Slide 1: The Authentication Service ‘Kerberos’ and Its Limitations
Slide 2: OUTLINE
- What is Kerberos?
- How does it work?
- Kerberos infrastructure and Cross-realm Authentication
- Kerberos Encryption
- Attacks on Kerberos?
- Limitations of Kerberos
- Future Work
Slide 3: 1. What Is Kerberos?
Definition: In Greek mythology, Kerberos was “a three-headed dog that guards the entrance to Hades.”
An authentication service developed as part of Project Athena at MIT to enable network applications to securely identify their peers.
It was intended to have three components to guard a network’s gate: authentication, accounting, and audit. The last two were never implemented.
Versions 1 through 3 were internal development versions. Version 4 is the original Kerberos.
Motivation: In an open environment, in which network connections to other machines are supported, there is a need to protect user information and resources stored at the server.

Slide 4:
To do this:
- Require the user to prove identity for each service invoked.
- Also require that servers prove their identity to clients.
These are supported by Kerberos.
It should be:
- Secure: an opponent does not find it to be the weak link.
- Reliable: it should employ a distributed server architecture, with one system able to back up another.
- Transparent: the user should not be aware that authentication is taking place.
- Scalable: supporting large numbers of clients and servers.
Slide 5: [Figure: message flow with Kerberos (Authentication Server and Ticket-granting Server (TGS))]
Once per user logon session: (1) Request ticket-granting ticket; (2) Ticket + session key
Once per type of service: (3) Request service-granting ticket; (4) Ticket + session key
Once per service session: (5) Request service; (6) Provide server authenticator
Slide 6:
1. User logs on to workstation and requests service on host.
2. AS verifies user’s access rights in database, creates TGT and session key. Results are encrypted using key derived from user’s password.
3. Workstation prompts user for password and uses password to decrypt incoming message, then sends ticket and authenticator that contains user’s name, network address, and time to TGS.
4. TGS decrypts ticket and authenticator, verifies request, then creates ticket for requested server.
5. Workstation sends ticket and authenticator to server.
6. Server verifies that ticket and authenticator match, then grants access to service. If mutual authentication is required, server returns an authenticator.
Slide 7: How does it work?
1. C --> AS : ID_C, P_C, ID_V
2. AS --> C : Ticket
3. C --> V : ID_C, Ticket
Ticket = E_Kv[ID_C, AD_C, ID_V]
Where
C = Client
AS = Authentication Server
V = Server
ID_C = Identifier of user on C
ID_V = Identifier of V
P_C = Password of user on C
AD_C = Network address of C
K_v = Secret encryption key shared by AS and V
Slide 8: A more secure Authentication
The first scenario does not solve the following:
1. The number of times that a user has to enter a password.
2. It involved a plaintext transmission of the password (message 1).
To solve these problems, we introduce the ticket-granting server.
The new scenario:
Once per user logon session:
1. C --> AS : ID_C, ID_tgs
2. AS --> C : E_Kc[Ticket_tgs]
Once per type of service:
3. C --> TGS : ID_C, ID_V, Ticket_tgs
4. TGS --> C : Ticket_V
Slide 9:
Once per service session:
5. C --> V : ID_C, Ticket_V
Ticket_tgs = E_Ktgs[ID_C, AD_C, ID_tgs, TS1, Lifetime1]
Ticket_V = E_Kv[ID_C, AD_C, ID_V, TS2, Lifetime2]
TS = Timestamp
This new scenario satisfies the two requirements of only one password query per user session and protection of the user password.
We still have two additional problems:
1. The lifetime associated with the ticket-granting ticket. If it is short (e.g., minutes), the user will be repeatedly asked for a password. If it is long, then an opponent has a greater opportunity for replay.

Slide 10:
2. There might be a need for the server to authenticate itself to users.
Solution: Session Keys
The threat: An opponent will steal the ticket and use it before it expires.
The solution: AS provides both C and the TGS with a secret piece of information in a secure manner. Then C can prove its ID to the TGS by revealing the secret. An encryption key is used as the secure information; this is referred to as a session key.
So the actual Kerberos protocol:
Slide 11: Summary of Kerberos Version 4 Message Exchanges
a) Authentication Service Exchange: to obtain TGT
1. C --> AS : ID_C, ID_tgs, TS1
2. AS --> C : E_Kc[K_c,tgs, ID_tgs, TS2, Lifetime2, Ticket_tgs]
Ticket_tgs = E_Ktgs[K_c,tgs, ID_C, AD_C, ID_tgs, TS2, Lifetime2]
b) Ticket-Granting Service Exchange: to obtain service-granting ticket
3. C --> TGS : ID_V, Ticket_tgs, Authenticator_C
4. TGS --> C : E_Kc[K_c,v, ID_V, TS4, Ticket_V]
Ticket_V = E_Kv[K_c,v, ID_C, AD_C, ID_V, TS4, Lifetime4]
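The session-key idea from slides 10 and 11, as an added example that is not part of the presentation: the TGS accepts a ticket only when it arrives with an authenticator (user's name, network address and time, as on slide 6) sealed under K_c,tgs, so a stolen ticket alone is refused. Assumptions: seal()/unseal() are stand-ins for DES encryption E_K[...], and the JSON field names, the SKEW value and the replay cache `seen` are hypothetical.

```python
import hashlib, hmac, json, os

SKEW = 300  # seconds of clock difference the TGS tolerates (assumed value)

def seal(key, obj):  # stand-in for E_K[...]: SHAKE keystream + HMAC tag, not DES
    data, nonce = json.dumps(obj).encode(), os.urandom(8)
    stream = hashlib.shake_256(key + nonce).digest(len(data))
    body = bytes(a ^ b for a, b in zip(data, stream))
    return nonce + hmac.new(key, nonce + body, "sha256").digest() + body

def unseal(key, blob):
    nonce, tag, body = blob[:8], blob[8:40], blob[40:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, "sha256").digest()):
        raise ValueError("not sealed under this key")
    stream = hashlib.shake_256(key + nonce).digest(len(body))
    return json.loads(bytes(a ^ b for a, b in zip(body, stream)))

def as_reply(k_c, k_tgs, id_c, ad_c, now, lifetime):
    """Message 2: E_Kc[K_c,tgs, ID_tgs, TS2, Lifetime2, Ticket_tgs]."""
    k_c_tgs = os.urandom(16).hex()  # fresh session key, known to C and TGS only
    ticket = seal(k_tgs, {"key": k_c_tgs, "id": id_c, "ad": ad_c,
                          "tgs": "tgs", "ts": now, "life": lifetime})
    return seal(k_c, {"key": k_c_tgs, "tgs": "tgs", "ts": now,
                      "life": lifetime, "ticket": ticket.hex()})

def authenticator(k_c_tgs, id_c, ad_c, now):
    return seal(bytes.fromhex(k_c_tgs), {"id": id_c, "ad": ad_c, "ts": now})

def tgs_check(k_tgs, ticket, auth, peer_addr, now, seen):
    """Checks the TGS makes on message 3 before it issues a service ticket."""
    t = unseal(k_tgs, ticket)
    if now > t["ts"] + t["life"]:
        return "ticket expired"
    try:
        a = unseal(bytes.fromhex(t["key"]), auth)
    except ValueError:
        return "authenticator not made with session key"
    if (a["id"], a["ad"]) != (t["id"], t["ad"]) or a["ad"] != peer_addr:
        return "identity or address mismatch"
    if abs(now - a["ts"]) > SKEW:
        return "authenticator too old"
    if (a["id"], a["ts"]) in seen:
        return "replayed authenticator"
    seen.add((a["id"], a["ts"]))
    return "ok"
```

The ticket's lifetime bounds how long it can be presented at all, while the authenticator's timestamp bounds how long one captured request stays usable.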
Slide 13: Kerberos Realms
A full-service Kerberos environment consisting of a Kerberos server, a number of clients, and a number of application servers, requires the following:
1. The Kerberos server must have the UID and hashed password of all participating users in its database. All users are registered with the Kerberos server.
2. The Kerberos server must share a secret key with each server. All servers are registered with the Kerberos server.
For inter-realm authentication:
3. The Kerberos server in each interoperating realm shares a secret key with the server in the other realm. The two Kerberos servers are registered with each other.
This means that the Kerberos server in one realm trusts the Kerberos server in the other realm to authenticate its users.
Slide 14: [Figure: request for service in another realm; labels: AS, TGS, Kerberos, Client, Server, Realm A, Realm B]
1. Request ticket for local
2. Ticket for local TGS
3. Request ticket for remote TGS
4. Ticket for remote TGS
5. Request ticket for remote server
6. Ticket for remote server
7. Request remote service
Slide 15: Encryption for Privacy and Integrity
The data structures that Kerberos encrypts need to be protected from both disclosure and modification.
Kerberos uses the DES algorithm for encryption. For a long message, CBC (Cipher Block Chaining) could be used, and it does a good job on privacy.
Problem: However, there is no integrity check. If an intruder were to modify block c_n, then m_n and m_(n+1) would be garbage. There is no way for Kerberos to detect this.
Solution: Plaintext Cipher Block Chaining (PCBC). It has the property that modifying any c_i will result in garbling plaintext blocks starting with m_i all the way to the end. There is recognizable data at the end of a message, so the receiver decrypts it and checks whether the final block is proper.
Question: What if we swap two adjacent blocks of ciphertext?
Slide 17: Attacks on Kerberos
1. Replay Attacks
2. Secure Time Services
3. Password-Guessing Attacks
4. Spoofing Login
5. Inter-Session Chosen Plaintext attacks
6. Exposure of Session Keys
7. The Scope of Tickets
Slide 18: Limitations of Version 4
Environmental Shortcomings:
1. Encryption system dependence (it uses only DES).
2. Internet protocol dependence (requires the use of IP addr.).
3. Message byte ordering.
4. Ticket lifetimes (a maximum lifetime of 21 1/4 hours).
5. Authentication forwarding (an intermediate server may need to access some resource with the rights of the client, for example a print server).
6. Principal naming (principals are named with three components: name, instance, and realm, each of which may be up to 39 characters long, which is too short for some applications and installation environments).
7. Inter-realm authentication (the pairwise key exchange requires a lot of key exchanges for n realms).
Slide 19: Technical Deficiencies
1. Double encryption: The ticket is encrypted twice when transmitted to the client, and only once when sent to the application server. If encryption is computationally intensive, this is an unnecessary use of processing time.
2. PCBC encryption: This mode was an attempt to provide data encryption and integrity protection in one operation. But an intruder can modify a message with a special block-exchange attack which may not be detected by the receiver.
3. Authenticators and replay detection
4. Password attacks
5. Session keys
6. Cryptographic checksum: The MIT implementation does not perform this algorithm as described; the suitability of the modified version as a CCF is unknown.
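The question on slide 15 and the PCBC deficiency above, worked through as an added example that is not part of the presentation. It compares three tampered ciphertexts against the "final block is proper" check; the 8-byte block cipher is a toy Feistel construction standing in for DES, and the key, IV and message blocks are constructed sample values.

```python
import hashlib

BLOCK = 8  # bytes, the DES block size
KEY, IV = b"constructed-key", bytes(BLOCK)  # constructed sample values
MSG = [b"block-01", b"block-02", b"block-03", b"block-04", b"TRAILER!"]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, rnd, half):  # round function of the toy Feistel cipher (not DES)
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:BLOCK // 2]

def enc_block(key, blk):
    l, r = blk[:4], blk[4:]
    for rnd in range(4):
        l, r = r, _xor(l, _f(key, rnd, r))
    return l + r

def dec_block(key, blk):
    l, r = blk[:4], blk[4:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _f(key, rnd, l)), l
    return l + r

def encrypt(key, iv, blocks, pcbc=True):
    chain, out = iv, []
    for m in blocks:
        c = enc_block(key, _xor(m, chain))
        out.append(c)
        chain = _xor(m, c) if pcbc else c  # PCBC chains m XOR c, CBC chains c
    return out

def decrypt(key, iv, blocks, pcbc=True):
    chain, out = iv, []
    for c in blocks:
        m = _xor(dec_block(key, c), chain)
        out.append(m)
        chain = _xor(m, c) if pcbc else c
    return out

def trailer_ok(ct, pcbc=True):  # receiver's check: is the last block the trailer?
    return decrypt(KEY, IV, ct, pcbc)[-1] == MSG[-1]

def modify(ct, i):  # change one bit of ciphertext block i
    return ct[:i] + [_xor(ct[i], b"\x01" + bytes(BLOCK - 1))] + ct[i + 1:]

def swap(ct, i):  # exchange ciphertext blocks i and i+1
    return ct[:i] + [ct[i + 1], ct[i]] + ct[i + 2:]
```

With these values, trailer_ok() accepts the modified CBC ciphertext and the swapped PCBC ciphertext and rejects only the modified PCBC ciphertext. After a swap, the chaining value m XOR c entering the next block is unchanged, so only the two exchanged blocks decrypt to garbage and the trailer still looks proper.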
Slide 20: Future Work
Version 5 of Kerberos is a step toward the design of an authentication system that is widely applicable. The framework is flexible enough to accommodate future requirements. Some items expected to be added to Kerberos in the near future include:
1. Public-key cryptosystems: These will give the ability to interoperate with the Privacy Enhanced Mail (PEM) infrastructure.
2. Smartcards: Hand-held devices can be used to augment normal password security methods.
3. Remote administration: Remote extraction of server key tables, password “quality checks”, and a provision for servers to change their secret keys automatically and often.
4. Validation suites: To verify that the protocol is properly implemented. This could prevent future problems.
5. Applications: , Usenet, distributed file systems.