7/27/2019 Kerberos 2
Kerberos
By: Vinay Pratap Singh
M.Tech - CIT-13/12
Kerberos
Network authentication protocol + Key Distribution Center.
Developed at MIT in the mid 1980s.
Available as open source or in supported commercial software.
Requires that each client (each request for service) prove its identity.
Does not require the user to enter a password every time a service is requested!
Authentication service for interactive services like telnet, ftp, etc.
Here the user is prompted for a password and must log in in real time.
Symmetric key encryption is used.
It is fast and allows real time authentication.
Why Kerberos?
Authentication is a key feature in a multi user environment.
Sending usernames and passwords in the clear jeopardizes the security of the network.
Each time a password is sent in the clear, there is a chance of interception.
Kerberos Assumption
The workstations or machines are more or less secure, i.e. there is no way for an attacker to intercept communication between the workstation and a client (user process).
Kerberos Design
the user must identify himself once at the beginning of a workstation session (login session).
passwords are never sent across the network in clear text (or stored in memory).
every user has a password.
every service has a password.
the only entity that knows all the passwords is the authentication server.
Kerberos Requirements
Its requirements are:
Security: a network eavesdropper should not be able to obtain the information required for impersonating a user.
Reliability: services rely on the availability of Kerberos access, thus lack of availability of Kerberos is lack of availability of the supported services. Kerberos should employ a distributed server architecture with one system able to back up another.
Transparency: the user should not be aware that authentication is taking place, except for the entering of the password.
Scalability: the system should have a modular, distributed architecture to support a large number of clients and servers.
Implemented using an authentication protocol based on the
Needham-Schroeder Protocol.
Kerberos 4
a basic third-party authentication scheme
has an Authentication Server (AS)
users initially negotiate with the AS to identify themselves,
the AS provides a non-corruptible authentication credential (ticket granting ticket, TGT).
has a Ticket Granting Server (TGS)
users subsequently request access to other services from the TGS on the basis of the user's TGT.
Tickets
Each request for a service requires a ticket.
A ticket provides a single client with access to a single server.
Tickets are dispensed by the ticket granting server, which has knowledge of all the encryption keys.
Tickets are meaningless to clients; they simply use them to gain access to servers.
The TGS seals (encrypts) each ticket with the secret encryption key of the server.
Sealed tickets can be sent safely over a network - only the server can make sense out of them.
Each ticket has a limited lifetime (a few hours).
Tickets Contents
Client Name (User Login Name)
Server Name
Client Host Network Address
Session Key for Client/Server
Ticket Lifetime
Creation Timestamp
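The Kerberos 4 exchanges, ticket sealing and ticket contents described in the preceding slides, worked through as an added example that is not part of the original presentation. The KDC here combines the AS and TGS, holds every user and service key, seals each ticket with the target server's key, and includes exactly the fields listed above. Real Kerberos 4 used DES; the seal()/unseal() pair below is an assumed stand-in built from hashlib/hmac so the script runs offline with the standard library only, and the names (alice, tgs, mail), address and password are constructed.

```python
# Added example, not from the slides: a toy model of the three Kerberos 4
# exchanges (AS, TGS, application server). seal()/unseal() are a stand-in
# for the real cipher; user/service names, keys and address are constructed.
import hashlib
import hmac
import json
import os

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def seal(key: bytes, obj: dict) -> bytes:
    """Encrypt-then-MAC a JSON object under a symmetric key (toy construction)."""
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key: bytes, blob: bytes) -> dict:
    """Verify the MAC first; a wrong key (e.g. a wrong password) fails here."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("message does not verify under this key")
    return json.loads(bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct)))))

def derive_key(password: str) -> bytes:
    # Toy string-to-key; the user's key is derived from the password, never sent.
    return hashlib.sha256(password.encode()).digest()

def make_ticket(server_key, client, server, addr, session_key, lifetime, now) -> bytes:
    """The ticket fields from the slide, sealed with the *server's* secret key."""
    return seal(server_key, {"client": client, "server": server, "addr": addr,
                             "session_key": session_key.hex(),
                             "lifetime": lifetime, "issued": now})

def check_ticket(t: dict, now: int) -> None:
    """Tickets have a limited lifetime; this is why host clocks must agree."""
    if now > t["issued"] + t["lifetime"]:
        raise ValueError("ticket expired")

def check_authenticator(t: dict, authenticator: bytes) -> None:
    """The authenticator is sealed with the ticket's session key and must name the same client/address."""
    a = unseal(bytes.fromhex(t["session_key"]), authenticator)
    if a["client"] != t["client"] or a["addr"] != t["addr"]:
        raise ValueError("authenticator does not match ticket")

class KDC:
    """AS + TGS: the only party that knows every user's and service's key."""
    def __init__(self, keys: dict):
        self.keys = keys
    def as_exchange(self, client, addr, now) -> bytes:
        # Issue a TGT (sealed under the TGS key), returned under the user's key.
        tgt_session = os.urandom(16)
        tgt = make_ticket(self.keys["tgs"], client, "tgs", addr, tgt_session, 8 * 3600, now)
        return seal(self.keys[client], {"session_key": tgt_session.hex(), "tgt": tgt.hex()})
    def tgs_exchange(self, tgt, authenticator, service, now) -> bytes:
        # Open the TGT with the TGS key, check it, then issue a service ticket.
        t = unseal(self.keys["tgs"], tgt)
        check_ticket(t, now)
        check_authenticator(t, authenticator)
        svc_session = os.urandom(16)
        ticket = make_ticket(self.keys[service], t["client"], service, t["addr"], svc_session, 3600, now)
        return seal(bytes.fromhex(t["session_key"]), {"session_key": svc_session.hex(), "ticket": ticket.hex()})

def app_server_accept(server_key, ticket, authenticator, now) -> str:
    """Only the application server can open the ticket; returns the client name."""
    t = unseal(server_key, ticket)
    check_ticket(t, now)
    check_authenticator(t, authenticator)
    return t["client"]

def run_demo(password="correct horse", present_after=0) -> str:
    """Login -> service ticket -> service access, with constructed names and keys."""
    keys = {"alice": derive_key("correct horse"), "tgs": os.urandom(32), "mail": os.urandom(32)}
    kdc, addr, now = KDC(keys), "10.0.0.5", 1_700_000_000
    resp = unseal(derive_key(password), kdc.as_exchange("alice", addr, now))
    tgt_session, tgt = bytes.fromhex(resp["session_key"]), bytes.fromhex(resp["tgt"])
    auth = seal(tgt_session, {"client": "alice", "addr": addr, "timestamp": now})
    resp = unseal(tgt_session, kdc.tgs_exchange(tgt, auth, "mail", now))
    svc_session, ticket = bytes.fromhex(resp["session_key"]), bytes.fromhex(resp["ticket"])
    later = now + present_after
    auth = seal(svc_session, {"client": "alice", "addr": addr, "timestamp": later})
    return app_server_accept(keys["mail"], ticket, auth, later)

def rejected(**kwargs) -> bool:
    """True if the exchange fails (wrong password, or ticket presented after its lifetime)."""
    try:
        run_demo(**kwargs)
        return False
    except ValueError:
        return True
```

run_demo() returns "alice"; rejected(password="wrong") is True because the AS reply cannot be opened without the right password-derived key, and rejected(present_after=2 * 3600) is True because the one-hour service ticket has expired. Note that the client never sees the contents of either ticket: it only ever handles sealed blobs and the session keys returned alongside them.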
Kerberos 4
The Ticket Granting Tickets
The Ticket Granting Service
The Application Server
Kerberos Realms
a Kerberos environment consists of:
a Kerberos server
a number of clients, all registered with the server
application servers, sharing keys with the server
this is termed a realm
typically a single administrative domain
if there are multiple realms, their Kerberos servers must share keys and trust each other
The use of multiple realms provides for the scalability of Kerberos.
Weakness
Single point of failure.
Requires synchronization of the involved hosts' clocks.
The administration protocol is not standardized.
Compromise of the central server will compromise all secret keys. If stolen, a TGT can be used to access the network services of others.
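The clock-synchronization weakness above, made concrete as an added example that is not part of the original presentation. In the real protocol the client sends a timestamped authenticator alongside its ticket (not shown on the slides); the server rejects authenticators outside its skew window and keeps a short cache so a captured authenticator cannot be presented a second time within that window. The 300-second tolerance and the client names and addresses are assumptions constructed for the example.

```python
# Added example, not from the slides: server-side skew check plus replay cache
# for timestamped authenticators. MAX_SKEW and all inputs are constructed.
MAX_SKEW = 300  # seconds of allowed clock difference (assumed value)

class AuthenticatorCache:
    def __init__(self, max_skew: int = MAX_SKEW):
        self.max_skew = max_skew
        self.seen = {}  # (client, addr, timestamp) -> last instant it could still pass the skew check

    def accept(self, client: str, addr: str, timestamp: int, now: int) -> tuple:
        """Return (accepted, reason) for an authenticator presented at server time `now`."""
        # Entries whose timestamp can no longer pass the skew check are evicted;
        # the comparison is strict so an entry is kept up to and including its last valid instant.
        for key in [k for k, exp in self.seen.items() if exp < now]:
            del self.seen[key]
        if abs(now - timestamp) > self.max_skew:
            return False, "clock skew"  # a legitimate host with a drifted clock fails here too
        key = (client, addr, timestamp)
        if key in self.seen:
            return False, "replay"
        self.seen[key] = timestamp + self.max_skew
        return True, "ok"

def demo() -> list:
    """Constructed sequence: a good request, the same authenticator again,
    a host whose clock is ten minutes behind, and a fresh request later on."""
    cache = AuthenticatorCache()
    now = 1_700_000_000
    return [
        cache.accept("alice", "10.0.0.5", now - 2, now)[1],          # ok
        cache.accept("alice", "10.0.0.5", now - 2, now + 1)[1],      # replay
        cache.accept("bob", "10.0.0.6", now - 600, now)[1],          # clock skew
        cache.accept("alice", "10.0.0.5", now + 400, now + 401)[1],  # ok
    ]
```

demo() returns ["ok", "replay", "clock skew", "ok"]. The cache only needs to remember entries for one skew window, which is what bounds its size; widening the window to accommodate badly synchronized hosts lengthens the period in which a captured authenticator stays usable, which is the trade-off behind the slide's point.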
Thank You !!