Kerberos
Guilin Wang
School of Computer Science
03 Dec. 2007
Outline
■ Password-based key agreement protocols (Continuing our last lecture).
■ Kerberos authentication protocol.
0. Password-based Protocols
■ In the NS protocol, both parties need to share long-term secrets with the server. For humans, long secret keys are not easy to memorize.
■ One naïve approach is to set long-term secrets as passwords.
■ For example, let Kbs=Pbs, a password shared btw B and S in the NS protocol.
0. Password-based Protocols
■ However, this approach suffers off-line dictionary attack.
■ That is, an attacker can try each possible P’ to decrypt EP-bs (K, A). If
P’ is likely the correct password.
),( : .3 AKEBAbsP
,||...)],([' AAKEDbsPP
0. Password-based Protocols
■ Off-line dictionary attack works since passwords are short strings with low entropy.
■ Countermeasures:
- Enhance the strength of passwords by requiring certain length, format, and randomness.
- Combine the password with a security token.
0. Password-based Protocols
The following Encrypted Key Exchange (EKE) protocol can resist the off-line dictionary attack:
■ PK is an ephemeral public key generated by A.
■ B transfers K to A by using double encryptions.
■ Why EKE protocol is immune to the off-line dictionary attack?
1. Authentication & Key Exchange
■ The purpose of entity authentication is to prevent impersonation attack.
■ Authentication is important in key exchange. E.g, the DH protocol suffers the MITM attack.
■ Actually, key exchange techniques can also be used to realize authentication. Kerberos is such an example.
■ In the literature, the differences btw authentication and key exchange are not very clear sometimes.
1. Authentication & Key Exchange
■ Key exchange usually requires authentication. Otherwise, you are not sure with whom you are agreeing on a session key.
■ However, authentication does not necessarily involve key exchange.
■ For example, a successful authentication can enable a client to enjoy a service without encryption.
2. Kerberos: What is it?
■ In Greek mythology, Kerberos is the guardian of Hades, a dog with three heads.
■ In security community, Kerberos denotes the distributed authentication protocol developed from MIT's project Athena in 1980s.
2. Kerberos: What is it?
■ Kerberos has been widely accepted in industry.
■ Kerberos has been integrated into Windows and many many versions of Unix systems.
■ Full specification of Kerberos Version 5 is given by a draft Internet Standard RFC 1510.
■ Free source codes for different releases of Kerberos are available at the Kerberos website:
http://web.mit.edu/Kerberos/
2. Kerberos: Motivations
In this scenario of distributed networks, there exist at least three threats:
■ User impersonation:
A dishonest user may pretend to be another user from the same workstation.
■ Network address impersonation:
A dishonest user can changes the network address of his/her workstation to impersonate another workstation.
■ Eavesdropping, replay attack, and so on.
Attackers may try their best to access network service by mounting different attacks.
2.1 Kerberos: Basic Ideas
Kerberos uses symmetric mechanisms to realize entity authentication and key exchange. Basically, Kerberos uses two kinds of credentials:
■ Tickets:
Issued by a trusted administration server that shows who is granted to access a specific service.
■ Authenticators:
Used to prove the identity of a communicating client.
2.1 Kerberos: Basic Ideas
This is similar to the following immigration policy, which allows a foreigner to enter a country:
■ Visa (=tickets in Kerberos):
Specifies who is allowed to entry this country for how many days.
■ Passport (=Authenticators in Kerberos):
Shows your identity, i.e., who are you.
2.1 Kerberos: Basic Ideas
In Kerberos system, there are three kinds of servers:
■ Kerberos authentication server (AS):
A centralized trusted authentication server for the whole system, who issues long lifetime tickets.
■ Ticket-granting servers (TGS):
Issue short lifetime tickets.
■ Service server S:
Provide different service.
2.1 Kerberos: Basic Ideas
2.2 The Protocol
Kerberos (Version 5) can be divided into three procedures from the view point of a client:
■ obtaining ticket-granting ticket,
■ obtaining service ticket, and
■ obtaining a concrete service.
We now discuss the details.
2.2 The Protocol
2.2 The Protocol
Here:
■ K_c is derived from the client’s password, which is shared with the AS.
■ K_tgs is a secret key shared btw the AS and the TGS.
■ K_1 is session key that enables the client to authenticate itself to the TGS server.
2.2 The Protocol
Here:
■ A1 is an authenticator using K1.
■ K2 is a session key that enables the client to authenticate itself to the server S.
■ Ks is a secret key shared btw the TGS and a server S.
2.2 The Protocol
Here:
■ A1 is an authenticator using K2.
■ K3 is a session key for coming secure communications.
■ The server S authenticates itself to the client in step 6.
2.3 Kerberos: Its Limitations
■ Single Failure Problem: If the AS is down, no user can access any resources. So Kerberos is prone to denial-of-service (DoS) attacks.
- Duplicated AS? Possible, but not easy to maintain.
■ Clock Synchronization is needed, since timestamps are used. Reasonable time interval for clock skew?
- Too short: Rejecting many valid requests.
- Too long: Suffering replay attack.
2.3 Kerberos: Its Limitations
■ Limited Scalability: Usually, the AS can support with hundreds of thousands users. Suitable for a university but not for the Internet, where PKIs with digital certificates are better.
■ Off-line Password Attacks: Kerberos is vulnerable to this kind of attacks since a message is encrypted with a key derived from the client's password.
3. Summary
■ Introduced off-line dictionary attack.
■ Briefly discussed the relation btw entity authentication and key exchange.
■ Reviewed a practice-oriented authentication protocol: Kerberos.
- Basic ideas
- Technical mechanisms
- Limitations
Questions and Comments?