The KDC should support no applications, users, or protocols other than Kerberos. (That is, everything except Kerberos has been removed from this machine.) Ideally, this system will not support remote network access except by means of the Kerberos services it offers. If the KDC itself is to be remotely administered, the necessary operations must be accomplished over a special, secure channel that cannot be compromised. (Of course, kadmin — the Kerberos administrative tool — operates using Kerberos private messages.)

If the KDC is compromised, its shared secrets are at risk and it security services cannot be trusted. However, such an attack is far from easy. Kerberos uses the DES for encryption operations; the entire KDC data base is encrypted using the master key. To successfully attack the KDC, an intruder would need to access the KDC or otherwise obtain a copy of the KDC’s data base. For example, a wiretapper could grab a copy of the KDC’s data base as it is being propagated to a Kerberos slave KDC server. Because this transfer is done using Kerberos private messages under a randomly generated key that only the KDC and the slave KDC server share expressly for this transaction, such a wiretapper would first have to break that encryption to get at the message traffic that contained the data base being propagated. The intruder would then need to mount a successful cryptanalysis attack against the master key to obtain the data base.

Although contemporary experience with DES shows that successful attacks are possible, they are far too expensive and computationally intensive for anyone but such organizations as the National Security Agency (NSA) to attempt. Perfecting a mechanism to protect Kerberos from such a cryptanalytic attack is impractical for any but the most sophisticated and best funded government intelligence organizations.

The Kerberos protocol does not restrict the type of encryption that is used, and it may include any number of different encryption methods. In fact, design efforts are underway to include public key-based encryption in Kerberos. In any case, a public key-based Kerberos would be subject to the same type of attacks as the current, DES-based implementation.

FUTURE DEVELOPMENTS

As it matures, Kerberos is being incorporated into everything from the most mundane network application software to such specialized network hardware as access control devices for PCs and routers, terminal servers, and modems. It is also coming to be incorporated into some of the most advanced network applications. As operating system functions become distributed, effective authentication and security services have become even more critical. As a consequence of widespread attacks on TCP/IP’s highly distributed Network File System, for example, authentication for it has become mandatory (even though it is not widely used). Kerberos has increasing appeal to the implementors and integrators of distributed systems because it is well tested and readily available.

The continuing search for distributed system security solutions has revealed many alternatives to Kerberos, including systems based on RSA Data Security’s Public Key Cryptography Standards (PKCS) and those based on the Open System Foundation’s (OSF) Distributed Management Environment (DME) and its associated Distributed Computing Environment (DCE). Implementations based on PKCS do not yet offer interoperability between their respective environments, let alone with other authentication schemes. A consortium of European companies (including Bull, ICL, and Seimans Nixdorf) is working on a standard called Secure European System for Applications in a Multivendor Environment (SESAME). SESAME is still in the standards development stage.

The obvious questions that arise when considering a network security system are:

•  When will it be widely available?

•  What will it cost to implement?

•  Will it be interoperable?

•  Will it stand the test of time?

While the authors cannot answer these questions for other network security systems, they believe that Kerberos has already answered these questions in the affirmative. There have been no known successful attacks against Kerberos, and production experience shows that the methods for protecting Kerberos described in this chapter are both feasible and effective. In short, Kerberos has become a de facto network standard; it is well understood, well tested, and implementations are available from a variety of sources on a wide range of platforms.