ppt of Kerberos
- Network authentication protocol
- Developed at MIT in the mid 1980s
- Available as open source or in supported commercial software
- Shared secret-based strong third-party authentication
  - allows users access to services distributed through the network
  - without needing to trust all workstations
  - rather, all trust a central authentication server
- A computer network authentication protocol
- Provides a centralized authentication server to authenticate users to servers and servers to users in a secure manner
- Relies on conventional encryption, making no use of public-key encryption
- Prevents eavesdropping or replay attacks
- Two versions: version 4 and 5
- Version 4 makes use of DES
- Sending usernames and passwords in the clear jeopardizes the security of the network.
- Each time a password is sent in the clear, there is a chance for interception.

3 Threats:
- Pretending to be another user from the workstation
- Sending requests from an impersonated workstation
- Replay attack to gain service or disrupt operations
Solution
- Building elaborate authentication protocols at each server
- A centralized authentication server (Kerberos)
- Passwords are never sent across the network in Kerberos
- A basic third-party authentication scheme
- Has an Authentication Server (AS)
  - users initially negotiate with the AS to identify themselves
  - the AS provides a non-corruptible authentication credential (ticket granting ticket, TGT)
- Has a Ticket Granting Server (TGS)
  - users subsequently request access to other services from the TGS on the basis of the user's TGT
1. Authenticate
2. Receive TGT

Using the TGT:

3. Request Service Ticket
4. Receive Service Ticket
5. Get Service
Domain Authentication and Resource Access

Parties: Kerberos client, Authentication Service (AS), Ticket Granting Service (TGS), AppServ.

1. Request a ticket for the TGS (client to AS)
2. Return TGT to client (AS to client)
3. Send TGT and request for a ticket to AppServ (client to TGS)
4. Return ticket for AppServ (TGS to client)
5. Send session ticket to AppServ (client to AppServ)
6. (Optional) Send confirmation of identity to client (AppServ to client)
Cast of the following slides:
- XYZ Service: represents something requiring Kerberos authentication (web server, ftp server, ssh server, etc.)
- Key Distribution Center (KDC): hosts the Ticket Granting Service and the Authentication Service
- Susan, at Susan’s Desktop Computer

Susan’s desktop to the Authentication Service:
  “I’d like to be allowed to get tickets from the Ticket Granting Server, please.”

Authentication Service to Susan’s desktop:
  “Okay. I locked this box with your secret password. If you can unlock it, you can use its contents to access my Ticket Granting Service.”

Susan’s desktop now holds a TGT.
Because Susan was able to open the box (decrypt a message) from the Authentication Service, she is now the owner of a “Ticket-Granting Ticket” (TGT).

The Ticket-Granting Ticket (TGT) must be presented to the Ticket Granting Service in order to acquire “service tickets” for use with services requiring Kerberos authentication.

The TGT contains no password information.
Susan’s desktop to the Ticket Granting Service:
  “Let me prove I am Susan to XYZ Service. Here’s a copy of my TGT!”

Ticket Granting Service to Susan’s desktop:
  “You’re Susan. Here, take this.”
  (the service ticket reads: “Hey XYZ: Susan is Susan. CONFIRMED: TGS”)

Susan’s desktop to XYZ Service:
  “I’m Susan. I’ll prove it. Here’s a copy of my legit service ticket for XYZ.”

XYZ Service:
  “That’s Susan alright. Let me determine if she is authorized to use me.”
One remaining note:


Tickets (your TGT as well as service-specific
tickets) have expiration dates configured by your
local system administrator(s). An expired ticket is
unusable.


Until a ticket’s expiration, it may be used
repeatedly.
Susan’s desktop to XYZ Service (later, with the same service ticket):
  “ME AGAIN! I’ll prove it. Here’s another copy of my legit service ticket for XYZ.”

XYZ Service:
  “That’s Susan… again. Let me determine if she is authorized to use me.”
Once per user logon session (client C and the Kerberos Authentication Server AS):

  1. C -> AS:  IDc, IDtgs, TS1
  2. AS -> C:  E_Kc[ Kc.tgs, IDtgs, TS2, LIFETIME2, TICKETtgs ]

     TICKETtgs = E_Ktgs[ Kc.tgs, IDc, ADc, IDtgs, TS2, LIFETIME2 ]

Once per type of service (client C and the Kerberos Ticket Granting Server TGS):

  3. C -> TGS: TICKETtgs, AUTHENc, IDv
  4. TGS -> C: E_Kc.tgs[ Kc.v, IDv, TS4, TICKETv ]

     TICKETtgs = E_Ktgs[ Kc.tgs, IDc, ADc, IDtgs, TS2, LIFETIME2 ]
     AUTHENc   = E_Kc.tgs[ IDc, ADc, TS3 ]
     TICKETv   = E_Kv[ Kc.v, IDc, ADc, IDv, TS4, LIFETIME4 ]

Once per service session (client C and application server V):

  5. C -> V:   TICKETv, AUTHENc
  6. V -> C:   E_Kc.v[ TS5 + 1 ]

     TICKETv = E_Kv[ Kc.v, IDc, ADc, IDv, TS4, LIFETIME4 ]
     AUTHENc = E_Kc.v[ IDc, ADc, TS5 ]
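The six messages above, which the Susan slides act out in words, as an added example that is not code from the original slides. It assumes a single realm with three constructed principals (susan, krbtgt standing for the TGS, and xyz for XYZ Service), a constructed stand-in cipher for DES (SHA-256 keystream plus an HMAC-SHA256 tag, so it runs with the standard library alone) and constructed keys, addresses and timestamps. The verifier side applies the checks the ticket fields are there for: ticket lifetime, IDc and ADc agreeing between ticket and authenticator and with the sender, and authenticator freshness; it also keeps a replay cache, which is a Kerberos 5 feature rather than part of the v4 exchange shown, so that the “ME AGAIN” reuse of a ticket works only with a fresh authenticator.

```python
"""Toy walk-through of the Kerberos v4 exchange drawn on the slides (Susan, the KDC's AS and
TGS, XYZ Service). Added example, not code from the slides: the cipher is a constructed
stand-in for DES (SHA-256 keystream + HMAC-SHA256 tag) so only the standard library is
needed, and every key, identity, address and timestamp is a constructed sample value."""
import hashlib, hmac, json, os

CLOCK_SKEW = 300             # seconds an authenticator timestamp may differ from the verifier's clock
TGT_LIFETIME = 8 * 3600      # LIFETIME2 on the slides
SERVICE_LIFETIME = 3600      # LIFETIME4 on the slides
SEEN_AUTHENTICATORS = set()  # replay cache kept by each verifier

def _keystream(key, nonce, length):
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def encrypt(key, fields):
    """E_K[...] on the slides: authenticated encryption of a dict (constructed cipher)."""
    pt = json.dumps(fields, sort_keys=True).encode()
    nonce = os.urandom(16)
    body = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + body + hmac.new(key, nonce + body, hashlib.sha256).digest()

def decrypt(key, blob):
    """Inverse of encrypt(); raises ValueError on a wrong key or a tampered blob."""
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, hashlib.sha256).digest()):
        raise ValueError("decryption failed: wrong key or tampered ciphertext")
    return json.loads(bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body)))))

def password_key(password):
    """Kc is derived from the password on the client; the password itself is never sent."""
    return hashlib.sha256(b"toy-kerberos|" + password.encode()).digest()

# Key Distribution Center: the long-term key of every registered principal (constructed).
KDC_KEYS = {"susan": password_key("correct horse battery staple"),  # Kc
            "krbtgt": os.urandom(32),                               # Ktgs
            "xyz": os.urandom(32)}                                  # Kv, also held by XYZ Service

def _verify(server_key, ticket, authen, sender_addr, now, id_self):
    """Checks shared by the TGS (step 3) and XYZ (step 5): open the ticket with the server's own
    key, then open the authenticator with the session key carried inside the ticket."""
    t = decrypt(server_key, ticket)
    if t["server"] != id_self:
        raise PermissionError("ticket issued for another server")
    if not t["TS"] <= now <= t["TS"] + t["LIFETIME"]:
        raise PermissionError("ticket expired")
    session_key = bytes.fromhex(t["session_key"])
    a = decrypt(session_key, authen)  # only the ticket's rightful owner holds this key
    if (a["IDc"], a["ADc"]) != (t["IDc"], t["ADc"]) or a["ADc"] != sender_addr:
        raise PermissionError("authenticator does not match ticket or sender")
    if abs(a["TS"] - now) > CLOCK_SKEW:
        raise PermissionError("authenticator timestamp too old")
    cache_key = (id_self, a["IDc"], a["ADc"], a["TS"])
    if cache_key in SEEN_AUTHENTICATORS:  # v5-style replay cache; v4 relied on the timestamp alone
        raise PermissionError("replayed authenticator")
    SEEN_AUTHENTICATORS.add(cache_key)
    return t, a, session_key

def as_exchange(id_c, sender_addr, id_tgs, ts1):
    """Steps 1-2: C -> AS: IDc, IDtgs, TS1 (clear); AS -> C: E_Kc[Kc.tgs, IDtgs, TS2, LIFETIME2, TICKETtgs]."""
    k_c_tgs = os.urandom(32)
    tgt = encrypt(KDC_KEYS[id_tgs], {"session_key": k_c_tgs.hex(), "IDc": id_c, "ADc": sender_addr,
                                     "server": id_tgs, "TS": ts1, "LIFETIME": TGT_LIFETIME})
    return encrypt(KDC_KEYS[id_c], {"session_key": k_c_tgs.hex(), "server": id_tgs, "TS": ts1,
                                    "LIFETIME": TGT_LIFETIME, "ticket": tgt.hex()})

def tgs_exchange(ticket_tgs, authen_c, id_v, sender_addr, now):
    """Steps 3-4: C -> TGS: TICKETtgs, AUTHENc, IDv; TGS -> C: E_Kc.tgs[Kc.v, IDv, TS4, TICKETv]."""
    t, _, k_c_tgs = _verify(KDC_KEYS["krbtgt"], ticket_tgs, authen_c, sender_addr, now, "krbtgt")
    k_c_v = os.urandom(32)
    ticket_v = encrypt(KDC_KEYS[id_v], {"session_key": k_c_v.hex(), "IDc": t["IDc"], "ADc": t["ADc"],
                                        "server": id_v, "TS": now, "LIFETIME": SERVICE_LIFETIME})
    return encrypt(k_c_tgs, {"session_key": k_c_v.hex(), "server": id_v, "TS": now, "ticket": ticket_v.hex()})

def server_exchange(ticket_v, authen_c, sender_addr, now):
    """Steps 5-6: C -> V: TICKETv, AUTHENc; V -> C: E_Kc.v[TS5 + 1], which proves V holds Kv."""
    _, a, k_c_v = _verify(KDC_KEYS["xyz"], ticket_v, authen_c, sender_addr, now, "xyz")
    return encrypt(k_c_v, {"TS": a["TS"] + 1})

def get_service_ticket(id_c, password, addr, now):
    """Client side of steps 1-4: returns (TICKETv, Kc.v); a wrong password fails at step 2."""
    reply2 = decrypt(password_key(password), as_exchange(id_c, addr, "krbtgt", now))
    k_c_tgs = bytes.fromhex(reply2["session_key"])
    authen3 = encrypt(k_c_tgs, {"IDc": id_c, "ADc": addr, "TS": now})
    reply4 = decrypt(k_c_tgs, tgs_exchange(bytes.fromhex(reply2["ticket"]), authen3, "xyz", addr, now))
    return bytes.fromhex(reply4["ticket"]), bytes.fromhex(reply4["session_key"])

def use_service(ticket_v, k_c_v, id_c, addr, now):
    """Client side of steps 5-6 with a fresh authenticator; True once XYZ's TS5 + 1 reply checks out."""
    authen5 = encrypt(k_c_v, {"IDc": id_c, "ADc": addr, "TS": now})
    return decrypt(k_c_v, server_exchange(ticket_v, authen5, addr, now))["TS"] == now + 1

def rejection(step, *args):
    """Runs one exchange step; returns the refusal reason, or None when it was accepted."""
    try:
        step(*args)
        return None
    except (PermissionError, ValueError) as err:
        return str(err)
```

Calling get_service_ticket("susan", "correct horse battery staple", "10.0.0.7", now) runs steps 1 to 4 and returns the service ticket with Kc.v; use_service then runs steps 5 and 6 and can be repeated with the same ticket until LIFETIME4 elapses. Note that the AS never sees or checks the password: a wrong password only shows up as the client failing to open the step 2 reply, and a request whose authenticator was built on another workstation fails the ADc comparison at the server.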
- A Kerberos environment consists of:
  - a Kerberos server
  - a number of clients, all registered with the server
  - application servers, sharing keys with the server
- This is termed a realm
  - typically a single administrative domain
- If there are multiple realms, their Kerberos servers must share keys and trust each other
- The Kerberos server in each realm shares a secret key with the servers of the other realms.
- This requires that:
  - the Kerberos server in one realm trusts the one in the other realm to authenticate its users
  - the second also trusts the Kerberos server in the first realm
- For scalability it is advantageous to divide the network into realms, each with its own AS and TGS
- Realms are registered with a Remote TGS (RTGS). Accessing a service now requires:
  - a user request for an RTGS ticket from the local TGS
  - a user request for the service ticket from the RTGS
Inter-realm exchange as drawn on the slide (steps recovered from the diagram):
  4. Ticket for remote TGS
  5. Request ticket for remote server
  6. Ticket for remote server
  7. Request for remote service
- Users' passwords are never sent across the network, encrypted or in plain text
- Secret keys are only passed across the network in encrypted form
- Client and server systems mutually authenticate
- Kerberos limits the duration of its users' authentication
- Authentications are reusable and durable
- Kerberos has been scrutinized by many of the top programmers, cryptologists and security experts in the industry
Version 5
- developed in the mid 1990s
- provides improvements over v4
  - addresses environmental shortcomings
    - encryption algorithm, network protocol, byte order, ticket lifetime, authentication forwarding, interrealm authentication
  - and technical deficiencies
    - double encryption, non-standard mode of use, session keys, password attacks
- specified as Internet standard RFC 1510