
1 Netprog: Kerberos1 KERBEROS

2 Contents: Introduction History Components Authentication Process Strengths Weaknesses and Solutions Applications References

3 Introduction
 It is a secure, single-sign-on, trusted third-party authentication service
 Makes the assumption that the connection between a client and a service is insecure
 Passwords are encrypted to prevent others from reading them
 Clients only have to authenticate once during a pre-defined lifetime
 Provides a way to authenticate clients and services to each other through a trusted third party

4 How did Kerberos get its name? The name "Kerberos" comes from the mythological three-headed dog that guarded the entrance to Hades. Hades => Underworld (where hackers apparently live).

5 History
 Developed at MIT as part of Project Athena in the mid 1980s
 Currently, Kerberos is up to Version 5; Version 4 was the first version to be released outside of MIT
 Adopted by several private companies as well as added to several operating systems
 Its creation was inspired by the client-server model

6 Components
 Principals
 Realms
 Key Distribution Centers (KDCs)
  ◦ Authentication Service
  ◦ Ticket Granting Service

7 Components
 Principals: each entity, such as a client or an application server, is represented as a principal
 Realms: companies and organizations are composed of different departments, and each can be served by its own Kerberos administrative domain, called a realm

8 Components
 Key Distribution Centers (KDCs)
  ◦ composed of an Authentication Service and a Ticket Granting Server
  ◦ have a database that houses all principals and their keys for a given realm
  ◦ at least one KDC per realm

9 Authentication Process (diagram: Susan at Susan's Desktop Computer, the Key Distribution Center containing the Authentication Service and the Ticket Granting Service, and the XYZ Service). Think "Kerberos Server" for the Key Distribution Center.

10 (same diagram) The XYZ Service represents something requiring Kerberos authentication (web server, FTP server, SSH server, etc.)

11 (same diagram) Susan's Desktop Computer to the Authentication Service: "I'd like to be allowed to get tickets from the Ticket Granting Server, please."

12 (same diagram) Authentication Service to Susan's Desktop Computer: "Okay. I locked this box with your secret password. If you can unlock it, you can use its contents to access my Ticket Granting Service."

13 (same diagram) Susan unlocks the box with myPassword and obtains a TGT.

14 Because Susan was able to open the box (decrypt a message) from the Authentication Service, she is now the owner of a "Ticket-Granting Ticket". The Ticket-Granting Ticket (TGT) must be presented to the Ticket Granting Service in order to acquire "service tickets" for use with services requiring Kerberos authentication. The TGT contains no password information.

15 (same diagram) Susan's Desktop Computer to the Ticket Granting Service: "Let me prove I am Susan to XYZ Service. Here's a copy of my TGT!" (request: use XYZ)

16 (same diagram) Ticket Granting Service to Susan's Desktop Computer: "You're Susan. Here, take this." The service ticket reads: "Hey XYZ: Susan is Susan. CONFIRMED: TGS"

17 (same diagram) Susan's Desktop Computer to XYZ Service: "I'm Susan. I'll prove it. Here's a copy of my legit service ticket for XYZ." (ticket: "Hey XYZ: Susan is Susan. CONFIRMED: TGS")

18 (same diagram) XYZ Service, after reading the ticket: "That's Susan alright. Let me determine if she is authorized to use me."

19 Authorization checks are performed by the XYZ service. Just because Susan has authenticated herself does not inherently mean she is authorized to make use of the XYZ service.

20 One remaining note: Tickets (your TGT as well as service-specific tickets) have expiration dates configured by your local system administrator(s). An expired ticket is unusable. Until a ticket’s expiration, it may be used repeatedly.

21 (same diagram) Susan's Desktop Computer to XYZ Service, later: "ME AGAIN! I'll prove it. Here's another copy of my legit service ticket for XYZ." (ticket: "Hey XYZ: Susan is Susan. CONFIRMED: TGS"; request: use XYZ)

22 (same diagram) XYZ Service: "That's Susan... again. Let me determine if she is authorized to use me."
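The whole exchange of slides 11 through 22 (AS exchange, TGS exchange, service ticket, authorization check, ticket lifetime), as an added simulation that is not part of the presentation. It assumes a toy encrypt-then-MAC "locked box" built from SHA-256 and HMAC in place of Kerberos's real encryption types, a single-realm KDC whose database holds the keys for Susan, the ticket-granting service (named krbtgt here) and the XYZ service, a constructed XYZ access list, and an 8-hour lifetime; the principal and service names are made up for the example.

```python
import hashlib, hmac, json, os, time

TTL = 8 * 3600  # ticket lifetime in seconds; an administrator setting in real deployments

def _keystream(key, nonce, n):
    out = b""
    for i in range((n + 31) // 32):
        out += hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
    return out[:n]

def seal(key, obj):
    """Toy 'locked box' (assumption, not a Kerberos enctype): encrypt-then-MAC a JSON object."""
    pt = json.dumps(obj).encode()
    nonce = os.urandom(16)
    body = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + body + hmac.new(key, nonce + body, hashlib.sha256).digest()

def unseal(key, blob):
    """Open a box; fails if the key is wrong or the box was altered."""
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, hashlib.sha256).digest()):
        raise ValueError("box will not open: wrong key or tampered")
    return json.loads(bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body)))))

def password_key(principal, password):
    """Long-term key derived from the password; the password itself never leaves the client."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 10_000)

class KDC:
    """Key Distribution Center: one database of principal keys, serving as both AS and TGS."""
    def __init__(self, now):
        self.now = now
        self.keys = {"krbtgt": os.urandom(32), "xyz": os.urandom(32)}  # TGS key, XYZ service key

    def add_user(self, principal, password):
        self.keys[principal] = password_key(principal, password)

    def as_exchange(self, principal):
        """Slides 11-13: the AS returns a TGT inside a box locked with the user's key."""
        sk = os.urandom(32)  # session key shared between the client and the TGS
        tgt = seal(self.keys["krbtgt"], {"client": principal, "sk": sk.hex(), "expires": self.now + TTL})
        return seal(self.keys[principal], {"sk": sk.hex(), "tgt": tgt.hex()})

    def tgs_exchange(self, tgt_hex, authenticator, service):
        """Slides 15-16: the TGS checks the TGT and issues a ticket for the named service."""
        tgt = unseal(self.keys["krbtgt"], bytes.fromhex(tgt_hex))
        if self.now >= tgt["expires"]:
            raise PermissionError("TGT expired")
        sk = bytes.fromhex(tgt["sk"])
        auth = unseal(sk, authenticator)  # only the real TGT holder knows this session key
        if auth["client"] != tgt["client"]:
            raise PermissionError("authenticator does not match TGT")
        svc_sk = os.urandom(32)
        ticket = seal(self.keys[service], {"client": tgt["client"], "sk": svc_sk.hex(), "expires": self.now + TTL})
        return seal(sk, {"sk": svc_sk.hex(), "ticket": ticket.hex()})

class Client:
    def __init__(self, principal, password):
        self.principal, self.key = principal, password_key(principal, password)

    def login(self, kdc):
        reply = unseal(self.key, kdc.as_exchange(self.principal))  # wrong password: box stays shut
        self.tgs_sk, self.tgt = bytes.fromhex(reply["sk"]), reply["tgt"]

    def get_service_ticket(self, kdc, service):
        auth = seal(self.tgs_sk, {"client": self.principal, "time": kdc.now})
        reply = unseal(self.tgs_sk, kdc.tgs_exchange(self.tgt, auth, service))
        return reply["ticket"], bytes.fromhex(reply["sk"])

    def authenticator_for(self, sk, now):
        return seal(sk, {"client": self.principal, "time": now})

def service_verify(service_key, ticket_hex, authenticator, now):
    """Slides 17-18, 21-22: XYZ opens the ticket with its own key and checks the authenticator."""
    ticket = unseal(service_key, bytes.fromhex(ticket_hex))
    if now >= ticket["expires"]:
        raise PermissionError("service ticket expired")
    auth = unseal(bytes.fromhex(ticket["sk"]), authenticator)
    if auth["client"] != ticket["client"]:
        raise PermissionError("authenticator does not match ticket")
    return ticket["client"]  # authenticated; authorization is a separate decision (slide 19)

XYZ_ACL = {"susan"}  # constructed access list kept by the XYZ service itself

def run_demo(password="myPassword", acl=XYZ_ACL, later=0):
    """Return (authenticated principal, authorized?) for a visit `later` seconds after login."""
    now = int(time.time())
    kdc = KDC(now)
    kdc.add_user("susan", "myPassword")
    susan = Client("susan", password)
    susan.login(kdc)
    ticket, sk = susan.get_service_ticket(kdc, "xyz")
    # The XYZ service holds its own copy of kdc.keys["xyz"] (a keytab in practice); the ticket
    # can be reused until it expires, which the `later` offset exercises.
    who = service_verify(kdc.keys["xyz"], ticket, susan.authenticator_for(sk, now + later), now + later)
    return who, who in acl

if __name__ == "__main__":
    print(run_demo())            # ('susan', True)
    print(run_demo(acl=set()))   # ('susan', False): authenticated but not authorized
```

Three things the slides state are visible in the code: the password only ever feeds a key derivation on the client, so a wrong password simply leaves the AS reply locked; the TGT and service ticket carry a session key and an expiry but no password material; and `service_verify` returning a name says nothing about authorization, which the service decides against its own list.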

23 Strengths
1. Passwords are never sent across the network unencrypted
2. Clients and application services are mutually authenticated
3. Tickets have a limited lifetime
4. Authentication through the AS only has to happen once
5. Shared secret keys between clients and services are more efficient than public-key operations

24 Weaknesses and Solutions
 If a TGT is stolen, it can be used to access network services. Only a problem until the ticket expires, in a few hours.
 Very bad if the Authentication Server is compromised. Solution: physical protection for the server.

25 Applications:
 Kerberos-aware applications are called Kerberized
 Some Kerberized applications are: Berkeley R-commands, Telnet, POP, USC's Win2000 network, FTP

26 THANK YOU
