Before you start
Objectives: Learn which protocols are used to protect the authentication process itself.
Prerequisites: you have to know what authentication is.
Key terms: authentication protection, Kerberos, authentication, PAP, CHAP, EAP
Protecting Authentication
To protect authentication itself, we need to implement some type of protocol. For example, this can be Kerberos, PAP, CHAP, EAP, etc. All of these protection mechanisms are examples of Single Sign-On examples. Single sign-on lets users to log on once to access many different systems and resources. The advantage of this is easier account administration. Also, it requires less time to access resources since users need to authenticate one time (they don’t have to retype username and password for different resources), which is great from the users perspective. However, this means less security from the administrative perspective.
Kerberos
Kerberos is a trusted third party authentication protocol which was developed at MIT. Kerberos is used only for protecting authentication credentials as they are transmitted over network. It has no other purpose, it doesn’t provide any type of data protection. Kerberos uses symetric key cryptography to provide end to end security for log on credentials. Kerberos authenticates users (principals) to other entities on the network. It also supports mutual authentication. That means that clients can authenticate the servers and servers authenticate clients. This helps eliminating man in the middle attacks. Kerberos shares a different secret key with every entity on the network. The knowledge of that secret key equals proof of identity. That means that if we hold a kerberos key, than we have an identity inside a Kerberos realm. Kerberos manages identity by issuing tickets. Ticket is actually a renamed secret key. Kerberos also includes timestamps in those tickets so that once the keys expire, they can’t be reused. Keys are generated using a one way has function on the password submitted by the client. So, the user account and the password are transformed into the ticket sent back to the client for use. All authentication communication is encrypted, but it’s just the authentication. Kerberos is very scalable for large environments.
The way Kerberos works, is that we have a Key Distribution Center (KDC). KDC is the primary component of Kerberos solution. When a client first logs in to the network, it types in its user name and password, which is then sent to the KDC. Once the KDC verifies that users credentials are valid, it creates a Ticket Granting Ticket (TGT), which is nothing more than a password from the client that has been hashed, and which is then sent back to the client. The client is now authorized and is allowed in Kerberos realm to access resources. Once the client access the resource, it requests a service ticket from the KDC. If the KDC validates the TGT from the client, it issues him the ST (service ticket). The ST gives the user the ability to communicate with the server that hosts the resource that the user wants. The server takes the ST and confirms that it’s still valid with the KDC. If the ST is valid, it will respond to the client with the data that was requested. Once the data is being sent, the Kerberos is not involved any more.
Kerberos has several weaknesess. Because of the original design, Kerberos has a single point of failure, which is the KDC. We only have a single KDC in our environment, and if it is down, no authentication can take place. KDC also has to be able to handle a lot of requests because it is the one place where all clients and all servers communicate with in order to authenticate. Tickets are temporarily stored locally on the client, and there for can be compromised if they are not destroyed after use. One way to help prevent password guessing attacks in KDC systems is to perform a preauthentication. Preauthentication means that we deploy additional authentication server that a client must authenticate with first in order to gain access to the KDC. At this point, only authenticated clients can request TGT from the KDC. Whenever a user changes its password, the KDC needs to be updated as well.
Directory Services
Directory Services is another form of Single sign-on system. One example of directory service is Active Directory from Microsoft. Directory Services provide the mechanisms and controls for implementing single sign-on. With this, users can access resources in a predefined environment by entering credentials only once.
PAP, CHAP and EAP
We can also protect authentication credentials by using PAP, CHAP and EAP. PAP, which stands for Password Authentication Protocol, transmits logon credentials in plain text. It doesn’t offer real security, however it still is an authentication protocol.
Next is the Challenge Handshake Authentication Protocol (CHAP), which requires a challenge / response dialog, and in that way ensure communication between a client and a server. If this goes well, user credentials are transmited over the network to the authentication server. Credentials are hashed using MD5 hash algorithm. During the log on session, CHAP periodically reauthenticates clients automatically to make sure that the user is still present. CHAP authentication is not replayable.
The third type of protocol is Extensible Authentication Protocol (EAP). EAP is a framework for other protocols to be installed, and in that way allows customized solutions in different environments.