ECE-6612

1
ECE-6612 http//www.csc.gatech.edu/copeland/jac/66
12/ Prof. John A. Copeland john.copeland_at_ece.gat
ech.edu 404 894-5177 fax 404 894-0035 Office
Klaus Bldg 3362 email or call for office
visit. Chapter 4a - Kerberos
2
Kerberos, v4 and v5
Provides a complete protocol for authentication
and
secure communications for hosts connected by a
data
communications network

Provides secure "tickets" to hosts that can be
used
to initiate a secure message exchange

Standard message formats for encrypted and signed
messages, or signed plaintext messages

Formats for encoding expiration time, names, ...

Allows "read-only" slave KDC's (distributed KDCs)
Wikipedia KDC or http//www.zeroshell.org/kerb
eros/Kerberos-operation/
2
3
Keberos uses Mediated Authentication
(with a Key Distribution Center, KDC
)
Bob
Jack
Alice
Kbob
Kalice
Mary
Tom
KDC
Paul
Dick
Trudi
Jip
Harry
Peter
KDC has unique Secret Keys with all legitimate
hosts.
3
4
Alice
Alice
Bob has
Alice PC
(human)
Key
Ka,TGTKk
hashes
Shared
logs on
Distribut.
Kak
Alice's
to
Ctr., KDC
Secret Key
password
Alice,
Alice wants
to get a
with KDC,
(PC)
Bob,TGTKk,
generates Kab Ka, has Kak, Kbob
DES Key,
timeKa
Kbob
KalicegtKak (1)
Bob,Kab,Ticket
-Bob Ka
time Kab,
Kab,Alice Kbob "Ticket"
time 1, Kab
After the 1st exchange with the KDC, Alice has a
session key, Ka, and a "Ticket-Granting Ticket"
that she can use to request "Tickets" from KDC
(1) PC erases Alice's password and Kak from RAM
(keeps session key Ka in RAM). No keys ever
stored on disk (what about virtual memory?).
(2)Time(stamp) is used as nonce (seconds after
1/1/1970)
4
5
The Keys of Kerberos

• 1. Password, Kalice - Only Alice knows it.
• Alices PC can hash what Alice types in
  Kak Hash(Kalice) .
• KDC - also knows the hash, Kak. Uses
  Kak as key for encrypting TGT to Alice (not used
  after that). TGT contains the daily session key
  Ka for use with the Ticket Granting Server, TGS.
• Ka Session Key (KDC gave to Alice) Now
  Alices PC, as well as TGS know it.
• Kab Key for Alice Bob - temporarily (daily)
  assigned by TGS
• Given to Alice by TGS - encrypted with
  Ka and also encrypted
• with Kb (Kkdc-Bob) inside a contact ticket. (Kb
  is Bob's daily session key from KDC)
• Alice gives Bob the Ticket from KDC
  which has it (Kab)
• encrypted with Kb (gotten by Bob from the TGS).
• 4. Kk Key known only by KDC and TGS. Used to
  sign Ticket-Granting-Ticket for verification.
  Alice can only replay TGTKk back to TGS to get
  a contact ticket.

5
6
KDC
6
7
Slave
Version 5
Host
KDC
Host
Slave
Host
Host
KDC
Host
Master
Host
KDC
Slave
dbKmaster
Host
KDC
Host
Host
Slave
Host
Slave
KDC
Host
Realm
KDC

Replicated KDCs (slaves) are read only.

Entire Host-KDC database is downloaded
periodically
7
8
KDC
(Hatter)
KDC
Lion
(Lion)
1
2
Dorothy
Alice
3
Lion can also be a
Realm
Realm
"principal" in
Wonderland
Oz
Wonderland (with the
Queen's OK)
Alice wants to talk to Dorothy
8
9
Plaintext
Cipher Block Chaining (
P
PCBC)

m1
m2
m3
IV
()
()
()

Key
E
E
E

c1
c2
c3
The 1st 64-bit message segment is XOR'ed with
an initial vector (IV). Each following message
segment is XOR'ed with the preceding ciphertext
and plaintext segments-for privacy integrity
.
9
10
Kerberos Message Integrity Check
(Message Digest)
MIC is Hash(ltKsession,messagegt)
The Hash algorithm was never published (but
source code can be obtained)
It is based on a checksum algorithm designed
by Juneman to use mod 231-1 (prime), but
changed to use 263-1 (not prime).
Cryptographers worry that it might be
breakable, or reversible (to get Ksession).
10
11
Network Layer (IP) Addresses in Tickets
Only 4 bytes available, so limited to Internet
Protocol (Novel, IBM, Appletalk, IPv6... longer)
Makes "spoofing" harder, IP address must be
stolen from network as well as Ticket from Alice.
Prevents delegation, giving the ticket to another
host to represent you (which is allowed by
Kerberos V5)
11
12
Why Study Kerberos v4
(Why doesn't everyone switch to v5)
Kerberos V4 is working well in many systems
Switching to V5 requires stopping the network
and upgrading every host at once before restart
Kerberos V5 is inefficient in some ways compared
to V4

Specified in ASN.1 (abstraction good and bad)

Example 11 bytes required for 4-byte IP address.
12
13
Kerberos v5 Cryptographic Algorithms
Kerberos v4 used Plaintext Cipher Block Chaining
and modified Juneman hash
Kerberos v5 can use a variety of encryptions
(DES in practice) and hashes (MD4, MD5).
Primary MIC (message integrity check) uses

confounder MD5(confounder message)K'

K' Kalice-bob () F0F0F0F0F0F0F0F0
A more modern MIC that is not used is

MD5(Kalice-bob message)
13
14
Password security
Originally UNIX stored a hash of each Users
password in a globally readable account. This
can be attacked by hashing all common words for a
reverse lookup table.

Do not send in clear except over short secure
channels (avoid using Telnet, FTP, http (for
passwords), )

Choose had to guess passwords, enforce.

Force changing passwords periodically

Avoid keeping password in memory longer than
necessary to generate the user's key.

Send hash of (keynonce) to KDC for authentication

Add salt before hashing passwords for pw database

Add realm name to password before hashing for pw
db
14
15
Message Security and Integrity
Only exchange messages with authenticated hosts
Develop a session key and separate MIC key
using initial password exchange
Encrypt Diffie-Hellman exchanges to prevent
Bucket Brigade (man-in-middle) attacks.
Use MICs, especially with self-synchronizing
encryptions that survive permuting
message blocks (e.g., ECB) .
Get "random" numbers from true sources
Protect Master KDC Key and hashed-key database
15
16
Concepts Used in Kerberos
Central Key Server (KDC) - n rather than
n(n-1)/2 sets of keys. Could enforce
Connection Policy. Distributed KDCs (Slave
KDCs) to prevent Denial of Service (DoS)
Attack. Use of password hashes, for verifying
password without storing password.
Dictionary Attack - use of salt to improve
security. Message hashes for Message Integrity
Check (MIC). Authentication exchange - nonce
to prevent Replay Attack. Standard block
encryption algorithm (DES) with unique cipher
feedback. Session keys to reduce exposure of
primary keys. Version 4 to 5 upgrade difficult.
Newer systems (SSL, PGP, SSH) negotiate to find
the best common algorithms available to both.
16