NT's Security Future
In the past couple of months, I've explained what happens under the hood when
Windows NT 3.x and 4.0 authenticate a user ID. But, NT 5.0 will arrive soon, and
then everything you know will be wrong. Lots of things will change in NT 5.0. It
will use Kerberos authentication, which has been in the UNIX and Internet world
for a while. This month, let's see how Kerberos works and how it applies to NT
5.0 user authentication.
Suppose a user whose account name is Dawn has a PC with IP address 2.2.2.2,
and she wants to access data on a server \\DATAPLACE on the network. She and
\\DATAPLACE are on the same domain, which has a domain controller named
\\BIGDOG. How do Dawn, \\DATAPLACE, and \\BIGDOG interact to get Dawn to
her data?
Kerberos seeks to solve the authentication problem: User Dawn wants server
\\DATAPLACE to recognize her over the network, so she has to prove that she is
the person who owns domain user account Dawn. Of course, Dawn has a password to
her domain account, so \\DATAPLACE can authenticate Dawn by asking her, "What's
your domain password?" Once Dawn gives her password, \\DATAPLACE can ask
\\BIGDOG, "Is that really Dawn's password?" This method is not a good
idea because Dawn's password gets transmitted over the wire from Dawn's PC to
\\DATAPLACE, and then from \\DATAPLACE to \\BIGDOG. Anyone with a network
sniffer can capture Dawn's password. Kerberos improves on this method, however,
and handles user authentication without transmitting any clear-text passwords
across the network.
Kerberos Simplified
With Kerberos, both users and services have passwords. So, Dawn has a
password, and the file server service on \\DATAPLACE has a password, which is
for the file server service only. If, for example, Internet Information Server
(IIS) is running on \\DATAPLACE, the copy of IIS on \\DATAPLACE will have a
different password from the copy on the file server service. (I've simplified
this example to expose the big idea; I'll fill in the gaps later.)
When Dawn tries to access data on \\DATAPLACE, her file-sharing client
software goes first not to \\DATAPLACE, but to \\BIGDOG, where Dawn's software
requests a ticket to the file server module on \\BIGDOG. \\BIGDOG looks up
Dawn's password and \\BIGDOG's password and creates a Kerberos ticket.
\\DATAPLACE will use that ticket to authenticate Dawn.
First, \\BIGDOG creates a message ultimately for \\DATAPLACE, saying
something like, "If you got this message from a machine with IP address
2.2.2.2, you got this message from user Dawn." Second, \\BIGDOG takes that
message and encrypts it using \\DATAPLACE's password. Kerberos'
encryption method uses one string of characters to encrypt another string of
characters. Encrypting the message, "Meet me at 8 pm," using the
password "sentinel," might yield an encrypted message like "sk3knalef9m3poh."
The encryption method is symmetrical: The receiver can decrypt the message using
the same password as the sender; knowing that the password is sentinel and the
message is sk3knalef9m3poh is sufficient information to decrypt the message.
Third, \\BIGDOG takes that encrypted message and adds a plain-text message to
Dawn saying, "Give this to \\DATAPLACE." Fourth, \\BIGDOG takes the
whole message--the part encrypted in \\DATAPLACE's password and the plain-text
part--and encrypts it using Dawn's password. Then \\BIGDOG sends the ticket to
Dawn.
Dawn's PC receives the entire encrypted ticket. The PC knows Dawn's
password, so it decrypts the message, yielding a plain-text message saying, "Send
this to \\DATAPLACE," and a message encrypted with \\DATAPLACE's password.
Dawn can't tamper with the message for \\DATAPLACE because she doesn't have
\\DATAPLACE's password. Her machine then sends that message to \\DATAPLACE.
The security software in \\DATAPLACE sees that it's received a message from
a machine with IP address 2.2.2.2. It decrypts the message, which says, "If
you got this message from a machine with IP address 2.2.2.2, you got this
message from user Dawn." The message came from 2.2.2.2, so \\DATAPLACE is
now pretty sure that Dawn is on the other end of the line. It can look up the
access control list (ACL)/Security Descriptor on the share to see whether Dawn
is authorized to access the share.
Previous
Register
