Kerberos Authentication Protocol And Wireless Protocols Computer Science Essay



Kerberos is a network authentication protocol designed to provide strong authentication for client/server applications using secret-key cryptography. It provides a single sign-on infrastructure that is ubiquitous, flexible and unobtrusive, and it can be integrated with other security frameworks (MIT Kerberos Consortium 2007). The Kerberos protocol involves several layers of encryption and relies on shared-secret authentication (Danseglio 2004). Kerberos verifies not only the identity of network users but also the validity of the network services themselves. The latter feature was designed to prevent users from attaching to a "dummy" service created by a malicious network attacker to trick them into revealing their passwords or other sensitive information. Mutual authentication verifies both the user and the service that the user is attempting to use. The authentication mechanism used by Kerberos relies on a Key Distribution Center (KDC) to issue tickets that allow clients access to network resources (Snedaker 2004).

An authenticator is unique information encrypted with the shared secret. Kerberos includes a timestamp so that each authenticator is unique, and an authenticator is valid for a single use only, which minimises the possibility of someone reusing it to assume someone else's identity.

Kerberos does not permit an authenticator to be reused (Todd & Johnson 2001). The authenticator is the Kerberos object that provides the actual authentication, and anyone possessing the corresponding session key can check it. The ticket flags associated with the authenticator include the "forwardable" flag, which is set by default and can be changed through the "account is sensitive and cannot be delegated" account setting. The "renewable" flag is set on every ticket; after a ticket expires the system does not request a new one. The "pre-authenticated" flag is set on every ticket, and the "initial" flag is set on every Windows 2000 ticket (Clercq 2004).

A Kerberos transaction involves three parties:-

The client: - the party attempting to access the resources (Danseglio 2004).

The server: - the host holding the resources the client is attempting to access (Danseglio 2004). Once it receives a Kerberos ticket, the resource server has enough information to authenticate the client (Clercq 2004).

The Key Distribution Center (KDC): - the party that provides authentication services. In a Windows 2003 environment every domain controller (DC) in a domain is also a KDC (Danseglio 2004). The KDC stores the authentication information: a database of users, servers and their secret keys. Because the KDC stores a secret key for every user and server on the network, it requires maximum security (Sobh, Elleithy & Mahmood 2008). The KDC verifies the principals, validating that clients really are who they say they are, by means of a ticket granting ticket (TGT) (Todd & Johnson 2001). The part of the KDC that replies to the client's initial authentication, when the not-yet-authenticated user must enter a password, is the authentication server. The other KDC component, the ticket granting server, distributes service tickets to clients holding a valid TGT; such a ticket guarantees the authenticity of the identity presented when requesting resources on the application server (MIT Kerberos Consortium 2007).

A Kerberos session always begins with the user logging on to the KDC. The KDC plays an important role because it grants a session ticket for each service the user wants to access; once the client has the session ticket, the user can access the related service for the duration of the login (Vugt 2009). The KDC retrieves information from Active Directory and places it in the TGT given to the client (Boswell 2003). When the client requests a session ticket, the KDC copies the authorization data field of the TGT into the session ticket (Todd & Johnson 2000).


The client submits the user's credentials to the KDC in its local domain to receive a Kerberos session ticket (Tulloch n.d).

The client presents the session ticket to the KDC in the root domain of the local tree, which then grants the client a second session ticket for the root domain of the remote tree (Tulloch n.d).

The client presents the second ticket to the KDC in the domain, which then provides the client with a third session ticket for the domain of the remote tree (Tulloch n.d).

Finally, the client presents the third ticket to the KDC in the domain, which then grants the client access (Tulloch n.d).

Mutual authentication in Kerberos ensures the authenticity of both the client and the service. The client can detect whether the server it is communicating with is genuine by requesting mutual authentication, in which the server must demonstrate its identity by recovering the session key, encrypting a response and sending it back to the client. If the server is not genuine and does not possess a copy of the service key, it fails to send back a valid encrypted message and the client disconnects (Garman 2003). When mutual authentication is enabled, the client and the server must authenticate each other before communication can take place, which helps reduce the risk of a man-in-the-middle attack. Mutual authentication is designed for a fully trusted Active Directory environment and cannot be enabled if the client in the management group resides in a non-trusted domain (Meyler, Fuller & Amaris 2007).
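The following is an added worked example, not code from MIT Kerberos or from any of the sources cited above. It models the single-realm flow described in the preceding sections: the authentication server hands out a TGT, the ticket granting server turns a TGT plus a fresh authenticator into a service ticket, and the application server checks the ticket, rejects a replayed authenticator (timestamp and nonce cached) and proves its own identity by echoing the timestamp under the session key. The cross-realm steps above are not modelled. Real Kerberos uses AES and ASN.1 encodings; the `seal`/`unseal` pair here is a toy encrypt-then-MAC on SHA-256/HMAC so the example runs on the standard library only, and every principal name, password and key is a constructed value.

```python
"""Simplified single-realm Kerberos flow: AS exchange (TGT), TGS exchange
(service ticket) and AP exchange (authenticator, replay cache, mutual auth).
Added illustration, not code from MIT Kerberos or any cited source; the
'encryption' is a toy encrypt-then-MAC on SHA-256/HMAC. Names/keys are constructed."""
import hashlib
import hmac
import json
import os
import time

SKEW = 300  # max accepted clock skew in seconds (usual Kerberos default)

def _keystream(key, nonce, n):
    """n bytes of keystream from key and nonce (toy construction, not AES)."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def seal(key, obj):
    """Toy authenticated encryption of a JSON object: nonce || ciphertext || tag."""
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key, blob):
    """Inverse of seal(); ValueError on the wrong key or a tampered blob."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, "sha256").digest(), tag):
        raise ValueError("bad key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def make_authenticator(session_key, client):
    # client name, timestamp and nonce under the session key: unique and single use
    return seal(session_key, {"client": client, "ts": time.time(), "nonce": os.urandom(8).hex()})

class KDC:
    """Stores every principal's long-term key, hence needs maximum protection."""
    def __init__(self, keys):
        self.keys, self.tgs_key = keys, keys["krbtgt"]

    def as_exchange(self, client):
        """Authentication server: TGT plus the TGT session key sealed under the client's key."""
        sk = os.urandom(32)
        tgt = seal(self.tgs_key, {"client": client, "key": sk.hex(), "exp": time.time() + 36000})
        return tgt, seal(self.keys[client], {"key": sk.hex()})

    def tgs_exchange(self, tgt, authenticator, service):
        """Ticket granting server: a valid TGT plus authenticator earns a service ticket."""
        t = unseal(self.tgs_key, tgt)
        sk = bytes.fromhex(t["key"])
        if unseal(sk, authenticator)["client"] != t["client"]:
            raise ValueError("authenticator does not match TGT")
        svc_key = os.urandom(32)
        ticket = seal(self.keys[service], {"client": t["client"], "key": svc_key.hex(), "exp": time.time() + 36000})
        return ticket, seal(sk, {"service": service, "key": svc_key.hex()})

class Server:
    """Application server: only a holder of the service key can open tickets and reply."""
    def __init__(self, name, key):
        self.name, self.key, self.replay_cache = name, key, set()

    def ap_exchange(self, ticket, authenticator):
        t = unseal(self.key, ticket)
        if time.time() > t["exp"]:
            raise ValueError("ticket expired")
        sk = bytes.fromhex(t["key"])
        a = unseal(sk, authenticator)
        if a["client"] != t["client"]:
            raise ValueError("authenticator does not match ticket")
        if abs(time.time() - a["ts"]) > SKEW:
            raise ValueError("clock skew too large")
        if (a["client"], a["ts"], a["nonce"]) in self.replay_cache:
            raise ValueError("replayed authenticator")
        self.replay_cache.add((a["client"], a["ts"], a["nonce"]))
        return seal(sk, {"ts": a["ts"]})  # AP-REP: proves the server recovered the session key

def login_and_access(kdc, server, client, client_key):
    """Client side of all three exchanges; returns (mutual auth ok, ticket, authenticator)."""
    tgt, enc = kdc.as_exchange(client)
    sk = bytes.fromhex(unseal(client_key, enc)["key"])  # only the right password opens this
    ticket, enc2 = kdc.tgs_exchange(tgt, make_authenticator(sk, client), server.name)
    svc_key = bytes.fromhex(unseal(sk, enc2)["key"])
    auth = make_authenticator(svc_key, client)
    rep = unseal(svc_key, server.ap_exchange(ticket, auth))  # fails for an impostor server
    return rep["ts"] == unseal(svc_key, auth)["ts"], ticket, auth

def demo():
    """Run the scenario with constructed keys; returns what each check observed."""
    keys = {"krbtgt": os.urandom(32), "alice": hashlib.sha256(b"alice-password").digest(),
            "host/fileserver": os.urandom(32)}
    kdc, fs = KDC(keys), Server("host/fileserver", keys["host/fileserver"])
    ok, ticket, auth = login_and_access(kdc, fs, "alice", keys["alice"])
    def rejected(fn):
        try:
            fn()
            return False
        except ValueError:
            return True
    return {"mutual_auth": ok,
            "replay_rejected": rejected(lambda: fs.ap_exchange(ticket, auth)),
            "wrong_password_rejected": rejected(lambda: login_and_access(kdc, fs, "alice", b"\0" * 32)),
            "impostor_server_rejected": rejected(lambda: login_and_access(kdc, Server(fs.name, os.urandom(32)), "alice", keys["alice"]))}
```

`demo()` runs the whole scenario: a genuine server passes mutual authentication, presenting the same ticket and authenticator a second time is refused by the replay cache, a wrong password cannot recover the TGT session key, and a server without the service key cannot open the ticket and so never produces a valid reply.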


Wireless Protocols

IEEE 802.1x authentication was adopted by many vendors to address the weaknesses in WEP. It is a common method of port-based access control that enables new authentication and key management methods without changing the existing network devices (Dubrawsky n.d). 802.1x provides an authentication mechanism for devices wishing to attach to a LAN port, either establishing a point-to-point connection or preventing access to that port if authentication fails; it is used in most wireless access points and is based on the Extensible Authentication Protocol (EAP) (Abate 2009). In 802.1x authentication a secure pairwise master key (PMK) can be negotiated between the authenticator and the supplicant through EAP. EAP is an authentication framework that provides common functions and the negotiation of a desired authentication mechanism, rather than being a specific authentication mechanism itself (Akyildiz & Wang 2009).

Description of 802.1x authentication steps

The supplicant sends a request to be authenticated by the wireless AP. An 802.1x supplicant provides the client capability on computers, routers and switches (Abate 2009).

The wireless AP retrieves the EAP payload from the 802.1x message, repackages the authentication request and sends it to the authentication server using the RADIUS protocol. The RADIUS server must be compatible with the EAP and 802.1x standards. Acting as a middle man, the authenticator relays the EAP messages received in 802.1x packets to the authentication server, using RADIUS to carry the EAP information (Abate 2009).

The server can proxy the request or refer it to the authentication database (Abate 2009).

The server passes confirmation of the authentication to the AP (Abate 2009).

The AP informs the supplicant that access has been granted (during this stage access to resources located on the protected side of the network is allowed) (Abate 2009).

PEAP provides a mechanism for performing the EAP negotiation safe from prying eyes. It can be seen as a welding together of EAP and TLS that tries to keep the flexibility of EAP while overcoming its lack of inherent security protection; in PEAP the entire EAP negotiation is protected (Edney & Arbaugh 2004). PEAP provides secured transport of authentication data, including legacy password-based protocols, by tunnelling user credentials over a TLS tunnel between PEAP clients and an authentication server. PEAP requires only a server certificate and a client-side username/password combination (Porter & Gough 2007).

EAP provides authentication within the Point-to-Point Protocol (PPP).

EAP integrates third-party authentication packages that use PPP. EAP selects a specific authentication method during the authentication phase, which in turn allows the authenticator to request more information before selecting the method. EAP can define one or more peer-to-peer authentication methods and provides a flexible, link-layer security framework (Flannagan 2003). As an extension of PPP, EAP allows multiple authentication methods, including token cards, one-time passwords, public key authentication and even Kerberos and RADIUS. Implementations of EAP are too weak for practical use (Brenton & Hunt 2003).

Weaknesses of EAP:-

The identity message is unprotected, so it can be snooped, revealing the identity of the user who is trying to connect (Edney & Arbaugh 2004).

The success/fail message in EAP is unprotected and could be spoofed by an attacker (Edney & Arbaugh 2004).
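As an added example (not code from any source cited in this essay), the model below ties together the 802.1x steps listed above, the PEAP description and the two EAP weaknesses just stated. The authenticator relays the exchange to a RADIUS function and opens the port only on an integrity-checked Access-Accept; the supplicant side shows that a bare EAP-Success heard on the air is believed as-is, while with a PEAP-style tunnel the identity is hidden behind an anonymous outer identity and a result is accepted only if it carries a tag under the tunnel key. The TLS tunnel is stood in for by a shared random key, and all identities, passwords and the RADIUS shared secret are constructed.

```python
"""Model of the 802.1x exchange (supplicant -> authenticator -> RADIUS) and of the
two EAP weaknesses: identity in clear and a spoofable bare EAP-Success, beside the
PEAP-style fix (identity and result protected under the TLS tunnel key).
Added illustration; the tunnel key stands in for what a TLS handshake would
derive, and every identity, password and secret is constructed."""
import hmac
import os

ACCEPT, REJECT = b"Access-Accept", b"Access-Reject"

def radius_server(users, shared_secret, identity, password):
    """Authentication server: consults the user database and signs its decision
    with a Message-Authenticator-style HMAC under the RADIUS shared secret."""
    code = ACCEPT if users.get(identity) == password else REJECT
    return code, hmac.new(shared_secret, code + identity.encode(), "sha256").digest()

class Authenticator:
    """Access point: relays EAP to RADIUS; the port stays blocked until RADIUS accepts."""
    def __init__(self, users, shared_secret):
        self.users, self.secret, self.port_authorized = users, shared_secret, {}

    def relay(self, station, identity, password):
        code, tag = radius_server(self.users, self.secret, identity, password)
        expected = hmac.new(self.secret, code + identity.encode(), "sha256").digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("RADIUS reply failed integrity check")
        self.port_authorized[station] = code == ACCEPT
        return b"EAP-Success" if code == ACCEPT else b"EAP-Failure"

def identity_frame(identity, tunnel_key=None):
    """EAP-Response/Identity as seen on the air.  Bare EAP exposes the real identity;
    tunnelled, only an anonymous outer identity is visible and the real one travels
    inside (modelled here as an HMAC-protected inner field)."""
    if tunnel_key is None:
        return {"outer_identity": identity, "inner": None}
    tag = hmac.new(tunnel_key, b"id:" + identity.encode(), "sha256").digest()
    return {"outer_identity": "anonymous", "inner": (identity, tag)}

def result_frame(code, tunnel_key=None):
    """EAP-Success/Failure.  Bare EAP: no protection.  Tunnelled: tagged under the tunnel key."""
    tag = None if tunnel_key is None else hmac.new(tunnel_key, b"result:" + code, "sha256").digest()
    return {"code": code, "tag": tag}

def supplicant_accepts(frame, tunnel_key=None):
    """Does the supplicant treat this frame as a genuine success?"""
    if tunnel_key is None:
        return frame["code"] == b"EAP-Success"  # anything heard on the air is believed
    if frame["tag"] is None:
        return False  # a result arriving outside the tunnel is ignored
    expected = hmac.new(tunnel_key, b"result:" + frame["code"], "sha256").digest()
    return frame["code"] == b"EAP-Success" and hmac.compare_digest(frame["tag"], expected)

def demo():
    """Constructed scenario; returns what each check observed."""
    users, secret = {"alice": "correct horse"}, os.urandom(32)
    ap, out = Authenticator(users, secret), {}
    out["port_before"] = ap.port_authorized.get("sta1", False)
    ap.relay("sta1", "alice", "wrong")
    out["port_after_reject"] = ap.port_authorized["sta1"]
    ap.relay("sta1", "alice", "correct horse")
    out["port_after_accept"] = ap.port_authorized["sta1"]
    tk = os.urandom(32)  # stands in for the key a PEAP TLS handshake would derive
    out["identity_visible_bare"] = identity_frame("alice")["outer_identity"]
    out["identity_visible_peap"] = identity_frame("alice", tk)["outer_identity"]
    spoofed = result_frame(b"EAP-Success")  # a success frame from someone without the tunnel key
    out["bare_eap_believes_spoof"] = supplicant_accepts(spoofed)
    out["peap_believes_spoof"] = supplicant_accepts(spoofed, tk)
    out["peap_believes_genuine"] = supplicant_accepts(result_frame(b"EAP-Success", tk), tk)
    out["peap_believes_forged_tag"] = supplicant_accepts(result_frame(b"EAP-Success", os.urandom(32)), tk)
    return out
```

The point of the `supplicant_accepts` branches is the one the essay makes: with bare EAP the supplicant has nothing to verify on a success frame, while a tunnelled result can only be produced by the peer that completed the TLS handshake.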

A brute force attack is defined as the simple act of guessing keys and passwords until the correct one is found. It always works because the key space, no matter how big, is always finite. Password discovery by brute force usually involves stealing a copy of the username and hashed password listing and then methodically hashing possible passwords with the same hashing function (Flannagan 2003).
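To make the cost argument concrete, here is an added example (not from Flannagan or any other cited source) written from the administrator's side: it audits a constructed username/hash listing against a short list of known-weak passwords, first for an unsalted store and then for a store using per-user salts and PBKDF2, and counts the work each audit takes. The account list, the guess list and the iteration count are all constructed values.

```python
"""Why a stolen username/hash listing is exposed to offline guessing, and how
per-user salts plus an iterated KDF raise the cost.  Added illustration; the
accounts and the guess list are constructed."""
import hashlib
import hmac
import os

# constructed: the kind of short "known weak passwords" list used to audit a store
GUESSES = ["123456", "password", "letmein", "qwerty", "abc12", "welcome1"]
SAMPLE_ACCOUNTS = [("alice", "letmein"), ("bob", "abc12"), ("carol", "Tr0ub4dor&3"), ("dave", "letmein")]

def keyspace_size(alphabet_size, max_len):
    """Number of candidate strings of length 1..max_len: large, but always finite."""
    return sum(alphabet_size ** n for n in range(1, max_len + 1))

def weak_store(accounts):
    """Unsalted SHA-256: identical passwords give identical hashes."""
    return {user: hashlib.sha256(pw.encode()).hexdigest() for user, pw in accounts}

def audit_weak(store, guesses):
    """One hash per guess tests it against EVERY account at once.
    Returns (recovered accounts, number of hash computations)."""
    by_hash = {}
    for user, h in store.items():
        by_hash.setdefault(h, []).append(user)
    found, work = {}, 0
    for pw in guesses:
        work += 1
        for user in by_hash.get(hashlib.sha256(pw.encode()).hexdigest(), []):
            found[user] = pw
    return found, work

def hardened_store(accounts, iterations):
    """Per-user random salt plus PBKDF2-HMAC-SHA256 with a tunable iteration count."""
    out = {}
    for user, pw in accounts:
        salt = os.urandom(16)
        out[user] = (salt, iterations, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations))
    return out

def audit_hardened(store, guesses):
    """Every guess must be re-derived per account: work = sum over accounts of guesses x iterations."""
    found, work = {}, 0
    for user, (salt, it, digest) in store.items():
        for pw in guesses:
            work += it
            if hmac.compare_digest(hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, it), digest):
                found[user] = pw
                break
    return found, work

if __name__ == "__main__":
    print("lowercase, up to 8 chars:", keyspace_size(26, 8), "candidates")
    print("unsalted:", audit_weak(weak_store(SAMPLE_ACCOUNTS), GUESSES))
    print("salted PBKDF2:", audit_hardened(hardened_store(SAMPLE_ACCOUNTS, 100_000), GUESSES))
```

Both audits recover the same weak accounts, which is the finite-key-space point; the difference is that the unsalted store costs one hash per guess for the whole listing, while the salted store costs iterations-times-guesses per account, and the defender chooses the iteration count.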

Devices or users must identify themselves before their traffic is allowed onto the network; this is achieved by using EAP, an authentication protocol, within 802.1x (Porter 2006).

The problems that would occur after implementing WPA2-AES are:-

The client station stores the PSK, which can be compromised if the client machine is lost or stolen (Lammle 2009). Because the key is stored on the client station, a stolen machine would allow an intruder to log in to the network even though he or she is not an authorised user.

In WPA2 the password is shared among the clients, as in the case of WEP (Allsopp 2009).

The AES encryption used by WPA2 requires very intensive computation; older 802.11a/b/g client and access point models are incapable of supporting AES encryption (Flickenger & Weeks 2006). AES encryption requires advanced hardware to support it.
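The first two problems above follow from how the WPA2-Personal key is made. As an added example (not from Lammle, Allsopp or any other cited source), the code below derives the PSK the way IEEE 802.11i specifies it (PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, 4096 iterations, 256 bits), shows that every station provisioned with the passphrase ends up holding an identical key, and shows what a loss of one station forces on all the others. The station names are constructed; the `password`/`IEEE` vector used in the test is the one published in the 802.11 standard.

```python
"""WPA2-Personal key derivation per IEEE 802.11i: PSK (used as the PMK) =
PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
Added illustration; station names are constructed."""
import hashlib

def wpa2_psk(passphrase, ssid):
    """Derive the 256-bit PSK; the standard requires an 8..63 character passphrase."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2 passphrase must be 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def provision(stations, passphrase, ssid):
    """What each client station ends up storing: the same PMK on every one of them."""
    return {station: wpa2_psk(passphrase, ssid) for station in stations}

def stations_sharing_key(store):
    """Group stations by the key they hold; one lost device exposes its whole group."""
    groups = {}
    for station, key in store.items():
        groups.setdefault(key.hex(), []).append(station)
    return groups

def rotate_after_loss(store, lost_station, new_passphrase, ssid):
    """Response to a lost or stolen station: a new passphrase, hence a new PMK,
    which has to be pushed to every remaining station."""
    remaining = [s for s in store if s != lost_station]
    return provision(remaining, new_passphrase, ssid)

if __name__ == "__main__":
    fleet = provision(["laptop-1", "laptop-2", "phone-1"], "password", "IEEE")
    print(stations_sharing_key(fleet))
    print(rotate_after_loss(fleet, "laptop-1", "a different passphrase", "IEEE"))
```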

Problems associated with a wireless network configured with 802.1x:-

The authentication packets sent and received by the clients are accessible to an attacker; if the authentication methods used are weak, an attacker may be able to discover the authentication credentials (Bing n.d).

An attacker can execute a man-in-the-middle attack on the 802.1x authentication sequence, since anyone within broadcast range has the ability to access a wireless network. EAP methods such as TLS can be used to mitigate the risk of a man-in-the-middle attack (Bing n.d).

On a wireless network an attacker can execute a denial-of-service attack by sending packets to the wireless access point asking it to drop the client connection (Bing n.d).

A disassociation message, or an 802.1x EAPOL-Logoff message, could be sent to the wireless clients, preventing them from disconnecting properly from the access point (Bing n.d).