Kerberos Security in Windows 2000
Zubair Alexander takes a look at Kerberos 5, Windows 2000's primary authentication protocol, and explains how Kerberos security works.
January 30, 2000
When it comes to security, Windows 2000 (Win2K) offers many improvements over Windows NT. Probably the biggest advance has been in the OS's primary authentication protocol. NT LAN Manager (NTLM) has been primary authentication protocol for all versions of NT. Win2K supports NTLM and Secure Socket Layer/Transport Layer Security (SSL/TLS) authentication protocols. But Win2K's primary authentication protocol is Kerberos 5, which takes its name from Cerberus, Greek mythology’s three-headed dog that guarded the gates of Hades. Let's take a closer look at Kerberos 5 and how Kerberos security works in Win2K.
Kerberos emerged from an MIT project called Athena, which ran from the 1980s through the early 1990s. Athena's purpose was to establish a method to design and implement distributed computing environments. The project sought to improve upon traditional authentication methods and develop a strong authentication method that was less susceptible to hackers who monitor network packets and capture passwords. Instead of sending clear-text passwords over the wire, Kerberos uses encryption to authenticate clients and grant access to resources on the network. Kerberos refers to several things: Kerberos is the Authentication Service (AS), the protocol that AS uses, and the code that implements AS. Kerberos version 5 authentication issues tickets for accessing services on the network. Kerberos is also an Internet standard (see Request for Comments—RFC—1510).
The Kerberos security protocol uses the Data Encryption Standard (DES) shared-secret key concept for authentication. A secret key can be either private (known to one party only) or shared (known to two or more parties). In Kerberos, both the client and the Kerberos service share the encrypted password, which is known as a session key. The Kerberos service issues the ticket (or certificate) that contains, among other things, the user’s name, a session key, and the expiration time for the ticket. If the ticket expires during an active session, the Kerberos service informs the client and the server that the ticket has expired and generates a new session key so that the session can resume. The initial ticket lets Win2K authenticate the client on the network so that the client can access resources anywhere on the enterprise network using one logon and password.
Kerberos consists of several subprotocols and can operate across domains. The key distribution center (KDC), the Kerberos authentication service, runs as a service on each domain controller. The Kerberos client resides on each Win2K client and server. The Kerberos protocol consists of three main components:
The AS, the central database containing all the information about the users
The principle (or client)
The verifier (or server)
Kerberos clients can prove their identity to the server without sending passwords across the wire. Let’s say that a client wants to access a shared folder on a resource server, such as a file server. Here’s how the process works:
A client requests authentication from an authentication server, such as a domain controller.
The server creates two copies of the session key and sends them to the client in an encrypted message that contains the client’s private key and resource server’s encrypted private key. The session key contains a time-stamp that prevents someone from capturing packets with a protocol analyzer and playing them back to fool the server.
The client sends copies of the session key to the resource server, which uses its private key to open the encrypted key.
The verified client can now communicate with the server because both the client and the server have the shared-secret session key.
In an optional step, the client might ask Kerberos to verify the server as well.
Win2K's Kerberos security model has several advantages over earlier authentication protocols, including
Transitive-trust relationships for authentication between domains—Kerberos services accept authentication credentials that any Kerberos service in a domain tree issues, or any domain tree in a forest issues. (A domain tree is a hierarchical organization of domains. A forest consists of one or more domain trees.) The trusts are transitive and hierarchical; if Domain A trusts B, and B trusts C, then A also trusts C.
Efficient authentication—Any Win2K server can verify a client’s credentials without checking with the Kerberos service on the domain controller.
Mutual client and server authentication—Kerberos doesn't authenticate just the client; the client can request that Kerberos verify the server as well.
Delegated authentication—If the client transaction needs to go through multiple servers, the verifying server can authenticate the client to the requested server on behalf of the client. You can set up an unlimited number of consecutive servers to delegate authentication.
Kerberos represents a major change in the way an OS authenticates clients on a Windows network. Kerberos interoperability lets Win2K authenticate even non-Microsoft clients from other platforms (e.g., UNIX), as long as the clients implement Kerberos 5. Kerberos offers enhanced security, efficient authentication, and flexibility. It’s amazing what a three-headed dog can do!
About the Author
You May Also Like