2. Kerberos (protocol)
◦ Kerberos is a computer network authentication protocol
◦ Works on the basis of 'tickets' to allow nodes communicating over a non-secure network
◦ Prove their identity to one another in a secure manner
◦ Aimed primarily at a client–server model and it provides mutual authentication
◦ Protected against eavesdropping and replay attacks
http://www.ifour-consultancy.com Offshore software development company India
3. Microsoft Windows, UNIX & Kerberos
◦ Windows 2000 and later uses Kerberos as its default authentication method
◦ Documentation:
◦ RFC 3244 "Microsoft Windows 2000 Kerberos Change Password and Set Password Protocols"
◦ RFC 4757 documents Microsoft's use of the RC4 cipher
◦ Include software for Kerberos authentication of users or services
http://www.ifour-consultancy.com Offshore software development company India
4. Components
Principal Realm
KDC
AS TGS
Client Server
http://www.ifour-consultancy.com Offshore software development company India
5. Mechanism
• Client authenticates itself to the Authentication
Server (AS) which forwards the username to a Key
distribution center (KDC)
• KDC issues a Ticket Granting Ticket (TGT), which is
time stamped
• Encrypts it using the user's password and returns the
encrypted result to the user's workstation
• TGT remains valid until it expires, though may be
transparently renewed by the user's session manager
while they are logged in
http://www.ifour-consultancy.com Offshore software development company India
6. Mechanism
When the client needs to communicate with
another node
• Client sends the TGT to the Ticket Granting
Service (TGS)
• After verifying the TGT is valid and the user is
permitted to access the requested service
• TGS issues a Ticket and session keys, which are
returned to the client
• Client then sends the Ticket to the service
server (SS) along with its service request
http://www.ifour-consultancy.com Offshore software development company India
7. User Client-based Logon
◦ User enters a username and password on the client machines
◦ Client transforms the password into the key of a symmetric cipher
◦ Either uses the built in key scheduling or a one-way hash depending the cipher-suite used
http://www.ifour-consultancy.com Offshore software development company India
8. Client Authentication
◦ Client sends a clear text message of the user ID to the AS requesting services on behalf of the
user
◦ AS generates the secret key by hashing the password of the user found at the database
◦ AS checks to see if the client is in its database
http://www.ifour-consultancy.com Offshore software development company India
9. Client Authentication
◦ If it is, the AS sends back the
following two messages to the
client:
◦ Message A: Client/TGS Session Key
encrypted using the secret key of the
client/user.
◦ Message B: Ticket-Granting-Ticket
(which includes the client ID, client
network address, ticket validity period,
and the client/TGS session key)
encrypted using the secret key of the
TGS.
http://www.ifour-consultancy.com Offshore software development company India
10. Client Service Authorization
◦ Client attempts to decrypt message A with the secret key generated from the password
entered by the user
◦ If the password does not match the password in the AS database, the client's secret key will
be different and thus unable to decrypt message A
◦ With a valid password and secret key the client decrypts message A to obtain the Client/TGS
Session Key
◦ Session key is used for further communications with the TGS
http://www.ifour-consultancy.com Offshore software development company India
11. Client Service Authorization
When requesting services, the client sends
the following two messages to the TGS
◦ Message C: Composed of the TGT from
message B and the ID of the requested
service.
◦ Message D: Authenticator (which is
composed of the client ID and the
timestamp), encrypted using the Client/TGS
Session Key.
http://www.ifour-consultancy.com Offshore software development company India
12. Client Service Authorization
◦ Upon receiving messages C and D, the TGS retrieves message B out of message C
◦ Decrypts message B using the TGS secret key
◦ Gives it the "client/TGS session key“
http://www.ifour-consultancy.com Offshore software development company India
13. Client Service Authorization
Using this "client/TGS session key“, the TGS
decrypts message D
Sends the following two messages to the
client:
◦ Message E: Client-to-server ticket (which
includes the client ID, client network address,
validity period and Client/Server Session Key)
encrypted using the service's secret key.
◦ Message F: Client/Server Session Key encrypted
with the Client/TGS Session Key.
http://www.ifour-consultancy.com Offshore software development company India
14. Client Service Request
Upon receiving messages E and F from TGS
◦ Client has enough information to authenticate
itself to the SS
◦ Client connects to the SS and sends the following
two messages
◦ Message E from the previous step (the client-to-server ticket,
encrypted using service's secret key).
◦ Message G: a new Authenticator, which includes the client
ID, timestamp and is encrypted using Client/Server Session
Key.
http://www.ifour-consultancy.com Offshore software development company India
15. Client Service Request
◦ SS decrypts the ticket using its own secret key to retrieve the Client/Server
Session Key
◦ SS decrypts the Authenticator and sends the following message to the client
to confirm its true identity and willingness to serve the client
◦ Message H: the timestamp found in client's Authenticator plus 1, encrypted using the Client/Server
Session Key.
◦ Client decrypts the confirmation using the Client/Server Session Key
http://www.ifour-consultancy.com Offshore software development company India
16. Client Service Request
◦ Checks whether the timestamp is correctly updated
◦ Client can trust the server and can start issuing service requests to the server
◦ Server provides the requested services to the client
http://www.ifour-consultancy.com Offshore software development company India
17. Kerberos Authentication Process ( Cross
Domain)
◦ Client in Domain 1 wishes to access a network resource in remote Domain 2
◦ The client has already been authenticated to KDC in Domain 1 and has received TGT
◦ The client presents TGT to KDC in Domain 1 and request a TGS to access the remote resources
http://www.ifour-consultancy.com Offshore software development company India
18. Kerberos Authentication Process ( Cross
Domain)
◦ The KDC in Domain 1 cannot provide TGS to network resource in Domain 2. Instead, KDC in
Domain 1 respond to the client with TGT for Domain 2
◦ The client presents the new TGT to KDC in domain 2
◦ The KDC in Domain 2 responds with TGS fro the network resource
◦ The client accesses the Network resource in Domain 2 using the new TGS
http://www.ifour-consultancy.com Offshore software development company India
19. Drawbacks and Limitations
Single point of failure
Kerberos has strict time requirements
Administration protocol is not standardized
All authentications are controlled by a centralized KDC
http://www.ifour-consultancy.com Offshore software development company India
20. Drawbacks and Limitations
Each network service which requires a different host name
Requires user accounts, user clients and the services on the
server to all have a trusted relationship to the Kerberos token
server
Required client trust makes creating staged environments
difficult
http://www.ifour-consultancy.com Offshore software development company India
21. Weakness in Kerberos Protocol
Susceptible to offline password cracks
Password cracking tools : “l0phtcrack” able to demonstrate the vulnerability
If TGT stolen, the attacker can access n/w until the session expires
Severe effects if KDC is compromised
http://www.ifour-consultancy.com Offshore software development company India