Kerberos

Kerberos
Kerberos provides a third method of securing the 802.11 over the air link. It is mainly used by Symbol
Technologies, Inc. with their Spectrum24 WLANs. Kerberos provides robust security, uninterrupted
network connectivity for voice and data devices, and addresses the security needs and concerns of
network managers.
Kerberos provides both user authentication and encryption key management, and can guard networks
from attacks on data in transmission, including interruption, interception, modification, and fabrication.
Kerberos was voted as the "mandatory-to-implement" security service for 802.11e authentication and
encryption key management. Kerberos provides confidentiality, authentication, integrity, access control,
and availability. Kerberos also works very well during handoffs between APs resulting in uninterrupted
application connectivity. Reauthentication to the network is very quick.
How Kerberos Works for 802.11 Kerberos is based on the key distribution model developed by Needham
and Schroeder.[31] Network authentication using Kerberos involves four processes: authentication
exchange, ticket-granting service exchange, user/server exchange, and secure communications between
user and server.[32] This is illustrated in Figure 4-18.
Figure 4-18: Kerberos authentication flow
Authentication Exchange The user sends a request to the AS for a ticket to the ticket-granting server
(TGS). The AS looks up the user in its database, finds the client's secret key, and then generates a
session key (SK1) for use between the client and the TGS.
The AS encrypts the session key using the user's secret key to form a message. The AS also uses the
TGS's secret key (known only to the AS and the TGS) to encrypt the session key and the user's name to
form a ticket-granting ticket (TGT). The TGT and the message are sent back to the user.
Ticket-Granting Service Exchange The user decrypts the message and recovers the session key. The
user creates an authenticator by encrypting the user's name, IP address, and a timestamp with the
session key. The user sends this authenticator, along with the TGT, to the TGS, requesting access to the
target server. The TGS decrypts the TGT to recover SK1 and then uses the SK1 inside the TGT to
decrypt the authenticator. It verifies information in the authenticator, the ticket, the user's network
address, and the timestamp. If everything matches, it lets the request proceed.
Then the TGS creates a new session key (SK2) for the user and target server to use, encrypts it using
SK1, and sends it to the user. The TGS also sends a ticket containing the user's name, a network
address, a timestamp, and an expiration time for the ticket—all encrypted with the target server's secret
key—and the name of the server.
User/Server Exchange The user decrypts the message and gets SK2. Finally ready to approach the
target server, the user creates a new authenticator encrypted with SK2. The user sends the session ticket
(already encrypted with the target server's secret key) and the encrypted authenticator. Because the
authenticator contains plaintext encrypted with SK2, it proves that the user knows the key. The encrypted
timestamp prevents an eavesdropper from recording both the ticket and authenticator and replaying them
later. The target server decrypts and checks the ticket, authenticator, user address, and timestamp. For
applications that require two-way authentication, the target server returns a message consisting of the
timestamp plus one, encrypted with SK2. This proves to the user that the server actually knew its own
secret key and thus could decrypt the ticket and the authenticator.
Secure Communications The target server knows that the user is who he or she claims to be, and the two
now share an encryption key for secure communications. Because only the user and target server share
this key, they can assume that a recent message encrypted in that key originated with the other party.
The Downfalls of Kerberos The following are inherent downfalls to the Kerberos authentication system:
l If an attacker is logged on the same computer at the same time as an authorized user, the cached
keys located on that computer are accessible to the attacker.
l The Kerberos system relies on the synchronization of the clocks located on the different machines. If
an intruder can mislead a host in terms of the correct time, the authentication ticket to the network
can be used repeatedly as a result of the nonexpiring timestamp.
l You must trust that all three machines (time/authenticator servers [KDC], the client, and the network
server) are void of an intruder.
l If a ticket is forwarded, the system must trust all of the other systems that the ticket has traveled
through before reaching the current server. However, the server where the ticket arrives cannot tell
where it has come from—it can only tell that it has been on other servers by a flag, which has been
set to one.
l Passwords can be guessed by plugging a password guess into the public encryption key algorithm.
l The longer a ticket is granted, the more likely it is to be stolen and used by an unauthorized user.
l In a wireless system using MAC address registration as an authentication method, if the NIC is
stolen, the card has the inherent authentication of the user that is tied to that NIC and will be granted
access to the network.[33]
Standards Kerberos V5 is standardized under RFC 1521.[34]
[14]Wi-Fi Alliance, "Overview—Wi-Fi Protected Access," www.wi-fi.com/OpenSection/pdf/Wi-
Fi_Protected_Access_Overview.pdf October 31, 2002.
[15]IEEE 802.1x, http://standards.ieee.org/getieee802/.
[16]Matthew Gast, 802.11b Wireless Networks: The Definitive Guide (Sebastopol, California: O'Reilly &
Associates, 2002), 100.
[17]The Unofficial 802.11 Security Web Page, http://www.drizzle.com/~aboba/IEEE/.
[18]Mishra, Arunesh, and Arbaugh, William A, "An Initial Security Analysis of the IEEE 802.1x Standard,
Feb. 06, 2002, http://www.cs.umd.edu/~waa/1x.pdf.
[19]Cisco Aironet Response to University of Maryland's Paper, "An Initial Security Analysis of the IEEE
802.1x Standard," March 2002, http://www.cisco.com/warp/public/cc/pd/witc/ao350ap/prodlit/1680_pp.
htm.
[20]"Microsoft 802.1x Authentication Client," www.microsoft.com/windows2000/server/evaluation/news/
bulletins/8021xclient.asp December 13, 2002.
[21]"Open Source Implementation of IEEE 802.1x," www.openlx.org/.
[22]"Remote Authentication Dial-in User Service (RADIUS)," www.ietf.org/rfc/rfc2865.txt, and "Radius
Accounting," www.ietf.org/rfc/rfc2866.txt.
[23]Joshua Hill, "An Analysis of the RADIUS Authentication Protocol," www.untruth.org/~josh/security/
radius/radius-auth.html.
[24]Bernard Aboba and Ashwin Palakar, "IEEE 802.1x and RADIUS Security."
[25]"Radius Protocol and Best Practices," www.microsoft.com/windows2000/docs/RADIUS_Sec.doc.
[26]"PPP Challenge Handshake Authentication Protocol (CHAP)," www.ietf.org/rfc/rfc1994.txt.
[27]"Authentication with 802.1x and EAP Across Congested WAN Links," www.cisco.com/warp/public/cc/
pd/witc/ao350ap/prodlit/authp_an.htm.
[28]"PPP EAP-TLS Authentication Protocol," www.ietf.org/rfc/rfc2716.txt.
[29]"Protected EAP Protocol (PEAP)," www.globecom.net/ietf/draft/draft-josefsson-pppext-eap-tls-eap-02.
html.
[30]"Practical Steps to Secure Your Wireless LAN," a white paper from AirDefense, www.airdefense.com.
[31]R. M. Needham and M. D. Schroeder, "Using Encryption for Authentication in Large Networks of
Computers," Communications of the ACM 21, no. 12 (December 1978): 993-99.
[32]Russel Kay, "Kerberos," Computer World, www.computerworld.com/news/2000/
story/0,11280,46517,00.html, July 3, 2000.
[33]S. M. Bellovin and M. Merritt, "Limitations of the Kerberos Authentication System," Computer
Communication Review 20, no. 5 (1990): 119–132.
[34]The Kerberos Network Authentication Service (V5)," www.ietf.org/rfc/rfc1510.txt.