Presentation is loading. Please wait.

Presentation is loading. Please wait.

Computer Science CSC 474Dr. Peng Ning1 CSC 474 Information Systems Security Topic 4.6 Kerberos.

Published byMakenna Gulling Modified over 10 years ago

Similar presentations

Presentation on theme: "Computer Science CSC 474Dr. Peng Ning1 CSC 474 Information Systems Security Topic 4.6 Kerberos."— Presentation transcript:

1 Computer Science CSC 474Dr. Peng Ning1 CSC 474 Information Systems Security Topic 4.6 Kerberos

2 Computer Science CSC 474Dr. Peng Ning2 The Authentication Problem Assume an open distributed environment in which users at workstations wish to access services on servers distributed throughout the network. Restrict access to authorized users and to be able to authenticate requests for service.

3 Computer Science CSC 474Dr. Peng Ning3 Can we rely on workstation for authentication service? Three threats: –A user may gain access to a particular workstation and pretend to be another user operating from that workstation. –A user may alter the network address of a workstation so that the requests sent from the altered workstation appear to come from the impersonated workstation. –A user may eavesdrop on exchanges and use a replay attack to gain entrance to a server or to disrupt operations.

4 Computer Science CSC 474Dr. Peng Ning4 Authentication Service Provided by Kerberos A centralized authentication service –Authenticate users to services –Authenticate services to users –Servers are relieved of the burden of maintaining authentication information. Facts about Kerberos –Rely exclusively on conventional encryption. Public key based Kerberos has been considered. –Stateless: Kerberos server doesnt need to maintain the state information about any entities being authenticated.

5 Computer Science CSC 474Dr. Peng Ning5 Requirements for Kerberos Secure –A network eavesdropper should not be able to obtain the necessary to impersonate a user. Reliable –Kerberos should be highly available and should employ a distributed server architecture. Transparent –The user shouldnt be aware that authentication is taking place. Scalable –The system should be capable of supporting large numbers of clients and servers.

6 Computer Science CSC 474Dr. Peng Ning6 The Kerberos Protocol Outline of the introduction to the Kerberos protocol –A simple authentication protocol –A more secure authentication protocol –Kerberos Version 4 authentication protocol

7 Computer Science CSC 474Dr. Peng Ning7 A Simple Authentication Protocol Use an authentication server (AS) Basic idea: use a ticket to authenticate a user to a server. Protocol 1.C AS: ID C || P C || ID V 2.AS C:Ticket 3.C V:ID C || Ticket –Ticket = E K V [ID C || AD C || ID V ]

8 Computer Science CSC 474Dr. Peng Ning8 A Simple Authentication Protocol (Contd) Advantages –A centralized authentication service Weaknesses –A user needs to enter a password for every different service. –Password is transmitted in plaintext.

9 Computer Science CSC 474Dr. Peng Ning9 A More Secure Authentication Protocol A new server: ticket-granting server (TGS) Protocol –Once per user logon session 1)C AS:ID C || ID tgs 2)AS C:E K C [Ticket tgs ] –Once per type of service 3)C TGS:ID C || ID V || Ticket tgs 4)TGS C:Ticket V –Once per service session 5)C V:ID C || Ticket V –Ticket tgs = E K tgs [ID C || AD C || ID tgs || TS 1 || lifetime 1 ] –Ticket V = E K V [ID C || AD C || ID V || TS 2 || lifetime 2 ]

10 Computer Science CSC 474Dr. Peng Ning10 A More Secure Authentication Protocol (Contd) Ticket-granting ticket (TGT): Ticket tgs. Service-granting ticket: Ticket V. Weaknesses –Replay attack: No authentication of the valid ownership of the tickets. –No authentication of the servers. What are the components in the tickets? What are the components in the tickets? Why do we have them? Why do we have them?

11 Computer Science CSC 474Dr. Peng Ning11 Kerberos Version 4 Protocol Basic idea to address the previous weaknesses –Session key Authentication of the valid ownership of the tickets Provide authentication of servers.

12 Computer Science CSC 474Dr. Peng Ning12 Kerberos Version 4 Protocol (Contd) Authentication Service Exchange: to obtain ticket- granting ticket 1)C AS: ID C || ID tgs || TS 1 2)AS C: E K C [K C,tgs || ID tgs || TS 2 || Lifetime 2 || Ticket tgs ] –Ticket tgs = E K tgs [K C,tgs || ID C || AD C || ID tgs || TS 2 || Lifetime 2 ]

13 Computer Science CSC 474Dr. Peng Ning13 Kerberos Version 4 Protocol (Contd) Ticket-Granting Service Exchange: to obtain service-granting ticket 3)C TGS: ID V || Ticket tgs || Authenticator c 4)TGS C: E K C,tgs [K C,V || ID V || TS 4 ||Lifetime 4 || Ticket V ] –Ticket tgs = E K tgs [K C,tgs || ID C || AD C || ID tgs || TS 2 || Lifetime 2 ] –Ticket V = E K V [K C,V || ID C || AD C || ID V || TS 4 || Lifetime 4 ] –Authenticator c = E K C,tgs [ID C || AD C || TS 3 ]

14 Computer Science CSC 474Dr. Peng Ning14 Kerberos Version 4 Protocol (Contd) Client/Server Authentication Exchange: to obtain service 5)C V: Ticket V || Authenticator c 6)V C: E K C,V [TS 5 + 1] –Ticket V = E K V [K C,V || ID C || AD C || ID V || TS 4 || Lifetime 4 ] –Authenticator c = E K C,V [ID C || AD C || TS 5 ]

15 Computer Science CSC 474Dr. Peng Ning15 The Whole Picture Keberos Authentication Server (AS) Ticket-Granting Server (TGS) Server 1. Request TGT 2. TGT + session key 3. Request SGT 4. Ticket + session key 5. Request service 6. Server authenticator

16 Computer Science CSC 474Dr. Peng Ning16 Kerberos Deployment The Kerberos server must have the user ID and hashed password of all participating users in its database. The Kerberos server must share a secret key with each server. Kerberos are physically secured Kerberos libraries are distributed on all nodes with users, applications, and other Kerberos- controlled resources

17 Computer Science CSC 474Dr. Peng Ning17 Replicated Kerberos Multiple replica of Kerberos - availability and performance Keeping Kerberos databases consistent –Single master Kerberos as the point of direct update to principals database entries –Updated database is downloaded from the master to all replica Kerberos –Periodic download or on-demand

18 Computer Science CSC 474Dr. Peng Ning18 Kerberos Realms and Multiple Kerberi Kerberos realm – A full-service Kerberos environment consists of a Kerberos server, a number of clients, and a number of application servers Inter-realm authentication –The Kerberos server in each interoperating realm shares a secret key with the server in the other realm. The two Kerberos servers are registered with each other.

19 Computer Science CSC 474Dr. Peng Ning19 Inter-realm Authentication AS TGS AS TGS client server Realm A Realm B Kerberos 1. Request ticket for local TGS 2. Ticket for local TGS 3. Request ticket for remote TGS 4. Ticket for remote TGS 5. Request ticket for remote server 6. Ticket for remote server 7. Ticket for remote server 8. Remote server authenticator

Download ppt "Computer Science CSC 474Dr. Peng Ning1 CSC 474 Information Systems Security Topic 4.6 Kerberos."

Similar presentations

ISA 662 Internet Security Protocols Kerberos Prof. Ravi Sandhu.

ISA 662 Internet Security Protocols Kerberos Prof. Ravi Sandhu.
Computer Science CSC 474Dr. Peng Ning1 CSC 474 Information Systems Security Topic 4.2: IPsec.

Computer Science CSC 474Dr. Peng Ning1 CSC 474 Information Systems Security Topic 4.2: IPsec.
Computer Science CSC 474Dr. Peng Ning1 CSC 474 Information Systems Security Topic 5.1 Malicious Logic.

Computer Science CSC 474Dr. Peng Ning1 CSC 474 Information Systems Security Topic 5.1 Malicious Logic.
Computer Science CSC 474Dr. Peng Ning1 CSC 474 Information Systems Security Topic 4.4 Public Key Infrastructure (PKI) Acknowledgment: Slides revised from.

Computer Science CSC 474Dr. Peng Ning1 CSC 474 Information Systems Security Topic 4.4 Public Key Infrastructure (PKI) Acknowledgment: Slides revised from.
Computer Science CSC 474Dr. Peng Ning1 CSC 474 Information Systems Security Topic 3.1 Overview of Authentication.

Computer Science CSC 474Dr. Peng Ning1 CSC 474 Information Systems Security Topic 3.1 Overview of Authentication.
Computer Science CSC 474Dr. Peng Ning1 CSC 474 Information Systems Security Topic 4.1 Firewalls.

Computer Science CSC 474Dr. Peng Ning1 CSC 474 Information Systems Security Topic 4.1 Firewalls.
1 Kerberos Anita Jones November, 2006. 2 Kerberos * : Objective Assumed environment Assumed environment –Open distributed environment –Wireless and Ethernetted.

1 Kerberos Anita Jones November, Kerberos * : Objective Assumed environment Assumed environment –Open distributed environment –Wireless and Ethernetted.
Supervisor :Dr. Lo'ai Ali Tawalbeh Done by: Wa’el Musa Hadi

Supervisor :Dr. Lo'ai Ali Tawalbeh Done by: Wa’el Musa Hadi
The Authentication Service ‘Kerberos’ and It’s Limitations

The Authentication Service ‘Kerberos’ and It’s Limitations
Henric Johnson1 Chapter 4 Authentication Applications Henric Johnson Blekinge Institute of Technology,Sweden

Henric Johnson1 Chapter 4 Authentication Applications Henric Johnson Blekinge Institute of Technology,Sweden
Authentication Applications Kerberos And X.509. Kerberos Motivation –Secure against eavesdropping –Reliable – distributed architecture –Transparent –

Authentication Applications Kerberos And X.509. Kerberos Motivation –Secure against eavesdropping –Reliable – distributed architecture –Transparent –
Authentication Applications

Authentication Applications
1 Authentication Applications Ola Flygt Växjö University, Sweden +46 470 70 86 49.

1 Authentication Applications Ola Flygt Växjö University, Sweden
Windows 2000 Security --Kerberos COSC513 Project Sihua Xu June 13, 2014.

Windows 2000 Security --Kerberos COSC513 Project Sihua Xu June 13, 2014.
Chapter 14 – Authentication Applications

Chapter 14 – Authentication Applications
NETWORK SECURITY.

NETWORK SECURITY.
KERBEROS www.unix.org.ua/orelly/networking/puis/ch19_06.htm.

KERBEROS
IT 221: Introduction to Information Security Principles Lecture 8:Authentication Applications For Educational Purposes Only Revised: October 20, 2002.

IT 221: Introduction to Information Security Principles Lecture 8:Authentication Applications For Educational Purposes Only Revised: October 20, 2002.
Authentication Applications The Kerberos Protocol Standard

Authentication Applications The Kerberos Protocol Standard
SCSC 455 Computer Security

SCSC 455 Computer Security

Similar presentations

Ads by Google