KerberosAuthenticationProtocolASHOK BASNET (066BCT505)BIBEK SUBEDI (066BCT506)DINESH SUBEDI (066BCT512)
What is Kerberos    Network authentication protocol    Developed at MIT in the mid 1980s    Available as open source or...
Kerberos vs Firewall    Firewalls make a risky assumption: that attackers     are coming from the outside. In reality, at...
Why Kerberos    Sending usernames and passwords in the clear     jeopardizes the security of the network.    Each time a...
Architecture    It consists of following 3 components1.   Client2.   Authentication Server or Key Distribution Server (KD...
AS Exchange   Exchange between client and Authentication Server    (KDC)   Client sends KRB_AS_REQ msg to KDC specifying...
TGS Exchange   Is used to obtain additional tickets for the servers.   Doesn’t need client’s secret key for encryption ...
CS Exchange   Client contacts with the real server   Client sends KRB_AP_REQ to the server specifying the    service   ...
Implementation   Athena Project at MIT   Microsoft WIndows
Limitations   Only provides authentication   Central Authentication server   Cannot migrate existing password hashes in...
Kerberos Authentication Protocol
Kerberos Authentication Protocol
Upcoming SlideShare
Loading in …5
×

Kerberos Authentication Protocol

7,988 views
7,427 views

Published on

Published in: Education

Kerberos Authentication Protocol

  1. 1. KerberosAuthenticationProtocolASHOK BASNET (066BCT505)BIBEK SUBEDI (066BCT506)DINESH SUBEDI (066BCT512)
  2. 2. What is Kerberos  Network authentication protocol  Developed at MIT in the mid 1980s  Available as open source or in supported commercial software
  3. 3. Kerberos vs Firewall  Firewalls make a risky assumption: that attackers are coming from the outside. In reality, attacks frequently come from within.  Kerberos assumes that network connections (rather than servers and work stations) are the weak link in network security.
  4. 4. Why Kerberos  Sending usernames and passwords in the clear jeopardizes the security of the network.  Each time a password is sent in the clear, there is a chance for interception.
  5. 5. Architecture It consists of following 3 components1. Client2. Authentication Server or Key Distribution Server (KDC)3. ServerAnd has 3 main exchanges1. Authentication Service (AS) Exchange2. Ticket Granting Service (TGS) Exchange3. Client Server (CS) Exchange
  6. 6. AS Exchange Exchange between client and Authentication Server (KDC) Client sends KRB_AS_REQ msg to KDC specifying credentials it wants Server replies with msg KRB_AS_REP containing the ticket and session key The Session key is encrypted with client’s secret key The TGT is encrypted with server’s secret key The encryption type is DES by default
  7. 7. TGS Exchange Is used to obtain additional tickets for the servers. Doesn’t need client’s secret key for encryption Transparent to the user TGS must have access to all secret keys But encrypts the ticket using server’s secret key Client sends KRB_TGS_REQ to the TGS server Server replies KRB_TGS_REP to the client with ticket
  8. 8. CS Exchange Client contacts with the real server Client sends KRB_AP_REQ to the server specifying the service Server validates client by decrypting ticket with server’s secret key and decrypting authenticator with sessions key contained in ticket Server optionally replies with KRB_AP_REP
  9. 9. Implementation Athena Project at MIT Microsoft WIndows
  10. 10. Limitations Only provides authentication Central Authentication server Cannot migrate existing password hashes into the Kerberos database Authentication is only as good as the users password Assumes relatively secure hosts on an insecure network Strict time requirements Complicates virtual hosting

×