Kerberos Authentication Security

http://bit.ly/bLLyy3

Here are my notes on the Kerberos information security approach for single-sign-on authentication which originated from MIT.

Topics this page:

Site Map  
About this site  

Car horn

Authentication using Kerberos v5 PKI

Introduction to Kerberos by Wanda Scott

How it works: Windows 2000 Kerberos Authentication
810755
Microsoft's Introduction to the Windows 2000 Public-Key Infrastructure

[RFC 1510]

KerbTray.exe from the Resource Kit lists and purges tickets. Its icon appears on the task bar.

KerbList.exe from the Resource Kit views and deletes the Kerberos tickets granted to the current logon session.

The UNIX kdestroy command erases tickets to prevent reuse.

The KDC (Key Distribution Center) runs on every DC as a principal named krbtgt. A network that includes a Kerberos server is called a realm.

Novell NetWare 5 Secure Authentication Services (SAS) provides an infrastructure for Kerberos-based user authentication. It is part of Novell's NetWare BorderManager Authentication Services 3 Enhancement Pack.

Kerberos SubProtocols

Kerberos is named after a Greek mythological monster with three heads. So it's fitting that it involves 3 parties: a client, a service, and in the middle, the KDC. Kerberos authentication supports -- you guessed it -- 3 subprotocols.

SubProtocol	Process	Note
Preauthentication	User creates long term key
	When a user logs on with password, the Kerberos client running on the workstation converts that password to an encryption key, saves result in its credentials cache.
1. AS (Authentication Service) Exchange	1. The client sends a timestamp in a KRB_AS_REQ to the KDC. UNIX clients issue a kinit command to receive a ticket.
	2. If the KDC is sure the decrypted timestamp is within parameters, it invents a logon session key, for the TGS service and adds a copy into a TGT and sends them in a KRB_AS_REP to the client.
	The client decrypts it, extracts the TGT, and stores them in its credentials cache.
2. TGT (Ticket Granting Ticket) Exchange	3. Client sends a KRB_TGT_REQ to the KDC.
	4. If, after the KDC decrypts and evaluates the timed authenticator and finds it valid, the KDC assembles and sends a KRB_TGT_REP back to the client.
	The Client receives it, decrypts the service session key with its own logon session key, and extracts the TGT for the desired service for storage in its credentials cache.
3. CS (Client/Server) Exchange	5. The Client assembles and sends a time-stamped KRB_AP_REQ to the KDC.
	6. The service decrypts the TGT with its long term key. It then extracts the client's authentication data and authenticator stored in the TGT. If the timestamp in the authenticator is within acceptable limits, the service assembles and sends a KRB_AP_REP back to the client.
	Client receives it and decrypts the session key with the service session key and extracts. It then extracts the server's authenticator and makes sure its timestamp is within policy limits.

Kerberos Requests and Replies

KRB_AS_REQ

The Kerberos Authentication Service Request has two parts:
1. A Privilege Attribute Certificate (PAC), which contains the user's SID and SIDs of groups that user belongs and and a request for TGS (Ticket Granting Service).
2. preauthentication data that proves user knows the password. This is usually a timestamp encrypted with the user's long-term key.

KRB_AS_REP

The Kerberos Authenication Service Reply contains two credentials:
1. A logon session key encrypted with the user's long-term key.
2. A TGT containing another copy of the logon session key plus the user's authentication data. This the KDC encrypts with its own long-term key.

KRB_TGS_REQ

The Kerberos Ticket Granting Ticket Request is encrypted with the user's long-term key. It contains:
1. The user's UPN
2. An Authenticator containing the time from the user's machine, encrypted with the user's logon session key obtained from the KRB_AS_REP.
3. The TGT from the KRB_AS_REP returned to the KDC
4. The name of the service for which the user wants a ticket. If the client will be delegating authority to a back-end server through a front-end server, the request is also marked "FORWARDABLE"

KRB_TGS_REP

The Kerberos Ticket Granting Ticket Reply contains:
1. A service session key invented from the time on KDC's machine. This is encrypted with the user's logon session key from the KRB_AS_REP.
2. A TGT containing another copy of the session key plus the user's authorization data. This the KDC encrypts with the long-term key of the service requested.

KRB_AP_REQ

The Kerberos Application Request contains:
1. An Authenticator containing the time and encrypted with the session key for the service from the KRB_TGT_REP.
2. The TGT from the KRB_TGS_REP.
3. A flag indicating whether the client wants mutual authentication. (always Yes with Windows 2000).

KRB_AP_REP

The Kerberos Application Reply is encrypted with the service session key. It contains:
1. An Authenticator containing the time on the service server machine
2. The requesting client's authenticator from the KRB_AP_REQ.

[RFC 1510] specifies a maximum of 1,500 octents (2000 bytes) over UDP for transport. However, Windows 2000 clients communicate with KDC's using TCPs if packets are larger than 2,000 octets.

Session Keys are Short-Term Symmetric keys.

Enforcement of logon restrictions using Kerberos is determined by a Group Policy, which is set to "Yes" by default.

The starttime and endtime (expiration) which Tickets are valid are set based on a Group Policy

The Maximum lifetime that a user ticket can be renewed is by default 7 days.

By default, the Maximum lifetime for a service ticket is 60 minutes and 10 hours for a TGT.

By default, the Maximum tolerance for synchronization of computer clocks is 5 minutes.

NetDom, included in the Windows 2000 Server CD displays domain information and repairs corrupted transitive trust data.

Kerberos Defaults to IP Port 88

Even though you have a "block all" ipsec policy, ANYONE can still port scan your computer by binding their scanner to their local port 88. All traffic from any IP port 88 is ASSUMED to be Kerberos traffic and thus exempt from all ipsec filters.

To disable this feature, put value 1 in REG_DWORD: NoDefaultExempt in a registry setting added in Win2K SP1:

HKEY_LOCAL_MACHINE\ SYSTEM\ CurrentControlSet\ Services\ IPSEC

IPSec Does Not Secure Kerberos Traffic Between Domain Controllers