Presentation is loading. Please wait.

Presentation is loading. Please wait.

Designing an Authentication System Kerberos; mans best three-headed friend?

Similar presentations

Presentation on theme: "Designing an Authentication System Kerberos; mans best three-headed friend?"— Presentation transcript:

1 Designing an Authentication System Kerberos; mans best three-headed friend?

2 What is Kerberos? Kerberos is a network authentication protocol. Its also the name of the three-headed dog in Greek mythology. Yes, it really is spelt with a K. Questions? No? Good.

3 Background Early 1980s: Timesharing via dumb terminals Central processing and storage Crap for games

4 Solution? Replace terminals with workstations Network all the machines Use servers for storage and services

5 Eek! Security! Problem: How does the server know who you are? Authentication by assertion? Solution: Add username & password verification

6 Multi-password badness Problem: Changing your password Password stored in multiple locations Just remembering the damn thing Sounds like we need a network authentication protocol -)

7 No, its not Sharon Heres where it starts to get clever: Users have passwords Services have passwords Theres an auth service that knows all passwords. Well call it charon

8 Charon: first draft Alice wants her mail. She asks charon for a ticket. Charon encrypts her username as ticket. Alice hands ticket to mail service.

9 Username squiggle? The ticket currently contains: Problem: How does the service know if its decrypted the ticket properly? Solution: Fix the ticket

10 Stop, thief! Problem: Whats to stop someone stealing your ticket? Solution: Add another field to the ticket

11 But I already typed it in…! Problem: We have to enter our password once per service Solution: We add a ticket-granting service, well call it bob.

12 Bob? Eh? Heres how it works: You request a ticket from charon for bob. You can now repeat steps 2&3 for as many services as you like. This ticket is called the ticket-granting ticket. Catchy eh?

13 I saw that! Problem: The password is still being sent in plain text. Eek. Solution: Tweak more stuff.

14 Thievery, again Problem: Someone can steal your ticket, and fake your username and address after youve fled home. Solution: Add an expiry time to the ticket.

15 Twas nae me, officer Problem: Someone could use your ticket before it expires. Well, lets look at whats happening.

16 It honestly wasnt Solution: Add a session key. Charon creates a random password for the session and adds it to the reply.

17 So, um, hows this work? Like this: Alice sends 2 things to the mail service: –The service ticket –Her username and address, encrypted with the session key (a.k.a., the authenticator)

18 And thats pretty much it, folks. My thanks to Bill Bryant This Man Needs Sleep Notes to self: replay, bones, lanman, agnosticism, forwarding, mutual auth

Download ppt "Designing an Authentication System Kerberos; mans best three-headed friend?"

Similar presentations

Ads by Google