The Keys to Kerberos Authentication

Last updated Oct 22, 2004.

The geography of our world—its surface features, the shape of its continents, the depths of its valleys, the majesty of its canyons—is largely a product of water. Earth is a massive object in space, yet its share of gravity is exactly the same per cubic centimeter as for every other massive object in space. Water's association with gravity is long-standing. With gravity's aid and assistance, water relentlessly seeks the lowest point, even when momentarily dissuaded by the electrostatic force and the pull of the moon. As a result of these simple dynamics, the topography and layout of our home planet have the shape, structure, and texture that we so wistfully characterize in poetry and song.

Water is both the single most creative and single most destructive element in the evolution of our planet. Yet this powerful agent whose unyielding pursuit of, for lack of a better term, "the bottom," gave rise to the Grand Canyon, the Great Lakes, and Mount St. Helens, has no mind of its own. Because we as a species are mastering the ways of water, we've been able to convert Oklahoma—a one-time scraggly desert that, left to its own devices, would never have escaped the ill effects of having once served as the ocean floor—into some of the most fertile and productive land on the planet, in just four generations.

In constructing the Arkansas River Navigation System, the Hoover Dam, and the Panama Canal, the US Army Corps of Engineers never once, to my knowledge, hired para-psychologists to speculate on what goes on in the "mind of water." Hydrological systems fail over time because water, by nature, is corrosive. In time, water exploits the weakest links in the system and eventually, inevitably, erodes them until the system succumbs to failure. All without the aid of a neurology, a psychology, a pseudo-intellect, a sociology, a counter-cultural phenomenon, or a talk show circuit. A corrosive force need not be smart to be efficient.

Navigational systems, computing systems, and communications systems are all networks. You can tell how strong any network is by studying its resistance to stress and its tolerance of failure. When discussing security as a feature, the best architects don't re-imagine their network as something it's not: a castle or a fortress or an onion or a haphazard reassembly of its basic components into a configuration that's easier to explain to screenplay producers. The best concepts in network security have come about with the help of a basic supposition that exploitation, disingenuousness, stress, erosion, and obsolescence are all basic dynamic agents that are unyielding, ever-present, and to a great extent, homogenous. Any further examination of these agents in order to isolate and diagnose some behavioral pattern, is as fruitless as interviewing a glass of water.

Dialog with a Three-Headed Dog

The best concepts in securing a computer network have come about as a result of accepting corrosive agents as given, and developing reliable dependencies between network components so that they strengthen one another, strengthen the network, and resist corrosion. Malicious use, in short, happens. If a well-designed network does its job, most or all of the malicious use that does exist will be ineffective, as will most or all of the erroneous use—which, in network design, is actually a far greater problem.

The Kerberos Network Authentication Service is one concept that concentrates on making malicious and erroneous use ineffective in compromising the network. The Kerberos concept is not software nor even an implementation of protocols, but a basic conceptual framework for establishing secure interaction between software components in distributed systems, such as the Component Object Model (COM) used by Windows. Microsoft began formally implementing Kerberos authentication with Windows 2000.

The Kerberos concept is a dialog between the client component that requests services and the server component that provides them. "Services" is how Kerberos broadly describes the functions that software performs, although it doesn't serve as a protocol explaining how a client should phrase its request for services, nor how a server should phrase its response. Instead, Kerberos describes an exchange of data between server and client that leads both components to trust that each is what it says it is. To accomplish this, Kerberos brings in a third party, the authenticator. This party serves as a mediator, as well as a central database for registering identities associated with the other components. Using this database, client and server quiz each other about what they are capable of finding out about one another, until they pass each other's tests to their mutual satisfaction.

Engineers at MIT came up with the basic foundation for Kerberos in 1988, literally as a dialog in itself, written in stage theatrical format, featuring two network engineers impressing one another as they come up with a theoretical secure authentication concept in stages. This little play probably encapsulates the content of some of the real discussions that MIT engineers may have actually had with one another. In so doing, it reveals the mindset of those engineers as they conceived this authentication system. They weren't fighting a war. They weren't arming themselves with iron-clad metaphors and adrenaline-pumping paradigms. They weren't psychoanalyzing the factors in society that lead ordinary, innocent people to grow up and become "hackers"—or just to become "hackers." They were challenging one another to come up with a system foolproof enough to withstand being compromised by each other.

Demolishing the Fortress Mindset

Modern fiction depicts the act of breaking into a computer network as getting past various virtual safeguards, checkpoints, firewalls, gateways, and logins. Movies resort to various methods of communicating their story to the viewer; I recall seeing a scene from one where we actually enter the mind—specifically, travel into the brain, through a little Carl Sagan-like shuttlecraft—of a certain intrepid misadventurer imagining himself penetrating the walls of a castle with a blaster ray gun, on his way to secure a treasure chest in the center. Once he gets past the key checkpoint, he announces to his girlfriend and to us, "I'm in!" This is how we know he's made it, mainly in order to advance the plot. (Somebody in Hollywood read the white paper on Castle Defense System.) There are a number of fully employed security analysts whose concepts of network security resemble these movies more than anything MIT ever designed.

The Kerberos framework does not presume the existence of any physical security barriers on the network whatsoever. It would be nice if they were there, but rather than presuming they've been breached, it actually doesn't pay attention to them whatsoever. Physical barriers may be provided, if at all, on another tier of network architecture.

What Kerberos assumes is that, at some point, a client component will communicate with something masquerading as a server component, or a server with something masquerading as a certain client. Data will be exchanged. Network traffic will occur. Barriers will be transgressed. Kerberos' objective is to make certain that what gets passed to and from a non-authentic component is meaningless and, therefore, harmless. It accomplishes this by relying on strong cryptography.
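The exchange described above, reduced to a runnable model as an added example (not code from this article or from any Kerberos implementation): a third party holding a registry of long-term keys wraps one session key for each side, and a component without the registered key receives only bytes it cannot open. The names `REGISTRY`, `issue` and `run_exchange` are assumptions, the SHA-256 keystream is a toy stand-in for a real cipher, and a fixed nonce replaces the timestamps real Kerberos uses.

```python
import hashlib, hmac, json, os

def _stream(key, nonce, n):
    # SHA-256 in counter mode: a toy keystream standing in for a real cipher.
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, obj):
    """Encrypt-then-MAC a JSON object under key (illustrative, not production crypto)."""
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    """Return the object, or None if blob was not sealed under key."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None  # wrong key or tampering: the bytes stay meaningless
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

# Constructed registry: the third party's database of identities and long-term keys.
REGISTRY = {"alice": os.urandom(32), "fileserver": os.urandom(32)}

def issue(client, service):
    """Third party mints a session key and wraps one copy for each registered party."""
    session = os.urandom(32).hex()
    for_client = seal(REGISTRY[client], {"service": service, "session": session})
    ticket = seal(REGISTRY[service], {"client": client, "session": session})
    return for_client, ticket

def run_exchange(client, client_key, service, service_key):
    """True only when both ends hold the keys registered for the names they claim."""
    for_client, ticket = issue(client, service)
    reply, grant = unseal(client_key, for_client), unseal(service_key, ticket)
    if reply is None or grant is None:
        return False  # an impostor cannot open its copy of the session key
    k_client, k_service = bytes.fromhex(reply["session"]), bytes.fromhex(grant["session"])
    # Client proves itself with a challenge under the session key (fixed nonce for the demo).
    seen = unseal(k_service, seal(k_client, {"client": client, "nonce": 7}))
    if seen is None or seen["client"] != grant["client"]:
        return False
    # Service proves itself back by answering with nonce + 1.
    answer = unseal(k_client, seal(k_service, {"nonce": seen["nonce"] + 1}))
    return answer is not None and answer["nonce"] == 8

if __name__ == "__main__":
    print(run_exchange("alice", REGISTRY["alice"], "fileserver", REGISTRY["fileserver"]))
    print(run_exchange("alice", REGISTRY["alice"], "fileserver", os.urandom(32)))
```
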

The introduction of mitigation between components, and cryptography to encrypt messages, was initially foreign to the basic principles of COM. In the original COM model, all components were authentic because the operating system's Registry said they were. In the revised version, the users of software (people, not components) were the only agents requiring authentication; but computers were practically rogues with their own accounts and their own carte blanche. So as long as a user identified himself, supposedly, any malicious use could be traced back to his or her account. Assuming, of course, she wasn't capable of changing her account status to that of a computer the moment she was "in."

Merging the all-trusting environment of COM with the trust-but-verify environment of Kerberos has been a Herculean task for Microsoft. The company has learned a great deal. That it has had the degree of success it has had in migrating from a Hollywood to a Cambridge mindset, is astonishing.
