Presentation is loading. Please wait.

Presentation is loading. Please wait.

Extra Reading Network Security: Kerberos

Published byJodie Lucy Pope Modified over 8 years ago

Similar presentations

Presentation on theme: "Extra Reading Network Security: Kerberos"— Presentation transcript:

1 Extra Reading Network Security: Kerberos
Tuomas Aura T Network security Aalto University, Autumn 2015

2 Outline Kerberos authentication Kerberos in Windows domains

3 Kerberos authentication

4 Kerberos Shared-key protocol for user login authentication
Uses passwords as shared keys Solves security and scalability problems in password-based authentication in large domains Based loosely on the Needham-Schroeder secret-key protocol Kerberos v at MIT Kerberos v [RFC 4120] Updated protocol and algorithms ASN.1 BER message encoding Implemented in Windows 2000 and later Used in intranets: e.g. university Unix systems, corporate Windows domains

5 Kerberos architecture
1.–2. Authentication 3.–4. Ticket for a specific service 5.–6. Authentication to the service

6 Kerberos terminology Client-server computing model
Authentication for remote login sessions: e.g. interactive telnet, RPC Users and services are principals Key distribution center (KDC) Two components: authentication server (AS) and ticket-granting server (TGS) Trusted by all principals to help in the authenticated key exchange KDC shares a master key with each principal Long-term secret that is used only for initial key exchange Usually derived by hashing a password [RFC3961]: password for each user; also a password for each service When user logs in, his workstation uses the password to obtain a ticket-granting-ticket (TGT) from AS When client needs to access remote services, it uses TGT to request a service ticket from TGS for each server (Note how the two-step process could be generalized to more steps)

7 Kerberos architecture (some details)
1.–2. Authentication with password → client gets TGT and KAT 3.–4. Authentication with TGT and KAT → client gets service ticket and KAB 5.–6. Authentication with service ticket and KAB → client gets service access

8 Kerberos ticket Same format for both TGT and service ticket
Credentials = ticket + key ASN.1 encoding in Kerberos v5 “Encryption” also protects integrity, actually encryption and a MAC Flags: FORWARDABLE, FORWARDED, PROXIABLE, PROXY, MAY-POST-DATE, POSTDATED, INVALID, RENEWABLE, INTINIAL, PRE-AUTHENT, HW-AUTHENT INITIAL flag indicates TGT Message type, version REALM, SNAME Server name and realm FLAGS Encrypted with server’s master key KEY CNAME, CREALM Client name and realm TRANSITED transit realms AUTH-TIME, END-TIME CADDR Client IP address (optional) AUTORIZATION-DATA App-specific access constraints

9 Kerberos protocol (more details)
Initial login of user A: 1. A → AS: Preauthentication, A, TGS, NA1, AddrA 2. AS → A: A, TGT, EKA (KA-TGS, NA1, TGS, AddrA) Ticket request: 3. A → TGS: TGT, AuthenticatorA-TGS, B, NA2, AddrA 4. TGS → A: A, Ticket, EKA-TGS (KAB, NA2, B, AddrA) Authentication to server B: 5. A → B: Ticket, AuthenticatorAB 6. B → A: AP_REP KA , KTGS, KB = master keys of A, TGS and B KA-TGS = shared key for A and TGS KAB = shared key for A and B TGT = B, EKTGS (initial, KA-TGS, A, Tauth, Texpiry1, AddrA)) Ticket = B, EKB(KAB, A, Tauth, Texpiry2, AddrA)) Preauthentication = EKA (1 TA) AuthenticatorA-TGS = EKA-TGS (2 TA) AuthenticatorAB = EKAB (3 TA) AP_REP = EKAB(4 TA) A, B = principal names Tx = timestamp AddrA = A’s IP addresses Notes: 1234) ASN.1 encoding adds type tags to all messages Encryption mode also protects message integrity

10 Crypto algorithms Algorithms in older implementations were complex and potentially weak e.g.: DES encryption CRC-32 encrypted with DES in CBC mode for integrity Latest algorithm specification [RFC3961] recommends AES and HMAC Encryption mode must protect message integrity Can be implemented by appending an HMAC

11 Kerberos realms Users and services registered to one KDC form a realm
e.g. Cross-realm trust: Two KDCs X and Y share a key is registered in KDC X and in KDC Y) KDCs believe each other to be honest and competent to name users in their own realm Cross-realm authentication: Client requests from TGS at realm X a ticket for TGS at realm Y The ticket is encrypted for (i.e. TGS at realm Y) Client requests from TGS at realm Y a ticket for server Access control at several steps: Local policy at each KDC about when to honor tickets from other realms Local policy at about whether to allow access to users from other realms ACLs at determine whether the users is allowed to access the particular resources Possible to transit multiple realms → TRANSITED field in the ticket lists intermediate realms Local policy at each server about which transit realms are allowed

12 Realm hierarchy Large organizations can have a realm hierarchy
Hierarchy follows internet names → easy to find a path between realms → can filter cross-realm requests based on the names Can add shortcut links or create even a fully connected graph between KDCs E.g. Windows domain hierarchy Compare with X.509 certification hierarchy: similarities, differences?

13 Password guessing attacks
! Kerberos is vulnerable to password guessing: Sniffed KRB_AS_REQ or KRB_AS_REP can be used to test candidate passwords → offline brute-force password guessing In Kerberos v4, anyone could request a password-encrypted TGT from AS → easy to obtain material for password cracking Preauthentication in Kerberos v5 prevents active attacks to obtain material for password cracking → must sniff it Note: active vs. passive attacks Misleading thinking: active attacks (e.g. MitM) are more difficult to implement than passive attacks (sniffing) Reality: Active attacks can often be initiated by the attacker while passive attacks require attacker to wait for something to sniff → vulnerability to such active attacks is serious !

14 PKINIT Goal: take advantage of an existing PKI to bootstrap authentication in Kerberos Replaces the KRB_AS_REQ / KRB_AS_REP exchange with a public-key protocol Public-key authentication and encryption to obtain TGT Continue with standard Kerberos → transparent to TGS and application servers No password, so not vulnerable to password guessing Uses DSS signatures and ephemeral DH Windows 2000 and later, now standard [RFC 4556]

15 Using the session key Applications need to be modified i.e. “Kerberized” to use Kerberos for authentication Authentication at the beginning of a session is of little value unless session data is protected with the session keys Attacker could not initiate sessions but is could sniff, modify and spoof session data (e.g. Kerberized telnet) Applications use the session key KAB in any way they want KRB_AP_REQ and KRB_AP_REP may include further key material (subkeys) that is sent encrypted under KAB Kerberos provides special messages for integrity protection and encryption: KRB_SAFE: data, TA, SN, addrA, addrB, MACKAB(…) KRB_PRIV: EKAB(data, TA, SN, addrA, addrB) Access to these functions happens often through GSSAPI (called SSPI in Windows) Another message KRB_CRED for sending credentials (ticket and secret key) for the purpose of delegation

16 Delegation Server may need to perform tasks on the client’s behalf
Recursive RPC; agents operating when the user is no longer logged in; batch processing at night Alice can give her TGT or service ticket and key to David Controlling the use of delegated rights in applications: Ticket may specify many allowed client IP addresses Authorization-data field in ticket may contain app-specific restrictions It is safer to delegate a service ticket than TGT Ticket flags related to delegation: FORWARDABLE flag in TGT: the TGT can be used to obtain a new TGT with different IP addresses PROXIABLE flag in TGT: the TGT can be used to obtain service tickets with a different IP address Kerberos delegation is identity delegation When B has A’s ticket and key, B can act as A and nobody can tell the difference → difficult to audit access; similar to sharing passwords Other protocols delegate only access rights, and the delegate can be identified

17 Kerberos in Windows domains
Thanks to Dieter Gollmann

18 Windows access control summary
The O/S stores security attributes for each processes (subject) in an access token Token contains a list of privileges and SIDs (i.e. user and group identifiers) Permissions are decided by comparing the list of SIDs against a DACLs on an object The access token is local to the machine, created at login time, and never sent over the network How to authorize access to resources managed by a Windows service (=daemon) on a remote server, e.g. over remote procedure call (RPC)?

19 Network credentials Alice’s user name, SID and network credentials are cached on the user workstation username and password, or TGT and KA-TGS Alice’s processes can use her network credentials for remote login Two authentication protocols: NTLM and Kerberos V5 (RFC 1510) These authentication protocols do not reveal the password to the server Applications can also ask the user for a different user name and credentials and store them separately

20 Tokens and remote access
Access tokens are meaningful only to the local machine and cannot be sent over network The server does not trust the client machine to tell who Alice is and which groups she belongs to Instead, the client authenticates Alice to the server using her network credentials. The server creates a new login session and a new token (on the server) for Alice The service may now assign the token to a process or thread (=impersonation) The authentication protocols also provide the server with Alice’s user and group SIDs produce a session key for protecting data between the client and server Encryption and authentication of session data is controlled by applications Different secure session protocol exist for network logon, RPC, COM

21 Kerberos in Windows Realm = Windows domain
Realm hierarchy = domain hierarchy KDC = domain controller (DC) Information about users is stored in active directory (AD) Kerberos authenticates “principals”, but which principals should be authenticated? User name and a domain name (e.g. MYCOMPANY\Boss)? Appropriate fields in the ticket for this are CNAME and CREALM Principals according to the access control model? Windows puts the user SID and group SIDs in the field authorization-data  This created a major controversy in the early 2000s, now standardized

22 Kerberos ticket in Windows
Message type, version REALM, SNAME Server name and realm FLAGS Encrypted with server’s master key KEY Username, domain CNAME, CREALM Client name and realm TRANSITED transit realms AUTH-TIME, END-TIME CADDR Client IP address (optional) User and group SIDs AUTORIZATION-DATA App-specific access constrains

23 Related reading William Stallings. Network security essentials: applications and standards, 3rd ed. chapter 4.1; 4th ed. chapter 4.1–4.2 (Kerberos v5 only) William Stallings. Cryptography and Network Security, 4th ed.: chapters 14.1 (Kerberos v5) Dieter Gollmann. Computer Security, 2nd ed.: chapter 12.4; 3rd ed. chapter 15.4 Kaufmann, Perlman, Speciner. Network security, 2nd ed.: chapter 14 Online: How the Kerberos Version 5 Authentication Protocol Works,

24 Exercises How does Kerberos fix the flaw in Needham-Schroeder secret-key protocol? Find source code for a Kerberized client/server application (e.g. telnet) and see how it accesses Kerberos services Why is Kerberos used on the intranets and TLS/SSL on the Internet? Could it be the other way? Learn about Encrypted Key Exchange (EKE) and other similar password-based authentication protocols. Which problem do they solve? Should standard protocols include data fields or messages for proprietary extensions? What are the arguments for and against?

Download ppt "Extra Reading Network Security: Kerberos"

Similar presentations

COEN 350 Kerberos.

COEN 350 Kerberos.
Overview Network security involves protecting a host (or a group of hosts) connected to a network Many of the same problems as with stand-alone computer.

Overview Network security involves protecting a host (or a group of hosts) connected to a network Many of the same problems as with stand-alone computer.
Supervisor :Dr. Lo'ai Ali Tawalbeh Done by: Wa’el Musa Hadi

Supervisor :Dr. Lo'ai Ali Tawalbeh Done by: Wa’el Musa Hadi
Chapter 10 Real world security protocols

Chapter 10 Real world security protocols
Authentication Applications Kerberos And X.509. Kerberos Motivation –Secure against eavesdropping –Reliable – distributed architecture –Transparent –

Authentication Applications Kerberos And X.509. Kerberos Motivation –Secure against eavesdropping –Reliable – distributed architecture –Transparent –
Security Protocols Sathish Vadhiyar Sources / Credits: Kerberos web pages and documents contained / pointed.

Security Protocols Sathish Vadhiyar Sources / Credits: Kerberos web pages and documents contained / pointed.
Windows 2000 Security --Kerberos COSC513 Project Sihua Xu June 13, 2014.

Windows 2000 Security --Kerberos COSC513 Project Sihua Xu June 13, 2014.
Chapter 14 – Authentication Applications

Chapter 14 – Authentication Applications
SCSC 455 Computer Security

SCSC 455 Computer Security
Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.

Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.
Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.

Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.
Kerberos 1 Public domain image of Heracles and Cerberus. From an Attic bilingual amphora, 530–520 BC. From Italy (?).

Kerberos 1 Public domain image of Heracles and Cerberus. From an Attic bilingual amphora, 530–520 BC. From Italy (?).
Network Security: Kerberos Tuomas Aura. 2 Outline Kerberos authentication Kerberos in Windows domains.

Network Security: Kerberos Tuomas Aura. 2 Outline Kerberos authentication Kerberos in Windows domains.
Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.

Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
Network Security Essentials Chapter 4

Network Security Essentials Chapter 4
Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.

Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.
Chapter 4 Authentication Applications. Objectives: authentication functions developed to support application-level authentication & digital signatures.

Chapter 4 Authentication Applications. Objectives: authentication functions developed to support application-level authentication & digital signatures.
Winter 2006Prof. R. Aviv: Kerberos1 Kerberos Authentication Systems.

Winter 2006Prof. R. Aviv: Kerberos1 Kerberos Authentication Systems.

Similar presentations

Ads by Google