ECS401: Cryptography and

Network Security

Module 5: Authentication Protocols

Lecture 43
Outline of the lecture
• Kerberos
• Introduction
• Working of Kerberos
• Step 1: Login
• Step 2: Obtaining a Service Granting Ticket (SGT)
• Step 3: User Contacts Bob for Accessing the Server

2
Introduction
Many real-life systems use an authentication protocol called Kerberos.

The basis for Kerberos is another protocol, called Needham-Shroeder.

Designed at MIT to let workstations allow network resources in a secure manner, the name Kerberos signifies a multi-
headed dog in Greek mythology (apparently used to keep outsiders away).

Version 4 of Kerberos is found in most practical implementations. However, Version 5 is also in use now.

3
The Working of Kerberos
There are four parties involved in the Kerberos protocol:

The job of AS is to authenticate every

user at the login time. AS shares a
Authentication unique secret password with every
Server (AS) user.
Alice The client Verifies
workstation. (authenticates)
the user during
login.
The job of TGS is to certify to the
servers in the network that a user is
really who he/she claims to be.
Bob The server
Ticket Granting offering services
Server (TGS) such as network
Issues tickets to printing, file
certify proof of sharing or an
identity. application For proving this, the mechanism of
program. tickets (which allow entry into a server,
just as a ticket allows parking a car or
entering a music concert) is used.
4
The Working of Kerberos
There are three primary steps in the Kerberos protocol.

Step 1: Login
To start with, Alice, the user, sits down at an arbitrary public workstation and enters her name. The workstation sends her
name in plain text to the AS, as shown in Figure 1.

Figure 1: Alice sends a login request to

AS 5
The Working of Kerberos
Step 1: Login
In response, the AS performs
several actions. It first creates a
package of the user name (Alice)
and a randomly generated session
key (KS).
The workstation destroys the
password of Alice from its
memory immediately to prevent
an attacker from stealing it. Note
that Alice cannot open the TGT, as
it is encrypted with the key of the
TGS.
It encrypts this package with the
symmetric key that the AS shares
with the Ticket Granting Server
(TGS). The output of this step is
called the Ticket Granting Ticket
(TGT).
After this message is received, Alice’s
workstation asks her for the password.
When Alice enters it, the workstation
generates the symmetric key (KA)
derived from the password (in the
same manner as AS would have done
earlier) and uses that key to extract the
session key (KS) and the Ticket
Granting Ticket (TGT).
Note that the TGT can be opened
only by the TGS, since only it
possesses the corresponding
symmetric key for decryption.
The AS then combines the TGT
with the session key (KS), and
encrypts the two together using a
symmetric key derived from the
password of Alice (KA). Note that
the final output can, therefore, be
opened only by Alice.
6
 The Working of
Kerberos

7
Figure: AS sends back encrypted session key and TGT to Alice
The Working of Kerberos
Step 2: Obtaining a Service Granting Ticket (SGT)

Now, let us assume that after a successful login, Alice wants to make use of Bob—the email server—for
some email communication.
For this, Alice would inform her workstation that she needs to contact Bob. Therefore, Alice needs a ticket
to communicate with Bob.
At this juncture, Alice’s workstation creates a message intended for the Ticket Granting Server (TGS), which
contains the following items:

The current time

The TGT as in step 1.
The id of the server
stamp, encrypted
(Bob) whose services
with the same session
Alice is interested in.
key (KS).

This is shown in Figure 2. 8

 The Working of Kerberos
Step 2: Obtaining a
Service Granting Ticket
(SGT)

Figure 2: Alice sends a request 9

for an SGT to the TGS
The Working of Kerberos
Step 2: Obtaining a Service Granting Ticket (SGT)
As we know, the TGT is encrypted with the secret key
of the Ticket Granting Server (TGS). Therefore, only the
TGS can open it. This also serves as a proof to the TGS
that the message indeed came from Alice. Why?

This is because, if you remember, the TGT was created

by the AS (remember that only the AS and the TGS
know the secret key of TGS). Furthermore, the TGT and
the KS were encrypted together by the AS with the
secret key derived from the password of Alice.

Therefore, only Alice could have opened that package,

and retrieved the TGT.

Once the TGS is satisfied of the credentials of Alice,

the TGS creates a session key KAB, for Alice to have
secure communication with Bob. TGS sends it twice to
Alice: once combined with Bob’s id (Bob) and
encrypted with the session key (KS), and a second
time, combined with Alice’s id (Alice) and encrypted
10
with Bob’s secret key (KB). This is shown in Figure 3.
 The Working of
Kerberos
Step 2: Obtaining a Service
Granting Ticket (SGT)

Figure 3: TGS sends response back to Alice 11

The Working of Kerberos
Step 2: Obtaining a Service Granting Ticket (SGT)

Note that an attacker, Tom, can try and obtain the first message in this step sent
by Alice, and attempt a replay attack.

However, this would fail as the message from Alice contains the encrypted time
stamp.

Tom cannot replace the time stamp, because he does not have the session key
(KS). Even if Tom attempts a reply attack really quickly, all that he will get back is
the above message from TGS, which Tom cannot open, as he does not have
access to either Bob’s secret key or the session key (KS).

12
The Working of Kerberos
Step 3: User Contacts Bob for Accessing the Server

Since this exchange is This will ensure that

also desired to be only Bob can access
secure, Alice can KAB. Furthermore, to
Alice can now send
simply forward KAB guard against replay
KAB to Bob in order to
encrypted with Bob’s attacks, Alice also
enter into a session
secret key (which she sends the time stamp,
with him.
had received from the encrypted with KAB to
TGS in the previous Bob. This is shown in
step) to Bob. Figure 4.

13
The Working of Kerberos
Step 3: User Contacts Bob for Accessing the Server

14
Figure 4: Alice sends KAB securely to
The Working of Kerberos
Step 3: User Contacts Bob for Accessing the Server

Since only Bob has his secret key, he uses it to first obtain the information (Alice + KAB).
From this, it gets the key KAB, which he uses to decrypt the encrypted time stamp value.
Now how would Alice know if Bob received KAB correctly or not?

In order to satisfy this query, Bob now adds 1 to the time stamp sent by Alice, encrypts the
result with KAB and sends it back to Alice.

This is shown in Figure 5. Since only Alice and Bob know KAB, Alice can open this packet,
and verify that the timestamp incremented by Bob was indeed the one sent by her to Bob
in the first place.
15
The Working of Kerberos
Step 3: User Contacts Bob for Accessing the Server

16
Figure 5: Bob acknowledges the receipt of
The Working of Kerberos
Step 3: User Contacts Bob for Accessing the Server

The TGS will do the needful, as

Now, Alice and Bob can communicate
securely with each other. They would
use the shared secret key KAB to
encrypt messages before sending,
and also to decrypt the encrypted
messages received from each other.
An interesting point here is that if
Alice now wants to communicate with
another server, say Carol, she simply
needs to obtain another shared key
from the TGS, only now specifying
Carol instead of Bob, in her message.
explained earlier. The outcome is that
Alice can now access all the resources
of the network in a similar manner,
each time obtaining a unique ticket
(secret key) from the TGS to
communicate with a different
resource.

Only for the first time that she wants

Of course, if Alice wants to continue
communicating with Bob alone, she
need not obtain a new ticket every
time.
to communicate with a server is when
she needs to contact TGS and obtain a
ticket. Also, Alice’s password never
leaves her workstation, adding to the
security.
17
The Working of Kerberos
Step 3: User Contacts Bob for Accessing the Server

Since Alice needs to authenticate or sign on only once, this mechanism is called Single Sign On (SSO).

Alice need not prove her identity to every resource in the network individually. She needs to authenticate
herself only to the central AS only once. That is good enough for all the other servers/network resources to
be convinced of Alice’s identity.

18
The Working of Kerberos
Step 3: User Contacts Bob for Accessing the Server

Clearly, not every server in the

world would trust a single AS and
TGS. Therefore, the designers of
Kerberos provide a support for
In fact, Microsoft’s passport multiple realms, each having its
technology on the Internet is also own AS and TGS.
based on this philosophy.
Microsoft Windows NT also uses
SSO is a very important concept the Kerberos mechanism heavily.
for corporate networks, because This is also why once you log on to
they grow over a period of time, a Windows NT workstation, you
with multiple authentication can access your emails and other
mechanisms and diverse secret resources without requiring
implementations. These can be explicit logons, as long as the
segregated into a single, uniform correct mappings are done by the
authentication mechanism using system administrator.
SSO.
19