Kerberos
Guilin Wang
School of Computer Science
03 Dec. 2007

Outline
■ Password-based key agreement protocols (continuing our last lecture).
■ Kerberos authentication protocol.

0. Password-based Protocols
■ In the NS protocol, both parties need to share long-term secrets with the server. For humans, long secret keys are not easy to memorize.
■ One naïve approach is to set long-term secrets as passwords.
■ For example, let K_bs = P_bs, a password shared between B and S in the NS protocol.
■ However, this approach is vulnerable to an off-line dictionary attack.
■ That is, an attacker can try each possible P’ to decrypt E_Pbs(K, A). If
P’ is likely the correct password.
■ The off-line dictionary attack works because passwords are short strings with low entropy.
- Enhance the strength of passwords by requiring certain length, format, and randomness.
- Combine the password with a security token.
The following Encrypted Key Exchange (EKE) protocol can resist the off-line dictionary attack:
■ PK is an ephemeral public key generated by A.
■ B transfers K to A using double encryption.
■ Why is the EKE protocol immune to the off-line dictionary attack?
■ The purpose of entity authentication is to prevent impersonation attacks.
■ Authentication is important in key exchange. E.g., the DH protocol is vulnerable to the MITM attack.
■ Actually, key exchange techniques can also be used to realize authentication. Kerberos is such an example.
■ In the literature, the differences between authentication and key exchange are sometimes not very clear.
■ Key exchange usually requires authentication. Otherwise, you are not sure with whom you are agreeing on a session key.
■ However, authentication does not necessarily involve key exchange.
■ For example, a successful authentication can enable a client to enjoy a service without encryption.
■ In Greek mythology, Kerberos is the guardian of Hades, a dog with three heads.
■ In the security community, Kerberos denotes the distributed authentication protocol developed in MIT's Project Athena in the 1980s.
■ Kerberos has been widely accepted in industry.
■ Kerberos has been integrated into Windows and many versions of Unix systems.
■ The full specification of Kerberos Version 5 is given by a draft Internet Standard, RFC 1510.
■ Free source code for different releases of Kerberos is available at the Kerberos website:
In this scenario of distributed networks, there exist at least three threats:
■ User impersonation:
A dishonest user may pretend to be another user from the same workstation.
■ Network address impersonation:
A dishonest user can change the network address of his/her workstation to impersonate another workstation.
■ Eavesdropping, replay attack, and so on.
Attackers may try their best to access network service by mounting different attacks.
Kerberos uses symmetric mechanisms to realize entity authentication and key exchange. Basically, Kerberos uses two kinds of credentials:
■ Tickets:
Issued by a trusted administration server; a ticket shows who is granted access to a specific service.
■ Authenticators:
Used to prove the identity of a communicating client.
This is similar to the following immigration policy, which allows a foreigner to enter a country:
■ Visa (=tickets in Kerberos):
Specifies who is allowed to enter this country and for how many days.
■ Passport (=Authenticators in Kerberos):
Shows your identity, i.e., who you are.
In a Kerberos system, there are three kinds of servers:
■ Kerberos authentication server (AS):
A centralized trusted authentication server for the whole system, which issues long-lifetime tickets.
■ Ticket-granting servers (TGS):
Issue short-lifetime tickets.
■ Service server S:
Provides different services.
Kerberos (Version 5) can be divided into three procedures from the viewpoint of a client:
■ obtaining ticket-granting ticket,
■ obtaining service ticket, and
■ obtaining a concrete service.
We now discuss the details.
■ K_c is derived from the client’s password, which is shared with the AS.
■ K_tgs is a secret key shared between the AS and the TGS.
■ K_1 is a session key that enables the client to authenticate itself to the TGS server.
■ A1 is an authenticator using K_1.
■ K_2 is a session key that enables the client to authenticate itself to the server S.
■ K_s is a secret key shared between the TGS and a server S.
■ A1 is an authenticator using K_2.
■ K_3 is a session key for coming secure communications.
■ The server S authenticates itself to the client in step 6.
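The first procedure (obtaining a ticket-granting ticket and presenting it to the TGS with authenticator A1), as an added example that is not part of the original slides. The cipher is a toy encrypt-then-MAC built from SHA-256 and HMAC, PBKDF2 for K_c is an assumption, and the message fields and function names are constructed for illustration.

```python
import hashlib, hmac, json, os

def _ks(key, nonce, n):
    """SHA-256 counter-mode keystream of n bytes (toy construction)."""
    out = b""
    while len(out) < n:
        out += hashlib.sha256(key + nonce + len(out).to_bytes(4, "big")).digest()
    return out[:n]

def seal(key, obj):
    """Toy encrypt-then-MAC standing in for Kerberos' real cipher."""
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _ks(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or modified message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _ks(key, nonce, len(ct)))))

def password_key(password, principal="alice@EXAMPLE"):
    """K_c: derived from the client's password (PBKDF2 chosen for this demo)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 1000)

def as_issue(k_c, k_tgs, client, now, lifetime=36000):
    """AS: fresh K_1, sent to the client under K_c and inside the TGT under K_tgs."""
    k1 = os.urandom(32).hex()
    tgt = seal(k_tgs, {"client": client, "k1": k1, "expires": now + lifetime})
    return seal(k_c, {"k1": k1}), tgt

def client_request(typed_password, as_reply, client, now):
    """Client: recover K_1 with the typed password, then build authenticator A1."""
    k1 = bytes.fromhex(unseal(password_key(typed_password), as_reply)["k1"])
    return seal(k1, {"client": client, "ts": now})

def tgs_check(k_tgs, tgt, a1, now, max_skew=300):
    """TGS: open the TGT with K_tgs, then open A1 with the K_1 found inside it."""
    t = unseal(k_tgs, tgt)
    a = unseal(bytes.fromhex(t["k1"]), a1)
    return a["client"] == t["client"] and now <= t["expires"] and abs(now - a["ts"]) <= max_skew
```

The client never holds K_tgs, so it can forward the TGT but cannot read or alter it. The integrity failure on a wrong password is also why a reply encrypted under a password-derived key can be tested against password guesses without contacting the AS.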
■ Single Failure Problem: If the AS is down, no user can access any resources. So Kerberos is prone to denial-of-service (DoS) attacks.
- Duplicated AS? Possible, but not easy to maintain.
■ Clock Synchronization is needed, since timestamps are used. Reasonable time interval for clock skew?
- Too short: Rejecting many valid requests.
- Too long: Vulnerable to replay attacks.
■ Limited Scalability: Usually, the AS can support hundreds of thousands of users. Suitable for a university but not for the Internet, where PKIs with digital certificates are better.
■ Off-line Password Attacks: Kerberos is vulnerable to this kind of attack since a message is encrypted with a key derived from the client's password.
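The clock-skew trade-off above, seen from the server's side, as an added example that is not part of the original slides. It assumes an HMAC tag in place of encryption for the authenticator, a 300 s window (five minutes, a common Kerberos default), and constructed names, keys and timestamps; the replay cache is the standard companion to the skew check.

```python
import hashlib, hmac, json

def make_authenticator(session_key, client, ts):
    """Client: bind name and timestamp to the session key (MAC stands in for encryption)."""
    body = json.dumps({"client": client, "ts": ts}).encode()
    return hmac.new(session_key, body, hashlib.sha256).digest() + body

class Verifier:
    """Server: freshness window plus an optional replay cache."""
    def __init__(self, session_key, max_skew, replay_cache=True):
        self.key, self.max_skew, self.replay_cache = session_key, max_skew, replay_cache
        self.seen = {}  # authenticator tag -> timestamp it carried

    def verify(self, blob, ticket_client, now):
        tag, body = blob[:32], blob[32:]
        if not hmac.compare_digest(tag, hmac.new(self.key, body, hashlib.sha256).digest()):
            return "bad-integrity"
        fields = json.loads(body)
        if fields["client"] != ticket_client:
            return "client-mismatch"
        if abs(now - fields["ts"]) > self.max_skew:
            return "skew-too-great"
        # Entries outside the window would fail the skew check anyway, so drop them.
        self.seen = {t: ts for t, ts in self.seen.items() if abs(now - ts) <= self.max_skew}
        if self.replay_cache:
            if tag in self.seen:
                return "replay"
            self.seen[tag] = fields["ts"]
        return "ok"

def demo():
    key, t0 = b"constructed-session-key", 1_000_000  # constructed values
    auth = make_authenticator(key, "alice", t0 - 20)  # client clock runs 20 s slow
    lax = Verifier(key, max_skew=3600, replay_cache=False)
    srv = Verifier(key, max_skew=300)
    return {
        "strict_5s": Verifier(key, max_skew=5).verify(auth, "alice", t0),
        "lax_first": lax.verify(auth, "alice", t0),
        "lax_replayed": lax.verify(auth, "alice", t0 + 1800),
        "first": srv.verify(auth, "alice", t0),
        "replayed": srv.verify(auth, "alice", t0 + 60),
        "after_window": srv.verify(auth, "alice", t0 + 600),
    }

if __name__ == "__main__":
    print(demo())
```

A 5 s window rejects the honest but slightly slow client, a one-hour window without a cache accepts the same authenticator twice, and the 300 s window with a cache accepts it once and only within the window.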
■ Introduced off-line dictionary attack.
■ Briefly discussed the relation between entity authentication and key exchange.
■ Reviewed a practice-oriented authentication protocol: Kerberos.
- Basic ideas
- Technical mechanisms