Kerberos protocol

Kerberos Authentication

- http://www.ifour-consultancy.com


  1. Kerberos Authentication
  2. Kerberos (protocol)
     ◦ Kerberos is a computer network authentication protocol
     ◦ Works on the basis of 'tickets' to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner
     ◦ Aimed primarily at a client–server model, and it provides mutual authentication
     ◦ Protected against eavesdropping and replay attacks
     http://www.ifour-consultancy.com Offshore software development company India
  3. Microsoft Windows, UNIX & Kerberos
     ◦ Windows 2000 and later use Kerberos as the default authentication method
     ◦ Documentation:
       ◦ RFC 3244 "Microsoft Windows 2000 Kerberos Change Password and Set Password Protocols"
       ◦ RFC 4757 documents Microsoft's use of the RC4 cipher
     ◦ UNIX systems likewise include software for Kerberos authentication of users or services
  4. Components
     ◦ Principal
     ◦ Realm
     ◦ KDC
     ◦ AS
     ◦ TGS
     ◦ Client
     ◦ Server
  5. Mechanism
     • Client authenticates itself to the Authentication Server (AS), which forwards the username to a Key Distribution Center (KDC)
     • KDC issues a Ticket Granting Ticket (TGT), which is time stamped
     • Encrypts it using the user's password and returns the encrypted result to the user's workstation
     • TGT remains valid until it expires, though it may be transparently renewed by the user's session manager while they are logged in
  6. Mechanism: when the client needs to communicate with another node
     • Client sends the TGT to the Ticket Granting Service (TGS)
     • After verifying that the TGT is valid and the user is permitted to access the requested service, the TGS issues a Ticket and session keys, which are returned to the client
     • Client then sends the Ticket to the service server (SS) along with its service request
  7. User Client-based Logon
     ◦ User enters a username and password on the client machine
     ◦ Client transforms the password into the key of a symmetric cipher
     ◦ Either uses the built-in key scheduling or a one-way hash, depending on the cipher suite used
  8. Client Authentication
     ◦ Client sends a clear-text message of the user ID to the AS requesting services on behalf of the user
     ◦ AS generates the secret key by hashing the password of the user found in its database
     ◦ AS checks to see if the client is in its database
  9. Client Authentication
     ◦ If it is, the AS sends back the following two messages to the client:
     ◦ Message A: Client/TGS Session Key encrypted using the secret key of the client/user.
     ◦ Message B: Ticket-Granting Ticket (which includes the client ID, client network address, ticket validity period, and the Client/TGS Session Key) encrypted using the secret key of the TGS.
  10. Client Service Authorization
     ◦ Client attempts to decrypt message A with the secret key generated from the password entered by the user
     ◦ If the password does not match the password in the AS database, the client's secret key will be different and thus unable to decrypt message A
     ◦ With a valid password and secret key, the client decrypts message A to obtain the Client/TGS Session Key
     ◦ Session key is used for further communications with the TGS
  11. Client Service Authorization: when requesting services, the client sends the following two messages to the TGS
     ◦ Message C: Composed of the TGT from message B and the ID of the requested service.
     ◦ Message D: Authenticator (which is composed of the client ID and the timestamp), encrypted using the Client/TGS Session Key.
  12. Client Service Authorization
     ◦ Upon receiving messages C and D, the TGS retrieves message B out of message C
     ◦ Decrypts message B using the TGS secret key
     ◦ This gives it the "client/TGS session key"
  13. Client Service Authorization: using this "client/TGS session key", the TGS decrypts message D and sends the following two messages to the client:
     ◦ Message E: Client-to-server ticket (which includes the client ID, client network address, validity period and Client/Server Session Key) encrypted using the service's secret key.
     ◦ Message F: Client/Server Session Key encrypted with the Client/TGS Session Key.
  14. Client Service Request: upon receiving messages E and F from the TGS
     ◦ Client has enough information to authenticate itself to the SS
     ◦ Client connects to the SS and sends the following two messages:
     ◦ Message E from the previous step (the client-to-server ticket, encrypted using the service's secret key).
     ◦ Message G: a new Authenticator, which includes the client ID and timestamp, encrypted using the Client/Server Session Key.
  15. Client Service Request
     ◦ SS decrypts the ticket using its own secret key to retrieve the Client/Server Session Key
     ◦ SS decrypts the Authenticator and sends the following message to the client to confirm its true identity and willingness to serve the client
     ◦ Message H: the timestamp found in the client's Authenticator plus 1, encrypted using the Client/Server Session Key.
     ◦ Client decrypts the confirmation using the Client/Server Session Key
  16. Client Service Request
     ◦ Client checks whether the timestamp is correctly updated
     ◦ If so, the client can trust the server and can start issuing service requests to the server
     ◦ Server provides the requested services to the client
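The message flow of slides 5 to 16 (A through H), as an added Python simulation that is not part of the original slides: the AS, TGS and service run as functions sharing one KDC key database, and the toy cipher, principal names, client address and lifetime are constructed stand-ins for a real enctype and realm.

```python
import hashlib, hmac, json, os, time

# Toy authenticated encryption from the stdlib (constructed; real Kerberos uses AES/RC4 enctypes)
def _keystream(key, nonce, n):  # keystream = HMAC-SHA256(key, nonce || counter)
    return b"".join(hmac.digest(key, nonce + i.to_bytes(4, "big"), "sha256")
                    for i in range(n // 32 + 1))
def enc(key, obj):
    nonce, pt = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.digest(key, nonce + ct, "sha256")
def dec(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.digest(key, nonce + ct, "sha256")):
        raise ValueError("wrong key or tampered message")  # a wrong password ends up here
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))
def key_from_password(pw):  # slide 7: a one-way hash of the password is the client's key
    return hashlib.sha256(pw.encode()).digest()
DB = {"alice": key_from_password("correct horse"), "krbtgt": os.urandom(32),
      "http/web": os.urandom(32)}  # KDC database of long-term keys (constructed principals)

def as_exchange(cid):  # slides 8-9: AS returns message A (for the client) and B (the TGT)
    sk = os.urandom(32).hex()
    tgt = {"cid": cid, "addr": "10.0.0.5", "exp": time.time() + 3600, "key": sk}
    return enc(DB[cid], {"key": sk}), enc(DB["krbtgt"], tgt)

def tgs_exchange(msg_c, msg_d):  # slides 11-13: C and D in, E (service ticket) and F out
    tgt = dec(DB["krbtgt"], msg_c["tgt"])
    auth = dec(bytes.fromhex(tgt["key"]), msg_d)
    if auth["cid"] != tgt["cid"] or tgt["exp"] < time.time():
        raise ValueError("authenticator does not match the TGT, or TGT expired")
    tkt = dict(tgt, key=os.urandom(32).hex())  # same identity, fresh client/server key
    return enc(DB[msg_c["service"]], tkt), enc(bytes.fromhex(tgt["key"]), {"key": tkt["key"]})

def ap_exchange(svc, msg_e, msg_g):  # slides 14-15: E and G in, H (timestamp + 1) out
    tkt = dec(DB[svc], msg_e)
    auth = dec(bytes.fromhex(tkt["key"]), msg_g)
    if auth["cid"] != tkt["cid"] or tkt["exp"] < time.time():
        raise ValueError("authenticator does not match the ticket, or ticket expired")
    return enc(bytes.fromhex(tkt["key"]), {"ts": auth["ts"] + 1})

def client_login(cid, password, svc):  # the client side of slides 7-16; True on success
    try:
        a, b = as_exchange(cid)
        tgs_key = bytes.fromhex(dec(key_from_password(password), a)["key"])
        e, f = tgs_exchange({"tgt": b, "service": svc}, enc(tgs_key, {"cid": cid, "ts": time.time()}))
        svc_key, g = bytes.fromhex(dec(tgs_key, f)["key"]), {"cid": cid, "ts": time.time()}
        h = ap_exchange(svc, e, enc(svc_key, g))
        return dec(svc_key, h)["ts"] == g["ts"] + 1  # slide 16: client checks the server's reply
    except ValueError:
        return False  # wrong password, tampered ticket, or expired ticket
```

Note that the service never sees the user's password or the TGT: it only holds its own key, which is why a compromised service cannot mint tickets for other services.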
  17. Kerberos Authentication Process (Cross Domain)
     ◦ Client in Domain 1 wishes to access a network resource in remote Domain 2
     ◦ The client has already been authenticated to the KDC in Domain 1 and has received a TGT
     ◦ The client presents the TGT to the KDC in Domain 1 and requests a TGS to access the remote resource
  18. Kerberos Authentication Process (Cross Domain)
     ◦ The KDC in Domain 1 cannot provide a TGS for a network resource in Domain 2. Instead, the KDC in Domain 1 responds to the client with a TGT for Domain 2
     ◦ The client presents the new TGT to the KDC in Domain 2
     ◦ The KDC in Domain 2 responds with a TGS for the network resource
     ◦ The client accesses the network resource in Domain 2 using the new TGS
  19. Drawbacks and Limitations
     ◦ Single point of failure
     ◦ Kerberos has strict time requirements
     ◦ Administration protocol is not standardized
     ◦ All authentications are controlled by a centralized KDC
  20. Drawbacks and Limitations
     ◦ Each network service which requires a different host name
     ◦ Requires user accounts, user clients and the services on the server to all have a trusted relationship to the Kerberos token server
     ◦ Required client trust makes creating staged environments difficult
  21. Weakness in Kerberos Protocol
     ◦ Susceptible to offline password cracking
     ◦ Password cracking tools such as "l0phtcrack" are able to demonstrate the vulnerability
     ◦ If a TGT is stolen, the attacker can access the network until the session expires
     ◦ Severe effects if the KDC is compromised
  22. References
     ◦ http://en.wikipedia.org/wiki/Kerberos_%28protocol%29
     ◦ http://technet.microsoft.com/en-us/library/bb742516.aspx
     ◦ http://www.kerberos.info
     Symbiosis students
     ◦ Deepak Aggarwal
     ◦ Rohit Khadke
     ◦ Sonali Solanki
     ◦ Vineela Kanapala
