xref: /freebsd/crypto/heimdal/doc/whatis.texi (revision d3d381b2b194b4d24853e92eecef55f262688d1a)
1@c $Id$
2
3@node What is Kerberos?, Building and Installing, Introduction, Top
4@chapter What is Kerberos?
5
6@quotation
7@flushleft
8        Now this Cerberus had three heads of dogs,
9        the tail of a dragon, and on his back the
10        heads of all sorts of snakes.
11        --- Pseudo-Apollodorus Library 2.5.12
12@end flushleft
13@end quotation
14
15Kerberos is a system for authenticating users and services on a network.
16It is built upon the assumption that the network is ``unsafe''.  For
17example, data sent over the network can be eavesdropped and altered, and
18addresses can also be faked.  Therefore they cannot be used for
19authentication purposes.
20@cindex authentication
21
22Kerberos is a trusted third-party service.  That means that there is a
23third party (the kerberos server) that is trusted by all the entities on
24the network (users and services, usually called @dfn{principals}).  All
25principals share a secret password (or key) with the kerberos server and
26this enables principals to verify that the messages from the kerberos
27server are authentic.  Thus trusting the kerberos server, users and
28services can authenticate each other.
29
30@section Basic mechanism
31
32@ifinfo
33@macro sub{arg}
34<\arg\>
35@end macro
36@end ifinfo
37
38@tex
39@def@xsub#1{$_{#1}$}
40@global@let@sub=@xsub
41@end tex
42
43@ifhtml
44@macro sub{arg}
45@html
46<sub>\arg\</sub>
47@end html
48@end macro
49@end ifhtml
50
51@c ifdocbook
52@c macro sub{arg}
53@c docbook
54@c <subscript>\arg\</subscript>
55@c end docbook
56@c end macro
57@c end ifdocbook
58
59@quotation
60@strong{Note} This discussion is about Kerberos version 4, but version
615 works similarly.
62@end quotation
63
64In Kerberos, principals use @dfn{tickets} to prove that they are who
65they claim to be. In the following example, @var{A} is the initiator of
66the authentication exchange, usually a user, and @var{B} is the service
67that @var{A} wishes to use.
68
69To obtain a ticket for a specific service, @var{A} sends a ticket
70request to the kerberos server. The request contains @var{A}'s and
71@var{B}'s names (along with some other fields). The kerberos server
72checks that both @var{A} and @var{B} are valid principals.
73
74Having verified the validity of the principals, it creates a packet
75containing @var{A}'s and @var{B}'s names, @var{A}'s network address
76(@var{A@sub{addr}}), the current time (@var{t@sub{issue}}), the lifetime
77of the ticket (@var{life}), and a secret @dfn{session key}
78@cindex session key
79(@var{K@sub{AB}}). This packet is encrypted with @var{B}'s secret key
80(@var{K@sub{B}}).  The actual ticket (@var{T@sub{AB}}) looks like this:
81(@{@var{A}, @var{B}, @var{A@sub{addr}}, @var{t@sub{issue}}, @var{life},
82@var{K@sub{AB}}@}@var{K@sub{B}}).
83
84The reply to @var{A} consists of the ticket (@var{T@sub{AB}}), @var{B}'s
85name, the current time, the lifetime of the ticket, and the session key, all
86encrypted in @var{A}'s secret key (@{@var{B}, @var{t@sub{issue}},
87@var{life}, @var{K@sub{AB}}, @var{T@sub{AB}}@}@var{K@sub{A}}). @var{A}
88decrypts the reply and retains it for later use.
89
90@sp 1
91
92Before sending a message to @var{B}, @var{A} creates an authenticator
93consisting of @var{A}'s name, @var{A}'s address, the current time, and a
94``checksum'' chosen by @var{A}, all encrypted with the secret session
95key (@{@var{A}, @var{A@sub{addr}}, @var{t@sub{current}},
96@var{checksum}@}@var{K@sub{AB}}). This is sent together with the ticket
97received from the kerberos server to @var{B}.  Upon reception, @var{B}
98decrypts the ticket using @var{B}'s secret key.  Since the ticket
99contains the session key that the authenticator was encrypted with,
100@var{B} can now also decrypt the authenticator. To verify that @var{A}
101really is @var{A}, @var{B} now has to compare the contents of the ticket
102with that of the authenticator. If everything matches, @var{B} now
103considers @var{A} as properly authenticated.
104
105@c (here we should have some more explanations)
106
107@section Different attacks
108
109@subheading Impersonating A
110
111An impostor, @var{C} could steal the authenticator and the ticket as it
112is transmitted across the network, and use them to impersonate
113@var{A}. The address in the ticket and the authenticator was added to
114make it more difficult to perform this attack.  To succeed @var{C} will
115have to either use the same machine as @var{A} or fake the source
116addresses of the packets. By including the time stamp in the
117authenticator, @var{C} does not have much time in which to mount the
118attack.
119
120@subheading Impersonating B
121
122@var{C} can hijack @var{B}'s network address, and when @var{A} sends
123her credentials, @var{C} just pretend to verify them. @var{C} can't
124be sure that she is talking to @var{A}.
125
126@section Defence strategies
127
128It would be possible to add a @dfn{replay cache}
129@cindex replay cache
130to the server side.  The idea is to save the authenticators sent during
131the last few minutes, so that @var{B} can detect when someone is trying
132to retransmit an already used message. This is somewhat impractical
133(mostly regarding efficiency), and is not part of Kerberos 4; MIT
134Kerberos 5 contains it.
135
136To authenticate @var{B}, @var{A} might request that @var{B} sends
137something back that proves that @var{B} has access to the session
138key. An example of this is the checksum that @var{A} sent as part of the
139authenticator. One typical procedure is to add one to the checksum,
140encrypt it with the session key and send it back to @var{A}.  This is
141called @dfn{mutual authentication}.
142
143The session key can also be used to add cryptographic checksums to the
144messages sent between @var{A} and @var{B} (known as @dfn{message
145integrity}).  Encryption can also be added (@dfn{message
146confidentiality}). This is probably the best approach in all cases.
147@cindex integrity
148@cindex confidentiality
149
150@section Further reading
151
152The original paper on Kerberos from 1988 is @cite{Kerberos: An
153Authentication Service for Open Network Systems}, by Jennifer Steiner,
154Clifford Neuman and Jeffrey I. Schiller.
155
156A less technical description can be found in @cite{Designing an
157Authentication System: a Dialogue in Four Scenes} by Bill Bryant, also
158from 1988.
159
160These documents can be found on our web-page at
161@url{http://www.pdc.kth.se/kth-krb/}.
162