Kerberos is a computer network authentication protocol that works on the basis of tickets to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner.

1. KERBEROS
1
O m a l P e r e r a
o m a l p e r e r a . g i t h u b . i o
Undergraduate,
BSc. (Special) Information Systems.
CCNA (640-802)

2. Content
● Introduction
● History
● Why Kerberos
● Authenticating using Kerberos
● Kerberos components
● Application of Kerberos
● Advantages
● Disadvantages
● Firewall vs Kerberos?
● References
2

3. Introduction
● A protocol for authentication
● Developed at MIT in the mid 1980’s
● Uses tickets to authenticate
● Avoids saving passwords locally
● Avoids sending passwords over the internet
● Involves a trusted third party
● Built on symmetric-key cryptography
3

4. History
● Initially developed to protect network services provided by Project Athena
● Protocol is based on Needham-Schroeder symmetric key protocol
● Versions 1-3 occurred only internally at MIT
● Version 4 was designed by Steve Miller and Clifford Neuman in late 1980s
● Version 5 was designed by Neuman and Kohl in 1993
4

5. Why Kerberos?
● Kerberos is mature
● Kerberos meets the requirements of modern distributed systems
● Kerberos is architecturally sound
● Kerberos is already in place
5

6. Authenticating using Kerberos
Fig 1 - Steps to authenticate
6

7. Kerberos Components
7

8. Kerberos Components
8

9. Key Distribution Center (KDC)
● One Kerberos server  one region
● Distribution Center contains the
○ Authentication Service
○ the Ticket-Granting Service
○ master database for Kerberos
● Services are implemented as a single daemon
9
Authentication Service
● handles user authentication / verifying that principals are correctly identified
● Consists Servers in the KDC + security clients
● security server accesses the registry database to perform queries
then updates and to validate user logins

10. Ticket-Granting Service
● Once authenticated, a principal will be granted a TGT and a ticket
session key
● Your credentials = ticket + its associated key
● credentials are stored in a credentials cache, a file in a directory in the
principle
10
The Kerberos Database
● Database contains all of the
○ realm’s Kerberos principals their passwords
○ other administrative information about each principal
● The master KDC contains the primary copy of the database,
which it propagates at regular intervals to the slave KDCs

11. Kerberos Components
11

12. Kerberos Utility Programs
● OpenVMS provides different user interface programs
○ original UNIX style
○ DCL version
○ X Windows version
12
Kerberos Registry
● Kerberos registry can be manipulated in several ways
● It is initially created via the KRB$CONFIGURE
● Other tools
● Kadmin - kinit - Klist
● Kdestroy - Kpasswd -kdb5_util - Dumps or loads the
Kerberos database for save and restore

13. Applications of Kerberos
● Microsoft Windows
● Email, FTP, network file systems, other applications have been kerberized
● Local authentication
● Authentication for network protocols
● Secure windows systems
13

14. Advantages
● Passwords are never sent across the network unencrypted
● Client and application services mutually authenticated
● Tickets have a limited lifetime
● Authentication through Authentication Service has to happen only once
● Sharing secret keys is more efficient than public keys
14

15. Disadvantages
● Single point of failure. it requires continuous availability of a central server
● Only provides authentication for clients and services
● Vulnerable to users making poor password choices
● Has strict time requirements
15

16. Firewall vs Kerberos?
● Firewalls
○ Assumes that the bad guys are from outside
○ But real threats are from insiders
● Kerberos
○ assumes that network connections are the weak link in network
security
○ Strong authentication compared to firewalls
16

17. References
● http://h41379.www4.hpe.com/doc/83final/ba554_90008/ch01s03.html
● https://docs.oracle.com/cd/E18752_01/html/816-4557/intro-27.html
● https://people.eecs.berkeley.edu/~fox/summaries/glomop/kerb_limit.html
● http://searchsecurity.techtarget.com/news/1308058/Kerberos-Authentication-with-some-drawbacks
● https://www.ibm.com/support/knowledgecenter/SSPREK_9.0.3/com.ibm.isam.doc/wrp_config/reference/ref_s
pnego_authe_lim.html
● https://www.slideshare.net/dotanp/kerberos-explained
● http://web.mit.edu/sipb/doc/working/guide/guide/node20.html
● https://www.kerberos.org/about/FAQ.html
● http://computing.help.inf.ed.ac.uk/why-do-we-need-kerberos
17

18. Copyrights
○ All the images, figures are credited to its original authors.
○ Presentation is for educational use.
○ Cover page image – https://www.freepik.com/
18

19. 19