Presentation is loading. Please wait.

Presentation is loading. Please wait.

Kerberos Part 1 CNS 4650 Fall 2004 Rev. 2. The Name Greek Mythology Cerberus Gatekeeper of Hates Only allowed in dead Prevented dead from leaving Spelling.

Published byLee Francis Modified over 9 years ago

Similar presentations

Presentation on theme: "Kerberos Part 1 CNS 4650 Fall 2004 Rev. 2. The Name Greek Mythology Cerberus Gatekeeper of Hates Only allowed in dead Prevented dead from leaving Spelling."— Presentation transcript:

1 Kerberos Part 1 CNS 4650 Fall 2004 Rev. 2

2 The Name Greek Mythology Cerberus Gatekeeper of Hates Only allowed in dead Prevented dead from leaving Spelling different so there is no confusion

3 Time Share Computing One large computer Account information in one location NO encryption (dumb terminals) No shared media for communication Dedicated serial lines No need to trust (since admin owns everything)

4 Time Share Computing

5 Client/Server Shared medium (network) Nodes can be unknown Power shifted from administrators to users Trust no one, admin know only controls half

6 Client/Server

7 Project Athena May 1983 5 year charter of a consortium of computer vendors Notable technologies from Athena Kerberos X Windows Hesiod name service Moira distributed network administration

8 Basic of Kerberos Secure Single-sign-on Trusted third party Mutual authentication

9 What happened to version 1, 2, 3? Used internally by MIT Never released into the wild Various limitations Mostly for testing

10 Three A’s Authentication Authorization Auditing

11 Authentication Process of verifying the identity of a user. User is required to give information Factors of authentication What the user knows What the users has What the user is

12 Example: Drivers License Authentication is that it is issued from an authoritative source State Country Your Picture

13 What the User Knows Most common Secret password User defined password Random password

14 What the User Has Less common Some type of device RSA SecurID Randomly generates key Key matches key on authentication server Smart Cards

15 What the User Is Less common Biometrics Fingerprint scanning Retina scanning Voiceprint recognition Face recognition

16 Authorization Granting or denying access to specific resources based on identity Access Control Lists Authorization is dependent on solid authentication! NFS Server trusts client, user “authenticated” by UID Easy to spoof, ACLs are almost worthless

17 Example: Drivers License Authorization is what you have rights to drive Standard Commercial Motorcycle Etc.

18 Auditing Records authentication and authorization Reactive system (does not stop attacks, just records them ;-)

19 Privacy and Integrity Encryption Protect data from unwanted parties Message Integrity Ensure the message was not tampered MD5 SHA1 CRC-32

20 Terminology Realms, Principles, Instances Keys, Salts, Passwords Key Distribution Center Tickets

21 Realms, Principles, Instances Realms Administrative control unique to each Kerberos installation Convention is DNS domain in uppercase REALM.ORG EXAMPLE.COM Realm names are case sensititive

22 Realms, Principles, Instances Principles Every user and service has a principle Every principle has a long term key associated with it Password or passphrase Global unique name User or service name combined with realm name Three components [username].[optional instance]@[realm] (Kerberos 4) [component]/[component]/[component]/…@[realm] (Kerberos 5)

23 Realms, Principles, Instances Principles Kerberos 4 Examples dsinema@REALM.ORG dsinema.admin@REALM.ORG smb.server@REALM.ORG Kerberos 5 Examples dsinema@REALM.ORG dsinema/admin@REALM.ORG smb/server.realm.org@REALM.ORG smb/server.differentrealm.org/REALM.ORG

24 Realms, Principles, Instances Instances Used in two situations Service principles Special principles for administrative purposes Example Admins can have two principles One for day to day (dsinema@REALM.ORG)dsinema@REALM.ORG One for administrative tasks (dsinema/admin@REALM.ORG)

25 Keys, Salts, Passwords Keys Are shared between at least two parties End user, service, or KDC String2key converts password to encryption key Salt is added before password is hashed Kerberos 5 default “salt” is realm name

26 The Key Distribution Center (KDC) Three components Principle database Authentication server Ticket Granting Server

27 The Key Distribution Center (KDC) Principle Database Stores principles and associated keys Stores other information Password lifetimes Last password change MIT stores in lightweight database

28 The Key Distribution Center (KDC) Authentication Server Issues Ticket Granting Ticket (TGT) Passwords never cross wire TGT encrypted with users password TGT can then be used to request service tickets TGT provides “single-sign-on”

29 The Key Distribution Center (KDC)

30 Ticket Granting Server (TGS) Takes two pieces of data Principle name of service requested Users Ticket Granting Ticket (TGT) TGS verifies TGT, then issues a service ticket to the user

31 Tickets Encrypted data structure Requesting principle name Service principle name Ticket lifetime IP Addresses the ticket can be used from Session key (shared secret) for user/service communication

32 Tickets Service Tickets User requests from TGS Session Key for communication Data encrypted with service key, which contains the Session key All is encrypted with user key

33 Tickets

Download ppt "Kerberos Part 1 CNS 4650 Fall 2004 Rev. 2. The Name Greek Mythology Cerberus Gatekeeper of Hates Only allowed in dead Prevented dead from leaving Spelling."

Similar presentations

Kerberos: An Authentication Service for Open Network Systems Jennifer G. Steiner, Clifford Neuman, and Jeffrey I. Schiller Massachusetts Institute of Technology.

Kerberos: An Authentication Service for Open Network Systems Jennifer G. Steiner, Clifford Neuman, and Jeffrey I. Schiller Massachusetts Institute of Technology.
Overview Network security involves protecting a host (or a group of hosts) connected to a network Many of the same problems as with stand-alone computer.

Overview Network security involves protecting a host (or a group of hosts) connected to a network Many of the same problems as with stand-alone computer.
Supervisor :Dr. Lo'ai Ali Tawalbeh Done by: Wa’el Musa Hadi

Supervisor :Dr. Lo'ai Ali Tawalbeh Done by: Wa’el Musa Hadi
The Authentication Service ‘Kerberos’ and It’s Limitations

The Authentication Service ‘Kerberos’ and It’s Limitations
Chapter 10 Real world security protocols

Chapter 10 Real world security protocols
Security Protocols Sathish Vadhiyar Sources / Credits: Kerberos web pages and documents contained / pointed.

Security Protocols Sathish Vadhiyar Sources / Credits: Kerberos web pages and documents contained / pointed.
Windows 2000 Security --Kerberos COSC513 Project Sihua Xu June 13, 2014.

Windows 2000 Security --Kerberos COSC513 Project Sihua Xu June 13, 2014.
Chapter 14 – Authentication Applications

Chapter 14 – Authentication Applications
IT 221: Introduction to Information Security Principles Lecture 8:Authentication Applications For Educational Purposes Only Revised: October 20, 2002.

IT 221: Introduction to Information Security Principles Lecture 8:Authentication Applications For Educational Purposes Only Revised: October 20, 2002.
Authentication Applications The Kerberos Protocol Standard

Authentication Applications The Kerberos Protocol Standard
SCSC 455 Computer Security

SCSC 455 Computer Security
Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.

Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.
Kerberos Part 2 CNS 4650 Fall 2004 Rev. 2. PARC Once Again Once again XEROX PARC helped develop the basis for wide spread technology Needham-Schroeder.

Kerberos Part 2 CNS 4650 Fall 2004 Rev. 2. PARC Once Again Once again XEROX PARC helped develop the basis for wide spread technology Needham-Schroeder.
Key Management. Shared Key Exchange Problem How do Alice and Bob exchange a shared secret? Offline – Doesnt scale Using public key cryptography (possible)

Key Management. Shared Key Exchange Problem How do Alice and Bob exchange a shared secret? Offline – Doesnt scale Using public key cryptography (possible)
Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.

Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.
Kerberos 1 Public domain image of Heracles and Cerberus. From an Attic bilingual amphora, 530–520 BC. From Italy (?).

Kerberos 1 Public domain image of Heracles and Cerberus. From an Attic bilingual amphora, 530–520 BC. From Italy (?).
Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.

Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
Access Control Chapter 3 Part 3 Pages 209 to 227.

Access Control Chapter 3 Part 3 Pages 209 to 227.
Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.

Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.

Similar presentations

Ads by Google