1b528cefcSMark Murray@node What is Kerberos?, Building and Installing, Introduction, Top 2b528cefcSMark Murray@chapter What is Kerberos? 3b528cefcSMark Murray 4b528cefcSMark Murray@quotation 5b528cefcSMark Murray@flushleft 6b528cefcSMark Murray Now this Cerberus had three heads of dogs, 7b528cefcSMark Murray the tail of a dragon, and on his back the 8b528cefcSMark Murray heads of all sorts of snakes. 9b528cefcSMark Murray --- Pseudo-Apollodorus Library 2.5.12 10b528cefcSMark Murray@end flushleft 11b528cefcSMark Murray@end quotation 12b528cefcSMark Murray 13b528cefcSMark MurrayKerberos is a system for authenticating users and services on a network. 14b528cefcSMark MurrayIt is built upon the assumption that the network is ``unsafe''. For 15b528cefcSMark Murrayexample, data sent over the network can be eavesdropped and altered, and 16b528cefcSMark Murrayaddresses can also be faked. Therefore they cannot be used for 17b528cefcSMark Murrayauthentication purposes. 18b528cefcSMark Murray@cindex authentication 19b528cefcSMark Murray 20b528cefcSMark MurrayKerberos is a trusted third-party service. That means that there is a 21b528cefcSMark Murraythird party (the kerberos server) that is trusted by all the entities on 22b528cefcSMark Murraythe network (users and services, usually called @dfn{principals}). All 23b528cefcSMark Murrayprincipals share a secret password (or key) with the kerberos server and 24b528cefcSMark Murraythis enables principals to verify that the messages from the kerberos 25b528cefcSMark Murrayserver are authentic. Thus trusting the kerberos server, users and 26b528cefcSMark Murrayservices can authenticate each other. 27b528cefcSMark Murray 28b528cefcSMark Murray@section Basic mechanism 29b528cefcSMark Murray 30b528cefcSMark Murray@ifinfo 31b528cefcSMark Murray@macro sub{arg} 32b528cefcSMark Murray<\arg\> 33b528cefcSMark Murray@end macro 34b528cefcSMark Murray@end ifinfo 35b528cefcSMark Murray 36b528cefcSMark Murray@tex 37b528cefcSMark Murray@def@xsub#1{$_{#1}$} 38b528cefcSMark Murray@global@let@sub=@xsub 39b528cefcSMark Murray@end tex 40b528cefcSMark Murray 41b528cefcSMark Murray@ifhtml 42b528cefcSMark Murray@macro sub{arg} 43b528cefcSMark Murray<\arg\> 44b528cefcSMark Murray@end macro 45b528cefcSMark Murray@end ifhtml 46b528cefcSMark Murray 47b528cefcSMark Murray@quotation 48b528cefcSMark Murray@strong{Note:} This discussion is about Kerberos version 4, but version 49b528cefcSMark Murray5 works similarly. 50b528cefcSMark Murray@end quotation 51b528cefcSMark Murray 52b528cefcSMark MurrayIn Kerberos, principals use @dfn{tickets} to prove that they are who 53b528cefcSMark Murraythey claim to be. In the following example, @var{A} is the initiator of 54b528cefcSMark Murraythe authentication exchange, usually a user, and @var{B} is the service 55b528cefcSMark Murraythat @var{A} wishes to use. 56b528cefcSMark Murray 57b528cefcSMark MurrayTo obtain a ticket for a specific service, @var{A} sends a ticket 58b528cefcSMark Murrayrequest to the kerberos server. The request contains @var{A}'s and 59b528cefcSMark Murray@var{B}'s names (along with some other fields). The kerberos server 60b528cefcSMark Murraychecks that both @var{A} and @var{B} are valid principals. 61b528cefcSMark Murray 62b528cefcSMark MurrayHaving verified the validity of the principals, it creates a packet 63b528cefcSMark Murraycontaining @var{A}'s and @var{B}'s names, @var{A}'s network address 64b528cefcSMark Murray(@var{A@sub{addr}}), the current time (@var{t@sub{issue}}), the lifetime 65b528cefcSMark Murrayof the ticket (@var{life}), and a secret @dfn{session key} 66b528cefcSMark Murray@cindex session key 67b528cefcSMark Murray(@var{K@sub{AB}}). This packet is encrypted with @var{B}'s secret key 68b528cefcSMark Murray(@var{K@sub{B}}). The actual ticket (@var{T@sub{AB}}) looks like this: 69b528cefcSMark Murray(@{@var{A}, @var{B}, @var{A@sub{addr}}, @var{t@sub{issue}}, @var{life}, 70b528cefcSMark Murray@var{K@sub{AB}}@}@var{K@sub{B}}). 71b528cefcSMark Murray 72b528cefcSMark MurrayThe reply to @var{A} consists of the ticket (@var{T@sub{AB}}), @var{B}'s 73b528cefcSMark Murrayname, the current time, the lifetime of the ticket, and the session key, all 74b528cefcSMark Murrayencrypted in @var{A}'s secret key (@{@var{B}, @var{t@sub{issue}}, 75b528cefcSMark Murray@var{life}, @var{K@sub{AB}}, @var{T@sub{AB}}@}@var{K@sub{A}}). @var{A} 76b528cefcSMark Murraydecrypts the reply and retains it for later use. 77b528cefcSMark Murray 78b528cefcSMark Murray@sp 1 79b528cefcSMark Murray 80b528cefcSMark MurrayBefore sending a message to @var{B}, @var{A} creates an authenticator 81b528cefcSMark Murrayconsisting of @var{A}'s name, @var{A}'s address, the current time, and a 82b528cefcSMark Murray``checksum'' chosen by @var{A}, all encrypted with the secret session 83b528cefcSMark Murraykey (@{@var{A}, @var{A@sub{addr}}, @var{t@sub{current}}, 84b528cefcSMark Murray@var{checksum}@}@var{K@sub{AB}}). This is sent together with the ticket 85b528cefcSMark Murrayreceived from the kerberos server to @var{B}. Upon reception, @var{B} 86b528cefcSMark Murraydecrypts the ticket using @var{B}'s secret key. Since the ticket 87b528cefcSMark Murraycontains the session key that the authenticator was encrypted with, 88b528cefcSMark Murray@var{B} can now also decrypt the authenticator. To verify that @var{A} 89b528cefcSMark Murrayreally is @var{A}, @var{B} now has to compare the contents of the ticket 90b528cefcSMark Murraywith that of the authenticator. If everything matches, @var{B} now 91b528cefcSMark Murrayconsiders @var{A} as properly authenticated. 92b528cefcSMark Murray 93b528cefcSMark Murray@c (here we should have some more explanations) 94b528cefcSMark Murray 95b528cefcSMark Murray@section Different attacks 96b528cefcSMark Murray 97b528cefcSMark Murray@subheading Impersonating A 98b528cefcSMark Murray 99b528cefcSMark MurrayAn impostor, @var{C} could steal the authenticator and the ticket as it 100b528cefcSMark Murrayis transmitted across the network, and use them to impersonate 101b528cefcSMark Murray@var{A}. The address in the ticket and the authenticator was added to 102b528cefcSMark Murraymake it more difficult to perform this attack. To succeed @var{C} will 103b528cefcSMark Murrayhave to either use the same machine as @var{A} or fake the source 104b528cefcSMark Murrayaddresses of the packets. By including the time stamp in the 105b528cefcSMark Murrayauthenticator, @var{C} does not have much time in which to mount the 106b528cefcSMark Murrayattack. 107b528cefcSMark Murray 108b528cefcSMark Murray@subheading Impersonating B 109b528cefcSMark Murray 110b528cefcSMark Murray@var{C} can hijack @var{B}'s network address, and when @var{A} sends 111b528cefcSMark Murrayher credentials, @var{C} just pretend to verify them. @var{C} can't 112b528cefcSMark Murraybe sure that she is talking to @var{A}. 113b528cefcSMark Murray 114b528cefcSMark Murray@section Defense strategies 115b528cefcSMark Murray 116b528cefcSMark MurrayIt would be possible to add a @dfn{replay cache} 117b528cefcSMark Murray@cindex replay cache 118b528cefcSMark Murrayto the server side. The idea is to save the authenticators sent during 119b528cefcSMark Murraythe last few minutes, so that @var{B} can detect when someone is trying 120b528cefcSMark Murrayto retransmit an already used message. This is somewhat impractical 121b528cefcSMark Murray(mostly regarding efficiency), and is not part of Kerberos 4; MIT 122b528cefcSMark MurrayKerberos 5 contains it. 123b528cefcSMark Murray 124b528cefcSMark MurrayTo authenticate @var{B}, @var{A} might request that @var{B} sends 125b528cefcSMark Murraysomething back that proves that @var{B} has access to the session 126b528cefcSMark Murraykey. An example of this is the checksum that @var{A} sent as part of the 127b528cefcSMark Murrayauthenticator. One typical procedure is to add one to the checksum, 128b528cefcSMark Murrayencrypt it with the session key and send it back to @var{A}. This is 129b528cefcSMark Murraycalled @dfn{mutual authentication}. 130b528cefcSMark Murray 131b528cefcSMark MurrayThe session key can also be used to add cryptographic checksums to the 132b528cefcSMark Murraymessages sent between @var{A} and @var{B} (known as @dfn{message 133b528cefcSMark Murrayintegrity}). Encryption can also be added (@dfn{message 134b528cefcSMark Murrayconfidentiality}). This is probably the best approach in all cases. 135b528cefcSMark Murray@cindex integrity 136b528cefcSMark Murray@cindex confidentiality 137b528cefcSMark Murray 138b528cefcSMark Murray@section Further reading 139b528cefcSMark Murray 140b528cefcSMark MurrayThe original paper on Kerberos from 1988 is @cite{Kerberos: An 141b528cefcSMark MurrayAuthentication Service for Open Network Systems}, by Jennifer Steiner, 142b528cefcSMark MurrayClifford Neuman and Jeffrey I. Schiller. 143b528cefcSMark Murray 144b528cefcSMark MurrayA less technical description can be found in @cite{Designing an 145b528cefcSMark MurrayAuthentication System: a Dialogue in Four Scenes} by Bill Bryant, also 146b528cefcSMark Murrayfrom 1988. 147b528cefcSMark Murray 148b528cefcSMark MurrayThese documents can be found on our web-page at 149b528cefcSMark Murray@url{http://www.pdc.kth.se/kth-krb/}. 150