Presentation is loading. Please wait.

Presentation is loading. Please wait.

Introduction to Kerberos Kerberos and Domain Authentication.

Published byPrimrose Freeman Modified over 9 years ago

Similar presentations

Presentation on theme: "Introduction to Kerberos Kerberos and Domain Authentication."— Presentation transcript:

1

2 Introduction to Kerberos Kerberos and Domain Authentication

3 Key Kerberos Concepts Microsoft Kerberos is: An authentication protocol Based on encrypted “tickets” with client credentials The default authentication package in Microsoft ® Windows ® 2000 The basis for transitive domain trusts Based on RFC 1510 and draft revisions More efficient than NTLM Extensible

4 Kerberos’ Goals  Authenticate User’s Identity User Principal Name (someone@microsoft.com) User Principal Name (someone@microsoft.com)  Securely Delivers User Credentials in “Ticket” Privilege Attribute Certificate (PAC) Privilege Attribute Certificate (PAC)  Privacy Through Encryption  Kerberos Uses Keys for Encryption  Kerberos Authenticator Prevents Packet Anti- Replay

5 Kerberos Terms Authentication Service (AS): This service runs on the Key Distribution Center (KDC) server. It authenticates a client logon and issues a Ticket Granting Ticket (TGT) for future authentication. Ticket Granting Service (TGS): This service runs on the KDC server. It grants tickets to TGT holding clients for a specific application server or resource. Ticket Granting Ticket (TGT): This ticket is received from the Authentication Service (SA) that contains the client’s Privilege Attribute Certificate (PAC). Ticket: This ticket is received from the TGS that provides authentication for a specific application server or resource. Session Key: This is the derived value used strictly for the immediate session between a client and a resource. Privilege Attribute Certificate (PAC): This is strictly used in Windows 2000 Kerberos authentication. Contains information such as the user’s Security ID (SID), group membership SIDs, and users’ rights on the domain.

6 Authentication Service (AS) Ticket Granting Service (TGS) Windows 2000 domain controller (KDC) Kerberos client \\AppServ 1. Request a ticket for TGS 2. Return TGT to client 3. Send TGT and request for ticket to \\AppServ 4. Return ticket for \\AppServ 5. Send session ticket to \\AppServ 6. (Optional) Send confirmation of identity to client Domain Authentication and Resource Access

7 Keys Used in Kerberos  Long-Term Symmetric Keys  Short-Term Symmetric Keys  Asymmetric Keys

8  RFC 1510 specifies UDP for transport.  Kerberos adds user credentials to messages called by the PAC.  Messages of less than 2,000 bytes, such as interaction with MIT KDC server or client, are sent over UDP.  Messages of 2,000 bytes or more, such as interaction with Microsoft KDC server or client, are sent over TCP. Kerberos and Internet Protocol (IP) Transport: UDP/TCP

9 Locating a KDC  The Kerberos KDC runs on every Windows 2000 domain controller.  Kerberos client queries for a domain controller:  Queries Netlogon if it is running  Queries DNS  Kerberos client attempts to contact three times, and then rediscovers KDCs.

10 Requesting a Ticket  Requests go to the KDC: TGT sends requests to the AS TGT sends requests to the AS Session ticket sends requests to the TGS Session ticket sends requests to the TGS  Contents of ticket requests: Names Names Times Times Encryption method Encryption method Properties Properties

11 The Authenticator  Authenticator Authenticates Ticket  Why Is This Necessary?  How Does This Work?  The Authenticator’s Time Stamp  Authenticator Field Contents

12 AS_REQ Message KDC (AS) Kerberos client From: aclient@microsoft.com To: krbtgt@microsoft.com Request ticket for: TGS DNS KDC query Message 1: The Authentication Server Request

13 AS_REP Message KDC (AS) Kerberos client From: krbtgt@microsoft.com To: aclient@microsoft.com Contains ticket for: TGS (TGT) Contains: Session key for TGS Ticket (TGT) encrypted with TGS server key Session key encrypted with user key Message 2: The Authentication Server Response

14 TGS_REQ Message KDC (TGS) Kerberos client From: aclient@microsoft.com To: krbtgt@microsoft.com Contains ticket: TGT Contains Authenticator Request ticket for: AppServ TGT encrypted with TGS server key Authenticator encrypted with TGS session key Message 3: The Ticket Granting Server Request

15 TGS_REP Message KDC (TGS) Kerberos client From: krbtgt@microsoft.com To: aclient@microsoft.com Contains ticket for: AppServ Contains: Session Key for AppServ Ticket encrypted with AppServ server key AppServ session key encrypted with TGS session key Message 4: The Ticket Granting Server Response

16 AP_REQ Message AppServ Kerberos client From: aclient@microsoft.com To: appserv@microsoft.com Contains ticket for: AppServ Contains Authenticator Contains: Mutual Authentication Request (optional) Ticket encrypted with AppServ server key Authenticator encrypted with AppServ session key Message 5: The Application Server Request

17 AP_REP Message AppServ Kerberos client From: appserv@microsoft.com To: aclient@microsoft.com Contains:Mutual Authentication Response Message encrypted with session key Message 6: The Optional Application Server Response

18 Authentication Service (AS) Ticket Granting Service (TGS) Windows 2000 domain controller (KDC) Username Password Long Term Symmetric Key (LTSK) Cache \\AppServ Client Logon AS_REQ E U (LTSK) (Authenticator), Username AS_REP E KDC (TGT), E U (SK) TGS_REQ E KDC (TGT), E SK (Authenticator), AppSrv TGS_REP E AppSrv (Ticket), E SK( C-K ) (SK C-A ) AP_REQ E AppSrv (Ticket), E SK C (Authenticator) AP_REP E SK C-A (time stamp) Legend LTSK: Long Term Symmetric Key SK: Session Key E: Encrypted C: Client K: KDC A: AppSrv

19 Kerberos Policy  Kerberos Policy Settings On a domain controller in your domain in Administrative Tools, click Domain Security Policy, click Windows Settings, click Security Settings, click Account Policies, and then click Kerberos Policy. Enforce logon restrictions: Yes Enforce logon restrictions: Yes Maximum lifetime that a user ticket can be renewed: 7 days Maximum lifetime that a user ticket can be renewed: 7 days Maximum service ticket lifetime: 60 minutes Maximum service ticket lifetime: 60 minutes Maximum tolerance for synchronization of computer clocks: 5 minutes Maximum tolerance for synchronization of computer clocks: 5 minutes Maximum TGT lifetime: 10 hours Maximum TGT lifetime: 10 hours

20 Kerberos Tools  KerbTray Displays ticket information Displays ticket information Runs on the taskbar Runs on the taskbar Lists or purges tickets Lists or purges tickets

21 Kerberos Tools (2)  NetDom Included with Microsoft ® Windows ® 2000 Server Included with Microsoft ® Windows ® 2000 Server Displays domain information Displays domain information Resets broken Kerberos transitive trusts Resets broken Kerberos transitive trusts

22 Review  Kerberos Concepts  Authentication  Resource Authentication  Kerberos Tools

23

Download ppt "Introduction to Kerberos Kerberos and Domain Authentication."

Similar presentations

Kerberos Authentication. Kerberos Requires shared secret with KDC ( perhaps not for PKINIT) Shared session key established Time synchronization needed.

Kerberos Authentication. Kerberos Requires shared secret with KDC ( perhaps not for PKINIT) Shared session key established Time synchronization needed.
Overview Network security involves protecting a host (or a group of hosts) connected to a network Many of the same problems as with stand-alone computer.

Overview Network security involves protecting a host (or a group of hosts) connected to a network Many of the same problems as with stand-alone computer.
Supervisor :Dr. Lo'ai Ali Tawalbeh Done by: Wa’el Musa Hadi

Supervisor :Dr. Lo'ai Ali Tawalbeh Done by: Wa’el Musa Hadi
Security Protocols Sathish Vadhiyar Sources / Credits: Kerberos web pages and documents contained / pointed.

Security Protocols Sathish Vadhiyar Sources / Credits: Kerberos web pages and documents contained / pointed.
KERBEROS A NETWORK AUTHENTICATION PROTOCOL Nick Parker CS372 Computer Networks.

KERBEROS A NETWORK AUTHENTICATION PROTOCOL Nick Parker CS372 Computer Networks.
Windows 2000 Security --Kerberos COSC513 Project Sihua Xu June 13, 2014.

Windows 2000 Security --Kerberos COSC513 Project Sihua Xu June 13, 2014.
Authentication Applications The Kerberos Protocol Standard

Authentication Applications The Kerberos Protocol Standard
SCSC 455 Computer Security

SCSC 455 Computer Security
Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.

Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.
Kerberos Part 2 CNS 4650 Fall 2004 Rev. 2. PARC Once Again Once again XEROX PARC helped develop the basis for wide spread technology Needham-Schroeder.

Kerberos Part 2 CNS 4650 Fall 2004 Rev. 2. PARC Once Again Once again XEROX PARC helped develop the basis for wide spread technology Needham-Schroeder.
Key Management. Shared Key Exchange Problem How do Alice and Bob exchange a shared secret? Offline – Doesnt scale Using public key cryptography (possible)

Key Management. Shared Key Exchange Problem How do Alice and Bob exchange a shared secret? Offline – Doesnt scale Using public key cryptography (possible)
Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.

Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.
Kerberos 1 Public domain image of Heracles and Cerberus. From an Attic bilingual amphora, 530–520 BC. From Italy (?).

Kerberos 1 Public domain image of Heracles and Cerberus. From an Attic bilingual amphora, 530–520 BC. From Italy (?).
Akshat Sharma Samarth Shah

Akshat Sharma Samarth Shah
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
Access Control Chapter 3 Part 3 Pages 209 to 227.

Access Control Chapter 3 Part 3 Pages 209 to 227.
The Kerberos Authentication System Brad Karp UCL Computer Science CS GZ03 / M030 17 th November, 2008.

The Kerberos Authentication System Brad Karp UCL Computer Science CS GZ03 / M th November, 2008.
Windows Server 2003 建立網域間之信任關係

Windows Server 2003 建立網域間之信任關係
Winter 2006Prof. R. Aviv: Kerberos1 Kerberos Authentication Systems.

Winter 2006Prof. R. Aviv: Kerberos1 Kerberos Authentication Systems.
1 Lecture 12: Kerberos terms and configuration phases –logging to network –accessing remote server replicated KDC multiple realms message privacy and integrity.

1 Lecture 12: Kerberos terms and configuration phases –logging to network –accessing remote server replicated KDC multiple realms message privacy and integrity.

Similar presentations

Ads by Google