IS Lec4

The document provides an overview of Kerberos, a network authentication protocol that allows secure client-server communication through a trusted third party. It details the protocol's history, its operational steps, strengths, and weaknesses, including the use of encrypted tickets and mutual authentication. Additionally, it highlights the importance of understanding Kerberoasting attacks, which target the Kerberos protocol to compromise sensitive information.

Anum Hasan

Information Security
BESE-27

Lecture 4
Lecture Outline
• Key management
• Kerberos
• Digital Certificate
Kerberos
Introduction to Kerberos
• Kerberos provides a way to authenticate clients and
services to each other through a trusted third party (KDC).

• Kerberos makes the assumption that the connection between a client and service is insecure.

• Passwords are encrypted to prevent others from reading them.

• Clients only have to authenticate once during a pre-defined lifetime (ticket).
History

• Kerberos was designed and developed at MIT by Project Athena.

• Currently, Kerberos is up to Version 5.

• Version 4 was the first version to be released outside of MIT.

• Kerberos has been adopted by several private companies as well as added to several operating systems.
Kerberos v4 Overview
• A basic third-party authentication scheme

• Have an Authentication Server (AS)
– Users initially negotiate with the AS to identify themselves
– The AS provides a non-corruptible authentication credential (ticket granting ticket, TGT)

• Have a Ticket Granting Server (TGS)
– Users subsequently request access to other services from the TGS on the basis of the user's TGT

• Using a complex communication protocol that uses DES

How does Kerberos work?
• Instead of client sending password to application
server:
– Request Ticket from authentication server
– Ticket and encrypted request sent to application server

• How to request tickets without repeatedly sending credentials?
– Ticket granting ticket (TGT)
The Kerberos Protocol

• Suppose a client C wants to communicate with a server S in a Kerberos version 5 realm.
Step 1:
• The first step is for the client to authenticate itself with the
Kerberos Authentication Service and request a Ticket Granting
Ticket.

C → AS: C, KC-AS(TGS, N1)

• This requests a ticket for client (C) for the Ticket Granting
Service (TGS), with N1 as a timestamp nonce.
The Kerberos Protocol

Step 2:
• When the Authentication Service receives the request, it
decrypts the request and verifies the client’s identity. It then
generates a session key for the client and Ticket Granting
Service to use, as well as a ticket. It sends back:

AS → C: KC-AS(KC-TGS, KAS-TGS(TGT), N1)

where
TGT = (C, TGS, T1, L1, KC-TGS)
T1, L1 are the ticket’s timestamp and lifespan

• Since this is encrypted with C’s secret key, only the client can
make use of it, and only the Authentication Service could have
sent it.
The Kerberos Protocol

Step 3:
• Client decrypts the response to get a session key for the Ticket
Granting Service (KC-TGS) and a ticket-granting ticket
(KAS-TGS(TGT)).
• When the client needs to contact the server S, it creates a fresh
authenticator (AUTH) and requests a ticket from the Ticket
Granting Service:

C → TGS: KC-TGS(AUTH), KAS-TGS(TGT), S, N2

where
AUTH = (C, N3)
The Kerberos Protocol
Step 4:
• The Ticket Granting Service decrypts the ticket-granting ticket
and obtains the session key (KAS-TGS(TGT)) within it.
• TGS decrypts the authenticator and compares client identifiers
in the authenticator and ticket.
• TGS generates a new session key for the client and server, as
well as a service ticket, and sends:

TGS → C: KC-TGS(KC-S, KS-TGS(STK), N2)

where
STK = (C, S, T2, L2, KC-S)
T2, L2 are the ticket’s timestamp and lifespan

• Since this is encrypted with the session key, only the client can
make use of it, and only the Ticket Granting Service could have
sent it.
The Kerberos Protocol

Step 5:
• The client decrypts the response from the TGS to get the session
key for the server and a service ticket to use with it.
• When the client needs to contact the server S, it creates a fresh
authenticator (AUTH) and sends this, along with the service
ticket, and its request R:

C → S: KC-S(AUTH), KS-TGS(STK), R, N4

where
AUTH = (C, N5)
The Kerberos Protocol

Step 6:
• The server decrypts the service ticket and obtains the session
key within it.
• The server decrypts the authenticator and compares client
identifiers in the authenticator and ticket.
• The server executes request R and replies with answer A, and
the nonce in the client’s request.

S → C: KC-S(A, N4)

• Since this is encrypted with the session key, only the client can
make use of it, and only server could have sent it. The session
key can be used for additional requests in this session, and then
destroyed.
The Kerberos Protocol

Message flow between C, AS, TGS and S:

1. C → AS: C, KC-AS(TGS, N1)
2. AS → C: KC-AS(KC-TGS, KAS-TGS(TGT), N1)
3. C → TGS: KC-TGS(AUTH), KAS-TGS(TGT), S, N2
4. TGS → C: KC-TGS(KC-S, KS-TGS(STK), N2)
5. C → S: KC-S(AUTH), KS-TGS(STK), R, N4
6. S → C: KC-S(A, N4)
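
The six messages above, run end to end as an added example (not part of the lecture). It shows the checks each party makes: nonce echo, ticket lifetime, and the client identifier in the authenticator against the one in the ticket. `seal`/`unseal` are a toy authenticated cipher standing in for DES/AES; the key values, lifetimes, principal names and the single-client AS are assumptions.

```python
import hashlib, hmac, json, os

def seal(key, obj):
    # Toy authenticated encryption, a stand-in for the DES/AES the slides name.
    k, iv, pt = bytes.fromhex(key), os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, hashlib.shake_256(k + iv).digest(len(pt))))
    return (iv + ct + hmac.new(k, iv + ct, hashlib.sha256).digest()).hex()

def unseal(key, blob):
    k, raw = bytes.fromhex(key), bytes.fromhex(blob)
    iv, ct, tag = raw[:16], raw[16:-32], raw[-32:]
    if not hmac.compare_digest(tag, hmac.new(k, iv + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, hashlib.shake_256(k + iv).digest(len(ct)))))

def newkey():
    return os.urandom(16).hex()
K_C_AS, K_AS_TGS, K_S_TGS = newkey(), newkey(), newkey()  # constructed long-term keys

def check_ticket(ticket_key, ticket, auth, now):  # the checks of steps 4 and 6
    client, _service, t, life, session = unseal(ticket_key, ticket)
    if now > t + life:
        raise ValueError("ticket expired")
    if unseal(session, auth)[0] != client:
        raise ValueError("authenticator does not match ticket")
    return client, session

def as_reply(c, req, now):  # step 2: TGT = (C, TGS, T1, L1, KC-TGS)
    tgs, n1 = unseal(K_C_AS, req)
    k_c_tgs = newkey()
    return seal(K_C_AS, [k_c_tgs, seal(K_AS_TGS, [c, tgs, now, 600, k_c_tgs]), n1])

def tgs_reply(auth, tgt, s, n2, now):  # step 4: STK = (C, S, T2, L2, KC-S)
    c, k_c_tgs = check_ticket(K_AS_TGS, tgt, auth, now)
    k_c_s = newkey()
    return seal(k_c_tgs, [k_c_s, seal(K_S_TGS, [c, s, now, 300, k_c_s]), n2])

def server_reply(auth, stk, r, n4, now):  # step 6: answer A plus the nonce N4
    c, k_c_s = check_ticket(K_S_TGS, stk, auth, now)
    return seal(k_c_s, [f"{r} done for {c}", n4])

def client_run(c="alice", s="fileserver", now=1000, delay=0):  # steps 1, 3, 5
    n1, n2, n4 = (os.urandom(4).hex() for _ in range(3))
    k1, tgt, e1 = unseal(K_C_AS, as_reply(c, seal(K_C_AS, ["TGS", n1]), now))
    k2, stk, e2 = unseal(k1, tgs_reply(seal(k1, [c, newkey()]), tgt, s, n2, now))
    a, e4 = unseal(k2, server_reply(seal(k2, [c, newkey()]), stk, "read", n4, now + delay))
    if (e1, e2, e4) != (n1, n2, n4):  # each reply must echo its request's nonce
        raise ValueError("nonce mismatch: stale or replayed reply")
    return a
```

Calling `client_run(delay=301)` presents the service ticket one second past its 300-second lifespan, and the server rejects it.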
Strengths
1. Passwords are never sent across the network unencrypted. This
prevents attackers from being able to read the most important data sent
over the network.

2. Clients and application services mutually authenticate. Mutual authentication lets both ends know whom they are truly communicating with.

3. Tickets have a limited lifetime, so if they are stolen, unauthorized use is limited to the time frame in which the ticket is valid.
Weaknesses

1. Kerberos only provides authentication for clients and services.

2. Kerberos 4 uses DES, which has been shown to be vulnerable to brute-force attacks with little computing power. However, Kerberos 5 now uses AES.

3. The principal-key database on the KDC has to be hardened or else bad things can happen.

4. The KDC is a single point of failure.

Important: study about the Kerberoasting attack

A Kerberoasting attack is a hacking technique targeting Microsoft's Kerberos authentication protocol, which is used to verify user identities in a network (like in Windows domains). In short, a Kerberoasting attack is all about stealing and cracking service tickets to reveal sensitive passwords, which can lead to unauthorized access within a network.
Kerberos FAST, Managed Service Accounts
