Kerberos V5 Raj Jain Washington University in Saint Louis Saint Louis MO 63130 Jain cse wustl edu Audio Video recordings of this lecture are available at http www cse wustl edu jain cse571 07 Washington University in St Louis CSE571S 11 1 2007 Raj Jain Overview Kerberos V4 Issues ASN 1 and BER Names Delegation of Rights Ticket Lifetimes Cryptographic Algorithms Hierarchy of Realms Washington University in St Louis CSE571S 11 2 2007 Raj Jain Kerberos V4 Issues 1 Names Instance Realm non standard 1 Only DES encryption 2 Only IPv4 addresses 3 Byte ordering indicated in the message ASN 1 better 4 Maximum life time limited to 21 hours 8 bit life time in units of 5 minutes 5 No delegation 6 Inter realm authentication limited to pairs N2 pairs 7 Double encryption of the ticket Kclient Kserver 8 PCBC does not detect interchange of cipher blocks 9 No subsession keys for long sessions 10 Brute force password attack Washington University in St Louis CSE571S 11 3 2007 Raj Jain ASN 1 Abstract Syntax Notation One Joint ISO and ITU T standard Original 1984 latest 2002 Used to specify protocol data structures X 400 electronic mail X 500 and LDAP directory services H 323 VOIP SNMP etc use ASN 1 Pre Defined INTEGER BOOLEAN BIT STRING OCTET STRING Constructed SEQUENCE structure SEQUENCE OF lists CHOICE Washington University in St Louis CSE571S 11 4 2007 Raj Jain ASN 1 Example AddressType SEQUENCE name OCTET STRING number INTEGER street OCTET STRING city OCTET STRING state OCTET STRING zipCode INTEGER Washington University in St Louis CSE571S 11 5 2007 Raj Jain Encoding Rules ASN 1 only specifies the structure Encoding rules indicate how to encode the structure in to bits on the wire Examples Basic Encoding Rules BER Packed Encoding Rules PER XML Encoding rules XER Distinguished Encoding Rules DER In BER everything is encoded as Tag Length Value Washington University in St Louis CSE571S 11 6 2007 Raj Jain BER Example John Miller 126 Main Street Big City MO 63130 30 Seq 02 Int 80 Len 01 Len 04 Oct Str 0B Len 4A J 6F o 68 h 6E n 20 4D M 69 i 6C l 6E n 20 53 S 74 t 72 r 65 e 65 e 74 t 20 43 C 69 i 74 t 79 y 6C l 65 e 72 r FE 123 04 Oct str 0B 11 4D M 61 a 04 Oct Str 08 Len 42 B 69 i 04 Oct Str 02 Len 4D M 4F O Washington University in St Louis 69 i 67 g 02 Int 02 len F6 96 63130 CSE571S 11 7 0 Null 2007 Raj Jain Names V4 Name Instance Realm 40 character each Null terminated Dot is illegal V5 Name can contain dot and can have many parts e g jain raj V4 Realms are DNS names V5 Realms can be DNS names X 500 names etc Washington University in St Louis CSE571S 11 8 2007 Raj Jain Delegation of Rights Need Backup job requires operators to access files V5 allows requesting a TGT with a different address Can include many addresses or no addresses Anyone TGT with operator s address can then be passed to the operator Can also request to include application specific restrictions in the TGT These restrictions are copied in the tickets Can request that TGT be forwardable One operator can pass it to another operator Can request that TGT be proxiable Alice can request a ticket from TGT for use by the operator Allowing delegation forwarding proxy many addresses no addresses are policy decisions Washington University in St Louis CSE571S 11 9 2007 Raj Jain Ticket Lifetimes V4 Lifetime is one octet max 256 in units of 5 minutes Max 21 hours V5 Many timestamps each in ASN 1 format 17 bytes in s Start Time End Time Auth Time Time at which initial TGT was obtained Renew Till Must renew after this time Start Time End Time Renew Till Washington University in St Louis CSE571S 11 10 2007 Raj Jain Renewable Tickets Tickets cannot be invalidated Long term use permitted only if renewed frequently Expired tickets cannot be renewed KDC does not have to remember revoked tickets for long time Washington University in St Louis CSE571S 11 11 2007 Raj Jain Postdated Tickets Start Time in future Pre invalidated Must be validated at the start time Allows revoking the authentication May Postdate flag in TGT TGS can issue post dated tickets Washington University in St Louis CSE571S 11 12 2007 Raj Jain Key Versions Allows principals to change keys Multiple versions of keys are kept at KDC and TGS Each key is stored as Key Principal KeyVersionNo KDC KeyVersionNo Allows the possibility of KDC changing its key Helpful for renewable and post dated tickets Renewal Tickets are issued with the latest keys Washington University in St Louis CSE571S 11 13 2007 Raj Jain Master Keys in Different Realms Password to key hash function uses realm name also Attacker cannot use the same key in multiple realms Attacker can still use the same password in multiple realms Washington University in St Louis CSE571S 11 14 2007 Raj Jain Optimizations V4 Ticket is encrypted with client s key Ticket is already encrypted with Server s key Double encryption V5 Ticket is not encrypted again V4 Target s name inside the ticket V5 No name inside the ticket Washington University in St Louis CSE571S 11 15 2007 Raj Jain Cryptographic Algorithms V4 DES V5 Encryption field is type value encoded Any encryption Washington University in St Louis CSE571S 11 16 2007 Raj Jain Integrity Only Algorithm V4 Jueneman Checksum V5 Choice of algorithms rsa md5 des des mac des mac k res md4 des optional rsa md4 des k Optional Washington University in St Louis CSE571S 11 17 2007 Raj Jain Encryption for Privacy and Integrity Choice des cbc crc des cbc md4 des cbc md5 Checksum is combined with the message and then encrypted with DES in CBC mode Washington University in St Louis CSE571S 11 18 2007 Raj Jain Hierarchy of Realms V4 Limits to pairs V5 Transition allowed B is registered with A and C is registered with B x A can get to y C via B List of all transited KDC s is put in the ticket It is the applications responsibility to decide if some transited KDC is trustworthy A C B D Washington University in St Louis E F CSE571S 11 19 G 2007 Raj Jain Password Attacks V4 Initial request in clear Anyone can request TGT for president whitehouse gov and use it for offline attack V5 Need to send pre authentication data Current time encrypted by user s key One can still do offline analysis of tickets received for another user V5 does not allow tickets for human users Attackers can still monitor pre authenticated data and analyze it offline Washington University in St Louis CSE571S 11 20 2007 Raj Jain Key Inside Authenticator Alice having two conversations with Bob Attacker can inter mingle packets and confuse