Windows 2000 Security
--Kerberos

COSC513 Project
Sihua Xu
December 19, 2010
         Outline

•The Three A’s of Security
•Kerberos Basics
•Windows 2000 implementation of Kerberos
•Benefits of Kerberos in Windows 2000
The Three A's of Security:
•Authentication -- the capability of one entity to prove its
identity to another entity
ID (driver's license), user logs on to the OS
•Authorization -- the process of discovering whether you
have the rights or permissions to do what you have asked
to do
Permission (R, W, D), Right (add user, install application)
•Auditing -- the process of checking whether something has
been done the way it is supposed to have been done
Audit trail
Windows 2000 Security
Default authentication protocol: Kerberos version 5
Microsoft's implementation of Kerberos:
•the function of Kerberos itself is to provide
authentication of users.
•Microsoft uses the ticket's authorization-data field, which
the base protocol leaves unused, to carry security identifier
(SID) information (the Privilege Attribute Certificate, PAC)
that supports the authorization process.
Kerberos Basics
-developed at MIT
-three basic message exchanges, each a request and a reply:
•   The Authentication Service Exchange
    (Logon)
•   The Ticket-Granting Service Exchange
    (Getting a Ticket to Ride)
•   The Client/Server Authentication Exchange
    (Accessing a Resource)
Kerberos Terms
Authentication Server (AS)
Kerberos Key Distribution Center (KDC)
Kerberos Authentication Server Request (KRB_AS_REQ)
Kerberos Authentication Server Reply (KRB_AS_REP)
Ticket-Granting Server (TGS)
Ticket-Granting Ticket (TGT)
Kerberos Ticket-Granting Service Request (KRB_TGS_REQ)
Kerberos Ticket-Granting Service Reply (KRB_TGS_REP)
Kerberos Client/Server Request (KRB_AP_REQ)
Kerberos Client/Server Reply (KRB_AP_REP)
Kerberos Components:

Realm: a logical collection of Kerberos clients and servers under one authentication
authority. The realm name is part of every principal name, and clients and servers use it to
work out which KDC holds the keys for a given principal.

Session key: a randomly generated, unique key used to encrypt parts of messages and to
carry on an encrypted conversation. It is generated by the KDC (by the AS for the logon session
key, by the TGS for a server session key), provided to the client in the encrypted part of the
reply, and provided to the destination server in the encrypted part of the ticket.

Ticket-Granting Server (TGS): the Kerberos server that validates a TGT and issues
tickets allowing access to resource or application servers.

Kerberos Components
Authentication Server (AS): the Kerberos server that verifies a client's long-term key
at logon and issues the TGT together with the logon session key.

Authenticator: a data structure built by the client to prove to a server that it knows the
session key. It includes the client's name and current time and is encrypted by the client
with the session key. When the server echoes that time back under the same key, the client
can verify that the reply comes from a valid server in the realm (mutual authentication).

Kerberos ticket: a data structure that identifies the client and carries a session key
(and, in Windows 2000, authorization data), encrypted with the long-term key of the server
it is issued for. Used to authenticate the client to a resource server or, in the case of the
TGT, to the TGS.

Key Distribution Center (KDC): manages the key database, which contains the user and
server identification information, the long-term keys derived from their passwords, and
other items.
Kerberos in Windows 2000
      KDC implemented as a domain service
            includes AS and TGS
      Kerberos realm in Windows 2000 -- the domain
            Each domain controller runs a KDC
      Active Directory
            backbone of Kerberos: the account and key database
Windows 2000 implementation of AS Exchange protocol:
         Obtaining a Logon Session Key

[Figure: client, DNS server and KDC (domain controller at 208.156.2.23); the client ends the
exchange holding a TGT and a logon session key. Steps as numbered in the figure:]
1. User enters ID and password.
2. Kerberos client converts the password into the user's long-term key.
3. DNS: client asks "where is the nearest KDC?" and is given a domain controller.
4. Client to KDC: KRB_AS_REQ, requesting a TGT and a logon session key.
5. KDC verifies the long-term key (identity).
6. KDC creates a logon session key.
7. KDC to client: TGT and logon session key via KRB_AS_REP.
8. Client now holds the logon session key and the TGT.
Windows 2000 implementation of TGS Exchange protocol:
         Getting a Ticket for a Particular Server

[Figure: client, Seascape server and KDC (208.156.2.23); the client already holds its TGT from
the AS exchange. Steps as numbered in the figure:]
1-2. Client wants to read a file from the Seascape server and needs a session ticket for it.
3. Client encrypts an authenticator with its logon session key.
4. Client to KDC: KRB_TGS_REQ, carrying the TGT and the authenticator.
5. KDC decrypts the TGT with its own key, recovers the logon session key inside it, and
   validates the authenticator.
6-7. KDC invents a new session key, encrypts one copy with the client's logon session key,
   and creates a session ticket (carrying the other copy) encrypted with the Seascape
   server's long-term key.
8. KDC to client: KRB_TGS_REP.
9. Client decrypts the session key with its logon session key.
Windows 2000 implementation of CS Exchange protocol:
         Using the Session Ticket for Admission

[Figure: client and Seascape server; the client holds the session ticket from the TGS exchange.
Steps as numbered in the figure:]
1. Client to server: KRB_AP_REQ, containing the session ticket and an authenticator
   encrypted with the session key.
2. Server decrypts the ticket with its long-term key, recovers the session key, and
   evaluates the authenticator.
3. Server to client: KRB_AP_REP, the time taken from the authenticator, encrypted with
   the session key.
4. Client compares the timestamp with the one it sent; a match proves the server knew
   the session key.
Take a common file|open operation. In Windows Explorer, a user finds a file share.
Active Directory directs the user to the location of the share. Next, the user finds an
individual file and opens it. The client sends the server a request that contains a
Kerberos ticket with the user's credential information (the SIDs in the ticket's
authorization data) included. The server decrypts the ticket and reads the credentials.
The operating system compares those SIDs with the ACL on the file to determine whether
the user has access.
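The three exchanges and the file-open ACL check above, as an added Python simulation; this is not code from the original slides or from Windows. A toy authenticated cipher stands in for the real Kerberos encryption types, the realm name, principal names, SIDs and ACL are constructed for the demo, and the ticket's authorization-data field carries the SID list the way the Windows PAC does. Note which key seals each message: the TGT is readable only by the KDC, the session ticket only by the Seascape server, and the reply parts only by the client.

```python
import hashlib, hmac, json, os, time
MAX_SKEW = 300  # seconds; Windows 2000 tolerates at most 5 minutes of clock skew by default

# Toy authenticated cipher standing in for the Kerberos encryption type (constructed for this demo).
def _keystream(key, nonce, n):
    blocks = [hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1)]
    return b"".join(blocks)[:n]
def encrypt(key, obj):
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()
def decrypt(key, blob):
    # Wrong key or tampering fails the tag check, so nothing decrypts without the right key.
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed (wrong key or tampered message)")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def long_term_key(password, principal):
    # String-to-key: the long-term key is derived from the password and never sent on the wire.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 10000)

def check_authenticator(session_key, blob, expected_client, now):
    # An authenticator proves knowledge of the session key and must be fresh (inside the skew window).
    auth = decrypt(session_key, blob)
    if auth["cname"] != expected_client or abs(now - auth["ctime"]) > MAX_SKEW:
        raise ValueError("authenticator rejected")
    return auth

class KDC:
    """Domain controller role: AS and TGS over an account database (Active Directory in Windows 2000)."""
    def __init__(self, realm):
        self.realm, self.accounts = realm, {}     # principal -> (long-term key, SIDs)
        self.krbtgt_key = os.urandom(32)           # key of the krbtgt account; every TGT is sealed with it

    def add(self, principal, password, sids):
        self.accounts[principal] = (long_term_key(password, principal), sids)

    def as_exchange(self, req, now):
        """KRB_AS_REQ -> KRB_AS_REP: verify the user's long-term key, return TGT + logon session key."""
        key, sids = self.accounts[req["cname"]]
        if abs(now - decrypt(key, req["padata"])["ctime"]) > MAX_SKEW:   # pre-authentication timestamp
            raise ValueError("pre-authentication failed")
        logon_key = os.urandom(32)
        tgt = {"cname": req["cname"], "key": logon_key.hex(), "authdata": sids}  # SIDs ride in authdata (PAC)
        return {"ticket": encrypt(self.krbtgt_key, tgt),
                "enc_part": encrypt(key, {"key": logon_key.hex(), "sname": "krbtgt/" + self.realm})}

    def tgs_exchange(self, req, now):
        """KRB_TGS_REQ -> KRB_TGS_REP: validate TGT + authenticator, mint a ticket for one server."""
        tgt = decrypt(self.krbtgt_key, req["tgt"])
        logon_key = bytes.fromhex(tgt["key"])
        check_authenticator(logon_key, req["authenticator"], tgt["cname"], now)
        session_key = os.urandom(32)
        ticket = {"cname": tgt["cname"], "key": session_key.hex(), "authdata": tgt["authdata"]}
        return {"ticket": encrypt(self.accounts[req["sname"]][0], ticket),   # sealed with the server's key
                "enc_part": encrypt(logon_key, {"key": session_key.hex(), "sname": req["sname"]})}

def ap_exchange(server_key, ap_req, now):
    """Server side of KRB_AP_REQ -> KRB_AP_REP: returns the ticket's authorization data and the reply."""
    ticket = decrypt(server_key, ap_req["ticket"])           # no round trip to the domain controller
    session_key = bytes.fromhex(ticket["key"])
    auth = check_authenticator(session_key, ap_req["authenticator"], ticket["cname"], now)
    return ticket["authdata"], encrypt(session_key, {"ctime": auth["ctime"]})  # mutual auth: echo ctime

def acl_allows(sids, acl, right):
    """Authorization step: grant if any SID carried in the ticket holds the right in the ACL."""
    return any(right in acl.get(sid, ()) for sid in sids)

def logon_and_open_file(kdc, user, password, server, acl, right="read"):
    """Client walk through all three exchanges, then the server's ACL decision."""
    now, ukey = int(time.time()), long_term_key(password, user)
    as_rep = kdc.as_exchange({"cname": user, "padata": encrypt(ukey, {"ctime": now})}, now)
    logon_key = bytes.fromhex(decrypt(ukey, as_rep["enc_part"])["key"])       # step 8: logon session key
    tgs_rep = kdc.tgs_exchange({"tgt": as_rep["ticket"], "sname": server,
                                "authenticator": encrypt(logon_key, {"cname": user, "ctime": now})}, now)
    session_key = bytes.fromhex(decrypt(logon_key, tgs_rep["enc_part"])["key"])
    ap_req = {"ticket": tgs_rep["ticket"], "authenticator": encrypt(session_key, {"cname": user, "ctime": now})}
    authdata, ap_rep = ap_exchange(kdc.accounts[server][0], ap_req, now)   # the server holds its own key
    if decrypt(session_key, ap_rep)["ctime"] != now:                         # client checks the server's reply
        raise ValueError("server failed mutual authentication")
    return acl_allows(authdata, acl, right)

def demo_kdc():
    """Constructed sample realm: one user in Domain Users, one guest, one file server (names assumed)."""
    kdc = KDC("EXAMPLE.LOCAL")
    kdc.add("sihua", "correct horse battery", ["S-1-5-21-1-1-1-1001", "S-1-5-21-1-1-1-513"])
    kdc.add("guest", "guest", ["S-1-5-21-1-1-1-501"])
    kdc.add("cifs/seascape", os.urandom(16).hex(), [])
    return kdc

REPORT_ACL = {"S-1-5-21-1-1-1-513": ("read",)}   # constructed ACL: Domain Users (RID 513) may read

if __name__ == "__main__":
    kdc = demo_kdc()
    print("sihua:", logon_and_open_file(kdc, "sihua", "correct horse battery", "cifs/seascape", REPORT_ACL))
    print("guest:", logon_and_open_file(kdc, "guest", "guest", "cifs/seascape", REPORT_ACL))
```

Running it prints `sihua: True` and `guest: False`: both users authenticate, but only the SID list carried in sihua's ticket satisfies the file's ACL, which is the authentication/authorization split the slides describe. A wrong password fails at the AS exchange (the pre-authentication data does not decrypt), and an old timestamp fails the skew check, which is the replay defence behind the authenticator.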
Kerberos enables cross-platform single-sign
on across the enterprise
            Benefits of Kerberos

More efficient authentication to servers.
The server does not need to go to a domain controller. It can
authenticate the client by examining the credentials presented by the
client. Clients can obtain credentials for a particular server once and
reuse them throughout a network logon session.

Mutual authentication.
Parties at both ends of a network connection can know that the party
on the other end is who it claims to be.

Delegated authentication.
Kerberos protocol has a proxy mechanism that allows a service to
impersonate its client when connecting to other services.
   Benefits of Kerberos
Simplified trust management.
Trust between the security authorities for
Windows 2000 domains is by default two-way and
transitive, so the many domains of a large network can be
organized in a tree of transitive, mutual trust.
Credentials issued by the security authority for any
domain are accepted everywhere in the tree.

Interoperability.
Microsoft's implementation of the Kerberos protocol is
based on the standards-track specification of the
Internet Engineering Task Force (IETF) (RFC 1510 at the
time), which lays a foundation for interoperability with other
networks where Kerberos version 5 is used for
authentication.

				