7.5 KERBERIZE THE ECHO PROTOCOL
EXERCISE 7.5: KERBERIZE THE ECHO PROTOCOL
We didn’t show any code for a Kerberized echo protocol. We’ve left that for you to figure out. We have already set up some of the pieces you need, however. In real Kerberos, a Kerberized service has to be registered with the TGS. We have already done that. Our TGS code has “echo” in the service database with a password “sunshine”.
You will need to modify the echo client and echo server to use the session key from the TGS instead of deriving the session keys from a password. You can treat the session key from the TGS as key material and still use the HKDF to derive the write key and read key (two sub-session keys, as Kerberos would call them).
Many Kerberized implementations accept the ticket along with the request, and you can do the same here. In other words, send the Kerberos message along with the (encrypted) data to be echoed. Because you are sending a human-readable message, you can use the null terminator to indicate the end of the echo message and the beginning of the Kerberos message, if that’s easiest. Alternatively, you could do something more complicated like transmit the Kerberos message first, prepended by its length, with the human-readable echo message as a trailer.
The server will also need to be modified to accept a password for deriving its key with the TGS. The server already has a password given as a parameter. You could simply change it to derive its Kerberos key instead of the read and write keys. Also, make sure to use the appropriate derivation function. The read and write keys will need to be derived in the data_received method after the ticket is received and decrypted. You can leave out the optional Kerberos response to the echo client. Finally, you will have to figure out a way to get the Kerberos ticket data to the echo client. You can either build the echo client protocol directly into your Kerberos client or find some other way to transfer it.
In protocol notation, this is what we have to build:
\[A \rightarrow S: \{A, t_4\}K_{A, S}, \{A, K_{A, S}, t_3\}K_S\]
\[S \rightarrow A: \{t_4\}K_{A, S}\]
\[A \rightarrow S: \{\text{"hello world"}\}K_\text{alice's write key}\]
\[S \rightarrow A: \{\text{"hello world"}\}K_\text{service's write key}\]
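The pieces below are an added example, not the book's echo or TGS code: HKDF written out with the standard library, the two sub-session keys derived from the TGS session key so that the client's write key is the service's read key, the length-prefixed framing from the second option above (with the incomplete-buffer case that data_received has to handle), and the timestamp skew check a service applies to t_4. The info labels, the 32-byte key length and the five-minute window are assumptions; the AEAD used to encrypt the echo payload is whatever the existing echo code uses and is not shown.

```python
import hmac
import hashlib
import struct

HASH = hashlib.sha256

def hkdf(key_material, info, length=32, salt=b""):
    """RFC 5869 HKDF-SHA256: extract a PRK, then expand it with the info label."""
    salt = salt or bytes(HASH().digest_size)
    prk = hmac.new(salt, key_material, HASH).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]

def sub_session_keys(session_key, role):
    """Return (write_key, read_key) for role 'client' or 'service'.
    Labels are fixed per direction (assumed names), so each side's write key
    is the other side's read key without any extra negotiation."""
    c2s = hkdf(session_key, b"echo client->service")
    s2c = hkdf(session_key, b"echo service->client")
    return (c2s, s2c) if role == "client" else (s2c, c2s)

def frame_request(kerberos_msg, encrypted_echo):
    """Kerberos message first, prefixed by its 4-byte length; echo ciphertext trails."""
    return struct.pack("!I", len(kerberos_msg)) + kerberos_msg + encrypted_echo

def parse_request(buf):
    """Split a framed request into (kerberos_msg, echo_ciphertext).
    Returns None while the buffer is incomplete so data_received keeps buffering."""
    if len(buf) < 4:
        return None
    (n,) = struct.unpack("!I", buf[:4])
    if len(buf) < 4 + n:
        return None
    return buf[4:4 + n], buf[4 + n:]

def timestamp_is_fresh(t, now, window_seconds=300.0):
    """Reject an authenticator whose timestamp falls outside the allowed clock skew."""
    return abs(now - t) <= window_seconds
```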