KerberosV4

DilipMeena
1291/06
Ece4

Kerberos, v4 and v5

Provides a complete protocol for authentication and

ecure communications for hosts connected by a data
communications network

Provides

secure "tickets" to hosts that can be used

to initiate a secure message exchange

Standard

message formats for encrypted and signe

messages, or signed plaintext messages
Formats

for encoding expiration time, names, ...

Allows

"read-only" slave KDC's (distributed KDCs)

2

eberos uses Mediated Authenticatio

(with a Key Distribution Center, KDC
)
Bob

Jack
Kbob

Kalice

Alice

Mary

Tom

KDC
Paul
Peter

Dick
Jip

Trudi Harry

Alice
(human)
logs on
to
Alice,
(PC)

Alice
Alice PC
Key
{Ka,{TGT;Kk};
hashes
Dist.
Kak}
Alice's
Ctr
passwork
Alice wants
gen.s
to get a
Bob,{TGT;Kk},
DES Key,
Kab,
{time;Ka}
Kalice=Ka{Bob,Kab,Ticket has
Kk
-Bob; Ka}

Bob has
Shared
Secret Key
with KDC,
Kbob

{time; Kab},
{Kab,Alice; Kbob} ="Ticket"
{time + 1, Kab}

After the 1st exchange with the KDC, Alice has a

session key, Ka, and a "Ticket-Granting Ticket"
that she can use to request "Tickets" from KDC
PC
erases Alice's password and Kak from disk and RAM.
Time(stamp) is used as nonce (seconds after 1/1/1970)
4

Host

Slave
KDC
Host
Host

Host

Host

Slave
KDC
Host
Host

Master
KDC{db;Kmaster} Slave
KDC
Host

Host

Slave Host
Slave
KDC
Realm KDC

Host

Replicated

KDCs (slaves) are read only.

Entire

Host-KDC dasebase is downloaded periodically

KDC
(Hatter)

KDC
(Lion)

Lion

1
Alice
Realm
Wonderland

2
3

Dorothy

Lion can also be a

"principal" in
Wonderland (with the
Queen's OK)

Realm
Oz

Alice wants to talk to Dorothy

7

Plaintext
Cipher Block ChainingP(CBC)

IV

m1

m2

m3

(+)

(+)

(+)

c1

c2

c3

Key

The 1st 64-bit message segment is XOR'ed with

an initial vector (IV). Each following message
segment is XOR'ed with the preceding ciphertex
and plaintext segments-for privacy & integrity
.
8

Kerberos Message Integrity Check

(Message Digest)
MIC is Hash(<Ksession,message>)

he Hash algorithm was never published (but

source code can be obtained)

is based on a checksum algorithm designed

by Juneman to use mod 2^31-1 (prime), but
changed to use 2^63-1 (not prime).

Cryptographers worry that it might be

breakable, or reversible (to get Ksession).
9

Network Layer (IP) Addresses in Ticket

Only 4 bytes available, so limited to Internet

Protocol (Novel, IBM, Appletalk, IPv6... longer)

Makes "spoofing" harder, IP address must be

tolen from network as well as Ticket from Alic

revents delegation, giving the ticket to anothe

host to represent you (which is allowed by
Kerberos V5)
10

Password security
OriginallyUNIXstoredahashofeachUserspasswordina
globallyreadableaccount.Thiscanbeattackedbyhashing
allcommonwordsforareverselookuptable.

Do not send in clear except over short secure channels

Choose

had to guess passwords, enforce.

Force

changing passwords periodically

Avoid

keeping password in memory longer than

necessary to generate the user's master key (w KDC)
Send

hash of (key+nonce) to KDC for authentication

Add
salt before hashing passwords for pw database

Add
realm name to password before hashing for pw db
11

Message Security and Integrity

nly exchange messages with authenticated hos

evelop a session key and separate MIC key

sing initial password exchange

ncrypt Diffie-Hellman exchanges to prevent

ucket Brigade (man-in-middle) attacks.

se MICs, especially with self-synchronizing

encryptions (e.g., PCBC) which survive
permutations of message blocks.

et "random" numbers from true sources

otect Master KDC Key and hashed-key databa

12

EntropyofData,H

Bonus

H=sum[i=1tok]{Pi*log2(1/Pi)}
(bitsofinformationpersymbol)
Where:
k=numberofstates(orsymbols)
Pi=probabilityoftheithstate(ni/N)
Ifthesymbolsarebinarynumberswith8bits:
H=8>completedisorderorrandomness
H<8>someorder(ASCIItext,H=45bits)
13