KERBEROS
CONTENTS Introduction What is Kerberos? Where does the name Kerberos came from? Why Kerberos? What does Kerberos do? Kerberos software components How Kerberos works? Kerberos names Kerberos database Kerberos from the outside looking in Kerberos issue and open problems Effectiveness of Kerberos Kerberos status How widespread is deployment? Advantages and Disadvantages Commercial support for Kerberos MIT Kerberos team Conclusion References
INTRODUCTION WHAT IS KERBEROS? A NETWORK AUTHENTICATION PROTOCOL WHAT IS KERBEROS? KERBEROS IS A TRUSTED THIRD-PARTY AUTHENTICATION SERVICE BASED ON THE MODEL PRESENTED BY NEEDHAM AND_SCHROEDER.
Where does the name “Kerberos” came from? The name Kerberos comes from Greek mythology; it is the three-headed dog that guarded the entrance to Hades. “CERBERUS” is the Latin spelling of the Greek “Kerberos”, and according to the OED is pronounced like “Serberus”, but that is quite at odds with the Greek, as the initial consonant is a “k”.MIT project Athena chose to use the Greek spelling and pronunciation.
WHY KERBEROS? SECURE THE DATA RELIABLE SERVICE TRANSPERANCY SCALABILITY
WHAT DOES KERBEROS DO? Kerberos keeps a database of its clients and their private keys. Kerberos provides three distinct levels of protection. Kerberos provides safe messages.
KERBEROS SOFTWARE COMPONENTS KERBEROS APPLICATION LIBRARY ENCRYPTION LIBRARY DATABASE LIBRARY DATABASE ADMINISTRATION PROGRAMS ADMINISTRATION SERVER AUTHENTICATION SERVER DB PROPOGATION SOFTWARE USER PROGRAMS
Requesting a Kerberos Service Getting the Initial Kerberos Ticket Getting Kerberos Server Tickets HOW KERBEROS WORKS
Flow of Authentication Information Logging on to the workstation P W A O S R S D ENTRY 3 1 User name TGT,TGS 2 Authentication Server Workstation
4 TGT 5 Session key requested S E I O N key TICKET User name NT address Service name Time stamp Session key 4 TGS Session key TGT Ticket, 2 copies of session key Workstation 5 Ticket Granting Server Application Server
8 Workstation Application Server Verifying the request 6 Ticket Session Key 6 Ticket 7 Random number Random Number 8 Workstation Application Server Session Key
KERBEROS NAMES Key referral between Domains Key referral between Trusted Domains
KERBEROS DATABASE The KDBM Server The kadmin and kpasswd Programs Kerberos Database Replication
Kerberos from the Outside Looking In Kerberos User's Eye View Kerberos From the Programmer's Viewpoint The Kerberos Administrator's Job
Kerberos Issues and open Problems How to decide the correct lifetime for a ticket? How to allow proxies? How to guarantee workstation integrity?
HOW EFFECTIVE IS KERBEROS?
KERBEROS STATUS A prototype version of Kerberos went into production in September of 1986. Since January of 1987, Kerberos has been Project Athena's sole means of authenticating its 5,000 users, 650 workstations, and 65 servers. In addition, Kerberos is now being used in place of .rhosts files for controlling access in several of Athena's timesharing systems.
HOW WIDESPREAD IS DEPLOYMENT?
ADVANTAGES AND DISADVANTAGES
COMMERCIAL SUPPORT FOR KERBEROS CyberSafe Corporation Email: info@cybersafe.com InterSoft International, Inc. Email:http://web.mit.edu/kerberos/www/support@securenetterm.com Email:http://web.mit.edu/kerberos/www/sales@securenetterm.com
THE MIT KERBEROS TEAM Jeff Schiller ('79) Ted Ts'o ('90) Tom Yu ('96) MIT Team Members Jeff Schiller ('79) Ted Ts'o ('90) Tom Yu ('96) Ken Raeburn ('88) Paul Hill Marshall Vale Miroslav Jurisic Alexis Ellwood Danilo Almeida
CONCLUSION
REFERENCES www.krbcore@mit.edu http://web.mit.edu/kerberos www.cisco.com www.orw.gor www.info@cybersafe.com www.support@securenetterm.com www.sales@securenetterm.com www.cybersafecorporation.com www.crypto_publish.org.com www.decewg@es.net www.tytso@mit.edu The Kerberos newsgroup Kerberos on the Macintosh comp.protocols.kerberosFAQ
THANK 'U'