ECS401: Cryptography and
Network Security
Module 5: Authentication Protocols
Lecture 43
Outline of the lecture
• Kerberos
• Introduction
• Working of Kerberos
• Step 1: Login
• Step 2: Obtaining a Service Granting Ticket (SGT)
• Step 3: User Contacts Bob for Accessing the Server
Introduction
Many real-life systems use an authentication protocol called Kerberos.
The basis for Kerberos is another protocol, called Needham-Schroeder.
Kerberos was designed at MIT to let workstations access network resources in a secure manner. The name comes from Kerberos (Cerberus), the multi-headed dog of Greek mythology that guards the entrance to the underworld and keeps outsiders away.
Version 4 of Kerberos was the first to be widely deployed. Version 5 (specified in RFC 4120) is the version found in practically all implementations in use today.
The Working of Kerberos
There are four parties involved in the Kerberos protocol:
• Alice: the client workstation.
• Authentication Server (AS): verifies (authenticates) the user during login. The job of the AS is to authenticate every user at login time. The AS shares a unique secret password with every user.
• Ticket Granting Server (TGS): issues tickets to certify proof of identity. The job of the TGS is to certify to the servers in the network that a user is really who he/she claims to be. For proving this, the mechanism of tickets (which allow entry into a server, just as a ticket allows parking a car or entering a music concert) is used.
• Bob: the server offering services such as network printing, file sharing or an application program.
There are three primary steps in the Kerberos protocol.
Step 1: Login
To start with, Alice, the user, sits down at an arbitrary public workstation and enters her name. The workstation sends her name in plain text to the AS, as shown in Figure 1.
Figure 1: Alice sends a login request to the AS
In response, the AS performs several actions. It first creates a package of the user name (Alice) and a randomly generated session key (KS). It encrypts this package with the symmetric key that the AS shares with the Ticket Granting Server (TGS). The output of this step is called the Ticket Granting Ticket (TGT). Note that the TGT can be opened only by the TGS, since only it possesses the corresponding symmetric key for decryption.
The AS then combines the TGT with the session key (KS), and encrypts the two together using a symmetric key derived from the password of Alice (KA). Note that the final output can, therefore, be opened only by Alice. In short, the AS sends back E_KA(KS, TGT), where TGT = E_KTGS(Alice, KS).
After this message is received, Alice's workstation asks her for the password. When Alice enters it, the workstation generates the symmetric key (KA) derived from the password (in the same manner as the AS would have done earlier) and uses that key to extract the session key (KS) and the Ticket Granting Ticket (TGT). If the password is wrong, the derived key is wrong and the package cannot be opened.
The workstation destroys the password of Alice from its memory immediately to prevent an attacker from stealing it. Note that Alice cannot open the TGT, as it is encrypted with the key of the TGS.
Figure: AS sends back the encrypted session key and TGT to Alice
Step 2: Obtaining a Service Granting Ticket (SGT)
Now, let us assume that after a successful login, Alice wants to make use of Bob, the email server, for some email communication.
For this, Alice would inform her workstation that she needs to contact Bob. Therefore, Alice needs a ticket to communicate with Bob.
At this juncture, Alice's workstation creates a message intended for the Ticket Granting Server (TGS), which contains the following items:
• The TGT, as obtained in step 1.
• The id of the server (Bob) whose services Alice is interested in.
• The current time stamp, encrypted with the session key (KS).
This is shown in Figure 2.
Figure 2: Alice sends a request for an SGT to the TGS
As we know, the TGT is encrypted with the secret key of the Ticket Granting Server (TGS). Therefore, only the TGS can open it. Remember that the TGT was created by the AS (only the AS and the TGS know the secret key of the TGS), and that the AS encrypted the TGT and KS together with the key derived from Alice's password. Therefore, only Alice could have opened that package and retrieved KS and the TGT.
Note, however, that the TGT by itself does not prove to the TGS that the message came from Alice: the TGT travels in the clear in this step and could be copied by an eavesdropper. What proves it is the time stamp encrypted with KS. Only a party that recovered KS from the AS package (that is, Alice) can encrypt a fresh time stamp with it, and the TGS, after opening the TGT and recovering the same KS, can verify that time stamp.
Once the TGS is satisfied of the credentials of Alice, the TGS creates a session key KAB, for Alice to have secure communication with Bob. The TGS sends it twice to Alice: once combined with Bob's id (Bob) and encrypted with the session key (KS), that is E_KS(Bob, KAB), and a second time combined with Alice's id (Alice) and encrypted with Bob's secret key (KB), that is E_KB(Alice, KAB). The second copy is the ticket for Bob; Alice cannot read it, but she will forward it to him. This is shown in Figure 3.
Figure 3: TGS sends the response back to Alice
Note that an attacker, Tom, can try to capture the first message of this step sent by Alice and attempt a replay attack.
However, this would fail, because the message from Alice contains the time stamp encrypted with the session key (KS), and the TGS rejects any time stamp that is not fresh (not within its clock-skew tolerance).
Tom cannot replace the time stamp with a current one, because he does not have KS. Even if Tom replays the message quickly enough for the time stamp to still be accepted, all that he will get back is the above message from the TGS, which Tom cannot open, as he has access to neither Bob's secret key (KB) nor the session key (KS). (Practical Kerberos servers additionally keep a short-lived cache of recently seen authenticators, so that an exact replay within the tolerance window is rejected outright.)
Step 3: User Contacts Bob for Accessing the Server
Alice can now send KAB to Bob in order to enter into a session with him. Since this exchange is also desired to be secure, Alice can simply forward KAB encrypted with Bob's secret key (which she had received from the TGS in the previous step) to Bob. This will ensure that only Bob can access KAB. Furthermore, to guard against replay attacks, Alice also sends the time stamp, encrypted with KAB, to Bob. This is shown in Figure 4.
Figure 4: Alice sends KAB securely to Bob
Since only Bob has his secret key, he uses it to first obtain the information (Alice + KAB). From this, he gets the key KAB, which he uses to decrypt the encrypted time stamp value, and checks that it is fresh.
Now how would Alice know whether Bob received KAB correctly or not?
To answer this, Bob now adds 1 to the time stamp sent by Alice, encrypts the result with KAB and sends it back to Alice.
This is shown in Figure 5. Since only Alice and Bob know KAB, Alice can open this packet and verify that the time stamp incremented by Bob was indeed the one she sent to Bob in the first place. Anyone without KAB could neither read the time stamp nor produce the incremented value.
Figure 5: Bob acknowledges the receipt of KAB
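The three steps above (login, obtaining the SGT, contacting Bob), together with the replay check of Step 2 and Bob's time stamp + 1 acknowledgement, as a runnable simulation. This is an added example, not code from the lecture. The symmetric cipher the slides leave unspecified is replaced here by a small encrypt-then-MAC construction built from HMAC-SHA256 (a teaching stand-in, not for production use); the tolerance window, the password, the party names and the integer time stamps are constructed for the demo.

```python
"""Toy simulation of the three Kerberos steps in this lecture.

Added example, not part of the slides. Encryption is a small encrypt-then-MAC
construction built from HMAC-SHA256 (a stand-in for the symmetric cipher the
slides leave unspecified; not for production use). Party and key names
(AS, TGS, Bob, KA, KS, KAB, KB) follow the slides; time stamps are
hypothetical integers (seconds) supplied by the caller.
"""
import hashlib
import hmac
import json
import os

TOLERANCE = 300  # seconds of clock skew a server tolerates (assumed value)

def _keystream(key, nonce, n):
    """HMAC-in-counter-mode keystream of n bytes."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def encrypt(key, obj):
    """JSON-encode obj, XOR it with the keystream, append an HMAC tag."""
    pt = json.dumps(obj).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt(key, blob):
    """Return the object, or raise ValueError if the tag (hence the key) is wrong."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def derive_user_key(password, user):
    """KA: the AS and Alice's workstation both derive it from her password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), user.encode(), 100_000)

# Long-term secrets, constructed for the demo.
K_TGS = os.urandom(32)                                        # shared by AS and TGS
K_BOB = os.urandom(32)                                        # shared by TGS and Bob
AS_DB = {"Alice": derive_user_key("correct horse", "Alice")}  # AS password table

def as_login(user):
    """Step 1: TGT = E_KTGS(user, KS); the reply is E_KA(KS, TGT)."""
    ks = os.urandom(32).hex()
    tgt = encrypt(K_TGS, {"user": user, "ks": ks}).hex()
    return encrypt(AS_DB[user], {"ks": ks, "tgt": tgt})

def tgs_issue(request, now):
    """Step 2: open the TGT with K_TGS, check the KS-encrypted time stamp,
    and return KAB twice: E_KS(server, KAB) and E_KB(user, KAB)."""
    tgt = decrypt(K_TGS, bytes.fromhex(request["tgt"]))
    ks = bytes.fromhex(tgt["ks"])
    auth = decrypt(ks, request["auth"])  # only a holder of KS can have built this
    if abs(now - auth["ts"]) > TOLERANCE:
        raise ValueError("stale time stamp: replay?")
    kab = os.urandom(32).hex()
    return {"for_alice": encrypt(ks, {"server": request["server"], "kab": kab}),
            "for_bob": encrypt(K_BOB, {"user": tgt["user"], "kab": kab})}

def bob_accept(ticket, auth, now):
    """Step 3: Bob opens the ticket with KB, checks the KAB-encrypted time
    stamp, and acknowledges with E_KAB(ts + 1)."""
    kab = bytes.fromhex(decrypt(K_BOB, ticket)["kab"])
    ts = decrypt(kab, auth)["ts"]
    if abs(now - ts) > TOLERANCE:
        raise ValueError("stale time stamp: replay?")
    return encrypt(kab, {"ts": ts + 1})

def run_session(password, now):
    """Alice's workstation drives all three steps and verifies Bob's ack."""
    ka = derive_user_key(password, "Alice")
    reply = decrypt(ka, as_login("Alice"))  # raises ValueError on a wrong password
    del ka, password                         # the workstation forgets the password
    ks, tgt = bytes.fromhex(reply["ks"]), reply["tgt"]
    request = {"tgt": tgt, "server": "Bob", "auth": encrypt(ks, {"ts": now})}
    grant = tgs_issue(request, now)
    kab = bytes.fromhex(decrypt(ks, grant["for_alice"])["kab"])
    ack = bob_accept(grant["for_bob"], encrypt(kab, {"ts": now}), now)
    return {"kab": kab.hex(),
            "ack_ok": decrypt(kab, ack)["ts"] == now + 1,
            "tgs_request": request}

def replay_is_rejected(request, later):
    """Tom replays Alice's captured Step 2 message at time `later`."""
    try:
        tgs_issue(request, later)
    except ValueError:
        return True
    return False
```

Running `run_session("correct horse", now)` walks all three steps and reports whether Bob's incremented time stamp came back correctly. A replay of the captured Step 2 message after the tolerance window is refused by `tgs_issue`; a replay inside the window is answered, as the slides note, but the reply is encrypted under KS and KB, which the attacker lacks, so `decrypt` with any other key raises.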
Now, Alice and Bob can communicate securely with each other. They would use the shared secret key KAB to encrypt messages before sending, and also to decrypt the encrypted messages received from each other.
An interesting point here is that if Alice now wants to communicate with another server, say Carol, she simply needs to obtain another shared key from the TGS, only now specifying Carol instead of Bob in her message. The TGS will do the needful, as explained earlier. The outcome is that Alice can now access all the resources of the network in a similar manner, each time obtaining a unique ticket (secret key) from the TGS to communicate with a different resource.
Of course, if Alice wants to continue communicating with Bob alone, she need not obtain a new ticket every time (until the ticket's lifetime expires). Only the first time that she wants to communicate with a server does she need to contact the TGS and obtain a ticket. Also, Alice's password never leaves her workstation, adding to the security.
Since Alice needs to authenticate, or sign on, only once, this mechanism is called Single Sign On (SSO).
Alice need not prove her identity to every resource in the network individually. She authenticates herself only once, to the central AS. That is good enough for all the other servers/network resources to be convinced of Alice's identity.
Clearly, not every server in the world would trust a single AS and TGS. Therefore, the designers of Kerberos provide support for multiple realms, each having its own AS and TGS.
SSO is a very important concept for corporate networks, because they grow over a period of time, with multiple authentication mechanisms and diverse implementations. These can be consolidated into a single, uniform authentication mechanism using SSO.
In fact, Microsoft's Passport technology on the Internet is also based on this philosophy.
Microsoft Windows (from Windows 2000 onwards, through Active Directory; Windows NT itself used the older NTLM scheme) also uses the Kerberos mechanism heavily. This is why, once you log on to a Windows workstation in such a domain, you can access your email and other resources without requiring explicit logons, as long as the correct mappings are done by the system administrator.