Deep Dive into - Kerberos Ishan A B Ambanwela

Upload: ishan-a-b-ambanwela

Post on 21-Jun-2015

Category: Software

DESCRIPTION

This presentation was first presented at Virtusa on 14th August 2014

TRANSCRIPT

Page 1: Deep Dive In To Kerberos

Deep Dive into - Kerberos

Ishan A B Ambanwela

Page 2: Deep Dive In To Kerberos

Contents

1. What is Kerberos

2. Design Objectives

3. Cons

4. Common Terms Explained

5. Kerberos Work Flow

6. Kerberos in Practice

Page 3: Deep Dive In To Kerberos

What is Kerberos

● Computer network authentication protocol

● Developed at MIT in the mid-1980s as part of Project Athena

● Named after the three-headed guard dog of Hades

● Current version 5 was released under the MIT license in 2005 (RFC 4120)

Page 4: Deep Dive In To Kerberos

Design Objectives

● Allows communication over a non-secure network

● Based on tickets

● Designed for the client-server model

● Interoperability

● Trust no one (mutual authentication of client and server)

● Protected against eavesdropping and replay attacks

Page 5: Deep Dive In To Kerberos

Cons

● Single point of failure

● Strict time requirements

● Symmetric cryptography

● Unique Kerberos keys

● Complications in virtual hosting and clusters

● Requires user accounts

● Strict separation of domains

● Administration protocol is not standardized

Page 6: Deep Dive In To Kerberos

Some Common Terms

● KDC - Key Distribution Center

● AS - Authentication Service

● AD - Active Directory

● Key - parameter that determines the functional output of a cryptographic algorithm

● Ticket - piece of information that carries an identity

● Session - semi-permanent interactive information interchange

Page 7: Deep Dive In To Kerberos

Kerberos - Terms

● TGT – Ticket Granting Ticket

– Used to prove the user's own identity

● ST – Service Ticket

– Allows a user to use a service

– Used to securely pass the identity of the user to which the ticket is issued between the KDC and the application server

● Authenticator

– Proves that the user presenting the ticket is the user to which the ticket was issued

– Proof that the user knows the session key

– Prevents replay attacks

Page 8: Deep Dive In To Kerberos

Kerberos – Work flow

(Diagram. Parties: Client; Key Distribution Center, made up of the Authentication Server and the Ticket Granting Server; Resource Server. The message labels recovered from the slide, in order:)

Client → Authentication Server: Username (clear text). The client derives the Client Secret Key (CSK) from the password with a one-way hash; the KDC holds the same CSK.

A. AS → Client: Session Key (SK), encrypted with CSK

B. AS → Client: TGT = Username, NA, Validity Period, Session Key (SK), encrypted with the TGS Secret Key (TGSSK)

The client decodes A with CSK and so obtains SK.

C. Client → Ticket Granting Server: Username, Timestamp, encrypted with SK, sent together with B and the Service ID (clear text)

The TGS decodes B with TGSSK and C with SK.

D. TGS → Client: Client/Server Ticket = Username, NA, Validity Period, Client/Server Session Key (CSSK), encrypted with the RS Secret Key (RSSK)

E. TGS → Client: Timestamp+1, Client/Server Session Key (CSSK), encrypted with SK

The client decodes E with SK and so obtains CSSK.

F. Client → Resource Server: Username, Timestamp', encrypted with CSSK (the slide label reads SK, but the Resource Server only holds the CSSK it receives in D), sent together with D

The RS decodes D with RSSK and F with CSSK.

G. RS → Client: Timestamp'+1, Resource, encrypted with CSSK
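The A–G exchange on this slide, as an added Python simulation that is not part of the original deck: a toy encrypt-then-MAC (SHAKE-256 keystream plus an HMAC tag) is an assumption standing in for the Kerberos encryption types, and the user "alice", the password, the service "fileserver", the address 10.0.0.5 and the returned resource name are constructed. It shows what each party verifies: the KDC never sees the password, the TGS and RS require the authenticator to match the ticket and be fresh, the RS rejects a replayed authenticator, and the client checks Timestamp+1 so that the servers authenticate themselves too.

```python
import hashlib, hmac, json, os, time
def seal(key: bytes, obj: dict) -> bytes:       # toy encrypt-then-MAC standing in for Kerberos etypes
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, hashlib.shake_256(key + nonce).digest(len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()
def unseal(key: bytes, blob: bytes) -> dict:    # raises unless the caller holds the same key
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, hashlib.shake_256(key + nonce).digest(len(ct)))))
TGS_SK = os.urandom(32)                                       # TGS secret key, held only by the KDC
SERVICES = {"fileserver": os.urandom(32)}                     # Resource Server secret keys (constructed)
USERS = {"alice": hashlib.sha256(b"correct horse").digest()}  # KDC copy of CSK = one-way hash of password
SEEN, SKEW = set(), 300                                       # RS replay cache; allowed clock drift (seconds)
def authenticator(key: bytes, user: str):                     # C / F: {Username, Timestamp} under a session key
    ts = time.time()
    return ts, seal(key, {"user": user, "ts": ts})
def check(ticket: dict, auth: dict) -> None:                  # names agree, ticket still valid, timestamp fresh
    if auth["user"] != ticket["user"] or time.time() > ticket["valid_until"] or abs(time.time() - auth["ts"]) > SKEW:
        raise PermissionError("authenticator does not match ticket, ticket expired, or clock skew")
def as_exchange(username: str):                               # username in clear -> A (SK under CSK), B (TGT)
    sk = os.urandom(32)
    tgt = {"user": username, "na": "10.0.0.5", "valid_until": time.time() + 600, "sk": sk.hex()}
    return seal(USERS[username], {"sk": sk.hex()}), seal(TGS_SK, tgt)
def tgs_exchange(tgt: bytes, c: bytes, service: str):         # B + C -> D (ST under RSSK), E (under SK)
    t = unseal(TGS_SK, tgt); sk = bytes.fromhex(t["sk"])
    a = unseal(sk, c); check(t, a)                            # only a holder of SK could have built C
    cssk = os.urandom(32)
    st = {"user": t["user"], "na": t["na"], "valid_until": t["valid_until"], "cssk": cssk.hex()}
    return seal(SERVICES[service], st), seal(sk, {"ts_plus_1": a["ts"] + 1, "cssk": cssk.hex()})
def rs_exchange(service: str, st: bytes, f: bytes) -> bytes:  # D + F -> G (under CSSK)
    t = unseal(SERVICES[service], st); cssk = bytes.fromhex(t["cssk"])
    a = unseal(cssk, f); check(t, a)
    if (t["user"], a["ts"]) in SEEN:                          # same authenticator presented twice: replay
        raise PermissionError("replayed authenticator")
    SEEN.add((t["user"], a["ts"]))
    return seal(cssk, {"ts_plus_1": a["ts"] + 1, "resource": "report.pdf"})   # constructed resource name

def client_login(username: str, password: str, service: str) -> str:
    enc_a, tgt = as_exchange(username)                        # the password itself never leaves the client
    sk = bytes.fromhex(unseal(hashlib.sha256(password.encode()).digest(), enc_a)["sk"])  # wrong password -> ValueError
    ts, c = authenticator(sk, username)
    st, enc_e = tgs_exchange(tgt, c, service)
    e = unseal(sk, enc_e); cssk = bytes.fromhex(e["cssk"])
    ts2, f = authenticator(cssk, username)
    g = unseal(cssk, rs_exchange(service, st, f))
    if e["ts_plus_1"] != ts + 1 or g["ts_plus_1"] != ts2 + 1: # mutual authentication: TGS proved SK, RS proved CSSK
        raise PermissionError("server failed to prove knowledge of the session key")
    return g["resource"]
```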

Page 9: Deep Dive In To Kerberos

Kerberos in Practice

Page 10: Deep Dive In To Kerberos

Java Example for Requesting a Kerberos Ticket in Client

Page 11: Deep Dive In To Kerberos

Kerberos in Practice: background knowledge

● JAAS - Java Authentication and Authorization Service

  – LoginModule (javax.security.auth.spi.LoginModule)

    ● Classes implementing this contain the actual authentication code

    ● Various mechanisms to authenticate

  – LoginContext (javax.security.auth.login.LoginContext)

    ● Starts the authentication process by creating a Subject

  – Subject (javax.security.auth.Subject)

    ● A single user, entity or system

  – Principal (java.security.Principal)

    ● Encapsulates features or properties of a Subject

  – Credentials

Page 12: Deep Dive In To Kerberos

Browser Based Kerberos Ticket Validation

Page 13: Deep Dive In To Kerberos

Kerberos in Practice: background knowledge

● GSSAPI – Generic Security Service Application Program Interface

  – IETF standard

● SPNEGO – Simple and Protected GSSAPI Negotiation Mechanism

  – A pseudo-mechanism used by client-server software to negotiate the choice of security technology

Page 14: Deep Dive In To Kerberos

Browser Based Kerberos Authentication Example: Sample Requests and Responses

Page 15: Deep Dive In To Kerberos

Special Thanks

● Praboda Disanayaka – for providing the Kerberos work flow slide

● Vicknesh Subramaniyam – for providing the sample HTTP requests/responses

Page 16: Deep Dive In To Kerberos

Q&A

Discussion

Page 17: Deep Dive In To Kerberos

Thank you and Good Luck :-)