trust the workstation on which she is logged in
  – Works best for personal workstations