Network Security Lecture 5b - 103426


NETWORK SECURITY
KERBEROS AUTHENTICATION AND AUTHORIZATION PROTOCOL

What is Kerberos?
• Kerberos is a protocol for authenticating service requests between trusted hosts
across an untrusted network, such as the internet.
• Kerberos support is built into all major operating systems, including Microsoft
Windows, Apple macOS, FreeBSD and Linux.
• The name was taken from Greek mythology; Kerberos (Cerberus) was a three-headed
dog who guarded the gates of Hades.
• The three heads of the Kerberos protocol represent the following:
• 1. the client, or Kerberos principal;
• 2. the network resource (service principal), i.e. the application server that provides
access to the network resource; and
• 3. a key distribution center (KDC), which acts as Kerberos' trusted third-party
authentication service.
• Users, systems and services using Kerberos need only trust the KDC, with which each of
them shares a long-term secret key.
• The KDC typically runs as a single process and provides two services: an authentication
service (AS) and a ticket granting service (TGS).
• KDC "tickets" provide mutual authentication, allowing nodes to prove their identity
to one another in a secure manner (the server proves its identity back to the client only
when the client requests mutual authentication).
• Kerberos authentication uses conventional shared-secret cryptography so that tickets and
authenticators traveling across the network cannot be read or changed.
• Timestamps inside the encrypted authenticators also protect the exchange against
eavesdropping and replay attacks.
What does the Kerberos authentication protocol do?
• The original objective of Kerberos was to provide a way for users of the MIT network to
securely authenticate themselves to the systems they needed to use.
• It also enabled those users to be authorized to access those systems.
• At that time, networked systems typically authenticated users with a user ID and
password combination.
• Systems routinely transmitted passwords "in the clear," meaning unencrypted.
• Attackers with access to the network could easily eavesdrop on network transmissions,
intercept user IDs and passwords, and then attempt to access systems for which they were
not authorized.
• Kerberos developers set out to provide a network authentication protocol that could be
used to authenticate trusted hosts communicating over untrusted networks.
• In particular, they intended to provide system administrators a mechanism for
authenticating access to systems over an open network -- the internet.
• Kerberos was initially designed as the "Kerberos Authentication and Authorization
System".
• The designers aimed to provide a foundation for ensuring that only authorized users can
get access to specific networked resources.
• They intended Kerberos' authentication as a means for supporting authorization.
• Kerberos was also designed to interface with secure accounting systems. This
provided the third "A" of the authentication, authorization and accounting (AAA) triad.
• Users wish to access services on servers, and three threats exist:
• a user pretends to be another user;
• a user alters the network address of a workstation so that requests appear to come from
another workstation;
• a user eavesdrops on exchanges and later replays them.
• Kerberos provides a centralized authentication server to authenticate users to servers
and servers to users.
• Relies on conventional (symmetric) encryption, making no use of public-key encryption
in the base protocol.
• Two versions: version 4 and version 5.
• Version 4 makes use of DES; version 5 negotiates the encryption type and supports stronger
ciphers such as AES.
• There are three different sets of entities that use Kerberos:
• 1. Kerberos principals. A principal is any unique identity to which Kerberos can issue a
ticket.
• For most users, a principal is the same as a user ID (written user@REALM).
• Hosts and services that can be assigned Kerberos tickets are principals too; individual
clients are one type of Kerberos principal.
• A service principal is an identity assigned to an application service that is accessed
through Kerberos (written service/hostname@REALM).
• 2. Kerberos application servers. Any system providing access to resources that require
client authentication through Kerberos.
• For example, application servers can include file and print services, terminal emulation,
remote computing and email.
• 3. Kerberos key distribution center (KDC). The Kerberos authentication process depends
on the following KDC components:
• Kerberos database. This maintains a record for each principal in the realm. This is the
centralized repository for Kerberos authentication information. It includes identifying
information of the principal and the systems and services for which that principal can be
authenticated to use.
• Kerberos authentication service. Network clients use this Kerberos service to authenticate
themselves to get a ticket granting ticket (TGT), also known as an authentication ticket.
• Kerberos ticket granting service. This Kerberos service accepts the TGT so that clients can
access their application servers.
THE KERBEROS AUTHENTICATION PROCESS
• A simplified description of how Kerberos works follows; the actual process is more
complicated and may vary from one implementation to another:
• 1. Authentication server request. To start the Kerberos client authentication process, the
initiating client sends an authentication request (AS-REQ) naming its principal to the KDC
authentication server. The request itself is not encrypted; in version 5 it normally carries
pre-authentication data (a timestamp encrypted under the client's key), so the KDC can
reject requests from anyone who does not know the password.
• The authentication server verifies that the client is in the KDC database and retrieves the
initiating client's long-term secret key (derived from the user's password). Kerberos uses
shared secret keys, not private keys in the public-key sense.
• 2. Authentication server response. If the initiating client's username isn't found in the
KDC database, the client cannot be authenticated, and the authentication process stops.
Otherwise, the authentication server sends the client a TGT (encrypted under the TGS's own
key, so the client can carry it but not read or alter it) and a session key encrypted under
the client's long-term key; only a client that knows the password can recover the session key.
• 3. Service ticket request. Once authenticated by the authentication server, the client asks
for a service ticket from the TGS.
• This request (TGS-REQ) must be accompanied by the TGT sent by the KDC authentication
server and by an authenticator (the client's name and a fresh timestamp encrypted under
the TGT session key), which proves that the client holds that session key.
• 4. Service ticket response. If the TGS can authenticate the client, it sends a ticket for the
requested service, encrypted under the service's long-term key, together with a new
client-to-service session key.
• This new session key is encrypted with the session key shared between the client and
the TGS, so it is specific to this user and the service being accessed.
• 5. Application server request. The client sends a request (AP-REQ) to the application
server that includes the service ticket received in step 4 and a fresh authenticator
encrypted under the client-to-service session key. If the application server can decrypt
the ticket with its own key and the authenticator matches the ticket, the client can access
the server; if mutual authentication was requested, the server replies with the
authenticator's timestamp encrypted under the session key.

• The service ticket sent by the TGS enables the client to access the service.
• The service ticket carries a start and an end time, so a single ticket can be reused for that
period without re-authenticating to the KDC; each use still needs a fresh authenticator, and
servers keep a replay cache of recently seen authenticators so that a captured one cannot be
replayed.
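The five steps above, the KDC components listed earlier (principal database, authentication service, ticket granting service) and the ticket-lifetime and replay checks, modelled in Python as an added example. This is not code from the lecture or from any Kerberos implementation: a stand-in authenticated cipher built from HMAC-SHA256 (standard library only) replaces the real Kerberos encryption types, messages are JSON dictionaries rather than ASN.1, and the realm name, ticket lifetime, principal names and password are made up. What the model does preserve is who holds which key: a ticket is sealed under the key of the service it is for, a session key is sealed under a key the client already has, and every use of a ticket comes with a fresh timestamped authenticator that the verifier checks against its clock and a replay cache.

```python
import hashlib, hmac, json, os
REALM = "EXAMPLE.COM"        # assumed realm name
TICKET_LIFETIME = 8 * 3600   # seconds a ticket stays valid (assumed)
CLOCK_SKEW = 300             # RFC 4120's default 5-minute clock tolerance
TGS = "krbtgt/" + REALM      # principal name of the ticket granting service itself

def derive_key(password, principal):
    """Long-term key from a password (stand-in for the Kerberos string-to-key function)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), (REALM + principal).encode(), 10_000)

def _xor_stream(key, nonce, data):
    out = bytearray()                      # keystream = HMAC-SHA256(key, nonce || counter)
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def seal(key, obj):
    """Toy authenticated encryption of a dict: nonce || HMAC tag || ciphertext (not real AES)."""
    nonce = os.urandom(16)
    ct = _xor_stream(key, nonce, json.dumps(obj).encode())
    return nonce + hmac.new(key, nonce + ct, "sha256").digest() + ct

def unseal(key, blob):
    """Rejects anything not sealed under exactly this key (wrong password or tampering)."""
    nonce, tag, ct = blob[:16], blob[16:48], blob[48:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("bad key or tampered message")
    return json.loads(_xor_stream(key, nonce, ct))

def _validate(ticket, service, auth, now):
    """Ticket must name this service and be inside its lifetime; authenticator fresh and matching."""
    if ticket["service"] != service or not ticket["start"] <= now <= ticket["end"]:
        raise ValueError("ticket is for another service or outside its lifetime")
    if auth["client"] != ticket["client"] or abs(auth["timestamp"] - now) > CLOCK_SKEW:
        raise ValueError("authenticator does not match the ticket or is stale")

class KDC:
    """Principal database plus the authentication service (AS) and ticket granting service (TGS)."""
    def __init__(self):
        self.db = {TGS: os.urandom(32)}    # principal name -> long-term key

    def add_principal(self, name, password=None):
        """Users get password-derived keys; services get random keys (what a keytab stores)."""
        self.db[name] = derive_key(password, name) if password else os.urandom(32)
        return self.db[name]

    def _issue(self, client, service, now):
        """A ticket is sealed under the *service's* key, so the client can carry but not read it."""
        session = os.urandom(32)
        ticket = seal(self.db[service], {"client": client, "service": service, "session": session.hex(),
                                         "start": now, "end": now + TICKET_LIFETIME})
        return ticket, session

    def as_exchange(self, client, preauth, now):
        """Steps 1-2: AS-REQ with pre-authentication; AS-REP = TGT + session key under the client key."""
        if client not in self.db:
            raise KeyError("unknown principal")
        if abs(unseal(self.db[client], preauth)["timestamp"] - now) > CLOCK_SKEW:
            raise ValueError("pre-authentication timestamp outside allowed skew")
        tgt, session = self._issue(client, TGS, now)
        return tgt, seal(self.db[client], {"session": session.hex(), "service": TGS})

    def tgs_exchange(self, tgt, auth, service, now):
        """Steps 3-4: TGS-REQ = TGT + authenticator; TGS-REP = service ticket + new session key."""
        t = unseal(self.db[TGS], tgt)
        tgt_session = bytes.fromhex(t["session"])
        _validate(t, TGS, unseal(tgt_session, auth), now)
        ticket, session = self._issue(t["client"], service, now)   # KeyError if service unknown
        return ticket, seal(tgt_session, {"session": session.hex(), "service": service})

class Service:
    """An application server; it holds only its own long-term key and a replay cache."""
    def __init__(self, name, key):
        self.name, self.key, self.replay_cache = name, key, set()
    def ap_exchange(self, ticket, auth, now):
        """Step 5: AP-REQ = ticket + authenticator; AP-REP proves the server holds the service key."""
        t = unseal(self.key, ticket)
        session = bytes.fromhex(t["session"])
        a = unseal(session, auth)
        _validate(t, self.name, a, now)
        if (a["client"], a["timestamp"]) in self.replay_cache:
            raise ValueError("replayed authenticator")
        self.replay_cache.add((a["client"], a["timestamp"]))
        return t["client"], seal(session, {"timestamp": a["timestamp"]})

def client_login(kdc, service, user, password, now):
    """Client side of all five steps; returns (name the server accepted, service ticket, session key)."""
    key = derive_key(password, user)
    tgt, rep = kdc.as_exchange(user, seal(key, {"timestamp": now}), now)
    tgt_session = bytes.fromhex(unseal(key, rep)["session"])       # only the right password works here
    ticket, rep = kdc.tgs_exchange(tgt, seal(tgt_session, {"client": user, "timestamp": now}), service.name, now)
    svc_session = bytes.fromhex(unseal(tgt_session, rep)["session"])
    who, ap_rep = service.ap_exchange(ticket, seal(svc_session, {"client": user, "timestamp": now}), now)
    if unseal(svc_session, ap_rep)["timestamp"] != now:             # mutual authentication check
        raise ValueError("server did not prove it holds the service key")
    return who, ticket, svc_session
```

To try it, build a `KDC`, register a user with `add_principal(name, password)` and a service with `add_principal(name)` (the returned random key is what the service would keep in its keytab), wrap the service in `Service`, and call `client_login`. The interesting cases are the failures: a wrong password breaks the pre-authentication seal before any ticket is issued, a ticket for one service is unreadable by another, an authenticator reused with the same timestamp hits the replay cache, and a ticket presented after its end time is refused even with a fresh authenticator.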
KERBEROS - IN PRACTICE
• Currently we have two Kerberos versions:
• Kerberos version 4 and version 5
• Kerberos v5 is an Internet standard (RFC 4120, which replaced RFC 1510)
• To use Kerberos:
• There is a need to have a KDC on your network
• You also need to have Kerberised applications running on all participating systems
• A major problem historically was US export restrictions on the cryptography
• A Kerberos realm is a set of managed nodes that share the same Kerberos database.
• Kerberos version 4 inter-realm services: diagram shown on the next slide (not reproduced in
this text extract)