Kerberos: An Authentication Service for Computer Networks

Review by Kevin LoGuidice, April 1998

Introduction:

· Authentication is the process of verifying a user's identity on a system. Password based authentication is not suitable for computer networks as passwords sent across the wire can be compromised and subsequently used to impersonate the user.

Goal:

· A strong authentication mechanism based on cryptography that allows a process, running on behalf of a user (i.e. a client), to prove its identity to a verifier (i.e. a server) without disclosing the user's password.

Advantages:

· Data Confidentiality
· Transparent to user (i.e. single signon)
· Authorization Support (Version 5)

Protocol:

AS = Authentication Service	TGS = Ticket Granting Service
c = client name	s = server name
n = rand #	T_c,s = Ticket
K_c = client private key	K_s = server private key
K_c,s = session key	K_c,_tgs = TGS session key
{} = encryption

· Basic Authentication Protocol

Client -> AS: c,s,n
AS -> Client: {K_c,s,n_}K_c, {T_c,s}K_s
Client -> Server: {A_c}K_c,s ,{T_c,s}K_s
Server->Client: {t_s…}Kc,s(optional)

· Complete Authentication Protocol

Client -> TGS: c, tgs, n
TGS -> Client: {K_c,tgs,n}Kc, {T_c,tgs}K_tgs
Client ->TGS: {Ac}K_c,tgs, {T_c,tgs}K_tgs,s,n
TGS -> Client: {K_c,s,n}K_c,tgs,{T_c,s}K_s
Client -> Server: {A_c}K_c,s. {T_c,s}K_s

· Inter-Realm Authentication Protocol

Client -> TGS_local: {Ac}K_c,tgs , {T_c,tgs}K_tgs, tgs_rem
TGS_local -> Client: {K_c,tgsrem}K_c,tgs , {T_c,tgsrem}K_tgsrem
Client -> TGS_remote: {A_c}K_c,tgsrem , {T_c,tgsrem}K_tgsrem,s_rem
TGS_remote -> Client: {K_c,srem}K_c,tgsrem , {T_c,srem}K_srem
Client -> Server_remote: {A_c}K_c,srem , {T_c,srem}K_srem

Disadvantages:

· Trusted and reliable secret key online authentication server (i.e. single point of failure)
· "Kerberized" application infrastructure needed.
· Realm scalability (O(n2) v4)
· No support for ticket forwarding or proxy (v4)
· Not effective against password guessing attacks
· Not effective "Trojan Horse" attacks

Performance:

· More computationally efficient than public-key cryptosystems (i.e. symmetric).

Questions

Any comments on timestamps in authentication protocols (Hint: Lamport's/syncronization)?
The authenticator relies on the use of a timestamp to guard against reuse, is this acceptable ?
Can a ticket from one machine be used on another ?
Data Encryption Standard (DES) is used for encryption. Any problems with this ?