Forum

  • Hi,

I'm reading Ch12 from CWSP Study Guide ed2. On page 337, under the title "Client to TGS Server: Initial Exchange", it explains the process basically as the following:

    - User provides user ID/pswd pair on the client station.
    - Client uses this pswd to generate his secret key by one-way hashing operation.


    .. so far it is OK, here the confusion starts ..

    - Client sends a request to TGS using client ID, pswd or hash is not sent. If the client is in the AS database, TGS returns an encrypted session key using secret key of the client and a TGT. Client decrypts the "session key" using his secret key. Then, session key is used for communication to TGS.

I think there is a mistake here. Because the AS was supposed to be the first place the client talks to, in order to get the TGT before talking to the TGS (this is also how it is explained in Figure 12.6 on page 336). So, the TGS "in bold" above must be AS.

    I downloaded errata from McGraw webpage but this doesn't exist. What do you think?

    Below is from another resource:

    1. The client sends a cleartext message of the user ID to the AS requesting services on behalf of the user. (Note: Neither the secret key nor the password is sent to the AS.) The AS generates the secret key by hashing the password of the user found at the database (e.g. Active Directory in Windows Server).

    2. The AS checks to see if the client is in its database. If it is, the AS sends back the following two messages to the client:

    Message A: Client/TGS Session Key encrypted using the secret key of the client/user.

    Message B: Ticket-Granting Ticket (which includes the client ID, client network address, ticket validity period, and the client/TGS session key) encrypted using the secret key of the TGS.

    3. Once the client receives messages A and B, it decrypts message A to obtain the Client/TGS Session Key. This session key is used for further communications with the TGS. (Note: The client cannot decrypt Message B, as it is encrypted using TGS's secret key.) At this point, the client has enough information to authenticate itself to the TGS.
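    The AS exchange the quoted resource describes, as an added Python simulation that is not part of the original post or of the CWSP guide: only the client ID crosses the wire, Message A opens with the password-derived client key, and Message B opens only with the TGS key. The string2key function and the seal/unseal cipher are toy stand-ins (assumptions, not Kerberos crypto), and the principal names, password and TGS secret are constructed.

```python
import hashlib, hmac, json, os

def string2key(password: str, principal: str) -> bytes:
    # Simplified stand-in for Kerberos string2key (an assumption, not the real KDF):
    # derive the long-term key from password + principal; the password never crosses the wire.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), ("EXAMPLE.COM" + principal).encode(), 10000)

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out = b""
    for i in range((n + 31) // 32):
        out += hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest()
    return out[:n]

def seal(key: bytes, plaintext: bytes) -> bytes:
    # Toy encrypt-then-MAC, only to make "encrypted with key K" concrete; not Kerberos crypto.
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, "sha256").digest()
    return nonce + ct + tag

def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("wrong key or tampered message")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

# Constructed KDC state: AS database (principal -> long-term key) and the TGS key.
AS_DB = {"ozgur": string2key("correct horse battery", "ozgur")}
TGS_KEY = string2key("constructed krbtgt secret", "krbtgt")

def as_exchange(client_id: str, client_addr: str):
    # Steps 1-2: the request carries only the client ID; the AS looks the key up itself.
    client_key = AS_DB[client_id]            # KeyError if the principal is not in the AS database
    session_key = os.urandom(32)
    msg_a = seal(client_key, session_key)    # Message A: session key under the client's key
    tgt = json.dumps({"client": client_id, "addr": client_addr, "valid_until": "2024-01-01T18:00Z",
                      "session_key": session_key.hex()}).encode()
    msg_b = seal(TGS_KEY, tgt)               # Message B: the TGT under the TGS key
    return msg_a, msg_b

def client_as_request(client_id: str, password: str, client_addr: str = "10.0.0.5"):
    # Step 3: the client regenerates its key from the password and can open only A.
    msg_a, msg_b = as_exchange(client_id, client_addr)
    client_key = string2key(password, client_id)
    session_key = unseal(client_key, msg_a)  # ValueError here means the password was wrong
    try:
        unseal(client_key, msg_b)
        can_read_tgt = True
    except ValueError:
        can_read_tgt = False
    return session_key, can_read_tgt, msg_b  # msg_b is presented to the TGS later, unopened
```

Opening msg_b with TGS_KEY recovers the same session key the client got from Message A, which is how the TGS later shares a key with a client it has never spoken to.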

  • By (Deleted User)

    The Kerberos protocol was named after the Greek mythological character "Cerberus" which was a three-headed dog.

    We have a saying in the South.... "That dog won't hunt!"

    In other words, I would not spend a lot of time studying Kerberos for the CWSP exam. It really is no longer a testable subject in relation to Wi-Fi security. Years ago, Symbol had a "Kerberized" appliance solution, which is how the topic became testable in CWSP years ago.

    The Sybex CWSP Study Guide that comes out in JAN/2010 will not even mention the topic.

  • Hi Ozgur

    You are correct. The text should say AS instead of TGS. However, this is a common "problem" in the world of Kerberos, and may not necessarily be a "misprint" per se.

    When the first Kerberos systems were introduced back in the 80's, two separate servers were often used for the Authentication Service and the Ticket-Granting Service. These formed part of the KDC [ Key Distribution Center ]

    As time went on, both services [ AS and TGS ] tended to be "put" on one single server.

    From reading a bunch of documents and books on Kerberos, I have found that there is a tendency to refer to the AS and TGS as just the TGS. This happens often in documentation.

    The link at the bottom gives one of the best descriptions I have ever seen on how Kerberos works and also why it is the way it is. The descriptions of some of the areas apply to other systems outside of Kerberos and are very well laid out and interesting [ well, as well as Ticket Granting Tickets can be !! ]. Personally, I think it's one of the best technical descriptions of a complex system that I have seen so far.

    Kerberos is very important in the Windows world, and is worth getting to know for general wired security purposes.

    The "original" Kerberos was a nasty three-headed dog that guarded the gates of Hades in Greek Mythology. MIT [ who developed Kerberos ] used the name because of the three "heads" of the system: Applicant, Verifier and KDC.

    http://en.wikipedia.org/wiki/Cerberus


    There are some really good descriptions of Kerberos V4 and V5 in this book:

    http://www.amazon.com/Network-Security-Private-Communication-Public/dp/0130614661

    It also contains loads of other good security "stuff". Not much on wireless though in this edition.

    http://web.mit.edu/Kerberos/dialogue.html

    Dave
