Malgherini Tommaso Attacking and fixing the Microsoft Windows Kerberos login service.

Slides:



Advertisements
Similar presentations
ISA 662 Internet Security Protocols Kerberos Prof. Ravi Sandhu.
Advertisements

Kerberos: An Authentication Service for Open Network Systems Jennifer G. Steiner, Clifford Neuman, and Jeffrey I. Schiller Massachusetts Institute of Technology.
1 Kerberos Anita Jones November, Kerberos * : Objective Assumed environment Assumed environment –Open distributed environment –Wireless and Ethernetted.
AUTHENTICATION AND KEY DISTRIBUTION
Overview Network security involves protecting a host (or a group of hosts) connected to a network Many of the same problems as with stand-alone computer.
Supervisor :Dr. Lo'ai Ali Tawalbeh Done by: Wa’el Musa Hadi
Chapter 10 Real world security protocols
> Nicolas FISCHBACH Senior IP&Security Engineer - Professional Services Team - > Sébastien LACOSTE-SERIS.
Security Protocols Sathish Vadhiyar Sources / Credits: Kerberos web pages and documents contained / pointed.
KERBEROS LtCdr Samit Mehra (05IT 6018).
Authentication Applications
1 Authentication Applications Ola Flygt Växjö University, Sweden
Windows 2000 Security --Kerberos COSC513 Project Sihua Xu June 13, 2014.
Chapter 14 – Authentication Applications
NETWORK SECURITY.
Kerberos and X.509 Fourth Edition by William Stallings
Active Directory and NT Kerberos Rooster JD Glaser.
CSCE 815 Network Security Lecture 10 KerberosX.509 February 13, 2003.
KERBEROS
IT 221: Introduction to Information Security Principles Lecture 8:Authentication Applications For Educational Purposes Only Revised: October 20, 2002.
Authentication Applications The Kerberos Protocol Standard
SCSC 455 Computer Security
Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.
Kerberos Part 2 CNS 4650 Fall 2004 Rev. 2. PARC Once Again Once again XEROX PARC helped develop the basis for wide spread technology Needham-Schroeder.
1 Kerberos Revised: June 21, 2006, Version 2 Team 2 Members John Casarella Dave Fronckowiak Larry Immohr Linda Liu Sandy Westcott.
Key Management. Shared Key Exchange Problem How do Alice and Bob exchange a shared secret? Offline – Doesnt scale Using public key cryptography (possible)
ECE454/CS594 Computer and Network Security
Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.
Kerberos 1 Public domain image of Heracles and Cerberus. From an Attic bilingual amphora, 530–520 BC. From Italy (?).
Network Security: Kerberos Tuomas Aura. 2 Outline Kerberos authentication Kerberos in Windows domains.
Murad Kaplan 1. Network Authentication Protocol Uses private-key Cryptography Built on Needam/Schroeder Scheme Protects.
Akshat Sharma Samarth Shah
Off-the-Record Communication, or, Why Not To Use PGP
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
Last Class: The Problem BobAlice Eve Private Message Eavesdropping.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.
The Kerberos Authentication System Brad Karp UCL Computer Science CS GZ03 / M th November, 2008.
Winter 2006Prof. R. Aviv: Kerberos1 Kerberos Authentication Systems.
1 Lecture 12: Kerberos terms and configuration phases –logging to network –accessing remote server replicated KDC multiple realms message privacy and integrity.
 Authorization via symmetric crypto  Key exchange o Using asymmetric crypto o Using symmetric crypto with KDC  KDC shares a key with every participant.
ACCESS CONTROL MANAGEMENT Project Progress (as of March 3) By: Poonam Gupta Sowmya Sugumaran.
SMUCSE 5349/73491 Authentication Protocols. SMUCSE 5349/73492 The Premise How do we use perfect cryptographic mechanisms (signatures, public-key and symmetric.
Kerberos: A Network Authentication Tool Seth Orr University of Missouri – St. Louis CS 5780 System Administration.
Part Two Network Security Applications Chapter 4 Key Distribution and User Authentication.
Kerberos: An Authentication Service for Open Network Systems Jennifer G. Steiner Clifford Neuman Jeffrey I. Schiller.
Authentication Applications Unit 6. Kerberos In Greek and Roman mythology, is a multi-headed (usually three-headed) dog, or "hellhound” with a serpent's.
Kerberos Named after a mythological three-headed dog that guards the underworld of Hades, Kerberos is a network authentication protocol that was designed.
ACCESS CONTROL MANAGEMENT Project Progress (as of March 3) By: Poonam Gupta Sowmya Sugumaran.
Lecture 13 Page 1 Advanced Network Security Authentication and Authorization in Local Networks Advanced Network Security Peter Reiher August, 2014.
Key Management. Given a computer network with n hosts, for each host to be able to communicate with any other host would seem to require as many as n*(n-1)
1 KERBEROS: AN AUTHENTICATION SERVICE FOR OPEN NETWORK SYSTEMS J. G. Steiner, C. Neuman, J. I. Schiller MIT.
Kerberos By Robert Smithers. History of Kerberos Kerberos was created at MIT, and was named after the 3 headed guard dog of Hades in Greek mythology Cerberus.
Kerberos Guilin Wang School of Computer Science 03 Dec
1 Kerberos – Private Key System Ahmad Ibrahim. History Cerberus, the hound of Hades, (Kerberos in Greek) Developed at MIT in the mid 1980s Available as.
1 Kerberos n Part of project Athena (MIT). n Trusted 3rd party authentication scheme. n Assumes that hosts are not trustworthy. n Requires that each client.
Kerberos in an ISP environment
User Authentication  fundamental security building block basis of access control & user accountability  is the process of verifying an identity claimed.
KERBEROS SYSTEM Kumar Madugula.
9.2 SECURE CHANNELS JEJI RAMCHAND VEDULLAPALLI. Content Introduction Authentication Message Integrity and Confidentiality Secure Group Communications.
What is Kerberos? Network authentication protocol Developed at MIT in the mid 1980s Kerberos is a three-headed dog Available as open source or in supported.
Dr. Nermi hamza.  A user may gain access to a particular workstation and pretend to be another user operating from that workstation.  A user may eavesdrop.
1 Cryptography CSS 329 Lecture 12: Kerberos. 2 Lecture Outline Kerberos - Overview - V4 - V5.
Cryptography and Network Security
Radius, LDAP, Radius used in Authenticating Users
CSCE 715: Network Systems Security
CS60002: Distributed Systems
Network Security – Kerberos
Kerberos Part of project Athena (MIT).
KERBEROS.
Presentation transcript:

Malgherini Tommaso Attacking and fixing the Microsoft Windows Kerberos login service

2 22 Kerberos – what it is (in short) Protocol for authentication inside an insecure network Client-server model, with a trusted third party for credentials distribution Based on simmetric cryptography and the Needham-Schroeder protocol

3 Most known implementations Kerberos MIT: The original implementation developed at MIT, released under BSD license. Windows Domain Controller: From Windows 2000 onwards Microsoft adopted Kerberos 5 as their default network authentication protocol. Initially only DES and RC4 were supported, from Windows Vista AES is used by default Heimdal: An alternative to the MIT implementation, developed in Sweden.

Notations C:Client AS:Authentication Service TGS:Ticket Granting Service V:Verifier ( == service server) L: Lifetime T A : Timestamp from As clock K A :Personal key of the entity A ( for the clients password => key ) k n : Session key N A : Nonce E K (x) :A message x encrypted with key K 4 ticket V =E K V (k n, C,L) authenticator k n =E k n (T A,[k m ])

Kerberos 5:How it works 5 C C AS TGS V V C,TGS,N C TGS_REQ AS_REP TGS_REP AP_REQ AS_REQ AP_REP ticket TGS,E K C (k 1,N C, L, TGS) ticket TGS, authenticator k 1,N C, L, V ticket V,E k 1 (k 2,N C, L, V ) ticket V, authenticator k 2 [E k 2 (T V )] (opt.)

Kerberos 5: Why its a good thing Single Sign-On, after the initial request to the TGS service, the ticket is cached and reused for each service request (no need to use a password anymore) Only the first request is encrypted with K c, temporary session keys are used for every following request. 6

Known attacks 1. KDC Spoofing Wed like to use kerberos with the physical login process on the network workstations. This happens by default on Windows domains since Windows 2000 and can be done on Unix/Linux with a specific PAM module, pam_krb5 But the LOGIN operation is not a service like the others The third exchange (AP_REQ/AP_REP) doesnt seem to have any sense here. Initially, the PAM module implemented only the first exchange The user inserted the password from which a key was derived. Then an AS_REQ request was made, and then the key was used to decrypt the AS_REP reply. If it decrypts correctly, it must be that the user knows the password....right? 7

Known attacks: 1.KDC Spoofing 8 C C Attacker AS K? KAKA C,TGS,N C AS_REP AS_REQ ticket * TGS,E K A (k 1,N C, L, TGS)

Known attacks: 1. KDC Spoofing - Mitigation 9 Publicly relesead in 2001 by Dug Song Solution adopted: insert also TGS_REQ/REP exchange in the login process For every workstation in the network a principal like: is created Secret keys for each of these services are exported in the respective machines After AS_REP is verified, the client machine asks for a ticket for the login service Since only the KDC and the client machine know the key, if the produced ticket decrypts correctly, the login is permitted

Known attacks: 1. KDC Spoofing - Sidenote 10 A final note about this attack: On *nix systems, secret keys are exported inside a keytab, a file with root-only access (for obvious reasons) If the pam_krb5 module is called from a non-root process, the ticket cannot be verified. PAM will fail back to using only AS_REQ/AS_REP, leaving the system vulnerable example of typical *nix process using PAM without root privilege: every kind of screensaver lock

Known attacks: 2. Replay Attack 11 It can be seen that in the message flow, the critical one is AP_REQ, since that alone in the end decides if the user gets authenticated Is it possible to reuse an old AP_REQ? Timestamp in the authenticator: old requests are dropped But Kerberos allows for a certain time window (5 min.) from the timestamp, inside which an authenticator can be accepted The lifetime for the ticket is much more longer, usually 24h.

Known attacks: 2. Replay Attack 12 C C Attacker V V AP_REQ AP_REP AP_REQ AP_REP ticket V, authenticator k 2 [E k 2 (T V )] ticket V, authenticator k 2 [E k 2 (T V )]

Known attacks: 2. Replay Attack – Mitigation 13 Known for a looong time (discussed in 91 USENIX Proceedings, for Kerberos IV). Both RFC 4120 and its predecessor, RFC 1510 specify that an already accepted authenticator MUST be rejected. Authenticator are cached for a certain time and maintained at least until the time window for its acceptance is expired So its just another boring theoretical attack? And if the attacker can actively delete legitimate requests and then uses the stolen authenticator for himself? This variant was demonstrated to be successful against the SMB service on a Windows 2000 SP 3 server in 2003 by Kasslin and Tikkanen.

The pass-the-ticket attack Weve seen that there is no AP_REQ/AP_REP exchange for the login service. Last message is TGS_REP... Could we reuse the ticket inside and old TGS_REP? IDEA: Spoofing the initial AS_REP + replay old ticket to complete the second step 14

The pass-the-ticket attack Phase 1: 15 C C Attacker AS TGS TGS_REQ TGS_REP ticket TGS, authenticator k 1, N 1, L, V ticket V,E k 1 (k 2,N 1, L, V )

The pass-the-ticket attack Phase 2: 16 C C Attacker AS TGS TGS_REQ AS_REP TGS_REP AS_REQ K? KAKA C,TGS,N 2 ticket * TGS,E K A (k 1,N 2, L, TGS) ticket * TGS, authenticator k 1,N 3, L, V ticket V,E k 1 (k 2,N 3, L, V )

...and such a thing can really work?? The attack was tested against the following platforms: Linux: KDC: GNU/Linux Debian 4.0, Kerberos MIT Client Workstation: GNU/Linux Gentoo, Kerberos MIT r6 Windows: KDC: Windows Server 2008 Client Workstation: Windows XP Service Pack 2 Windows Vista Enterprise Service Pack 1 Windows 7 Professional 17

18 Results: Kerberos MIT is not affected by the attack All Windows systems were found vulnerable(!!) The problem is that only the ticket is checked, we have no way to tell if the sender actually knows the key Why the MIT implementation is not vulnerable? Lets analyze whats happen inside their Kerberos and see how not only it resolves our problem, but also shows us how the login process can be implemented to make it much more compliant to the protocol

19 Kerberos MIT Instead of just verifying the ticket validity by decrypting it, the received credentials are used to internally simulate the last exchange AP_REQ/AP_REP An AP_REQ request is created using the session key contained in the non-ticket part of the TGS_REP message. Then, impersonating the verifier, the AP_REQ is decrypted using the key found inside the received ticket. The attacker just replayed that ticket and has no way of knowing the contained session key. This means that a different k n will be used for encryption and decryption, causing a decryption error and consequent failure of the login process GAME OVER

20 Kerberos MIT AS TG S C C TGS_REP: E k 1 (k 2,N 3,L,V),E K V (k 2,C,L) AP_REQ: Authenticator k 2,T V Extract_key(T V ) = k 2 Verify_ap_req(): decrypt(AP_REQ, k 2 ) ERROR!! AS_REQ TGS_REQ AS_REP TGS_REP AP_REQ/AP_REP TVTV

21 Conclusions Kerberos surely provides authentication in a very secure and scalable way. BUT! Very much attention must be paid to the actual implementation, especially when dealing with particular cases or situations for which Kerberos wasnt designed for. Weve seen a perfect example of this, an attack which targets a very specific service which allows for complete authentication bypass, due to an oversimplification of the implementation. The vulnerability was notified to CERT and Microsoft in February, who acknowledged the problem and will patch it with the next service pack. Proof-of-concept code was published in August and can be obtained here:

22 Kdcreplay.py "Pass the Ticket" attack (a m0t Studios production) Usage:./kdcreplay.py [opts] Options: -t set target machine ip (can be overriden in code) -k set kdc ip (same as above) -u set principal name (aka krb user, default="test") -p set principal password (will be used as principal secret key, default="password") -P skip service ticket sniffing and load dumped TGS_REP from file -d save sniffed TGS_REP to file -r set realm name -S skip tickets replay (kdc spoofing attack) -e set encryption type (for rc4win binary key has to be set, see code, default:3des ) -l set max number of as_rep to send -D lots of debug printing -s skip spoofing and replay (for debug purposes) -h read this

Bibliography and links 1.Kerberos: The Network Authentication Protocol, D. Song. 3.C. Neuman, T. Yu, S. Hartman, e K. Raeburn, RFC 4120: The Kerberos Network Authentication Service (V5), K. Jaganathan, L. Zhu, e J. Brezak, RFC 4757: The RC4-HMAC Kerberos Encryption Types Used by Microsoft Windows, E. Bouillon, Gaining access through kerberos, in PacSec, E. Bouillon, Taming the beast: Assess kerberos-protected networks, in Black Hat EU, S. M. Bellovin e M. Merritt, Limitations of the kerberos authentication system, in Usenix Proceedings, Dallas, TX, Linux-PAM. 9.Scapy CERT Coordination Center, Carnegie Mellon University, 11.K Kasslin and A. Tikkanen, Replay attack on Kerberos V and SMB, ack.pdf ack.pdf 23

Questions ? 24

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.