Presentation is loading. Please wait.

Presentation is loading. Please wait.

Authentication Applications The Kerberos Protocol Standard

Published byMadisyn Seaford Modified over 10 years ago

Similar presentations

Presentation on theme: "Authentication Applications The Kerberos Protocol Standard"— Presentation transcript:

1 Authentication Applications The Kerberos Protocol Standard
Rabie A. Ramadan Lecture 7

2 Outline I. Introduction II. Introduction to Kerberos v4
III. Details of Kerberos v4 IV. Kerberos v5 V. Realms and Inter-Realm Authentication

3 Introduction Note: some of the slides and figures are taken from Dr. Jean-Anne presnetation

4 Introduction Open distributed environment
Workstation Introduction Open distributed environment Users at workstations wish to access servers distributed throughout the network Servers must restrict access to authorized users Servers must authenticate request for service

5 Introduction Workstation (your computer) can not be trusted to authenticate its user correctly to network services: Three threats exist: User pretends to be another user. User alters the network address of a workstation. User eavesdrops on exchanges and use a replay attack.

6 Solutions AS knows all the passwords of all users
Server (V) Authentication Server (AS) Client (C) AS knows all the passwords of all users AS shares unique secret Keys with each server

7 A Simple Authentication Dialogue
Server (V) Authentication Server (AS) Client (C) Security holes? Password sent as plain ASCII No time limits for tickets Man-in-the middle can steal the ticket and fake IDC ( simple, because it is sent as clear text).

8 More Secure Dialogue Idea: Introducing a Ticket Granting Server (TGS)
Kc’ : A key that is derived from the user password

9 Problems with the Previous Protocol
1. Lifetime associated with the ticket-granting ticket: If too short → the user is repeatedly asked for the password If too long → a greater opportunity to replay exists. The threat is that an opponent will steal the ticket and use it before it expires. 2. There may be a requirement for servers to authenticate themselves to users. The false server would then be in a position to act as a real server and capture any information from the user and deny the true service to the user. An opponent could eavesdrop on the network and capture a copy of the ticket-granting ticket and then wait for the legitimate user to log out. Then the opponent could forge the legitimate user's network address and send the message of step (3) to the TGS. This would give the opponent unlimited access to the resources and files available to the legitimate user. Therefore, a network service (the TGS or an application service) must be able to prove that the person using a ticket is the same person to whom that ticket was issued.

10 What is Kerberos? Network authentication protocol
Developed at MIT in the mid 1980s Relies on conventional encryption, making no use of public-key encryption. Available as open source or in supported commercial software Two versions: version 4 (passing slowly away) and 5 coexist.

11 Kerberos 4 Overview Stallings Fig Discuss in relation to Table 14.1 which details message exchanges.

12 Version 4: Authentication Dialogue
Authenticatorc

13 First Step : C to AS

14 Second step: AS to C

15 Third step: C to TGS

16 Fourth step: TGS to C

17 Fifth step: C to V

18 Sixth step: V to C

19 Kerberos Realms A Kerberos environment consists of:
a Kerberos server a number of clients, all registered with server application servers, sharing keys with server This is termed a realm typically a single administrative domain

20 Request for Service in Another Realm V.4
Users on one realm may need access to servers in other realms Please consult the book for more details

21 Difference Between Version 4 and 5
Encryption system dependence (v.4 DES) Message byte ordering (v.4 arbitrary; v.5 defined by ASN1 Standard) Ticket lifetime (v.4 21h max; v.5 arbitrary) Authentication forwarding to other hosts (v.4 no; v.5 yes), A client accesses a server. The server can not act on another server on behalf of the client) Inter-realm authentication: v.4 (v5. simpler)

22 Kerberos Version 5 Developed in mid 1990’s
Provides improvements over v4 addresses environmental shortcomings encryption algoithms, network protocol, byte order, ticket lifetime, authentication forwarding, interrealm authentication Specified as Internet standard RFC 1510

23 New Fields in V5 Realm: Indicates realm of user
Options: Used to request that certain flags be set in the returned ticket Times: Used by the client to request the following time settings in the ticket: from: the desired start time for the requested ticket till: the requested expiration time for the requested ticket rtime: requested renew-till time Nonce: A random value to be repeated in message (2) to assure that the response is fresh and has not been replayed by an opponent

24 New Fields in V5 Subkey: The client's choice for an encryption key to be used to protect this specific application session. If this field is omitted, the session key from the ticket (Kc,v) is used. Sequence number: An optional field that specifies the starting sequence number to be used by the server for messages sent to the client during this session. Messages may be sequence numbered to detect replays.

25 Kerberos Limitations Every network service must be individually modified for use with Kerberos Doesn’t work well in time sharing environment Requires a secure Kerberos Server Requires a continuously available Kerberos Server Stores all passwords encrypted with a single key Assumes workstations are secure Scalability

Download ppt "Authentication Applications The Kerberos Protocol Standard"

Similar presentations

Computer Science CSC 474Dr. Peng Ning1 CSC 474 Information Systems Security Topic 4.6 Kerberos.

Computer Science CSC 474Dr. Peng Ning1 CSC 474 Information Systems Security Topic 4.6 Kerberos.
1 Kerberos Anita Jones November, 2006. 2 Kerberos * : Objective Assumed environment Assumed environment –Open distributed environment –Wireless and Ethernetted.

1 Kerberos Anita Jones November, Kerberos * : Objective Assumed environment Assumed environment –Open distributed environment –Wireless and Ethernetted.
Overview Network security involves protecting a host (or a group of hosts) connected to a network Many of the same problems as with stand-alone computer.

Overview Network security involves protecting a host (or a group of hosts) connected to a network Many of the same problems as with stand-alone computer.
Supervisor :Dr. Lo'ai Ali Tawalbeh Done by: Wa’el Musa Hadi

Supervisor :Dr. Lo'ai Ali Tawalbeh Done by: Wa’el Musa Hadi
The Authentication Service ‘Kerberos’ and It’s Limitations

The Authentication Service ‘Kerberos’ and It’s Limitations
Henric Johnson1 Chapter 4 Authentication Applications Henric Johnson Blekinge Institute of Technology,Sweden

Henric Johnson1 Chapter 4 Authentication Applications Henric Johnson Blekinge Institute of Technology,Sweden
In this ppt file Kerberos Passwords and password management.

In this ppt file Kerberos Passwords and password management.
Authentication Applications Kerberos And X.509. Kerberos Motivation –Secure against eavesdropping –Reliable – distributed architecture –Transparent –

Authentication Applications Kerberos And X.509. Kerberos Motivation –Secure against eavesdropping –Reliable – distributed architecture –Transparent –
KERBEROS LtCdr Samit Mehra (05IT 6018).

KERBEROS LtCdr Samit Mehra (05IT 6018).
Authentication Applications

Authentication Applications
1 Authentication Applications Ola Flygt Växjö University, Sweden +46 470 70 86 49.

1 Authentication Applications Ola Flygt Växjö University, Sweden
Chapter 14 – Authentication Applications

Chapter 14 – Authentication Applications
NETWORK SECURITY.

NETWORK SECURITY.
Kerberos and X.509 Fourth Edition by William Stallings

Kerberos and X.509 Fourth Edition by William Stallings
CSCE 815 Network Security Lecture 10 KerberosX.509 February 13, 2003.

CSCE 815 Network Security Lecture 10 KerberosX.509 February 13, 2003.
IT 221: Introduction to Information Security Principles Lecture 8:Authentication Applications For Educational Purposes Only Revised: October 20, 2002.

IT 221: Introduction to Information Security Principles Lecture 8:Authentication Applications For Educational Purposes Only Revised: October 20, 2002.
SCSC 455 Computer Security

SCSC 455 Computer Security
Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.

Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.
Key Management. Shared Key Exchange Problem How do Alice and Bob exchange a shared secret? Offline – Doesnt scale Using public key cryptography (possible)

Key Management. Shared Key Exchange Problem How do Alice and Bob exchange a shared secret? Offline – Doesnt scale Using public key cryptography (possible)
Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.

Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.

Similar presentations

Ads by Google