1. Kerberos  Kerberos was a 3-headed dog in Greek mythology Guarded the gates of the deadGuarded the gates of the dead Decided who might enterDecided who might enter Strong security!Strong security!

2. Kerberos  Three Parties are Present Kerberos serverKerberos server Applicant hostApplicant host Verifier hostVerifier host Verifier Kerberos Server Applicant

3. Kerberos  Kerberos Server shares a symmetric key with each host Key shared with the Applicant will be called Key AS (Applicant-Server)Key shared with the Applicant will be called Key AS (Applicant-Server) Key shared with verifier will be Key VSKey shared with verifier will be Key VS Applicant Verifier Kerberos Server Key ASKey VS

4. Kerberos  Applicant sends message to Kerberos server Logs in and asks for ticket-granting ticket (TGT)Logs in and asks for ticket-granting ticket (TGT)  Authenticates the applicant to the server Server sends back ticket-granting ticketServer sends back ticket-granting ticket TGT allows applicant to request connectionsTGT allows applicant to request connections Applicant Kerberos Server TGT RQ TGT

5. Kerberos  To connect to the verifier  Applicant asks Kerberos server for credentials to introduce the applicant to the verifier  Request includes the Ticket- Granting Tickets Applicant Kerberos Server Credentials RQ

6. Kerberos  Kerberos server sends the credentials Credential include the session Key AV that applicant and verifier will use for secure communicationCredential include the session Key AV that applicant and verifier will use for secure communication Encrypted with Key AS so that interceptors cannot read itEncrypted with Key AS so that interceptors cannot read it Applicant Kerberos Server Credentials= Session Key AV Service Ticket

7. Kerberos  Kerberos server sends the credentials Credential also include the Service Ticket, which is encrypted with Key VS; Applicant cannot read or change itCredential also include the Service Ticket, which is encrypted with Key VS; Applicant cannot read or change it Applicant Kerberos Server Credentials= Session Key AV, Service Ticket

8. Kerberos  Applicant sends the Service Ticket plus a Authenticator to the Verifier Service ticket contains the symmetric session key (Key AV)Service ticket contains the symmetric session key (Key AV) Now both parties have Key AV and so can communicate with confidentialityNow both parties have Key AV and so can communicate with confidentiality ApplicantVerifier Service Ticket (Contains Key AV) + Authenticator

9. Kerberos  Applicant sends the Service Ticket plus a Authenticator to the Verifier Authenticator contains information encrypted with Key AVAuthenticator contains information encrypted with Key AV  Guarantees that the service ticket came from the applicant, which alone knows Key AV  Service ticket has a time stamp to prevent replay Service Ticket (Contains Key AV) + Authenticator

10. Kerberos  Subsequent communication between the applicant and verifier uses the symmetric session key (Key AV) for confidentiality ApplicantVerifier Communication Encrypted with Key AV

11. Kerberos  The Service Ticket can contain more than Key AV  If the applicant is a client and the verifier is a server, service ticket may contain Verifier’s user name and passwordVerifier’s user name and password List of rights to files and directories on the serverList of rights to files and directories on the server Verifier

12. Kerberos  Is the basis for security in Microsoft Operating systems  Only uses symmetric key encryption for reduced processing cost