hash algorithm in kerberos Authentication process
hi all
and also we know when the domain joined client , we enter domain username and password, our password is encrypted via a hash algorithm. also we know that hash functions are MD5 , SHA1 , SHA2 ,...
1 ) which one of these algorithms , does kerberos protocol uses to encrypt our password?
2 ) so does a kerberos protocol component exist in all clients ( in addition to domain controller ?)
thanks in advance
January 16th, 2012 5:04pm
Hi.
Microsoft has release information about how Windows 2000 uses Kerberos in
RFC4757 The RC4-HMAC Kerberos Encryption Types Used by Microsoft Windows. Also there is information in the microsoft technet article
Changes in Kerberos Authentication [Windows 7 & windows 2008R2].
<>
DES not enabled by default in Windows 7 and Windows Server 2008 R2
Both DES cipher suites (DES-CBC-MD5 & DES-CBC-CRC) are disabled by default in Windows 7.The following cipher suites are enabled by default in Windows 7 and Windows Server 2008 R2:
*AES256-CTS-HMAC-SHA1-96
*AES128-CTS-HMAC-SHA1-96
*RC4-HMAC
</>
So for which Windows version are we talking about?
Oscar Virot
Free Windows Admin Tool Kit Click here and download it now
January 16th, 2012 6:36pm
Hi.
Microsoft has release information about how Windows 2000 uses Kerberos in
RFC4757 The RC4-HMAC Kerberos Encryption Types Used by Microsoft Windows. Also there is information in the microsoft technet article
Changes in Kerberos Authentication [Windows 7 & windows 2008R2].
<>
DES not enabled by default in Windows 7 and Windows Server 2008 R2
Both DES cipher suites (DES-CBC-MD5 & DES-CBC-CRC) are disabled by default in Windows 7.The following cipher suites are enabled by default in Windows 7 and Windows Server 2008 R2:
*AES256-CTS-HMAC-SHA1-96
*AES128-CTS-HMAC-SHA1-96
*RC4-HMAC
</>
So for which Windows version are we talking about?
Oscar Virot
hi and thanks oscar. suppose my domain controller is win 2008 R2 and clients are win 7 .
oscar, is far as i know ,when a domain user want to logon , the his os encrypts his password via a one-way hashing algorythm. also the domain controller generates a "1 time usable session key" for that client and present that to client. then
client again encrypts his "password hash" via this session key and then present this "encrypted hash" to the domain controller.
so here is a question : if someone in the middle , captures the sesion key ( when dc is presenting it to client and also captures the password hash( when client is presenting to DC , the this rogue client in the middle, can encrypt the obtained password
hash with obtained session key and then present that to the DC , so DC thinks that is the real original client ( but in fact he is not ). so what security countermeasure exist for this ?
where can i find a good updated link which completely describe this process ?
thanks in advance
January 17th, 2012 1:23am
Hi.
Well kerberos is a old system that has proven secure in unix, thats why Windows started using it. If we read
Configuring Kerberos Policies.
<>
In a Windows 2000 Domain, Kerberos authentication is used by both client and a server in trying to determine each other's legitimacy. Kerberos works with private key cryptography. That is, both the Kerberos-enabled client and server share a secret key.
Kerberos authentication works as follows (assuming the client initiates contact with the server):
The client generates an authenticator that contains unique information about the client (for example, client name, client realm, the time on the client, a checksum of the data in the authenticator message, and so forth). Each authenticator is unique, because
of the time information it contains.
The client encrypts the authenticator with its copy of the secret key.
The client sends the encrypted authenticator to the server.
The server decrypts the authenticator with its copy of the secret key.
The server creates its own unique authenticator, which also contains a portion of the client's authenticator. That way, the server proves to the client that it received the client's authenticator, and it was able to decrypt the message, indicating that it
is the proper server that had access to the secret key.
Note that since all authenticators must be unique, they are valid one time only. Therefore, Kerberos protects the system from replay attacks. A replay attack (with normal user identification (ID)/password authentication) is when an outsider can collect authentication
data off of the network and replay it to the server. Since a user ID/password combination is good for many uses, the server cannot determine if the second authentication attempt is the valid user trying to open another session, or if it is an impostor trying
to break into the system. Since the user ID/password information in the replay is correct, the system will grant access to the impostor.
</>
Hope that helps, if you want more the
Wikipedia links to lots of RFC describing everything in more detail.Oscar Virot
Free Windows Admin Tool Kit Click here and download it now
January 17th, 2012 2:21am
Hi.
Well kerberos is a old system that has proven secure in unix, thats why Windows started using it. If we read
Configuring Kerberos Policies.
<>
In a Windows 2000 Domain, Kerberos authentication is used by both client and a server in trying to determine each other's legitimacy. Kerberos works with private key cryptography. That is, both the Kerberos-enabled client and server share a secret key.
Kerberos authentication works as follows (assuming the client initiates contact with the server):
The client generates an authenticator that contains unique information about the client (for example, client name, client realm, the time on the client, a checksum of the data in the authenticator message, and so forth). Each authenticator is unique, because
of the time information it contains.
The client encrypts the authenticator with its copy of the secret key.
The client sends the encrypted authenticator to the server.
The server decrypts the authenticator with its copy of the secret key.
The server creates its own unique authenticator, which also contains a portion of the client's authenticator. That way, the server proves to the client that it received the client's authenticator, and it was able to decrypt the message, indicating that it
is the proper server that had access to the secret key.
Note that since all authenticators must be unique, they are valid one time only. Therefore, Kerberos protects the system from replay attacks. A replay attack (with normal user identification (ID)/password authentication) is when an outsider can collect authentication
data off of the network and replay it to the server. Since a user ID/password combination is good for many uses, the server cannot determine if the second authentication attempt is the valid user trying to open another session, or if it is an impostor trying
to break into the system. Since the user ID/password information in the replay is correct, the system will grant access to the impostor.
</>
Hope that helps, if you want more the
Wikipedia links to lots of RFC describing everything in more detail.
Oscar Virot
nice. thank you very much oscar
January 17th, 2012 2:55am