Risk Assessment of Authentication Protocol: Kerberos by ijcsiseditor


									                                                    (IJCSIS) International Journal of Computer Science and Information Security,
                                                    Vol. 9, No. 6, June 2011

      Risk Assessment of Authentication Protocol:
                           Pathan Mohd. Shafi1, Dr Abdul sattar2, Dr. P. chenna Reddy3
                                     Smtg Kashibai Navale College of Engineering,Pune
                                     Royal Institute of Technology and Science R. R. Dist.
                                       3 JNTU College of Engineering, Pulivendula.

   Abstract—Kerberos is a well-established authentication             Kerberos is a system of authentication developed at MIT
system. As new authentication methods arise, incorporating           (Massachusetts Institute of Technology) as part of the
them into Kerberos is desirable. However, extending                  Athena project. Steve Miller and Clifford Neuman are
Kerberos poses challenges due to a lack of source code               primary designers of Kerberos version 4 (Published year -
availability for some implementations and a lengthy                  1980)Although they had targeted it primarily for project
standardization process.
   This proposal presents important functions, strengths and
                                                                     Athena, Version 5 designed by John Kohl and Clifford
weakness in Kerberos. It details out design issues,                  Neuman ,appeared as PFC 1510 in 1993,with intention of
limitations and risks associated with Kerberos. This                 overcoming the limitations and security problems of
proposal also explains one more aspect that is                       version 4.
“extensibility” with Kerberos. This proposal also briefs                The Kerberos protocol involves use of a trusted third
Kerberos enhancements for using public-key cryptography.             party known as the Key Distribution Center (KDC) to
It discusses scalability and security needs & how public-key         negotiate shared session keys between clients and
helps in accomplishing these goals. At the end it focuses on         services and provide mutual authentication between them.
commercial application/services those uses Kerberos rigidly.            Kerberos differs from many other distributed security
   This proposal on pre-authentication. A Pre-
Authentication in Kerberos (EPAK) is Kerberos extension
                                                                     systems in its ability to incorporate a very wide range of
which enables many authentication methods to be loosely              security technologies and mechanisms. Kerberos has
coupled with Kerberos, without further modification to               risen from a well-respected authentication standard to a
Kerberos. Why pre-authentication is necessary? An                    leading security infrastructure component in recent years,
attacker usually impersonates user by obtaining                      for example Microsoft announced that Microsoft Active
authentication responses & performs offline dictionary               Directory would support the protocol for authentication
attacks against the encrypted data, this is a likely attack          purposes within Windows Primary Domain Controllers.
with Kerberos. Thus “pre-authentication” can lower the
possibility for offline password-guessing attacks. We also           MOTIVATION
discuss two prototype examples to understand flexibility
Kerberos using EPAK .It uses public key approach which is
                                                                     Today, open & distributed architectures are widely used
very resource consuming but in the era of wireless                   across organizations, companies, offices & IT services. In
communication and mobile devices we need to find the light           general such open & distributed environments consist of
weight application.                                                  dedicated workstations and distributed or centralized
   Kerberos has grown to become the most widely deployed             servers. In open environment user requires to prove
system for authentication and authorization in modern                identity for each service invoked, and in turn server(s)
computer networks. Kerberos is currently shipped with all            also require proving their identity to clients. The process
major computer operating systems and is uniquely                     of verifying the user's identity is called authentication.
positioned to become a universal solution to the distributed           Traditional     Kerberos       provides      a    centralize
authentication      and      authorization    problem     of
communicating parties.
                                                                     authentication server whose function is to authenticate
                                                                     users to servers and servers to users. The authentication
                    I. INTRODUCTION                                  service in open environments can made more secure by
                                                                     enhancing or extending Kerberos. New authentication
Authentication is critical for the security Computer                 systems need to integrate more easily into Kerberos to
systems. Without knowledge of a principal requesting an              increase their usability and performance without
operation, it is difficult to decide whether the operation           changing existing Kerberos base security framework.
should be allowed. Traditional authentication methods are
not suitable for use in computer networks where attackers            UNDERSTANDING KERBEROS
monitor network traffic to intercept passwords. The use                Kerberos is a network authentication protocol based on
of strong authentication methods that do not disclose                conventional cryptography that relies on symmetrical
passwords is imperative. The Kerberos authentication                 cryptographic algorithms that use the same key for
system is well suited for authentication of users in such            encryption as for decryption. Network authentication
environments                                                         protocols do two things: help you discover who is on the
                                                                     other end of the wire, and help you and your peer
                                                                     exchange a cryptographic key (also known as a session

                                                               183                                  http://sites.google.com/site/ijcsis/
                                                                                                    ISSN 1947-5500
                                                   (IJCSIS) International Journal of Computer Science and Information Security,
                                                   Vol. 9, No. 6, June 2011

key) so you can maintain integrity and confidentiality               session key is contained in the application server ticket
protection for the ensuing conversation.                             ticketV and is encrypted using the long-term secret key
                                                                     of the application server KV which is shared between the
                                                                     application server and the Kerberos infrastructure (the
                                                                     TGS can access the database of the Kerberos
                                                                     infrastructure). The information directed to the client is
                                                                     encrypted with the session key of the first stage Kc,tgs.
                                                                        Phase 3: Contacting application server / Requesting
                                                                     specific service

              Figure 1. Kerberos overview

   Exchange between the client and the Kerberos AS
(Authentication Server) in messages 1 and 2 are used
only when the user first logs in to the system. Exchange
between the client and the Kerberos TGS (Ticket
Granting Server) in Messages 3 and 4 are used whenever
a user authenticates to a new server. Message 5 is used
each time the user authenticates itself to a server. And                     Figure 2 - Kerberos authentication dialog
finally, Message 6 is the mutual-authentication response
by the server                                                          In the third phase, the client forwards the application
                                                                     server ticket ticketV, along with a new authenticator
HOW IT WORKS?                                                        AuthenticatorC2 encrypted with the session key obtained
   It basically involves THREE primary phases when a                 in the second phase Kc,v, to the application server,
client wishes to authenticate to an application server.              requesting certain service. The application server ticket
   Phase 1: LOGIN / Requesting ticket granting ticket                plus the secret session key are the client's credentials to
(TGT)                                                                be authenticated to a specific application server. If all
   In the first phase, the client sends a request to the             credentials are valid, the application server will
Kerberos Authentication Server (AS) requesting a ticket              authenticate the client and provide the service. The
granting ticket ticket(tgs) to be used in the second phase           acknowledgement message from the application server is
with the Ticket Granting Server (TGS). The AS is                     optional and used only when the system requires mutual
expected to reply with a message consisting of a ticket              authentication by the application server.
granting ticket ticket(tgs) of lifetime lifetime2 and an
encrypted component containing a fresh session key                       II. ANALYSIS OF KERBEROS WEAKNESSES
Kc,tgs to be shared between the client and the TGS.
Another copy of this session key is contained in the                   Vulnerability to password guessing attacks -
Ticket granting ticket and is encrypted using the long-              Kerberos is vulnerable to password guessing attacks. The
term secret key of the TGS Ktgs which is shared between              Kerberos message includes material encrypted with a key
TGS and Kerberos infrastructure (the AS can access the               based on the client's password. An opponent can capture
database of Kerberos infrastructure). The information                this message and attempt to decrypt it by trying various
directed to the client is encrypted under the client's long-         passwords. If the result of a test decryption is of the
term secret key KC.                                                  proper form, then the opponent has discovered the client's
Phase 2: Requesting service granting ticket (SGT)                    password and may subsequently use it to gain
   In the second phase, the client forwards the ticket               authentication credentials from Kerberos.
granting ticket, along with an authenticator                           Dependency on system clock synchronization – The
AuthenticatorC1 encrypted with the session key Kc,tgs                system clock of the hosts that are involved in the protocol
obtained in the first phase, to the TGS, requesting a                should be synchronized. The tickets have a time
service ticket to be used in the third phase with the                availability period and if the host clock is not
application server. The TGS is expected to reply with a              synchronized with the Kerberos server clock, the
message consisting of an application server ticket ticketV           authentication will fail. In practice, Network Time
of lifetime lifetime4 and an encrypted component                     Protocol daemons are usually used to keep the host clocks
containing a fresh session key Kc,v to be shared between             synchronized.
the client and the application server. Another copy of this

                                                               184                                http://sites.google.com/site/ijcsis/
                                                                                                  ISSN 1947-5500
                                                    (IJCSIS) International Journal of Computer Science and Information Security,
                                                    Vol. 9, No. 6, June 2011

  Continuous availability of the KDC - Kerberos                       requirements there can be additional, read-only copies of
requires continuous availability of the KDC. When the                 the database on slave machines elsewhere in the system.
KDC is down, the system will suffer from the single point                 The advantages of having multiple copies of the
of failure problem. This can be mitigated by using                    database are higher availability and better performance. If
multiple Kerberos servers.                                            the master machine is down, authentication can still be
  Lack of standards to explain administration - There                 achieved on one of the slave machines. The ability to
are no standards to explain the administration of the                 perform authentication on any one of several machines
Kerberos protocol. This will differ between server                    reduces the probability of a bottleneck at the master
implementations                                                       machine
                                                                        • Load Balance Kerberos Authentication Servers:
   DESIGN CHALLENGES                                                         To scale performance, clustering technology can be
   Deciding appropriate lifetime for a ticket -                       used for Kerberos servers. Once the architecture is
    The ticket lifetime problem is a puzzle situation                 properly designed to use clustering technology, incoming
between security and convenience. If the life of a ticket is          IP traffic can be distributed across multiple cluster hosts.
long, then if a ticket and its associated session key are                   If one of the cluster systems fails, network
stolen or misplaced, they can be used for a longer period             architecture should support in detecting the failure on the
of time. Such information can be stolen if a user forgets             fly. The requests can be automatically redistributed
to log out of a public workstation                                    surviving hosts
   If a user has been authenticated on a system that allows              There are different ways to look at this unique problem
multiple users, a “super user” or a user having access as             in real world. One of the way to sort this issues is by
“root user” might be able to find the information needed              keeping keys independent of passwords. As the keys are
to use stolen tickets (of other users).                               not at all derived from password, there is no easy way to
Also, the obvious problem with giving a ticket a short                crack the key code and or read the contents, thus we can
lifetime is that when it expires the user will have to obtain         possibly eliminate password guessing attacks.
a new ticket. In this case it requires the user to enter the             The principal’s secret key will be independent of the
password again.                                                       user password to overcome the weak passwords chosen
  Allowing proxies requests / proxy services / on-behalf              by the network principals that are susceptible to password
services-                                                             guessing attacks, the main drawback of Kerberos
  How can an authenticated user allow a server to acquire             protocol. Instead the Kerberos distribution center saves a
other network services on her/his behalf? An open                     profile for every instance in its realm to generate the
problem is the proxy problem. This is applicable for                  principal secret key by hashing the profile, and
scenarios when authentication forwarding is not desirable             encrypting the output digest
but still remote accesses are needed.
 An example of this problem is what we call                            III. KERBEROS EXTENSION THROUGH PUBLIC
authentication forwarding. If a user is logged into a                  KEY (PKINIT)
workstation and logs in to a remote host, it would be nice              Authentication in Kerberos (PKINIT)
if the user can access to the local data (workstation data)             Microsoft, CyberSafe and Heimdal have all adopted
while running a program on the remote host. What makes                PKINIT in their implementations of Kerberos. The
this difficult is that the user might not trust the remote            specification defines how public-key cryptography can be
host, thus authentication forwarding is not desirable in all          used to secure the initial authentication procedure.
cases.                                                                 Steps:
How to guarantee workstation integrity:                                    i. The KDC receives AS_REQ and verifies the
 Another problem, and one that is important in the Athena               client’s digital signature
environment, is how to guarantee the integrity of the                     ii.The KDC encrypts the TGT using the client’s
software running on a workstation. This is not so much of               public key, and transmit it in AS_REP. This message is
a problem on private workstations since the user that will              signed by the KDC with its private key.
be using it has control over it. On public workstations,                 iii.The client validates AS_REP using KDC’s public
however, someone might have come along and modified                     key
the login program to save the user's password. The only                  iv. TGT.
solution presently available in our environment is to                     v.The client proceeds with standard symmetric
make it difficult for people to modify software running on              cryptography and secret keys.
the public workstations.
                                                                         IV. KERBEROS EXTESIONS IN REAL WORLD
                                                                       1. ACTIVE DIRECTORY IMPLEMENTATIONS
  •      Kerberos Database Replication:                                   “Kerberos has replaced NTLM as the default
     Each Kerberos realm has a master Kerberos                         authentication protocol in an Active Directory based
machine, which houses the master copy of the                           single sign-on scheme, Kerberos is an integral part of
authentication database. To meet high availability                     Windows Active Directory implementations”

                                                                185                                 http://sites.google.com/site/ijcsis/
                                                                                                    ISSN 1947-5500
                                                 (IJCSIS) International Journal of Computer Science and Information Security,
                                                 Vol. 9, No. 6, June 2011

Here are few highlights:                                            supports both Kerberos client and Kerberos server. It is
• The Active Directory domain controller maintains                  being used in following areas:
user account and log-in information to support the                    Network File System (NFS) Version 4 deployment,
Kerberos service                                                      IBM DB2® Universal Database™ (DB2® UDB™)
• The process of authenticating the identity of users               security,
during log-in is the first step in gaining system access              Kerberized AIX integrated login,
• In domain environments, Microsoft has coupled                       Enterprise-wide authentication and more….
Active Directory closely with Kerberos.
• A TGT and a service ticket are needed to access
services on remote computers, but they are also required
to successfully log on to a local system.
• When the log-on window appears, password
encryption using a one-way hash algorithm occurs
immediately and negotiations commence with the KDC
for a valid TGT and service ticket.
• The process is the same as accessing a remote
• An access token is created for the user containing all
security groups to which they belong.
This access token is attached to the user's log-on session
and is subsequently inherited by any process or
application the user starts                                         Figure 3: Kerberized authentication in IBM-AIX for
                                                                    Windows Terminal Services
NTLM – NT LAN Manager is suite of Microsoft
security protocols. NTLM does not support any recent                Below figure (figure no 9) shows 3 entities
cryptographic methods, such as AES or SHA-256.                        I. IBM AIX V5.3 Server – acts as KDC
Therefore, applications are generally advised not to use             II. Windows 2003 Server - This is to authentication
NTLM. But NTLM is still used in situations where a                      terminal service users with IBM KDC which is
domain controller is not available or is unreachable. For               hosted on AIX
example, NTLM would be used if a client is not                      III. Windows Terminal Service Client – user looking
Kerberos capable, the server is not joined to a domain,                 for interpretability across Windows and IBM AIX.
or the user is remotely authenticating over the web.

2.ADVANCE          SECURITY        WITH        ORACLE
   “Oracle Advanced Security provides strong
authentication solutions as an alternative to traditional
password based authentication”
• Oracle Advanced Security supports Kerberos, PKI.
• Oracle Advanced Security enables database users to
achieve single sign-on to the Oracle database in                    Figure 4: Sample login window through Windows
Windows environments in conjunction with a Microsoft                Terminal Services
• Oracle Advanced Security includes a Kerberos client               Benefits of below setup:
that is compatible with a Kerberos v5 ticket that is                I. Gives kerberized authentication for Terminal Service
issued by any MIT v5 compliant Kerberos server or                     Users.
Microsoft KDC.                                                     II. Allows user to have uniform user id and password
• Oracle Advanced Security provides Kerberos cross                    across AIX and Windows Server System.
realm support allowing Kerberos principals in one realm
to authenticate to Kerberos principals in another realm.            4.  SINGLE SIGN-ON (SSO) AND KERBEROS IN
Oracle Advanced Security Kerberos includes support for                  MAC OS X
principal names up to 2000 characters in length.                       While security is vitally very important, user need the
                                                                    convenience of entering their passwords just once in
3. KERBERIZED AUTHENTICATION IN IBM-AIX                             order to gain access to system and services such as
   “Many enterprises worldwide use IBM NAS for AIX                  websites, file shares and printers.
 as the Key Distribution Center for their Kerberos                   To address the need for Single Sign-On (SSO) while
 realm.”                                                            safeguarding critical data and passwords, Mac OS X
 IBM Version of Kerberos is referred as IBM Network                 implements       Kerberos, the open-source, SSO
 Authentication Service (IBM NAS). IBM NAS for AIX                  authentication protocol.
                                                                      Mac OS X uniquely supports highly secure peer-to-

                                                             186                                http://sites.google.com/site/ijcsis/
                                                                                                ISSN 1947-5500
                                                 (IJCSIS) International Journal of Computer Science and Information Security,
                                                 Vol. 9, No. 6, June 2011

 peer communications between anonymous machines
 using local KDCs and Public Key Cryptography for
 Initial Authentication (PKINIT)

                    IV. CONCLUSION
   In this paper, we have analyzed Kerberos and its
potential areas for optimization and extension.
Authentication is critical for the security of computer
systems. Traditional authentication methods are not
suitable for use in computer networks where attackers
monitor network traffic to intercept passwords. Through
detail analysis of Kerberos we have learned that Kerberos
is conceptually well suited for authentication of users in
distributed and open environments.
    We have analyzed PKINIT and find that PKINIT is a
Kerberos Extension that moves Kerberos beyond
password based authentication to public key
cryptography, which provides greater scalability. EPAK
builds on ideas from PKINIT and other public key
extensions to enhance Kerberos in similar ways.

[1] L. Zhu and B. Tung. RFC: 4556: Public Key
Cryptography for Initial Authentication in Kerberos
(PKINIT), Jun 2006
[2l-Emam, E. Koutb, M. Kelash, H. Allah, O.F.
Egyptian Space Program, Nat. Authority for Remote
Sensing & Space Sci., Cairo, Egypt "An optimized
Kerberos authentication protocol ",Dec 2009
[3 P. Hellewell. Extensible Pre-Authentication in
Kerberos.     Master’s    thesis,   Computer      Science
Department, Brigham Young University, Aug 2007
[4] M. BellovinandM. Merritt, Limitations of the
Kerberos authenication
system, ComputerCommun. Rev., vol. 20, no. 5, pp. 1 19-
1 32, Oct. 1990.
I51 G. A. Champine, D. E. Geer, Jr.. and William N.
Ruh. Project Athena as a distributed computer system,
IEEE Computer, vol. 23, no. 9, pp. 40-51,S ept. 1990.
[6] S. Chokhani. Toward a national public key
infrastructure. IEEE Commun. Mag.in this issue.
[7] Computer Emergency Response Team, Ongoing
network monitoring attacks, CERT Advisory CA-94:01,F
eb. 3, 1994.
[8] CyberSAFE Corporation. Deploying Kerberos for
large organizations. Technical Report 94-47. CyberSAFE
Corporation, 2443 152 and Avenue NE, Redmond WA
98052 USA; tr-request@ocsg.com.
[9l D. E. Denning and G. M. Sacco, Timestamps in key
distribution protocols, Commun. of the ACM. vol. 24, no.
8. pp. 533-536,A ug. 1981.
 [11] B. Jarpan, Kerberos users'frequentlyasked
questions, periodically posted to Usenet newsgroup
comp.protoco1s.kerberos. April 1994.
[12] S. T. Kent, Internet privacy enhanced mail,
Commun. of the ACM. vol 36, no. 8. pp. 48-60, Aug.
[13] J T. Kohl and B. C. Neuman. The Kerberos network
authentication service. Internet RFC 1510, September

                                                             187                            http://sites.google.com/site/ijcsis/
                                                                                            ISSN 1947-5500

To top