Kerberos Authentication Protocol
Upcoming SlideShare
Loading in...5

Kerberos Authentication Protocol






Total Views
Slideshare-icon Views on SlideShare
Embed Views



0 Embeds 0

No embeds



Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
Post Comment
Edit your comment

    Kerberos Authentication Protocol Kerberos Authentication Protocol Presentation Transcript

    • KerberosAuthenticationProtocolASHOK BASNET (066BCT505)BIBEK SUBEDI (066BCT506)DINESH SUBEDI (066BCT512)
    • What is Kerberos  Network authentication protocol  Developed at MIT in the mid 1980s  Available as open source or in supported commercial software
    • Kerberos vs Firewall  Firewalls make a risky assumption: that attackers are coming from the outside. In reality, attacks frequently come from within.  Kerberos assumes that network connections (rather than servers and work stations) are the weak link in network security.
    • Why Kerberos  Sending usernames and passwords in the clear jeopardizes the security of the network.  Each time a password is sent in the clear, there is a chance for interception.
    • Architecture It consists of following 3 components1. Client2. Authentication Server or Key Distribution Server (KDC)3. ServerAnd has 3 main exchanges1. Authentication Service (AS) Exchange2. Ticket Granting Service (TGS) Exchange3. Client Server (CS) Exchange
    • AS Exchange Exchange between client and Authentication Server (KDC) Client sends KRB_AS_REQ msg to KDC specifying credentials it wants Server replies with msg KRB_AS_REP containing the ticket and session key The Session key is encrypted with client’s secret key The TGT is encrypted with server’s secret key The encryption type is DES by default
    • TGS Exchange Is used to obtain additional tickets for the servers. Doesn’t need client’s secret key for encryption Transparent to the user TGS must have access to all secret keys But encrypts the ticket using server’s secret key Client sends KRB_TGS_REQ to the TGS server Server replies KRB_TGS_REP to the client with ticket
    • CS Exchange Client contacts with the real server Client sends KRB_AP_REQ to the server specifying the service Server validates client by decrypting ticket with server’s secret key and decrypting authenticator with sessions key contained in ticket Server optionally replies with KRB_AP_REP
    • Implementation Athena Project at MIT Microsoft WIndows
    • Limitations Only provides authentication Central Authentication server Cannot migrate existing password hashes into the Kerberos database Authentication is only as good as the users password Assumes relatively secure hosts on an insecure network Strict time requirements Complicates virtual hosting