Risk Assessment of Authentication Protocol: Kerberos

Shared by: ijcsiseditor

Stats

views:: 133
posted:: 7/5/2011
language:: English
pages:: 5

Public Domain

Document Sample

(IJCSIS) International Journal of Computer Science and Information Security,
Vol. 9, No. 6, June 2011

Risk Assessment of Authentication Protocol:
Kerberos
Pathan Mohd. Shafi1, Dr Abdul sattar2, Dr. P. chenna Reddy3
1
Smtg Kashibai Navale College of Engineering,Pune
2
Royal Institute of Technology and Science R. R. Dist.
3 JNTU College of Engineering, Pulivendula.

Abstract—Kerberos is a well-established authentication Kerberos is a system of authentication developed at MIT
system. As new authentication methods arise, incorporating (Massachusetts Institute of Technology) as part of the
them into Kerberos is desirable. However, extending Athena project. Steve Miller and Clifford Neuman are
Kerberos poses challenges due to a lack of source code primary designers of Kerberos version 4 (Published year -
availability for some implementations and a lengthy 1980)Although they had targeted it primarily for project
standardization process.
This proposal presents important functions, strengths and
Athena, Version 5 designed by John Kohl and Clifford
weakness in Kerberos. It details out design issues, Neuman ,appeared as PFC 1510 in 1993,with intention of
limitations and risks associated with Kerberos. This overcoming the limitations and security problems of
proposal also explains one more aspect that is version 4.
“extensibility” with Kerberos. This proposal also briefs The Kerberos protocol involves use of a trusted third
Kerberos enhancements for using public-key cryptography. party known as the Key Distribution Center (KDC) to
It discusses scalability and security needs & how public-key negotiate shared session keys between clients and
helps in accomplishing these goals. At the end it focuses on services and provide mutual authentication between them.
commercial application/services those uses Kerberos rigidly. Kerberos differs from many other distributed security
This proposal on pre-authentication. A Pre-
Authentication in Kerberos (EPAK) is Kerberos extension
systems in its ability to incorporate a very wide range of
which enables many authentication methods to be loosely security technologies and mechanisms. Kerberos has
coupled with Kerberos, without further modification to risen from a well-respected authentication standard to a
Kerberos. Why pre-authentication is necessary? An leading security infrastructure component in recent years,
attacker usually impersonates user by obtaining for example Microsoft announced that Microsoft Active
authentication responses & performs offline dictionary Directory would support the protocol for authentication
attacks against the encrypted data, this is a likely attack purposes within Windows Primary Domain Controllers.
with Kerberos. Thus “pre-authentication” can lower the
possibility for offline password-guessing attacks. We also MOTIVATION
discuss two prototype examples to understand flexibility
Kerberos using EPAK .It uses public key approach which is
Today, open & distributed architectures are widely used
very resource consuming but in the era of wireless across organizations, companies, offices & IT services. In
communication and mobile devices we need to find the light general such open & distributed environments consist of
weight application. dedicated workstations and distributed or centralized
Kerberos has grown to become the most widely deployed servers. In open environment user requires to prove
system for authentication and authorization in modern identity for each service invoked, and in turn server(s)
computer networks. Kerberos is currently shipped with all also require proving their identity to clients. The process
major computer operating systems and is uniquely of verifying the user's identity is called authentication.
positioned to become a universal solution to the distributed Traditional Kerberos provides a centralize
authentication and authorization problem of
communicating parties.
authentication server whose function is to authenticate
users to servers and servers to users. The authentication
I. INTRODUCTION service in open environments can made more secure by
enhancing or extending Kerberos. New authentication
Authentication is critical for the security Computer systems need to integrate more easily into Kerberos to
systems. Without knowledge of a principal requesting an increase their usability and performance without
operation, it is difficult to decide whether the operation changing existing Kerberos base security framework.
should be allowed. Traditional authentication methods are
not suitable for use in computer networks where attackers UNDERSTANDING KERBEROS
monitor network traffic to intercept passwords. The use Kerberos is a network authentication protocol based on
of strong authentication methods that do not disclose conventional cryptography that relies on symmetrical
passwords is imperative. The Kerberos authentication cryptographic algorithms that use the same key for
system is well suited for authentication of users in such encryption as for decryption. Network authentication
environments protocols do two things: help you discover who is on the
other end of the wire, and help you and your peer
exchange a cryptographic key (also known as a session

183 http://sites.google.com/site/ijcsis/
ISSN 1947-5500
(IJCSIS) International Journal of Computer Science and Information Security,
Vol. 9, No. 6, June 2011

key) so you can maintain integrity and confidentiality session key is contained in the application server ticket
protection for the ensuing conversation. ticketV and is encrypted using the long-term secret key
of the application server KV which is shared between the
application server and the Kerberos infrastructure (the
TGS can access the database of the Kerberos
infrastructure). The information directed to the client is
encrypted with the session key of the first stage Kc,tgs.
Phase 3: Contacting application server / Requesting
specific service

Figure 1. Kerberos overview

Exchange between the client and the Kerberos AS
(Authentication Server) in messages 1 and 2 are used
only when the user first logs in to the system. Exchange
between the client and the Kerberos TGS (Ticket
Granting Server) in Messages 3 and 4 are used whenever
a user authenticates to a new server. Message 5 is used
each time the user authenticates itself to a server. And Figure 2 - Kerberos authentication dialog
finally, Message 6 is the mutual-authentication response
by the server In the third phase, the client forwards the application
server ticket ticketV, along with a new authenticator
HOW IT WORKS? AuthenticatorC2 encrypted with the session key obtained
It basically involves THREE primary phases when a in the second phase Kc,v, to the application server,
client wishes to authenticate to an application server. requesting certain service. The application server ticket
Phase 1: LOGIN / Requesting ticket granting ticket plus the secret session key are the client's credentials to
(TGT) be authenticated to a specific application server. If all
In the first phase, the client sends a request to the credentials are valid, the application server will
Kerberos Authentication Server (AS) requesting a ticket authenticate the client and provide the service. The
granting ticket ticket(tgs) to be used in the second phase acknowledgement message from the application server is
with the Ticket Granting Server (TGS). The AS is optional and used only when the system requires mutual
expected to reply with a message consisting of a ticket authentication by the application server.
granting ticket ticket(tgs) of lifetime lifetime2 and an
encrypted component containing a fresh session key II. ANALYSIS OF KERBEROS WEAKNESSES
Kc,tgs to be shared between the client and the TGS.
Another copy of this session key is contained in the Vulnerability to password guessing attacks -
Ticket granting ticket and is encrypted using the long- Kerberos is vulnerable to password guessing attacks. The
term secret key of the TGS Ktgs which is shared between Kerberos message includes material encrypted with a key
TGS and Kerberos infrastructure (the AS can access the based on the client's password. An opponent can capture
database of Kerberos infrastructure). The information this message and attempt to decrypt it by trying various
directed to the client is encrypted under the client's long- passwords. If the result of a test decryption is of the
term secret key KC. proper form, then the opponent has discovered the client's
Phase 2: Requesting service granting ticket (SGT) password and may subsequently use it to gain
In the second phase, the client forwards the ticket authentication credentials from Kerberos.
granting ticket, along with an authenticator Dependency on system clock synchronization – The
AuthenticatorC1 encrypted with the session key Kc,tgs system clock of the hosts that are involved in the protocol
obtained in the first phase, to the TGS, requesting a should be synchronized. The tickets have a time
service ticket to be used in the third phase with the availability period and if the host clock is not
application server. The TGS is expected to reply with a synchronized with the Kerberos server clock, the
message consisting of an application server ticket ticketV authentication will fail. In practice, Network Time
of lifetime lifetime4 and an encrypted component Protocol daemons are usually used to keep the host clocks
containing a fresh session key Kc,v to be shared between synchronized.
the client and the application server. Another copy of this

184 http://sites.google.com/site/ijcsis/
ISSN 1947-5500
(IJCSIS) International Journal of Computer Science and Information Security,
Vol. 9, No. 6, June 2011

Continuous availability of the KDC - Kerberos requirements there can be additional, read-only copies of
requires continuous availability of the KDC. When the the database on slave machines elsewhere in the system.
KDC is down, the system will suffer from the single point The advantages of having multiple copies of the
of failure problem. This can be mitigated by using database are higher availability and better performance. If
multiple Kerberos servers. the master machine is down, authentication can still be
Lack of standards to explain administration - There achieved on one of the slave machines. The ability to
are no standards to explain the administration of the perform authentication on any one of several machines
Kerberos protocol. This will differ between server reduces the probability of a bottleneck at the master
implementations machine
• Load Balance Kerberos Authentication Servers:
DESIGN CHALLENGES To scale performance, clustering technology can be
Deciding appropriate lifetime for a ticket - used for Kerberos servers. Once the architecture is
The ticket lifetime problem is a puzzle situation properly designed to use clustering technology, incoming
between security and convenience. If the life of a ticket is IP traffic can be distributed across multiple cluster hosts.
long, then if a ticket and its associated session key are If one of the cluster systems fails, network
stolen or misplaced, they can be used for a longer period architecture should support in detecting the failure on the
of time. Such information can be stolen if a user forgets fly. The requests can be automatically redistributed
to log out of a public workstation surviving hosts
If a user has been authenticated on a system that allows There are different ways to look at this unique problem
multiple users, a “super user” or a user having access as in real world. One of the way to sort this issues is by
“root user” might be able to find the information needed keeping keys independent of passwords. As the keys are
to use stolen tickets (of other users). not at all derived from password, there is no easy way to
Also, the obvious problem with giving a ticket a short crack the key code and or read the contents, thus we can
lifetime is that when it expires the user will have to obtain possibly eliminate password guessing attacks.
a new ticket. In this case it requires the user to enter the The principal’s secret key will be independent of the
password again. user password to overcome the weak passwords chosen
Allowing proxies requests / proxy services / on-behalf by the network principals that are susceptible to password
services- guessing attacks, the main drawback of Kerberos
How can an authenticated user allow a server to acquire protocol. Instead the Kerberos distribution center saves a
other network services on her/his behalf? An open profile for every instance in its realm to generate the
problem is the proxy problem. This is applicable for principal secret key by hashing the profile, and
scenarios when authentication forwarding is not desirable encrypting the output digest
but still remote accesses are needed.
An example of this problem is what we call III. KERBEROS EXTENSION THROUGH PUBLIC
authentication forwarding. If a user is logged into a KEY (PKINIT)
workstation and logs in to a remote host, it would be nice Authentication in Kerberos (PKINIT)
if the user can access to the local data (workstation data) Microsoft, CyberSafe and Heimdal have all adopted
while running a program on the remote host. What makes PKINIT in their implementations of Kerberos. The
this difficult is that the user might not trust the remote specification defines how public-key cryptography can be
host, thus authentication forwarding is not desirable in all used to secure the initial authentication procedure.
cases. Steps:
How to guarantee workstation integrity: i. The KDC receives AS_REQ and verifies the
Another problem, and one that is important in the Athena client’s digital signature
environment, is how to guarantee the integrity of the ii.The KDC encrypts the TGT using the client’s
software running on a workstation. This is not so much of public key, and transmit it in AS_REP. This message is
a problem on private workstations since the user that will signed by the KDC with its private key.
be using it has control over it. On public workstations, iii.The client validates AS_REP using KDC’s public
however, someone might have come along and modified key
the login program to save the user's password. The only iv. TGT.
solution presently available in our environment is to v.The client proceeds with standard symmetric
make it difficult for people to modify software running on cryptography and secret keys.
the public workstations.
IV. KERBEROS EXTESIONS IN REAL WORLD
POSSIBLE AREAS FOR MINIMIZING RISKS
1. ACTIVE DIRECTORY IMPLEMENTATIONS
MINIMIZE RISKS WITH OPTIMUM OVERHEADS USING KERBEROS
• Kerberos Database Replication: “Kerberos has replaced NTLM as the default
Each Kerberos realm has a master Kerberos authentication protocol in an Active Directory based
machine, which houses the master copy of the single sign-on scheme, Kerberos is an integral part of
authentication database. To meet high availability Windows Active Directory implementations”

185 http://sites.google.com/site/ijcsis/
ISSN 1947-5500
(IJCSIS) International Journal of Computer Science and Information Security,
Vol. 9, No. 6, June 2011

Here are few highlights: supports both Kerberos client and Kerberos server. It is
• The Active Directory domain controller maintains being used in following areas:
user account and log-in information to support the Network File System (NFS) Version 4 deployment,
Kerberos service IBM DB2® Universal Database™ (DB2® UDB™)
• The process of authenticating the identity of users security,
during log-in is the first step in gaining system access Kerberized AIX integrated login,
• In domain environments, Microsoft has coupled Enterprise-wide authentication and more….
Active Directory closely with Kerberos.
• A TGT and a service ticket are needed to access
services on remote computers, but they are also required
to successfully log on to a local system.
• When the log-on window appears, password
encryption using a one-way hash algorithm occurs
immediately and negotiations commence with the KDC
for a valid TGT and service ticket.
• The process is the same as accessing a remote
service.
• An access token is created for the user containing all
security groups to which they belong.
This access token is attached to the user's log-on session
and is subsequently inherited by any process or
application the user starts Figure 3: Kerberized authentication in IBM-AIX for
Windows Terminal Services
NTLM – NT LAN Manager is suite of Microsoft
security protocols. NTLM does not support any recent Below figure (figure no 9) shows 3 entities
cryptographic methods, such as AES or SHA-256. I. IBM AIX V5.3 Server – acts as KDC
Therefore, applications are generally advised not to use II. Windows 2003 Server - This is to authentication
NTLM. But NTLM is still used in situations where a terminal service users with IBM KDC which is
domain controller is not available or is unreachable. For hosted on AIX
example, NTLM would be used if a client is not III. Windows Terminal Service Client – user looking
Kerberos capable, the server is not joined to a domain, for interpretability across Windows and IBM AIX.
or the user is remotely authenticating over the web.

2.ADVANCE SECURITY WITH ORACLE
DATABASE 11g
“Oracle Advanced Security provides strong
authentication solutions as an alternative to traditional
password based authentication”
• Oracle Advanced Security supports Kerberos, PKI.
• Oracle Advanced Security enables database users to
achieve single sign-on to the Oracle database in Figure 4: Sample login window through Windows
Windows environments in conjunction with a Microsoft Terminal Services
KDC.
• Oracle Advanced Security includes a Kerberos client Benefits of below setup:
that is compatible with a Kerberos v5 ticket that is I. Gives kerberized authentication for Terminal Service
issued by any MIT v5 compliant Kerberos server or Users.
Microsoft KDC. II. Allows user to have uniform user id and password
• Oracle Advanced Security provides Kerberos cross across AIX and Windows Server System.
realm support allowing Kerberos principals in one realm
to authenticate to Kerberos principals in another realm. 4. SINGLE SIGN-ON (SSO) AND KERBEROS IN
Oracle Advanced Security Kerberos includes support for MAC OS X
principal names up to 2000 characters in length. While security is vitally very important, user need the
convenience of entering their passwords just once in
3. KERBERIZED AUTHENTICATION IN IBM-AIX order to gain access to system and services such as
“Many enterprises worldwide use IBM NAS for AIX websites, file shares and printers.
as the Key Distribution Center for their Kerberos To address the need for Single Sign-On (SSO) while
realm.” safeguarding critical data and passwords, Mac OS X
IBM Version of Kerberos is referred as IBM Network implements Kerberos, the open-source, SSO
Authentication Service (IBM NAS). IBM NAS for AIX authentication protocol.
Mac OS X uniquely supports highly secure peer-to-

186 http://sites.google.com/site/ijcsis/
ISSN 1947-5500
(IJCSIS) International Journal of Computer Science and Information Security,
Vol. 9, No. 6, June 2011

peer communications between anonymous machines
using local KDCs and Public Key Cryptography for
Initial Authentication (PKINIT)

IV. CONCLUSION
In this paper, we have analyzed Kerberos and its
potential areas for optimization and extension.
Authentication is critical for the security of computer
systems. Traditional authentication methods are not
suitable for use in computer networks where attackers
monitor network traffic to intercept passwords. Through
detail analysis of Kerberos we have learned that Kerberos
is conceptually well suited for authentication of users in
distributed and open environments.
We have analyzed PKINIT and find that PKINIT is a
Kerberos Extension that moves Kerberos beyond
password based authentication to public key
cryptography, which provides greater scalability. EPAK
builds on ideas from PKINIT and other public key
extensions to enhance Kerberos in similar ways.

REFERENCES
[1] L. Zhu and B. Tung. RFC: 4556: Public Key
Cryptography for Initial Authentication in Kerberos
(PKINIT), Jun 2006
[2l-Emam, E. Koutb, M. Kelash, H. Allah, O.F.
Egyptian Space Program, Nat. Authority for Remote
Sensing & Space Sci., Cairo, Egypt "An optimized
Kerberos authentication protocol ",Dec 2009
[3 P. Hellewell. Extensible Pre-Authentication in
Kerberos. Master’s thesis, Computer Science
Department, Brigham Young University, Aug 2007
[4] M. BellovinandM. Merritt, Limitations of the
Kerberos authenication
system, ComputerCommun. Rev., vol. 20, no. 5, pp. 1 19-
1 32, Oct. 1990.
I51 G. A. Champine, D. E. Geer, Jr.. and William N.
Ruh. Project Athena as a distributed computer system,
IEEE Computer, vol. 23, no. 9, pp. 40-51,S ept. 1990.
[6] S. Chokhani. Toward a national public key
infrastructure. IEEE Commun. Mag.in this issue.
[7] Computer Emergency Response Team, Ongoing
network monitoring attacks, CERT Advisory CA-94:01,F
eb. 3, 1994.
[8] CyberSAFE Corporation. Deploying Kerberos for
large organizations. Technical Report 94-47. CyberSAFE
Corporation, 2443 152 and Avenue NE, Redmond WA
98052 USA; tr-request@ocsg.com.
[9l D. E. Denning and G. M. Sacco, Timestamps in key
distribution protocols, Commun. of the ACM. vol. 24, no.
8. pp. 533-536,A ug. 1981.
[11] B. Jarpan, Kerberos users'frequentlyasked
questions, periodically posted to Usenet newsgroup
comp.protoco1s.kerberos. April 1994.
[12] S. T. Kent, Internet privacy enhanced mail,
Commun. of the ACM. vol 36, no. 8. pp. 48-60, Aug.
1993.
[13] J T. Kohl and B. C. Neuman. The Kerberos network
authentication service. Internet RFC 1510, September
1993.

187 http://sites.google.com/site/ijcsis/
ISSN 1947-5500