xref: /netbsd-src/crypto/external/bsd/heimdal/dist/doc/whatis.texi (revision a5847cc334d9a7029f6352b847e9e8d71a0f9e0c) 
1@c Id
2@c $NetBSD: whatis.texi,v 1.1.1.2 2011/04/14 14:08:09 elric Exp $
3
4@node What is Kerberos?, Building and Installing, Introduction, Top
5@chapter What is Kerberos?
6
7@quotation
8@flushleft
9        Now this Cerberus had three heads of dogs,
10        the tail of a dragon, and on his back the
11        heads of all sorts of snakes.
12        --- Pseudo-Apollodorus Library 2.5.12
13@end flushleft
14@end quotation
15
16Kerberos is a system for authenticating users and services on a network.
17It is built upon the assumption that the network is ``unsafe''.  For
18example, data sent over the network can be eavesdropped and altered, and
19addresses can also be faked.  Therefore they cannot be used for
20authentication purposes.
21@cindex authentication
22
23Kerberos is a trusted third-party service.  That means that there is a
24third party (the kerberos server) that is trusted by all the entities on
25the network (users and services, usually called @dfn{principals}).  All
26principals share a secret password (or key) with the kerberos server and
27this enables principals to verify that the messages from the kerberos
28server are authentic.  Thus trusting the kerberos server, users and
29services can authenticate each other.
30
31@section Basic mechanism
32
33@ifinfo
34@macro sub{arg}
35<\arg\>
36@end macro
37@end ifinfo
38
39@tex
40@def@xsub#1{$_{#1}$}
41@global@let@sub=@xsub
42@end tex
43
44@ifhtml
45@macro sub{arg}
46@html
47<sub>\arg\</sub>
48@end html
49@end macro
50@end ifhtml
51
52@c ifdocbook
53@c macro sub{arg}
54@c docbook
55@c <subscript>\arg\</subscript>
56@c end docbook
57@c end macro
58@c end ifdocbook
59
60@quotation
61@strong{Note} This discussion is about Kerberos version 4, but version
625 works similarly.
63@end quotation
64
65In Kerberos, principals use @dfn{tickets} to prove that they are who
66they claim to be. In the following example, @var{A} is the initiator of
67the authentication exchange, usually a user, and @var{B} is the service
68that @var{A} wishes to use.
69
70To obtain a ticket for a specific service, @var{A} sends a ticket
71request to the kerberos server. The request contains @var{A}'s and
72@var{B}'s names (along with some other fields). The kerberos server
73checks that both @var{A} and @var{B} are valid principals.
74
75Having verified the validity of the principals, it creates a packet
76containing @var{A}'s and @var{B}'s names, @var{A}'s network address
77(@var{A@sub{addr}}), the current time (@var{t@sub{issue}}), the lifetime
78of the ticket (@var{life}), and a secret @dfn{session key}
79@cindex session key
80(@var{K@sub{AB}}). This packet is encrypted with @var{B}'s secret key
81(@var{K@sub{B}}).  The actual ticket (@var{T@sub{AB}}) looks like this:
82(@{@var{A}, @var{B}, @var{A@sub{addr}}, @var{t@sub{issue}}, @var{life},
83@var{K@sub{AB}}@}@var{K@sub{B}}).
84
85The reply to @var{A} consists of the ticket (@var{T@sub{AB}}), @var{B}'s
86name, the current time, the lifetime of the ticket, and the session key, all
87encrypted in @var{A}'s secret key (@{@var{B}, @var{t@sub{issue}},
88@var{life}, @var{K@sub{AB}}, @var{T@sub{AB}}@}@var{K@sub{A}}). @var{A}
89decrypts the reply and retains it for later use.
90
91@sp 1
92
93Before sending a message to @var{B}, @var{A} creates an authenticator
94consisting of @var{A}'s name, @var{A}'s address, the current time, and a
95``checksum'' chosen by @var{A}, all encrypted with the secret session
96key (@{@var{A}, @var{A@sub{addr}}, @var{t@sub{current}},
97@var{checksum}@}@var{K@sub{AB}}). This is sent together with the ticket
98received from the kerberos server to @var{B}.  Upon reception, @var{B}
99decrypts the ticket using @var{B}'s secret key.  Since the ticket
100contains the session key that the authenticator was encrypted with,
101@var{B} can now also decrypt the authenticator. To verify that @var{A}
102really is @var{A}, @var{B} now has to compare the contents of the ticket
103with that of the authenticator. If everything matches, @var{B} now
104considers @var{A} as properly authenticated.
105
106@c (here we should have some more explanations)
107
108@section Different attacks
109
110@subheading Impersonating A
111
112An impostor, @var{C} could steal the authenticator and the ticket as it
113is transmitted across the network, and use them to impersonate
114@var{A}. The address in the ticket and the authenticator was added to
115make it more difficult to perform this attack.  To succeed @var{C} will
116have to either use the same machine as @var{A} or fake the source
117addresses of the packets. By including the time stamp in the
118authenticator, @var{C} does not have much time in which to mount the
119attack.
120
121@subheading Impersonating B
122
123@var{C} can hijack @var{B}'s network address, and when @var{A} sends
124her credentials, @var{C} just pretend to verify them. @var{C} can't
125be sure that she is talking to @var{A}.
126
127@section Defence strategies
128
129It would be possible to add a @dfn{replay cache}
130@cindex replay cache
131to the server side.  The idea is to save the authenticators sent during
132the last few minutes, so that @var{B} can detect when someone is trying
133to retransmit an already used message. This is somewhat impractical
134(mostly regarding efficiency), and is not part of Kerberos 4; MIT
135Kerberos 5 contains it.
136
137To authenticate @var{B}, @var{A} might request that @var{B} sends
138something back that proves that @var{B} has access to the session
139key. An example of this is the checksum that @var{A} sent as part of the
140authenticator. One typical procedure is to add one to the checksum,
141encrypt it with the session key and send it back to @var{A}.  This is
142called @dfn{mutual authentication}.
143
144The session key can also be used to add cryptographic checksums to the
145messages sent between @var{A} and @var{B} (known as @dfn{message
146integrity}).  Encryption can also be added (@dfn{message
147confidentiality}). This is probably the best approach in all cases.
148@cindex integrity
149@cindex confidentiality
150
151@section Further reading
152
153The original paper on Kerberos from 1988 is @cite{Kerberos: An
154Authentication Service for Open Network Systems}, by Jennifer Steiner,
155Clifford Neuman and Jeffrey I. Schiller.
156
157A less technical description can be found in @cite{Designing an
158Authentication System: a Dialogue in Four Scenes} by Bill Bryant, also
159from 1988.
160
161These documents can be found on our web-page at
162@url{http://www.pdc.kth.se/kth-krb/}.
163