Diffie-Hellman Encryption

In this scheme are two constants, PROOT and HEXMODULUS. The particular values chosen for these constants for the DES authentication protocol are:

const PROOT = 3;
const HEXMODULUS =	/* hex */
 "d4a0ba0250b6fd2ec626e7efd637df76c716e22d0944b88b";

The way this scheme works is best explained by an example. Suppose there are two people, A and B, who want to send encrypted messages to each other. A and B each generate a random secret key that they do not disclose to anyone. Let these keys be represented as SK(A) and SK(B). They also publish in a public directory their public keys. These keys are computed as follows:

PK(A) = (PROOT ** SK(A)) mod HEXMODULUS
PK(B) = (PROOT ** SK(B)) mod HEXMODULUS

The ** notation is used here to represent exponentiation.

Now, both A and B can arrive at the common key between them, represented here as CK(A,B), without disclosing their secret keys.

A computes:

CK(A, B) = (PK(B) ** SK(A)) mod HEXMODULUS

while B computes:

CK(A, B) = (PK(A) ** SK(B)) mod HEXMODULUS

These two computations can be shown to be equivalent: (PK(B)**SK(A)) mod HEXMODULUS = (PK(A)**SK(B)) mod HEXMODULUS. Drop the mod HEXMODULUS parts and assume modulo arithmetic to simplify the process:

PK(B) ** SK(A) = PK(A) ** SK(B)

Then replace PK(B) by what B computed earlier and likewise for PK(A).

((PROOT ** SK(B)) ** SK(A) = (PROOT ** SK(A)) ** SK(B)

which leads to:

PROOT ** (SK(A) * SK(B)) = PROOT ** (SK(A) * SK(B))

This common key CK(A,B) is not used to encrypt the timestamps used in the protocol. It is used only to encrypt a conversation key that is then used to encrypt the timestamps. This approach uses the common key as little as possible, to prevent a break. Breaking the conversation key is a far less serious compromise, because conversations are comparatively short lived.

The conversation key is encrypted using 56-bit DES keys, yet the common key is 192 bits. To reduce the number of bits, 56 bits are selected from the common key as follows. The middle-most 8 bytes are selected from the common key, and then parity is added to the lower-order bit of each byte, producing a 56-bit key with 8 bits of parity.

AUTH_KERB Authentication

To avoid compiling Kerberos code into the operating system kernel, the kernel used in the S implementation of AUTH_KERB uses a proxy RPC daemon called kerbd. The daemon exports three procedures.

• KGETKCRED is used by the server-side RPC to check the authenticator presented by the client.

• KSETKCRED returns the encrypted ticket and DES session key, given a primary name, instance, and realm.

• KGETUCRED is UNIX specific. It returns the user's ID, the group ID, and groups list, assuming that the primary name is mapped to a user name known to the server.

The best way to describe how Kerberos works is to use an example based on a service currently implementing Kerberos: the network file system (NFS). The NFS service on server s is assumed to have the well-known principal name nfs.s. A privileged user on client c is assumed to have the primary name root and an instance c. Note that, unlike AUTH_DES, when the user's ticket-granting ticket has expired, kinit() must be reinvoked. NFS service for Kerberos mounts fail until a new ticket-granting ticket is obtained.

NFS Mount Example

This section follows an NFS mount request from start to finish using AUTH_KERB. Because mount requests are executed as root, the user's identity is root.c.

Client c makes a MOUNTPROC_MOUNT request to the server s to obtain the file handle for the directory to be mounted. The client mount program makes an NFS mount system call, handing the client kernel the file handle, mount flavor, time synchronization address, and the server's well-known name, nfs.s. Next the client kernel contacts the server at the time synchronization host to obtain the client-server time bias.

The client kernel makes the following RPC calls.

1. KSETKCRED to the local kerbd to obtain the ticket and session key,

2. NFSPROC_GETATTR to the server's NFS service, using the full name credential and verifier. The server receives the calls and makes the KGETKCRED call to its local kerbd to check the client's ticket.

The server's kerbd and the Kerberos library decrypt the ticket and return, among other data, the principal name and DES session key. The server checks that the ticket is still valid, uses the session key to decrypt the DES-encrypted portions of the credential and verifier, and checks that the verifier is valid.

The possible Kerberos authentication errors returned at this time are:

• AUTH_BADCRED is returned if the verifier is invalid because the decrypted win in the credential and win +1 in the verifier do not match, or the timestamp is not within the window range.

• AUTH_REJECTEDCRED is returned if a replay is detected.

• AUTH_BADVERF is returned if the verifier is garbled.

If no errors are received, the server caches the client's identity and allocates a nickname, which is a small integer, to be returned in the NFS reply. The server then checks if the client is in the same realm as the server. If so, the server calls KGETUCRED to its local kerbd to translate the principal's primary name into UNIX credentials. If the previous name is not translatable, the user is marked anonymous. The server checks these credentials against the file system's export information. Consider these three cases:

1. If the KGETUCRED call fails and anonymous requests are allowed, the UNIX credentials of the anonymous user are assigned.

2. If the KGETUCRED call fails and anonymous requests are not allowed, the NFS call fails with the AUTH_TOOWEAK.

3. If the KGETUCRED call succeeds, the credentials are assigned, and normal protection checking follows, including checking for root permission.

Next, the server sends an NFS reply, including the nickname and server's verifier. The client receives the reply, decrypts and validates the verifier, and stores the nickname for future calls. The client makes a second NFS call to the server, and the calls to the server described previously are repeated. The client kernel makes an NFSPROC_STATVFS call to the server's NFS service, using the nickname credential and verifier described previously. The server receives the call and validates the nickname. If it is out of range, the error AUTH_BADCRED is returned. The server uses the session key just obtained to decrypt the DES-encrypted portions of the verifier and validates the verifier.

The possible Kerberos authentication errors returned at this time are:

• AUTH_REJECTEDVERF, which is returned if the timestamp is invalid, a replay is detected, or if the timestamp is not within the window range

• AUTH_TIMEEXPIRE, which is returned if the service ticket is expired

If no errors are received, the server uses the nickname to retrieve the caller's UNIX credentials. Then it checks these credentials against the file system's export information, and sends an NFS reply that includes the nickname and the server's verifier. The client receives the reply, decrypts and validates the verifier, and stores the nickname for future calls. Last, the client's NFS mount system call returns, and the request is finished.

KERB Authentication Protocol

The following example of AUTH_KERB has many similarities to the one for AUTH_DES, shown in the following code example. Note the differences.

Example B-3 AUTH_KERB Authentication Protocol

#define AUTH_KERB 4
/*
 * There are two kinds of credentials: one in which the client
 * sends the (previously encrypted)
Kerberos ticket, and one in
 * which it uses its "nickname" (just an unsigned integer) 
 * given to it by the server. The client must use its full name
 * in its first transaction with the server, in which the server
 * returns to the client its nickname. The client may use
 * its nickname in all further transactions with the server
 * (until the ticket expires). There is no requirement to use
 * the nickname, but it is wise to use it for performance reasons.
 */
enum authkerb_namekind {
 	AKN_FULLNAME = 0,
 	AKN_NICKNAME = 1
 };
 
/*
 * A fullname contains the encrypted service ticket and the
 * window. 	The window is actually a lifetime
 * for the credential. If the time indicated in the verifier
 * timestamp plus the window has passed, then the server should
 * expire the request and not grant it. To insure that requests
 * are not replayed, the server should insist that timestamps be
 * greater than the previous one seen, unless it is the first
 * transaction. In the first transaction, the server checks
 * instead that the window verifier is one less than the window.
 */
struct authkerb_fullname {
 	KTEXT_ST ticket;              /* Kerberos service ticket */
 	unsigned long window;        /* encrypted window */
};                             
/*
 * A credential is either a fullname or a nickname
 */
union authkerb_credswitch(authkerb_namekind akc_namekind){
 	case AKN_FULLNAME:
 		authkerb_fullname akc_fullname;
 	case AKN_NICKNAME:
 		unsigned long akc_nickname;
};
 
/*
 * A timestamp encodes the time since midnight, January 1, 1970.
 */
struct timestamp {
 	unsigned long seconds;      /* seconds */
 	unsigned long useconds;     /* and microseconds */
};
 
/*
 * Verifier: client variety
 
 */
struct authkerb_verf_clnt {
 	timestamp akv_timestamp;   /* encrypted timestamp */
 	unsigned long akv_winverf;  /* encrypted window verifier */
};
 
/*
 * Verifier: server variety
 * The server returns (encrypted) the same timestamp the client
 * gave it minus one second. It also tells the client its
 * nickname to be used
in future transactions (unencrypted).
 */
struct authkerb_verf_svr {
 	timestamp akv_timeverf;    /* encrypted verifier */
 	unsigned long akv_nickname; /* new nickname for clnt */
};