University Network Security: Kerberos Server Problems and Solutions

Verified

Added on 2020/02/24

AI Summary

This report provides a comprehensive overview of the Kerberos authentication server, developed at MIT, focusing on its role in network security. It begins by outlining the problems Kerberos faced, including secret-key cryptography issues, validation flaws, weak protocols, and cost concerns. The report then delves into the major threats associated with Kerberos, such as password migration, partial compatibility, security vulnerabilities, and the "all or nothing" approach. It further explores mitigation strategies to address these threats, recommending the implementation of automatic password migration systems, complete compatibility, enhanced security verification, and security verification systems to reduce risks. The report also compares Kerberos version 4 and version 5, highlighting differences in key salt algorithms, network address handling, encoding methods, ticket support, and cross-realm authentication. Finally, it recommends suitable organizations for Kerberos, particularly those operating in closed server environments, and discusses the three main approaches to user authentication within a network. The report concludes by emphasizing the advantages and disadvantages of Kerberos, while acknowledging its importance as a secure system.

Contribute Materials

Your contribution can guide someone’s learning journey. Share your documents today.

Running head: NETWORK SECURITY
Network Security
Name of the Student
Name of the University
Author’s Note:

Secure Best Marks with AI Grader

Need help grading? Try our AI Grader for instant feedback on your assignments.

1
NETWORK SECURITY
Table of Contents
Discussion....................................................................................................................................................2
1. Problems..............................................................................................................................................2
2. Threats and Mitigation........................................................................................................................3
3. Version 4 and Version 5 Differences....................................................................................................4
4. Recommended Organizations..............................................................................................................4
Conclusion...................................................................................................................................................4
References...................................................................................................................................................6

2
NETWORK SECURITY
Introduction
An authentication server namely Kerberos is grown as a portion of a project named Athena in
MIT. The main reason for developing Kerberos was that when a user will be having problem in network
in his computers, Kerberos can secure the files and folders of the user [3]. The operating system
provided to the users is able to reinforce certain access control policies and can identify the users.
However, recently this scenario has changed. There are three strategies that Kerberos is following; but
in open environment the strategies are not working.
The report outlines a brief description about the Kerberos authentication server. It covers the
problems that Kerberos were facing and the four major threats of Kerberos that are associated with
authentication of users over the internet and how Kerberos can reduce it [5]. This report further
discusses about the difference between version 4 and version 5 of Kerberos and recommendations of
which organization should use this server. The description is given in the following paragraphs.
Discussion
1. Problems
Kerberos was facing many problems as an authentication server. The problems are as follows:
i) Secret-Key Cryptography: Kerberos is developed to give strong authentication server for the
users using a secret key cryptography [4]. However, this idea got back fired. As it does not need the
utilization of any password and the handling depends on a trusted third party, the security became a
problem for it.
ii) Validation: Designing and implementation is not enough for a security system. Validation is
highly recommended [6]. Kerberos has serious flaws and they were not checked before its launch.
iii) Weak Protocol: Another major problem of Kerberos is its weak protocol. It is not as strong
and resistant as it should have been [1]. Thus attacks are possible with such weak protocols.
iv) Secured Time Services: Machine clocks are not always synchronized. Therefore,
authenticators do not depend on them much [2]. As Kerberos is made of time based protocols, it relies
on the secured time services and it becomes a huge problem.

3
NETWORK SECURITY
v) Cost: Kerberos is not at all cost effective and it incurs huge cost. Thus small organizations will
not be able to install it.
vi) Login Spoofing: This is another major problem in Kerberos [6]. False login or spoofing in login
is extremely common in Kerberos, which is dangerous for the authenticators.
2. Threats and Mitigation
The four basic threats that are associated with the authentication of user over internet are as
follows:
a) Migration: The main threat is the migration of user’s passwords from a basic database to the
Kerberos database of password, because no automatic system is present to undergo this job [4].
b) Partial Compatibility: It has compatibility but only partial with the PAM or Pluggable
Authentication Modules system.
c) Security: This is another major threat for Kerberos. It considers all users as trusted ones and
therefore provides the key to everyone [2].
d) All or Nothing: This is another threat for Kerberos. It is an all or nothing solution [3]. When
Kerberos is utilized over the network, all decrypted passwords that are transferred to the non Kerberos
server is at high risk.
The above threats however, can be reduced or solved. Kerberos can mitigate these threats with
certain steps. They are as follows:
A) Migration: This threat can be overcome by installing an automatic system in it, to migrate the
user’s passwords from the standard database to the Kerberos database of passwords [7].
B) Partial Compatibility: Kerberos should be compatible completely to avoid any kind of
complexities within it.
C) Security: All users cannot be trusted. Special system should be installed to verify the
authenticated users and thus Kerberos can mitigate security risks [5].
D) All or Nothing: Kerberos should install any security verification system that can reduce the
risk of transferring passwords to the non Kerberos servers.

Secure Best Marks with AI Grader

Need help grading? Try our AI Grader for instant feedback on your assignments.

4
NETWORK SECURITY
3. Version 4 and Version 5 Differences
There are various differences between Kerberos version 4 and version 5. They are as follows:
i) Key Salt Algorithm: Kerberos v4 utilizes the name of the principal partially whereas Kerberos
v5 utilizes the name of the principal completely [8].
ii) Network Address: Kerberos v4 comprises only some of the IP addresses and different
addresses for the network protocol types [4]. Whereas, v5 comprises many IP addresses and different
addresses for the network protocol types.
iii) Encoding: Kerberos v4 utilizes the receiver makes right system of encoding and v5 utilizes the
ASN 1 system of encoding [7].
iv) Ticket Support: Kerberos v4 has a satisfactory capability for ticket support and ticket support
of Kerberos v5 is well extended [1]. The facilities are postdating, forwarding and renewing the tickets.
v) Cross Realm Authentication Support: Kerberos v4 does not support such authentication.
However, v5 has a reasonable support for such authentication.
4. Recommended Organizations
Kerberos is an authentication server developed by MIT. It secures the files and folders of users
when their systems have problem in network. However, Kerberos have advantages and disadvantages. It
is recommended for all sorts of network oriented organizations [2]. Kerberos serves well in a closed
server environment, where all the systems are operated and owned by any one organization. There are
three approaches. First is to be dependable on every individual workstation to ensure the recognition
the users and to rely on the server to enforce security policies. The second strategy is to require the
authentication of the client systems to the servers and trust the client system about the identity of the
users [5]. The final approach is to require the user to prove the user’s identity for each service. Kerberos
is recommended for big companies because of the cost and complexities.
Conclusion
Therefore, from the above discussion it can be concluded that, Kerberos has many advantages
and disadvantages. In spite of the limitations Kerberos is a highly secured system developed by MIT. The
above report describes about the problems that Kerberos is facing for its protocols. The report also

5
NETWORK SECURITY
outlines the major threats of Kerberos and the ways to mitigate them. The report further describes the
difference between version 4 and version 5 of Kerberos and the recommended organizations for it.

6
NETWORK SECURITY
References
[1]C. Guivarch and S. Hallegatte, "2C or not 2C?", Global Environmental Change, vol. 23, no. 1, pp. 179-
192, 2013.
[2]K. Rao, Bharadwaj and N. Ram, "Application of Time Synchronization Process to Kerberos", Procedia
Computer Science, vol. 85, pp. 249-254, 2016.
[3]L. Thanh and N. Hải, "Developping Kerberos-role authentication protocol for resource management
system.", Journal of Computer Science and Cybernetics, vol. 20, no. 4, 2012.
[4]I. Downnard, "Public-key cryptography extensions into Kerberos", IEEE Potentials, vol. 21, no. 5, pp.
30-34, 2002.
[5]K. Bashir and M. Khalid Khan, "Modification in Kerberos Assisted Authentication in Mobile Ad-Hoc
Networks to Prevent Ticket Replay Attacks", International Journal of Engineering and Technology, vol. 4,
no. 3, pp. 307-310, 2012.
[6]J. Wang and Z. Kissel, Introduction to network security. .
[7]"Analysing the Combined Kerberos Timed Authentication Protocol and Frequent Key Renewal Using
CSP and Rank Functions", KSII Transactions on Internet and Information Systems, vol. 8, no. 12, 2014.
[8]J. Dastidar, "An Authentication Protocol based on Kerberos", International Journal of Engineering
Research and Applications, vol. 07, no. 07, pp. 70-74, 2017.