Network Security:

Network Security:

Kerberos

Tuomas Aura

T-110.5240 Network security

Aalto University, Nov-Dec 2012

Outline

Kerberos authentication

Kerberos in Windows domains

Kerberos authentication

Kerberos

Shared-key protocol for user login authentication

Uses passwords as shared keys

Solves security and scalability problems in password-based authentication in large domains

Based loosely on the Needham-Schroeder secret-key protocol

Kerberos v4 1988- at MIT

Kerberos v5 1993- [RFC 4120]

Updated protocol and algorithms ASN.1 BER message encoding

Implemented in Windows 2000 and later

Used in intranets: e.g. university Unix systems, corporate Windows domains

Kerberos architecture

1.–2. Authentication

3.–4. Ticket for a specific service 5.–6. Authentication to the service

KDC

TGS AS

Application server B

Client A

1. KRB_AS_REQ 2. KRB_AS_REP 3. KRB_TGS_REQ 4. KRB_TGS_REP

5. KRB_AP_REQ

6. KRB_AP_REP

ap_client.exe ap_server.exe

Kerberos terminology

Client-server computing model

Authentication for remote login sessions: e.g. interactive telnet, RPC Users and services are principals

Key distribution center (KDC)

Two components: authentication server (AS) and ticket-granting server (TGS)

Trusted by all principals to help in the authenticated key exchange

KDC shares a master key with each principal

Long-term secret that is used only for initial key exchange Usually derived by hashing a password [RFC3961]:

password for each user; also a password for each service

When user logs in, his workstation uses the password to obtain a ticket-granting-ticket (TGT) from AS

When client needs to access remote services, it uses TGT to request a service ticket from TGS for each server

(Note how the two-step process could be generalized to more steps)

Kerberos architecture (some details)

KDC

TGS AS

Application server B

Client A

1. KRB_AS_REQ 2. KRB_AS_REP 3. KRB_TGS_REQ 4. KRB_TGS_REP

5. KRB_AP_REQ

6. KRB_AP_REP

TGT

TGT, KAT Service ticket, KAB

Service ticket

ap_client.exe ap_server.exe krbtgt@RealmY

A@RealmY B@RealmY

1.–2. Authentication with password

→ client gets TGT and K_AT

3.–4. Authentication with TGT and K_AT

→ client gets

service ticket and K_AB 5.–6. Authentication with service

ticket and K_AB

→ client gets service access

Message type, version

Kerberos ticket

Same format for both TGT and service ticket

Credentials = ticket + key

ASN.1 encoding in Kerberos v5

“Encryption” also protects integrity, actually encryption and a MAC

Flags:

FORWARDABLE, FORWARDED,

PROXIABLE, PROXY, MAY-POST-DATE, POSTDATED, INVALID, RENEWABLE, INTINIAL, PRE-AUTHENT, HW-AUTHENT INITIAL flag indicates TGT

REALM, SNAME Server name and realm

FLAGS KEY

CNAME, CREALM Client name and realm

TRANSITED transit realms AUTH-TIME, END-TIME

CADDR

Client IP address (optional) AUTORIZATION-DATA

App-specific access constraints ^Enc

rypted with server’s master key

Kerberos protocol (more details)

Initial login of user A:

1. A → AS: Preauthentication, A, TGS, N_A1, Addr_A 2. AS → A: A, TGT, E_KA (K_A-TGS, N_A1, TGS, Addr_A)

Ticket request:

3. A → TGS: TGT, Authenticator_A-TGS, B, N_A2, Addr_A 4. TGS → A: A, Ticket, E_KA-TGS (K_AB, N_A2, B, Addr_A)

Authentication to server B:

5. A → B: Ticket, Authenticator_AB 6. B → A: AP_REP

K_A , K_TGS, K_B = master keys of A, TGS and B K_A-TGS = shared key for A and TGS

K_AB = shared key for A and B

TGT = B, E_KTGS (INITIAL, K_A-TGS, A, T_auth, T_expiry1, Addr_A)) Ticket = B, E_KB(K_AB, A, T_auth, T_expiry2, Addr_A))

Preauthentication = E_KA (¹ T_A) Authenticator_A-TGS = E_KA-TGS (² T_A) Authenticator_AB = E_KAB (³ T_A) AP_REP = E_KAB(⁴ T_A)

A, B = principal names T_x = timestamp

Addr_A = A’s IP addresses

Notes:

1234) ASN.1 encoding adds type tags to all messages

Encryption mode also protects message integrity

Crypto algorithms

Algorithms in older implementations were complex and potentially weak e.g.:

DES encryption

CRC-32 encrypted with DES in CBC mode for integrity

Latest algorithm specification [RFC3961]

recommends AES and HMAC

Encryption mode must protect message integrity

Can be implemented by appending an HMAC

Kerberos realms

Users and services registered to one KDC form a realm

name@realm, e.g. A@X, alice@asia.sales.contoso.com

Cross-realm trust:

Two KDCs X and Y share a key (krbtgt@Y is registered in KDC X and krbtgt@X in KDC Y) KDCs believe each other to be honest and competent to name users in their own realm

Cross-realm authentication:

Client A@X requests from TGS at realm X a ticket for TGS at realm Y The ticket is encrypted for krbtgt@Y (i.e. TGS at realm Y)

Client A@X requests from TGS at realm Y a ticket for server B@Y

Access control at several steps:

Local policy at each KDC about when to honor tickets from other realms

Local policy at B@Y about whether to allow access to users from other realms

ACLs at B@Y determine whether the users is allowed to access the particular resources

Possible to transit multiple realms → TRANSITED field in the ticket lists intermediate realms

Server B User A

Realm X Realm Y

Cross-realm trust User registration

12

Realm hierarchy

Large organizations can have a realm hierarchy

Hierarchy follows internet names

→ easy to find a path between realms

→ can filter cross-realm requests based on the names

Can add shortcut links or create even a fully connected graph between KDCs

E.g. Windows domain hierarchy

Compare with X.509 certification hierarchy: similarities, differences?

contoso.com

sales.contoso.com dev.contoso.com

euro.sales.contoso.com asia.sales.contoso.com

Bob David Alice

Charlie

Cross-realm trust User registration

Password guessing attacks

Kerberos is vulnerable to password guessing:

Sniffed KRB_AS_REQ or KRB_AS_REP can be used to test

candidate passwords → offline brute-force password guessing In Kerberos v4, anyone could request a password-encrypted TGT from AS → easy to obtain material for password cracking Preauthentication in Kerberos v5 prevents active attacks to obtain material for password cracking → must sniff it

Note: active vs. passive attacks

Misleading thinking: active attacks (e.g. MitM) are more difficult to implement than passive attacks (sniffing)

Reality: Active attacks can often be initiated by the attacker while passive attacks require attacker to wait for something to sniff → vulnerability to such active attacks is serious

!

!

PKINIT

Goal: take advantage of an existing PKI to bootstrap authentication in Kerberos

Replaces the KRB_AS_REQ / KRB_AS_REP exchange with a public-key protocol

Public-key authentication and encryption to obtain TGT Continue with standard Kerberos → transparent to TGS and application servers

No password, so not vulnerable to password guessing

Uses DSS signatures and ephemeral DH

Windows 2000 and later, now standard [RFC 4556]

Using the session key

Applications need to be modified i.e. “Kerberized” to use Kerberos for authentication

Authentication at the beginning of a session is of little value unless session data is protected with the session keys

Attacker could not initiate sessions but is could sniff, modify and spoof session data (e.g. Kerberized telnet)

Applications use the session key K_AB in any way they want

KRB_AP_REQ and KRB_AP_REP may include further key material (subkeys) that is sent encrypted under K_AB

Kerberos provides special messages for integrity protection and encryption:

KRB_SAFE: data, T_A, SN, addr_A, addr_B, MAC_KAB(…) KRB_PRIV: E_KAB(data, T_A, SN, addr_A, addr_B)

Access to these functions happens often through GSSAPI (called SSPI in Windows)

Another message KRB_CRED for sending credentials (ticket and secret key) for the purpose of delegation

Delegation

Server may need to perform tasks on the client’s behalf

Recursive RPC; agents operating when the user is no longer logged in;

batch processing at night

Alice can give her TGT or service ticket and key to David Controlling the use of delegated rights in applications:

Ticket may specify many allowed client IP addresses

Authorization-data field in ticket may contain app-specific restrictions It is safer to delegate a service ticket than TGT

Ticket flags related to delegation:

FORWARDABLE flag in TGT: the TGT can be used to obtain a new TGT with different IP addresses

PROXIABLE flag in TGT: the TGT can be used to obtain service tickets with a different IP address

Kerberos delegation is identity delegation

When B has A’s ticket and key, B can act as A and nobody can tell the difference → difficult to audit access; similar to sharing passwords Other protocols delegate only access rights, and the delegate can be identified

Kerberos in Windows domains

Thanks to Dieter Gollmann

Windows access control summary

The O/S stores security attributes for each processes (subject) in an access token

Token contains a list of privileges and SIDs (i.e. user and group identifiers)

Permissions are decided by comparing the list of SIDs against a DACLs on an object

The access token is local to the machine, created at login time, and never sent over the network

How to authorize access to resources managed by a Windows service (=daemon) on a remote server,

e.g. over remote procedure call (RPC)?

Network credentials

Alice’s user name, SID and network credentials are cached on the user workstation

username and password, or TGT and K_A-TGS

Alice’s processes can use her network credentials for remote login

Two authentication protocols: NTLM and Kerberos V5 (RFC 1510)

These authentication protocols do not reveal the password to the server

Applications can also ask the user for a different user name and credentials and store them

separately

20

Tokens and remote access

Access tokens are meaningful only to the local machine and cannot be sent over network

The server does not trust the client machine to tell who Alice is and which groups she belongs to

Instead, the client authenticates Alice to the server using her network credentials. The server creates a new login session and a new token (on the server) for Alice

The service may now assign the token to a process or thread (=impersonation)

The authentication protocols also

provide the server with Alice’s user and group SIDs

produce a session key for protecting data between the client and server

Encryption and authentication of session data is controlled by applications

Different secure session protocol exist for network logon, RPC, COM

Kerberos in Windows

Realm = Windows domain

Realm hierarchy = domain hierarchy KDC = domain controller (DC)

Information about users is stored in active directory (AD)

Kerberos authenticates “principals”, but which principals should be authenticated?

User name and a domain name (e.g. MYCOMPANY\Boss)?

Appropriate fields in the ticket for this are CNAME and CREALM Principals according to the access control model? Windows

puts the user SID and group SIDs in the field authorization-data

 This created a major controversy in the early 2000s, now standardized

Message type, version

Kerberos ticket in Windows

REALM, SNAME Server name and realm

FLAGS KEY

CNAME, CREALM Client name and realm

TRANSITED transit realms AUTH-TIME, END-TIME

CADDR

Client IP address (optional) AUTORIZATION-DATA

App-specific access constrains ^Enc

rypted with server’s master key

Username, domain

User and group SIDs

Related reading

William Stallings. Network security essentials:

applications and standards, 3rd ed. chapter 4.1; 4th ed.

chapter 4.1–4.2 (Kerberos v5 only)

William Stallings. Cryptography and Network Security, 4th ed.: chapters 14.1 (Kerberos v5)

Dieter Gollmann. Computer Security, 2nd ed.: chapter 12.4; 3rd ed. chapter 15.4

Kaufmann, Perlman, Speciner. Network security, 2nd ed.: chapter 14

Online:

How the Kerberos Version 5 Authentication Protocol Works,

http://technet.microsoft.com/en-us/library/cc772815(v=ws.10).aspx

Exercises

How does Kerberos fix the flaw in Needham-Schroeder secret-key protocol?

Find source code for a Kerberized client/server application (e.g. telnet) and see how it accesses Kerberos services

Why is Kerberos used on the intranets and TLS/SSL on the Internet? Could it be the other way?

Learn about Encrypted Key Exchange (EKE) and other

similar password-based authentication protocols. Which problem do they solve?

Should standard protocols include data fields or

messages for proprietary extensions? What are the

arguments for and against?