-
Notifications
You must be signed in to change notification settings - Fork 0
/
krb_evol.lpt
1650 lines (1151 loc) · 65.7 KB
/
krb_evol.lpt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
The Evolution of the _K_e_r_b_e_r_o_s Authentication
Service
John T. Kohl
Digital Equipment Corporation
B. Clifford Neuman
Information Sciences Institute
University of Southern California
Theodore Y. Ts'o
Massachusetts Institute of Technology
_A_B_S_T_R_A_C_T
The Kerberos Authentication Service,
developed at MIT, has been widely adopted by other
organizations to identify clients of network ser-
vices across an insecure network and to protect
the privacy and integrity of communication with
those services. While Version 4 was a step up
from traditional security in networked systems,
extensions were needed to allow its wider applica-
tion in environments with different characteris-
tics than that at MIT. This paper discusses some
of the limitations of Version 4 of Kerberos and
presents the solutions provided by Version 5.
_1. _I_n_t_r_o_d_u_c_t_i_o_n
The Kerberos Authentication Service was developed by the
Massachusetts Institute of Technology (MIT) to protect the
__________________________
This paper is a revision of a paper presented at the
Spring 1991 EurOpen Conference, in Troms, Norway, and
will appear in an upcoming IEEE Computer Society Press
book edited by Frances Brazier and Dag Johansen.
The work described here was done while Kohl was at MIT,
and in part while Neuman was at the University of Wash-
ington.
June 17, 1992
- 2 -
emerging network services provided by Project Athena. Ver-
sions 1 through 3 were used internally. Although designed
primarily for use by Project Athena, Version 4 of the proto-
col has achieved widespread use beyond MIT. Models for
administration and use of computer services differ from site
to site and some environments require support that isn't
present in Version 4. Version 5 of the Kerberos protocol
incorporates new features suggested by experience with Ver-
sion 4, making it useful in more situations. Version 5 was
based in part upon input from many contributors familiar
with Version 4.
This paper begins by describing the Kerberos model and basic
protocol exchanges. Section 3 discusses the limitations of
Version 4 of Kerberos. The fourth section reviews new
features found in Version 5. Section 5 describes the imple-
mentation of Version 5 and support for converting existing
applications from Version 4. The paper concludes with
status and plans for future work.
_T_e_r_m_i_n_o_l_o_g_y _a_n_d _c_o_n_v_e_n_t_i_o_n_s
A _p_r_i_n_c_i_p_a_l is the basic entity that participates in authen-
tication. In most cases a principal represents a user or an
instantiation of a network service on a particular host.
Each principal is uniquely named by its _p_r_i_n_c_i_p_a_l _i_d_e_n_t_i_f_-
_i_e_r.
_E_n_c_r_y_p_t_i_o_n is the process of transforming data into a form
that cannot be understood without applying a second
transformation. The transformation is affected by an
_e_n_c_r_y_p_t_i_o_n _k_e_y in such a manner that the second transforma-
tion can only be applied by someone in possession of the
corresponding _d_e_c_r_y_p_t_i_o_n _k_e_y.
A _s_e_c_r_e_t-_k_e_y _c_r_y_p_t_o_s_y_s_t_e_m such as that defined by the Data
Encryption Standard (DES) [FIPS46] uses a single key for
both encryption and decryption. Such an encryption key is
called a _s_e_c_r_e_t key.
A _p_u_b_l_i_c-_k_e_y _c_r_y_p_t_o_s_y_s_t_e_m such as RSA [Riv78] uses different
keys for encryption and decryption. One of the keys in the
pair can be publicly known while the other must be kept
private. These keys are referred to as _p_u_b_l_i_c and _p_r_i_v_a_t_e
keys respectively.
_P_l_a_i_n_t_e_x_t is a message in its unencrypted form, either
before the encryption transformation has been applied, or
after the corresponding decryption transformation is com-
plete. _C_i_p_h_e_r_t_e_x_t is the encrypted form of a message, the
output of the encryption transformation.
In figures, encryption is denoted by showing the plaintext
surrounded by curly braces ({}) followed by a key (K) whose
June 17, 1992
- 3 -
subscript denotes the principals who possess or have access
to that key. Thus, "abc" encrypted under c's key is
represented as {abc}K9c8.
_2. _T_h_e _K_e_r_b_e_r_o_s Model
Kerberos was developed to enable network applications to
securely identify their peers. To achieve this, the client
(initiating party) conducts a three-party message exchange
to prove its identity to the server (the contacted party).
The client proves its identity by presenting to the server a
_t_i_c_k_e_t (shown in figures as T9c,s8) which identifies a princi-
pal and establishes a temporary encryption key that may be
used to communicate with that principal, and an _a_u_t_h_e_n_t_i_c_a_-
_t_o_r (shown in figures as A9c,s8) which proves that the client
is in possession of the temporary encryption key that was
assigned to the principal identified by the ticket. The
authenticator prevents an intruder from replaying the same
ticket to the server in a future session.
Tickets are issued by a trusted third party _K_e_y _D_i_s_t_r_i_b_u_t_i_o_n
_C_e_n_t_e_r (KDC). The KDC, proposed by Needham and Schroeder
[Nee78], is trusted to hold in confidence secret keys known
by each client and server on the network (the secret keys
are established out-of-band or through an encrypted chan-
nel). The key shared with the KDC forms the basis upon
which a client or server believes the authenticity of the
tickets it receives. A Kerberos ticket is valid for a fin-
ite interval called its _l_i_f_e_t_i_m_e. When the interval ends,
the ticket expires; any later authentication exchanges
require a new ticket from the KDC.
Each installation comprises an autonomously administered
_r_e_a_l_m and establishes its own KDC. Most currently-operating
sites have chosen realm names that parallel their names
under the Internet domain name system (e.g. Project Athena's
realm is ATHENA.MIT.EDU). Clients in separate realms can
authenticate to each other if the administrators of those
realms have previously arranged a shared secret.
_2._1. _T_h_e _i_n_i_t_i_a_l _t_i_c_k_e_t _e_x_c_h_a_n_g_e
Figure 1 shows the messages|- required for a client to prove
its identity to a server. The basic messages are the same
for Versions 4 and 5 of Kerberos though the details of the
encoding differ. A typical application uses this exchange
when it first establishes a connection to a server.
__________________________
|- For clarity, the figures show a simplified version of
the messages. Other message fields present in the ac-
tual messages are less relevant to the present discus-
sion.
June 17, 1992
- 4 -
Subsequent connections to the same server require only the
final message in the exchange (client caching eliminates the
need for the first two messages until the ticket expires).
linewid = 1.5i ellipsewid = .7i down KDC: ellipse "KDC" line
<- down 0.5i "1 " rjust move right 0.1i line <- up 0.5i " 2
" ljust move down 0.5i from KDC.s down Client: ellipse
"Client" right; arrow right 1i from Client.e "3" above
Server: ellipse "Server"
1. Client -> KDC: c, s, n
2. KDC -> Client: {Kc,s ,n}Kc ,{Tc,s}Ks
3. Client -> Server: {Ac}Kc,s ,{Tc,s}Ks
(In version 4, message 2 is {Kc,s ,n,{Tc,s} Ks}Kc)
Figure 1: _G_e_t_t_i_n_g _a_n_d _u_s_i_n_g _a_n _I_n_i_t_i_a_l _T_i_c_k_e_t
In the first message the client contacts the KDC, identifies
itself, presents a nonce (a timestamp or other non-repeating
identifier for the request), and requests credentials for
use with a particular server.
Upon receipt of the message the KDC selects a random encryp-
tion key K9c,s8, called the _s_e_s_s_i_o_n _k_e_y, and generates the
requested ticket. The ticket identifies the client, speci-
fies the session key K9c,s8, lists the start and expiration
times, and is encrypted in the key K9s8 shared by the KDC and
the server. Because the ticket is encrypted in a key known
only by the KDC and the server, nobody else can read it or
change the identity of the client specified within it. The
KDC next assembles a response, the second message, which it
sends to the client. The response includes the session key,
the nonce, and the ticket. The session key and nonce are
encrypted with the client's secret key K9c8 (in Version 4 all
fields are encrypted in K9c8).
Upon receiving the response the client decrypts it using its
secret key (usually derived from a password). After check-
ing the nonce, the client caches the ticket and associated
session key for future use.
In the third message the client presents the ticket and a
freshly-generated authenticator to the server. The authen-
ticator contains a timestamp and is encrypted in the session
key K9c,s8. Upon receipt the server decrypts the ticket using
the key it shares with the KDC (this key is kept in secure
storage on the server's host) and extracts the identity of
the client and the session key K9c,s8. To verify the identity
of the client, the sever decrypts the authenticator (using
the session key K9c,s8 from the ticket) and verifies that the
timestamp is current.
Successful verification of the authenticator proves that the
June 17, 1992
- 5 -
client possesses the session key K9c,s8, which it only could
have obtained if it were able to decrypt the response from
the KDC. Since the response from the KDC was encrypted in
K9c8, the key of the user named in the ticket, the server may
reasonably be assured that identity of the client is in fact
the principal named in the ticket.
If the client requests mutual authentication from the
server, the server responds with a fresh message encrypted
using the session key. This proves to the client that the
server possesses the session key, which it could only have
obtained if it was able to decrypt the ticket. Since the
ticket is encrypted in a key known only by the KDC and the
server, the response proves the identity of the server.
For greater detail on the messages in Version 4 of Kerberos
the reader is referred to [Ste88] and [Mil87]. Details
about Version 5 can be found in [Koh92].
_2._2. _T_h_e _a_d_d_i_t_i_o_n_a_l _t_i_c_k_e_t _e_x_c_h_a_n_g_e
To reduce the risk of exposure of the client's secret key K9c
8and to make the use of Kerberos more transparent to the
user, the exchange above is used primarily to obtain a
ticket for a special _t_i_c_k_e_t-_g_r_a_n_t_i_n_g _s_e_r_v_e_r (TGS). The
client erases its copy of the client's secret key once this
ticket-granting ticket (TGT) has been obtained,
The TGS is logically distinct from the KDC which provides
the initial ticket service, but the TGS runs on the same
host and has access to the same database of clients and keys
used by the KDC (see Figure 2). A client presents its TGT
(along with other request data) to the TGS as it would
present it to any other server (in an application request);
the TGS verifies the ticket, authenticator, and accompanying
request, and replies with a ticket for a new server. The
protected part of the reply is encrypted with the session
key from the TGT, so the client need not retain the original
secret key K9c8 to decrypt and use this reply. The client
then uses these new credentials as before to authenticate
itself to the server, and perhaps to verify the identity of
the server.
Once the authentication is established, the client and
server share a common session key K9c,s8, which has never been
transmitted over the network without being encrypted. They
may use this key to protect subsequent messages from disclo-
sure or modification. Kerberos provides message formats
which an application may generate as needed to assure the
integrity or both the integrity and privacy of a message.
June 17, 1992
- 6 -
linewid = 1.5i ellipsewid = .7i right KDC: ellipse "KDC"
move right 1i TGS: ellipse "TGS" line <-> dotted from KDC.ne
to TGS.nw "usually co-located " above move down 1i from
KDC.w right Client: ellipse "Client" move right 1i Server:
ellipse "Server" arrow from Client.nw to KDC.sw "1 " rjust
arrow from KDC.s to Client.n " 2" ljust arrow from
Client.ne to TGS.w "3 " rjust arrow from TGS.sw to Client.e
" 4" ljust arrow from Client.se to Server.sw "5" above
1. Client -> KDC: c, tgs, n
2. KDC -> Client: {Kc,tgs ,n}Kc ,{Tc,tgs}Ktgs
3. Client -> TGS: {Ac}Kc,tgs ,{Tc,tgs}Ktgs , s, n
4. TGS -> Client: {Kc,s,n}Kc,tgs ,{Tc,s}Ks
5. Client -> Server: {Ac}Kc,s ,{Tc,s}Ks
(In version 4, message 2 is {Kc,tgs ,n,{Tc,tgs}Ktgs}Kc,
and message 4 is {Kc,s ,n,{Tc,s}Ks}Kc,tgs)
Figure 2: _G_e_t_t_i_n_g _a _s_e_r_v_i_c_e _t_i_c_k_e_t
_3. _L_i_m_i_t_a_t_i_o_n_s _o_f _V_e_r_s_i_o_n _4
Version 4 of Kerberos is in widespread use, but some sites
require functionality that it doesn't provide, while others
have a computing environment or administrative procedures
that differ from that at MIT. As a result, work on Kerberos
Version 5 commenced in 1989, fueled by discussions with Ver-
sion 4 users and administrators about their experiences with
the protocol and MIT's implementation.
_3._1. _E_n_v_i_r_o_n_m_e_n_t_a_l _s_h_o_r_t_c_o_m_i_n_g_s
Kerberos Version 4 was targeted primarily for Project Athena
[Cha90], and as such in some areas it makes assumptions and
takes approaches that are not appropriate universally:
Encryption system dependence: The Version 4 protocol uses
only the Data Encryption Standard (DES) to encrypt mes-
sages. The export of DES from the USA is restricted by
the U.S. Government, making truly widespread use of
Version 4 difficult.
Internet protocol dependence: Version 4 requires the use of
Internet Protocol (IP) addresses, which makes it
unsuitable for some environments.
Message byte ordering: Version 4 uses a "receiver makes
right" philosophy for encoding multi-byte values in
network messages, where the sending host encodes the
value in its own natural byte order and the receiver
must convert this byte order to its own native order.
While this makes communication between two hosts with
the same byte order simple, it does not follow esta-
blished conventions and will preclude interoperability
June 17, 1992
- 7 -
of a machine with an unusual byte order not understood
by the receiver.
Ticket lifetimes: The valid life of a ticket in Version 4 is
encoded by a UNIX timestamp issue date and an 8-bit
lifetime quantity in units of five minutes, resulting
in a maximum lifetime of 211/4 hours. Some environ-
ments require longer lifetimes for proper operation
(e.g. a long-running simulation which requires valid
Kerberos credentials during its entire execution).
Authentication forwarding: Version 4 has no provision for
allowing credentials issued to a client on one host to
be forwarded to some other host and used by another
client. Support for this might be useful if an inter-
mediate server needs to access some resource with the
rights of the client (e.g. a print server needs access
to the file server to retrieve a client's file for
printing), or if a user logs into another host on the
network and wishes to pursue activities there with the
privileges and authentication available on the ori-
ginating host.
Principal naming: In Version 4, principals are named with
three components: name, instance, and realm, each of
which may be up to 39 characters long. These sizes are
too short for some applications and installation
environments. In addition, due to implementation-
imposed conventions the normal character set allowed
for the name portion excludes the period (.), which is
used in account names on some systems. These same con-
ventions dictate that the account name match the name
portion of the principal identifier, which is unaccept-
able in situations where Kerberos is being installed in
an existing network with non-unique account names.
Inter-realm authentication: Version 4 provides cooperation
between authentication realms by allowing each pair of
cooperating realms to exchange an encryption key to be
used as a secondary key for the ticket-granting ser-
vice. A client can obtain tickets for services from a
foreign realm's KDC by first obtaining a ticket-
granting ticket for the foreign realm from its local
KDC and then using that TGT to obtain tickets for the
foreign application server (see Figure 3). This pair-
wise key exchange makes inter-realm ticket requests and
verification easy to implement, but requires O(n829) key
exchanges to interconnect n realms (see Figure 4).
Even with only a few cooperating realms, the assignment
and management of the inter-realm keys is an expansive
task.
June 17, 1992
- 8 -
_3._2. _T_e_c_h_n_i_c_a_l _d_e_f_i_c_i_e_n_c_i_e_s
In addition to the environmental problems, there are some
technical deficiencies in Version 4 and its implementation.
Bellovin and Merritt [Bel90] provide detailed analyses of
some of these issues.
Double Encryption: As shown in Figure 1, the ticket issued
by the Kerberos server in Version 4 is encrypted twice
when transmitted to the client, and only once when sent
to the application server. There is no need to encrypt
it in the message from the KDC to the client, and doing
so can be wasteful of processing time if encryption is
computationally intensive (as will be the case for most
software-based encryption implementations; see [Mer90]
for discussion of fast software-based encryption
methods).
PCBC encryption: Kerberos Version 4 uses a non-standard mode
of DES to encrypt its messages. FIPS 81 [FIPS81]
describes the normal cipher-block-chaining (CBC) mode
of DES. Version 4 uses a modified Version called
plain- and cipher-block-chaining mode (PCBC). This
mode was an attempt to provide data encryption and
integrity protection in one operation. Unfortunately,
it allows an intruder to modify a message with a spe-
cial block-exchange attack which may not be detected by
the recipient [Koh89].
linewid = 1.5i ellipsewid = .9i right KDC: ellipse
"TGSlocal" move right 1i TGS: ellipse "TGSremote" move down
1i from KDC.w right Client: ellipse "Client" move right 1i
Server: ellipse "Serverremote" arrow from Client.nw to
KDC.sw "1 " rjust arrow from KDC.s to Client.n " 2" ljust
arrow from Client.ne to TGS.w "3 " rjust arrow from TGS.sw
to Client.e " 4" ljust arrow from Client.se to Server.sw
"5" above ellipsewid = .7i
1. Client -> TGSlocal: {Ac}Kc,tgs ,{Tc,tgs}Ktgs , tgsrem
2. TGSlocal -> Client: {Kc,tgsrem}Kc,tgs ,{Tc,tgsrem}Ktgsrem
3. Client -> TGSremote: {Ac}Kc,tgsrem ,{Tc,tgsrem}Ktgsrem, srem
4. TGSremote -> Client: {Kc,srem}Kc,tgsrem ,{Tc,srem}Ksrem
5. Client -> Serverremote: {Ac}Kc,srem ,{Tc,srem}Ksrem
(In version 4, message 2 is {Kc,tgsrem ,{Tc,tgsrem}Ktgsrem}Kc,tgs,
and message 4 is {Kc,srem ,{Tc,srem}Ksrem}Kc,tgsrem)
Figure 3: _G_e_t_t_i_n_g _a _f_o_r_e_i_g_n _r_e_a_l_m _s_e_r_v_i_c_e _t_i_c_k_e_t
linewid = 1.5i boxht = .3i boxwid = 1i EDU: box "EDU" at
-.1,0 MITEDU: box "MIT.EDU" at 1.6,1 boxwid = 1.2i BERK: box
"Berkeley.EDU" at 1.4,0 UMICH: box "UMICH.EDU" at -.3,1
boxwid = 1.5i IFSUMICH: box "IFS.UMICH.EDU" at .8,1.6 line
<-> from EDU.ne to BERK.nw line <-> from 1/4 <EDU.ne, EDU.n>
to MITEDU.sw line <-> from 1/2 <EDU.ne, EDU.n> to 4/5
June 17, 1992
- 9 -
<IFSUMICH.sw, IFSUMICH.s> line <-> from EDU.n to UMICH.s
line <-> from BERK.n to MITEDU.s line <-> from 1/2 <BERK.nw,
BERK.n> to IFSUMICH.s line <-> from 1/4 <BERK.nw, BERK.n> to
UMICH.se
line <-> from MITEDU.n to IFSUMICH.se line <-> from MITEDU.w
to UMICH.e
line <-> from IFSUMICH.sw to UMICH.n
Figure 4: _V_e_r_s_i_o_n _4 _r_e_a_l_m _i_n_t_e_r_c_o_n_n_e_c_t_i_o_n_s
Authenticators and replay detection: Kerberos Version 4 uses
an encrypted timestamp to verify the freshness of mes-
sages and prevent an intruder from staging a successful
replay attack. If an authenticator (which contains the
timestamp) is out of date or is being replayed, the
application server rejects the authentication. How-
ever, maintaining a list of unexpired authenticators
which have already been presented to a service can be
hard to implement properly (and indeed is not imple-
mented in the Version 4 implementation distributed by
MIT).
Password attacks: The initial exchange with the Kerberos
server encrypts the response with a client's secret
key, which in the case of a user is algorithmically
derived from a password. An intruder is able to record
an exchange of this sort and, without alerting any sys-
tem administrators, attempt to discover the user's
password by decrypting the response with each password
guess. Since the response from the Kerberos server
includes verifiable plaintext [Lom89], the intruder can
try as many passwords as are available and will know
when the proper password has been found (the decrypted
response will make sense).
Session keys: Each ticket issued by the KDC contains a key
specific to that ticket, called a session key, which
may be used by the client and server to protect their
communications once authentication has been esta-
blished. However, since many clients use a ticket mul-
tiple times during a user's session, it may be possible
for an intruder to replay messages from a previous con-
nection to clients or servers which do not properly
protect themselves (again, MIT's Version 4 implementa-
tion does not fully implement this protection for the
KRB_SAFE and KRB_PRIV messages). Additionally, there
are situations in which a client wishes to share a ses-
sion key with several servers. This requires special
non-standard application negotiations in Version 4.
June 17, 1992
- 10 -
Cryptographic checksum: The cryptographic checksum (some-
times called a message authentication code or hash or
digest function) used in Version 4 is based on the qua-
dratic algorithm described in [Jue85]. The MIT imple-
mentation does not perform this function as described;
the suitability of the modified version as a crypto-
graphic checksum function is unknown.
_4. _C_h_a_n_g_e_s _f_o_r _V_e_r_s_i_o_n _5
Version 5 of the protocol has evolved over the past two
years based on implementation experience and discussions
within the community of Kerberos users. Its final specifi-
cation has reached closure, and a description of the proto-
col is available [Koh92]. Version 5 addresses the concerns
described above and provides additional functionality.
_4._1. _C_h_a_n_g_e_s _b_e_t_w_e_e_n _V_e_r_s_i_o_n_s _4 _a_n_d _5
_U_s_e _o_f _e_n_c_r_y_p_t_i_o_n
To improve modularity and ease export-regulation considera-
tions for Version 5, the use of encryption has been
separated into distinct software modules which can be
replaced or removed by the programmer as needed. When
encryption is used in a protocol message, the ciphertext is
tagged with a type identifier so that the recipient can
identify the appropriate decryption algorithm necessary to
interpret the message.
Encryption keys are also tagged with a type and length when
they appear in messages. Since it is conceivable to use the
same key type in multiple encryption systems (e.g. different
variations on DES encryption), the key type may not map
one-to-one to the encryption type.
Each encryption algorithm is responsible for providing suf-
ficient integrity protection for the plaintext so that the
receiver can verify that the ciphertext was not altered in
transit. If the algorithm does not have such properties, it
can be augmented by including a checksum in the plaintext
before encryption. By doing this, we can discard the PCBC
DES mode, and use the standard CBC mode with an embedded
checksum over the plaintext. It is important to consider
the effects of chosen plaintext attacks when analyzing the
message integrity properties of candidate encryption algo-
rithms. Some potential weaknesses were found with encryp-
tion and checksum methods in initial drafts of the Version 5
protocol [Stu92]. These weaknesses were corrected in subse-
quent revisions.
June 17, 1992
- 11 -
_N_e_t_w_o_r_k _a_d_d_r_e_s_s_e_s
When network addresses appear in protocol messages, they are
similarly tagged with a type and length field so the reci-
pient can interpret them properly. If a host supports mul-
tiple network protocols or has multiple addresses of a sin-
gle type, all types and all addresses can be provided in a
ticket.
_M_e_s_s_a_g_e _e_n_c_o_d_i_n_g
Network messages in Version 5 are described using the
Abstract Syntax Notation One (ASN.1) syntax [ISO8824] and
encoded according to the basic encoding rules [ISO8825].
This avoids the problem of independently specifying the
encoding for multi-byte quantities as was done in Version 4.
It makes the protocol description look quite different from
Version 4, but it is primarily the presentation of the mes-
sage fields that changes; the essence of the Kerberos Ver-
sion 4 protocol remains.
_T_i_c_k_e_t _c_h_a_n_g_e_s
The Kerberos Version 5 ticket has an expanded format to
accommodate the required changes from the Version 4 ticket.
It is split into two parts, one encrypted and the other
plaintext. The server's name in the ticket is plaintext
since a server with multiple identities, e.g. an inter-
realm TGS, may need the name to select a key with which to
decrypt the the remainder of the ticket (the name of the
server is bookkeeping information only and its protection is
not necessary for secure authentication). Everything else
remains encrypted. The ticket lifetime is encoded as a
starting time and an expiration time (rather than a specific
lifetime field), affording nearly limitless ticket life-
times. The new ticket also contains a new flags field and
other new fields used to enable the new features described
later.
_N_a_m_i_n_g _p_r_i_n_c_i_p_a_l_s
Principal identifiers are multi-component names in Kerberos
Version 5. The identifier is encoded in two parts, the
realm and the remainder of the name. The realm is separate
to facilitate easy implementation of realm-traversal rou-
tines and realm-sensitive access checks. The remainder of
the name is a sequence of however many components are needed
to name the principal. The realm and each component of the
remainder are encoded as separate ASN.1 GeneralStrings, so
there are few practical restrictions on the characters
available for principal names.
linewid = 1.5i boxht = .3i boxwid = 1.2i down EDU: box "EDU"
move down .5i BERK: box "Berkeley.EDU" move left .5i from
BERK.w MITEDU: box "MIT.EDU" move right .5i from BERK.e
June 17, 1992
- 12 -
UMICH: box "UMICH.EDU" move down .5i from UMICH.s boxwid =
1.5i IFSUMICH: box "IFS.UMICH.EDU" line <-> from EDU.sw to
MITEDU.n line <-> from EDU.s to BERK.n line <-> from EDU.se
to UMICH.n line <-> from UMICH.s to IFSUMICH.n arrowwid =
.1i arrowht = .15i line <-> dashed from MITEDU.s to
IFSUMICH.w "shortcut link " rjust # reset to defaults
arrowwid = 0.05i arrowht = 0.1i
Figure 5: _A _V_e_r_s_i_o_n _5 _h_i_e_r_a_r_c_h_y _o_f _r_e_a_l_m_s
_I_n_t_e_r-_r_e_a_l_m _s_u_p_p_o_r_t
In Version 5, Kerberos realms cooperate through a hierarchy
based on the name of the realm (see Figure 5). A source
realm is interoperable with a destination realm if it shares
an inter-realm key directly with the destination realm, or
if it shares a key with an intermediate realm that is itself
interoperable with the destination realm. Each realm
exchanges a different pair of inter-realm keys with its
parent node and each child. These keys are used in a common
encryption system to obtain tickets for each successive
realm along the path. This arrangement reduces the number
of key exchanges to O(log(n)).
When an application needs to contact a server in a foreign
realm, it "walks" up and down the tree toward the destina-
tion realm, contacting each realm's KDC in turn, asking for
a ticket-granting ticket to the foreign realm. In most
cases, the KDC will issue a ticket for the next node in the
proper direction on the tree. If a realm has established a
"shortcut" spanning link with some realm further in the
path, it issues a ticket-granting ticket for that realm
instead. This way every realm can interoperate, and
heavily-traveled paths can be optimized with a direct link.
When a ticket for the end service is finally issued, it will
contain an enumeration of all the realms consulted in the
process of requesting the ticket. An application server
which applies strict authorization rules is permitted to
reject authentication which passes through certain untrusted
realms.
_4._2. _N_e_w _p_r_o_t_o_c_o_l _f_e_a_t_u_r_e_s _i_n _V_e_r_s_i_o_n _5
In addition to the changes discussed above, several new
features are supported in Version 5.
_T_i_c_k_e_t_s
Version 5 tickets contain several additional timestamps and
a flags field. These changes allow greater flexibility in
the use of tickets than was available in Version 4.
Each ticket issued by the KDC using the initial ticket
June 17, 1992
- 13 -
exchange is flagged as such. This allows servers such as a
password changing server to require that a client present a
ticket obtained by direct use of the client's secret key K9c
8instead of one obtained using a TGT. Such a requirement
prevents an attacker from walking up to an unattended but
logged in workstation and changing another user's password.
Tickets may be issued as renewable tickets with two expira-
tion times, one for a time in the near future, and one
later. The ticket expires as usual at the earlier time, but
if it is presented to the KDC in a renewal request before
this earlier expiration time, a replacement ticket is
returned which is valid for an additional period of time.
The KDC will not renew a ticket beyond the second expiration
indicated in the ticket. This mechanism has the advantage
that although the credentials can be used for long periods
of time, the KDC may refuse to renew tickets which are
reported as stolen and thereby thwart their continued use.
A similar mechanism is available to assist authentication
during batch processing. A ticket issued as postdated and
invalid will not be valid until its post-dated starting time
passes and it is replaced with a validated ticket. The
client validates the ticket by presenting it to the KDC as
described above for renewable tickets.
Authentication forwarding can be implemented by contacting
the KDC with the additional ticket exchange and requesting a
ticket valid for a different set of addresses than the TGT
used in the request. The KDC will not issue such tickets
unless the presented TGT has a flag set indicating that this
is a permissible use of the ticket. When the entity on the
remote host is granted only limited rights to use the
authentication, the forwarded credentials are referred to as
a _p_r_o_x_y (after the proxy used in legal and financial
affairs). Proxies are handled similarly to forwarded tick-
ets, except that new proxy tickets will not be issued for a
ticket-granting service; they will only be issued for appli-
cation server tickets.
In certain situations, an application server (such as an X
Window System server) will not have reliable, protected
access to an encryption key necessary for normal participa-
tion as a server in the authentication exchanges. In such
cases, if the server has access to a user's ticket-granting
ticket and associated session key (which in the case of
single-user workstations may well be the case), it can send
this ticket-granting ticket to the client, who presents it
and the user's own ticket-granting ticket to the KDC. The
KDC then issues a ticket encrypted in the session key from
the server's ticket-granting ticket; the application server
has the proper key to decrypt and process this ticket. The
details of such an exchange are presented in [Dav90].
June 17, 1992
- 14 -
_A_u_t_h_o_r_i_z_a_t_i_o_n _d_a_t_a
Kerberos is concerned primarily with authentication; it is
not directly concerned with the related security functions
of authorization and accounting. To support the implementa-
tion of these related functions by other services, Version 5
of Kerberos provides a mechanism for the tamper-proof
transmission of authorization and accounting information as
part of a ticket. This information takes the form of res-
trictions on the use of a ticket. The encoding of each res-
triction is not a concern of the Kerberos protocol, but is
instead defined by the authorization or accounting mechanism
in use. Restrictions are carried in the _a_u_t_h_o_r_i_z_a_t_i_o_n _d_a_t_a
field of the ticket.
When a ticket is requested, restrictions are sent to the KDC
where they are inserted into the ticket, encrypted, and thus
protected from tampering. In the protocol's most general
form, a client may request that the KDC include or add such
data to a new ticket. The KDC does not remove any authori-
zation data from a ticket; the TGS always copies it from the
TGT into the new ticket, and then adds any requested addi-
tional authorization data. Upon decryption of a ticket, the
authorization data is available to the application server.
While Kerberos makes no interpretation of the data, the
application server is expected to use the authorization data
to appropriately restrict the client's access to its
resources.
Among other uses, the _a_u_t_h_o_r_i_z_a_t_i_o_n _d_a_t_a field can be used
in a proxy ticket to create a capability. The client
requesting the proxy from the KDC specifies any authoriza-
tion restrictions in the authorization data, then securely
transmits the proxy and session key to another party, which
uses the ticket to obtain limited service from an applica-
tion server. Neuman [Neu91] discusses possible uses of the
_a_u_t_h_o_r_i_z_a_t_i_o_n _d_a_t_a field in detail.
The Open Software Foundation's Distributed Computing
Environment uses the _a_u_t_h_o_r_i_z_a_t_i_o_n _d_a_t_a field for the gen-
eration of privilege attribute certificates (PACs).
Privilege information is maintained by a privilege server.
When a PAC is requested by a client the privilege server
requests a Kerberos ticket identifying the privilege server
itself, but restricting the groups to which the client
belongs and specifying a DCE specific user ID. The ticket
is then returned to the client which uses it to assert its
DCE user ID and prove membership in the listed groups. In
essence, the privilege server grants the client a proxy
authorizing the client to act as the privilege server to
assert the listed DCE user ID and membership in the listed
groups. If the ticket did not include restrictions, it
would indicate that the client was the privilege server,
allowing the client to assert any user ID and membership in
June 17, 1992
- 15 -
any group.
_P_r_e-_a_u_t_h_e_n_t_i_c_a_t_i_o_n _d_a_t_a
In an effort to complicate the theft of passwords, the Ker-
beros Version 5 protocol provides fields in the initial- and
additional-ticket exchanges to support password alternatives
such as hand-held authenticators (devices which have inter-
nal circuitry used to generate a continually changing pass-
word). In the initial ticket exchange, these fields can be
used to alter the key K9c8 in which the reply is encrypted.
This makes a stolen password useless since fresh information
from a physical device is needed to decrypt a response. The
field can also be used to prove the client's identity to the
KDC before any ticket is issued. Doing this makes it a lit-
tle more difficult for an attacker to obtain a message that
can be used to verify password guesses.
This pre-authentication data field is used by the client in
the additional ticket exchange to pass the ticket-granting
ticket to the KDC; since it is a variable-length array,
other values may be sent in the additional-ticket exchange.
_S_u_b_s_e_s_s_i_o_n _k_e_y _n_e_g_o_t_i_a_t_i_o_n
Tickets are cached by clients for later use. To avoid prob-
lems caused by the reuse of a ticket's session key across
multiple connections, a server and client can cooperate to
choose a new _s_u_b_s_e_s_s_i_o_n _k_e_y which is used to protect a sin-
gle connection. This subsession key is discarded once the
connection is closed.
Negotiation of subsession keys allows an application to pro-
tect the privacy of messages broadcast to several reci-
pients. The application can individually negotiate with
each recipient to use a common subsession key before begin-
ning the broadcasts.
_S_e_q_u_e_n_c_e _n_u_m_b_e_r_s
Kerberos provides two message formats for applications to
protect their communications. The KRB_SAFE message uses a
cryptographic checksum to insure data integrity. The
KRB_PRIV message uses encryption to insure integrity and
privacy. In Version 4 these messages included as control
information a timestamp and the sender's network address.
With Version 5, an application may elect to use a timestamp
(as before) or a sequence number. If the timestamp is used,
the receiver must record the known timestamps to avoid
replay attacks; if a sequence number is used the receiver
must verify that the messages arrive in the proper order
without gaps. There are situations where one choice makes
applications simpler (or even possible) to implement; see
the discussions in [Koh92].
June 17, 1992
- 16 -
_5. _I_m_p_l_e_m_e_n_t_a_t_i_o_n _f_e_a_t_u_r_e_s
_5._1. _T_h_e _b_a_s_e _i_m_p_l_e_m_e_n_t_a_t_i_o_n