Presentation is loading. Please wait.

Presentation is loading. Please wait.

Windows 2000 Security --Kerberos COSC513 Project Sihua Xu June 13, 2014.

Published byKylee Pratt Modified over 10 years ago

Similar presentations

Presentation on theme: "Windows 2000 Security --Kerberos COSC513 Project Sihua Xu June 13, 2014."— Presentation transcript:

1 Windows 2000 Security --Kerberos COSC513 Project Sihua Xu June 13, 2014

2 The Three As of Security Kerberos Basics Windows 2000 implementation of Kerberos Benefits of Kerberos in Windows 2000 Outline

3 The Three As of Security: Authentication --the capability of one entity to prove its identity to another entity ID (drivers license), user log on to OS Authorization – the process of discovering whether you have the rights or permissions to do what you have asked to do Permission (R,W,D), Right (add user, install application) Auditing –the process of checking to see whether sth. has been done the way it is supposed to have been done Audit trail

4 Windows 2000 Security Default authentication algorithm: Kerberos Microsofts implementation of Kerberos: the function of Kerberos is to provide authentication of users. Microsoft uses an empty field in Kerberos to provide security ID information that supports the authorization process.

5 Kerberos Basics -developed at MIT -three basic functions (message exchanges) a request and a reply The Authentication Service Exchange (Logon) The Ticket-Granting Service Exchange (Getting a Ticket to Ride) The Client/Server Authentication Exchange (Accessing a Resource)

6 Authentication Server (AS) Kerberos Key Distribution Center (KDC) Kerberos Authentication Server Request (KRB_AS_REQ) Kerberos Authentication Server Reply (KRB_AS_REP ) Ticket-Granting Server (TGS) Ticket-Granting Ticket (TGT) Kerberos Ticket-Granting Service Request (KRB_TGS_REQ) Kerberos Ticket-Granting Service Reply (KRB_TGS_REP) Kerberos Client/Server Request(KRB_AP_REQ) Kerberos Client/Server Reply(KRB_AP_REP) Kerberos Algorithms

7 Kerberos Components: Session key: a randomly generated, unique key used to encrypt parts of the message and to carry on encrypted conversations. Is generated by the AS and is provided to the client in the encrypted part of the response. Is provided to the destination server in the encrypted part of the ticket Ticket-Granting Server (TGS): Kerberos server that can validate a TGT and can provide tickets allowing access to resource or application servers Realm: a logical collection of Kerberos clients and servers. Its name is used by the client and server to identify the locations of the resources.

8 Kerberos Components Authentication Server(AS) Authenticator: contains information that can be used to verify that the response comes from a valid server in the realm and to prove to the server that the client knows the session key. Includes the clients current time and is encrypted by the client using the session key Kerberos ticket: a data structure that includes client credentials and session keys. Used to authenticate the client to the resource servers or to the TGT. Key Distribution Center (KDC): manages key database. Contains the user and server identification information, passwords, and other items.

9 Kerberos in Windows 2000 KDC implemented as a domain service includes AS and TGS Kerberos realm in Windows 2000 – Domain Each domain server has a KDC Active Directory backbone of Kerberos

10 Windows 2000 implementation of AS Exchange protocol: Obtaining a Logon Session Key 1.ID & password 2.Kerberos client: password to long-term key 3.DNS: domain controller for KDC 4.client to KDC: session key via KRB_AS_REQ 5.KDC:verify long-term key (Identity) 6.KDC:create session key 7.KDC to client:TGT & session key via KRB_AS_REP 8. Client: logon session key and TGT Client DNS Server 3 Where is the nearest KDC? 208.156.2.23 1 Cd71872398 TGT 2 8 6 208.156.2.23 5 4 KRB_AS_REQ 7 KRB_AS_REP

11 Windows 2000 implementation of TGS Exchange protocol: Getting a Ticket for a Particular Server 1,2. Read a file from Seascape Server, need a session ticket 3. Client encrypts the authenticator with logon session key 4. Client to KDC:KRB_TGS_REQ (TGT) 5. KDC decrypts TGT, validate authenticator 6,7. KDC: invent a session key, encrypt it with clients logon session key, create a ticket encrypted with Seascape servers long-term key 8. KDC to client: KRB_TGS_REP 9. Client decrypt the session key with its logon session key 2 Seascape Server Client 5 6,7 Cd71872398 TGT 1 2 Authenticator 3 208.156.2.23 4 KRB_TGS_REQ 8,10 KRB_TGS_REP 9

12 Windows 2000 implementation of CS Exchange protocol: Using the Session Ticket for Admission Client 2 Seascape Server 1 KRB_AP_REQ 3 KRB_AP_REP Cd71872398 TGT 4 Authenticator 1.client to server: KRB_AP_REQ authenticator encrypted with session ticket 2.Server decrypts the ticket, evaluates the authenticator 3. Server to client: KRB_AP_REP encrypts the time from the authenticator 4. Client compare the timestamp

13 Take a common file|open operation. In Windows Explorer, a user finds a file share. Active Directory directs the user to the location of the share. Next, the user finds an individual file and opens it. A request is made to the server from the client that contains a Kerberos ticket with the user's credential information included. The server receives the ticket and looks at the credentials. The operating system compares the credential information with the ACL on the file to determine if the user has access.

14 Kerberos enables cross-platform single-sign on across the enterprise

15 Benefits of Kerberos More efficient authentication to servers. the server does not need to go to a domain controller. It can authenticate the client by examining credentials presented by the client. Clients can obtain credentials for a particular server once and reuse them throughout a network logon session. Mutual authentication. Parties at both ends of a network connection can know that the party on the other end is who it claims to be. Delegated authentication. Kerberos protocol has a proxy mechanism that allows a service to impersonate its client when connecting to other services.

16 Simplified trust management. trust between the security authorities for Windows 2000 domains is by default two-way and transitive. many domains of a large network can be organized in a tree of transitive, mutual trust. Credentials issued by the security authority for any domain are accepted everywhere in the tree. Interoperability Microsofts implementation of the Kerberos protocol is based on standards-track specifications recommended to the Internet Engineering Task Force (IETF) which lays a foundation for interoperability with other networks where Kerberos version 5 is used for authentication. Benefits of Kerberos

Download ppt "Windows 2000 Security --Kerberos COSC513 Project Sihua Xu June 13, 2014."

Similar presentations

Kerberos Authentication. Kerberos Requires shared secret with KDC ( perhaps not for PKINIT) Shared session key established Time synchronization needed.

Kerberos Authentication. Kerberos Requires shared secret with KDC ( perhaps not for PKINIT) Shared session key established Time synchronization needed.
1 Kerberos Anita Jones November, 2006. 2 Kerberos * : Objective Assumed environment Assumed environment –Open distributed environment –Wireless and Ethernetted.

1 Kerberos Anita Jones November, Kerberos * : Objective Assumed environment Assumed environment –Open distributed environment –Wireless and Ethernetted.
AUTHENTICATION AND KEY DISTRIBUTION

AUTHENTICATION AND KEY DISTRIBUTION
Overview Network security involves protecting a host (or a group of hosts) connected to a network Many of the same problems as with stand-alone computer.

Overview Network security involves protecting a host (or a group of hosts) connected to a network Many of the same problems as with stand-alone computer.
Supervisor :Dr. Lo'ai Ali Tawalbeh Done by: Wa’el Musa Hadi

Supervisor :Dr. Lo'ai Ali Tawalbeh Done by: Wa’el Musa Hadi
CS5204 – Operating Systems 1 A Private Key System KERBEROS.

CS5204 – Operating Systems 1 A Private Key System KERBEROS.
Chapter 10 Real world security protocols

Chapter 10 Real world security protocols
Security Protocols Sathish Vadhiyar Sources / Credits: Kerberos web pages and documents contained / pointed.

Security Protocols Sathish Vadhiyar Sources / Credits: Kerberos web pages and documents contained / pointed.
KERBEROS A NETWORK AUTHENTICATION PROTOCOL Nick Parker CS372 Computer Networks.

KERBEROS A NETWORK AUTHENTICATION PROTOCOL Nick Parker CS372 Computer Networks.
Chapter 14 – Authentication Applications

Chapter 14 – Authentication Applications
IT 221: Introduction to Information Security Principles Lecture 8:Authentication Applications For Educational Purposes Only Revised: October 20, 2002.

IT 221: Introduction to Information Security Principles Lecture 8:Authentication Applications For Educational Purposes Only Revised: October 20, 2002.
SCSC 455 Computer Security

SCSC 455 Computer Security
Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.

Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.
Kerberos Part 2 CNS 4650 Fall 2004 Rev. 2. PARC Once Again Once again XEROX PARC helped develop the basis for wide spread technology Needham-Schroeder.

Kerberos Part 2 CNS 4650 Fall 2004 Rev. 2. PARC Once Again Once again XEROX PARC helped develop the basis for wide spread technology Needham-Schroeder.
Key Management. Shared Key Exchange Problem How do Alice and Bob exchange a shared secret? Offline – Doesnt scale Using public key cryptography (possible)

Key Management. Shared Key Exchange Problem How do Alice and Bob exchange a shared secret? Offline – Doesnt scale Using public key cryptography (possible)
Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.

Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.
Kerberos 1 Public domain image of Heracles and Cerberus. From an Attic bilingual amphora, 530–520 BC. From Italy (?).

Kerberos 1 Public domain image of Heracles and Cerberus. From an Attic bilingual amphora, 530–520 BC. From Italy (?).
Murad Kaplan 1. Network Authentication Protocol Uses private-key Cryptography Built on Needam/Schroeder Scheme Protects.

Murad Kaplan 1. Network Authentication Protocol Uses private-key Cryptography Built on Needam/Schroeder Scheme Protects.
Akshat Sharma Samarth Shah

Akshat Sharma Samarth Shah
PIS: Unit III Digital Signature & Authentication Sanjay Rawat PIS Unit 3 Digital Sign Auth Sanjay Rawat1 Based on the slides of Lawrie.

PIS: Unit III Digital Signature & Authentication Sanjay Rawat PIS Unit 3 Digital Sign Auth Sanjay Rawat1 Based on the slides of Lawrie.

Similar presentations

Ads by Google