Presented By:
Vidula Shukla
M.Tech., Computer Science & Engineering

Dept. of Computer Science & Engineering
Sagar Inst. o...
Overview
 Introduction
 Motivation
 Requirement
 Kerberos Version 4

 Kerberos Realms
 Kerberos V4 V/s V5
 Kerberos...
Introduction
 Authentication: can be defined as determining an

identity to the required level of assurance.
 Authentica...
Introduction to Kerberos
 An authentication service developed for Project Athena at

MIT
 Provides
 strong security on ...
Why Kerberos is needed ?
Problem: Not trusted workstation to identify
their users correctly in an open distributed environ...
Why Kerberos is needed ? Cont.
Solution:
 Building elaborate authentication protocols at

each server
 A centralized aut...
Requirements for KERBEROS
 Secure:
 An opponent does not find it to be the weak link
 Reliable:
 The system should be ...
KERBEROS VERSION 4
 Version 4 is most widely used version
 Version 4 uses of DES
 Version 4 build up to the full protoc...
 Problem:

An opponent can pretend to be another client and
obtain unauthorized privileges on server machine.
 Solution ...
Kerberos Version 4: Dialog 1- Simple

Ticket=E(kv[IDc,ADc,IDv])
10

7/10/2013

KERBEROS
 Problem:

1. the no. of times the password should be entered
should be minimized.
2. Plaintext transmission of password
...
Kerberos Version 4 : Dialog 2-More Secure
ticketTGS=EKtgs[IDc,ADc,IDtgs,TS1,LifeTime1
]
Once per user logon session

Once ...
Kerberos Version 4 : Dialog 2
- More Secure Cont.
Once per service session

5- TicketV+ IDc

TicketV=EKv[IDc,ADc,IDv,Ts2,L...
 Problem:

Lifetime associated with ticket granting ticket
2. Requirement for servers to authenticate themselves to
user....
Kerberos: The Version 4 Authentication Dialog
Once per user logon session

ticketTGS=EKtgs
[Kc.tgs, IDc,ADc,IDtgs,TS2, Lif...
Kerberos: The Version 4 Authentication Dialog
Cont.
Once per type of service

ticketTGS=EKtgs
[Kc.tgs,IDc,ADc,IDtgs, TS2, ...
Kerberos: The Version 4 Authentication Dialog
Cont.
Once per service session

5- TicketV+ AuthenticatorC
6- EKc.v[TS5+1]
T...
Tickets:
 Contains information which must be considered

private to the user
 Allows user to use a service or to access ...
Authenticators
 Proves the client’s identity
 Proves that user knows the session key
 Prevents replay attack
 Used onl...
Kerberos Overview

7/10/2013

KERBEROS

20
Kerberos Realms
 A single administrative domain includes:
 a Kerberos server
 a number of clients, all registered with ...
Inter-realm Authentication:
 Kerberos server in each realm shares a secret key with

other realms.
 It requires
 Kerber...
Request for Service in another realm:

7/10/2013

KERBEROS

23
KERBEROS Version 5 versus Version4
 Environmental shortcomings of Version 4:
 Encryption system dependence: DES
 Messag...
KERBEROS Version 5 versus Version4
 Technical deficiencies of Version 4:
 Double encryption

 Session Keys
 Password a...
New Elements in Kerberos Version 5
 Realm
 Indicates realm of the user
 Options
 Times
 From: the desired start time ...
Kerberos Version 5 Message Exchange:1


To obtain ticket-granting ticket:

(1)C  AS : Options || IDc || Realmc || IDtgs ...
Kerberos Version 5 Message Exchange:2
 To obtain service-granting ticket :
(3)C  TGS : Options || IDv || Times || Nonce2...
Kerberos Version 5 Message Exchange:3
 To obtain service

(5) C  S : Options || Ticket v|| Authenticator c
(6) S  C : E...
Kerberos : Strengths
 User's passwords are never sent across the

network, encrypted or in plain text

 Secret keys are ...
Conclusion
 Kerberos is an authentication service using convention

encryption
 Kerberos the solution to network securit...
THANK YOU

7/10/2013

KERBEROS

32
Upcoming SlideShare
Loading in …5
×

Kerberos : An Authentication Application

4,023 views
3,718 views

Published on

Network security with authentication application . Kerberos is one of them.

Published in: Education, Technology
0 Comments
6 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
4,023
On SlideShare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
265
Comments
0
Likes
6
Embeds 0
No embeds

No notes for slide
  • C = clientAS = Authentication serverV = ServerIDc = Identifier of user on CIdv = Identifier of VPc = Password of user on CAdc = Network address of Ckv=Secret Key between AS and V (Server)
  • The ticket is encrypted with a secret key (Kv) known only to TGS and the server , preventing alteration.
  • C -> AS : IDc + IDtgs + TS1AS -> C : E(Kc, [Kc,tgs + IDtgs + TS1 + Lifetime2 + Ticket tgs ])C -> TGS :
  • Kerberos : An Authentication Application

    1. 1. Presented By: Vidula Shukla M.Tech., Computer Science & Engineering Dept. of Computer Science & Engineering Sagar Inst. of Research & Technology Bhopal
    2. 2. Overview  Introduction  Motivation  Requirement  Kerberos Version 4  Kerberos Realms  Kerberos V4 V/s V5  Kerberos Version 5  Strength  Conclusion 7/10/2013 KERBEROS 2
    3. 3. Introduction  Authentication: can be defined as determining an identity to the required level of assurance.  Authentication Application : Deals with the authentication function that have been developed to support application-level authentication 7/10/2013 KERBEROS 3
    4. 4. Introduction to Kerberos  An authentication service developed for Project Athena at MIT  Provides  strong security on physically insecure network  a centralized authentication server which authenticates   Users to servers Servers to users  Relies on conventional encryption rather than public-key encryption 7/10/2013 KERBEROS 4
    5. 5. Why Kerberos is needed ? Problem: Not trusted workstation to identify their users correctly in an open distributed environment 3 Threats:    7/10/2013 Pretending to be another user from the workstation Sending request from the impersonated workstation Replay attack to gain service or disrupt operations KERBEROS 5
    6. 6. Why Kerberos is needed ? Cont. Solution:  Building elaborate authentication protocols at each server  A centralized authentication server (Kerberos) 7/10/2013 KERBEROS 6
    7. 7. Requirements for KERBEROS  Secure:  An opponent does not find it to be the weak link  Reliable:  The system should be able to back up another  Transparent:  An user should not be aware of authentication  Scalable:  The system supports large number of clients and severs 7/10/2013 KERBEROS 7
    8. 8. KERBEROS VERSION 4  Version 4 is most widely used version  Version 4 uses of DES  Version 4 build up to the full protocol by looking at several hypothetical dialogues  Version 5 corrects some of the security deficiencies of Version 4 7/10/2013 KERBEROS 8
    9. 9.  Problem: An opponent can pretend to be another client and obtain unauthorized privileges on server machine.  Solution : Server must be able to confirm the identities of client who request service. 7/10/2013 KERBEROS 9
    10. 10. Kerberos Version 4: Dialog 1- Simple Ticket=E(kv[IDc,ADc,IDv]) 10 7/10/2013 KERBEROS
    11. 11.  Problem: 1. the no. of times the password should be entered should be minimized. 2. Plaintext transmission of password  Solution : 1. Ticket-granting Server; Issues ticket to user who have been authenticated to AS 2. The client can use this ticket to request multiple service granting ticket. 7/10/2013 KERBEROS 11
    12. 12. Kerberos Version 4 : Dialog 2-More Secure ticketTGS=EKtgs[IDc,ADc,IDtgs,TS1,LifeTime1 ] Once per user logon session Once per type of service 4-TicketV 7/10/2013 KERBEROS 12
    13. 13. Kerberos Version 4 : Dialog 2 - More Secure Cont. Once per service session 5- TicketV+ IDc TicketV=EKv[IDc,ADc,IDv,Ts2,Lifetime2] 7/10/2013 KERBEROS 13
    14. 14.  Problem: Lifetime associated with ticket granting ticket 2. Requirement for servers to authenticate themselves to user. 1. 7/10/2013 KERBEROS 14
    15. 15. Kerberos: The Version 4 Authentication Dialog Once per user logon session ticketTGS=EKtgs [Kc.tgs, IDc,ADc,IDtgs,TS2, LifeTi me2 ] 7/10/2013 KERBEROS KERBEROS 15
    16. 16. Kerberos: The Version 4 Authentication Dialog Cont. Once per type of service ticketTGS=EKtgs [Kc.tgs,IDc,ADc,IDtgs, TS2, LifeTime2 ] KERBEROS AuthenticatorC=EKc.tgs[IDc,ADc,TS3] ticketV=EKV[Kc.v,IDc,ADc,IDv, TS4, LifeTime4 ] 3- TicketTGS + AuthenticatorC + IDv 4-EKc.tgs[ Kc.v,IDv,Ts4,Ticketv] 7/10/2013 KERBEROS 16
    17. 17. Kerberos: The Version 4 Authentication Dialog Cont. Once per service session 5- TicketV+ AuthenticatorC 6- EKc.v[TS5+1] TicketV=EKv [Kv.c, IDc, ADc, IDv, TS4, Lifetime4] AuthenticatorC=EKc.v [IDc,ADc,TS5] 7/10/2013 KERBEROS 17
    18. 18. Tickets:  Contains information which must be considered private to the user  Allows user to use a service or to access TGS  Reusable for a period of particular time  Used for distribution of keys securely 7/10/2013 KERBEROS 18
    19. 19. Authenticators  Proves the client’s identity  Proves that user knows the session key  Prevents replay attack  Used only once and has a very short life time  One authenticator is typically built per session of use of a service 7/10/2013 KERBEROS 19
    20. 20. Kerberos Overview 7/10/2013 KERBEROS 20
    21. 21. Kerberos Realms  A single administrative domain includes:  a Kerberos server  a number of clients, all registered with server  application servers, sharing keys with server  What will happen when users in one realm need access to service from other realms?:  Kerberos provide inter-realm authentication 7/10/2013 KERBEROS 21
    22. 22. Inter-realm Authentication:  Kerberos server in each realm shares a secret key with other realms.  It requires  Kerberos server in one realm should trust the one in other realm to authenticate its users  The second also trusts the Kerberos server in the first realm 7/10/2013 KERBEROS 22
    23. 23. Request for Service in another realm: 7/10/2013 KERBEROS 23
    24. 24. KERBEROS Version 5 versus Version4  Environmental shortcomings of Version 4:  Encryption system dependence: DES  Message byte ordering  Internet protocol dependence  Ticket lifetime  Authentication forwarding  Inter-realm authentication 7/10/2013 KERBEROS 24
    25. 25. KERBEROS Version 5 versus Version4  Technical deficiencies of Version 4:  Double encryption  Session Keys  Password attack  Mode of Encryption 7/10/2013 KERBEROS 25
    26. 26. New Elements in Kerberos Version 5  Realm  Indicates realm of the user  Options  Times  From: the desired start time for the ticket  Till: the requested expiration time  Rtime: requested renew-till time  Nonce  A random value to assure the response is fresh 7/10/2013 KERBEROS 26
    27. 27. Kerberos Version 5 Message Exchange:1  To obtain ticket-granting ticket: (1)C  AS : Options || IDc || Realmc || IDtgs ||Times || Nonce1 (2) AS  C : Realmc || IDc || Ticket tgs || EKc [ Kc,tgs || IDtgs || Times || Nonce1 ||| Realm tgs ] Ticket tgs= EKtgs [ Flags || Kc,tgs || Realm c || IDc || ADc || Times] 7/10/2013 KERBEROS 27
    28. 28. Kerberos Version 5 Message Exchange:2  To obtain service-granting ticket : (3)C  TGS : Options || IDv || Times || Nonce2 || Ticket tgs ║ Authenticator c (4)TGS  C : Realmc || IDc || Ticket v || EK c,tgs [ Kc,v ║Times|| Nonce2 || IDv ║ Realm v] Ticket tgs= EKtgs [ Flags || Kc,tgs || Realm c || IDc || ADc || Times] Ticket v : EK v [Kc,,v ║ Realmc || IDc ║ ADc ║ Times ] Authenticator c : EK c,tgs [IDc ║ Realmc ║ TS1] 7/10/2013 KERBEROS 28
    29. 29. Kerberos Version 5 Message Exchange:3  To obtain service (5) C  S : Options || Ticket v|| Authenticator c (6) S  C : EK c,v [TS2|| Subkey || Seq# ]  Ticket v : EK v [Flags || Kc,v || Realmc || IDc || ADc || Times ]  Authenticator c : EK c,v [IDc || Realmc || TS2 || Subkey|| Seq# ] 7/10/2013 KERBEROS 29
    30. 30. Kerberos : Strengths  User's passwords are never sent across the network, encrypted or in plain text  Secret keys are only passed across the network in encrypted form  Client and server systems mutually authenticate  It limits the duration of their users' authentication.  Authentications are reusable and durable 7/10/2013 KERBEROS 30
    31. 31. Conclusion  Kerberos is an authentication service using convention encryption  Kerberos the solution to network security is a protocol designed to provide centralized authentication whose function is to authenticate user to server and server to user. 7/10/2013 KERBEROS 31
    32. 32. THANK YOU 7/10/2013 KERBEROS 32

    ×