Kerberos: An Authentication Service for Computer Networks
Notes by Ralph Benzinger, 1999. Cut and pasted some funny symbols from notes by
Kevin LoGuidice, 1998.
Authentication
- au·then·ti·cate (&-'then-ti-"kAt): v. to prove sth to be valid or
genuine or true (Middle English autentik, from Middle French autentique, from Late Latin
authenticus, from Greek authentikos)
- Authentication in distributed computing environments: the process of assuring the
identity of a principal (user) to a verifier (server)
- Workstations should not be trusted to identify users correctly to network services
(authentication by assertion: BSD rhosts, Xauth, ...)
- Passwords may be intercepted by eavesdroppers and can be used to impersonate legitimate
users
Kerberos
- Cerberus (kerberos), in Greek mythology, a
three-headed, dragon-tailed dog that guarded the entrance to the lower world, or Hades.
The monster permitted all spirits to enter Hades, but would allow none to leave.
- Kerberos is a trusted third-party authentication service for mutual authentication
between a client and a server
- Part of Athena project; design goals: security, reliability, transparency, scalability
- Does not make any assumptions about workstations, but concentrates trust into
authentication server
- Principal and authentication server share secret key, access to network services is
granted through tickets and authenticators
- Timestamps are used to detect replay attacks
The Kerberos Protocol
Names
- AS = authentication service, TGS = ticket granting service
- c = client name, s = server name (denoted v in paper)
- Tc,s = ticket, Ac = authenticator, ts =
timestamp, texp = expiration time
- Kc = client private key, Ks = server private key, Kc,s
= session key, Kc,tgs = TGS session key
- {x}K = x encrypted with key K
Credentials
- Name: name.instance@realm
- Ticket: Tc,s = {c, s, ts, texp, Kc,s}Ks
- Authenticator: Ac = {c, ts}Kc,s
Basic Authentication Protocol
- Client -> AS: c, s
- AS -> Client: {Kc,s, s}Kc, {Tc,s}Ks
- Client -> Server: {Ac}Kc,s, {Tc,s}Ks
- Server -> Client: {ts+1}Kc,s (optional)
Complete Authentication Protocol
- Client -> AS: c, tgs
- AS -> Client: {Kc,tgs, tgs}Kc, {Tc,tgs}Ktgs
- Client -> TGS: {ts}Kc,tgs, {Tc,tgs}Ktgs,
s
- TGS -> Client: {Kc,s, s}Kc,tgs, {Tc,s}Ks
- Client -> Server: {Ac}Kc,s, {Tc,s}Ks
- Server -> Client: {ts+1}Kc,s (optional)
Cross-Realm Authentication Protocol
- Ticket granting services share private keys for cross-realm authentication; hierarchical
structure reduces the number of keys required
- Client obtains ticket for remote TGS from its local TGS using its ticket granting ticket
- Client obtains ticket for remote server from remote TGS using remote ticket granting
ticket
Limitations
- Authentication server database is system's Achilles heel
- Slack in ticket lifetime does not eradicate replay attacks
- Susceptible to password guessing and Trojan horse attacks
- Proxies and rights forwarding unclear
- Requires Kerberized software
Questions
- Who were the Greeks who escaped from Hades, and what did they use to get past Cerberus?
- How does Kerberos compare to PGP?
- Are there better ways to repel replay attacks?
- Is password-based security still state of the art?