Kerberos - PowerPoint PPT Presentation

Slides: 10
Provided by: Xuka9

Transcript and Presenter's Notes

1
Kerberos
  • A secret-key based authentication service
  • Assumes trusted hosts (running Kerberos) on an insecure
    network
  • Scenario
  • When you log into a workstation (login session)
    on Windows NT (2000) at our lab, you type a login name
    and password
  • If you then want to access remote resources, such as
    files on firebird, you retype your name and
    password each time
  • Kerberos versions
  • v1, v2, v3 were only ever used inside MIT and have
    disappeared
  • v4 is widely used, but has some
    security flaws
  • v5 is the most recent version, and more complicated

2
Kerberos
  • Kerberos solution
  • Once you have logged into a workstation and been
    authenticated, you can access remote resources
    without typing the username and password again
  • The Kerberos software on the workstation completes
    the authentication automatically on your behalf

3
The initial Kerberos protocol
  • A trusted central server (called the authentication
    server)
  • Every user (or client, or machine) shares a
    secret key with the server
  • The server stores each user's key; for a user this key
    is derived from the user's (hashed) password
  • The server can authenticate a user based on the
    shared secret key (in effect, the password)

4
The initial Kerberos protocol (cont.)
  • When a user Alice wants to communicate with
    another user Bob (i.e. when you want to access
    resources on another machine)
  • A secret key Kab to be used by Alice and Bob is
    generated by the authentication server S and
    distributed to Alice and Bob as follows. Notation:
    {X}K is X encrypted under key K; Kas and Kbs are the
    keys Alice and Bob share with S; Na and Nb are nonces
  • A → S: A, B, Na
  • S → A: {Na, B, Kab, {Kab, A}Kbs}Kas
  • A → B: {Kab, A}Kbs
  • B → A: {Nb}Kab
  • A → B: {Nb-1}Kab
  • The part {Kab, A}Kbs is called the ticket

5
Terminology
  • Authentication server: a trusted server
  • Principal: a user, a client program running on
    behalf of a user, a resource, a service, or a
    server program running on behalf of a user or a resource
  • There is a shared secret between each principal
    and the server
  • We may say that a user communicates with another
    user, that a user accesses a resource on a remote
    machine, or that a client requires a service provided
    by a server
  • Ticket: a key along with other information,
    encrypted with another key; the ticket is used to
    get a security service
  • Issued by the ticket-granting server
  • Ticket-granting ticket (TGT): a key encrypted
    with another key; the TGT is used to get tickets
  • Issued by the authentication server
  • Ticket-granting server: issues tickets

6
Problems with initial protocol
  • The typed password would need to be stored at the
    workstation for the entire session
  • Why? Alice needs different services or conversations
    during her session, each requiring authentication
  • Problem: the stored password may be stolen
  • Fix: Alice obtains a session key SKAS from the
    authentication server after her username and password
    have been authenticated
  • Alice discards her password but stores SKAS on the
    workstation
  • Alice uses SKAS to obtain tickets whenever she
    needs to communicate with another person or a
    service on another machine
  • SKAS expires after some time period

7
Ticket-granting-tickets
  • When the authentication server sends SKAS to Alice,
    it also sends a ticket-granting ticket (TGT):
  • TGT = {Alice, SKAS, valid-time}KTGS
  • Purposes of the TGT
  • Separate authentication from ticket granting; the
    component that grants tickets is called the
    Ticket-Granting Server (TGS)
  • From the TGT the TGS recovers SKAS (the TGT is
    encrypted under the TGS's own key KTGS), so it does
    not need to consult the key database
  • The TGS may be separate from the authentication server,
    and there may be multiple TGSs

8
Architecture of Kerberos
(Figure: Alice, the Authentication Server / Ticket-Granting Server with its Key DB, and Bob, with the following messages between them.)
  • Alice → Authentication Server: request for TGT (A)
  • Authentication Server → Alice: {A, SKAS, TGT}Kas
    (the server looks up Kas in its Key DB)
  • Alice → TGS: Na, A, B, TGT
  • TGS → Alice: {Na, B, Kab, {Kab, A}Kbs}SKAS
  • Alice → Bob: {Kab, A}Kbs
  • Alice ↔ Bob: {Data}Kab
Notes:
  1. TGT = {Alice, SKAS, valid-time}KTGS
  2. Kas is derived from the (hashed) password
  3. Alice discards Kas after authentication
  4. Alice can use the TGT to get multiple tickets
  5. The TGS may be separate from the authentication server,
     and there may be multiple TGSs
9
Kerberos limitation
  • Password-guessing attacks: the authentication server's
    reply is encrypted under a key derived from the user's
    password, so an eavesdropper who captures one reply can
    test password guesses offline against it
  • Kerberos has no control over the workstations or
    machines where the user enters the password.
    It assumes that an attacker has no opportunity to
    position himself between the user and the client
    (e.g. a modified login program) to obtain the password
  • It only protects messages from software that has been
    written or modified to use it ("Kerberized" applications)
  • Secret-key distribution: every principal's long-term key
    must be registered with the authentication server by some
    out-of-band means before Kerberos can be used
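The exchanges on slides 4, 8 and 9 as a runnable Python model, added here as an example; it is not part of the original slides. The message structure follows the slides (the AS reply {A, SKAS, TGT}Kas, the TGS reply {Na, B, Kab, {Kab, A}Kbs}SKAS, the ticket {Kab, A}Kbs, the {Nb}Kab / {Nb-1}Kab handshake), while the function names as_request_tgt, tgs_request_ticket, session and offline_guess, the 8-hour TGT lifetime, the key-derivation rule and the SHA-256/HMAC toy cipher standing in for the real encryption are assumptions of this example.

```python
"""Toy model of the exchanges on slides 4, 8 and 9.  Added example, not from
the original slides; the cipher is a stdlib-only toy that only shows the flow."""
import hashlib
import hmac
import json
import os

TGT_LIFETIME = 8 * 3600  # assumed TGT validity ("valid-time") in seconds


def _keystream(key, nonce, n):
    # SHA-256 in counter mode: a toy stream cipher, not for real use.
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]


def encrypt(key, obj):
    """{obj}_key: toy authenticated encryption (keystream XOR + HMAC tag)."""
    nonce, pt = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def decrypt(key, blob):
    """Inverse of encrypt; raises ValueError on a wrong key or a tampered blob."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad key or tampered ciphertext")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


def derive_key(principal, password):
    # Kas is derived from the (hashed) password (slide 3, note 2).  Constructed
    # derivation for this example; real Kerberos uses string2key with a salt.
    return hashlib.sha256(f"{principal}:{password}".encode()).digest()


# Key DB of the authentication server: one long-term secret per principal.
KEY_DB = {
    "alice": derive_key("alice", "correct horse battery"),
    "bob": hashlib.sha256(b"bob long-term key").digest(),
    "tgs": hashlib.sha256(b"tgs long-term key").digest(),
}


def as_request_tgt(user, now):
    """AS -> Alice: {A, SKAS, TGT}Kas with TGT = {A, SKAS, valid-time}KTGS."""
    sk_as = os.urandom(32).hex()
    tgt = encrypt(KEY_DB["tgs"], {"client": user, "sk": sk_as, "expires": now + TGT_LIFETIME})
    return encrypt(KEY_DB[user], {"client": user, "sk": sk_as, "tgt": tgt.hex()})


def tgs_request_ticket(na, client, server, tgt, now):
    """TGS -> Alice: {Na, B, Kab, {Kab, A}Kbs}SKAS; SKAS comes out of the TGT (slide 7)."""
    t = decrypt(KEY_DB["tgs"], tgt)  # no key-DB lookup for Alice is needed
    if t["client"] != client or now > t["expires"]:
        raise PermissionError("TGT is for another client or has expired")
    kab = os.urandom(32).hex()
    ticket = encrypt(KEY_DB[server], {"key": kab, "client": client})
    return encrypt(bytes.fromhex(t["sk"]),
                   {"nonce": na, "server": server, "key": kab, "ticket": ticket.hex()})


def session(password, now):
    """Alice logs in, gets a ticket for Bob and runs the {Nb}Kab / {Nb-1}Kab handshake."""
    k_as = derive_key("alice", password)
    login = decrypt(k_as, as_request_tgt("alice", now))   # fails fast on a wrong password
    del k_as, password                                    # note 3: discard Kas, keep SKAS
    sk_as, tgt = bytes.fromhex(login["sk"]), bytes.fromhex(login["tgt"])
    na = os.urandom(8).hex()
    reply = decrypt(sk_as, tgs_request_ticket(na, "alice", "bob", tgt, now))
    if reply["nonce"] != na or reply["server"] != "bob":
        raise ValueError("TGS reply does not match the request (replayed?)")
    kab = bytes.fromhex(reply["key"])
    # Alice -> Bob: {Kab, A}Kbs.  Bob needs only his own key to recover Kab.
    ticket = decrypt(KEY_DB["bob"], bytes.fromhex(reply["ticket"]))
    kab_bob = bytes.fromhex(ticket["key"])
    nb = int.from_bytes(os.urandom(4), "big")
    challenge = encrypt(kab_bob, {"nb": nb})                            # Bob -> Alice: {Nb}Kab
    response = encrypt(kab, {"nb": decrypt(kab, challenge)["nb"] - 1})  # Alice -> Bob: {Nb-1}Kab
    handshake_ok = decrypt(kab_bob, response)["nb"] == nb - 1
    data = decrypt(kab_bob, encrypt(kab, {"data": "hello bob"}))["data"]  # {Data}Kab
    return {"client_seen_by_bob": ticket["client"], "handshake_ok": handshake_ok, "data": data}


def offline_guess(as_reply, user, candidates):
    """Slide 9: the AS reply is encrypted under a password-derived key, so a captured
    reply lets an eavesdropper test guesses offline.  Returns the first hit or None."""
    for guess in candidates:
        try:
            decrypt(derive_key(user, guess), as_reply)
            return guess
        except ValueError:
            continue
    return None
```

Run `session("correct horse battery", time.time())` to walk through the whole flow; a wrong password fails at the very first decrypt, and an expired TGT is refused by the TGS without the key database being consulted. The last function is the first limitation on slide 9 in code: everything needed to check a password guess is in the captured reply, so the guessing happens with no further contact with the server.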