Understanding Kerberos Authentication Protocol

Slide Note
Embed
Share

Kerberos is a secure authentication protocol developed at M.I.T. to allow workstation users to access network resources securely. It involves three servers: Authentication Server (AS), Ticket-Granting Server (TGS), and the server performing the requested tasks. The AS verifies users, TGS issues tickets, and users authenticate themselves to access services. The process involves obtaining encrypted tickets, demonstrating identity, and proving authorization for requested services. This intuitive process ensures secure interactions within a network environment.

bri_pr
bri_pr Follow

Uploaded on Sep 28, 2024 | 0 Views

Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. Download presentation by click this link. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

E N D

Presentation Transcript

  1. KERBEROS

  2. Kerberos Kerberos was designed at M.I.T. to allow workstation users to access network resources in a secure way. Kerberos involves three servers in addition to Alice ( a client workstation): Autentication Server (AS):verifies users during the login Ticket-Granting Server (TGS): issues proof of identity tickets Bob the server: actually does the work Alice wants performed

  3. AS is responsible for handling a login request from a user. The AS maintains a database of secret keys; each entity on the network whether a client or a server shares a secret key known only to itself and to the AS. TGS distributes special messages, (tickets), that are used to convince a server that the client is really who he claims to be. A ticket is an encrypted data structure naming a user and a service that the user is allowed to obtain. It also contain a time value (time stamp) and some control information. 3

  4. The following is an intuitive description. The client authenticates itself to the Authentication Server and receives a ticket. (All tickets are time-stamped.) It then contacts the Ticket Granting Server, and using the ticket it demonstrates its identity and asks for a service. If the client is eligible for the service, then the Ticket Granting Server sends another ticket to the client. The client then contacts the Service Server, and using this ticket it proves that it has been approved to receive the service. 4

  5. User Login 1) A user workstation sends the user identity (Alice) to AS when the user logs on(1). 2) The AS verifies that the user is authorized. The AS generates the secret key, Ka, by hashing the password of the user found at the database. AS sends back a messages encrypted with Ka(the secret key of the client/user) to the client containing a key Ks and a ticket KTGS intended for the TGS. - Ks, for use in communication with Ticket Granting Server (Client/TGS Session Key). - KTGS(A,Ks) Ticket-Granting Ticket, which includes the client ID (A), the (Ks), and it is encrypted using the secret key KTGS , shared between AS and TGS 5

  6. Get a ticket After she logs in, Alice may tell the workstation that she wants to contact Bob the file server. The workstation then sends message (3) to TGS asking for a ticket to use with Bob. The message (3) is composed by: KTGS(A, Ks). the ID of the requested server,Bob. Ks(A,T) Using the key KTGS the TGS can obtain the session Key Ksused to decrypt Ks (A,T) and then proof that the sender is really A.

  7. The Alices client asks to Alice the password when the message from AS has been received . The password is used to generate Ka. If using Ka the message can be decrypted, then the user is authenticated by AS and Alice obtains the KS key and the ticket KTGS(A,Ks). The client deletes the Alice s password. So, the password is present in the client only a few millisecond. Note that the passwords are stored at the Kerberos server, not at the client, and that the passwords did not have to be passed across the network, even in encrypted form (security advantage).

  8. The TGS responds by creating a session key, KAB for Alice to use with Bob. Two versions of it are sent back. The first is encrypted with only KS, so Alice can reat it. The second is encrypted with Bob key, KB, so Bob can read it.(4) KS (B, KAB) KB (A, KAB) Alice can send KAB to Bob to establish a session with him. This exchange is also time stamped. KB(A, KAB), KAB(t) (5) The response is the proof to Alice that she is actually talking with Bob KAB(t+1) (6)

  9. The client decrypts the confirmation using KAB, and checks whether the timestamp is correctly updated. If so,then the client can trust the server and can start issuing service requests to the server. The server provides the requested services to the client. If Alice decides she needs to talk with another server, Carol, she simply repeats message (3) to the TGS, only now specifying C instead of B. The TGS will respond with a ticket encrypted with Kc that Alice can send to Carol and that Carol will accept as proof that it came from Alice. Alice can access servers all over the network in a secure way, and her password never as to go over the network.

  10. Authentication servers The servers offering services may belong to different domains, each of them with own AS and TGS. If a client wishes to access a server belonging to a different domain it is necessary to require to the local TGS a ticket that is accepted by the remote TGS. In order to achieve this result, the remote TGS must be registered on the local TGS as a local server. In this way, the local TGS can give to Alice a valid ticket for the remote TGS and Alice is able to obtain a ticket for the remote server. 10

  11. Kerberos was carefully designed to withstand attacks in distributed environment. No password communicated on the network Cryptographic protection against spoofing. Limited period of validity. Each ticket is issued for a limited period of time. The ticket contains a time stamp with wich a receiving server determines the ticket validity.(long attacks, such brute force cryptanalysis, are usually neutralized because the attacker does not have time to complete the attack). Time stamps to prevent reply attacks. Kerberos requires reliable access to a universal clock. Each user request to a server is stamped with the time of the request. This time is compared to the current time. The request is accepted only if the time is reasonably close to the current time. 11

  12. DRAWBACKS Single point of failure: Il requires continous availability of the central server. When the Kerberos server is down,no one can log on (multiple Kerberos servers). Kerberos requires the clocks of the involved hosts to be synchronized. The tickets have a time availability period and if the host clock is not synchronized with the Kerberos server clock, the authentication will fail with the Kerberos server clock. Since all authentication is controlled by a centralized KDC, compromise of this authentication infrastructure will allow an attacker to impersonate any user. 12

Related


Understanding Kerberos Authentication in Network Security

Understanding Kerberos Authentication in Network Security

pcapp
Practical Aspects of Modern Cryptography: November 2016

Practical Aspects of Modern Cryptography: November 2016

stripling_d
Understanding Authentication Mechanisms and Security Vulnerabilities

Understanding Authentication Mechanisms and Security Vulnerabilities

lev_tre
Understanding OSI Model and TCP/IP Protocol Suite in Computer Networking

Understanding OSI Model and TCP/IP Protocol Suite in Computer Networking

gwendolyn
Security and Privacy in 3G/4G/5G Networks: The AKA Protocol

Security and Privacy in 3G/4G/5G Networks: The AKA Protocol

muey769
Security and Authentication in Electronic Filing Systems: Arkansas Subcommittee Report

Security and Authentication in Electronic Filing Systems: Arkansas Subcommittee Report

harri
DAVA Drugs Authentication & Verification Application by National Informatics Centre

DAVA Drugs Authentication & Verification Application by National Informatics Centre

ruxt_322
Setting Up Multi-Factor Authentication at Moraine Park

Setting Up Multi-Factor Authentication at Moraine Park

leid_3
Evolution of User Authentication Practices: Moving Beyond IP Filtering

Evolution of User Authentication Practices: Moving Beyond IP Filtering

rin_fi
An Open-Source SPDM Implementation for Secure Device Communication

An Open-Source SPDM Implementation for Secure Device Communication

eley395
Understanding Mobile Computing and TCP/IP Protocol Suite

Understanding Mobile Computing and TCP/IP Protocol Suite

ambrosia
Understanding EIGRP: A Comprehensive Overview

Understanding EIGRP: A Comprehensive Overview

rebeca
Guide to Setting Up EU Login and Two-Factor Authentication

Guide to Setting Up EU Login and Two-Factor Authentication

wolfgang
Enhancing Security with Two-Factor Authentication in Funding & Tenders Portal

Enhancing Security with Two-Factor Authentication in Funding & Tenders Portal

torquil
Two-Step Authentication Implementation for Enhanced Security

Two-Step Authentication Implementation for Enhanced Security

lumina
Implementing 2FA for UW Azure AD: Best Practices and Options

Implementing 2FA for UW Azure AD: Best Practices and Options

adlai
Setting Up Two-Factor Authentication for HRMS Access

Setting Up Two-Factor Authentication for HRMS Access

japp320
Authentication and Authorization in Astronomy: A Deep Dive into ASTERICS

Authentication and Authorization in Astronomy: A Deep Dive into ASTERICS

anna_ght
Understanding OSI Model and TCP/IP Protocol Suite

Understanding OSI Model and TCP/IP Protocol Suite

marlie
Understanding SFTP Server Functionality with ACS 5.x by Mohammad Azharuddin AAA Team

Understanding SFTP Server Functionality with ACS 5.x by Mohammad Azharuddin AAA Team

aimenmo
Essential Elements of Clinical Trial Protocols

Essential Elements of Clinical Trial Protocols

rjmi
Adaptive Tree-based Convergecast Protocol

Adaptive Tree-based Convergecast Protocol

zofia
London Homeless Coalition (LHC) Death Communication Protocol

London Homeless Coalition (LHC) Death Communication Protocol

cinder
MAAP Protocol Overview in IEEE 1722: Address Acquisition and Message Format

MAAP Protocol Overview in IEEE 1722: Address Acquisition and Message Format

chace

More Related Content

IEEE 802.11-20/1761r1 Ranging Protocol for 11bd
IEEE 802.11-20/1761r1 Ranging Protocol for 11bd
Enhanced Family Court Police Disclosure Protocol for 2024
Enhanced Family Court Police Disclosure Protocol for 2024
Sync HotStuff: Practical Synchronous State Machine Replication
Sync HotStuff: Practical Synchronous State Machine Replication
Guideline for Submitting a New IRB Protocol
Guideline for Submitting a New IRB Protocol
Implementing Red Hat Identity Management (IPA) for Improved Identity Management and Access Control
Implementing Red Hat Identity Management (IPA) for Improved Identity Management and Access Control
Secure Usage of Kibana & ElasticSearch in Multi-User Environments
Secure Usage of Kibana & ElasticSearch in Multi-User Environments
Understanding Full Committee Review (FCR) vs. Designated Member Review (DMR) for New IACUC Members
Understanding Full Committee Review (FCR) vs. Designated Member Review (DMR) for New IACUC Members
Understanding the Nagoya Protocol on Access and Benefit Sharing
Understanding the Nagoya Protocol on Access and Benefit Sharing
Understanding the CEDAW Optional Protocol
Understanding the CEDAW Optional Protocol
Understanding TCP Protocol and Reliability in Networking
Understanding TCP Protocol and Reliability in Networking
Understanding User Datagram Protocol (UDP) in Unix and Network Programming
Understanding User Datagram Protocol (UDP) in Unix and Network Programming
Understanding Network Time Protocol (NTP) for Clock Synchronization in Distributed Systems
Understanding Network Time Protocol (NTP) for Clock Synchronization in Distributed Systems
Understanding the Key Articles of the Nagoya Protocol on Access to Genetic Resources and Benefit-Sharing
Understanding the Key Articles of the Nagoya Protocol on Access to Genetic Resources and Benefit-Sharing
Understanding NMEA Protocol in Maritime Technology
Understanding NMEA Protocol in Maritime Technology
Leveraging Evaluation Data for Data-Informed Decision-Making
Leveraging Evaluation Data for Data-Informed Decision-Making
Understanding the Raft Consensus Protocol
Understanding the Raft Consensus Protocol
Understanding Novell NetWare: A Comprehensive Overview
Understanding Novell NetWare: A Comprehensive Overview
Addressing 5G Signaling Protocol Vulnerabilities
Addressing 5G Signaling Protocol Vulnerabilities
Suicide Prevention & Postvention Protocol
Suicide Prevention & Postvention Protocol
Comprehensive ICU Protocol for Sedation, Analgesia, and Delirium Control by Dr. Vinod Srivastava
Comprehensive ICU Protocol for Sedation, Analgesia, and Delirium Control by Dr. Vinod Srivastava
Important Networking Concepts Overview
Important Networking Concepts Overview
Roughtime: Securing time for IoT devices
Roughtime: Securing time for IoT devices
Hospital-Based Rapid Methadone Initiation Protocol in Fentanyl Era
Hospital-Based Rapid Methadone Initiation Protocol in Fentanyl Era
Effective Protocol Deviation Management in Clinical Research
Effective Protocol Deviation Management in Clinical Research