Lecture notes by Lynette I. Millett
Employing a KDC requires O(n) keys: a shared key K_A between every host A and the KDC. The KDC generates a fresh, shared key for any communicating pair of hosts that request one; the KDC distributes this fresh, shared key to those hosts. The disadvantages of a KDC-based system include: the need for a protocol, the need to trust the KDC, and the fact that KDC itself becomes a performance bottleneck. On other other hand, with a KDC it is now possible to have short-lived keys (e.g. a different key each day.) Such short-lived keys are called session keys and make the job of a cryptoanalyst very difficult.
One simple (and flawed) protocol for key distribution works as diagrammed below. Assume that A and B have keys K_A and K_B respectively that are shared with the KDC.
A --> KDC: A,B
KDC: invent fresh key K_AB
KDC --> A: { K_AB, B}K_A
KDC --> B: { K_AB, A}K_B
Note that once the fresh key K_AB is created, the KDC cannot send it in the
clear; it must be encrypted. Moreover, A (respectively B) needs to
be convinced that the key it receives is for communication with B (respectively
A). This is done by encrypting both the key and the name of the host that the
receiver can use this key to communicate with.
The above protocol is flawed in several ways. For example, after receiving the key K_AB, A may send a message to B. However, this message could arrive at B before B has received K_AB. B would then need to buffer the message while expecting to eventually receive the appropriate key. This buffering provides an opportunity for denial of service attacks. A solution is to make sure that A can't send an encrypted message to B until B has the shared key. To do this, the KDC will send to A key K_AB encrypted under K_B instead of sending that to B. A will then send this to B before sending any messages to B.
A --> KDC: A,B
KDC: invent fresh key K_AB
KDC --> A: { K_AB, B, { K_AB, A}K_B }K_A
A --> B: { K_AB, A}K_B
We are now well on our way to the famed
Needham Schroeder protocol that we have seen
before.
The Kerberos system consists of a KDC that runs on a physically secure node in the network as well as a software library that is linked into workstation operating systems and applications. A user logs into a workstation and provides a username and password. The workstation uses the username and password to obtain information (credentials) that are used by processes to access remote resources on behalf of the user. The unit of certification is a session. A session is the period of time from logon to logoff at a given workstation.
Each principal (user, server, printer, etc) shares a key (called its "master key") with the KDC. A workstation uses a session key instead of a master key or password. Because of this, workstations erase the master key as soon as possible (it's needed only long enough to acquire a session key), and thus programs on the workstation cannot steal the master key as easily. This is not absolutely secure, but works well for the kind of environment Kerberos was designed for.
The KDC maintains a database whose entries are pairs: a principal name, p, and an encrypted version (under a key only the KDS knows) of p's master key.
We present three Kerberos protocols: logging on to the network, acquiring credentials for a resource, and using credentials to access a resource.
Logging on to the network involves the creation of a ticket-granting ticket (TGT) by the KDC. The TGT will take the place of the master key and has an expiration time. The principal A then uses the TGT when contacting the KDC for credentials. Below, A is a person, WkStation_A is a computer owned by A, K_A is the master key for A, and KDC is a server.
A --> WkStation_A: A wishes to login.
WkStation_A --> KDC: A needs TGT
KDC: invent fresh session key S_A
lookup K_A in local database
TGT := {A , S_A , expTime}K_KDC
KDC --> WkStation_A: { S_A , TGT }K_A
WkStation_A --> A: Password?
A --> WkStation_A: Password is: xxxxxx
WkStation_A: Derive K_A from Password xxxxxx
Extract S and TGT from "{ S_A , TGT }K_A" received earlier
Forget K_A at WkStation_A
Note, in the above protocol, the only period of significant vulnerability occurs while the workstation is storing K_A (after asking for the password). Note also that because WkStation_A has received and will store TGT, the KDC does not need to remember any state (and, in particular, S_A)---all relevant state is encoded in the TGT. (If the KDC had to remember state, then it would need storage and a garbage collection routine. Moreover, supporting multiple KDCs would introduce a consistency problem.)
Suppose that A would like to get credentials for a resource B. To do this, A types the request into the workstation, which sends a the request (with the TGT) to the KDC. The KDC will invent a fresh key and also provide A with a ticket (Tick_B) to B. This ticket will be used when A actually wants to access B. We first diagram the protocol for acquiring credentials.
A --> WkStation_A: A wishes to access service B.
WkStation_A --> KDC: A, B, TGT
KDC: invent fresh key K_AB
extract S_A from TGT found in message from WkStation_A
Tick_B := {A, B, K_AB, expTime}K_B
KDC --> WkStation_A: {B, K_AB, Tick_B}S_A
Now these credentials can be used by A to access resource B.
In particular, WkStation_A
will send Tick_B to service B, along with the current
time encoded under the shared key (call this the authenticator).
B extracts the shared key K_AB from Tick_B and checks the
authenticator (to prevent a replay of an earlier request).
B will then send back its own authenticator (derived from the one
that WkStation_A sent).
From this second authenticator, A can determine that
whoever sent the massage knows K_AB, thus was able to
decrypt Tick_B, thus knew K_B and thus had to have been B.
WkStation_A --> B: Tick_B, {timeNow}K_AB
B: extract A, B, K_AB, and expTime from Tick_B (since B knows K_B)
abort unless timeNow < expTime
B --> WkStation_A: {timeNow+1}K_AB
Note that this does not prevent a 'replay' of a current request. To do
this, B should keep all the requests for the last 5 minutes, and check
that all the requests from a given source are for different times.
There are several engineering issues that arise in Kerberos. It is not feasible to have only one KDC due to issues of scaling and fault-tolerance. Instead, there is one master KDC and n slave copies that contain read-only copies of the data. The master updates the slave KDCs periodically. The data can be transferred from the master to slave KDCs without additional encryption (recall that the master keys are already encrypted under kKDC.) However, to prevent a splicing attack, a cryptographic checksum should be also be encrypted and sent.
Another issue is how to manage the KDC in a very large network (e.g. an international network). It is impossible to find a single organization that all participants will trust. A solution is to partition the network (namespace) into realms and have a separate KDC for each realm. Principal names will be of the form: p@realm. A KDC for one realm can be registered as a principal in a KDC for another realm. In this way a KDC for another realm can be accessed like any other resource. In Kerberos V4 every KDC can be a principal in every other realm. However, authentication across realms is not allowed unless the path not longer than 2. In V5, the entire path is passed as a list, and a KDC can decide whether it trusts everyone on the list.