
Deep Dive In To Kerberos


This presentation was first presented at Virtusa on 14th August 2014

Published in: Software

  1. Deep Dive into Kerberos
     Ishan A B Ambanwela
  2. Contents
     1. What is Kerberos
     2. Design Objectives
     3. Cons
     4. Common Terms Explained
     5. Kerberos Work Flow
     6. Kerberos in Practical
  3. What is Kerberos
     ● Computer network authentication protocol
     ● Developed at MIT in the mid 1980s as a part of Project Athena
     ● Named after the three-headed guard dog of Hades
     ● Current version 5 was released under the MIT license in 2005 (RFC 4120)
  4. Design Objectives
     ● Allows communication over a non-secure network
     ● Based on tickets
     ● Designed for the client-server model
     ● Interoperability
     ● Trust no one (mutual authentication between client and server)
     ● Protected against eavesdropping and replay attacks
  5. Cons
     ● Single point of failure
     ● Strict time requirements
     ● Symmetric cryptography
     ● Unique Kerberos keys
     ● Complications in virtual hosting and clusters
     ● Requires user accounts
     ● Strict separation of domains
     ● Administration protocol is not standardized
  6. Some Common Terms
     ● KDC - Key Distribution Center
     ● AS - Authentication Service
     ● AD - Active Directory
     ● Key - parameter which determines the functional output of a cryptographic algorithm
     ● Ticket - piece of information which carries the identity
     ● Session - semi-permanent interactive information interchange
  7. Kerberos - Terms
     ● TGT – Ticket Granting Ticket
       – Used to prove the user's own identity
     ● ST – Service Ticket
       – Allows a user to use a service
       – Used to securely pass the identity of the user to which the ticket is issued between the KDC and the application server
     ● Authenticator
       – Proves that the user presenting the ticket is the user to which the ticket was issued
       – Proof that the user knows the session key
       – Prevents replay attacks
  8. Kerberos – Work flow (diagram: Client, Authentication Server, Ticket Granting Server, Resource Server; message exchange recovered from the slide labels)
     Client derives the Client Secret Key (CSK) from the username and password with a one-way hash.
     Client → Authentication Server: Username (clear text)
     Authentication Server → Client:
       A. Session Key (SK), encrypted with CSK
       B. Username, NA, Validity Period, Session Key (SK), encrypted with the TGS Secret Key (the TGT)
     Client decodes A with CSK and obtains SK.
     Client → Ticket Granting Server: B, Service ID (clear text), and
       C. Username, Timestamp, encrypted with SK (the authenticator)
     TGS decodes B with the TGS Secret Key, then C with SK.
     Ticket Granting Server → Client:
       D. Client/Server Ticket: Username, NA, Validity Period, Client/Server Session Key (CSSK), encrypted with the RS Secret Key
       E. Timestamp+1, Client/Server Session Key (CSSK), encrypted with SK
     Client → Resource Server: D, and
       F. Username, Timestamp', encrypted with CSSK
     RS decodes D with the RS Secret Key, then F with CSSK.
     Resource Server → Client:
       G. Timestamp'+1, Resource, encrypted with CSSK
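Slides 7 and 8 describe the authenticator and the A to G message flow. The following is an added Python model, not code from the presentation, of the first half of that flow: the AS exchange (messages A and B) and the TGS authenticator check (message C), including the replay rejection the authenticator is meant to provide. The XOR/HMAC "seal" is a constructed toy cipher standing in for Kerberos encryption types, and the user database, network address and timestamps are constructed values.

```python
import hashlib, hmac, json, os

def derive_csk(password: str) -> bytes:
    # Client Secret Key (CSK): a one-way hash of the password, as on slide 8.
    return hashlib.sha256(password.encode()).digest()

def seal(key: bytes, msg: dict) -> bytes:
    # Toy authenticated encryption (SHA-256 keystream XOR + HMAC tag); a stand-in only, NOT real Kerberos crypto.
    data, nonce = json.dumps(msg).encode(), os.urandom(16)
    ks = b"".join(hashlib.sha256(key + nonce + bytes([i])).digest()
                  for i in range(len(data) // 32 + 1))
    ct = bytes(a ^ b for a, b in zip(data, ks))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("bad tag: wrong key or tampered message")
    ks = b"".join(hashlib.sha256(key + nonce + bytes([i])).digest()
                  for i in range(len(ct) // 32 + 1))
    return json.loads(bytes(a ^ b for a, b in zip(ct, ks)))

TGS_SK = os.urandom(32)                          # TGS Secret Key, known to AS and TGS only
USERS = {"alice": derive_csk("correct horse")}   # constructed AS user database
SEEN_AUTHENTICATORS = set()                      # TGS replay cache of (user, timestamp)

def as_exchange(username: str):
    # AS receives the username in clear text and returns
    # A = SK encrypted with the user's CSK, B = TGT encrypted with the TGS Secret Key.
    sk = os.urandom(32)
    a = seal(USERS[username], {"SK": sk.hex()})
    b = seal(TGS_SK, {"user": username, "NA": "10.0.0.5", "valid": 600, "SK": sk.hex()})
    return a, b

def client_recover_sk(password: str, a: bytes) -> bytes:
    # Client decodes A with CSK; a wrong password gives a wrong key and the tag check fails.
    return bytes.fromhex(unseal(derive_csk(password), a)["SK"])

def client_authenticator(sk: bytes, username: str, ts: int) -> bytes:
    # C = Username + Timestamp encrypted with SK: proves the client knows SK.
    return seal(sk, {"user": username, "ts": ts})

def tgs_verify(b: bytes, c: bytes) -> str:
    # TGS decodes the TGT with its own key, then checks authenticator C with the SK inside it.
    tgt = unseal(TGS_SK, b)
    auth = unseal(bytes.fromhex(tgt["SK"]), c)
    if auth["user"] != tgt["user"] or (auth["user"], auth["ts"]) in SEEN_AUTHENTICATORS:
        raise PermissionError("authenticator rejected: identity mismatch or replay")
    SEEN_AUTHENTICATORS.add((auth["user"], auth["ts"]))
    return tgt["user"]
```

A second presentation of the same authenticator is refused, which is the replay protection slide 7 attributes to the authenticator; a real KDC also bounds the accepted clock skew, which this model omits.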
  9. Kerberos in Practical
  10. Java Example for Requesting a Kerberos Ticket in Client
  11. Kerberos in Practical : background knowledge
      ● JAAS - Java Authentication and Authorization Service
        – LoginModule
          ● Classes implementing this contain the actual code for authentication
          ● Various mechanisms to authenticate
        – LoginContext
          ● Starts the authentication process by creating a Subject
        – Subject
          ● A single user, entity or system
        – Principal
          ● Encapsulates features or properties of a subject
        – Credentials
  12. Browser Based Kerberos Ticket Validation
  13. Kerberos in Practical : background knowledge
      ● GSSAPI
        – Generic Security Service Application Program Interface
        – IETF standard
      ● SPNEGO
        – Simple and Protected GSSAPI Negotiation Mechanism
        – A pseudo mechanism used by client-server software to negotiate the choice of security technology
  14. Browser Based Kerberos Authentication Example : Sample Requests and Responses
  15. Special Thanks
      ● Praboda Disanayaka – for providing the Kerberos work flow slide
      ● Vicknesh Subramaniyam – for providing the sample HTTP requests/responses
  16. Q&A Discussion
  17. Thank you and Good Luck :-)