Kerberos 2

  • 7/27/2019 Kerberos 2

    Kerberos

    By: Vinay Pratap Singh

    M.Tech - CIT-13/12

    Kerberos

    Network authentication protocol + Key Distribution Center (KDC).

    Developed at MIT in the mid 1980s.

    Available as open source or in supported commercial software.

    Requires that each client (each request for service) prove its identity.

    Does not require the user to enter a password every time a service is requested.

    Authentication service for interactive services like telnet, ftp.

    Here the user is prompted for a password and must log in in real time.

    Symmetric key encryption is used.

    It is fast and allows real-time authentication.

    Why Kerberos?

    Authentication is a key feature in a multi-user environment. Sending usernames and passwords in the clear jeopardizes the security of the network.

    Each time a password is sent in the clear, there is a chance of interception.

    Kerberos Assumption

    The workstations or machines are more or less secure, i.e. there is no way for an attacker to intercept communication between … and a client (user process).

    Kerberos Design

    The user must identify himself once at the beginning of a workstation (login) session.

    Passwords are never sent across the network in clear text (or stored in memory).

    Every user has a password.

    Every service has a password.

    The only entity that knows all the passwords is the authentication server.

    Kerberos Requirements

    Its requirements are:

    Security: a network eavesdropper should not be able to obtain the information required for impersonating a user.

    Reliability: services rely on the availability of Kerberos access; thus lack of availability of Kerberos is lack of availability of the services. Kerberos should employ a distributed server architecture, with one system able to back up another.

    Transparency: the user should not be aware that authentication is taking place, except for the entering of the password.

    Scalability: the system should have a modular, distributed architecture to support a large number of clients and servers.

    Implemented using an authentication protocol based on the Needham-Schroeder Protocol.

    Kerberos 4

    A basic third-party authentication scheme.

    Has an Authentication Server (AS): users initially negotiate with the AS to identify themselves, and the AS provides a non-corruptible authentication credential (the ticket granting ticket, TGT).

    Has a Ticket Granting Server (TGS): users subsequently request access to other services from the TGS on the basis of the user's TGT.

    Tickets

    Each request for a service requires a ticket.

    A ticket provides a single client with access to a single server. Tickets are dispensed by the ticket granting server, which has knowledge of all the encryption keys.

    Tickets are meaningless to clients; they simply use them to gain access to servers.

    The TGS seals (encrypts) each ticket with the secret encryption key of the server.

    Sealed tickets can be sent safely over a network - only the server can make sense out of them.

    Each ticket has a limited lifetime (a few hours).

    Ticket Contents

    Client Name (User Login Name)

    Server Name

    Client Host Network Address

    Session Key For Client/Server

    Ticket Lifetime

    Creation Timestamp

    Kerberos 4

    The Ticket Granting Tickets

    The Ticket Granting Service

    The Application Server
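    The diagrams that belonged to the Kerberos 4, Ticket Granting Ticket, Ticket Granting Service and Application Server slides are not present in this text copy. The following Python model is an added example, not code from the slides, and walks the same three exchanges: the AS issues a TGT sealed under the TGS key, the TGS accepts the TGT plus an authenticator and issues a service ticket, and the application server opens that ticket with its own key. Tickets carry exactly the fields from the Ticket Contents slide and are rejected when expired, tampered with, or presented from a different host. The sealing is a toy encrypt-then-MAC built from HMAC-SHA256 rather than the DES Kerberos 4 really used, the key derivation is a plain SHA-256 of the password, and all names, passwords, addresses and the clock-skew allowance are constructed values.

```python
"""Toy model of the Kerberos 4 ticket flow: AS issues a TGT, the TGS issues a
service ticket, the application server verifies it.  Added example, not code
from the slides.  Sealing is a toy encrypt-then-MAC built from HMAC-SHA256
(Kerberos 4 used DES); names, passwords and addresses are constructed."""
import hashlib
import hmac
import json
import os
import secrets

SKEW = 300           # tolerated clock skew in seconds (assumed value)
LIFETIME = 8 * 3600  # ticket lifetime in seconds ("a few hours" on the slides)


def key_from_password(pw):
    """Toy string-to-key: every principal's secret key is derived from its password."""
    return hashlib.sha256(pw.encode()).digest()


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode; only used inside seal()/unseal()."""
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]


def seal(key, obj):
    """Encrypt-then-MAC a JSON object under key -> nonce || ciphertext || tag."""
    data = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key, blob):
    """Reverse of seal(); raises ValueError on a wrong key or a tampered blob."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or tampered ticket")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


# The KDC (AS + TGS) is the one party that knows every principal's key.  A real
# application server holds only its own key; this shared table is a simplification
# of the single-process model.  All entries are constructed sample principals.
KDC_KEYS = {
    "alice": key_from_password("alice-pw"),        # a user
    "krbtgt": key_from_password("tgs-secret"),     # the ticket granting server
    "fileserver": key_from_password("fs-secret"),  # an application server
}


def issue_ticket(client, server, addr, now, reply_key):
    """Build a ticket with the fields from the Ticket Contents slide, seal it under
    the target server's key, and seal a copy of the session key for the client."""
    ticket = {"client": client, "server": server, "addr": addr,
              "session_key": secrets.token_hex(16), "lifetime": LIFETIME, "issued_at": now}
    reply = {"session_key": ticket["session_key"], "server": server}
    return seal(KDC_KEYS[server], ticket), seal(reply_key, reply)


def as_exchange(user, addr, now):
    """AS: the reply is sealed under the user's password-derived key, so the password
    never crosses the network; a wrong password simply cannot open the reply."""
    return issue_ticket(user, "krbtgt", addr, now, KDC_KEYS[user])


def verify_presentation(server, ticket_blob, auth_blob, addr, now):
    """Checks every server makes: open the ticket with its own key, open the
    authenticator with the session key, then check freshness, lifetime, host, name."""
    ticket = unseal(KDC_KEYS[server], ticket_blob)
    auth = unseal(bytes.fromhex(ticket["session_key"]), auth_blob)
    if abs(auth["timestamp"] - now) > SKEW:
        raise ValueError("authenticator not fresh: replay or clocks out of sync")
    if not (ticket["issued_at"] - SKEW <= now <= ticket["issued_at"] + ticket["lifetime"]):
        raise ValueError("ticket expired")
    if ticket["addr"] != addr or ticket["client"] != auth["client"]:
        raise ValueError("ticket presented from the wrong host or by the wrong client")
    return ticket


def tgs_exchange(tgt_blob, auth_blob, service, addr, now):
    """TGS: accepts a TGT plus authenticator instead of a password and issues a
    service ticket, sealing the new session key under the TGT session key."""
    tgt = verify_presentation("krbtgt", tgt_blob, auth_blob, addr, now)
    return issue_ticket(tgt["client"], service, addr, now, bytes.fromhex(tgt["session_key"]))


def client_session(user, password, service, addr, now):
    """Client side of the whole flow; returns the client name the application
    server accepted.  The password is used once, locally; after that only tickets travel."""
    def authenticator(key):
        return seal(key, {"client": user, "timestamp": now})

    tgt_blob, reply = as_exchange(user, addr, now)
    tgt_key = bytes.fromhex(unseal(key_from_password(password), reply)["session_key"])
    svc_blob, reply = tgs_exchange(tgt_blob, authenticator(tgt_key), service, addr, now)
    svc_key = bytes.fromhex(unseal(tgt_key, reply)["session_key"])
    return verify_presentation(service, svc_blob, authenticator(svc_key), addr, now)["client"]
```

    Calling `client_session("alice", "alice-pw", "fileserver", "10.0.0.5", now)` runs the full login-to-service path and returns `"alice"`; calling it with the wrong password, or presenting the TGT from another address or after its lifetime, raises `ValueError`. Every check the servers make is driven by the fields inside the sealed ticket (client name, network address, lifetime, creation timestamp), which is why those fields are on the Ticket Contents slide and why the hosts' clocks have to agree within the skew allowance.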

    Kerberos Realms

    A Kerberos environment consists of:

    a Kerberos server

    a number of clients, all registered with the server

    application servers, sharing keys with the server

    This is termed a realm, typically a single administrative domain.

    If there are multiple realms, their Kerberos servers must share keys and trust.

    The use of multiple realms provides for the scalability of Kerberos.

    Weakness

    Single point of failure. Requires synchronization of the involved hosts' clocks.

    The administration protocol is not standardized.

    Compromise of the central server will compromise all secret keys. If stolen, a TGT can be used to access the network services of others.

    Thank You !!