An Introduction to Kerberos

Shumon Huque
ISC Networking & Telecommunications
University of Pennsylvania
March 19th 2003

What this talk is about

A high-level view of how Kerberos works
How Kerberos differs from some other authentication systems
  SSH password auth, SSH public key auth, SSL
Target audience:
  LSPs, computing staff, others?

What this talk is not about

Details of Penn's Kerberos deployment plans
  How to get PennKeys, which Kerberos-enabled applications do I need to use
Writing Kerberized applications
In-depth protocol details and packet formats
Number Theory & Cryptography

What is Kerberos?
Developed at M.I.T.
A secret key based service for providing authentication in open networks
Authentication mediated by a trusted 3rd party on the network:
  Key Distribution Center (KDC)

Kerberos: etymology
The 3-headed dog that guards the entrance to Hades
Originally, the 3 heads represented the 3 A's
But one A was work enough!

Fluffy, the 3-headed dog, from Harry Potter and the Sorcerer's Stone

Some Kerberos benefits

Standards based strong authentication system
Wide support in various operating systems
Make strong authentication readily available for use with campus computer systems
Prevents transmission of passwords over the network
Provides single-sign-on capability
  Only 1 password to remember
  Only need to enter it once per day (typically)

So, what is Authentication?

The act of verifying someone's identity
The process by which users prove their identity to a service
Doesn't specify what a user is allowed or not allowed to do (Authorization)

Password based Authentication

Transmit password in clear over the network to the server
Main Problem
  Eavesdropping/Interception

Cryptographic Authentication
No password or secret is transferred over the network
Users prove their identity to a service by performing a cryptographic operation, usually on a quantity supplied by the server
Crypto operation based on user's secret key

Encryption and Decryption

Encryption
  Process of scrambling data using a cipher and a key in such a way that it's intelligible only to the recipient
Decryption
  Process of unscrambling encrypted data using a cipher and key (possibly the same key used to encrypt the data)

Symmetric Key Cryptography

Aka Secret Key cryptography
The same key is used for both encryption and decryption operations (symmetry)
Examples: DES, 3-DES, AES

Asymmetric Key Cryptography

Aka Public key cryptography
A pair of related keys are used: Public and Private keys
Private key can't be calculated from Public key
Data encrypted with one can only be decrypted with the other
Usually, a user publishes his public key widely
  Others use it to encrypt data intended for the user
  User decrypts using the private key (known only to him)
Examples: RSA

Communicating Parties
Alice and Bob
  Alice: initiator of the communication
    Think of her as the client or user
  Bob: correspondent or 2nd participant
    Think of him as the server
  Alice wants to access service Bob
Baddies:
  Eve, Trudy, Mallory


Simple shared-secret based cryptographic authentication

Add mutual authentication

Problems with this scheme

Poor scaling properties
Generalizing the model for m users and n services requires a priori distribution of m x n shared keys
Possible improvement:
  Use trusted 3rd party, with which each user and service shares a secret key: m + n keys
  Also has important security advantages

Mediated Authentication
A trusted third party mediates the authentication process
Called the Key Distribution Center (KDC)
Each user and service shares a secret key with the KDC
KDC generates a session key, and securely distributes it to communicating parties
Communicating parties prove to each other that they know the session key

Mediated Authentication
Nomenclature:
  Ka = Master key for alice, shared by alice and the KDC
  Kab = Session key shared by alice and bob
  Tb = Ticket to use bob
  K{data} = data encrypted with key K

Mediated Authentication

Mediated Authentication

Kerberos uses timestamps

Timestamps as nonces are used in the mutual authentication phase of the protocol
This reduces the number of total messages in the protocol
But it means that Kerberos requires reasonably synchronized clocks amongst the users of the system

Kerberos (almost)

Kerberos (roughly)

Needham-Schroeder Protocol

Kerberos (detailed)
Each user and service registers a secret key with the KDC
Everyone trusts the KDC
  "Put all your eggs in one basket, and then watch that basket very carefully" - Anonymous Mark Twain
The user's key is derived from a password, by applying a hash function
The service key is a large random number, and stored on the server

Kerberos principal
A client of the Kerberos authentication service
A user or a service
Format:
  name/instance@REALM
Examples:
  peggy@UPENN.EDU
  ftp/pobox.upenn.edu@UPENN.EDU

Kerberos without TGS

A simplified description of Kerberos without the concept of a TGS (Ticket Granting Service)

Combining 2 previous diags

Review: Kerberos Credentials

Ticket
  Allows user to use a service (actually authenticate to it)
  Used to securely pass the identity of the user to which the ticket is issued between the KDC and the application server
  Kb{alice, Kab, lifetime}
Authenticator
  Proves that the user presenting the ticket is the user to which the ticket was issued
  Proof that user knows the session key
  Prevents ticket theft from being useful
  Prevents replay attacks (timestamp encrypted with the session key): Kab{timestamp}, in combination with a replay cache on the server
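
Added example (not from the original slides): a Python sketch of how a service checks the ticket Kb{alice, Kab, lifetime} together with the authenticator Kab{timestamp} and a replay cache. The seal/unseal helpers are a toy stand-in for Kerberos encryption, and the function names, the 300-second skew window and the 10-hour lifetime are assumptions made for illustration.

```python
import hashlib, hmac, json, os

MAX_SKEW = 300  # seconds of clock skew the service tolerates (assumed value)

def _stream(key, nonce, n):
    # SHA-256 in counter mode as a keystream: toy cipher, for illustration only
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def seal(key, obj):
    """K{data}: encrypt and integrity-protect a JSON-serialisable object."""
    pt = json.dumps(obj).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

def kdc_issue_ticket(kb, user, now, lifetime=36000):
    """KDC side: returns (Kab, Tb) where Tb = Kb{user, Kab, lifetime}."""
    kab = os.urandom(32)
    return kab, seal(kb, {"user": user, "kab": kab.hex(), "expires": now + lifetime})

def make_authenticator(kab, now):
    """Client side: Kab{timestamp}."""
    return seal(kab, {"ts": now})

def service_accept(kb, ticket, authenticator, now, replay_cache):
    """Bob's side: returns the authenticated user name or raises ValueError."""
    t = unseal(kb, ticket)                    # only Bob and the KDC know Kb
    if now > t["expires"]:
        raise ValueError("ticket expired")
    ts = unseal(bytes.fromhex(t["kab"]), authenticator)["ts"]  # needs Kab
    if abs(now - ts) > MAX_SKEW:
        raise ValueError("authenticator outside clock-skew window")
    if (t["user"], ts) in replay_cache:
        raise ValueError("replayed authenticator")
    replay_cache.add((t["user"], ts))
    return t["user"]
```

Replay-cache entries only need to be kept while their timestamp is still inside the skew window; anything older is already rejected by the skew check.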

Ticket Granting Service (TGS)


Motivation

Kerberos with TGS

Ticket Granting Service (TGS):
  A Kerberos authenticated service that allows user to obtain tickets for other services
  Co-located at the KDC
Ticket Granting Ticket (TGT):
  Ticket used to access the TGS and obtain service tickets
Limited-lifetime session key: TGS session-key
  Shared by user and the TGS
TGT and TGS session-key cached on Alice's workstation

TGS Benefits
Single Sign-on (SSO) capability
Limits exposure of user's password
  Alice's workstation can forget the password immediately after using it in the early stages of the protocol
  Less data encrypted with the user's secret key travels over the network, limiting attacker's access to data that could be used in an offline dictionary attack

Levels of Session Protection

Initial Authentication only
Safe messages:
  Authentication of every message
  Keyed hashing with session key
Private messages:
  + Encryption of every message
  With session key, or mutually negotiated subsession keys
Note: Application can choose other methods

Pre-authentication
Kerberos 5 added pre-authentication
  Client is required to prove its identity to the Kerberos AS in the first step
  By supplying an encrypted timestamp (encrypted with user's secret key)
  This prevents an active attacker from easily obtaining data from the KDC encrypted with any user's key, which the attacker could then use to mount an offline dictionary attack

Kerberos & Two-factor auth

In addition to a secret password, user is required to present a physical item:
  A small electronic device: h/w authentication token
  Generates non-reusable numeric responses
Called 2-factor authentication, because it requires 2 things:
  Something the user knows (password)
  Something the user has (hardware token)

Cross Realm Authentication

Hierarchy/Chain of Realms

Kerberos and PubKey Crypto

Proposed enhancements
  Public key crypto for Initial Authentication
    PKINIT
  Public key crypto for Cross-realm Authentication
    PKCROSS

Kerberos: summary
Authentication method:
  Users enter password on local machine only
  Authenticated via central KDC once per day
  No passwords travel over the network
Single Sign-on (via TGS):
  KDC gives you a special ticket, the TGT, usually good for rest of the day
  TGT can be used to get other service tickets allowing user to access them (when presented along with authenticators)

Advantages of Kerberos (1)

Passwords aren't exposed to eavesdropping
Password is only typed to the local workstation
  It never travels over the network
  It is never transmitted to a remote server
Password guessing more difficult
Single Sign-on
  More convenient: only one password, entered once
  Users may be less likely to store passwords
Stolen tickets hard to reuse
  Need authenticator as well, which can't be reused
Much easier to effectively secure a small set of limited access machines (the KDCs)

Advantages of Kerberos (2)


Easier to recover from host compromises
Centralized user account administration

Kerberos caveats
Kerberos server can impersonate anyone
KDC is a single point of failure
  Can have replicated KDCs
KDC could be a performance bottleneck
  Everyone needs to communicate with it frequently
  Not a practical concern these days
  Having multiple KDCs alleviates the problem
If local workstation is compromised, user's password could be stolen by a trojan horse
  Only use a desktop machine or laptop that you trust
  Use hardware token pre-authentication

Kerberos caveats (2)

Kerberos vulnerable to password guessing attacks
  Choose good passwords!
  Use hardware pre-authentication
    Hardware tokens, Smart cards etc

References
Kerberos: An Authentication Service for Open Network Systems
  Steiner, Neuman, Schiller, 1988, Winter USENIX
Kerberos: An Authentication Service for Computer Networks
  Neuman and Tso, IEEE Communications, Sep 1994
A Moron's guide to Kerberos - Brian Tung
  http://www.isi.edu/gost/brian/security/kerberos.html
Designing an Authentication System: A Dialogue in Four Scenes
  Bill Bryant, 1988
  http://web.mit.edu/kerberos/www/dialogue.html

References (cont)
RFC 1510: The Kerberos Network Authentication Service (v5)
  Kohl and Neuman, September 1993
draft-ietf-krb-wg-kerberos-clarifications-03.txt
  IETF Kerberos Working Group: rfc1510 revision
Using Encryption for Authentication in Large Networks of Computers
  Roger Needham, Michael D. Schroeder
  CACM, Volume 21, December 1978, pp 993-999

Questions or comments?
Shumon Huque
E-mail: <shuque@isc.upenn.edu>
