This post is a short review of the Kerberos article published in IEEE Communications in 1994 by B. Clifford Neuman and Theodore Ts’o.
The authors propose Kerberos, a distributed authentication service still widely in use today. It prevents impersonation attacks and provides support for integrity and confidentiality of network communications. The ticket-granting service is at the center of the Kerberos system, and allows a user to prove her identity to multiple application servers after entering her password only once.
Kerberos is motivated by the need for an alternative to passwords as an authentication mechanism in real-time systems. Indeed, passwords are inconvenient for users and prone to eavesdropping. This led to bad practices like authentication by assertion: the identity of users is asserted by applications and transmitted to servers.
Kerberos is based on the Needham and Schroeder protocol [3]. Other approaches exist for authentication on networks. For instance, one-time passcodes use a different code each time the principal proves its identity. Such passwords/codes cannot be exploited by an eavesdropper since they cannot be reused. This is implemented in physical tokens using cryptographic hash functions. As another example, public-key cryptography can be applied to authentication problems [1, 2, 4, 5].
The Kerberos system is described with three parties: (1) a client running on behalf of the principal, (2) a server that needs to verify the principal’s identity, and (3) an authentication server. The authentication protocol can be split into two steps: (1) the authentication request and response, and (2) the application request and response.
Authentication request and response — When looking to authenticate, a client obtains a session key and a ticket from the authentication server by sending its own identity and the server’s identity. The session key is an encryption key. The ticket is a certificate issued by the authentication server, encrypted using the server’s key to prevent the client from tampering with it. It includes the session key, the principal’s name, and an expiration time.
Application request and response — The client then forwards the ticket along with an authenticator to the server for verification. The authenticator, which is encrypted with the session key, contains the current time and a checksum among other things. The verifier can decrypt the ticket to obtain the session key, and then uses that session key to decrypt the authenticator. It then verifies the checksum and timestamp contained in the authenticator.
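The two protocol steps above, as an added worked example that is not part of the paper or this review: a key distribution center seals a ticket under the server’s key, the client seals an authenticator under the session key, and the server performs the checksum, timestamp and expiry checks. The symmetric cipher is a constructed SHA-256 keystream with an HMAC tag (not DES or any real Kerberos encryption type); names such as `kdc_issue` and `server_verify` are assumptions for the example.

```python
import hashlib, hmac, json, os

# Constructed toy authenticated encryption: SHA-256 keystream XOR, then an
# HMAC-SHA256 tag over nonce||ciphertext. Stands in for the paper's DES usage.
def _keystream(key, nonce, n):
    out, i = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
        i += 1
    return out[:n]

def seal(key, obj):
    pt = json.dumps(obj).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("bad key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

# Step 1: authentication response. The KDC shares server_key with the application
# server; the client receives the session key and a ticket it cannot read or alter.
def kdc_issue(server_key, principal, now, lifetime=3600):
    session_key = os.urandom(32)
    ticket = seal(server_key, {"principal": principal, "session_key": session_key.hex(),
                               "expires": now + lifetime})
    return session_key, ticket

# Step 2: application request. The authenticator proves possession of the session
# key and binds the request (checksum) to a fresh timestamp.
def client_authenticator(session_key, principal, request, now):
    return seal(session_key, {"principal": principal, "time": now,
                              "checksum": hashlib.sha256(request).hexdigest()})

# Server side: decrypt the ticket, recover the session key, decrypt the
# authenticator, then check expiry, principal binding, clock skew and checksum.
def server_verify(server_key, ticket, auth, request, now, skew=300):
    t = unseal(server_key, ticket)
    if now > t["expires"]:
        raise ValueError("ticket expired")
    a = unseal(bytes.fromhex(t["session_key"]), auth)
    if a["principal"] != t["principal"]:
        raise ValueError("authenticator does not match ticket principal")
    if abs(now - a["time"]) > skew:
        raise ValueError("authenticator timestamp outside clock-skew window")
    if a["checksum"] != hashlib.sha256(request).hexdigest():
        raise ValueError("request checksum mismatch")
    return t["principal"]
```

A production verifier would also keep a replay cache of recently seen authenticators within the skew window, which this example omits for brevity.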
To provide single sign-on, the complete protocol introduces a ticket granting service. When the user first logs in, the client receives a ticket granting ticket using the two protocol steps described above. The principal uses this ticket to authenticate itself to additional application servers. Instead of entering the password to obtain a ticket from the authentication server, it presents the ticket granting ticket, which is valid for a short duration of time (e.g., a couple of hours).
The Kerberos system is also designed to be distributed across multiple realms, with one authentication server each. Each pair of authentication servers shares a cross-realm key, and uses it to verify ticket granting tickets. However, as this is not scalable, support for multi-hop cross-realm authentication allows ticket granting tickets to be hierarchically verified.
The limitations of Kerberos include vulnerabilities to password guessing attacks and key logging. We can also point out that the DES cipher used in this paper is no longer secure.
The Kerberos system is a distributed authentication system that allows principals to authenticate themselves to multiple application servers over insecure computer networks, while only using a single password.
- W. Diffie and M. E. Hellman. New directions in cryptography. IEEE Transactions on Information Theory, 22(6):644–654, November 1976.
- S. T. Kent. Internet privacy enhanced mail. Communications of the ACM, 36(8):48–60, August 1993.
- R. M. Needham and M. D. Schroeder. Using encryption for authentication in large networks of computers. Communications of the ACM, 21(12):993–999, December 1978.
- R. L. Rivest, A. Shamir, and L. Adleman. A method for obtaining digital signatures and public key cryptosystems. Communications of the ACM, 21(2):120–126, February 1978.
- R. K. Smart. The X.509 extended file system. In Proceedings of the ISOC Symposium on Network and Distributed System Security, February 1994.