Kerberos
• Developed at M.I.T. in 1980.
• Greek mythology: three-headed dog.
• 3 “heads” — a client, a server, and a trusted third party that mediates between the other two.
• A secret-key based service for providing authentication in open networks.
• Authentication mediated by a trusted 3rd party on the network:
  – Key Distribution Center (KDC)
• Kerberos Version 5
Firewall v/s Kerberos
• Firewall
  – Assumes that "the bad guys" are on the outside.
  – But the real threat is from insiders.
• Kerberos
  – Assumes that network connections are the weak link in network security.
  – Strong authentication compared to firewalls.
Authentication?
• Verifying someone’s identity
• Types of authentication:
  1) Password based
  2) Cryptographic
Cryptographic Authentication
• No password sent over the network.
• User identification is done by a cryptographic operation based on:
  – A quantity supplied by the server
  – The user’s secret key
Encryption and Decryption
• Encryption
  – Performed at the source
  – Data (plaintext) is transformed into cipher text
• Decryption
  – Performed at the destination
  – Cipher text is transformed back into the original data
Asymmetric Key Cryptography
• Public key cryptography
• A pair of related keys is used:
  – Public and private keys.
• Data encrypted with one can only be decrypted with the other.
• Usually, a user publishes his public key widely
  – Others use it to encrypt data intended for the user
  – The user decrypts using the private key (known only to him)
• Algorithm: RSA
Key Distribution Center (KDC)
• Implemented as a domain service
• Active Directory for the database
• Global Catalog for directing referrals to KDCs in other domains
• Uses certificates to encrypt communication between client and KDC
Key Distribution Center (KDC)
Types of Keys Used
• Long-term symmetric keys: user, system, service, and inter-realm keys
• Long-term asymmetric keys: public key
• Short-term symmetric keys: session keys
Key Distribution Center (KDC)
• Authentication Service (AS)
• Ticket-Granting Service (TGS)
Common Issues
• Infrastructure required:
  – Active Directory
  – TCP/IP network connectivity
  – Domain Name System
  – Time service
  – Operating system
Common Issues
• Console logon, network logon, access to network resources, or remote access
• How to identify whether an issue is related to Kerberos?
  – Event log: System, Security
  – Source: Kerberos, KDC, LsaSrv, or Netlogon
Common Issues
1) Time Synchronization (Clock Skew)
  – 0x25: KRB_AP_ERR_SKEW: Clock skew too great
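The check behind error 0x25, as an added illustration that is not part of the original slides: a Kerberos server compares the client's authenticator time with its own clock and rejects the request when the difference exceeds the tolerance. The code assumes the 5-minute default of the Windows domain Kerberos policy and takes both timestamps as KerberosTime strings; the sample values are constructed.

```python
from datetime import datetime, timedelta, timezone

# RFC 4120 error code returned when the authenticator time is outside the
# permitted window; the slide shows it as 0x25 (37 decimal).
KRB_AP_ERR_SKEW = 0x25
# Windows domain default for "Maximum tolerance for computer clock
# synchronization" (assumed here; the policy can be changed by an admin).
DEFAULT_MAX_SKEW_SECONDS = 300


def parse_kerberos_time(ktime: str, usec: int = 0) -> datetime:
    """Decode a KerberosTime ('YYYYMMDDHHMMSSZ', always UTC) plus the
    optional microsecond field (cusec) that an Authenticator carries."""
    if len(ktime) != 15 or not ktime.endswith("Z"):
        raise ValueError(f"malformed KerberosTime: {ktime!r}")
    if not 0 <= usec <= 999999:
        raise ValueError(f"cusec out of range: {usec}")
    base = datetime.strptime(ktime, "%Y%m%d%H%M%SZ")
    return base.replace(tzinfo=timezone.utc) + timedelta(microseconds=usec)


def check_authenticator_time(ctime: str, cusec: int, server_time: str,
                             max_skew_seconds: int = DEFAULT_MAX_SKEW_SECONDS):
    """Apply the clock-skew check a server performs on an AP-REQ.

    Returns (error_code, skew_seconds): error_code is 0 when the
    authenticator is accepted and KRB_AP_ERR_SKEW when
    |server_time - ctime| exceeds max_skew_seconds.
    """
    client_clock = parse_kerberos_time(ctime, cusec)
    server_clock = parse_kerberos_time(server_time)
    skew = abs(server_clock - client_clock)
    if skew > timedelta(seconds=max_skew_seconds):
        return KRB_AP_ERR_SKEW, skew.total_seconds()
    return 0, skew.total_seconds()


def triage(ctime: str, cusec: int, server_time: str,
           max_skew_seconds: int = DEFAULT_MAX_SKEW_SECONDS) -> str:
    """One-line verdict in the style of the slide's error entry."""
    code, secs = check_authenticator_time(ctime, cusec, server_time,
                                          max_skew_seconds)
    if code == KRB_AP_ERR_SKEW:
        return (f"0x{code:02X}: KRB_AP_ERR_SKEW: Clock skew too great "
                f"({secs:.0f}s, limit {max_skew_seconds}s)")
    return f"accepted (skew {secs:.3f}s)"


if __name__ == "__main__":
    # Constructed sample: server clock fixed at 12:00:00 UTC.
    print(triage("20240101115930Z", 0, "20240101120000Z"))  # 30 s behind
    print(triage("20240101120600Z", 0, "20240101120000Z"))  # 6 min ahead
```

A client whose clock drifts past the tolerance is refused even with valid credentials, which is why the time service appears in the infrastructure list above.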