Kerberos protocol

Kerberos (protocol)
◦ Kerberos is a computer network authentication protocol
◦ Works on the basis of 'tickets' to allow nodes communicating over a non-secure network
◦ Prove their identity to one another in a secure manner
◦ Aimed primarily at a client–server model and it provides mutual authentication
◦ Protected against eavesdropping and replay attacks
http://www.ifour-consultancy.com Offshore software development company India

Microsoft Windows, UNIX & Kerberos
◦ Windows 2000 and later uses Kerberos as its default authentication method
◦ Documentation:
◦ RFC 3244 "Microsoft Windows 2000 Kerberos Change Password and Set Password Protocols"
◦ RFC 4757 documents Microsoft's use of the RC4 cipher
◦ Include software for Kerberos authentication of users or services

Components
Principal Realm
KDC
AS TGS
Client Server

Mechanism
• Client authenticates itself to the Authentication
Server (AS) which forwards the username to a Key
distribution center (KDC)
• KDC issues a Ticket Granting Ticket (TGT), which is
time stamped
• Encrypts it using the user's password and returns the
encrypted result to the user's workstation
• TGT remains valid until it expires, though may be
transparently renewed by the user's session manager
while they are logged in

Mechanism
When the client needs to communicate with
another node
• Client sends the TGT to the Ticket Granting
Service (TGS)
• After verifying the TGT is valid and the user is
permitted to access the requested service
• TGS issues a Ticket and session keys, which are
returned to the client
• Client then sends the Ticket to the service
server (SS) along with its service request

User Client-based Logon
◦ User enters a username and password on the client machines
◦ Client transforms the password into the key of a symmetric cipher
◦ Either uses the built in key scheduling or a one-way hash depending the cipher-suite used

Client Authentication
◦ Client sends a clear text message of the user ID to the AS requesting services on behalf of the
user
◦ AS generates the secret key by hashing the password of the user found at the database
◦ AS checks to see if the client is in its database

Client Authentication
◦ If it is, the AS sends back the
following two messages to the
client:
◦ Message A: Client/TGS Session Key
encrypted using the secret key of the
client/user.
◦ Message B: Ticket-Granting-Ticket
(which includes the client ID, client
network address, ticket validity period,
and the client/TGS session key)
encrypted using the secret key of the
TGS.

Client Service Authorization
◦ Client attempts to decrypt message A with the secret key generated from the password
entered by the user
◦ If the password does not match the password in the AS database, the client's secret key will
be different and thus unable to decrypt message A
◦ With a valid password and secret key the client decrypts message A to obtain the Client/TGS
Session Key
◦ Session key is used for further communications with the TGS

When requesting services, the client sends
the following two messages to the TGS
◦ Message C: Composed of the TGT from
message B and the ID of the requested
service.
◦ Message D: Authenticator (which is
composed of the client ID and the
timestamp), encrypted using the Client/TGS
Session Key.

◦ Upon receiving messages C and D, the TGS retrieves message B out of message C
◦ Decrypts message B using the TGS secret key
◦ Gives it the "client/TGS session key“

Using this "client/TGS session key“, the TGS
decrypts message D
Sends the following two messages to the
client:
◦ Message E: Client-to-server ticket (which
includes the client ID, client network address,
validity period and Client/Server Session Key)
encrypted using the service's secret key.
◦ Message F: Client/Server Session Key encrypted
with the Client/TGS Session Key.

Client Service Request
Upon receiving messages E and F from TGS
◦ Client has enough information to authenticate
itself to the SS
◦ Client connects to the SS and sends the following
two messages
◦ Message E from the previous step (the client-to-server ticket,
encrypted using service's secret key).
◦ Message G: a new Authenticator, which includes the client
ID, timestamp and is encrypted using Client/Server Session
Key.

◦ SS decrypts the ticket using its own secret key to retrieve the Client/Server
Session Key
◦ SS decrypts the Authenticator and sends the following message to the client
to confirm its true identity and willingness to serve the client
◦ Message H: the timestamp found in client's Authenticator plus 1, encrypted using the Client/Server
Session Key.
◦ Client decrypts the confirmation using the Client/Server Session Key

◦ Checks whether the timestamp is correctly updated
◦ Client can trust the server and can start issuing service requests to the server
◦ Server provides the requested services to the client

Kerberos Authentication Process ( Cross
Domain)
◦ Client in Domain 1 wishes to access a network resource in remote Domain 2
◦ The client has already been authenticated to KDC in Domain 1 and has received TGT
◦ The client presents TGT to KDC in Domain 1 and request a TGS to access the remote resources

Kerberos Authentication Process ( Cross
Domain)
◦ The KDC in Domain 1 cannot provide TGS to network resource in Domain 2. Instead, KDC in
Domain 1 respond to the client with TGT for Domain 2
◦ The client presents the new TGT to KDC in domain 2
◦ The KDC in Domain 2 responds with TGS fro the network resource
◦ The client accesses the Network resource in Domain 2 using the new TGS

Drawbacks and Limitations
Single point of failure
Kerberos has strict time requirements
Administration protocol is not standardized
All authentications are controlled by a centralized KDC

Drawbacks and Limitations
Each network service which requires a different host name
Requires user accounts, user clients and the services on the
server to all have a trusted relationship to the Kerberos token
server
Required client trust makes creating staged environments
difficult

Weakness in Kerberos Protocol
Susceptible to offline password cracks
Password cracking tools : “l0phtcrack” able to demonstrate the vulnerability
If TGT stolen, the attacker can access n/w until the session expires
Severe effects if KDC is compromised

References
http://en.wikipedia.org/wiki/Kerberos_%28protocol%29
http://technet.microsoft.com/en-us/library/bb742516.aspx
http://www.kerberos.info
Symbiosis students
◦ Deepak Aggarwal
◦ Rohit Khadke
◦ Sonali Solanki
◦ Vineela Kanapala

Kerberos protocol

More Related Content

What's hot (20)

Similar to Kerberos protocol (20)

More from Ajit Dadresa (6)

Recently uploaded (20)

Kerberos protocol

Editor's Notes