Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Kerberos Authentication Protocol


Published on

Published in: Education
  • Be the first to comment

Kerberos Authentication Protocol

  1. 1. KerberosAuthenticationProtocolASHOK BASNET (066BCT505)BIBEK SUBEDI (066BCT506)DINESH SUBEDI (066BCT512)
  2. 2. What is Kerberos  Network authentication protocol  Developed at MIT in the mid 1980s  Available as open source or in supported commercial software
  3. 3. Kerberos vs Firewall  Firewalls make a risky assumption: that attackers are coming from the outside. In reality, attacks frequently come from within.  Kerberos assumes that network connections (rather than servers and work stations) are the weak link in network security.
  4. 4. Why Kerberos  Sending usernames and passwords in the clear jeopardizes the security of the network.  Each time a password is sent in the clear, there is a chance for interception.
  5. 5. Architecture It consists of following 3 components1. Client2. Authentication Server or Key Distribution Server (KDC)3. ServerAnd has 3 main exchanges1. Authentication Service (AS) Exchange2. Ticket Granting Service (TGS) Exchange3. Client Server (CS) Exchange
  6. 6. AS Exchange Exchange between client and Authentication Server (KDC) Client sends KRB_AS_REQ msg to KDC specifying credentials it wants Server replies with msg KRB_AS_REP containing the ticket and session key The Session key is encrypted with client’s secret key The TGT is encrypted with server’s secret key The encryption type is DES by default
  7. 7. TGS Exchange Is used to obtain additional tickets for the servers. Doesn’t need client’s secret key for encryption Transparent to the user TGS must have access to all secret keys But encrypts the ticket using server’s secret key Client sends KRB_TGS_REQ to the TGS server Server replies KRB_TGS_REP to the client with ticket
  8. 8. CS Exchange Client contacts with the real server Client sends KRB_AP_REQ to the server specifying the service Server validates client by decrypting ticket with server’s secret key and decrypting authenticator with sessions key contained in ticket Server optionally replies with KRB_AP_REP
  9. 9. Implementation Athena Project at MIT Microsoft WIndows
  10. 10. Limitations Only provides authentication Central Authentication server Cannot migrate existing password hashes into the Kerberos database Authentication is only as good as the users password Assumes relatively secure hosts on an insecure network Strict time requirements Complicates virtual hosting