StudentShare

Net Work Security: Kerberos and Key Management - Essay Example

Summary
The "Kerberos and Key Management" paper focuses on Kerberos, one of the first widely used authentication protocols and one that also has the delegation property. It was conceived around the three pillars of security, authentication, authorization and auditing, although only authentication is implemented in the protocol itself…

Extract of sample "Net Work Security: Kerberos and Key Management"

Topic: Kerberos and Key Management
5 April 2008

Kerberos takes its name from the three-headed dog of Greek mythology that guards the gates of the underworld. In this paper, Kerberos is the network authentication protocol developed at MIT. Windows 2000 and later domains use it as their default authentication protocol. The three heads were meant to stand for authentication, access control (authorization) and auditing, but only the authentication part was ever implemented and is what products ship today; access control and auditing are left to the application and the operating system. Kerberos can also provide per-message authentication, integrity and confidentiality for the traffic that follows. In short, Kerberos involves two parties that want to use each other's services and a trusted third party that mediates between them. It was developed at MIT for a campus network in which users on shared workstations had no way to reach services across the network securely.

What is a time stamp?
A time stamp is the recorded time at which an event occurred, as read from a computer's clock. The Network Time Protocol (NTP) keeps the clocks of networked computers synchronized to within a fraction of a second, so that machines can compare time stamps with one another when they handle requests. Time stamps are used wherever ordering matters: assigning a sequence to events so that a failed transaction can be voided, or recording when a command was executed. IP telephony, for example, uses the Real-time Transport Protocol (RTP), which assigns sequential time stamps to voice packets so that the receiver can buffer, reorder and play them out without error.
Almost every program has access to a time-stamp interface that the operating system provides during execution.

How time stamps work
Before any time stamp is checked, the KDC verifies the user name and password against its database (in Windows the KDC database is Active Directory) and issues a ticket-granting ticket (TGT) to the client. The client then builds an authenticator containing its own name and the current time stamp, encrypted with the session key that was delivered alongside the ticket (Kerberos uses shared secret keys for this step, not certificates or public keys). Because Kerberos relies on the time stamp for its security, the time stamp must be encrypted; a plaintext time stamp could simply be forged. When the server (machine B) receives the ticket and authenticator, it decrypts the time stamp and compares it with its own clock. If the difference lies within the allowed window, the authentication succeeds; in Windows this window is called the maximum tolerable clock skew. The server also compares the time stamp with those of authenticators it has recently accepted; a duplicate indicates a replay and the authentication is denied. If a client's clock is outside the window, the KDC returns a skew error that carries its own time, and a Windows client adjusts the time it uses for Kerberos accordingly (only the time stamp placed in the ticket is corrected, not the client's system clock); if the difference cannot be reconciled, authentication fails. The server then returns a reply encrypted with the session key, which proves its identity to the client, and the client is authorized. In Windows and Active Directory the default skew is 5 minutes, so the clocks of domain members and domain controllers must agree to within five minutes for Kerberos to work comfortably.

Why use time stamps
They reduce the number of messages needed for authentication.
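The skew and replay checks described above, as an added example written for this page (not code from the essay). It assumes a simplified replay cache keyed on (client, time stamp); MIT krb5 keys its cache on more fields (server, microseconds and a hash of the authenticator). The principals and the sequence of authenticators are constructed.

```python
"""Authenticator time-stamp check with a clock-skew window and a replay cache.

Added example, not code from the essay. Models what a Kerberized server does with
the authenticator in an AP_REQ after decrypting it with the session key: the time
stamp must lie within the permitted skew (5 minutes by default in Windows and MIT
Kerberos) and the same authenticator must not have been accepted before. The
(client, time stamp) cache key is a simplification (assumption); the principals and
events are constructed.
"""
import time

MAX_SKEW = 300  # seconds; the default maximum tolerance for clock synchronization


class ReplayCache:
    """Remembers accepted authenticators until they could no longer pass the skew check."""

    def __init__(self, skew=MAX_SKEW):
        self.skew = skew
        self._seen = {}  # (client, timestamp) -> moment after which the entry is useless

    def _expire(self, now):
        # An entry only needs to live while its time stamp is still inside the window.
        for key in [k for k, deadline in self._seen.items() if deadline <= now]:
            del self._seen[key]

    def check(self, client, timestamp, now=None):
        """Return (accepted, reason) for one decrypted authenticator."""
        now = time.time() if now is None else now
        self._expire(now)
        if abs(timestamp - now) > self.skew:
            # Too old or too far in the future: the client's clock is off, or this is
            # a stale replay. Servers answer KRB_AP_ERR_SKEW here.
            return False, "KRB_AP_ERR_SKEW"
        key = (client, timestamp)
        if key in self._seen:
            return False, "KRB_AP_ERR_REPEAT"
        # Remember it until the window closes; after that the skew check rejects it anyway.
        self._seen[key] = timestamp + self.skew
        return True, "OK"


# Constructed sequence of authenticators arriving at one server; "now" is fixed
# so that the run is deterministic.
NOW = 1_207_396_800  # 2008-04-05 12:00:00 UTC, the date of the essay
EVENTS = [
    ("alice@EXAMPLE.COM", NOW - 3),    # fresh, 3 s old: accepted
    ("alice@EXAMPLE.COM", NOW - 3),    # sniffed and resent: replay
    ("bob@EXAMPLE.COM", NOW - 600),    # 10 minutes old: outside the skew window
    ("bob@EXAMPLE.COM", NOW + 400),    # client clock nearly 7 minutes fast: also rejected
    ("alice@EXAMPLE.COM", NOW + 120),  # a new authenticator from alice: accepted
]


def run(events, now=NOW):
    cache = ReplayCache()
    return [cache.check(client, ts, now) for client, ts in events]


if __name__ == "__main__":
    for (client, ts), (ok, why) in zip(EVENTS, run(EVENTS)):
        print(f"{client:20} ts={ts - NOW:+5d}s -> {'accept' if ok else 'reject'} ({why})")
```

The cache entry expires exactly when the skew window closes: a replay inside the window is caught by the cache, a replay after it by the skew check, so neither check alone is enough.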
Using a time stamp in Kerberos removes one message from the protocol, or two if mutual authentication is not required. This matters most when round-trip latency is high. Used as a nonce, the time stamp also allows one-way authentication when the client only sends to the server and does not wait for a reply.

Risks associated with time stamps
To reach a service the user must first authenticate and obtain credentials from which it builds an authenticator containing its identity and a time stamp. The server checks the time stamp against its current time and rejects it if it is outside the allowed window, so Kerberos only works if the clocks are synchronized. Loosely synchronized clocks open a window in which an authenticator can be replayed: a listener on the network captures the enciphered message and resends it to the service before the window closes, causing trouble for both server and client. This also means that an intruder can have the message before the legitimate user's request is processed. A second issue is that Kerberos depends on a central time source, normally on the server side; if that time server fails and clocks drift apart, every application and process that depends on Kerberos is affected.

Introduction to session keys
The Windows registry is a database holding substantial information about the computer and its users: hardware, the operating system, user accounts, installed applications, desktop settings and customization preferences. It is organized as a tree; each node is a key, and a key can hold values and further keys called subkeys. Key names consist of printable characters and may not contain backslashes or wildcards.
The registry also holds information about OLE servers, enough for the system to locate and start each one. If an OLE control is not registered, it can register itself on first use, provided its DLL can be found along the DLL search path. The licenses OLE uses are stored in the registry under specific GUIDs. Visual Basic 4 performs all of this registration automatically, and the information is not meant to be edited by hand. Running RacMgr32, the Remote Automation Connection Manager that ships with the VB4 Enterprise Edition, adds keys for the RPC protocol, the remote machine name and the RPC authentication level; it creates a LocalServer32 key pointing at the remote automation proxy on the local machine, which in turn talks to the AutMgr utility on the remote machine. The RacReg OLE Automation server changes this information programmatically, and the RegConnectRegistry function connects to a remote machine's registry and reads from it.

The three heads of Kerberos
The three parties are the Key Distribution Center (KDC), the client (machine A) and the server (machine B). The KDC provides two services: the Authentication Service (AS) and the Ticket Granting Service (TGS). For A to reach B there are three exchanges:
1. Authentication Service exchange.
2. Ticket Granting Service exchange.
3. Client/server exchange.

1. Authentication Service exchange
When a user logs on to machine A they provide a user name and password, which the AS part of the KDC verifies; the KDC holds the details of every user. Once the KDC accepts the user as valid and authentic, it issues a ticket-granting ticket (TGT) that is valid for the local domain.
In Windows the TGT has a default lifetime of 10 hours and can be renewed while the user is still logged on without asking for the password again.

How it works: in its simplest form the client identifies itself to the KDC in plain text. With pre-authentication, the client also sends a time stamp encrypted with a key derived from the user's password hash; when the KDC decrypts it and finds the time valid, it knows the message is not a replay of an earlier request and that the sender knows the password. Pre-authentication can be turned off for principals whose clients do not support it, at the cost of weaker protection.

When the KDC accepts the client's request it replies with an AS reply containing the TGT, encrypted with a key that only the KDC can decrypt (the key of the krbtgt account), and a session key for subsequent communication with the TGS, encrypted with the user's key. The client later presents the TGT to the TGS to obtain tickets. The messages are:
AS_REQ: the initial user authentication request, directed to the AS in the KDC.
AS_REP: the reply of the Authentication Server to that request. It carries the TGT and the session key.

2. Ticket Granting Service exchange
When the client presents its TGT to the TGS part of the KDC, the TGS knows which service is being asked for. It decrypts the TGT with its own key, validates it, and creates a service ticket together with a new session key shared between the client and the target server. The client caches this service ticket. The client uses the TGS session key it received in the AS reply to build the authenticator that accompanies the TGT and to decrypt the TGS reply. It then contacts the target server in the client/server exchange. The messages are:
TGS_REQ: the request to the TGS for a service ticket.
It contains the TGT and an authenticator generated by the client and encrypted with the TGS session key.
TGS_REP: the reply from the Ticket Granting Server. It contains the requested service ticket, encrypted with the secret key of the service, and a service session key generated by the TGS and encrypted with the TGS session key.

3. Client/server exchange
With the service ticket in hand, the client opens a session with the server's service. The server decrypts the incoming ticket with the long-term key it shares with the KDC; the ticket authenticates the client and establishes a service session between client and server. When the ticket's lifetime expires (ten hours by default) it has to be renewed or replaced. The messages are:
AP_REQ: the request a client sends to a server to use its service. It contains the service ticket and an authenticator generated by the client and encrypted with the service session key.
AP_REP: the reply the application server sends to the client to prove that it really is the server the client expects.

So a TGT and a service ticket are needed to reach services on remote computers and on the local system alike. Once the logon window has been answered and the password entered, the rest happens in the background. An access token is then created for the user, attached to the user's logon session and inherited by every process the user starts. (The diagrams the paper refers to at this point are not included in this extract.)

Tickets
Tickets are what clients present to an application server to prove their identity. They are issued by the KDC and encrypted with the secret key of the service they are for, so only that service can read them; the client cannot see the contents of the ticket it carries.
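The three exchanges described above (AS, TGS and client/server, with AP_REP providing the mutual authentication), as an added example written for this page and not code from the essay. Each ticket is sealed under the key of the service it is for, as the Tickets paragraph says, so the client carries it without being able to read it. The cipher is a stand-in built from HMAC-SHA256 rather than a real Kerberos encryption type, messages are JSON rather than ASN.1, and the realm, principals and password are invented; these are assumptions of the example, not facts about the protocol.

```python
"""Toy run of the three Kerberos exchanges (AS, TGS, AP) with mutual authentication.

Added example, not code from the essay. KDC, client and server live in one
process so both sides of every message are visible. Assumptions: the cipher is a
stand-in built from HMAC-SHA256 (keystream plus tag), not a real Kerberos
enctype; messages are JSON rather than ASN.1; realm, principals and password are
invented. Ticket lifetime 10 hours and skew 5 minutes follow the Windows defaults.
"""
import hashlib, hmac, json, os, time

SKEW, LIFETIME = 300, 10 * 3600

def _stream(key, nonce, n):  # HMAC-based keystream for the toy cipher
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def seal(key, obj):
    """Encrypt-then-MAC a JSON-serialisable object under a 32-byte key."""
    pt, nonce = json.dumps(obj, sort_keys=True).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

def string_to_key(password, salt):  # PBKDF2 stands in for the real string2key function
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 4096, 32)

def _fresh(auth, ticket):  # authenticator names the ticket's client and is inside the skew window
    return auth["client"] == ticket["client"] and abs(auth["timestamp"] - time.time()) <= SKEW

class KDC:
    def __init__(self, realm, keys):
        self.realm, self.keys = realm, dict(keys)  # principal -> long-term key (the AD/KDC database)
        self.krbtgt = os.urandom(32)  # key of krbtgt/REALM; every TGT is sealed with it

    def as_exchange(self, client, preauth):  # AS_REQ -> AS_REP
        # PA-ENC-TIMESTAMP: a wrong password makes unseal raise (KDC_ERR_PREAUTH_FAILED)
        ts = unseal(self.keys[client], preauth)["timestamp"]
        if abs(ts - time.time()) > SKEW:
            raise PermissionError("KRB_AP_ERR_SKEW")
        sk, end = os.urandom(32).hex(), time.time() + LIFETIME
        tgt = seal(self.krbtgt, {"client": client, "service": "krbtgt/" + self.realm, "key": sk, "endtime": end})
        return tgt, seal(self.keys[client], {"key": sk, "endtime": end})  # only the user can read the session key

    def tgs_exchange(self, tgt_blob, authenticator, service):  # TGS_REQ -> TGS_REP
        tgt = unseal(self.krbtgt, tgt_blob)
        if time.time() > tgt["endtime"]:
            raise PermissionError("KRB_AP_ERR_TKT_EXPIRED")
        if not _fresh(unseal(bytes.fromhex(tgt["key"]), authenticator), tgt):
            raise PermissionError("KRB_AP_ERR_BADMATCH")
        if service not in self.keys:
            raise LookupError("KDC_ERR_S_PRINCIPAL_UNKNOWN")
        ssk = os.urandom(32).hex()
        ticket = seal(self.keys[service], {"client": tgt["client"], "service": service, "key": ssk, "endtime": time.time() + LIFETIME})
        return ticket, seal(bytes.fromhex(tgt["key"]), {"service": service, "key": ssk})

def logon(kdc, client, password):
    """Client side of the AS exchange: returns the credential-cache entry for the TGT."""
    k = string_to_key(password, kdc.realm + client)
    tgt, enc = kdc.as_exchange(client, seal(k, {"timestamp": time.time()}))
    return {"tgt": tgt, "key": bytes.fromhex(unseal(k, enc)["key"])}

def get_service_ticket(kdc, creds, client, service):
    """Client side of the TGS exchange: returns (service ticket, service session key)."""
    auth = seal(creds["key"], {"client": client, "timestamp": time.time()})
    ticket, enc = kdc.tgs_exchange(creds["tgt"], auth, service)
    return ticket, bytes.fromhex(unseal(creds["key"], enc)["key"])

def ap_exchange(client, ticket, ssk, service_key):
    """AP_REQ / AP_REP: the server checks ticket and authenticator, then proves itself."""
    ts = time.time()
    ap_req = (ticket, seal(ssk, {"client": client, "timestamp": ts}))
    # server (machine B): only it holds service_key, so only it can open the ticket
    tkt = unseal(service_key, ap_req[0])
    key = bytes.fromhex(tkt["key"])
    if time.time() > tkt["endtime"] or not _fresh(unseal(key, ap_req[1]), tkt):
        raise PermissionError("AP_REQ rejected")
    ap_rep = seal(key, {"timestamp": ts})  # the client's time stamp, back under the session key
    # client (machine A): a matching AP_REP proves the server could read the ticket
    return unseal(ssk, ap_rep)["timestamp"] == ts

def demo(password="correct horse battery staple"):
    realm, svc = "EXAMPLE.COM", "host/fileserver.example.com"
    keys = {"alice": string_to_key(password, realm + "alice"), svc: os.urandom(32)}
    kdc = KDC(realm, keys)
    ticket, ssk = get_service_ticket(kdc, logon(kdc, "alice", password), "alice", svc)
    return ap_exchange("alice", ticket, ssk, keys[svc])

if __name__ == "__main__":
    print("mutual authentication succeeded:", demo())
```

The password never leaves the client: it is only used to derive the key that seals the pre-authentication time stamp and opens the AS reply, and every later step uses a session key the KDC generated. A wrong password, a tampered TGT and a service the KDC does not know each fail at a different point of the exchange.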
A ticket normally contains the following information:
1. The user (client principal) name
2. The service principal name
3. The IP address of the client machine
4. The ticket's validity period (start and end time)
5. The ticket's maximum renewable lifetime
6. The session key

There are several kinds of tickets:
Renewable tickets. A ticket can be returned to the KDC for renewal, but only if it has not yet expired and its renewal limit has not been reached. This exists for jobs that run longer than a single ticket lifetime.
Initial tickets. A ticket obtained directly from the AS, with the user's password, is marked as initial. Service tickets issued by the TGS are not initial, but a service may insist on an initial ticket for sensitive operations, which forces the user to authenticate afresh.
Forwardable tickets. When the TGT obtained on one machine is to be used from another machine, a forwardable ticket is needed.

Why different session keys
Every principal has a long-term key: for a user it is derived from the password, for a service it is set by the administrator. These are called long-term keys because they do not change from one session to the next. When a user wants to communicate privately with a service, the KDC (the mediator) issues a session key. A fresh session key is issued for every session so that the user and the service can each prove to the other that it holds the key, and so that the compromise of one session key exposes no other session. The session key is bound to what the user asked for and what the server provides, and it protects the frequent communication between the two.

Mutual authentication process
The client (machine A) creates a challenge made of random numbers and sends it to the server (machine B), which computes a response to it.
The server returns that response together with a challenge of its own (more random numbers) to the client (machine A). The client checks the server's response and sends back its own response to the challenge it received. The server verifies that response and, if everything checks out, tells the client that the two are mutually authenticated. In Kerberos this is the AP_REQ/AP_REP pair: the server proves possession of the session key by returning the client's authenticator time stamp encrypted under it.

Protocol transition and constrained delegation
Windows Server 2003 added two Kerberos extensions that Windows 2000 did not have: protocol transition and constrained delegation. Protocol transition (S4U2Self) allows a service that uses Kerberos to obtain a Kerberos service ticket to itself on behalf of a principal without that principal first authenticating to the KDC with any kind of credential. Constrained delegation (S4U2Proxy) allows a service that has been presented with a service ticket for a user, obtained either through an ordinary TGS_REQ or through protocol transition, to obtain service tickets under that user's identity only for a configured subset of other services. Constrained delegation is best explained by a limitation of Windows 2000: its KDC could not limit the services to which a principal's identity could be delegated, nor restrict a service account trusted for delegation to a specific subset of target services. With constrained delegation, service accounts are configured so that they can delegate only to specific service accounts.
Definitions
Authentication Server (AS): the part of the KDC that replies to initial authentication requests from a client (machine A), in which the user presents a user name and password. If the request is accepted the AS issues a TGT, the user's entry ticket to everything else within its lifetime without entering the password again.
Ticket Granting Server (TGS): the part of the KDC that issues service tickets to users holding a valid TGT. It is itself an application server whose service is issuing tickets. The difference between the two is therefore that the AS issues the TGT, which is later presented to the TGS to obtain tickets for the wanted services. Both communicate with the client through tickets and encrypted replies, and access is granted only when both steps succeed.

Kerberos in a mixed environment
The administrative unit is called a domain in Windows and a realm in UNIX Kerberos. A user belongs to one realm, just as a Windows user belongs to a domain; a realm consists of a KDC and all the services and applications that use Kerberos, known as kerberized applications. UNIX clients can be configured to obtain Kerberos tickets from a Windows domain controller by pointing their realm configuration at the Windows KDC and running kinit; the tickets are stored in a credential cache. After this configuration, users from the UNIX realm and the Windows domain can reach the same resources. Account mapping supplies the Windows server with the access control and authentication information it needs for users coming from the Kerberos realm.

Shortcomings of Kerberos
Every advantage comes with a disadvantage.
The security Kerberos was designed to provide is limited by the following shortcomings:
1. It does not address denial-of-service attacks. An intruder can prevent an application from completing the authentication steps; detecting and dealing with this is left to users and administrators.
2. Principals must keep their secret keys secret. An intruder who obtains a principal's key can use it to impersonate that principal to other services.
3. Kerberos does not prevent password guessing. When a user chooses a poor password, an attacker can capture the encrypted pre-authentication data or the AS reply and mount an off-line dictionary attack against it.

Kerberos is a network authentication protocol. It authenticates client/server applications with secret-key cryptography, because most traffic on networks such as the Internet is not otherwise protected and can be read by sniffers tapping the wire. Kerberos lets users keep their privacy and lets servers serve users without assuming that somebody is watching from outside. Security measures such as firewalls keep outside intruders out but do nothing about intruders who are already inside, and they restrict users' access to the Internet. Kerberos was developed to address problems that perimeter defenses such as firewalls leave open. It uses keys derived from passwords without ever sending the password itself, lets users work over unsecured networks without friction, and can also encrypt and integrity-protect the data exchanged after authentication. In that sense Kerberos is an answer to the problems of network security.
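Shortcoming 3 above (an off-line dictionary attack against a poor password), as an added example written for this page and not code from the essay. PBKDF2 and HMAC-SHA256 stand in for the real Kerberos string-to-key function and encryption type; the user, realm, salt, captured blob and wordlist are constructed.

```python
"""Off-line dictionary attack against captured Kerberos pre-authentication data.

Added example, not code from the essay. Models shortcoming 3: the PA-ENC-TIMESTAMP
a client sends in AS_REQ (like the AS_REP the KDC returns) is protected only by a
key derived from the user's password, so anyone who captures it can test candidate
passwords off-line without ever contacting the KDC. Assumptions: PBKDF2-SHA256 and
HMAC-SHA256 stand in for the real string2key function and enctype; the user,
realm, captured blob and wordlist are constructed.
"""
import hashlib, hmac, struct

ITERATIONS = 4096  # cost per guess depends on the enctype (AES uses 4096 rounds; RC4 far less)


def string_to_key(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), ITERATIONS, 32)


def encrypt_timestamp(password, salt, timestamp):
    """What the client sends: the time stamp plus a tag under the password-derived key."""
    key = string_to_key(password, salt)
    data = struct.pack(">Q", timestamp)
    return data + hmac.new(key, data, hashlib.sha256).digest()


def crack(captured, salt, wordlist):
    """Return the password that explains the captured blob, or None. No KDC involved."""
    data, tag = captured[:8], captured[8:]
    for candidate in wordlist:
        key = string_to_key(candidate, salt)
        if hmac.compare_digest(tag, hmac.new(key, data, hashlib.sha256).digest()):
            return candidate
    return None


# Constructed: a short wordlist of the kind of passwords a weak policy lets through.
WORDLIST = ["password", "Password1", "Welcome1", "letmein", "Spring2008", "qwerty123"]
SALT = "EXAMPLE.COMalice"  # Kerberos salts with realm name plus principal name by default
CAPTURED_AT = 1_207_396_800  # 2008-04-05 12:00 UTC, time stamp inside the sniffed AS_REQ


def demo():
    weak = encrypt_timestamp("Spring2008", SALT, CAPTURED_AT)        # sniffed from a weak-password user
    strong = encrypt_timestamp("mQ7#vL2!kP9zTb", SALT, CAPTURED_AT)  # same user with a strong password
    return crack(weak, SALT, WORDLIST), crack(strong, SALT, WORDLIST)


if __name__ == "__main__":
    print(demo())  # ('Spring2008', None)
```

Pre-authentication does not close this hole; it only means the attacker has to sniff the exchange rather than ask the KDC for the material. The defenses are strong passwords, AES encryption types with their high iteration count rather than RC4, and FAST armoring or smart-card logon, which take the password out of the exchange altogether.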
It provides the means for both users and servers to work under favorable conditions. Application security benefits because the identity of the user who accessed a given file is known; this can also be used for accountability within an organization, for example how often a user reaches a service and what that implies for the service.

Conclusion
Kerberos is among the first widely used authentication protocols and also has the delegation property. It was conceived to support the three pillars of security, authentication, authorization and auditing, although only authentication is implemented in the protocol itself. Kerberos is the authentication protocol of Windows Server 2003, among other systems, and many applications can use it. It supports constrained delegation and mutual authentication, which give designers flexibility and security because applications can choose among authentication mechanisms. Constrained delegation keeps a service's reach limited to the targets it is allowed to delegate to, and protocol transition spares repeated requests for access to specific areas. Kerberos therefore rests on a partnership of several components: DNS, the KDC, Active Directory and PKI. That dependency is also its weakness: each component can be compromised in its own way, and a failure in one makes Kerberos fall short of its promise.
