Presentation is loading. Please wait.

Presentation is loading. Please wait.

KERBEROS LtCdr Samit Mehra (05IT 6018). What is Kerberos? Motivation Why Kerberos? Firewall Vs Kerberos Kerberos assumptions How does Kerberos work? Weakness.

Similar presentations


Presentation on theme: "KERBEROS LtCdr Samit Mehra (05IT 6018). What is Kerberos? Motivation Why Kerberos? Firewall Vs Kerberos Kerberos assumptions How does Kerberos work? Weakness."— Presentation transcript:

1 KERBEROS LtCdr Samit Mehra (05IT 6018)

2 What is Kerberos? Motivation Why Kerberos? Firewall Vs Kerberos Kerberos assumptions How does Kerberos work? Weakness and solutions Conclusion

3 WHAT IS KERBEROS? NETWORK AUTHENTICATION PROTOCOL DEVELOPED AT MIT IN THE MID 1980s AVAILABLE AS OPEN SOURCE OR IN SUPPORTED COMMERCIAL SOFTWARE REQUIRES THAT EACH CLIENT (EACH REQUEST FOR SERVICE) PROVE ITS IDENTITY. DOES NOT REQUIRE USER TO ENTER PASSWORD EVERY TIME A SERVICE IS REQUESTED!

4 WHAT IS KERBEROS? Contd AUTHENTICATION SERVICE FOR INTERACTIVE SERVICES LIKE TELNET,FTP etc. HERE USER PROMPTED FOR PASSWORD AND MUST LOGIN IN REAL TIME SYMMETRIC KEY ENCRYPTION USED IT IS FAST AND ALLOWS REAL TIME AUTHENTICATION

5

6 MOTIVATION WITHOUT KNOWLEDGE OF IDENTITY OF PERSON REQUESTING AN OPERATION DIFFICULT TO DECIDE IF IT SHOULD BE ALLOWED. TRADITIONAL AUTHENTICATION METHODS ARE NOT SUITABLE FOR USE IN COMPUTER NETWORKS WHERE ATTACKERS CAN MONITOR NETWORK TRAFFIC AND INTERCEPT PASSWORDS. USE OF STRONG AUTHENTICATION METHODS IS IMPERATIVE.

7 MOTIVATION IN A COMMON DISTRIBUTED ARCHIETECTURE THREE APPROACHES TO SECURITY ENVISAGED: RELY ON INDIVIDUAL CLIENT WORK STATIONS TO ASSURE IDENTITY OF USER. REQUIRE CLIENT SYSTEMS TO AUTHENTICATE THEMSELVES TO SERVERS. REQUIRE USER TO PROVE IDENTITY FOR EACH SERVICE INVOKED.

8 MOTIVATION IN A CLOSED ENVIRONMENT WHERE ALL SYSTEMS OWNED AND OPERATED BY SINGLE ORGANISATION FIRST OR SECOND APPROACH MAY SUFFICE. BUT IN AN OPEN ENVIRONMENT THIRD APPROACH (SUPPORTED BY KERBEROS) NEEDED TO PROTECT USER INFORMATION AND RESOURCES HOUSED ON SERVER.

9 WHY KERBEROS? AUTHENTICATION IS A KEY FEATURE IN A MULTI USER ENVIRONMENT. SENDING USERNAMES AND PASSWORDS IN THE CLEAR JEOPARDIZES THE SECURITY OF THE NETWORK. EACH TIME A PASSWORD IS SENT IN THE CLEAR, THERE IS A CHANCE FOR INTERCEPTION.

10 FIREWALL Vs KERBEROS FIREWALLS MAKE A RISKY ASSUMPTION: THAT ATTACKERS ARE COMING FROM THE OUTSIDE. IN REALITY, ATTACKS FREQUENTLY COME FROM WITHIN. KERBEROS ASSUMES THAT NETWORK CONNECTIONS (RATHER THAN SERVERS AND WORK STATIONS) ARE THE WEAK LINK IN NETWORK SECURITY.

11 KERBEROS ASSUMPTIONS THE USER WONT USE SIMPLE PASSWORDS LIKE HIS OWN USER NAME ETC… WHICH CAN BE EASILY BROKEN BY A PASSWORD CRACKER …IN FACT NO AUTHENTICATION MECHANISM TILL DATE CAN COPE FOR PASSWORD GUESSING. THE WORKSTATIONS OR MACHINES ARE MORE OR LESS SECURE I.E. THERE IS NO WAY FOR AN ATTACKER TO INTERCEPT COMMUNICATION BETWEEN A USER AND A CLIENT (USER PROCESS).

12 KERBEROS DESIGN USER MUST IDENTIFY HIMSELF ONCE AT THE BEGINNING OF A WORKSTATION SESSION (LOGIN SESSION). PASSWORDS ARE NEVER SENT ACROSS THE NETWORK IN CLEARTEXT (OR STORED IN MEMORY)

13 KERBEROS DESIGN (CONT.) EVERY USER HAS A PASSWORD. EVERY SERVICE HAS A PASSWORD. THE ONLY ENTITY THAT KNOWS ALL THE PASSWORDS IS THE AUTHENTICATION SERVER.

14 ServerServer ServerServer ServerServer ServerServer KerberosDatabase Ticket Granting Server Server Ticket Granting Server Server Authentication Authentication WorkstationWorkstation Kerberos Key Distribution Service

15 SECRET KEY CRYPTOGRAPHY THE ENCRYPTION USED BY KERBEROS IMPLEMENTATIONS IS DES, ALTHOUGH KERBEROS V5 ALLOWS OTHER ALGORITHMS CAN BE USED. ENCRYPTION PLAINTEXTCIPHERTEXT KEY CIPHERTEXT PLAINTEXT DECRYPTION

16 HOW DOES KERBEROS WORK? INSTEAD OF CLIENT SENDING PASSWORD TO APPLICATION SERVER: –REQUEST TICKET FROM AUTHENTICATION SERVER –TICKET AND ENCRYPTED REQUEST SENT TO APPLICATION SERVER HOW TO REQUEST TICKETS WITHOUT REPEATEDLY SENDING CREDENTIALS? –TICKET GRANTING TICKET (TGT)

17 AUTHENTICATION SERVER THE CLIENT SENDS A PLAINTEXT REQUEST TO THE AS ASKING FOR A TICKET IT CAN USE TO TALK TO THE TGS. REQUEST: –LOGIN NAME –TGS NAME SINCE THIS REQUEST CONTAINS ONLY WELL- KNOWN NAMES, IT DOES NOT NEED TO BE SEALED.

18 AUTHENTICATION SERVER THE AS FINDS THE KEYS CORRESPONDING TO THE LOGIN NAME AND THE TGS NAME. THE AS CREATES A TICKET: –LOGIN NAME –TGS NAME –CLIENT NETWORK ADDRESS –TGS SESSION KEY THE AS SEALS THE TICKET WITH THE TGS SECRET KEY.

19 AUTHENTICATION SERVER RESPONSE THE AS ALSO CREATES A RANDOM SESSION KEY FOR THE CLIENT AND THE TGS TO USE. THE SESSION KEY AND THE SEALED TICKET ARE SEALED WITH THE USER (LOGIN NAME) SECRET KEY. TGS session key Ticket: login name TGS name net address TGS session key Sealed with user key Sealed with TGS key

20 ACCESSING THE TGS THE CLIENT DECRYPTS THE MESSAGE USING THE USERS PASSWORD AS THE SECRET KEY. THE CLIENT NOW HAS A SESSION KEY AND TICKET THAT CAN BE USED TO CONTACT THE TGS. THE CLIENT CANNOT SEE INSIDE THE TICKET, SINCE THE CLIENT DOES NOT KNOW THE TGS SECRET KEY.

21 TICKET GRANTING TICKETS

22 WHEN A CLIENT WANTS TO START USING A SERVER (SERVICE), THE CLIENT MUST FIRST OBTAIN A TICKET. THE CLIENT COMPOSES A REQUEST TO SEND TO THE TGS: ACCESSING A SERVER TGS Ticket Authenticator Server Name sealed with TGS key sealed with session key

23 TGS RESPONSE THE TGS DECRYPTS THE TICKET USING ITS SECRET KEY. INSIDE IS THE TGS SESSION KEY. THE TGS DECRYPTS THE AUTHENTICATOR USING THE SESSION KEY. THE TGS CHECK TO MAKE SURE LOGIN NAMES, CLIENT ADDRESSES AND TGS SERVER NAME ARE ALL OK. TGS MAKES SURE THE AUTHENTICATOR IS RECENT.

24 TGS RESPONSE ONCE EVERYTHING CHECKS OUT - THE TGS: BUILDS A TICKET FOR THE CLIENT AND REQUESTED SERVER. THE TICKET IS SEALED WITH THE SERVER KEY. CREATES A SESSION KEY SEALS THE ENTIRE MESSAGE WITH THE TGS SESSION KEY AND SENDS IT TO THE CLIENT.

25 CLIENT ACCESSES SERVER THE CLIENT NOW DECRYPTS THE TGS RESPONSE USING THE TGS SESSION KEY. THE CLIENT NOW HAS A SESSION KEY FOR USE WITH THE NEW SERVER, AND A TICKET TO USE WITH THAT SERVER. THE CLIENT CAN CONTACT THE NEW SERVER USING THE SAME FORMAT USED TO ACCESS THE TGS.

26 THE APPLICATION SERVER

27 TICKETS EACH REQUEST FOR A SERVICE REQUIRES A TICKET. A TICKET PROVIDES A SINGLE CLIENT WITH ACCESS TO A SINGLE SERVER.

28 TICKETS (cont.) TICKETS ARE DISPENSED BY THE TICKET GRANTING SERVER (TGS), WHICH HAS KNOWLEDGE OF ALL THE ENCRYPTION KEYS. TICKETS ARE MEANINGLESS TO CLIENTS, THEY SIMPLY USE THEM TO GAIN ACCESS TO SERVERS.

29 TICKETS (cont.) THE TGS SEALS (ENCRYPTS) EACH TICKET WITH THE SECRET ENCRYPTION KEY OF THE SERVER. SEALED TICKETS CAN BE SENT SAFELY OVER A NETWORK - ONLY THE SERVER CAN MAKE SENSE OUT OF IT. EACH TICKET HAS A LIMITED LIFETIME (A FEW HOURS).

30 TICKET CONTENTS CLIENT NAME (USER LOGIN NAME) SERVER NAME CLIENT HOST NETWORK ADDRESS SESSION KEY FOR CLIENT/SERVER TICKET LIFETIME CREATION TIMESTAMP

31 SESSION KEY RANDOM NUMBER THAT IS SPECIFIC TO A SESSION. SESSION KEY IS USED TO SEAL CLIENT REQUESTS TO SERVER. SESSION KEY CAN BE USED TO SEAL RESPONSES (APPLICATION SPECIFIC USAGE).

32 AUTHENTICATORS AUTHENTICATORS PROVE A CLIENTS IDENTITY. INCLUDES: –CLIENT USER NAME. –CLIENT NETWORK ADDRESS. –TIMESTAMP. AUTHENTICATORS ARE SEALED WITH A SESSION KEY.

33 RECAP EACH TIME A CLIENT WANTS TO CONTACT A SERVER, IT MUST FIRST ASK THE 3RD PARTY (TGS) FOR A TICKET AND SESSION KEY. IN ORDER TO REQUEST A TICKET FROM THE TGS, THE CLIENT MUST ALREADY HAVE A TG TICKET AND A SESSION KEY FOR COMMUNICATING WITH THE TGS!

34 THE TICKET GRANTING SERVICE

35 KERBEROS SUMMARY EVERY SERVICE REQUEST NEEDS A TICKET. TICKETS COME FROM THE TGS (EXCEPT THE TICKET FOR THE TGS!). WORKSTATIONS CANNOT UNDERSTAND TICKETS, THEY ARE ENCRYPTED USING THE SERVER KEY. EVERY TICKET HAS AN ASSOCIATED SESSION KEY. TICKETS ARE REUSABLE.

36 KERBEROS SUMMARY (cont.) TICKETS HAVE A FINITE LIFETIME. AUTHENTICATORS ARE ONLY USED ONCE (NEW CONNECTION TO A SERVER). AUTHENTICATORS EXPIRE FAST ! SERVER MAINTAINS LIST OF AUTHENTICATORS (PREVENT STOLEN AUTHENTICATORS). THERE IS A LOT MORE TO KERBEROS!!!

37 WEAKNESSES AND SOLUTIONS IF TGT STOLEN, CAN BE USED TO ACCESS NETWORK SERVICES. ONLY A PROBLEM UNTIL TICKET EXPIRES IN A FEW HOURS. SUBJECT TO DICTIONARY ATTACK. TIMESTAMPS REQUIRE HACKER TO GUESS IN 5 MINUTES. VERY BAD IF AUTHENTICATION SERVER COMPROMISED. PHYSICAL PROTECTION FOR THE SERVER.

38 YOUR SECURITY IS IN YOUR OWN HANDS ….

39 REFERENCES CRYPTOGRAPHY AND NETWORK SECURITY – WILLIAM STALLINGS THE MORONS GUIDE TO KERBEROS – VERSION UNDERSTANDING KERBEROS V5 AUTHENTICATION PROTOCOL FABRICE KAH GIAC SECURITY ESSENTIALS CERTIFICATION (GSEC) - NOVEMBER 2003 THE KERBEROS NETWROK AUTHENTICATION SERVICE (V5) – J KOHL, C NEWMAN – 1993 KERBEROS: AN AUTHENTICATION SERVICE FOR COMPUTER NETWORKS B. CLIFFORD NEUMAN AND THEODORE TS'O – 2001B. CLIFFORD NEUMAN THEODORE TS'O - THE KERBEROS HOMEPAGEhttp://www.kerberos.isi.edu/

40 QUESTIONS??? THANK YOU….


Download ppt "KERBEROS LtCdr Samit Mehra (05IT 6018). What is Kerberos? Motivation Why Kerberos? Firewall Vs Kerberos Kerberos assumptions How does Kerberos work? Weakness."

Similar presentations


Ads by Google