Slide 1: Kerberos Part 2, CNS 4650, Fall 2004, Rev. 2

Slide 2: PARC Once Again
- Once again, XEROX PARC helped develop the basis for widespread technology: Needham-Schroeder
- Paper published in 1978: "Using Encryption for Authentication in Large Networks of Computers"

Slide 3: Needham-Schroeder
- Describes an authentication scheme
- Contains an Authentication Server
- Clients contact the Authentication Server for permission to access a network service
- Encryption using keys to secure data

Slide 4: Kerberos 4
- Very similar to Needham-Schroeder
- Network time used to decrease network traffic
- Ticket Granting Ticket (TGT)

Slide 5: Kerberos 4 in a Nutshell
- The client contacts the KDC to get a Ticket Granting Ticket (TGT) so that it may access services in the future; think of this as logging in
- The KDC authenticates the client and returns a TGT, which the client uses for all future requests

Slide 6: Kerberos 4 in a Nutshell
- The client receives the TGT and caches it locally
- When the client needs to access a service (e.g. SMB), it sends a message with the TGT to request a Service Ticket
- The KDC authenticates the TGT and creates a session key for the client and the service to use for encryption
- The KDC then encrypts the session key for the service with the service's key and sends that to the client

Slide 7: Kerberos 4 in a Nutshell
- The client then sends the session key, encrypted with the service's key, to the service
- The service decrypts the message from the client and then begins the session

Slide 8: Kerberos 4 AS_REQ
Initial request from client to server. Fields:
- Client principal: jdoe@REALM.ORG
- Client timestamp: 7:00am 9/9/2004
- TGS (KDC) principal: server@REALM.ORG
- Requested lifetime: 8 hours

Slide 9: Kerberos 4 AS_REP
Server reply to an AS_REQ; the entire structure is encrypted with the user's key. Fields:
- User's copy of the session key: randomly generated number
- TGS (KDC) principal: server@REALM.ORG
- Ticket lifetime: 8 hours
- Ticket Granting Ticket (TGT): encrypted with the TGS (KDC) key

Slide 10: Kerberos 4 TGT
Fourth component of an AS_REP; this structure is encrypted with the TGS key. Fields:
- TGS copy of the session key: randomly generated number (matches the user's)
- User principal: jdoe@REALM.ORG
- Ticket lifetime: 8 hours
- KDC timestamp: 7:00am 9/9/2004
- Client IP address

Slide 11: Kerberos 4 TGS Request
Client requesting to use a service (SMB). Fields:
- Service principal: smb.smbserver@REALM.ORG
- TGT: encrypted data structure that authenticates the client
- Authenticator: data structure encrypted with the session key from the Authentication Server; this prevents replay attacks
- Requested lifetime: usually 8 hours

Slide 12: Kerberos 4 TGS Reply
Authentication Server (KDC) reply to the client's service request; this structure is encrypted with the session key from the Authentication Server (received in the AS_REP). Fields:
- Copy of the session key: session key to be used with the service
- Service principal: smb.smbserver@REALM.ORG
- Ticket lifetime: usually 8 hours
- Service Ticket: data structure encrypted with the service's key

Slide 13: Kerberos 4 Service Ticket
This ticket is sent by the client to the service being requested; this structure is encrypted with the service key. Fields:
- Copy of the session key: session key to be used with the client
- User principal: jdoe@REALM.ORG
- Ticket lifetime: usually 8 hours
- KDC timestamp: 7:00am 9/9/2004
- Client IP address

Slide 14: Kerberos 5
- Same functionality as version 4
- Implementation is vastly different from version 4
- Switched to ASN.1 to describe the protocol
- Flexible encryption model

Slide 15: Pre-Authentication
- Prevents off-line or brute force attacks
- Kerberos 4 handed a TGT to anyone who asked
- The client must prove its identity before receiving a TGT
- The client encrypts a timestamp with its key and sends it to the KDC
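The AS and TGS exchanges from slides 5 through 13, plus the pre-authentication check from slide 15, as a small added model in Python (not code from the lecture). The cipher is a constructed toy standing in for Kerberos 4's DES, the principal names and clock-skew window are assumptions, and the KDC plays both the Authentication Server and the Ticket Granting Server.

```python
import hashlib, hmac, json, os

SKEW = 300  # seconds of clock skew the KDC tolerates (assumed); Kerberos depends on synchronised clocks

# Toy authenticated encryption standing in for Kerberos 4's DES (constructed for this example):
# SHA-256 keystream XORed with the plaintext, plus an HMAC tag so a wrong key is detected.
def _keystream(key, nonce, n):
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(n // 32 + 1))

def seal(key, obj):
    pt, nonce = json.dumps(obj, sort_keys=True).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

class KDC:
    """Authentication Server and Ticket Granting Server in one, as on the slides."""
    def __init__(self, user_keys, tgs_key, service_keys):
        self.users, self.tgs_key, self.services = user_keys, tgs_key, service_keys

    def as_exchange(self, client, preauth, lifetime, now, client_ip):
        # AS_REQ -> AS_REP. preauth is the client's timestamp sealed under its own key
        # (the Kerberos 5 fix for version 4 handing a TGT to anyone who asked).
        key = self.users[client]
        if abs(unseal(key, preauth)["ts"] - now) > SKEW:
            raise PermissionError("pre-authentication failed")
        sk = os.urandom(16).hex()  # session key shared by client and TGS
        tgt = seal(self.tgs_key, {"sk": sk, "user": client, "life": lifetime, "ts": now, "ip": client_ip})
        return seal(key, {"sk": sk, "tgs": "krbtgt@REALM.ORG", "life": lifetime, "tgt": tgt.hex()})

    def tgs_exchange(self, service, tgt, authenticator, lifetime, now):
        # TGS_REQ -> TGS_REP. The authenticator is sealed with the TGT session key and must be
        # fresh: a stale one is rejected, which is how the protocol stops replayed requests.
        t = unseal(self.tgs_key, tgt)
        if now > t["ts"] + t["life"]:
            raise PermissionError("TGT expired")
        a = unseal(bytes.fromhex(t["sk"]), authenticator)
        if a["user"] != t["user"] or abs(a["ts"] - now) > SKEW:
            raise PermissionError("bad authenticator")
        ssk = os.urandom(16).hex()  # session key shared by client and service
        ticket = seal(self.services[service], {"sk": ssk, "user": t["user"], "life": lifetime, "ts": now})
        return seal(bytes.fromhex(t["sk"]), {"sk": ssk, "svc": service, "life": lifetime, "ticket": ticket.hex()})
```

The client never sees the TGS or service keys: it can only open the AS_REP with its own key and the TGS_REP with the session key, and it forwards the opaque ticket blobs unchanged, which is what makes a stolen AS_REP useless without the user's key.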
