ADDING PERFECT FORWARD SECRECY TO KERBEROS

Kerberos system is a powerful and widely implemented authentication system. Despite this fact it has several problems such as the vulnerability to dictionary attacks which is solved with the use of public key cryptography. Also an important security feature that is not found in Kerberos is perfect forward secrecy. In this work the lack of this feature is investigated in Kerberos in its original version. Also a public key based modification to Kerberos is presented and it is shown that it lacks the prefect forward secrecy too. Then some extensions are proposed to achieve this feature. The extensions are based on public key concepts (Diffie-Hellman) with the condition of keeping the password based authentication; this requires little modifications to the original Kerberos. Four extensions are proposed; two of them modify the (Client-Authentication Server) exchange achieving conditional perfect forward secrecy , while the remaining two modify the Client-Server exchange achieving perfect forward secrecy but with increased overhead and delay.


ABSTARCT
Kerberos system is a powerful and widely implemented authentication system.Despite this fact it has several problems such as the vulnerability to dictionary attacks which is solved with the use of public key cryptography.Also an important security feature that is not found in Kerberos is perfect forward secrecy.In this work the lack of this feature is investigated in Kerberos in its original version.Also a public key based modification to Kerberos is presented and it is shown that it lacks the prefect forward secrecy too.Then some extensions are proposed to achieve this feature.The extensions are based on public key concepts (Diffie-Hellman) with the condition of keeping the password based authentication; this requires little modifications to the original Kerberos.Four extensions are proposed; two of them modify the (Client-Authentication Server) exchange achieving conditional perfect forward secrecy, while the remaining two modify the Client-Server exchange achieving perfect forward secrecy but with increased overhead and delay.

KERBEROS V5
It is well known that Kerberos is based on symmetric encryption and trusted third party.Figure (1) shows the exchanges of the original Kerberos v5.The client (C) shares with the authentication server (AS) a long term key; and truly speaking the secret is a password (K U shared between the "User" on the client machine and AS).
 The password is used to encrypt a timestamp and sent by the client to AS which decrypts and checks for time synchronization, this step is used to authenticate the user. AS sends a key (K C,TGS ) to be used between the client (C) and ticket granting server (TGS), this key is sent encrypted using K U .AS also sends the client a ticket granting ticket (TGT) which contains the same key, (K C,TGS ), encrypted using a long term key shared between AS and TGS.Steps 1 and 2 represent the authentication phase exchange. The next phase, steps 3 and 4, are carried between the client (C) and TGS.In this phase the client authenticates itself to TGS by sending a timestamp encrypted using K C,TGS .The client also sends the ticket TGT granted by AS, also it sends the name of the server S that it wants to communicate with. TGS decrypts the ticket TGT using the key shared with AS (K AS,TGS ), and it extracts the key K C,TGS .Then it decrypts the message sent by the client and checks the timestamp to see the authenticity of client.Then TGS creates a session key (K C,S ) to be used between C and S. In this exchange the key (K C,TGS ) is used to authenticate C to TGS in step 3 and used in step 4 to encrypt the session key K C,S .TGS also sends the client a ticket (TKT S ) to be used with the server (S).This ticket TKT S contains the same key, (K C,S ), encrypted using a long term key shared between TGS and S.  Steps 5 and 6 represent the last phase at which the exchange occurs between the client and server.In step 5 the client authenticates itself to the server by sending a timestamp encrypted under the session key (K C,S ).The client also sends TKT S to the server.
 The server decrypts TKT and extracts the key (K C,S ), and use this key to check the authenticity of client message.Then the server authenticates itself to client by sending a timestamp encrypted under the same session key.
Since the client passes through steps 3 and 4 for each server it wants to contact, the key (K C,TGS ) is sometimes called a multisession key, because K C,TGS is used to encrypt many session keys.The concept of perfect forward secrecy is lost by encrypting the session keys using the multisession keys, and by encrypting the multisession keys using the password derived keys.So the compromise of multisession key causes the compromise of all session keys encrypted under it.Also the compromise of the password derived key (K U ) causes the compromise of the multisession key and consequently the session keys.[Zhu and Tung, 2006] is an extension to Kerberos v5 that uses public key cryptography to avoid shared secrets between a client and AS; it modifies the authentication exchange but not other parts of the basic Kerberos v5 protocol.The long-term shared key (K U ) in the traditional exchange is typically derived from a password, which limits the strength of the authentication to the user's ability to choose and remember good passwords; PKINIT does not use K U and thus avoids this problem.

Authentication
In PKINIT, the client (C) and AS each has a pair of public-private key (PK C , SK C ) and (PK AS , SK AS ).Cert C and Cert AS are certificates that prove the authenticity of PK C and PK AS because they are signed by a trusted Certificate Authority.PKINIT can operate in two modes namely public key encryption mode and Diffie-Hellman mode.The keys are used during the authentication phase only.But they are used in different ways according to the mode.The Diffie-Hellman mode is investigated here and shown in Figure (2) because it achieves conditional perfect forward secrecy.
Diffie-Hellman [Diffie and Hellman,1976] key agreement provided the first solution to allow two parties, without shared keys, to establish a secret key by exchanging messages over unsecured channel.But it does not achieve authentication.Authentication is achieved here using the certificates.The key (K C,TGS = g ab ) cannot be derived from Diffie-Hellman (D-H) exponents g a and g b which are sent publicly.Which means that AS will not send the key to the client encrypted under any key.So the compromise of the client's long term key (SK C ) will not help to get the key (K C,TGS ).This provides perfect forward secrecy.But (K C,TGS ) is also found in TGT encrypted under the long term key (K AS,TGS ) shared between AS and TGS.This yields the fact that the compromise of (K AS,TGS ) causes (K C,TGS ) to be compromised, meaning that perfect forward secrecy is not achieved.That's why we call it conditional perfect forward secrecy, because under the assumption that (K AS,TGS ) is shared between two well protected servers, the possibility of compromise is small but not impossible.This extension involves several time consuming operations at both the client side and AS side because the goal was to deal with dictionary attacks on passwords.

PROPOSED EXTENSIONS
The PKINIT using Diffie-Hellamn achieves conditional perfect forward secrecy, but it involves many public key operations and the requirement of certificate authority.This adds many changes to the original Kerberos.In the following sections some extensions are proposed to achieve perfect forward secrecy or conditional perfect forward secrecy with as little changes to Kerberos as possible.The extensions also consider the reduction of public key operations as possible.Four extensions are proposed, two of them modify the Client-AS exchange achieving conditional perfect forward secrecy, while the remaining two modify the Client-Server exchange achieving perfect forward secrecy.The solutions assume the password based authentication even that it has some weaknesses, but it stills the main authentication approach in most systems, so certificates are avoided.By that we minimize the changes made to Kerberos which simplifies its implementation in the future.The first extension group changes the exchange between the client and the authentication server (AS); this group has two extensions which are presented in part A and B below.
A) The extension uses the same concept of PKINIT with Diffie-Hellman but without the use of certificates.Figure (3) shows this extension, where only steps 1 and 2 are modified.The idea is to get (K C,TGS ) without being sent encrypted under a long term key.To accomplish this, the client generates private information (a) and sends public information (g a ).AS generates (b) and sends (g b ).Then both calculate g ab , while no one other than the two can find this value because the publicly known info is only g a and g b , this achieves perfect forward secrecy.h(g a ) represents the hash of g a , and is sent encrypted under K U such that AS can be sure of the authenticity of g a .On the other hand h(g a ,g b ) is sent encrypted under K U to prove the authenticity of g b to the client, and to acknowledge the reception of g a .The hash is sent instead of the information itself because it is smaller in size.The size of the hash output depends on the algorithm used and not on the size of input information.Some hash functions that can be used are MD5, SHA-1, and SHA-2.The recommended one is the SHA-2 in its various sizes.Also the National Institute of Standards and Technology (NIST) has launched a public competition to develop a new cryptographic secure hash algorithm, which NIST is naming "SHA-3" which is expected to be finally presented in year 2012 [William, 2008].
Like PKINIT in previous section, this approach achieves conditional perfect forward secrecy, since K C,TGS is sent encrypted using K AS,TGS inside the TGT.Since certificates are not required it gives some advantages concerning the computational load on the two parties, and the communication cost.The time consuming operations are given below: Client Side  Evaluating g a . Evaluating g ab .4).This adds additional security in the sense that D-H security is based on the concept that knowing (g a ) and (g b ) it is impossible to find g ab .Here, (g a ) and (g b ) are not public so the problem becomes harder on the adversary.This modification keeps the same advantages of the previous solution with small increase in computational time caused by the encryption and decryption of (g a ) and (g b ).Since (g a ) is sent encrypted under K U then AS will be sure of the authenticity of (g a ), so it is not necessary to calculate h(g a ) and send it encrypted under the same key.In the same manner in the second step it is not required to send the hash of (g b ) encrypted under K U .The message in the first step is smaller in size than in the previous extension by the size of h(g a ).On the other hand the second step is of same size as previous extension because h(g a ,g b ) has the same size as h(g a ) by the definition of hash functions.

Changing The Client-Server Exchange (Second Extension Group)
This group changes the messages exchanged between the client and the server, it also has two possible algorithms presented in A and B below.

A)
In this algorithm the steps 1 to 4 of the handshake are kept the same as the original Kerberos.The change occurs in the handshaking between the client and server to get the session key as shown in figure ( 5).Here the session key is derived using D-H which adds perfect forward secrecy, because the session key cannot be compromised when any one of (K U , K C,TGS , K AS,TGS , K TGS,S ,or K C,S ) is compromised.This is more secure than the previous one due to perfect forward secrecy and due to the fact the session key is only known by the two communicating parties, client and server.Where the role of other parties (AS and TGS) is only authenticating the client.While in previous cases the AS and TGS are involved in the generation of the session keys.
The hash values are used as in subsection 4.1 to achieve message authenticity of g a and g b and to acknowledge the reception of g a .The computational load on the client is the same as in previous section.But the overhead in computation is now on the server and not on AS as above.6).The Diffie-Hellman computations are the same as in part A, but the data to be symmetrically encrypted is larger in size which means more computational time.But this time increase is very small when compared with public key operations.

COMPARISON BETWEEN FIRST AND SECOND GROUP
To make the comparison the two groups presented in section 4.1 and 4.2, the following assumptions are considered: M clients, N servers, one AS, and one TGS.Figure (7) shows the keys generated for each client.The comparison will be taken from security and performance perspectives.

From A Security Perspective
For the first proposed extension the K C,TGS is generated using D-H, K C,TGS = g ab .This key is the base for all the keys for each client (K C1,S1 , K C1,S2 ,…, K C1,SN , and session keys), so the compromise of K U1 will not compromise the derived keys because K C1,TGS is not dependent on it.But this extension achieves conditional perfect forward secrecy because K C1,TGS is sent encrypted inside the TGT encrypted under K AS,TGS so the compromise of the later key compromises K C1,TGS and then all other keys (K C1,S1 , K C1,S2 ,…, K C1,SN , and session keys) are compromised.The compromise of K AS,TGS is not always considered a problem since it may be difficult to achieve because it is shared between AS and TGS which can be highly secured.And in many cases these two parties are implemented in the same server which reduces the risk of compromise.A possible enhancement is to periodically change this shared key, thus compromise of K AS,TGS will compromise only the keys created during the period of validity of this key (before it changes).This is not a difficult change since it involves two parties only, AS and TGS.
For the second extension, the session key is the one generated using D-H while all other keys remain as in the original Kerberos, K= g ab .So the compromise of any key (K U , K C,TGS , K AS,TGS , or K C,S ) will not compromise the session key K.This gives perfect forward secrecy. Each client will evaluate g a and g ab once for the entire login time, so it sums to 2 operations by each client. AS will evaluate g b and g ab once for each client which means 2M operations. All other parties have no comparable computational load.

AS
For the second extension where the final session key between client and server is g ab :  Each client will evaluate g a and g ab once for each server, which gives 2N operations by each client. AS and TGS have no comparable computations. Each server will evaluate g b and g ab once for each client, then each server has to do 2M operations.
It is clear that the first extension has overall lower computations than the second extension.The first has less load on both the clients and servers, with higher load on the AS.So in general the first case outperforms the second one, keeping in mind that the former gives only conditional perfect forward secrecy, while the later gives perfect forward secrecy.But there are three main points that must be taken into account.
The first point that must be considered is that the first extension has a high load on the AS, but in the second extension the load is the same as in original Kerberos, and it is negligible when compared with public key operations.The high load on AS can be a serious problem in some situations, because AS may become a bottleneck.This case can happen on the system startup, where all clients try to authenticate themselves to AS at the same time.
The second point is the fact that not all clients will communicate with all servers.So the load in first extension is mainly on AS and is highly constant at 2M.While in second extension the load is mainly on clients and servers.The load on client depends on its communication demand, i.e. load increases linearly with the number of server it needs to connect.The load on server depends on the clients' demands, i.e. load increases linearly with the number of clients needing to communicate with that server.And in general it is not likely that these communication requests occur simultaneously, i.e. the requests are generally randomly distributed in time and among servers.As opposed to the requests to AS which may happen simultaneously.This distribution gives a reduced effect on the servers at any moment.
The last point is that the second group of extensions gives the clients and servers the flexibility to agree to use the extension or stay in the original Kerberos mode.This is a per session decision between client and server to achieve perfect forward secrecy or to achieve higher performance with lower security.
Fig.1Original Kerberos v5 Exchange PKINIT Public-Key Kerberos PKINIT[Zhu and Tung, 2006] is an extension to Kerberos v5 that uses public key cryptography to avoid shared secrets between a client and AS; it modifies the authentication exchange but not other parts of the basic Kerberos v5 protocol.The long-term shared key (K U ) in the traditional exchange is typically derived from a password, which limits the strength of the authentication to the user's ability to choose and remember good passwords; PKINIT does not use K U and thus avoids this problem.
Side  Evaluating g a . Digital signature creation using SK C . Digital signature verification of Cert AS . Digital signature verification using PK AS . Evaluating g ab .AS Side  Digital signature verification of Cert C . Digital signature verification using PK C . Evaluating g b . Evaluating g ab . Digital signature creation using SK AS .

Fig. 2
Fig. 2 Diffie Hellman based PKINIT exchange Changing The Client-AS Exchange (First Extension Group)The first extension group changes the exchange between the client and the authentication server (AS); this group has two extensions which are presented in part A and B below.

Fig. 3
Fig.3Client-AS Modified Kerberos Proposed Exchange B) A simple modification to the previous extension is to send the public D-H exponents (g a ) and (g b ) encrypted under K U , as shown in figure (4).This adds additional security in the sense that D-H security is based on the concept that knowing (g a ) and (g b ) it is impossible to find g ab .Here, (g a ) and (g b ) are not public so the problem becomes harder on the adversary.This modification keeps the same advantages of the previous solution with small increase in computational time caused by the encryption and decryption of (g a ) and (g b ).Since (g a ) is sent encrypted under K U then AS will be sure of the authenticity of (g a ), so it is not necessary to calculate h(g a ) and send it encrypted under the same key.In the same manner in the second step it is not required to send the hash of (g b ) encrypted under K U .The message in the first step is smaller in size than in the previous extension by the size of h(g a ).On the other hand the second Fig. 4 Client-AS Modified Kerberos Proposed Exchange With Encrypted Public Exponents Fig. 5 Client-Server Modified Kerberos Proposed Exchange

Fig. 6
Fig. 6 Client-Server Modified Kerberos Proposed Exchange With Encrypted Public Exponents

Fig. 7
Fig. 7 Key Generation Steps in Environment With M Clients, N Servers, one AS, and one TGS