10.2 Smart Cards
Traditionally, Kerberos has relied solely on one of the three factors of authentication, namely, something you know. As discussed early on in Chapter 2, the security of authentication systems can be greatly enhanced by requiring more than one factor to grant authentication. Smart cards provide another factor (what you have), and some Kerberos implementations support the use of smart cards for initial authentication.
The use of smart cards solves one of the most problematic issues with Kerberos; namely, its dependence on users to choose (and remember) good passwords. Traditionally, the user's long-term key is a password, which is something the user must choose and memorize. The human brain is notoriously poor at producing and consequently remembering random sequences, so passwords are typically something easily remembered by the user. As a consequence, passwords have low entropy, and most fall to dictionary attacks. The use of preauthentication in the initial Authentication Server exchange mitigates this risk somewhat, but a determined attacker who can sniff Kerberos protocol exchanges over the network can still obtain encrypted material on which to perform a dictionary attack.
In addition, smart cards limit the exposure of the sensitive cryptographic keys used throughout the Kerberos protocol. Secret keys stored on machine hard disks, such as keytab files, are vulnerable to attack. Even though filesystem protection is designed to prevent unauthorized users from reading sensitive files, software bugs persist that, when exploited, provide attackers with administrative access to the entire computer, including any encryption keys stored within.
Smart cards solve this problem by storing the key material internally on the smart card itself, and never allowing the key material to leave the smart card. Instead, the smart card has enough processing power to perform the cryptographic functions necessary to generate and respond to Kerberos authentication messages. Storing the key material on the smart card and securing the smart card from unauthorized access means that an attacker who has control over the user's workstation can never retrieve the encryption keys stored inside of the smart card. This also mitigates Trojan horse techniques, where a program masquerading as the Kerberos login program acquires unwitting users' passwords.
Since a smart card is a physical device, it needs an interface to the host computer: the smart card reader. Smart card readers can connect to the host computer through several physical means, including serial, USB, and, for laptops, PCMCIA slots. Because of the requirement for specialized hardware connected to the host machine, smart cards are currently only practically deployable in an organization's network.
Attacks on smart cards are difficult, as they are small physical devices designed to resist attack. It requires a determined and well-funded adversary to carry out an attack on a smart card. Analyses of the smart card's power usage and timing have been developed that greatly reduce the search space of possible encryption keys during a brute-force attack on a key stored inside of a smart card. Since the amount of calculation needed to perform encryption algorithms depends on the size and content of the encryption key, these attacks analyze the minute differences in power and time as the smart card performs these operations on various data. Determined attackers can narrow down the possible encryption keys based on this analysis and on detailed knowledge of the algorithms involved.
Incidentally, the timing attack has been demonstrated to be useful against traditional software-based encryption software as well; a security advisory issued in 2003 warned users that the popular OpenSSL software package exposes timing information that may be enough for an adversary to derive the private encryption keys on a server. This goes to show that you can never be paranoid enough when implementing cryptographic systems.
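The paragraph above says the work a card does depends on the size and content of its key. The following added example (not from the book) models that with a toy modular exponentiation: a textbook square-and-multiply whose operation count reveals the key's bit length and Hamming weight, beside a Montgomery ladder that performs the same number of operations for every key of a given width. The modulus, the two 8-bit "keys" and the base are constructed demo values, and the operation count stands in for a real timing or power trace.

```python
# Added example, not from the book: a model of why the *content* of a key
# shows up in a smart card's timing or power trace, and the classic fix.
# The "trace" is a count of modular multiplications, standing in for the
# cycles or energy the card would spend on each operation.

def naive_modexp(base, exponent, modulus):
    """Left-to-right square-and-multiply; returns (result, multiplications).
    The extra multiply runs only for 1-bits, so the count reveals both the
    bit length and the Hamming weight of the secret exponent."""
    result, ops = 1, 0
    for bit in bin(exponent)[2:]:
        result = (result * result) % modulus   # square for every bit
        ops += 1
        if bit == "1":                         # key-dependent extra work
            result = (result * base) % modulus
            ops += 1
    return result, ops


def ladder_modexp(base, exponent, modulus, bits):
    """Montgomery ladder over a fixed width; returns (result, multiplications).
    Each step does one multiply and one square whatever the bit is, so the
    count is the same for every exponent of that width. (Production code
    would also replace the branch below with a constant-time swap.)"""
    r0, r1, ops = 1, base % modulus, 0
    for i in range(bits - 1, -1, -1):
        if (exponent >> i) & 1:
            r0, r1 = (r0 * r1) % modulus, (r1 * r1) % modulus
        else:
            r1, r0 = (r0 * r1) % modulus, (r0 * r0) % modulus
        ops += 2
    return r0, ops


def weight_from_trace(ops, bits):
    """What an observer learns from a naive trace: ops = bits + weight."""
    return ops - bits


# Constructed demo values: a tiny modulus and two 8-bit "keys" of different weight.
MODULUS = 1_000_003
KEY_LIGHT, KEY_HEAVY = 0b1000_0001, 0b1111_1111   # Hamming weights 2 and 8


def compare_traces(base=7, bits=8):
    """Return {key: (naive ops, ladder ops)} for the two demo keys."""
    return {key: (naive_modexp(base, key, MODULUS)[1],
                  ladder_modexp(base, key, MODULUS, bits)[1])
            for key in (KEY_LIGHT, KEY_HEAVY)}
```

With the naive routine the light key costs 10 operations and the heavy key 16, so the trace alone gives away the number of 1-bits; the ladder costs 16 for both.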
10.2.1 Smart Cards and the Kerberos Protocol
Smart cards are typically deployed as part of a Public Key Infrastructure. When a new user is enabled, a public key pair is generated for the user, the public key is signed by the certificate authority, and the resulting key pair and certificate are placed onto the smart card's memory. The smart card is then issued to the user.
When the user uses a smart card to authenticate to a Kerberos realm, he inserts the smart card into the smart card reader connected to his computer. The computer prompts the user for a PIN, which is then sent to the smart card. The PIN unlocks the portion of the memory that houses the user's public key pair, to lessen the damage if the smart card is lost or stolen. Once the card has been unlocked in this way, PKINIT is used to obtain initial tickets for the user. The only difference is that the actual decryption of the initial AS response from the KDC is performed on the smart card itself, so that the public key pair is never directly accessible to the host computer.
Chapter 2. Pieces of the Puzzle
In the previous chapter, we examined the ideas and history behind the Kerberos network authentication system. Now we'll begin to discover how Kerberos works. Instead of introducing these concepts as they're needed in the next chapter, I feel that it is easier to understand the nitty-gritty details of Kerberos when you have a working background in the surrounding terminology. To emphasize the importance of a solid understanding in these concepts, I have set aside this chapter to introduce you to the essential concepts and terminology that surround the use and administration of a Kerberos authentication system. While you may be familiar with some of these concepts, we're going to examine each one in turn and describe how it relates to Kerberos.
Kerberos is a complex system, with many parts. It requires the proper functioning of many separate software components, and with each comes a set of terms and concepts that underlie the entire system. A complete introduction to all of these concepts is critical to the understanding of the whole.
After all of these terms have been introduced, we'll finish off by putting all of the pieces together and set the stage for the detailed description of the Kerberos protocols in Chapter 3. For those who simply wish to implement a Kerberos realm and not worry about the low-level details of the protocol, this chapter will prepare you to skip directly to Chapter 4.
Chapter 3. Protocols
The previous two chapters introduced the major concepts that underlie the Kerberos authentication system, and presented a short, high-level discussion of how Kerberos performs its magic. This chapter continues that discussion by drilling down into the nitty-gritty of the Kerberos protocol and presenting it on a fundamental level.
Creating a protocol that verifies the identity of two endpoints on a network given an underlying network that provides no security is a daunting task. Kerberos was designed under the assumption that attackers can read, copy, and create network traffic at will.
As you now know, there are two versions of Kerberos that are currently in wide usage: Kerberos 4 and Kerberos 5. This chapter covers the protocol details of both. While the concepts and protocol design of both Kerberos 4 and 5 are very similar, there are major differences between their byte-level protocol and implementation.
The original Kerberos 4 protocol was never published apart from the Kerberos 4 source distribution. As such, the Kerberos 4 source code from MIT is the only official documentation of the Kerberos 4 protocol. On the other hand, the newer Kerberos 5 protocol is extensively documented in RFC 1510, and also through a series of documents that are collectively known as the Kerberos Clarifications.
The basic operation of Kerberos is based on a paper published in 1978 by Needham and Schroeder. Since the Needham and Schroeder protocol is the basis upon which Kerberos is built, we will begin our discussion there.
Chapter 4. Implementation
The previous chapters discussed the concepts and theory that form the basis of the Kerberos authentication system. Now, armed with a solid background, we're ready to tackle the actual implementation of a Kerberos authentication system from start to finish. This chapter prepares you to install the Kerberos KDCs in your network and also the Kerberos libraries on servers and client machines. We will continue the process in Chapter 7 by detailing installation processes for Kerberized application software.
Chapter 7. Applications
Establishing a Kerberos realm and creating KDCs for your realm is only the beginning of creating a Kerberos-based authentication infrastructure. To enjoy the benefits of Kerberos, you, as the network administrator, also have to install Kerberos-enabled services and client software. This chapter illustrates how to enable Kerberos support in several popular server packages and the corresponding client programs.