Date posted: 14-Jun-2015
Category: Technology
Kerberos Authentication
Kerberos (protocol)
◦ Kerberos is a computer network authentication protocol
◦ Works on the basis of 'tickets' to allow nodes communicating over a non-secure network
◦ Prove their identity to one another in a secure manner
◦ Aimed primarily at a client–server model and it provides mutual authentication
◦ Protected against eavesdropping and replay attacks
http://www.ifour-consultancy.com Offshore software development company India
Microsoft Windows, UNIX & Kerberos
◦ Windows 2000 and later uses Kerberos as its default authentication method
◦ Documentation:
◦ RFC 3244 "Microsoft Windows 2000 Kerberos Change Password and Set Password Protocols"
◦ RFC 4757 documents Microsoft's use of the RC4 cipher
◦ UNIX and UNIX-like systems also include software for Kerberos authentication of users or services
Components
◦ Principal
◦ Realm
◦ KDC (Key Distribution Center): AS (Authentication Server) and TGS (Ticket Granting Service)
◦ Client
◦ Server
Mechanism
• Client authenticates itself to the Authentication Server (AS), which forwards the username to a Key Distribution Center (KDC)
• KDC issues a Ticket Granting Ticket (TGT), which is time stamped
• Encrypts it using the user's password and returns the encrypted result to the user's workstation
• TGT remains valid until it expires, though it may be transparently renewed by the user's session manager while they are logged in
Mechanism
When the client needs to communicate with another node:
• Client sends the TGT to the Ticket Granting Service (TGS)
• After verifying the TGT is valid and the user is permitted to access the requested service
• TGS issues a Ticket and session keys, which are returned to the client
• Client then sends the Ticket to the service server (SS) along with its service request
User Client-based Logon
◦ User enters a username and password on the client machine
◦ Client transforms the password into the key of a symmetric cipher
◦ Either uses the built-in key scheduling or a one-way hash, depending on the cipher suite used
Client Authentication
◦ Client sends a clear text message of the user ID to the AS requesting services on behalf of the user
◦ AS generates the secret key by hashing the password of the user found in its database
◦ AS checks to see if the client is in its database
Client Authentication
◦ If it is, the AS sends back the following two messages to the client:
◦ Message A: Client/TGS Session Key encrypted using the secret key of the client/user.
◦ Message B: Ticket-Granting-Ticket (which includes the client ID, client network address, ticket validity period, and the client/TGS session key) encrypted using the secret key of the TGS.
Client Service Authorization
◦ Client attempts to decrypt message A with the secret key generated from the password entered by the user
◦ If the password does not match the password in the AS database, the client's secret key will be different and thus unable to decrypt message A
◦ With a valid password and secret key the client decrypts message A to obtain the Client/TGS Session Key
◦ Session key is used for further communications with the TGS
Client Service Authorization
When requesting services, the client sends the following two messages to the TGS:
◦ Message C: Composed of the TGT from message B and the ID of the requested service.
◦ Message D: Authenticator (which is composed of the client ID and the timestamp), encrypted using the Client/TGS Session Key.
Client Service Authorization
◦ Upon receiving messages C and D, the TGS retrieves message B out of message C
◦ Decrypts message B using the TGS secret key
◦ This gives the TGS the "client/TGS session key"
Client Service Authorization
Using this "client/TGS session key", the TGS decrypts message D
Sends the following two messages to the client:
◦ Message E: Client-to-server ticket (which includes the client ID, client network address, validity period and Client/Server Session Key) encrypted using the service's secret key.
◦ Message F: Client/Server Session Key encrypted with the Client/TGS Session Key.
Client Service Request
Upon receiving messages E and F from the TGS:
◦ Client has enough information to authenticate itself to the SS
◦ Client connects to the SS and sends the following two messages:
◦ Message E from the previous step (the client-to-server ticket, encrypted using the service's secret key).
◦ Message G: a new Authenticator, which includes the client ID, timestamp and is encrypted using Client/Server Session Key.
Client Service Request
◦ SS decrypts the ticket using its own secret key to retrieve the Client/Server Session Key
◦ SS decrypts the Authenticator and sends the following message to the client to confirm its true identity and willingness to serve the client
◦ Message H: the timestamp found in client's Authenticator plus 1, encrypted using the Client/Server Session Key.
◦ Client decrypts the confirmation using the Client/Server Session Key
Client Service Request
◦ Client checks whether the timestamp is correctly updated
◦ Client can trust the server and can start issuing service requests to the server
◦ Server provides the requested services to the client
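The A..H exchange on the preceding slides, as an added example that is not part of the original presentation: it assumes a constructed KDC database (user alice, TGS key krbtgt, service http/web01) and substitutes a toy HMAC-based cipher for real Kerberos encryption types, so that a wrong password fails at message A and the client verifies the timestamp + 1 in message H.

```python
# Added example, not from the slides: stdlib-only walk-through of Kerberos messages A..H.
# A toy HMAC-SHA256 encrypt-then-MAC cipher stands in for real etypes (AES; historically RC4/DES).
import hashlib, hmac, json, os

def string_to_key(password: str) -> bytes:
    return hashlib.sha256(password.encode()).digest()  # client and AS derive the same key

def _ks(key: bytes, nonce: bytes, n: int) -> bytes:  # keystream for messages up to 256 bytes
    assert n <= 256, "toy cipher limit"
    return b"".join(hmac.new(key, nonce + bytes([i]), hashlib.sha256).digest() for i in range(8))[:n]

def encrypt(key: bytes, obj: dict) -> bytes:
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _ks(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def decrypt(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key")  # a wrong password cannot open message A
    return json.loads(bytes(a ^ b for a, b in zip(ct, _ks(key, nonce, len(ct)))))

def _check(auth: dict, ticket: dict, now: int) -> None:  # done by the TGS and by the service
    if auth["client"] != ticket["client"] or ticket["exp"] <= now:
        raise ValueError("client mismatch or expired ticket")

# Constructed KDC database: long-term keys of one user, the TGS and one service; 600 s ticket lifetime
KDC_DB = {"alice": string_to_key("correct horse"), "krbtgt": os.urandom(32), "http/web01": os.urandom(32)}

def kerberos_flow(user: str, password: str, service: str, now: int = 1000) -> bool:
    ukey = string_to_key(password)  # client-side key from the typed password
    # AS exchange: A = session key under the user key, B = TGT under the TGS key
    k_c_tgs = os.urandom(32).hex()
    msg_a = encrypt(KDC_DB[user], {"k": k_c_tgs})
    msg_b = encrypt(KDC_DB["krbtgt"], {"client": user, "k": k_c_tgs, "exp": now + 600})
    k_c_tgs = bytes.fromhex(decrypt(ukey, msg_a)["k"])  # ValueError on a wrong password
    # TGS exchange: C = TGT + service name, D = authenticator -> E, F
    msg_d = encrypt(k_c_tgs, {"client": user, "ts": now})
    tgt = decrypt(KDC_DB["krbtgt"], msg_b)
    _check(decrypt(bytes.fromhex(tgt["k"]), msg_d), tgt, now)
    k_c_s = os.urandom(32).hex()
    msg_e = encrypt(KDC_DB[service], {"client": user, "k": k_c_s, "exp": now + 600})
    msg_f = encrypt(k_c_tgs, {"k": k_c_s})
    k_c_s = bytes.fromhex(decrypt(k_c_tgs, msg_f)["k"])
    # AP exchange: E = service ticket, G = authenticator -> H = timestamp + 1
    msg_g = encrypt(k_c_s, {"client": user, "ts": now + 1})
    ticket = decrypt(KDC_DB[service], msg_e)
    g = decrypt(bytes.fromhex(ticket["k"]), msg_g)
    _check(g, ticket, now)
    msg_h = encrypt(bytes.fromhex(ticket["k"]), {"ts": g["ts"] + 1})
    return decrypt(k_c_s, msg_h)["ts"] == now + 2  # client checks the updated timestamp
```

Note that the service never sees the user's password or long-term key: it only ever decrypts the ticket with its own key and the authenticator with the session key it finds inside.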
Kerberos Authentication Process (Cross Domain)
◦ Client in Domain 1 wishes to access a network resource in remote Domain 2
◦ The client has already been authenticated to the KDC in Domain 1 and has received a TGT
◦ The client presents the TGT to the KDC in Domain 1 and requests a TGS to access the remote resource
Kerberos Authentication Process (Cross Domain)
◦ The KDC in Domain 1 cannot provide a TGS for a network resource in Domain 2. Instead, the KDC in Domain 1 responds to the client with a TGT for Domain 2
◦ The client presents the new TGT to the KDC in Domain 2
◦ The KDC in Domain 2 responds with a TGS for the network resource
◦ The client accesses the network resource in Domain 2 using the new TGS
Drawbacks and Limitations
◦ Single point of failure
◦ Kerberos has strict time requirements
◦ Administration protocol is not standardized
◦ All authentications are controlled by a centralized KDC
Drawbacks and Limitations
◦ Each network service which requires a different host name
◦ Requires user accounts, user clients and the services on the server to all have a trusted relationship to the Kerberos token server
◦ Required client trust makes creating staged environments difficult
Weakness in Kerberos Protocol
◦ Susceptible to offline password cracks
◦ Password cracking tools such as "l0phtcrack" are able to demonstrate the vulnerability
◦ If a TGT is stolen, the attacker can access the network until the session expires
◦ Severe effects if the KDC is compromised
Symbiosis students
◦ Deepak Aggarwal
◦ Rohit Khadke
◦ Sonali Solanki
◦ Vineela Kanapala