Kerberos is a computer network authentication protocol that works on the basis of tickets to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner.
Kerberos for Distributed System Security - Omal Perera
1. KERBEROS
Omal Perera
omalperera.github.io
Undergraduate,
BSc. (Special) Information Systems.
CCNA (640-802)
2. Content
● Introduction
● History
● Why Kerberos
● Authenticating using Kerberos
● Kerberos components
● Application of Kerberos
● Advantages
● Disadvantages
● Firewall vs Kerberos?
● References
3. Introduction
● A protocol for authentication
● Developed at MIT in the mid-1980s
● Uses tickets to authenticate
● Avoids saving passwords locally
● Avoids sending passwords over the internet
● Involves a trusted third party
● Built on symmetric-key cryptography
4. History
● Initially developed to protect network services provided by Project Athena
● Protocol is based on the Needham-Schroeder symmetric-key protocol
● Versions 1-3 were used only internally at MIT
● Version 4 was designed by Steve Miller and Clifford Neuman in the late 1980s
● Version 5 was designed by Neuman and Kohl in 1993
5. Why Kerberos?
● Kerberos is mature
● Kerberos meets the requirements of modern distributed systems
● Kerberos is architecturally sound
● Kerberos is already in place
9. Key Distribution Center (KDC)
● One Kerberos server per realm
● The Key Distribution Center contains
○ the Authentication Service
○ the Ticket-Granting Service
○ the master database for Kerberos
● Services are implemented as a single daemon
Authentication Service
● Handles user authentication: verifying that principals are correctly identified
● Consists of the servers in the KDC plus the security clients
● The security server accesses the registry database to perform queries and updates, and to validate user logins
10. Ticket-Granting Service
● Once authenticated, a principal is granted a TGT and a ticket session key
● Your credentials = ticket + its associated key
● Credentials are stored in a credentials cache, a file in a directory belonging to the principal
The Kerberos Database
● Database contains all of the
○ realm’s Kerberos principals and their passwords
○ other administrative information about each principal
● The master KDC holds the primary copy of the database, which it propagates at regular intervals to the slave KDCs
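The KDC, Authentication Service, Ticket-Granting Service and credentials described in the slides above, modelled end to end. This is an added example, not code from the presentation or from any Kerberos implementation: principals, passwords, realm name and lifetimes are constructed, and `seal`/`unseal` are a stdlib-only toy authenticated encryption standing in for real Kerberos enctypes.

```python
import hashlib, hmac, json, os
REALM, MAX_SKEW, TGT_LIFE = "EXAMPLE.ORG", 300, 36000   # seconds; constructed values
def string_to_key(password, salt=REALM):
    # Long-term key derived from the password; the password itself never leaves the client
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000)
def _xor(key, nonce, data):   # HMAC-derived keystream XOR, shared by seal/unseal
    ks = b"".join(hmac.new(key, nonce + bytes([i]), "sha256").digest() for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))
def seal(key, obj):
    # Toy authenticated encryption (keystream + HMAC tag); stands in for Kerberos' real enctypes
    nonce = os.urandom(16)
    ct = _xor(key, nonce, json.dumps(obj).encode())
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()
def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(_xor(key, nonce, ct))
KDC_DB = {p: string_to_key(pw) for p, pw in {   # KDC master database (constructed principals)
          "alice": "correct horse", "krbtgt": "tgs-secret", "fileserver": "fs-secret"}.items()}

def check_ticket(server_key, ticket, authenticator, now):
    # TGS and application servers alike: open the ticket with our own key, then verify the
    # authenticator under the ticket's session key and enforce the MAX_SKEW time window
    t = unseal(server_key, ticket)
    if now > t["expires"]:
        raise ValueError("ticket expired")
    a = unseal(bytes.fromhex(t["key"]), authenticator)
    if a["client"] != t["client"] or abs(now - a["ts"]) > MAX_SKEW:
        raise ValueError("authenticator does not match ticket, or clock skew too large")
    return t

def as_exchange(user, password, now):
    # AS_REQ/AS_REP: KDC returns a TGT sealed for krbtgt plus the session key sealed for the user;
    # the client can open the reply only if it knows the right password
    sk = os.urandom(32).hex()
    tgt = seal(KDC_DB["krbtgt"], {"client": user, "key": sk, "expires": now + TGT_LIFE})
    return unseal(string_to_key(password), seal(KDC_DB[user], {"key": sk, "tgt": tgt.hex()}))

def tgs_exchange(user, creds, service, now):
    # TGS_REQ/TGS_REP: client proves it holds the TGT session key with a fresh authenticator
    auth = seal(bytes.fromhex(creds["key"]), {"client": user, "ts": now})
    tgt = check_ticket(KDC_DB["krbtgt"], bytes.fromhex(creds["tgt"]), auth, now)
    sk = os.urandom(32).hex()
    ticket = seal(KDC_DB[service], {"client": tgt["client"], "key": sk, "expires": tgt["expires"]})
    return {"key": sk, "ticket": ticket.hex()}    # real Kerberos seals this under the TGT session key

def access_service(user, svc_creds, service, now):
    # AP_REQ: the application server checks the ticket with its own key, never contacting the KDC
    auth = seal(bytes.fromhex(svc_creds["key"]), {"client": user, "ts": now})
    return check_ticket(KDC_DB[service], bytes.fromhex(svc_creds["ticket"]), auth, now)["client"]
```

The returned dicts play the role of the credentials cache: the TGT from `as_exchange` is reused for every later `tgs_exchange`, so the password is needed only once, and an authenticator older than `MAX_SKEW` is rejected, which is the "strict time requirements" disadvantage in action.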
12. Kerberos Utility Programs
● OpenVMS provides different user interface programs
○ original UNIX style
○ DCL version
○ X Windows version
Kerberos Registry
● Kerberos registry can be manipulated in several ways
● It is initially created via KRB$CONFIGURE
● Other tools:
○ kadmin, kinit, klist
○ kdestroy, kpasswd
○ kdb5_util: dumps or loads the Kerberos database for save and restore
13. Applications of Kerberos
● Microsoft Windows
● Email, FTP, network file systems, other applications have been kerberized
● Local authentication
● Authentication for network protocols
● Secure Windows systems
14. Advantages
● Passwords are never sent across the network unencrypted
● Client and application services are mutually authenticated
● Tickets have a limited lifetime
● Authentication through Authentication Service has to happen only once
● Sharing secret (symmetric) keys is more efficient than using public keys
15. Disadvantages
● Single point of failure: it requires continuous availability of a central server
● Only provides authentication for clients and services
● Vulnerable to users making poor password choices
● Has strict time requirements
16. Firewall vs Kerberos?
● Firewalls
○ Assume that the bad guys are on the outside
○ But real threats come from insiders
● Kerberos
○ Assumes that network connections are the weak link in network security
○ Strong authentication compared to firewalls
18. Copyrights
○ All images and figures are credited to their original authors.
○ Presentation is for educational use.
○ Cover page image – https://www.freepik.com/
Local Authentication
- Login using su in OpenBSD
Authentication on the Local Network
- Remote login
- Remote shell
Secure Windows Systems
- SSP (Security Support Provider), the API used by Windows