Kerberos

2,185 views

Published on

Published in: Technology
0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
2,185
On SlideShare
0
From Embeds
0
Number of Embeds
3
Actions
Shares
0
Downloads
175
Comments
0
Likes
1
Embeds 0
No embeds

No notes for slide

Kerberos

  1. 1. KERBEROS A NETWORK AUTHENTICATION PROTOCOL Nick Parker CS372 Computer Networks
  2. 2. Introduction <ul><li>Kerberos </li></ul><ul><ul><li>Network Authentication Protocol </li></ul></ul><ul><ul><li>Mutual Network Authentication </li></ul></ul><ul><li>Project Athena </li></ul><ul><ul><li>Collaborative effort amongst MIT, Digital, and IBM </li></ul></ul><ul><ul><li>Support interoperability within large scale networks </li></ul></ul><ul><ul><li>Heterogeneous coherence </li></ul></ul>
  3. 3. Kerberos in the field <ul><li>AFS Apache (with the mod_auth_kerb module) </li></ul><ul><li>Apache 2 (using libapache-mod-auth-kerb) </li></ul><ul><li>Cisco routers and switches running IOS </li></ul><ul><li>Coda File System </li></ul><ul><li>Eudora </li></ul><ul><li>Mac OS X </li></ul><ul><li>Microsoft Windows (2000 and later) uses as default authentication protocol Mulberry , an e-mail client developed by Cyrusoft, Inc. </li></ul><ul><li>NFS (since NFSv3) </li></ul><ul><li>OpenSSH (with Kerberos v5 or higher) </li></ul><ul><li>PAM (with the pam_krb5 module) </li></ul><ul><li>Samba since v3.x </li></ul><ul><li>SOCKS (since SOCKS5) </li></ul><ul><li>Netatalk </li></ul><ul><li>The X Window System implementations </li></ul><ul><li>Indirectly, any software that allows the use of SASL for authentication, such as OpenLDAP , Dovecot IMAP4 and POP3 server, Postfix mail server </li></ul><ul><li>The Kerberos software suite also comes with kerberos-enabled clients and servers for rsh , FTP , and Telnet </li></ul><ul><li>Any Java based software (since 1.4.2) using JAAS/JGSS can use Kerberos for security </li></ul>
  4. 4. Problem <ul><li>Network Resources </li></ul><ul><ul><li>Multiple network resources </li></ul></ul><ul><ul><li>Heterogeneous resources </li></ul></ul><ul><ul><li>Identity/Credential management </li></ul></ul><ul><ul><li>Security risks associated with individual authentication </li></ul></ul><ul><li>Result? – Administrative Nightmare </li></ul>
  5. 5. Solution <ul><li>Kerberos </li></ul><ul><ul><li>Ticket based authentication system </li></ul></ul><ul><ul><li>Protocol - supports variance in local implementations </li></ul></ul><ul><ul><li>Innovation – password is a shared secret . </li></ul></ul><ul><ul><li>Harnesses the speed and security of symmetric encryption </li></ul></ul><ul><li>Caveat </li></ul><ul><ul><li>Authentication server and Ticket granting server need to be trusted by both the client and the service </li></ul></ul>
  6. 6. Under the Hood <ul><li>User </li></ul><ul><ul><li>PC, Workstation, PocketPC </li></ul></ul><ul><li>Authentication Server </li></ul><ul><ul><li>Issues a Ticket Granting Ticket (TGT) </li></ul></ul><ul><li>Ticket Granting Server (TGS) </li></ul><ul><ul><li>Issues tickets for Network Services </li></ul></ul><ul><li>Network Service/Resource </li></ul>
  7. 7. Authentication Server <ul><li>Issues a Ticket Granting Ticket (TGT) </li></ul><ul><li>User sends their username to server </li></ul><ul><li>Server responds with TGT encrypted with user’s password </li></ul><ul><li>User enters password on client – if correct the TGT is successfully decrypted </li></ul>
  8. 8. Ticket Granting Server <ul><li>Logically different from the AS, but may reside on the same server </li></ul><ul><li>User contacts when a network service is desired </li></ul><ul><li>Service ticket request encrypted with session key provided by the AS in the TGT, not user’s password </li></ul><ul><li>TGS authenticates ticket and issues a ticket for the resource as well as the encryption key to use with communication with the service </li></ul>
  9. 9. Network Service <ul><li>Client sends resource ticket and authenticator to the service encrypted with client/service key </li></ul><ul><li>Service verifies both and issues a return message with a modified version of the timestamp the client sent in the authenticator encrypted with client/service key </li></ul><ul><li>Client views message – if timestamp is modified correctly then service is genuine and ready to process request. </li></ul>
  10. 10. Authentication Walkthrough <ul><li>A user enters a username and password on the client. </li></ul><ul><li>The client performs a one-way hash on the entered password, and this becomes the secret key of the client. </li></ul><ul><li>The client sends a clear-text message to the AS requesting services on behalf of the user. Sample Message: &quot;User XYZ would like to request services&quot;. Note: Neither the secret key nor the password is sent to the AS. </li></ul>
  11. 11. Authentication Walkthrough (cont.) <ul><li>The AS checks to see if the client is in its database. If it is, the AS sends back the following two messages to the client: </li></ul><ul><ul><li>Message A: Client/TGS session key encrypted using the secret key of the user. </li></ul></ul><ul><ul><li>Message B: Ticket-Granting Ticket (which includes the client ID, client network address, ticket validity period, and the client/TGS session key ) encrypted using the secret key of the TGS. </li></ul></ul><ul><li>Once the client receives messages A and B, it decrypts message A to obtain the client/TGS session key . This session key is used for further communications with TGS. (Note: The client cannot decrypt the Message B, as it is encrypted using TGS's secret key.) At this point, the client has enough information to authenticate itself to the TGS. </li></ul>
  12. 12. Authentication Walkthrough (cont.) <ul><li>When requesting services, the client sends the following two messages to the TGS: </li></ul><ul><ul><li>Message C: Composed of the Ticket-Granting Ticket from message B and the ID of the requested service. </li></ul></ul><ul><ul><li>Message D: Authenticator (which is composed of the client ID and the timestamp), encrypted using the client/TGS session key . </li></ul></ul><ul><li>Upon receiving messages C and D, the TGS decrypts message D (Authenticator) using the client/TGS session key and sends the following two messages to the client: </li></ul><ul><ul><li>Message E: Client-to-server ticket (which includes the client ID, client network address, validity period and Client/server session key ) encrypted using the service's secret key. </li></ul></ul><ul><ul><li>Message F: Client/server session key encrypted with the client/TGS session key . </li></ul></ul>
  13. 13. Authentication Walkthrough (cont.) <ul><li>Upon receiving messages E and F from TGS, the client has enough information to authenticate itself to the SS. The client connects to the SS and sends the following two messages: </li></ul><ul><ul><li>Message E from the previous step (the client-to-server ticket , encrypted using service's secret key). </li></ul></ul><ul><ul><li>Message G: a new Authenticator, which includes the client ID, timestamp and is encrypted using client/server session key . </li></ul></ul><ul><li>The SS decrypts the ticket using its own secret key and sends the following message to the client to confirm its true identity and willingness to serve the client: </li></ul><ul><ul><li>Message H: the timestamp found in client's recent Authenticator plus 1, encrypted using the client/server session key . </li></ul></ul><ul><li>The client decrypts the confirmation using the client/server session key and checks whether the timestamp is correctly updated. If so, then the client can trust the server and can start issuing service requests to the server. The server provides the requested services to the client. </li></ul>
  14. 14. Kerberos Operation
  15. 15. Questions and Discussion

×