Kerberos V4
Raj Jain
Washington University in Saint Louis, Saint Louis, MO 63130
jain@cse.wustl.edu
Audio/Video recordings of this lecture are available at http://www.cse.wustl.edu/~jain/cse571-07/
Washington University in St. Louis, CSE571S, ©2007 Raj Jain

Overview
- What is Kerberos?
- Kerberos V4 concepts and design principles
- Replicated KDCs
- Multiple realms
- Other details

Overview of Kerberos
- Allows two users, or a client and a server, to authenticate each other over an insecure network.
- Named after the Greek mythological character Kerberos (or Cerberus), the monstrous three-headed dog guarding Hades.
- Designed originally for Project Athena at M.I.T.; an implementation is freely available from M.I.T.
- V5 is proposed as an Internet Standard (RFC 4120).
- Windows 2000, XP, Server 2003 and Vista use Kerberos as their default authentication mechanism; Apple's Mac OS X clients and servers also use Kerberos.
- Apache HTTP Server, Eudora, NFS, OpenSSH, rcp (remote copy), rsh and the X window system allow using Kerberos for authentication.

Overview (Cont.)
- Protects against eavesdropping and replay attacks.
- Uses a trusted third party (the Key Distribution Center) and symmetric-key cryptography.
- The first three versions are no longer in use. V5 is a generalization of V4 with several problems fixed and additional features.
- It is easier to understand V5 if you know V4, so we learn V4's features and mistakes first.

Sample Kerberos Exchange
1. Client -> Authentication Server (KDC): "Hi, jain@cse would like to use the network today."
2. Authentication Server -> Client: "Here is a day pass for jain@cse."
3. Client -> Ticket Granting Server (TGS): "Hi, jain@cse would like to communicate with PrintServer. Attached is his day pass."
4. TGS -> Client: "Here is the ticket for jain@cse to communicate with PrintServer. It includes a session key."
5. Client -> Service Server: "Hi, jain@cse wants to communicate with you. Here is his ticket."
6. Service Server -> Client: "Perfect. Let us use the session key that was
in your ticket."

Kerberos V4 Concepts
- Key Distribution Center (KDC): physically secure node with the complete authentication database.
- Principals: Authentication Server (A), Ticket Granting Server (G), client computer (C), user, i.e. a human (U), server (S).
- Keys: Kcg, Kcs, Kag, Ku, Kgs (the subscripts name the parties that share the key).
- Ticket: encrypted information. All current V4 implementations use DES.
- Ticket Granting Ticket (TGT): allows the user to get tickets from the TGS.

Concepts (Cont.)
- Authenticator: name and time, encrypted with a session key. Sent from client to server along with the ticket, and from server to client.
- Credentials: session key + ticket.
- Session: one user login/logout session. The user enters a name and password; the client converts the password to a key Ku. The TGT and the session key are good for a limited time (21 hours).

Key Design Principles
1. The network is open: a proper secret key is needed to understand any message received, except message 1, which is in the clear.
2. Every client and server has a pre-shared secret with the KDC.
3. The KDC and the Ticket Granting Server (TGS) are logically separate but share a secret key.
4. Both the KDC and the TGS are stateless and do not need to remember the permissions granted: all the state is in the tickets. The day pass is just a longer-term ticket.
5. Longer-term secrets are used less frequently; short-term secrets are created and destroyed after a limited use.

Information Exchanged
Notation: {X}K denotes X encrypted with key K.
1. Client -> KDC (AS): User, TGS
2. KDC -> Client: TGT = {User, Client, TGS, Kcg, SesStartTime1, SesEndTime1}Kag, and {TGS, Kcg, SesStartTime1, SesEndTime1}Ku
3. Client -> TGS: Service, SvcNonce4, TGT = {User, Client, TGS, Kcg, SesStartTime1, SesEndTime1}Kag, authenticator {Client, SesTime1}Kcg
4. TGS -> Client: Ticket = {User, Client, Service, Kcs, SvcStartTime2, SvcEndTime2}Kgs, and {Service, Kcs, SvcStartTime2, SvcEndTime2, SvcNonce4}Kcg
5. Client -> Service Server: Ticket = {User, Client, Service, Kcs, SvcStartTime2, SvcEndTime2}Kgs, authenticator {Client, SvcTime2}Kcs
6. Service Server -> Client: {SvcTime2}Kcs
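The six messages above, run end to end as an added example (this is not code from the lecture or from M.I.T.'s Kerberos). The principal names jain and printserver come from the sample exchange; the key names follow the slide. Assumptions: seal/unseal are an HMAC-SHA256 stand-in for the DES encryption V4 actually used, the service-ticket lifetime and the clock-skew window are made-up values, and the authentication database is constructed sample data. The helper attempt() lets the two protection properties be checked: a captured message 2 is useless without Ku, and message 5 replayed outside the skew window is rejected by the timestamp in the authenticator.

```python
import hashlib
import hmac
import json
import os

# Constructed walk-through of the six messages on the slide. Key names follow the
# slide: Ku (user), Kag (AS<->TGS), Kcg (client<->TGS session key), Kgs (TGS<->service),
# Kcs (client<->service session key). seal/unseal are an HMAC-SHA256 stand-in for the
# DES encryption V4 really used (an assumption). Clocks are plain integers.

TGT_LIFETIME = 21 * 3600   # slide: TGT and session key good for 21 hours
TICKET_LIFETIME = 3600     # assumed service-ticket lifetime
MAX_SKEW = 5 * 60          # assumed clock-skew tolerance for authenticators

def _keystream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def seal(key, obj):
    """Encrypt a dict under key as nonce || keystream-XORed JSON || tag."""
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    """Inverse of seal; ValueError if the key is wrong or the blob was altered."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered ciphertext")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def password_to_key(password):            # client converts the password to Ku
    return hashlib.sha256(password.encode()).digest()

KDC_DB = {                                     # constructed authentication database
    "jain": password_to_key("correct-horse"),  # Ku
    "tgs": os.urandom(32),                     # Kag
    "printserver": os.urandom(32),             # Kgs
}

def authentication_server(user, tgs, now):
    """Messages 1 -> 2: mint Kcg and a TGT under Kag; the reply is readable only with Ku."""
    kcg = os.urandom(32).hex()
    tgt = seal(KDC_DB[tgs], {"user": user, "tgs": tgs, "kcg": kcg,
                             "start": now, "end": now + TGT_LIFETIME})
    return seal(KDC_DB[user], {"tgs": tgs, "kcg": kcg, "start": now,
                               "end": now + TGT_LIFETIME, "tgt": tgt.hex()})

def check_authenticator(auth, expected_name, now):
    """Authenticator = name and time under the session key; a stale one is a replay."""
    if auth["name"] != expected_name:
        raise PermissionError("authenticator name does not match the ticket")
    if abs(now - auth["time"]) > MAX_SKEW:
        raise PermissionError("authenticator outside the clock-skew window (replay?)")

def ticket_granting_server(service, nonce, tgt_blob, auth_blob, now):
    """Messages 3 -> 4: verify TGT and authenticator, issue a service ticket under Kgs."""
    tgt = unseal(KDC_DB["tgs"], tgt_blob)
    if not tgt["start"] <= now <= tgt["end"]:
        raise PermissionError("TGT expired")
    kcg = bytes.fromhex(tgt["kcg"])
    check_authenticator(unseal(kcg, auth_blob), tgt["user"], now)   # fails without Kcg
    kcs = os.urandom(32).hex()
    ticket = seal(KDC_DB[service], {"user": tgt["user"], "service": service, "kcs": kcs,
                                    "start": now, "end": now + TICKET_LIFETIME})
    return seal(kcg, {"service": service, "kcs": kcs, "nonce": nonce, "ticket": ticket.hex()})

def service_server(ticket_blob, auth_blob, now):
    """Messages 5 -> 6: open the ticket with Kgs, check the authenticator, answer under Kcs."""
    ticket = unseal(KDC_DB["printserver"], ticket_blob)
    if not ticket["start"] <= now <= ticket["end"]:
        raise PermissionError("service ticket expired")
    kcs = bytes.fromhex(ticket["kcs"])
    auth = unseal(kcs, auth_blob)
    check_authenticator(auth, ticket["user"], now)
    return seal(kcs, {"time": auth["time"]})   # proves the server holds Kcs

def client_session(user, password, service, now, replay_delay=0):
    """Client side of all six messages; returns Kcs (hex) once message 6 checks out.
    replay_delay > 0 models message 5 being captured and resent that much later."""
    creds = unseal(password_to_key(password), authentication_server(user, "tgs", now))
    kcg, nonce = bytes.fromhex(creds["kcg"]), os.urandom(4).hex()
    reply = unseal(kcg, ticket_granting_server(service, nonce, bytes.fromhex(creds["tgt"]),
                                               seal(kcg, {"name": user, "time": now}), now))
    if reply["nonce"] != nonce:
        raise PermissionError("TGS reply does not answer our request")
    kcs = bytes.fromhex(reply["kcs"])
    msg6 = service_server(bytes.fromhex(reply["ticket"]),
                          seal(kcs, {"name": user, "time": now}), now + replay_delay)
    if unseal(kcs, msg6)["time"] != now:
        raise PermissionError("server did not prove it holds Kcs")
    return reply["kcs"]

def attempt(fn, *args, **kwargs):
    """True if the step succeeded, False if the protocol rejected it."""
    try:
        fn(*args, **kwargs)
        return True
    except (ValueError, PermissionError):
        return False
```

The TGS never stores anything between message 3 and message 4: everything it needs is inside the TGT it issued earlier (design principle 4), and the service server likewise learns Kcs only from the ticket sealed under Kgs.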
Kerberos Protections
- Kerberos protects against eavesdropping: if someone else sends the TGT, they get back a ticket but cannot decrypt the session key unless they know the client's secret key.
- Kerberos protects against replay attacks: if someone sends the TGT or a ticket later, it is rejected. All clients and servers should have their time synchronized within a specified limit.

Replicated KDCs
- The KDC is a single point of failure, so multiple KDCs with database replication are allowed.
- One KDC keeps the master copy to which all changes are made; changes are propagated to the other copies.
- All keys are already encrypted in the database; an integrity check is added during transfers.
- Most KDC operations are read-only.

Realms
- Realm: one organization or one trust domain.
- Each realm has its own set of principals, including its own KDC and TGT.
- Each principal's name is Name.Instance@Realm (40 characters each, null terminated). Instance: a particular server, or a human's role (administrator, game player).
- In V4, two realms must have a direct trust relationship; chaining is prohibited.

Inter-Realm Authentication
Client -> Local AS/TGS: request ticket for local TGS
Local AS/TGS -> Client: ticket for local TGS
Client -> Local AS/TGS: request ticket for remote TGS
Local AS/TGS -> Client: ticket for remote TGS
Client -> Remote AS/TGS: request ticket for remote server
Remote AS/TGS -> Client: ticket for remote server
Client -> Remote Server: request remote service

Key Version Number
- All clients and servers remember their previous keys for a short time.
- Users have to wait after changing their password.

Privacy and Integrity
- With CBC, only two plaintext blocks are affected by a change to one ciphertext block.
- Plaintext Cipher Block Chaining (PCBC) causes all subsequent blocks to change.
- Recognizable data is put at the end, so a change anywhere earlier in the message shows up there.
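The CBC versus PCBC behaviour the Privacy and Integrity slide relies on, as an added example rather than code from the lecture or from any Kerberos implementation. The 8-byte block cipher is a constructed 4-round Feistel stand-in for DES (same block size, but not DES and not secure); the chaining modes are the real CBC and PCBC. Key, IV, message and the "KRB4-END" trailer are sample data. The example also goes one step past the slide: corrupted_blocks_after_swap() shows the known PCBC weakness that swapping two adjacent ciphertext blocks leaves every later block, trailer included, decrypting correctly.

```python
import hashlib

# Constructed example of CBC vs PCBC error propagation. The block cipher is a
# 4-round Feistel stand-in for DES built from SHA-256 (8-byte block like DES,
# but not DES and not secure); the chaining modes are the real ones.

BLOCK = 8

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key, half, rnd):
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]

def toy_encrypt_block(key, block):
    l, r = block[:4], block[4:]
    for rnd in range(4):
        l, r = r, _xor(l, _round(key, r, rnd))
    return r + l

def toy_decrypt_block(key, block):
    l, r = block[:4], block[4:]          # halves arrive swapped; undo the rounds backwards
    for rnd in reversed(range(4)):
        l, r = r, _xor(l, _round(key, r, rnd))
    return r + l

def _blocks(data):
    if len(data) % BLOCK:
        raise ValueError("data must be a whole number of blocks")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def cbc_encrypt(key, iv, pt):
    out, prev = [], iv
    for p in _blocks(pt):
        prev = toy_encrypt_block(key, _xor(p, prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ct):
    out, prev = [], iv
    for c in _blocks(ct):
        out.append(_xor(toy_decrypt_block(key, c), prev))
        prev = c                          # depends on one previous ciphertext block only
    return b"".join(out)

def pcbc_encrypt(key, iv, pt):
    out, prev = [], iv
    for p in _blocks(pt):
        c = toy_encrypt_block(key, _xor(p, prev))
        out.append(c)
        prev = _xor(p, c)                 # chain value mixes plaintext and ciphertext
    return b"".join(out)

def pcbc_decrypt(key, iv, ct):
    out, prev = [], iv
    for c in _blocks(ct):
        p = _xor(toy_decrypt_block(key, c), prev)
        out.append(p)
        prev = _xor(p, c)                 # any earlier error stays in the chain
    return b"".join(out)

MODES = {"cbc": (cbc_encrypt, cbc_decrypt), "pcbc": (pcbc_encrypt, pcbc_decrypt)}
KEY = bytes(range(16))                    # sample key
IV = bytes(BLOCK)                         # sample IV
TRAILER = b"KRB4-END"                     # the recognizable data put at the end
MESSAGE = b"print report.txt on lp0 "     # 24 bytes, so 4 blocks with the trailer

def _decrypt_modified(mode, modify):
    enc, dec = MODES[mode]
    ct = bytearray(enc(KEY, IV, MESSAGE + TRAILER))
    modify(ct)
    return dec(KEY, IV, bytes(ct))

def _changed_blocks(pt):
    return [i for i, (a, b) in enumerate(zip(_blocks(pt), _blocks(MESSAGE + TRAILER))) if a != b]

def _flip(i):
    def flip(ct):
        ct[i * BLOCK] ^= 0x01             # one bit in ciphertext block i
    return flip

def corrupted_blocks(mode, flip_block):
    """Plaintext blocks that change after one bit of ciphertext block flip_block flips."""
    return _changed_blocks(_decrypt_modified(mode, _flip(flip_block)))

def trailer_detects_tampering(mode, flip_block):
    """Does the recognizable trailer fail to verify after that bit flip?"""
    return not _decrypt_modified(mode, _flip(flip_block)).endswith(TRAILER)

def corrupted_blocks_after_swap(mode, i):
    """Swap ciphertext blocks i and i+1 (known PCBC weakness, beyond the slide)."""
    def swap(ct):
        a, b = i * BLOCK, (i + 1) * BLOCK
        ct[a:b], ct[b:b + BLOCK] = ct[b:b + BLOCK], ct[a:b]
    return _changed_blocks(_decrypt_modified(mode, swap))
```

With CBC a flipped bit in block 1 garbles blocks 1 and 2 and leaves the trailer in block 3 intact, so the trailer check passes on a tampered message; with PCBC the damage reaches the trailer. The swap case is why a trailer is not a real integrity check: in PCBC the chain value after any pair of blocks is symmetric in those two blocks, so an attacker can reorder them without touching the trailer.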
Integrity Only
- DES is too expensive for integrity alone, so Kerberos uses a checksum over the session key and the message.
- The session key is not transmitted; only the message and the checksum are transmitted.
- Although not broken, the checksum is not believed to be strong; it is not used in V5.

Network Layer Addresses in Tickets
- Tickets contain the requester's IP address, so no one else can use the ticket without changing their IP address.
- This makes delegation difficult and is a problem for multi-homed systems.
- Potential problems
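A parser and wire encoder for the Name.Instance@Realm principal format from the Realms slide, as an added example (not code from the lecture or from M.I.T.'s Kerberos). The slide gives three fields of 40 characters each, null terminated; it is assumed here that the 40 includes the terminator, so a field carries at most 39 characters, and that a missing realm falls back to a caller-supplied default. Sample principals are constructed.

```python
from typing import NamedTuple

# Constructed example of the V4 principal name format: Name.Instance@Realm,
# three fields of at most FIELD_SIZE bytes each including the NUL terminator
# (assumption: the slide's "40 characters" counts the terminator).

FIELD_SIZE = 40

class Principal(NamedTuple):
    name: str
    instance: str
    realm: str

def _check_field(label, value, required):
    if required and not value:
        raise ValueError(f"{label} must not be empty")
    if "\x00" in value:
        raise ValueError(f"{label} must not contain NUL (it is the terminator)")
    if len(value.encode("ascii")) > FIELD_SIZE - 1:   # non-ASCII raises a ValueError too
        raise ValueError(f"{label} longer than {FIELD_SIZE - 1} characters")

def parse_principal(text, default_realm):
    """Parse 'name[.instance][@realm]'; the realm falls back to default_realm."""
    body, realm = text.rsplit("@", 1) if "@" in text else (text, default_realm)
    name, instance = body.split(".", 1) if "." in body else (body, "")
    _check_field("name", name, True)
    _check_field("instance", instance, False)
    _check_field("realm", realm, True)
    return Principal(name, instance, realm)

def encode_principal(p):
    """Wire form: each field as ASCII followed by its NUL terminator."""
    return b"".join(field.encode("ascii") + b"\x00" for field in p)

def decode_principal(buf):
    """Read three NUL-terminated fields from buf; returns (Principal, remaining bytes)."""
    fields = []
    for label in ("name", "instance", "realm"):
        end = buf.find(b"\x00", 0, FIELD_SIZE)
        if end < 0:
            raise ValueError(f"{label}: no terminator within {FIELD_SIZE} bytes")
        fields.append(buf[:end].decode("ascii"))
        buf = buf[end + 1:]
    p = Principal(*fields)
    _check_field("name", p.name, True)
    _check_field("realm", p.realm, True)
    return p, buf

def principal_is_valid(text, default_realm):
    """True if text parses as a V4 principal under the limits above."""
    try:
        parse_principal(text, default_realm)
        return True
    except ValueError:
        return False
```

The bounded find() in decode_principal matters when such names sit inside a ticket or a KDC database record: a field with no terminator within its 40 bytes is rejected instead of being read into the next field.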