Comparison between Kerberos Version 4 And Version 5
Kerberos Version 4 is an important topic in the subject Information and Network Security.
The environmental shortcomings of Kerberos version 4 and their corresponding improvements in version 5 are listed below:
- Encryption system dependence: Version 4 requires the use of DES, whereas version 5 tags each ciphertext with an encryption type identifier so that any encryption technique may be used.
- Internet protocol dependence: Version 4 requires the use of Internet Protocol (IP) addresses. Version 5 allows any network address type to be used.
- Message byte ordering: In version 4, the sender of a message employs a byte ordering of its own choosing, but in version 5 all message structures are defined using Abstract Syntax Notation One (ASN.1) and Basic Encoding Rules (BER), which provide an unambiguous byte ordering.
- Ticket lifetime: Lifetime values in Kerberos Version 4 are encoded in an 8-bit quantity in units of 5 minutes. Thus, the maximum lifetime that can be expressed is 2^8 × 5 = 1280 minutes, or a little over 21 hours. In version 5, tickets include an explicit start time and end time, allowing tickets with arbitrary lifetimes.
- Authentication forwarding: Version 4 does not allow credentials issued to one client to be forwarded to some other host and used by some other client. For example, when a client issues a request to a print server, the print server then cannot access the client’s file from a file server using the client’s credentials for access. Version 5 provides this capability.
- Inter-realm authentication: In Kerberos Version 4, interoperability among realms requires many Kerberos-to-Kerberos relationships, but version 5 supports a method that requires fewer relationships.
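The encryption-type tag and the unambiguous byte ordering described in the list above can be seen in the version 5 EncryptedData structure. The following is an added example, not code from the original page: a minimal DER codec for that structure as laid out in RFC 4120, plus a check that flags DES encryption types. The function names, the short etype table and the sample ciphertext bytes are constructed for illustration.

```python
# Added example. EncryptedData ::= SEQUENCE { etype [0] Int32,
#   kvno [1] UInt32 OPTIONAL, cipher [2] OCTET STRING }  (RFC 4120)
ETYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
          18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}  # partial table
DES_ETYPES = {1, 2, 3}  # assumption: local policy treats DES as disallowed

def tlv(tag, content):
    """Tag-length-value with a DER length: always big-endian, minimal size."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        body = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(body)]) + body
    return bytes([tag]) + length + content

def der_int(value):
    """INTEGER: minimal two's complement, big-endian on every host."""
    magnitude = value if value >= 0 else ~value
    return tlv(0x02, value.to_bytes(magnitude.bit_length() // 8 + 1, "big", signed=True))

def encode_encrypted_data(etype, cipher):
    return tlv(0x30, tlv(0xA0, der_int(etype)) + tlv(0xA2, tlv(0x04, cipher)))

def read_tlv(buf, pos=0):
    """Return (tag, content, next_pos); reject input shorter than it claims."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("truncated content")
    return tag, buf[pos:pos + length], pos + length

def parse_encrypted_data(blob):
    tag, body, _ = read_tlv(blob)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    out, pos = {}, 0
    while pos < len(body):
        ctx, inner, pos = read_tlv(body, pos)
        value = read_tlv(inner)[1]
        if ctx in (0xA0, 0xA1):
            out["etype" if ctx == 0xA0 else "kvno"] = int.from_bytes(value, "big", signed=True)
        elif ctx == 0xA2:
            out["cipher"] = value
    return out

def audit(blob):
    """Return (etype, name, is_des) so a receiver can accept or reject by policy."""
    etype = parse_encrypted_data(blob)["etype"]
    return etype, ETYPES.get(etype, "unknown"), etype in DES_ETYPES
```

Because the receiver reads the etype before touching the ciphertext, it can refuse a DES-protected message outright instead of assuming DES, as version 4 had to.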
The technical deficiencies of Kerberos version 4 and the corresponding alternatives in version 5 are:
- Double encryption: The tickets provided to clients are encrypted twice, once with the secret key of the target server and then again with a secret key known to the client. The second encryption is not necessary and is computationally wasteful.
- PCBC encryption: Encryption in version 4 makes use of a nonstandard mode of DES known as propagating cipher block chaining (PCBC), which is vulnerable to attack. Version 5 allows the standard CBC mode to be used for encryption.
- Session keys: Each ticket includes a session key used for encrypting messages. However, because the same ticket may be used repeatedly, a replay attack is possible. In version 5, it is possible for a client and server to negotiate a subsession key, which is to be used only for that one connection.
- Password attacks: Both versions are vulnerable to a password attack. The message from the AS to the client includes material encrypted with a key based on the client’s password. An opponent can capture this message and attempt to decrypt it by trying various passwords. Thus the opponent can discover the client’s password and may subsequently use it to gain authentication credentials from Kerberos.