Presentation is loading. Please wait.

Presentation is loading. Please wait.

Kerberos. What is Kerberos? Network authentication protocol Developed at MIT in the mid 1980s Available as open source or in supported commercial software.

Published byFrederica Bell Modified over 9 years ago

Similar presentations

Presentation on theme: "Kerberos. What is Kerberos? Network authentication protocol Developed at MIT in the mid 1980s Available as open source or in supported commercial software."— Presentation transcript:

1 Kerberos

2 What is Kerberos? Network authentication protocol Developed at MIT in the mid 1980s Available as open source or in supported commercial software

3 Why Kerberos? Sending usernames and passwords in the clear breech in the security of the network. Each time a password is sent in the clear, there is a chance for interception.

4 Firewall vs. Kerberos? Firewalls make a risky assumption: that attackers are coming from the outside. In reality, attacks frequently come from within. Kerberos assumes that network connections (rather than servers and work stations) are the weak link in network security.

5 Design Requirements Interactions between hosts and clients should be encrypted. Must be convenient for users (or they won’t use it). Protect against intercepted credentials.

6 Cryptography Approach Private Key: Each party uses the same secret key to encode and decode messages. Uses a trusted third party which can vouch for the identity of both parties in a transaction. Security of third party is imperative.

7 How does Kerberos work? Instead of client sending password to application server: ◦ Request Ticket from authentication server ◦ Ticket and encrypted request sent to application server How to request tickets without repeatedly sending credentials? ◦ Ticket granting ticket (TGT)

8 How does Kerberos work?: Ticket Granting Tickets

9 How does Kerberos Work?: The Ticket Granting Service

10 How does Kerberos work?: The Application Server

11 Applications Authentication Authorization Confidentiality Within networks and small sets of networks

12 Weaknesses and Solutions If TGT stolen, can be used to access network services. Only a problem until ticket expires in a few hours. Subject to dictionary attack. Timestamps require hacker to guess in 5 minutes. Very bad if Authentication Server compromised. Physical protection for the server.

13 The Competition: SSL

14 Susan Key Distribution Center Ticket Granting Service Authen- Tication Service XYZ Service Susan’s Desktop Computer Think “Kerberos Server” and don’t let yourself get mired in terminology.

15 Susan Key Distribution Center Ticket Granting Service Authen- Tication Service XYZ Service Susan’s Desktop Computer Represents something requiring Kerberos authentication (web server, ftp server, ssh server, etc…)

16 Susan’s Desktop Computer Susan Key Distribution Center Ticket Granting Service Authen- Tication Service XYZ Service “I’d like to be allowed to get tickets from the Ticket Granting Server, please.

17 Susan’s Desktop Computer Susan Key Distribution Center Ticket Granting Service Authen- Tication Service XYZ Service “Okay. I locked this box with your secret password. If you can unlock it, you can use its contents to access my Ticket Granting Service.”

18 Susan’s Desktop Computer Susan Key Distribution Center Ticket Granting Service Authen- Tication Service myPassword XYZ Service TGT

19 Because Susan was able to open the box (decrypt a message) from the Authentication Service, she is now the owner of a shiny “Ticket-Granting Ticket”. The Ticket-Granting Ticket (TGT) must be presented to the Ticket Granting Service in order to acquire “service tickets” for use with services requiring Kerberos authentication. The TGT contains no password information.

20 Susan’s Desktop Computer Susan Key Distribution Center Ticket Granting Service Authen- Tication Service XYZ Service “Let me prove I am Susan to XYZ Service. Here’s a copy of my TGT!” use XYZ TGT

21 Susan’s Desktop Computer Susan Key Distribution Center Ticket Granting Service Authen- Tication Service XYZ Service TGT Hey XYZ: Susan is Susan. CONFIRMED: TGS You’re Susan. Here, take this.

22 Susan’s Desktop Computer Susan Key Distribution Center Ticket Granting Service Authen- Tication Service XYZ Service TGT Hey XYZ: Susan is Susan. CONFIRMED: TGS I’m Susan. I’ll prove it. Here’s a copy of my legit service ticket for XYZ. Hey XYZ: Susan is Susan. CONFIRMED: TGS

23 Susan’s Desktop Computer Susan Key Distribution Center Ticket Granting Service Authen- Tication Service XYZ Service TGT Hey XYZ: Susan is Susan. CONFIRMED: TGS Hey XYZ: Susan is Susan. CONFIRMED: TGS That’s Susan alright. Let me determine if she is authorized to use me.

24 Authorization checks are performed by the XYZ service… Just because Susan has authenticated herself does not inherently mean she is authorized to make use of the XYZ service.

25 One remaining note: Tickets (your TGT as well as service-specific tickets) have expiration dates configured by your local system administrator(s). An expired ticket is unusable. Until a ticket’s expiration, it may be used repeatedly.

26 Susan’s Desktop Computer Susan Key Distribution Center Ticket Granting Service Authen- Tication Service XYZ Service TGT Hey XYZ: Susan is Susan. CONFIRMED: TGS ME AGAIN! I’ll prove it. Here’s another copy of my legit service ticket for XYZ. Hey XYZ: Susan is Susan. CONFIRMED: TGS use XYZ

27 Susan’s Desktop Computer Susan Key Distribution Center Ticket Granting Service Authen- Tication Service XYZ Service TGT Hey XYZ: Susan is Susan. CONFIRMED: TGS Hey XYZ: Susan is Susan. CONFIRMED: TGS That’s Susan… again. Let me determine if she is authorized to use me.

Download ppt "Kerberos. What is Kerberos? Network authentication protocol Developed at MIT in the mid 1980s Available as open source or in supported commercial software."

Similar presentations

Kerberos: An Authentication Service for Open Network Systems Jennifer G. Steiner, Clifford Neuman, and Jeffrey I. Schiller Massachusetts Institute of Technology.

Kerberos: An Authentication Service for Open Network Systems Jennifer G. Steiner, Clifford Neuman, and Jeffrey I. Schiller Massachusetts Institute of Technology.
AUTHENTICATION AND KEY DISTRIBUTION

AUTHENTICATION AND KEY DISTRIBUTION
Overview Network security involves protecting a host (or a group of hosts) connected to a network Many of the same problems as with stand-alone computer.

Overview Network security involves protecting a host (or a group of hosts) connected to a network Many of the same problems as with stand-alone computer.
Supervisor :Dr. Lo'ai Ali Tawalbeh Done by: Wa’el Musa Hadi

Supervisor :Dr. Lo'ai Ali Tawalbeh Done by: Wa’el Musa Hadi
CS5204 – Operating Systems 1 A Private Key System KERBEROS.

CS5204 – Operating Systems 1 A Private Key System KERBEROS.
A less formal view of the Kerberos protocol J.-F. Pâris.

A less formal view of the Kerberos protocol J.-F. Pâris.
Kerberos for Users Jeff Blaine 5/2006. What is Kerberos? Developed by MIT Shared secret-based strong 3 rd party authentication Provides single sign-on.

Kerberos for Users Jeff Blaine 5/2006. What is Kerberos? Developed by MIT Shared secret-based strong 3 rd party authentication Provides single sign-on.
Chapter 10 Real world security protocols

Chapter 10 Real world security protocols
Security Protocols Sathish Vadhiyar Sources / Credits: Kerberos web pages and documents contained / pointed.

Security Protocols Sathish Vadhiyar Sources / Credits: Kerberos web pages and documents contained / pointed.
KERBEROS LtCdr Samit Mehra (05IT 6018).

KERBEROS LtCdr Samit Mehra (05IT 6018).
KERBEROS A NETWORK AUTHENTICATION PROTOCOL Nick Parker CS372 Computer Networks.

KERBEROS A NETWORK AUTHENTICATION PROTOCOL Nick Parker CS372 Computer Networks.
KERBEROS www.unix.org.ua/orelly/networking/puis/ch19_06.htm.

KERBEROS
Authentication Applications The Kerberos Protocol Standard

Authentication Applications The Kerberos Protocol Standard
SCSC 455 Computer Security

SCSC 455 Computer Security
Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.

Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.
Kerberos Part 2 CNS 4650 Fall 2004 Rev. 2. PARC Once Again Once again XEROX PARC helped develop the basis for wide spread technology Needham-Schroeder.

Kerberos Part 2 CNS 4650 Fall 2004 Rev. 2. PARC Once Again Once again XEROX PARC helped develop the basis for wide spread technology Needham-Schroeder.
Key Management. Shared Key Exchange Problem How do Alice and Bob exchange a shared secret? Offline – Doesnt scale Using public key cryptography (possible)

Key Management. Shared Key Exchange Problem How do Alice and Bob exchange a shared secret? Offline – Doesnt scale Using public key cryptography (possible)
Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.

Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.
Kerberos 1 Public domain image of Heracles and Cerberus. From an Attic bilingual amphora, 530–520 BC. From Italy (?).

Kerberos 1 Public domain image of Heracles and Cerberus. From an Attic bilingual amphora, 530–520 BC. From Italy (?).
Akshat Sharma Samarth Shah

Akshat Sharma Samarth Shah

Similar presentations

Ads by Google