PROJECTS: Kerberos Research - What is Kerberos?

Page last modified Mon Sep 8 14:55:19 2003

Security Primer

Network security can be divided into four topics:

• Secrecy: Secrecy has to do with restricting access to information by unauthorized entities.
• Authentication: Authentication deals with confirming the identity of a communication partner.
• Non repudiation: Non repudiation deals with signatures, it uniquely identifies the sender of a message or file.
• Integrity control: Integrity control assures that vital data has not been modified.

Of these security areas, Kerberos deals only with authentication. Unlike other centralized authentication services (like LDAP, NIS, NIS+, etc), Kerberos deals only with the security issue of authentication. It does not provide meta information like home directories or provide authorization details such as UID and group information. This means that Kerberos must generally be combined with another information distribution scheme. The effort is generally worth it as Kerberos does the security aspect of authentication very well whereas other technologies tend thave security problems built right into their design.

Who are Alice and Bob?

Cryptography traditionally used the names Alice and Bob to refer to two parties who want to communicate securely over an insecure channel. Eve is the traditional name of someone who wishes to intercept and read their communications.

What is Authentication?

Authentication is the act of verifying the identity of the communication partner. As an example, take Alice, who wishes to deal with Bob, her banker. In real life Bob and Alice can authenticate each other by recognizing each others faces, voices or handwriting. However if they wish to transact over network none of these options are available. How can Bob be sure that the request to transfer all of Alice's money to a secret Swiss bank account came from Alice and not from Eve? This is where an authentication service comes in. Alice starts by sending out a message to Bob. As these messages are being sent, we have Eve, an intruder, who may intercept, modify or replay the messages to trick Alice and Bob or just to be a nuisance. Nevertheless when the authentication is complete, Alice is sure she is talking to Bob and Bob is sure that he is talking to Alice.

What is Kerberos?

Kerberos was created by MIT as a solution to network security problems. The Kerberos protocol uses strong cryptography so that a client can prove its identity to a server (and vice versa) across an insecure network connection. Kerberos provides only one function -- the secure authentication of users on the network. It does not provide authorization fucntions (what those users are able to perform) or auditing fuctions. After a client and server have used Kerberos to prove their identity, they can also encrypt all of their communications to assure privacy and data integrity as they go about their business.

Kerberos is both the name of a network authentication protocol and an adjective to describe programs that implement the program (Kerberos telnet, for example). The current version of the protocol is version 5, described in RFC 1510. Kerberos was designed to provide strong authentication for client/server applications (such as traditional Internet services like FTP and telent) by using secret-key cryptography. Several free implementations of this protocol have been developed. The Massachusetts Institute of Technology, where Kerberos was developed, continues to develop their Kerberos package and it is commonly used in the US (as a cryptography product, it is affected by US export regulations). Heimdal Kerberos is another version 5 implementation, and was explicitly developed outside of the US to avoid export regulations (and is thus often included in non-commercial Unix variants).

Kerberos can be described as a identity-verifying proxy, it can also be described as a trusted third-party authentication system.

How Kerberos works

The following description of how Kerberos works was taken from The Moron's/ Guide to Kerberos.

Both the user and the service are required to have keys registered with the KDC. The user's key is derived from a password that he chooses; the service key is a randomly selected key (since no person is available to type in a password). For the purposes of this explanation, let us imagine that messages are written on paper (instead of being electronic), and are ``encrypted'' by being locked in a strongbox by means of a key. In this ``box world,'' principals are initialized by making a physical key and registering a copy of the key with the KDC.

1. First the user sends a message to the KDC: ``I, J Random User, would like to talk to the server named Foo.''
2. When the KDC receives this message, it makes up two copies of a brand new key. This is called the session key. It will be used in the direct exchange between user and service.
3. It puts one of the session keys in Box 1, along with a piece of paper with the name ``Foo Server'' written on it. It locks this box with the user's key. Why is this piece of paper here? Recall that this box is really just an encrypted message, and that the session key is really just a sequence of random bytes. If Box 1 only contained the session key, then the user wouldn't be able to tell whether the response came back from the AS, or whether the decryption was successful. By putting in ``Foo Server,'' the user (or more precisely, the user's program) will be able to verify both that the box comes from the AS, and that the decryption was successful.
4. It puts the other session key in Box 2. In Kerberos terms, Box 2 is called the ticket, and Box 3 is called the authenticator. The authenticator typically contains more information than what is listed here. Some of this added information arises from the fact that this is an electronic message (for example, there is a checksum). There may also be an encryption key in the authenticator to provide for privacy in future communications between the user and the service. Also in Box 2 is placed a piece of paper with the name ``J Random User'' written on it. It locks this box with the service's key.
5. It returns both boxes to the user (Note that in version 4 of the protocol, Box 2 was placed (unnecessarily) in Box 1.).
6. The user unlocks Box 1 with his key, extracting the session key and the paper with ``Foo Server'' written on it.
7. The user can't open Box 2 (since it's locked with the service's key). Instead, he puts a piece of paper with the current time written on it in Box 3, and locks it with the session key. He then hands both boxes to the service.
8. The service opens the Box 2 with its own key, extracting the session key and the paper with ``J Random User'' written on it. It then opens Box 3 with the session key to extract the piece of paper with the current time on it. These items demonstrate the identity of the user. The timestamp is put in Box 3 to prevent someone else from copying Box 2 (remember, these are simply electronic messages) and using it to impersonate the user at a later time. Because clocks don't always work in perfect synchrony, a small amount of leeway (about five minutes is typical) is given between the timestamp and the current time. In addition, the service maintains a list of recently sent authenticators, to make sure that they aren't resent in quick order. You may wonder how the service is able to open Box 2, if there isn't anyone ``back there'' to type in a password. Well, the service key isn't derived from a password. Instead, it's randomly generated, then stored in a special file called a service key file. This file is assumed to be secure, so that no one can copy the file and impersonate the service to a legitimate user.