Kerberos. Pehr Söderman Natsak08/DD2495 CSC KTH 2008

Transcription

1 Kerberos Pehr Söderman Natsak08/DD2495 CSC KTH 2008

2 Project Athena Started 1983 at MIT workstations 1000 servers Unified enviroment Any user, any workstation, any server, anywhere... 2

3 Existing technology /etc/passwd.rlogin Telnet Scalability? 3

4 Goals of Kerberos Unified user-service authentication Fine, centralized, access controll Interdomain authentication Only authentication 4

5 Trust model Single authentication server All users/workstations/servers trusts the authentication server Authentication server may trust other authentication servers 5

6 Trust model Advantages Compromise of a host does not directly compromise other hosts Centralized management Disadvantages Makes no sense in isolated systems Hosts still have to be trustworthy... No protection against trojans/viruses/worms 6

7 Kerberos design goals No cleartext passwords on the network No client passwords on servers Minimize password exposure on workstation Compromise only impacts one client/server/user Minimize the need for the password (single sign-on) 7

8 Kerberos versions v1-3 are no longer used (and badly broken) v4 is still common (and broken) v5 is most commonly used We start with v4, then we take v5. 8

9 Parts of a Kerberos system Authentication Service (AS) Ticket Granting Service (TGS) Key distribution center (KDC) User Service Ticket Granting Ticket (TGT) Ticket Authenticator Kerberos Library 9

10 Tickets Fundamental concept in kerberos Contains information about: Owner Target Session key Lifetime Encrypted with target's key A ticket to Bob is encrypted with a key shared by Bob and the TGS 10

11 Important fields in tickets Name/Instance/Realm Timestamp (Unix time) Lifetime (8 byte, 5 min steps, max ca 21 hours) Session key (8 bytes, DES) 11

12 Network layer adress in tickets All tickets contain the NWK adress (IPv4) Prevents usage of tickets from other IP addresses. Doesn't work well with NAT Doesn't work well with IPv6 (or any other protocoll) Limited security advantages (spoofing) 12

13 Authenticator Proves ownership of a ticket Created by encrypting current time with the session key in the ticket Verified by decryption and comparison of timestamp to current time Prevents replay attacks Requires synchronized time (NTP) 13

14 Getting a TGT Type username, password and realm at workstation Workstation asks AS for TGT for Username AS creates session key, creates TGT, encrypts with master key generated from password KDC sends TGT to workstation Workstation decrypts TGT, gets session key. Can you see any problem? 14

15 Get a ticket Workstation sends request, TGT and Authenticator to TGS. TGS decrypts TGT, gets Session key. Uses session key to verify Authenticator TGS generates session key for Bob, creates ticket, encrypts with Bob's master key. TGS sends ticket and session key to bob secured with the session key from the TGT 15

16 Use a ticket Send request, ticket and authenticator to Bob Bob decrypts the ticket to get the Session key. Bob verifies the Authenticator Bob creates a new authenticator with time+1 and sends back (Why?) Bob allows you to access the service 16

17 Replicated KDC Limits the impact of KDC downtime Most KDC operations are read only One master copy of the KDC database must exist Replication is part of the kerberos protocol 17

18 Realms Administrative domains within kerberos Allows trust relationships between different organisations All tickets contain information about the realm of the owner and target. 18

19 Authentication in a different realm Locate the realm of the service Ask the KDC of your own realm for a ticket to the other realm KDC Ask the KDC of the target realm for a ticket Authenticate directly to the service with your ticket. 19

20 Homegrown cryptography Large warning flag Homegrown cipher modes Homegrown authentication codes Breaks some parts of Kerberos V4 badly Read: The perils of Unauthenticated Encryption Yu, Hartman, Raeburn 20

21 Kerberos V5 Used in Windows (Active Directory, RFC 3244) Used in many Unix systems Major overhaul of Kerberos v4 21

22 ASN.1 A way to describe data structures Extremely complex Used instead of the simple byte descriptions in Kerberos v4 Where ASN.1 is used, chaos follows Kerberos v5 is described in ASN.1 22

23 Changes to the cryptography Support for more ciphers (not only DES) Windows uses RC4 3DES, AES etc. are possible New, homegrown, cipher modes... 23

24 Changes to the names In Kerberos v4: Name, Instance, Realm In Kerberos v5: Name, Realm Multiple name fields are possible Longer names are possible More characters in names (for example. ) 24

25 Allow delegation by proxy A special request is done to the KDC for a new ticket Send a network adress instead of the one in the TGT KDC returns a ticket with the proxy adress Send the Ticket to the adress where it is to be used Use it as normally 25

26 Allow delegation by forwarding Request a TGT with a new adress Send the TGT to the new adress Use the TGT as usually 26

27 Renewable tickets Short lifetime of tickets in v4 (21 hours...) Long lifetime of tickets is risky Revocation is not practical Allow tickets to be renewed A ticket can be renewed as long as it is valid Each ticket has a last legal time 27

28 Postdated tickets Allows tickets to become valid in the future Useful for batch jobs Must be exchanged for a new ticket before it can be used (and after it becomes valid) 28

29 Inter-domain authentication Kerberos v4 requires direct trust between domains. Kerberos v5 allows any length of authentication path, using a similar method. Trust for other domains is up to the application... X.500 or DNS can be used as a hirarchy of domains to simplify trust arrangements 29

30 Prevent password guessing Kerberos v4 makes offline attacks trivial Kerberos v5 sends the current time encrypted with the master key to request a TGT (preauthenticator) Prevents requesting a TGT for somebody else Kerberos v5 has a flag to prevent tickets to be issued for password based users (Why?) 30

31 Public Key cryptography Not yet a standard Uses RSA to authenticate user and AS Signaling is done using a magic number in the pre-authenticator No changes to the rest of the kerberos protocol RFC

32 Weaknesses in Kerberos Broken cryptography (v4) Homegrown cryptography (v5) Simple offline attacks (v4) Single point of failure (v4, v5) Multiple users on one system (v4,v5) Replay attacks within timescrew (v4) 32

33 Kerberos vs SSL Requires trust at both ends Simple revocation Online trust center Keys on server Local domains Small overhead Trust at only one end is possible Complex revocation Offline trust center Local certificates Global systems Large overhead 33

34 Additional reading Limitations of the Kerberos authentication system (S. M. Bellovin, M. Merritt) The Perils of Unauthenticated Encryption: Kerberos Version 4 (Tom Yu, Sam Hartman, Kenneth Raeburn) The Evolution of the Kerberos Authentication System (John T. Kohl, B. Clifford Neuman, and Theodore Y. T'so) RFC 3244, RFC 4120, RFC 4556 and RFC