Kerberos Version 4

#Kerberos Version 4 operations could be summarised as the following equations:

$$ \begin{align} C \rightarrow AS:& ID_C || ID_{tgs} || TS_1\\ AS \rightarrow C:& E_{K_C}[K_{c,tgs} || ID_{tgs} || TS_2 || \text{Lifetime}_2 || \text{Ticket}_{tgs} ]\\ C \rightarrow TGS:& ID_V || \text{Ticket}_{tgs} || \text{Authenticator}_C\\ TGS \rightarrow C:& E_{K_C, tgs} [K{c,v} || ID_V || TS_4 || \text{Ticket}_V]\\ C \rightarrow V:& \text{Ticket}_V || \text{Authenticator}_{C'}\\ V \rightarrow C:& E_{K_{C,V}} [TS_5 + 1] \end{align} $$

Where:

$C$ is the client
$AS$ is the Authentication Server
$ID$ for $C$ is the identity of the client, otherwise it is a request from the client to access a server
$tgs$ or $TGS$ stands for Ticket Granting Server
$TS$ is the timestamp when the client has initiated the request
$E$ is the encryption algorithm using the $K$ key
$\text{Lifetime}$ is the lifetime of the issued ticket
$\text{Ticket}_{tgs}$ is a ticket granted to client to access TGS, which is defined as $E_{K_{tgs}} [K_{c,tgs} || ID_C || AD_C || ID_{tgs} || TS_2 || \text{Lifetime}_2]$
$AD$ contains the device the client used initially produced the request.
$V$ is the server intended to be used by the client
$\text{Authenticator}_C$ is defined as $E_{K_{c,tgs}} [ID_C || AD_C || TS_3]$, which is generated by client to validate the $\text{Ticket}_{tgs}$
$\text{Ticket}_V$ is a ticket granted to client to access the server, which is defined as $E_{K_V} [K_{C,V} || ID_C || AD_C || ID_V || TS_4 || \text{Lifetime}_4]$
$\text{Authenticator}_{C'}$ is defined as $E_{K_{c,v}} [ID_C || AD_C || TS_5]$, which is generated by client to validate the $\text{Ticket_{V}$

However, Version 4 is not without flaws. There is a double encryption on the tickets provided to the client ($\text{Ticket}_{tgs}$ and $\text{Ticket}_{V}$). The encryption scheme used by V4 is not secure at all (PCBC, which is a non-standard Data Encryption Standard (DES)#). It is vulnerable to an attack which involves the interchange of the ciphertext blocks. (Version 5 prevents it by providing Cipher Block Chaining (CBC)# mode for encryption). In addition, the same ticket could be used by the client to access a server which is at risk of potential Replay Attack using an old session key. (V5 allows the use of a subsession key, which will be invalid after one connection)

Links to this page

Kerberos Version 5

Kerberos Version 5 is developed to replace Kerberos Version 4 to address some of its deficiencies.

Other than that, there are some differences between Version 5 and Version 4#. Firstly, Version 4 depends solely on the use of Data Encryption Standard (DES) whereas Version 5 accepts any kind of encryption scheme or technique. Furthermore, V4 requires the use of IP Address# only whereas V5 allows any type of network address such as Media Access Control Address (MAC)# to be used. In V4, the sender of the message could choose its own message byte ordering, but the message structure is standardised using Abstract Syntax Notation One (ANS.1) and Basic Encoding Rules (BER) in V5. Moreover, the ticket lifetime is now indicated using explicit start and end time in V5, in contrast to the encoded 8-bit lifetimes values (up to 1280 minutes) in V4. Additionally, authentication forwarding is allowed in V5, but it is not in V4. Last but not least, the interopability (the degree of two things could be used together) among $N$ realms requires $O(N^2)$ Kerberos-to-Kerberos relationships in V4. V5 has a method that requires fewer relationships than in V4.
Kerberos

Depending on the versions of the Kerberos protocol, it has slight differing variables in influencing what information has been in the encrypted messages. See Kerberos Version 4#.

Kerberos is a protocol utilising #Symmetric Cryptography to provide Security Service# in Application Layer#. It is done by authenticate the user in order to gain temporary access to internal or remote resources. There are currently two versions of Kerberos implementation: Version 4# and Version 5#. Regardless of the version, three components make up the structure of Kerberos which is used to guard the network: Authentication#, Accounting and Auditing. It has two main ~~components~~ servers: Authentication Server and Ticket Granting Server.