Transcript of the 23-slide deck "Kerberos" by Anita Jones, November, 2006.

Page 1: Title

Kerberos
Anita Jones
November, 2006

Page 2: Kerberos*: Objective

Assumed environment
– Open distributed environment
– Wireless and Ethernetted
– Users wish to access services on servers
– Need to restrict access to authorized users
– Need to authenticate requests for service

* Greek mythology – many-headed dog who guards the entrance to Hades
* Implemented at MIT as part of Project Athena

Page 3: Kerberos: Objective

Provide authentication service
– Clients to servers
– Servers to clients

Page 4: Kerberos: Strategy

What NOT to do:
– Does not rely on workstation OS to assure identity of clients/users
– Does not rely on server to provide stand-alone authentication service
– Does not force clients to prove identity over and over
– Does not rely on client to determine identity of each service invoked

Provide an authentication service

Page 5: When is authentication useful?

– Once per creation of new user
– Once per user logon session
– Once per type of service
– Once per service session
– Once per service request

Kerberos provides the middle three services

Page 6: Kerberos: Strategy

“Knows” about the existence of users and servers
– Shares (different) symmetric key with each
  More recent versions of Kerberos use public/private keys
  We will not discuss key distribution here

Uses “capabilities” – calls them “tickets”
– Key property – tickets are unforgeable

Passes out tickets on request
– Key points – form of the tickets, when they are useful, and where they are useful

Page 7: Kerberos: Strategy – more detail

Kerberos has a table of
– Identity of users & servers
– Net address of clients & servers
– Current user password

Key/password distribution, i.e. initialization & update, discussed earlier in course

Uses DES for encryption

Kerberos provides a “Ticket granting server” (tgs). Tickets that it creates must be
– Unforgeable
– Non-replayable
– Authenticated

Page 8: Assumption – key sharing

Kerberos composed of AS plus TGS

AS (authentication server) shares a secret key with each user
– Typically called ID_C; C is the client machine

TGS (ticket granting server)
– TGS shares secret key with each known server
– Server machine and server software notated as the same

Each user and service share a secret key

Page 9: Three authentication services

Transactions:
– Authenticate user – client machine talks to AS (authentication service) when user logs on
  User receives authentication ticket (ticket-granting ticket)
– Get ticket to use a server – client machine talks to TGS when user first wants to use a particular service
  User receives a service-granting ticket
– Service session – client workstation proffers ticket to server that is good for the session
  User may require server to authenticate self to user

Page 10: Protocol 1 – get ticket-granting ticket (simple illustration)

Once per client logon session:

1. C → AS: ID_C, ID_tgs
2. AS → C: E_{K_C}[ ticket_tgs ]

Notes:
“comma” indicates concatenation
AS is authentication service of Kerberos
ID_C – name of the user on client C
ID_tgs – client C is asking for TGS service from Kerberos
E_{K_C} is encryption with key derived from C’s password
ticket_tgs – ticket C uses to get service from TGS

Page 11: Ticket (ticket-granting ticket) from TGS

ticket_tgs = E_{K_tgs}[ ID_C, AD_C, ID_tgs, Time1, Lifetime1 ]

Notes:
E_{K_tgs} – key known only to AS and TGS
ID_C – identity of client C
AD_C – network address of C
Time1 – TGS-created time stamp
Lifetime1 – ticket lifetime

Page 12: Protocol 2 – get service-granting ticket (simple illustration)

Get service-granting ticket – at first request for a particular service

1. C → TGS: ID_C, ID_V, ticket_tgs
2. TGS → C: ticket_V

Notes:
ticket_V is ticket that server V will accept as valid
TGS knows whether ID_C is allowed to use service V
ticket_V has same form as ticket_tgs

Page 13: Ticket (service V) from TGS

ticket_V = E_{K_V,tgs}[ ID_C, AD_C, ID_V, Time2, Lifetime2 ]

Notes:
E_{K_V,tgs} – key known only to TGS and V
ID_C – identity of user on client C
AD_C – network address of C
Time2 – TGS-created time stamp
Lifetime2 – ticket lifetime

Page 14: Protocol 3 – to obtain the service (simple illustration)

Once per service session:

1. C → V: ID_C, ticket_V

Note: C gives user name & submits ticket for V’s service

Page 15: It ain’t quite that simple

Tickets are a little more complex
– Time stamps – limit replay of requests for tickets
– Ensure clocks of various computers are sufficiently in synch
– Tickets have a “lifetime” validity stamp

We have not dealt with users who rove among multiple workstations
– Client/user and the client’s workstation OS are not the same thing

Page 16: Protocol 1 – more complete: get ticket-granting ticket

Once per client logon session:

1. C → AS: ID_C, ID_tgs, Time1
2. AS → C: E_{K_C}[ K_C,tgs, ID_tgs, Time2, Lifetime2, ticket_tgs ]

Notes:
Time1 is time from C’s clock; AS assures that clocks are sufficiently in synch
E_{K_C} – encryption with key derived from ID_C’s password
K_C,tgs – session key created by TGS; permits secure exchange for AS & ID_C for the session

Page 17: Full ticket-granting ticket

ticket_tgs = E_{K_tgs}[ K_C,tgs, ID_C, AD_C, ID_tgs, Time2, Lifetime2 ]

Notes:
E_{K_tgs} – key known only to AS and TGS
K_C,tgs – session key available to user; permits secure exchange for TGS & C for the session
ID_C – identifier for user on machine C
AD_C – network address of machine C
Time2 – time stamp created for this ticket
Lifetime2 – ticket lifetime

Page 18: Protocol 2 – get service-granting ticket (fuller illustration)

Get service-granting ticket – at first request for a particular service

1. C → TGS: ID_V, ticket_tgs, auth_C
2. TGS → C: E_{K_C,tgs}[ K_C,V, ID_V, Time4, ticket_V ]

Notes:
ticket_V – ticket that server will accept as valid and then deliver service
K_C,V – secure session key that C and server V use
auth_C – generated by user to validate ticket; encrypted with K_C,tgs

Page 19: Full service-granting ticket

ticket_V = E_{K_V,tgs}[ K_C,V, ID_C, AD_C, ID_V, Time4, Lifetime4 ]

Notes:
E_{K_V,tgs} – key derived from server’s password; known only to TGS and V; prevents tampering
K_C,V – session key available to user; permits secure exchange for V & ID_C for the session
ID_C – identifier of user on C; ditto V
AD_C – network address of C
Time4 – time stamp created for this ticket
Lifetime4 – ticket lifetime

Page 20: Authenticator (auth_C)

auth_C = E_{K_C,tgs}[ ID_C, AD_C, Time3 ]

Notes:
Authenticator created by user to assure TGS that ticket presenter is same as user for whom ticket was issued; intended for one-time use; timestamp limits replay
K_C,tgs – session key available to user; permits secure exchange for TGS & ID_C for the session
Time3 – time stamp created for this authenticator

Page 21: Protocol 3 – to gain service (fuller illustration)

Once per service session:

1. C → V: ticket_V, auth_C
2. V → C: E_{K_C,V}[ Time5 + 1 ]

Notes:
Step 2 is for server V to authenticate to client C
auth_C is similar to that in protocol 2; includes Time5

Page 22: Authenticator (auth_C)

auth_C = E_{K_C,V}[ ID_C, AD_C, Time5 ]

Notes:
Authenticator created by user to assure V that ticket presenter is same as user for whom ticket was issued; intended for one-time use; timestamp limits replay
K_C,V – session key available to user and V; permits secure session exchange for V & ID_C
Time5 – time stamp created for this authenticator
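As an added worked example (not from the slides), here is a stdlib-only Python run of the fuller Protocols 1 to 3 from pages 16 to 22, including the authenticator checks of pages 20 and 22: the AS, TGS and V sides each verify what the slides require (clock synch, ticket lifetime, ID/address match between ticket and authenticator, one-time authenticators) and V answers with Time5 + 1. The toy authenticated cipher standing in for DES, the principal names, the addresses and the password are all constructed assumptions.

```python
# Added example, not from the slides: the fuller Protocols 1-3 end to end, stdlib only.
# E_K[...] is a toy authenticated cipher standing in for DES; names/keys/addresses are constructed.
import hashlib, hmac, json, os, time

def _ks(key, nonce, n):                 # counter-mode keystream of n bytes (toy, not DES)
    return b"".join(hashlib.sha256(f"{key}{nonce}{i}".encode()).digest() for i in range(n // 32 + 1))[:n]
def E(key, fields):                     # E_K[ f1, f2, ... ]; "comma" = concatenation; returns hex
    nonce, data = os.urandom(16).hex(), json.dumps(fields).encode()
    ct = bytes(a ^ b for a, b in zip(data, _ks(key, nonce, len(data)))).hex()
    return nonce + ct + hmac.new(key.encode(), (nonce + ct).encode(), "sha256").hexdigest()
def D(key, blob):                       # inverse of E; rejects anything tampered with
    nonce, ct, tag = blob[:32], blob[32:-64], blob[-64:]
    if not hmac.compare_digest(tag, hmac.new(key.encode(), (nonce + ct).encode(), "sha256").hexdigest()):
        raise ValueError("tampered ticket/authenticator")
    return json.loads(bytes(a ^ b for a, b in zip(bytes.fromhex(ct), _ks(key, nonce, len(ct) // 2))))

K_C = hashlib.sha256(b"alice-password").hexdigest()          # derived from ID_C's password (C and AS)
K_TGS, K_VTGS = os.urandom(32).hex(), os.urandom(32).hex()   # K_tgs (AS and TGS), K_V,tgs (TGS and V)
LIFETIME, SKEW, SEEN = 8 * 3600, 300, set()                  # ticket lifetime, clock slack, replay cache

def check(kt, ticket, auth, ad_src, now):   # verifier logic shared by TGS (Protocol 2) and V (Protocol 3)
    sk, id_c, ad_c, _, issued, life = D(kt, ticket)    # only the issuer and this verifier hold kt
    a_id, a_ad, a_time = D(sk, auth)                   # auth_C opens only with the session key in the ticket
    if (a_id, a_ad) != (id_c, ad_c) or ad_src != ad_c:
        raise ValueError("authenticator does not match ticket or source address")
    if not issued <= now <= issued + life or abs(now - a_time) > SKEW:
        raise ValueError("ticket outside its lifetime or authenticator stale")
    if auth in SEEN:                                   # authenticators are one-time use
        raise ValueError("replayed authenticator")
    SEEN.add(auth)
    return sk, id_c, ad_c, a_time
def as_p1(id_c, ad_c, time1, now):      # 1) C -> AS: ID_C, ID_tgs, Time1
    if abs(now - time1) > SKEW: raise ValueError("client clock out of synch")
    k = os.urandom(32).hex()            # K_C,tgs, fresh for this logon session
    tgt = E(K_TGS, [k, id_c, ad_c, "tgs", now, LIFETIME])              # ticket_tgs
    return E(K_C, [k, "tgs", now, LIFETIME, tgt])                      # 2) AS -> C
def tgs_p2(id_v, tgt, auth, ad_src, now):   # 1) C -> TGS: ID_V, ticket_tgs, auth_C
    k_c_tgs, id_c, ad_c, _ = check(K_TGS, tgt, auth, ad_src, now)
    k = os.urandom(32).hex()            # K_C,V, fresh for this service session
    tv = E(K_VTGS, [k, id_c, ad_c, id_v, now, LIFETIME])               # ticket_V
    return E(k_c_tgs, [k, id_v, now, tv])                              # 2) TGS -> C
def v_p3(tv, auth, ad_src, now):        # 1) C -> V: ticket_V, auth_C
    k_cv, _, _, time5 = check(K_VTGS, tv, auth, ad_src, now)
    return E(k_cv, [time5 + 1])         # 2) V -> C: E_{K_C,V}[Time5 + 1], proves V holds K_C,V
def client_session(id_c="alice", ad_c="10.0.0.5", id_v="printer", now=None):
    # C's side of one logon and one service session; True iff V authenticated itself to C
    now = now or int(time.time())
    k, _, _, _, tgt = D(K_C, as_p1(id_c, ad_c, now, now))
    k, _, _, tv = D(k, tgs_p2(id_v, tgt, E(k, [id_c, ad_c, now]), ad_c, now))
    return D(k, v_p3(tv, E(k, [id_c, ad_c, now]), ad_c, now))[0] == now + 1
```

Calling `client_session()` walks all three exchanges; handing the same `auth_C` to `tgs_p2` twice, presenting it from another address, or presenting the ticket after its lifetime makes `check` raise.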

Page 23: Kerberos – End