Security

Lock IT Down: Getting to know Kerberos

A basic primer on the inner workings of Kerberos


Any protocol named after the fierce mythological three-headed dog guarding hell’s gates is bound to be intimidating. But have no fear. All ye who enter need not abandon hope.

You’ll be hearing quite a bit about Kerberos (Latin spelling: Cerberus) in the months to come. The protocol plays a major role in Windows 2000’s security enhancement efforts.

Kerberos, though, isn't a Microsoft invention. It’s the MIT-developed standard network authentication protocol that uses secret-key cryptography to secure client-server applications by proving the identity of the client to the server, and vice versa.

No, Kerberos isn't new. In fact, some network administrators already know about it. But plenty don’t—hence this column. And since the protocol is new to the Windows platform, I'll introduce some basic concepts, features, and implications that may be unfamiliar to Windows 2000 systems engineers.

Kerberos basics
With small networks, it’s easy to maintain a list of usernames and passwords on a single server for authentication. But, as networks grow, it becomes necessary to store the list on increasing numbers of machines, each of which could be hacked for a list of passwords. Difficulty of administration also grows, as the list becomes larger and an increasing number of users change passwords and authenticate to the network.

On the other hand, if you’re running an enterprise network or operating a virtual private network over the Internet, users must know they are connecting to the service they believe they’re using. In other words, they need a method of identifying that the server they’re connecting to is the one it’s supposed to be and not another machine pretending to be it.

The need to manage passwords for thousands (and even millions) of users, as well as many services, drove Kerberos' development.

Here's how it works
Users know their own passwords. Services also have passwords. But, there's also an authentication service that stores both sets of passwords in one central database.

Once you have proven who you are to the authentication service, it issues a ticket containing the information needed to pass your request to the service (printer, e-mail, and so on) you have requested.

These tickets identify the user to the service. And because they are encrypted by the authentication service using the service's own encryption key, if the service can decrypt the ticket, it knows the ticket was originally issued by the authentication service and is valid. You can probably see some holes in this idea, and it's all a lot more complicated in real-world implementations, but that gives you the basic concept.

Hackers are prevented from copying your ticket and using it to impersonate you, since your ticket possesses a time limit and includes a date stamp. Windows 2000 provides support for Kerberos version 5. This version helps foil hackers by maintaining only a five-minute ticket lifetime, which helps ensure it’s used only once.

There’s one last—but important—point. Due to security considerations and the need to make the authentication scheme user-friendly, users don’t actually receive a ticket for services. Instead, they receive a ticket allowing them to get tickets.

When the user logs on to Windows 2000, the client gets and stores a valid ticket-granting ticket (a ticket that lets you get end-services tickets without submitting your password each time) from the key distribution center. In Windows 2000, a domain server fulfills the key distribution center role. The process of receiving a ticket-granting ticket is performed only once during each user session.

To gain access to an actual service, such as e-mail or a print server, the user sends the request with a copy of the ticket-granting ticket to the key distribution center. The key distribution center replies with an encrypted ticket for the actual service. The client then sends this service ticket to the service provider.

Think of it as needing a AAA club membership card, which you must show before you can purchase a AAA club tour—only with secret handshakes thrown in for good measure.

Since Kerberos is a standards-based protocol, you can access non-Windows 2000 servers using Kerberos authentication tickets.

Get more Kerberos information from the source
If you want background information about the free version of Kerberos from MIT, complete with information about known bugs, check out the MIT Web site . You can read a Kerberos FAQ , maintained by the U.S. Navy, or even take in a play that contains a good description of the tool: Just check the MIT site for a copy of “Designing an Authentication System: A Dialogue in Four Scenes.”

If you read the interesting exchange in "Designing an Authentication System: A Dialogue in Four Scenes," you’ll get an excellent, non-technical explanation of the development concepts behind Kerberos. It might also give you some ammunition when you have to present the case for Kerberos to upper management. And be prepared to make a case for it, as implementing Kerberos in Windows 2000 is no trivial task.

Active directory
To use Kerberos in Windows 2000, you must accept the overhead that comes with the Active Directory. This might be exactly what you've been waiting for, but not everyone will love Active Directory.

Directory services are just what they sound like; they manage the addresses of the various services users want to access. They also manage user access to various services by maintaining a database that indicates what services each user is authorized to access.

Another advantage of Active Directory is its ability to let users log on once per session, rather than requiring multiple password requests for each new task. If this sounds similar to the manner in which Kerberos functions, it’s no coincidence. In Windows 2000, Kerberos is integrated with Active Directory.

There are many other advantages to using Active Directory, most of which involve the centralized, simplified management of distributed resources. But along with the usual small inconveniences found in any new product, there is one gigantic disadvantage: the need to migrate to what Microsoft designates as "Native Mode."

Maximizing the new features in Windows 2000 requires that a network’s operating systems all be running the Windows 2000 platform. Thus, it will be necessary to integrate all current Windows NT 4 domains under Active Directory management. This will be a major project for some shops.

Migration tools for both Windows NT and NetWare networks are available, but they require careful testing. Even with the help of these utilities, the changeover will be no small task.

Bottom line
Kerberos can provide banking-grade security levels for your enterprise using Windows 2000. However, its configuration and management are complex, in part because you must migrate to Active Directory.

In addition to the other resources already listed, there is a Kerberos RFC, but be warned: It's not for the fainthearted. If you're new to Kerberos, do some other reading first. If you’re someone who loves the details, you can download the source code from MIT.

John McCormick is a consultant and writer (five books and 14,000-plus articles and columns) who has been working with computers for more than 35 years.


Make the most of your brilliant IT career
There's no reason not to get exactly what you want from TechRepublic. By becoming a volunteer member of AdminRepublic's Virtual Advisory Board, you can help guide our Web site by giving us your opinions on the topics and features you need as an elite member of the admin community.
Member responsibilities include:
  • Advising TechRepublic on topics of interest
  • Evaluating new features
  • Building the community to answer the concerns that you have
We are currently accepting applications for a limited number of openings. Don't wait any longer; apply now by sending us an e-mail. We'll send you an application and more information about our volunteer board.
This is an opportunity to play a pivotal role in creating something that will help propel you in your IT career. Plus it's another great thing to add to your resume!


 

Editor's Picks

Free Newsletters, In your Inbox