Kerberos and Centralised Password Management

1
Kerberos and Centralised Password Management

• Introduction to Kerberos
• History and origin
• Active directory, Samba and Kerberos
• Kerberos diagram
• Definitions of terms
• Security Protocol Notation and examples
• The Needham Schroeder Symmetric Protocol
• The Kerberos protocol in brief and in detail

2
Introduction to Kerberos 1

• Once an organisation has many users sharing many
  computers, trying to organise security using the
  host-based security systems we have studied so
  far rapidly becomes unmanageable.
• For a network of a few dozen computers it is
  possible to synchronise /etc/password and
  /etc/shadow files. This can work if all users
  need the same access to all computers. But it
  creates as many or more security issues than it
  solves if attempted on a larger scale.

3
Introduction to Kerberos 2

• The problem Kerberos solves is the multiplication
  of effort, insecurity and inefficiency within a
  large organisation resulting from the
  decentralised authentication of
• many users to many services and servers,
• services and servers to users,
• workstations to servers,
• servers to workstations
• and users to workstations.
• This isn't an easy problem to solve.

4
Introduction to Kerberos 3

• Many attacks became possible within larger
  networks
• Listening for passwords travelling over the
  network cable.
• Setting up a bogus server on a network to mimic a
  real one to prompt users for passwords and store
  these.
• Logging into a server years after someone has
  left.
• Misusing trust by machine A in machine B, e.g.
  based on the physical or logical network address
  of B, when machine C is mimicking machine B.
• Universities were the first places where many of
  these issues were actively explored. Corporate
  employees are less likely to test or want to
  study the security of a large network involving
  many machines than students and researchers of
  computing subjects.

5
History and origin of Kerberos 1

• Kerberos is the name given by Greek legend to a 3
  headed dog which guards the gates of Hades.
  Cerberus is the Roman name for the same legendary
  character. (The number of heads varies !)?

6
History and origin of Kerberos 2

• The Kerberos network security protocol was
  developed at MIT (Massachusetts Institute of
  Technology) as part of Project Athena. Kerberos
  Developers have included Steve Miller, Clifford
  Neuman and John Kohl. It is documented in
  RFC4120.

7
Active Directory and Samba

• The Microsoft Active Directory product is based
  upon the Kerberos protocol. This replaces the
  previous and insecure NTLM networked password
  authentication system.
• Some Microsoft additions to the Kerberos suite of
  protocols are documented in RFC 3244 "Microsoft
  Windows 2000 Kerberos Change Password and Set
  Password Protocols".
• Samba is a free software implementation of
  Microsoft file, print and authentication network
  services. Samba version 4 is being developed to
  implement full Active Directory capabilities in a
  heterogeneous environment.

8
Kerberos Diagram source http//www.xml-dev.com/
9
Definitions of terms

• AS - Authentication Server. A centralised
  high-availability resource where all system
  secrets are stored. It grants TGTs to clients.
• TGT - Ticket Granting Ticket. A session key
  typically with validity of a few hours' duration.
• TGS - Ticket Granting Server. A distributed
  server which grants clients presenting valid TGTs
  with tickets required to access specified
  services.
• Service - A system providing a service to users
  with valid tickets, e.g. access to a networked
  file or web server.

10
Security Protocol Notation 1source
http//en.wikipedia.org/wiki/Security_protocol_not
ation

• This standard notation consists of a set of
  individuals (traditionally named Alice, Bob,
  Charlie, and so on) who wish to communicate. They
  may have access to a server S, shared keys K,
  timestamps T, and can generate nonces N for
  authentication purposes.
• This example states that Alice intends a message
  for Bob consisting of a plain text X1 encrypted
  under shared key KAB.

11
Security Protocol Notation 2

• This states that Bob intends a message for Alice
  consisting of a Nonce encrypted using public key
  of Alice.
• A key with two subscripts is a symmetric key
  shared by the two corresponding individuals. A
  key with one subscript is the public key of the
  corresponding individual. A private key is
  represented as the inverse of the public key.

12
The Needham Schroeder Protocols

• Kerberos is a protocol which is based on the
  Needham Schroeder symmetric key protocol to
  establish a session key. This is achieved by
  using shared secrets, i.e. passwords, or one way
  hashed passwords, which are known both by a
  client or service and by a trusted third party
  (TTP). In the case of Kerberos, the TTP is the
  Authentication Server (AS). The Needham
  Schroeder Symetric Key Protocol enables the
  shared secret to be used to establish a session
  key in a manner that denies anyone monitoring
  traffic between the client and AS knowledge of
  the password or use of the session key.
• Other versions of the Needham Schroeder Protocol
  and Kerberos use asymmetric cryptography. This
  uses 2 part keys which avoid secrets having to be
  shared.

13
Needham Schroeder Symmetric ProtocolSource
http//en.wikipedia.org/wiki/Needham-Schroeder_pro
tocol

• Here, Alice (A) initiates the communication to
  Bob (B). Also,
• S is a server trusted by both parties
• KAS is a symmetric key known only to A and
  S
• KBS is a symmetric key known only to B and
  S
• NA and NB are nonces (numbers used once)?

14
NSSP Message 1

• The protocol can be specified as follows in
  security protocol notation
• Alice sends a message to the server
  identifying herself and Bob, telling the server
  she wants to communicate with Bob.

15
NSSP Message 2

• The server generates KAB and sends back to Alice
  a copy encrypted under KBS for Alice to forward
  to Bob and also a copy for Alice. Since Alice may
  be requesting keys for several different people,
  the nonce assures Alice that the message is fresh
  and that the server is replying to that
  particular message and the inclusion of Bob's
  name tells Alice whom she is to share this key
  with.

16
NSSP Message 3

• Alice forwards the key to Bob who can decrypt it
  with the key he shares with the server, thus
  authenticating the data.

17
NSSP Message 4

• Bob sends Alice a nonce encrypted under KAB to
  show that he has the key. This part of the
  protocol is vulnerable to a replay attack. If an
  attacker uses an older compromised value for KAB,
  he can then replay the message to Bob, who will
  accept it, being unable to tell that the key is
  not fresh. This flaw is fixed in the Kerberos
  protocol by the inclusion of a timestamp.

18
NSSP Message 5

• Alice performs a simple operation on the nonce,
  re-encrypts it and sends it back verifying that
  she is still alive and that she holds the key.

19
Kerberos in briefsource http//en.wikipedia.org/
wiki/Kerberos_(protocol)?

• AS Authentication Server
• TGS Ticket Granting Server
• SS Service Server
• TGT Ticket Granting Ticket
• The client authenticates to AS using a long-term
  shared secret and receives a ticket from the AS.
  Later the client can use this ticket to get
  additional tickets for SS without resorting to
  using the shared secret. These tickets can be
  used to prove authentication to SS.

20
In more detail 1source http//en.wikipedia.org/w
iki/Kerberos_(protocol)?

• User Client-based Logon
• A user enters a username and password on the
  client machine.
• The client performs a one-way function (Hash) on
  the entered password, and this becomes the secret
  key of the client/user.
• The client sends a cleartext message to the AS
  requesting services on behalf of the user. Sample
  message "User XYZ would like to request
  services". Note Neither the secret key nor the
  password is sent to the AS.

21
In more detail 2source http//en.wikipedia.org/w
iki/Kerberos_(protocol)?

• Client authentication
• The AS checks to see if the client is in its
  database. If it is, the AS sends back the
  following two messages to the client
• Message A Client/TGS Session Key encrypted
  using the secret key of the client/user.
• Message B Ticket-Granting Ticket (which
  includes the client ID, client network address,
  ticket validity period, and the client/TGS
  session key) encrypted using the secret key of
  the TGS.

22
In more detail 3source http//en.wikipedia.org/w
iki/Kerberos_(protocol)?

• Client authentication continued
• Once the client receives messages A and B, it
  decrypts message A to obtain the Client/TGS
  Session Key. This session key is used for further
  communications with TGS. (Note The client cannot
  decrypt Message B, as it is encrypted using TGS's
  secret key.) At this point, the client has enough
  information to authenticate itself to the TGS.

23
In more detail 4source http//en.wikipedia.org/w
iki/Kerberos_(protocol)?

• Client Service Authorization
• When requesting services, the client sends the
  following two messages to the TGS
• Message C Composed of the
  Ticket-Granting Ticket from message B and the ID
  of the requested service.
• Message D Authenticator (which is
  composed of the client ID and the timestamp),
  encrypted using the Client/TGS Session Key.

24
In more detail 5source http//en.wikipedia.org/w
iki/Kerberos_(protocol)?

• Client Service Authorization continued
• Upon receiving messages C and D, the TGS
  retrieves message B out of message C. It decrypts
  message B using the TGS secret key. This gives it
  the "client/TGS session key". Using this key, the
  TGS decrypts message D (Authenticator) and sends
  the following two messages to the client
• Message E Client-to-server ticket
  (which includes the client ID, client network
  address, validity period and Client/Server
  Session Key) encrypted using the service's secret
  key.
• Message F Client/server session key
  encrypted with the Client/TGS Session Key.

25
In more detail 6source http//en.wikipedia.org/w
iki/Kerberos_(protocol)?

• Client Service Request
• Upon receiving messages E and F from TGS, the
  client has enough information to authenticate
  itself to the SS. The client connects to the SS
  and sends the following two messages
• Message E from the previous step (the
  client-to-server ticket, encrypted using
  service's secret key).
• Message G a new Authenticator, which
  includes the client ID, timestamp and is
  encrypted using client/server session key.

26
In more detail 7source http//en.wikipedia.org/w
iki/Kerberos_(protocol)?

• Client service request continued
• The SS decrypts the ticket using its own secret
  key to retrieve the Client/Server Session Key.
  Using the sessions key, SS decrypts the
  Authenticator and sends the following message to
  the client to confirm its true identity and
  willingness to serve the client
• Message H the timestamp found in client's
  Authenticator plus 1, encrypted using the
  Client/Server Session Key.

27
In more detail 8source http//en.wikipedia.org/w
iki/Kerberos_(protocol)?

• Client service request continued
• The client decrypts the confirmation using the
  Client/Server Session Key and checks whether the
  timestamp is correctly updated. If so, then the
  client can trust the server and can start issuing
  service requests to the server.
• The server provides the requested services to the
  client.

28
Drawbacks

• The AS provides a single point of operational
  failure and of security compromise
• Clocks have to be synchronised
• Compromising the client can compromise the user
  password, e.g. using a Linux boot CD or USB stick
  that boots into a Windows look-alike login screen
  complete with ltctrlgt ltaltgt ltdelgt behaviour.

29
Further Reading

• http//en.wikipedia.org/wiki/Kerberos_(protocol)?
  
• Wikipedia Kerberos page
• http//learn-networking.com/network-security/how-k
  erberos-authentication-works
• How Kerberos authentication works
• http//www.faqs.org/faqs/kerberos-faq/general/
• Kerberos FAQ
• http//tools.ietf.org/html/rfc4120
• RFC4120 - The current IETF Kerberos standards
  document