USC/ISI Technical Report number ISI/RS-94-399

Kerberos: An Authentication
Service for Computer Networks

B. Clifford Neuman and Theodore Ts'o

Authentication, Integrity, Confidentiality, and Authorization

Because these differences affect performance, it is important to understand the requirements of an application when choosing a method. For example, authentication for electronic mail may require support for multiple recipients and non-repudiation, but can tolerate greater latency. In contrast, poor performance would cause problems for authentication to a server responding to frequent queries.

Other security services include confidentiality and authorization. Confidentiality is the protection of information from disclosure to those not intended to receive it. Most strong authentication methods optionally provide confidentiality. Authorization is the process by which one determines whether a principal is allowed to perform an operation. Authorization is usually performed after the principal has been authenticated, and may be based on information local to the verifier, or based on authenticated statements by others.

The remainder of this article will concentrate on authentication for real-time, interactive services that are offered on computer networks. We use the term real-time loosely to mean that a client process is waiting for a response to a query or command so that it can display the results to the user, or otherwise continue performing its intended function. This class of services includes remote login, file system reads and writes, and information retrieval for applications like Mosaic.

Why Kerberos

While more convenient for the user, authentication by assertion hardly qualifies as authentication at all. Examples include the Berkeley R-command suite and the IDENT protocol. With authentication by assertion, applications assert the identity of the user and the server believes it. Such authentication is easily thwarted by modifying the application. This may require privileged access to the system, which is easily obtained on PCs and personal workstations. While most uses of authentication by assertion require that a connection originate from a ``trusted'' network address, on many networks, addresses are themselves simply assertions.

Stronger authentication methods base on cryptography are required. When using authentication based on crytography, an attacker listening to the network gains no information that would enable it to falsely claim another's identity. Kerberos is the most commonly used example of this type of authentication technology. Unfortunately, strong authentication technologies are not used as often as they should be, although the situation is gradually improving.

The Kerberos Authentication Service

Limitations of Kerberos

To be useful, Kerberos must be integrated with other parts of the system. It does not protect all messages sent between two computers; it only protects the messages from software that has been written or modified to use it. While it may be used to exchange encryption keys when establishing link encryption and network level security services, this would require changes to the network software of the hosts involved.

Kerberos does not itself provide authorization, but V5 Kerberos passes authorization information generated by other services. In this manner, Kerberos can be used as a base for building separate distributed authorization services [14].

How Kerberos works

The remainder of this section describes the Kerberos protocol. The description is simplified for clarity; additional fields are present in the actual protocol. Readers should consult RFC 1510 [10] for a more thorough description of the Kerberos protocol.

Kerberos Encryption

Encryption in the present implementation of Kerberos uses the data encryption standard (DES). It is a property of DES that if ciphertext (encrypted data) is decrypted with the same key used to encrypt it, the plaintext (original data) appears. If different encryption keys are used for encryption and decryption, or if the ciphertext is modified, the result will be unintelligible, and the checksum in the Kerberos message will not match the data. This combination of encryption and the checksum provides integrity and confidentiality for encrypted Kerberos messages.

The Kerberos Ticket

The Kerberos ticket is a certificate issued by an authentication server, encrypted using the server key. Among other information, the ticket contains the random session key that will be used for authentication of the principal to the verifier, the name of the principal to whom the session key was issued, and an expiration time after which the session key is no longer valid. The ticket is not sent directly to the verifier, but is instead sent to the client who forwards it to the verifier as part of the application request. Because the ticket is encrypted in the server key, known only by the authentication server and intended verifier, it is not possible for the client to modify the ticket without detection.

Application request and response

Figure 1: Basic Kerberos authentication protocol (simplified)

Upon receipt of the application request, the verifier decrypts the ticket, extracts the session key, and uses the session key to decrypt the authenticator. If the same key was used to encrypt the authenticator as used to decrypt it, the checksum will match and the verifier can assume the authenticator was generated by the principal named in the ticket and to whom the session key was issued. This is not by itself sufficient for authentication since an attacker can intercept an authenticator and replay it later to impersonate the user. For this reason the verifier additionally checks the timestamp to make sure that the authenticator is fresh. If the timestamp is within a specified window (typically 5 minutes) centered around the current time on the verifier, and if the timestamp has not been seen on other requests within that window, the verifier accepts the request as authentic. A discussion of the benefits and drawbacks to the use of timestamps in authentication protocols can be found in [15].

At this point the identity of the client has been verified by the server. For some applications the client also wants to be sure of the server's identity. If such mutual authentication is required, the server generates an application response by extracting the client's time from the authenticator, and returns it to the client together with other information, all encrypted using the session key.

Authentication request and response

In its response, the authentication server returns the session key, the assigned expiration time, the random number from the request, the name of the verifier, and other information from the ticket, all encrypted with the user's password registered with the authentication server, together with a ticket containing similar information, and which is to be forwarded to the verifier as part of the application request. Together, the authentication request and response and the application request and response comprise the basic Kerberos authentication protocol.

Obtaining additional tickets

The ticket granting exchange of the Kerberos protocol allows a user to obtain tickets and encryption keys using such short-lived credentials, without re-entry of the user's password. When the user first logs in, an authentication request is issued and a ticket and session key for the ticket granting service is returned by the authentication server. This ticket, called a ticket granting ticket, has a relatively short life (typically on the order of 8 hours). The response is decrypted, the ticket and session key saved, and the user's password forgotten.

Subsequently, when the user wishes to prove its identity to a new verifier, a new ticket is requested from the authentication server using the ticket granting exchange. The ticket granting exchange is identical to the authentication exchange except that the ticket granting request has embedded within it an application request, authenticating the client to the authentication server, and the ticket granting response is encrypted using the session key from the ticket granting ticket, rather than the user's password.

Figure 2 shows the complete Kerberos authentication protocol. Messages 1 and 2 are used only when the user first logs in to the system, messages 3 and 4 whenever a user authenticates to a new verifier, and message 5 is used each time the user authenticates itself. Message 6 is optional and used only when the user requires mutual-authentication by the verifier.

Figure 2: Complete Kerberos Authentication Protocol (simplified)

Protecting application data

As described so far, Kerberos provides only authentication: assurance that the authenticated principal is an active participant in an exchange. A by-product of the Kerberos authentication protocol is the exchange of the session key between the client and the server. The session key may subsequently be used by the application to protect the integrity and privacy of communications. The Kerberos system defines two message types, the safe message and the private message to encapsulate data that must be protected, but the application is free to use a method better suited to the particular data that is transmitted.

Additional Features

Kerberos Infrastructure and Cross-Realm Authentication

To prove its identity to a server in a remote realm, a Kerberos principal obtains a ticket granting ticket for the remote realm from its local authentication server. This requires the principals's local authentication server to share a cross-realm key with the verifier's authentication server. The principal next uses the ticket granting exchange to request a ticket for the verifier from the verifier's authentication server, which detects that the ticket granting ticket was issued in a foreign realm, looks up the cross-realm key, verifies the validity of ticket granting ticket, and issues a ticket and session key to the client. The name of the client, embedded in the ticket, includes the name of the realm in which the client was registered.

With Version 4, it was necessary for an authentication server to register with every other realm with which cross-realm authentication was required. This was not scalable; complete interconnection required the exchange of n^2 keys where n was the number of realms.

In contrast, Version 5 supports multi-hop cross-realm authentication, allowing keys to be shared hierarchically. With V5, each realm shares a key with its children and parent, i.e. the ISI.EDU realm shares a key with the EDU realm which also shares keys with MIT.EDU, USC.EDU and WASHINGTON.EDU. If no key is shared directly by ISI.EDU and MIT.EDU, authentication of the client bcn@ISI.EDU to a server registered with the MIT.EDU realm proceeds by obtaining a ticket granting ticket for EDU from the ISI.EDU authentication server, using that ticket granting ticket to obtain a ticket granting ticket for the MIT.EDU realm from the EDU authentication server, and finally obtaining a ticket for the verifier from the MIT.EDU authentication server.

The list of realms that are transited during multi-hop cross-realm authentication is recorded in the ticket and the verifier accepting the authentication makes the final determination about whether the path that was followed should be trusted. Shortcuts through the hierarchy are supported and can improve both the trust in and the performance of the authentication process.

This hierarchical organization of realms is similar to the hierarchical organization of certification authorities and certificate servers for public-key cryptography [3]. As with the public key certification hierarchy, the utility of the authentication infrastructure supporting authentication between parties not previously known to one another depends in part on the availability of authentication servers for realms near the top of the hierarchy. Unfortunately, political and legal ambiguity has the potential to slow the establishment of these realms. In the mean time, pairwise relationships between regions of the hierarchy (shortcuts) are important. A discussion of the tradeoffs available when establishing realms for large organizations can be found in [5].

Obtaining and Using Kerberos

Setting up the authentication server

Initial passwords for a site's users must be registered with the authentication server. If the number of users is small, initial registration is best achieved in person in front of an accounts administrator who can check a driver's license, passport, or other physical document.

At sites with a large number of users and limited staff devoted to system administration, less cumbersome and less secure procedures for initial registration may present an acceptable tradeoff. For example, if users regularly log on to a trusted system, the login program can be modified to register the passwords of non-registered users after verifying that the password is valid. While simpler than in-person registration, such bootstrapping techniques must be used with caution since they rely initially on the security of a weaker authentication system.

Kerberos Utilities

Using ``Kerberized'' applications

It is generally necessary to modify the client/server protocol when Kerberizing an application unless the protocol designer has already made provisions for an authentication exchange. The application program must generate and send a Kerberos application request to the application server during the protocol initialization phase, and the server must verify the Kerberos authentication information. The request must be transmitted within the client/server protocol. The Kerberos library provides routines that generate and verify these messages.

More recent implementations of Kerberos provide a Generic Security Services Application Programmer Interface (GSSAPI) [12]. The GSSAPI provides a standard programming interface which is authentication mechanism independent. This allows the application programmer to design an application and application protocol which can used alternative different authentication technologies, including Kerberos. The use of the GSSAPI in application programs is recommended wherever possible.

Because it is a generic authentication interface, the GSSAPI does not support all of the functionality provided by Kerberos. For example, Kerberos's notion of user-to-user authentication is not currently supported. Hence, an application programmer will not always be able to use the GSSAPI in all cases, and may have to use the Kerberos API in order to use some features.

Other approaches for improving security

One-time passcodes

One-time passcode devices are not by themselves sufficient for securing distributed systems because the information needed to verify the passcode might not be present on all servers with which the client interacts during a session, and because it is not practical to require entry of the passcode on every server access. However, one-time passcode methods can be combined with Kerberos so that knowledge of both the passcode and a password-based encryption key are required to successfully complete the initial authentication exchange. Commercial products that combine one-time passcodes with Kerberos are available.

Public-key Cryptography

While public-key encryption is well suited for use in authentication by store and forward applications such as electronic mail [9], and it is required by applications where a signature is verified by many readers [17], performance is a problem for high-performance servers that perform many authentication operations. With the RSA [16] algorithm, the most accepted algorithm for public key cryptography, the private key operation (signing or decrypting a message) is expensive.

Work is underway to add public-key support to Kerberos, where it can be confined to the initial request for a ticket granting ticket, allowing users with registered public keys (perhaps for privacy enhanced mail) to obtain Kerberos tickets for application servers supporting Kerberos authentication. Subsequent exchanges, especially the application request, would use conventional cryptography for better performance. Public-key encryption may also be used by authentication servers to exchange conventional cross-realm keys on-demand between authentication servers, with the cost amortized over many requests.

Summary

Acknowledgments

The major sponsors of Project Athena were Digital Equipment Corporation and IBM. Neuman's security efforts are funded in part by the Advance Research Projects Agency under NASA Cooperative Agreement NCC-2-539 and other awards, and by CyberSafe Corporation (formerly Open Computing Security Group). The views and conclusions contained in this paper are those of the authors and should not be interpreted as representing the official policies, either expressed or implied, of any of the funding organizations. Figures and descriptions in this paper were provided by the authors and are used with permission.

References

1. S. M. Bellovin and M. Merritt. Limitations of the kerberos authenication system. Computer Communication Review, 20(5):119-132, October 1990. postscript
2. G. A. Champine, D. E. Geer, Jr., and W. N. Ruh. Project Athena as a distributed computer system. IEEE Computer, 23(9):40-51, September 1990.
3. S. Chokhani. Towards a national public key infrastructure. IEEE Communications Magazine, 32(9): 70-74, September 1994.
4. Computer Emergency Response Team. Ongoing network monitoring attacks. CERT Advisory CA-94:01, 3 February 1994. text
5. CyberSafe Corporation. Deploying Kerberos for large organizations. Technical Report 94-47, CyberSafe Corporation, 1605 NW Sammamish Rd, Suite 310, Issaquah, WA 98027-5378 USA. tr-request@cybersafe.com.
6. D. E. Denning and G. M. Sacco. Timestamps in key distribution protocols. Communication of the ACM, 24(8):533-536, August 1981.
7. W. Diffie and M. E. Hellman. New directions in cryptography. IEEE Transactions on Information Theory, 22(6):644-654, November 1976.
8. B. Jaspan. Kerberos users' frequently asked questions. Periodically posted to Usenet newsgroup comp.protocols.kerberos, April 1994. html
9. S. T. Kent. Internet privacy enhanced mail. Communications of the ACM, 36(8):48-60, August 1993.
10. J. T. Kohl and B. C. Neuman. The Kerberos network authentication service. Internet RFC 1510, September 1993. text
11. J. T. Kohl, B. C. Neuman, and T. Y. T'so. The evolution of the Kerberos authentication system. In Distributed Open Systems, pages 78-94. IEEE Computer Society Press, 1994. text , postscript
12. J. Linn. Generic security service application program interface. Internet RFC 1508, September 1993. text
13. R. M. Needham and M. D. Schroeder. Using encryption for authentication in large networks of computers. Communication of the ACM, 21(12):993-999, December 1978.
14. B. C. Neuman. Proxy-based authorization and accounting for distributed systems. In Proceedings of the 13th International Conference on Distributed Computing Systems, pages 283-291, May 1993. postscript, compressed postscript
15. B. C. Neuman and S. G. Stubblebine. A note on the use of timestamps as nonces. Operating Systems Review, 27(2):10-14, April 1993. compressed postscript
16. R. L. Rivest, A. Shamir, and L. Adleman. A method for obtaining digital signatures and public key cryptosystems. Communications of the ACM, 21(2):120-126, February 1978.
17. R. K. Smart. The X.509 extended file system. In Proceedings of the ISOC Symposium on Network and Distributed System Security, February 1994.
18. J. G. Steiner, B. C. Neuman, and J. I. Schiller. Kerberos: An authentication service for open network systems. In Proceedings of the Winter 1988 Usenix Conference, pages 191-201, February 1988. text , postscript