Kerberos Protocol: Facts and Misconceptions

Notable Features of the Kerberos Protocol


Question

Which of the following is NOT true of the Kerberos protocol?

Answer

B.

Explanation

Kerberos is a network authentication protocol.

It is designed to provide strong authentication for client/server applications by using secret-key cryptography.

It has the following characteristics:

It is secure: it never sends a password unless it is encrypted.

Only a single login is required per session.

Credentials defined at login are then passed between resources without the need for additional logins.

The concept depends on a trusted third party, a Key Distribution Center (KDC).

The KDC is aware of all systems in the network and is trusted by all of them.

It performs mutual authentication, where a client proves its identity to a server and a server proves its identity to the client.

Kerberos introduces the concept of a Ticket-Granting Server/Service (TGS). A client that wishes to use a service has to receive a ticket from the TGS; a ticket is a time-limited cryptographic message giving it access to the server. Kerberos also requires an Authentication Server (AS) to verify clients. The two servers combined make up a KDC.

Within the Windows environment, Active Directory performs the functions of the KDC.

The following figure shows the sequence of events required for a client to gain access to a service using Kerberos authentication.

Each step is shown with the Kerberos message associated with it, as defined in RFC 4120, "The Kerberos Network Authentication Service (V5)".

[Figure: Kerberos Key Distribution Center, made up of the Authentication Server (AS), the Ticket-granting Server (TGS) and the user/computer database. The User Workstation contacts the AS once per user login session, the TGS once per type of service, and the Server once per service session.]

Kerberos Authentication Step by Step

Step 1: The user logs on to the workstation and requests service on the host.

The workstation sends a message to the Authentication Server (AS) requesting a ticket-granting ticket (TGT).

Step 2: The Authentication Server verifies the user's access rights in the user database and creates a TGT and session key.

The Authentication Server encrypts the results using a key derived from the user's password and sends a message back to the user workstation.

The workstation prompts the user for a password and uses the password to decrypt the incoming message.

When decryption succeeds, the user will be able to use the TGT to request a service ticket.

Step 3: When the user wants access to a service, the workstation client application sends a request to the Ticket Granting Service containing the client name, realm name and a timestamp.

The user proves his identity by sending an authenticator encrypted with the session key received in Step 2.

Step 4: The TGS decrypts the ticket and authenticator, verifies the request, and creates a ticket for the requested server.

The ticket contains the client name and optionally the client IP address.

It also contains the realm name and ticket lifespan.

The TGS returns the ticket to the user workstation.

The returned message contains two copies of a server session key: one encrypted with the client password, and one encrypted with the service password.

Step 5: The client application now sends a service request to the server containing the ticket received in Step 4 and an authenticator.

The service authenticates the request by decrypting the session key.

The server verifies that the ticket and authenticator match, and then grants access to the service.

This step as described does not include the authorization performed by the Intel AMT device, as described later.

Step 6: If mutual authentication is required, then the server will reply with a server authentication message.

The Kerberos server knows "secrets" (encrypted passwords) for all clients and servers under its control, or it is in contact with other secure servers that have this information.

These "secrets" are used to encrypt all of the messages shown in the figure above.

To prevent "replay attacks," Kerberos uses timestamps as part of its protocol definition.

For timestamps to work properly, the clocks of the client and the server need to be in sync as closely as possible.

In other words, both computers need to be set to the same time and date.

Since the clocks of two computers are often out of sync, administrators can set a policy defining the maximum difference between a client's clock and a server's clock that Kerberos will accept.

If the difference between a client's clock and the server's clock is less than the maximum time difference specified in this policy, any timestamp used in a session between the two computers will be considered authentic.

The maximum difference is usually set to five minutes.

Note that if a client application wishes to use a service that is "Kerberized" (the service is configured to perform Kerberos authentication), the client must also be Kerberized so that it expects to support the necessary message responses.
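The six steps and the clock-skew/replay rules above, as an added example that is not part of the original page or of the Intel document it cites: a toy Python model of the AS, TGS and server exchanges in which the TGT and service ticket are sealed under the right long-term keys, the authenticator must open with the ticket's session key, and the verifier enforces the five-minute skew limit plus a replay cache. The cipher (a hash-based XOR stream with an HMAC), the password-to-key function, the principal names, the key values and the 10-hour ticket lifetime are all constructed stand-ins, not Kerberos encryption types.

```python
import hashlib, hmac, json
MAX_SKEW = 300   # maximum accepted clock difference: five minutes, as the page states

def key_from_password(pw): return hashlib.sha256(pw.encode()).digest()   # toy stand-in for string2key

def _keystream(key, n):   # deterministic keystream for the toy cipher below (no nonce: illustration only)
    return b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))[:n]

def seal(key, obj):       # encrypt-then-MAC: only a holder of `key` can read or forge the message
    pt = json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, len(pt))))
    return (hmac.new(key, ct, "sha256").digest() + ct).hex()

def unseal(key, blob):    # raises ValueError on a wrong key or a tampered message
    raw = bytes.fromhex(blob); tag, ct = raw[:32], raw[32:]
    if not hmac.compare_digest(tag, hmac.new(key, ct, "sha256").digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, len(ct)))))

def issue_ticket(svc_key, client, now):   # ticket readable only by the service; fresh session key inside
    sk = hashlib.sha256(f"{client}|{now}|{svc_key.hex()}".encode()).hexdigest()
    return sk, seal(svc_key, {"client": client, "key": sk, "expires": now + 36000})

def make_authenticator(sk_hex, client, now):   # client proves it holds the session key (steps 3 and 5)
    return seal(bytes.fromhex(sk_hex), {"client": client, "ts": now})

def check_ticket(svc_key, ticket, auth, now, seen):   # shared by the TGS (step 4) and the server (step 5)
    t = unseal(svc_key, ticket)                         # open the ticket with the service's own long-term key
    a = unseal(bytes.fromhex(t["key"]), auth)           # the authenticator must open with the ticket's session key
    if now > t["expires"] or a["client"] != t["client"]:
        raise ValueError("ticket expired or does not match authenticator")
    if abs(now - a["ts"]) > MAX_SKEW:                   # clock-skew policy
        raise ValueError("clock skew too large")
    if (a["client"], a["ts"]) in seen:                  # replay cache: the same authenticator presented twice
        raise ValueError("replayed authenticator")
    seen.add((a["client"], a["ts"]))
    return t, a

def as_rep(secrets, client, now):   # steps 1-2: AS issues a TGT plus session key, sealed under the password key
    sk, tgt = issue_ticket(secrets["krbtgt"], client, now)
    return seal(secrets[client], {"key": sk, "tgt": tgt})

def tgs_rep(secrets, tgt, auth, svc, now, seen):   # steps 3-4: TGS validates TGT + authenticator, issues ticket
    t, _ = check_ticket(secrets["krbtgt"], tgt, auth, now, seen)
    sk, st = issue_ticket(secrets[svc], t["client"], now)
    return seal(bytes.fromhex(t["key"]), {"key": sk, "ticket": st})

def ap_exchange(svc_key, ticket, auth, now, seen):   # steps 5-6: server checks the ticket, then proves itself
    t, a = check_ticket(svc_key, ticket, auth, now, seen)
    return t["client"], seal(bytes.fromhex(t["key"]), {"ts": a["ts"]})   # AP-REP: only the key holder can do this
```

The workstation side is just `unseal` with the password-derived key for the AS reply and with the session keys for the later replies; a wrong password, a replayed authenticator or a timestamp more than five minutes off each raise a distinct error.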

For more information about Kerberos, see http://web.mit.edu/kerberos/www/

References: Introduction to Kerberos Authentication (Intel); http://www.zeroshell.net/eng/kerberos/Kerberos-definitions/#1.3.5.3; http://www.ietf.org/rfc/rfc4120.txt.

The Kerberos protocol is a network authentication protocol that provides a secure way for clients and servers to authenticate each other over a non-secure network. The protocol uses a trusted third-party authentication server, called the Key Distribution Center (KDC), to authenticate clients and servers and establish a shared secret key for secure communication.

Let's go through each of the options and see which one is NOT true about the Kerberos protocol:

A. Only a single login is required per session. This statement is true. In Kerberos authentication, a client only needs to authenticate once to the KDC at the beginning of the session. After the initial authentication, the client receives a ticket-granting ticket (TGT) that can be used to obtain service tickets for accessing different services within the network. The TGT is valid for a certain period of time, and the client can use it to request multiple service tickets without needing to re-authenticate to the KDC.

B. The initial authentication steps are done using public key algorithm. This statement is false. The Kerberos protocol does not use a public key algorithm for the initial authentication steps. Instead, it uses a shared secret key that is known only to the client and the KDC. The client sends a request to the KDC for a TGT, and the KDC responds with a TGT encrypted using the shared secret key. The client then decrypts the TGT using the shared secret key to obtain a session key for encrypting future communication with the KDC.

C. The KDC is aware of all systems in the network and is trusted by all of them. This statement is generally true. The KDC maintains a database of all the users and services within the network and their corresponding secret keys. It is trusted by all the systems in the network to provide secure authentication and authorization services.

D. It performs mutual authentication. This statement is true. The Kerberos protocol provides mutual authentication, meaning both the client and the server authenticate each other during the authentication process. After the client has obtained a TGT from the KDC, it uses this to request a service ticket from the KDC for the specific service it wants to access. The service ticket is encrypted with a session key that is shared between the client and the service. The client sends the service ticket to the service, which decrypts it using the session key to authenticate the client. This mutual authentication ensures that both parties can verify each other's identities before exchanging sensitive information.

Therefore, the option that is NOT true about the Kerberos protocol is B, "The initial authentication steps are done using public key algorithm." The Kerberos protocol uses a shared secret key for initial authentication, not a public key algorithm.