Title: An Introduction to Kerberos
1An Introduction to Kerberos
- Shumon Huque
- ISC Networking Telecommunications
- University of Pennsylvania
- March 19th 2003
2What this talk is about
- A high-level view of how Kerberos works
- How Kerberos differs from some other
authentication systems - SSH password auth, SSH public key auth, SSL
- Target audience
- LSPs, computing staff, others?
3What this talk is not about
- Details of Penns Kerberos deployment plans
- How to get PennKeys, which Kerberos enabled
applications do I need to use - Writing Kerberized applications
- In-depth protocol details and packet formats
- Number Theory Cryptography
4What is Kerberos?
- Developed at M.I.T.
- A secret key based service for providing
authentication in open networks - Authentication mediated by a trusted 3rd party on
the network - Key Distribution Center (KDC)
5Kerberos etymology
- The 3-headed dog that guards the entrance to
Hades - Originally, the 3 heads represented the 3 As
- But one A was work enough!
6(No Transcript)
7Fluffy, the 3 headed dog, fromHarry Potter and
the Sorcerers Stone
8Some Kerberos benefits
- Standards based strong authentication system
- Wide support in various operating systems
- Make strong authentication readily available for
use with campus computer systems - Prevents transmission of passwords over the
network - Provides single-sign-on capability
- Only 1 password to remember
- Only need to enter it once per day (typically)
9So, what is Authentication?
- The act of verifying someones identity
- The process by which users prove their identity
to a service - Doesnt specify what a user is allowed or not
allowed to do (Authorization)
10Password based Authentication
- Transmit password in clear over the network to
the server - Main Problem
- Eavesdropping/Interception
11Cryptographic Authentication
- No password or secret is transferred over the
network - Users prove their identity to a service by
performing a cryptographic operation,usually on a
quantity supplied by the server - Crypto operation based on users secret key
12Encryption and Decryption
- Encryption
- Process of scrambling data using a cipher and a
key in such a way, that its intelligible only to
the recipient - Decryption
- Process of unscambling encrypted data using a
cipher and key (possibly the same key used to
encrypt the data)
13Symmetric Key Cryptography
- Aka, Secret Key cryptography
- The same key is used for both encryption and
decryption operations (symmetry) - Examples DES, 3-DES, AES
14Asymmetric Key Cryptography
- Aka Public key cryptography
- A pair of related keys are used
- Public and Private keys
- Private key cant be calculated from Public key
- Data encrypted with one can only be decrypted
with the other - Usually, a user publishes his public key widely
- Others use it to encrypt data intended for the
user - User decrypts using the private key (known only
to him) - Examples RSA
15Communicating Parties
- Alice and Bob
- Alice initiator of the communication
- Think of her as the client or user
- Bob correspondent or 2nd participant
- Think of him as the server
- Alice wants to access service Bob
- Baddies
- Eve, Trudy, Mallory
16Simple shared-secret based cryptographic
authentication
17Add mutual authentication
18Problems with this scheme
- Poor scaling properties
- Generalizing the model for m users and n
services, requires a priori distribution of m x n
shared keys - Possible improvement
- Use trusted 3rd party, with which each user and
service shares a secret key m n keys - Also has important security advantages
19Mediated Authentication
- A trusted third party mediates the authentication
process - Called the Key Distribution Center (KDC)
- Each user and service shares a secret key with
the KDC - KDC generates a session key, and securely
distributes it to communicating parties - Communicating parties prove to each other that
they know the session key
20Mediated Authentication
- Nomenclature
- Ka Master key for alice, shared by alice and
the KDC - Kab Session key shared by alice and bob
- Tb Ticket to use bob
- Kdata data encrypted with key K
21(No Transcript)
22Mediated Authentication
23Mediated Authentication
24Kerberos uses timestamps
- Timestamps as nonces are used in the mutual
authentication phase of the protocol - This reduces the number of total messages in the
protocol - But it means that Kerberos requires reasonably
synchronized clocks amongst the users of the
system
25Kerberos (almost)
26Kerberos (roughly)
27Needham-Schroeder Protocol
28Kerberos (detailed)
- Each user and service registers a secret key with
the KDC - Everyone trusts the KDC
- Put all your eggs in one basket, and then watch
that basket very carefully - Anonymous Mark
Twain - The users key is derived from a password, by
applying a hash function - The service key is a large random number, and
stored on the server
29Kerberos principal
- A client of the Kerberos authentication service
- A user or a service
- Format
- name/instance_at_REALM
- Examples
- peggy_at_UPENN.EDU
- ftp/pobox.upenn.edu_at_UPENN.EDU
30Kerberos without TGS
- A simplified description of Kerberos without the
concept of a TGS (Ticket Granting Service)
31(No Transcript)
32(No Transcript)
33(No Transcript)
34Combining 2 previous diags
35(No Transcript)
36Review Kerberos Credentials
- Ticket
- Allows user to use a service (actually
authenticate to it) - Used to securely pass the identity of the user to
which the ticket is issued between the KDC and
the application server - Kbalice, Kab, lifetime
- Authenticator
- Proves that the user presenting the ticket is the
user to which the ticket was issued - Proof that user knows the session key
- Prevents ticket theft from being useful
- Prevents replay attacks (timestamp encrypted with
the session key) Kabtimestamp, in combination
with a replay cache on the server
37Ticket Granting Service (TGS)
38(No Transcript)
39(No Transcript)
40Kerberos with TGS
- Ticket Granting Service (TGS)
- A Kerberos authenticated service, that allows
user to obtain tickets for other services - Co-located at the KDC
- Ticket Granting Ticket (TGT)
- Ticket used to access the TGS and obtain service
tickets - Limited-lifetime session key TGS sessionkey
- Shared by user and the TGS
- TGT and TGS session-key cached on Alices
workstation
41TGS Benefits
- Single Sign-on (SSO) capability
- Limits exposure of users password
- Alices workstation can forget the password
immediately after using it in the early stages of
the protocol - Less data encrypted with the users secret key
travels over the network, limiting attackers
access to data that could be used in an offline
dictionary attack
42(No Transcript)
43(No Transcript)
44(No Transcript)
45(No Transcript)
46Levels of Session Protection
- Initial Authentication only
- Safe messages
- Authentication of every message
- Keyed hashing with session key
- Private messages
- Encryption of every message
- With session key, or mutually negotiated
subsession keys - Note Application can choose other methods
47Pre-authentication
- Kerberos 5 added pre-authentication
- Client is required to prove its identity to the
Kerberos AS in the first step - By supplying an encrypted timestamp (encrypted
with users secret key) - This prevents an active attacker being able to
easily obtain data from the KDC encrypted with
any users key - Then able to mount an offline dictionary attack
48(No Transcript)
49Kerberos Two-factor auth
- In addition to a secret password, user is
required to present a physical item - A small electronic device h/w authentication
token - Generates non-reusable numeric responses
- Called 2-factor authentication, because it
requires 2 things - Something the user knows (password)
- Something the user has (hardware token)
50Cross Realm Authentication
51Hierarchy/Chain of Realms
52Kerberos and PubKey Crypto
- Proposed enhancements
- Public key crypto for Initial Authentication
- PKINIT
- Public key crypto for Cross-realm Authentication
- PKCROSS
53Kerberos summary
- Authentication method
- Users enter password on local machine only
- Authenticated via central KDC once per day
- No passwords travel over the network
- Single Sign-on (via TGS)
- KDC gives you a special ticket, the TGT,
usually good for rest of the day - TGT can be used to get other service tickets
allowing user to access them (when presented
along with authenticators)
54Advantages of Kerberos (1)
- Passwords arent exposed to eavesdropping
- Password is only typed to the local workstation
- It never travels over the network
- It is never transmitted to a remote server
- Password guessing more difficult
- Single Sign-on
- More convenient only one password, entered once
- Users may be less likely to store passwords
- Stolen tickets hard to reuse
- Need authenticator as well, which cant be reused
- Much easier to effectively secure a small set of
limited access machines (the KDCs)
55Advantages of Kerberos (2)
- Easier to recover from host compromises
- Centralized user account administration
56Kerberos caveats
- Kerberos server can impersonate anyone
- KDC is a single point of failure
- Can have replicated KDCs
- KDC could be a performance bottleneck
- Everyone needs to communicate with it frequently
- Not a practical concern these days
- Having multiple KDCs alleviates the problem
- If local workstation is compromised, users
password could be stolen by a trojan horse - Only use a desktop machine or laptop that you
trust - Use hardware token pre-authentication
57Kerberos caveats (2)
- Kerberos vulnerable to password guessing attacks
- Choose good passwords!
- Use hardware pre-authentication
- Hardware tokens, Smart cards etc
58References
- Kerberos An Authentication Service for Open
Network Systems - Steiner, Neuman, Schiller, 1988, Winter USENIX
- Kerberos An Authentication Service for Computer
Networks - Neuman and Tso, IEEE Communications, Sep 1994
- A Morons guide to Kerberos - Brian Tung
- http//www.isi.edu/gost/brian/security/kerberos.ht
ml - Designing an Authentication System A Dialogue in
Four Scenes - Bill Bryant, 1988
- http//web.mit.edu/kerberos/www/dialogue.html
59References (cont)
- RFC 1510 The Kerberos Network Authentication
Service (v5) - Kohl and Neuman, September 1993
- draft-ietf-krb-wg-kerberos-clarifications-03.txt
- IETF Kerberos Working Group rfc1510 revision
- Using Encryption for Authentication in Large
Networks of Computers - Roger Needham, Michael D. Schroeder
- CACM, Volume 21, December 1978, pp 993-999
60Questions or comments?
- Shumon Huque
- E-mail ltshuque_at_isc.upenn.edugt