Kerberos: Strengths and Weaknesses
The Kerberos authentication model offers a number of advantages over more
traditional authentication schemes:
- Users' passwords are never sent across the network, encrypted or in
plain text. Secret keys are only passed across the network in
encrypted form. Hence, a miscreant snooping and logging conversations on a
possibly insecure network cannot deduce from the contents of network
conversations enough information to impersonate an authenticated user or an
authenticated target service.
- Client and server systems mutually authenticate -- at each step of the
process, both the client and the server systems may be certain that they are
communicating with their authentic counterparts.
- Although the preceding discussion did not go into sufficient detail to
elucidate the fact, the tickets passed between clients and servers in the
Kerberos authentication model include timestamp and lifetime information.
This allows Kerberos clients and Kerberized servers to limit the duration of
their users' authentication. While the specific length of time for which a
user's authentication remains valid after his initial ticket is issued is
implementation dependent, Kerberos systems typically use small enough ticket
lifetimes to prevent brute-force and replay attacks. In general, no
authentication ticket should have a lifetime longer than the expected time
required to crack the encryption of the ticket.
- Authentications are reusable and durable. A user need only
authenticate to the Kerberos system once (using his principal and
password). For the lifetime of his authentication ticket, he may then
authenticate to Kerberized services across the network without re-entering
his personal information.
- As a side-effect of the dual-key encryption scheme employed in the
Kerberos model, a service-session key is generated which constitutes a
shared secret between a particular client system and a particular service.
This shared secret may be used as a key for encrypting the conversation
between the client and the target service, further enhancing the security of
- Unlike many alternative authentication mechanisms, Kerberos is entirely
based on open Internet standards. A number of well-tested and
widely-understood reference implementations are available free of charge to
the Internet community. Commercial implementations based on the accepted
standards are also available.
- Unlike many of its proprietary counterparts, Kerberos has been
scrutinized by many of the top programmers, cryptologists and security
experts in the industry. This public scrutiny has ensured and continues to
ensure that any new weaknesses discovered in the protocol or its underlying
security model will be quickly analyzed and corrected.
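The timestamp and lifetime checks described in the list above, as an added example that is not part of the original page: a simplified service-side acceptance test, assuming the ticket and a client-built authenticator have already been decrypted. The class names, the 300-second clock-skew allowance and the in-memory replay cache are assumptions made for illustration.

```python
from dataclasses import dataclass

MAX_SKEW = 300  # seconds of clock drift tolerated (assumed value)

@dataclass(frozen=True)
class Ticket:            # simplified: already decrypted by the service
    client: str
    issued_at: int       # KDC timestamp, epoch seconds
    lifetime: int        # seconds the ticket stays valid

@dataclass(frozen=True)
class Authenticator:     # fresh proof the client builds per request
    client: str
    timestamp: int

class Service:
    def __init__(self):
        self._seen = {}  # replay cache: (client, timestamp) -> expiry

    def accept(self, ticket, auth, now):
        # Entries past the skew window can be dropped: the skew check
        # below rejects those authenticators anyway.
        self._seen = {k: exp for k, exp in self._seen.items() if exp >= now}
        if auth.client != ticket.client:
            return "reject: client mismatch"
        if now < ticket.issued_at - MAX_SKEW:
            return "reject: ticket not yet valid"
        if now > ticket.issued_at + ticket.lifetime:
            return "reject: ticket expired"
        if abs(now - auth.timestamp) > MAX_SKEW:
            return "reject: authenticator outside clock-skew window"
        key = (auth.client, auth.timestamp)
        if key in self._seen:
            return "reject: replayed authenticator"
        self._seen[key] = auth.timestamp + MAX_SKEW
        return "accept"

def demo():
    # Constructed sample values, not taken from any real realm.
    svc = Service()
    t = Ticket("alice@EXAMPLE.ORG", issued_at=1_000_000, lifetime=8 * 3600)
    a = Authenticator(t.client, timestamp=1_000_100)
    return [
        svc.accept(t, a, now=1_000_105),  # fresh request
        svc.accept(t, a, now=1_000_110),  # same authenticator resent
        svc.accept(t, a, now=1_000_900),  # resent after the skew window
        svc.accept(t, Authenticator(t.client, 1_030_000), now=1_030_000),
    ]
```

The replay cache only has to remember an authenticator for as long as the skew window would still accept it, which is why short windows and short lifetimes keep the service's state small.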
The Kerberos model does, however, have certain weaknesses:
- In Kerberos IV (the version of Kerberos used by AFS and Zephyr)
all encryption is performed using the DES algorithm. While
DES was considered "unbreakable" at the time of the release of Kerberos IV,
it is now believed that a sufficiently motivated miscreant could, with only
modest computing resources, conceivably crack DES encryption in a relatively
short period of time. Some researchers have, in fact, been able to do just
that under certain specific circumstances. Since the trustworthiness of
Kerberos authentication depends entirely on the unbreakability of the
underlying encryption technology used by the system, this poses a threat to the
security of Kerberos IV. In the current release of Kerberos,
Kerberos V, support is provided for "plug-in" symmetric encryption
algorithms. Kerberos V systems can use, for example, the much more secure
triple-DES or IDEA encryption algorithms. The overall structure of Kerberos
V remains the same as that of Kerberos IV. Webauth, for example, used 3DES
keys to secure services (more on Webauth later... :-).
- Kerberos was designed for use with single-user client systems. In the
more general case, where a client system may itself be a multi-user system,
the Kerberos authentication scheme can fall prey to a variety of
ticket-stealing and replay attacks. The overall security of multi-user
Kerberos client systems (filesystem security, memory protection, etc.) is
therefore a limiting factor in the security of Kerberos authentication. No
amount of cleverness in the implementation of a Kerberos authentication
system can replace good system administration practices on Kerberos client
and server machines.
- Because Kerberos uses a mutual authentication model, it is necessary
for both client machines and service providers (servers) to be designed with
Kerberos authentication in mind. Many proprietary applications already
provide support for Kerberos or will be providing Kerberos support in the
near future. Some legacy systems and many locally-written and maintained
packages, however, were not designed with any third-party
authentication mechanism in mind, and would have to be re-written (possibly
extensively) to support Kerberos authentication.
- The Kerberos authentication model is vulnerable to brute-force attacks
against the KDC (the initial ticketing service and the ticket-granting
service). The entire authentication system depends on the trustworthiness of
the KDC(s), so anyone who can compromise system security on a KDC system can
theoretically compromise the authentication of all users of systems
depending on the KDC. Again, no amount of cleverness in the design of the
Kerberos system can take the place of solid system administration practices
employed in managing the Kerberos KDC(s).