12

Kerberos is an authentication protocol that is famously built using only symmetric ciphers.

As a direct result of this, there are several attacks possible, such as

  • AS-REP Roasting
  • AS-REQ Roasting
  • Kerberoasting
  • Silver Tickets
  • Golden Tickets

While some attacks require specific conditions (e.g. AS-REP Roasting requires disabling pre-authentication), other attacks like AS-REQ Roasting cannot be prevented at all.

It seems odd to me to use symmetric cryptography for a task that just screams "Please use asymmetric cryptography for this!". Is there something I am missing? What are the reasons for choosing symmetric ciphers?

  • Does this answer your question? [Kerberos three transactions -- why not just use two?](https://security.stackexchange.com/questions/191986/kerberos-three-transactions-why-not-just-use-two) That question goes into a little more detail about transactions (instead of attacks), but it does cover why symmetric instead of asymmetric. – Fire Quacker Mar 13 '20 at 16:57

1 Answers1

12

Full disclosure: I was the Program Manager overseeing Kerberos for a while, and am currently a developer actively working on it at Microsoft.

What you're describing is not strictly accurate. Kerberos as originally spec'ed does rely on symmetric crypto for authentication. However, there are widely used extensions to this spec that enables support for PKI authentication and defeats client *-roasting. Windows for instance uses the PKINIT extension for smart card auth and Windows Hello.

Additionally, the weakness is not that secrets are symmetric, but that the secrets are often user-generated which means easily guessable or they've chosen a weak cipher suite. Switching to an asymmetric crypto-based protocol just moves the problem from "how do I generate keys" to "how do I store and protect keys". In practice both are equally difficult problems for different reasons.

Asymmetric keys also don't solve golden ticket-like problems. If you're in the position to steal the krbtgt symmetric secret, what stops you from stealing the asymmetric secret? Not a lot. If you're in the position to protect an asymmetric key, why aren't you in a position to protect a symmetric key? In fact many systems today use symmetric secrets for protecting these types of tokens, such as session cookies or refresh tokens because of the performance benefit. Making it asymmetric doesn't directly improve things (though app architecture could dictate otherwise).

Silver ticket problems do benefit from moving to asymmetric because a service would never need to know the private key, which reduces the likelihood of it leaking.

However, in doing so you give up a guarantee of mutual authentication. Symmetric algorithms have the property that because both parties know the secret there's mutual authentication (the system falls part when multiple parties know it). With asymmetric keys there's no guarantee the party that receives the ticket is actually who they say they are. You need to explicitly authenticate both parties now, which can be done by adding another asymmetric key, but now you have at least doubled the total number of keys required in this exchange. You're still stuck protecting a secret on both sides.

The alternative of switching to another protocol is also practically difficult to accomplish. There are systems that simply will never move, and the systems that will move will do so over many many years. This requires involving lots of standards bodies, software implementers, and companies, and convincing them all that is best. That's not to say it's impossible or even a bad idea. Just that the effort required to do so and succeed is enormous.

Alternatively you can make minor adjustments to how Kerberos is used today and have Really Good (tm) security.

  • Ditch Passwords (smart cards, Windows Hello, FIDO, etc.)
  • Use strongly generated service account passwords (gMSA, etc.)
  • Disable weak ciphers (DES, RC4)
  • Enable compound authentication (armoring)
Steve
  • 15,155
  • 3
  • 37
  • 66
  • Thank you very much for the comprehensive answer. I didn't know about the PKINIT extension at all. And yes, I am aware it's not easy to switch from one system to another, even if there are compelling reasons to do so - the countless Windows XP and even Windows 98 machines I see locked away in internal network are evidence enough. Again, thank you for your answer. I'll add a bounty in 2 days when I can. –  Mar 13 '20 at 17:36