Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Kerberos n Part of project Athena (MIT). n Trusted 3rd party authentication scheme. n Assumes that hosts are not trustworthy. n Requires that each client.

Published byEsmond O’Brien’ Modified over 8 years ago

Similar presentations

Presentation on theme: "1 Kerberos n Part of project Athena (MIT). n Trusted 3rd party authentication scheme. n Assumes that hosts are not trustworthy. n Requires that each client."— Presentation transcript:

1 1 Kerberos n Part of project Athena (MIT). n Trusted 3rd party authentication scheme. n Assumes that hosts are not trustworthy. n Requires that each client (each request for service) prove it’s identity. n Does not require user to enter password every time a service is requested!

2 2 Kerberos Design n User must identify itself once at the beginning of a workstation session (login session). n Passwords are never sent across the network in cleartext (or stored in memory) n Every user has a password and every service has a password. n The only entity that knows all the passwords is the Authentication Server.

3 3 ServerServer ServerServer ServerServer KerberosDatabase ServerServer KerberosDatabase Ticket Granting Server Server Ticket Granting Server Server Authentication Authentication WorkstationWorkstation Kerberos Key Distribution Service

4 4 Secret Key Cryptography n The encryption used by current Kerberos implementations is DES, although Kerberos V5 has hooks so that other algorithms can be used. encryption encryption plaintextciphertext key key ciphertext plaintext decryption

5 5 Tickets n Each request for a service requires a ticket. n A ticket provides a single client with access to a single server. n Tickets are dispensed by the “Ticket Granting Server” (TGS), which has knowledge of all the encryption keys. n Tickets are meaningless to clients, they simply use them to gain access to servers.

6 6 Tickets (cont.) n The TGS seals (encrypts) each ticket with the secret encryption key of the server. n Sealed tickets can be sent safely over a network - only the server can make sense out of it. n Each ticket has a limited lifetime (a few hours).

7 7 Ticket Contents n Client name (user login name) n Server name n Client Host network address n Session Key for C S n Ticket lifetime n Creation timestamp

8 8 Session Key n Random number that is specific to a session. n Session Key is used to seal client requests to server. n Session Key can be used to seal responses (application specific usage).

9 9 Authenticators n Authenticators prove a client’s identity. n Includes: –Client user name. –Client network address. –Timestamp. n Authenticators are sealed with a session key.

10 10 Bootstrap n Each time a client wants to contact a server, it must first ask the 3rd party (TGS) for a ticket and session key. n In order to request a ticket from the TGS, the client must already have a TG ticket and a session key for communicating with the TGS!

11 11 Authentication Server n The client sends a plaintext request to the AS asking for a ticket it can use to talk to the TGS. n REQUEST: –login name –TGS name Since this request contains only well-known names, it does not need to be sealed.

12 12 Authentication Server n The AS finds the keys corresponding to the login name and the TGS name. n The AS creates a ticket: –login name –TGS name –client network address –TGS session key n The AS seals the ticket with the TGS secret key.

13 13 Authentication Server Response n The AS also creates a random session key for the client and the TGS to use. n The session key and the sealed ticket are sealed with the user (login name) secret key. TGS session key Ticket: login name TGS name net address TGS session key Sealed with user key Sealed with TGS key

14 14 Accessing the TGS n The client decrypts the message using the user’s password as the secret key. n The client now has a session key and ticket that can be used to contact the TGS. n The client cannot see inside the ticket, since the client does not known the TGS secret key.

15 15 n When a client wants to start using a server (service), the client must first obtain a ticket. n The client composes a request to send to the TGS: Accessing a Server TGS Ticket Authenticator Server Name sealed with TGS key sealed with session key

16 16 TGS response n The TGS decrypts the ticket using it’s secret key. Inside is the TGS session key. n The TGS decrypts the Authenticator using the session key. n The TGS check to make sure login names, client addresses and TGS server name are all OK. n TGS makes sure the Authenticator is recent.

17 17 TGS Response n Once everything checks out - the TGS: – builds a ticket for the client and requested server. The ticket is sealed with the server key. –creates a session key –seals the entire message with the TGS session key and sends it to the client.

18 18 Client accesses Server n The client now decrypts the TGS response using the TGS session key. n The client now has a session key for use with the new server, and a ticket to use with that server. n The client can contact the new server using the same format used to access the TGS.

19 19 Kerberos Summary n Every service request needs a ticket. n Tickets come from the TGS (except the ticket for the TGS!). n Workstations cannot understand tickets, they are encrypted using the server key. n Every ticket has an associated session key. n Tickets are reusable.

20 20 Kerberos Summary (cont.) n Tickets have a finite lifetime. n Authenticators are only used once (new connection to a server). n Authenticators expire fast ! n Server maintains list of authenticators (prevent stolen authenticators). n There is a lot more to Kerberos!!!

Download ppt "1 Kerberos n Part of project Athena (MIT). n Trusted 3rd party authentication scheme. n Assumes that hosts are not trustworthy. n Requires that each client."

Similar presentations

Kerberos: An Authentication Service for Open Network Systems Jennifer G. Steiner, Clifford Neuman, and Jeffrey I. Schiller Massachusetts Institute of Technology.

Kerberos: An Authentication Service for Open Network Systems Jennifer G. Steiner, Clifford Neuman, and Jeffrey I. Schiller Massachusetts Institute of Technology.
1 Kerberos Anita Jones November, 2006. 2 Kerberos * : Objective Assumed environment Assumed environment –Open distributed environment –Wireless and Ethernetted.

1 Kerberos Anita Jones November, Kerberos * : Objective Assumed environment Assumed environment –Open distributed environment –Wireless and Ethernetted.
AUTHENTICATION AND KEY DISTRIBUTION

AUTHENTICATION AND KEY DISTRIBUTION
Overview Network security involves protecting a host (or a group of hosts) connected to a network Many of the same problems as with stand-alone computer.

Overview Network security involves protecting a host (or a group of hosts) connected to a network Many of the same problems as with stand-alone computer.
Supervisor :Dr. Lo'ai Ali Tawalbeh Done by: Wa’el Musa Hadi

Supervisor :Dr. Lo'ai Ali Tawalbeh Done by: Wa’el Musa Hadi
The Authentication Service ‘Kerberos’ and It’s Limitations

The Authentication Service ‘Kerberos’ and It’s Limitations
CS5204 – Operating Systems 1 A Private Key System KERBEROS.

CS5204 – Operating Systems 1 A Private Key System KERBEROS.
A less formal view of the Kerberos protocol J.-F. Pâris.

A less formal view of the Kerberos protocol J.-F. Pâris.
Chapter 10 Real world security protocols

Chapter 10 Real world security protocols
Security Protocols Sathish Vadhiyar Sources / Credits: Kerberos web pages and documents contained / pointed.

Security Protocols Sathish Vadhiyar Sources / Credits: Kerberos web pages and documents contained / pointed.
KERBEROS LtCdr Samit Mehra (05IT 6018).

KERBEROS LtCdr Samit Mehra (05IT 6018).
KERBEROS A NETWORK AUTHENTICATION PROTOCOL Nick Parker CS372 Computer Networks.

KERBEROS A NETWORK AUTHENTICATION PROTOCOL Nick Parker CS372 Computer Networks.
Windows 2000 Security --Kerberos COSC513 Project Sihua Xu June 13, 2014.

Windows 2000 Security --Kerberos COSC513 Project Sihua Xu June 13, 2014.
Chapter 14 – Authentication Applications

Chapter 14 – Authentication Applications
KERBEROS www.unix.org.ua/orelly/networking/puis/ch19_06.htm.

KERBEROS
IT 221: Introduction to Information Security Principles Lecture 8:Authentication Applications For Educational Purposes Only Revised: October 20, 2002.

IT 221: Introduction to Information Security Principles Lecture 8:Authentication Applications For Educational Purposes Only Revised: October 20, 2002.
SCSC 455 Computer Security

SCSC 455 Computer Security
Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.

Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.
Kerberos Part 2 CNS 4650 Fall 2004 Rev. 2. PARC Once Again Once again XEROX PARC helped develop the basis for wide spread technology Needham-Schroeder.

Kerberos Part 2 CNS 4650 Fall 2004 Rev. 2. PARC Once Again Once again XEROX PARC helped develop the basis for wide spread technology Needham-Schroeder.
Key Management. Shared Key Exchange Problem How do Alice and Bob exchange a shared secret? Offline – Doesnt scale Using public key cryptography (possible)

Key Management. Shared Key Exchange Problem How do Alice and Bob exchange a shared secret? Offline – Doesnt scale Using public key cryptography (possible)

Similar presentations

Ads by Google