WUSTL CSE 571S - A Survey of Kerberos V and Public-Key Kerberos Security


A Survey of Kerberos V and Public-Key Kerberos Security

Minkyu Kim, [email protected] (A project report written under the guidance of Prof. Raj Jain)
http://www.cse.wustl.edu/~jain/cse571-09/ftp/kerb5/index.html

Abstract

Kerberos was initially developed at MIT as part of Project Athena and is today a widely deployed single sign-on protocol designed to authenticate clients to multiple networked services. Cross-realm authentication is a useful and interesting component of Kerberos aimed at enabling secure access to services across organizational boundaries. Kerberos has continued to evolve as new functionality is added to the basic protocol, and one well-known extension is PKINIT. First, I review and analyze the structure of the most recently proposed version of Kerberos and its cross-realm authentication model. I then discuss PKINIT, an extension of Kerberos that modifies the basic protocol to allow public-key authentication. Although Kerberos has proven its strengths so far, it also has a number of limitations and some flaws. In this paper I devote my efforts to an analysis of PKINIT and focus mainly on a number of vulnerabilities, flaws and attacks recently discovered in Kerberos as well as PKINIT. Lastly, I introduce several possible solutions to enhance Kerberos.

Keywords

Kerberos, Attack on Kerberos, PKINIT, Kerberos 5, Kerberos security, Replay attack, Password attack, Guessing attack, Cross-Realm Authentication

Table of Contents

1. Introduction
2. Kerberos V Basic
   2.1 Principals
   2.2 Message Exchange
   2.3 Security Consideration
3. Kerberos Cross-Realm Authentication
   3.1 Issues in Kerberos Cross-Realm Operation
4. Public-Key Kerberos: PKINIT
   4.1 Public-key encryption mode
   4.2 Diffie-Hellman mode
5. Attacks on Kerberos V
   5.1 Hijacking a Network Connection on a Switched Network
      5.1.1 Analysis of this Attack
      5.1.2 Protecting your environment against this attack
   5.2 Password Attack
      5.2.1 Analysis of this Attack
      5.2.2 Protecting your environment against this attack
   5.3 Replay Attack
      5.3.1 Analysis of this Attack
      5.3.2 Protecting your environment against this attack
6. Attacks on Public-Key Kerberos
   6.1 How to break Public-Key Kerberos
   6.2 Effects of this attack
   6.3 Detecting and preventing this attack
7. Improving Kerberos for Cross-Realm Collaborative Interactions
   7.1 XKDCP protocol
      5.1.1 XASP
      5.1.2 XTGST
8. Summary
9. References
List of Acronyms

1 Introduction

Kerberos was initially designed at MIT as a part of Project Athena [Neuman06]. It has been successfully deployed as a single sign-on protocol that is designed to authenticate clients to multiple different network services. Two versions of the protocol have been widely used, known as Kerberos 4 and 5. Kerberos 5 is the most recently proposed and is a trusted third-party authentication mechanism designed for TCP/IP networks. It uses strong symmetric cryptography to enable secure authentication in an insecure network. Currently it is available for all major operating systems, e.g., Linux, Microsoft Windows as well as Apple's OS X. Furthermore, Kerberos 5 has been improved as new functionality has been added to the basic protocol. One result is PKINIT [Zhu05] (Public-Key Cryptography for Initial Authentication), which modifies the basic protocol to allow public-key authentication and adds considerable complexity to the protocol.

The security of Kerberos has been discussed in several papers, which present possible weak points including replay attacks, password attacks against ticket-granting tickets or pre-authentication data, attacks against network time protocols (Kerberos requires time synchronization) and malicious client software. Furthermore, a guessing attack and, in particular, a man-in-the-middle attack in PKINIT have been discovered.

Before discussing the flaws and weaknesses of Kerberos, Sections 2-4 review the structure of Kerberos 5 and intra- and cross-realm authentication, and give a detailed description of PKINIT.

In Sections 5-7, I discuss the flaws in and attacks on Kerberos. In Section 5, I focus on the attacks on the basic protocol, Kerberos 5 without PKINIT, such as the password attack, replay attack and guessing attack. Firstly, regarding the replay attack, I reason that it is feasible by presenting attacks on both SMB and LDAPv3. An attacker will be able to access file shares and modify directory entries with the victim's credentials. Some server implementations have actual weaknesses, while others have default configurations that make the attack possible. Secondly, I show that a password attack is feasible, thus allowing the attacker to discover weak user passwords. Pre-authentication data are used for this attack. A replay attack is presented with the SMB protocol. This allows an attacker to access file shares with the victim's credentials without actually knowing the password. Lastly, in many computer systems, users are authenticated via passwords which they choose. Unfortunately, people tend to choose easy-to-remember passwords, which are vulnerable to guessing attacks. A malicious attacker can guess such passwords using the words in a machine-readable dictionary. I show that Kerberos is one of many existing authentication protocols which are vulnerable to so-called off-line guessing attacks, and in Section 8, I will discuss some useful guidelines for staying secure against the guessing attack as well as other attacks. Based on these guidelines, I will discuss a possible solution to enhance the Kerberos protocol so that it can resist each of these attacks.

In Section 6, I discuss the attack on PKINIT, particularly the man-in-the-middle attack, which allows an attacker to impersonate the Kerberos administrative principals, the Key Distribution Center (KDC), and end-servers to a client, therefore breaching the authentication guarantees of Kerberos. It also gives the attacker the keys that the KDC would normally generate to encrypt the service requests of this client, hence defeating confidentiality as well. In Section 7, I will discuss possible enhancements for scalability and reliability issues in Kerberos cross-realm operation, and in Section 9, I provide some concluding remarks.

2 Kerberos V Basic

Networked computer systems provide a great number of shared resources at a user's

