An authentication server namely Kerberos is grown as a portion of a project named Athena in MIT. The main reason for developing Kerberos was that when a user will be having problem in network in his computers, Kerberos can secure the files and folders of the user . The operating system provided to the users is able to reinforce certain access control policies and can identify the users. However, recently this scenario has changed. There are three strategies that Kerberos is following; but in open environment the strategies are not working.
The report outlines a brief description about the Kerberos authentication server. It covers the problems that Kerberos were facing and the four major threats of Kerberos that are associated with authentication of users over the internet and how Kerberos can reduce it . This report further discusses about the difference between version 4 and version 5 of Kerberos and recommendations of which organization should use this server. The description is given in the following paragraphs.
Kerberos was facing many problems as an authentication server. The problems are as follows:
i) Secret-Key Cryptography: Kerberos is developed to give strong authentication server for the users using a secret key cryptography . However, this idea got back fired. As it does not need the utilization of any password and the handling depends on a trusted third party, the security became a problem for it.
ii) Validation: Designing and implementation is not enough for a security system. Validation is highly recommended . Kerberos has serious flaws and they were not checked before its launch.
iii) Weak Protocol: Another major problem of Kerberos is its weak protocol. It is not as strong and resistant as it should have been . Thus attacks are possible with such weak protocols.
iv) Secured Time Services: Machine clocks are not always synchronized. Therefore, authenticators do not depend on them much . As Kerberos is made of time based protocols, it relies on the secured time services and it becomes a huge problem.
v) Cost: Kerberos is not at all cost effective and it incurs huge cost. Thus small organizations will not be able to install it.
vi) Login Spoofing: This is another major problem in Kerberos . False login or spoofing in login is extremely common in Kerberos, which is dangerous for the authenticators.
Threats and Mitigation
The four basic threats that are associated with the authentication of user over internet are as follows:
a) Migration: The main threat is the migration of user’s passwords from a basic database to the Kerberos database of password, because no automatic system is present to undergo this job .
b) Partial Compatibility: It has compatibility but only partial with the PAM or Pluggable Authentication Modules system.
c) Security: This is another major threat for Kerberos. It considers all users as trusted ones and therefore provides the key to everyone .
d) All or Nothing: This is another threat for Kerberos. It is an all or nothing solution . When Kerberos is utilized over the network, all decrypted passwords that are transferred to the non Kerberos server is at high risk.
The above threats however, can be reduced or solved. Kerberos can mitigate these threats with certain steps. They are as follows:
A) Migration: This threat can be overcome by installing an automatic system in it, to migrate the user’s passwords from the standard database to the Kerberos database of passwords .
B) Partial Compatibility: Kerberos should be compatible completely to avoid any kind of complexities within it.
C) Security: All users cannot be trusted. Special system should be installed to verify the authenticated users and thus Kerberos can mitigate security risks .
D) All or Nothing: Kerberos should install any security verification system that can reduce the risk of transferring passwords to the non Kerberos servers.
Version 4 and Version 5 Differences
There are various differences between Kerberos version 4 and version 5. They are as follows:
i) Key Salt Algorithm: Kerberos v4 utilizes the name of the principal partially whereas Kerberos v5 utilizes the name of the principal completely .
ii) Network Address: Kerberos v4 comprises only some of the IP addresses and different addresses for the network protocol types . Whereas, v5 comprises many IP addresses and different addresses for the network protocol types.
iii) Encoding: Kerberos v4 utilizes the receiver makes right system of encoding and v5 utilizes the ASN 1 system of encoding .
iv) Ticket Support: Kerberos v4 has a satisfactory capability for ticket support and ticket support of Kerberos v5 is well extended . The facilities are postdating, forwarding and renewing the tickets.
v) Cross Realm Authentication Support: Kerberos v4 does not support such authentication. However, v5 has a reasonable support for such authentication.
Kerberos is an authentication server developed by MIT. It secures the files and folders of users when their systems have problem in network. However, Kerberos have advantages and disadvantages. It is recommended for all sorts of network oriented organizations . Kerberos serves well in a closed server environment, where all the systems are operated and owned by any one organization. There are three approaches. First is to be dependable on every individual workstation to ensure the recognition the users and to rely on the server to enforce security policies. The second strategy is to require the authentication of the client systems to the servers and trust the client system about the identity of the users . The final approach is to require the user to prove the user’s identity for each service. Kerberos is recommended for big companies because of the cost and complexities.
Therefore, from the above discussion it can be concluded that, Kerberos has many advantages and disadvantages. In spite of the limitations Kerberos is a highly secured system developed by MIT. The above report describes about the problems that Kerberos is facing for its protocols. The report also outlines the major threats of Kerberos and the ways to mitigate them. The report further describes the difference between version 4 and version 5 of Kerberos and the recommended organizations for it.
C. Guivarch and S. Hallegatte, "2C or not 2C?", Global Environmental Change, vol. 23, no. 1, pp. 179-192, 2013.
K. Rao, Bharadwaj and N. Ram, "Application of Time Synchronization Process to Kerberos", Procedia Computer Science, vol. 85, pp. 249-254, 2016.
L. Thanh and N. H?i, "Developping Kerberos-role authentication protocol for resource management system.", Journal of Computer Science and Cybernetics, vol. 20, no. 4, 2012.
I. Downnard, "Public-key cryptography extensions into Kerberos", IEEE Potentials, vol. 21, no. 5, pp. 30-34, 2002.
K. Bashir and M. Khalid Khan, "Modification in Kerberos Assisted Authentication in Mobile Ad-Hoc Networks to Prevent Ticket Replay Attacks", International Journal of Engineering and Technology, vol. 4, no. 3, pp. 307-310, 2012.
J. Wang and Z. Kissel, Introduction to network security. .
"Analysing the Combined Kerberos Timed Authentication Protocol and Frequent Key Renewal Using CSP and Rank Functions", KSII Transactions on Internet and Information Systems, vol. 8, no. 12, 2014.
J. Dastidar, "An Authentication Protocol based on Kerberos", International Journal of Engineering Research and Applications, vol. 07, no. 07, pp. 70-74, 2017.