Sutanu Paul, profile picture
Uploaded bySutanu Paul
PPTX, PDF16,186 views

Kerberos

This document provides an overview of Kerberos, including: - Kerberos is an authentication protocol that uses symmetric encryption and timestamps to allow nodes communicating over an insecure network to verify each other's identity securely. - It works by having a client first authenticate with an authentication server to obtain a ticket-granting ticket, then uses that ticket to obtain additional tickets for access to other services. - Kerberos addresses the need for secure authentication in distributed network environments where the workstations themselves cannot be fully trusted.

Embed presentation

Downloaded 499 times
KERBEROS PRESENTED BY SUTANU PAUL(CSI 13023) MD ARIFUL HOQUE(CSI 13020) MTECH(IT) 1ST SEM TEZPUR UNIVERSITY
OUTLINE • • • • • • • • • • What is Kerberos? Why Kerberos? Firewall Vs Kerberos Kerberos design How does Kerberos work? Application of Kerberos Comparison between version 4 and 5 Attacks on Kerberos Limitation of Kerberos References
WHAT IS KERBEROS? • Literal meaning: In Greek mythology,kerberos is a multi-headed dog (usually three) which gaurds the entrance of Hades. • Technically Kerberos is an authentication protocol implemented on Project Athena at MIT • Athena provides an open network computing environment • Each user has complete control of its workstation • But the workstations can not be trusted completely to identify its users to the network services • Kerberos acts as a third party authenticator - Helps the user to prove its identity to the various services and vice versa • Uses symmetrical cryptographic algorithms (private key cryptosystems) –Same key is used for encryption as well as decryption –Uses DES (Data Encryption Standard)
WHAT IS KERBEROS?…cont. What's with the 3 heads? ● Authentication – confirms that a user who is requesting services is a valid user of the network ● Authorization – granting of specific types of service to a user, based on their authentication ● Accounting – The tracking of the consumption of network resources by users
WHY KERBEROS? • Authentication is a key feature in a multi-user environment. • Sending usernames and passwords over the network is not secure. • Each time a password is sent in the network, there is a chance for interception. Problem: Cannot trust workstation to identify their users correctly in an open distributed environment Solution: – Building elaborate authentication protocols at each server – A centralized authentication server (Kerberos)
FIREWALL VS KERBEROS • Firewall make a risky assumption that attackers are coming from the outside. In reality attacks frequently come from within. • Kerberos assumes that network connections (rather than servers and workstations) are the weak link in network security.
HOW DOES KERBEROS WORK? ….cont. • To request a service from a server, the client goes through three phases of authentication • Phase 1 –The client requests a ticket from the Kerberos –Kerberos grants a ticket and a session key –The ticket is used for requesting other tickets for various services –Ticket conveys the identity of the client to the server –The session key is used for conversation between the client and the server
HOW DOES KERBEROS WORK? ….cont. Phase 2 –The client uses the ticket of the first phase to request a ticket from the ticket granting server (TGS) for a specific service Phase 3 –The client presents the key to the server for the service
A more detailed look… AUTHENTICATION SERVER • The client sends a plaintext request to the AS asking for a ticket it can use to talk to the TGS. • Request: -Login name -TGS name • Since this request contains only well-known names, it does not need to be sealed.
AUTHENTICATION SERVER • The AS finds the keys corresponding to the login name and the TGS name. • The AS creates a ticket: – Login name – TGS name – Client network address – TGS session key • The AS seals the ticket with the TGS secret key.
AUTHENTICATION SERVER RESPONSE • The AS also creates a random session key for the client and the TGS to use. • The session key and the sealed ticket are sealed with the user (login name) secret key. Sealed with TGS key Ticket: TGS session key Sealed with user key login name TGS name net address TGS session key
ACCESSING THE TGS • The client decrypts the message using the user’s password as the secret key. • The client now has a session key and ticket that can be used to contact the TGS. • The client cannot see inside the ticket, since the client does not know the TGS secret key.
ACCESSING A SERVER • When a client wants to start using a server (service), the client must first obtain a ticket. • The client composes a request to send to the TGS Sealed with TGS key TGS Ticket Authenticator Server Name Sealed with session key
TGS RESPONSE • The TGS decrypts the ticket using it’s secret key. Inside is the TGS session key. • The TGS decrypts the authenticator using the session key. • The TGS check to make sure login names, client addresses and TGS server name are all ok. • TGS makes sure the authenticator is recent.
TGS RESPONSE Once everything checks out - the TGS: • Builds a ticket for the client and requested server. The ticket is sealed with the server key. • Creates a session key • Seals the entire message with the TGS session key and sends it to the client
CLIENT ACCESSES SERVER • The client now decrypts the TGS response using the TGS session key. • The client now has a session key for use with the new server, and a ticket to use with that server. • The client can contact the new server using the same format used to access the TGS.
WHY TWO SERVERS? Note that –First phase is used for user-authentication (using the id and password) –Second and third phase may continue several times with the same TGT granted by the first phase In absence of this additional phase –For each service, the user needs to authenticate itself using its password –Once the intruder gets the first session key, it can continue doing malicious works throughout the session –That’s why life and timestamp are mentioned
APPLICATIONS OF KERBEROS • Windows servers use Kerberos as the primary authentication protocol. • Telnet/FTP uses Kerberos. • Authentication for web services. • Authenticating email client and servers.
comparison between version 4 and 5 Version 4 • Environmental drawbacks – Encryption system dependence – Internet protocol dependence – Message format – Ticket lifetimes – Authentication forwarding – Inter-realm authentication
VERSION 4 • Technical deficiencies – Double Encryption (Bellovin and Merritt [Bel90]) – PCBC encryption – Authenticators and replay detection – Password attacks – Session keys – Cryptographic checksum – Kerberised
ATTACKS ON KERBEROS • • • • KDC security Availability Replay attacks Password-guessing attacks
Limitations of Kerberos
REFERENCES Books o Computer Networks by Andrew S Tanenbaum, Fifth Edition. o Data Communications and Networking by Behrouz A Forouzan, Fourth Edition. Websites owww.mit.edu owww.google.com owww.wikipedia.com
KERBEROS DESIGN • • • • • • • • Every User has a password. Every service has a password. Password are never sent across the network in clear text(or stored in memory) User must identify himself once at the beginning of a workstation session(login session) The only entity that knows all the passwords is the AUTHENTICATION SERVER (AS) Every user shares its private secret key with the AUTHENTICATION SERVER -User X doesn’t know the private key of user Y. Key Distribution: When X wants to communicate with Y, they need to use a secret key between them -AS is responsible for distributing this session key (conversation key) between X and Y Everybody has to trust AS
HOW DOES KERBEROS WORK? ….cont. • Instead of client (Alice) sending password to application server(Bob): -It Request TICKET From AUTHENTICATION SERVER -the TICKET and encrypted request is sent to application server(Bob). • How To Request Tickets Without Repeatedly Sending Credentials? – TICKET-GRANTING TICKET (TGT)

More Related Content

PPTX
Kerberos
byRafatSamreen
 
PDF
Web Security
byDr.Florence Dayana
 
PPTX
Secure Hash Algorithm
byVishakha Agarwal
 
PPT
X.509 Certificates
bySou Jana
 
PPTX
kerberos
bysameer farooq
 
PPTX
SHA- Secure hashing algorithm
byRuchi Maurya
 
PPT
Message authentication and hash function
byomarShiekh1
 
PPTX
MAC-Message Authentication Codes
byDarshanPatil82
 
Kerberos
byRafatSamreen
 
Web Security
byDr.Florence Dayana
 
Secure Hash Algorithm
byVishakha Agarwal
 
X.509 Certificates
bySou Jana
 
kerberos
bysameer farooq
 
SHA- Secure hashing algorithm
byRuchi Maurya
 
Message authentication and hash function
byomarShiekh1
 
MAC-Message Authentication Codes
byDarshanPatil82
 

What's hot

PDF
Authentication techniques
byIGZ Software house
 
PPTX
Hash Function
bySiddharth Srivastava
 
PPT
Message authentication
byCAS
 
PPT
Ipsec
byRupesh Mishra
 
PPTX
Key management
bySujata Regoti
 
PDF
IP Security
byDr.Florence Dayana
 
PPTX
Kerberos : An Authentication Application
byVidulatiwari
 
PPT
block ciphers
byAsad Ali
 
PPT
Network Security and Cryptography
byAdam Reagan
 
PPTX
Pgp pretty good privacy
byPawan Arya
 
PPTX
SSL
byBadrul Alam bulon
 
PPTX
User authentication
byCAS
 
PPT
Email security
byIndrajit Sreemany
 
PPTX
RSA Algorithm
bySrinadh Muvva
 
PDF
AES-Advanced Encryption Standard
byPrince Rachit
 
PDF
Electronic mail security
byDr.Florence Dayana
 
PPTX
Access Controls
byprimeteacher32
 
PPTX
Key management and distribution
byRiya Choudhary
 
PPT
Block Cipher and its Design Principles
bySHUBHA CHATURVEDI
 
PPTX
Corba concepts & corba architecture
bynupurmakhija1211
 
Authentication techniques
byIGZ Software house
 
Hash Function
bySiddharth Srivastava
 
Message authentication
byCAS
 
Ipsec
byRupesh Mishra
 
Key management
bySujata Regoti
 
IP Security
byDr.Florence Dayana
 
Kerberos : An Authentication Application
byVidulatiwari
 
block ciphers
byAsad Ali
 
Network Security and Cryptography
byAdam Reagan
 
Pgp pretty good privacy
byPawan Arya
 
SSL
byBadrul Alam bulon
 
User authentication
byCAS
 
Email security
byIndrajit Sreemany
 
RSA Algorithm
bySrinadh Muvva
 
AES-Advanced Encryption Standard
byPrince Rachit
 
Electronic mail security
byDr.Florence Dayana
 
Access Controls
byprimeteacher32
 
Key management and distribution
byRiya Choudhary
 
Block Cipher and its Design Principles
bySHUBHA CHATURVEDI
 
Corba concepts & corba architecture
bynupurmakhija1211
 

Viewers also liked

PPTX
Kerberos explained
byDotan Patrich
 
PPTX
Kerberos Authentication Protocol
byBibek Subedi
 
PDF
Kerberos presentation
byChris Geier
 
PPTX
Kerberos
bySudeep Shouche
 
PPTX
Kerberos protocol
byAjit Dadresa
 
PDF
An Introduction to Kerberos
byShumon Huque
 
PPTX
Kerberos
byRahul Pundir
 
PDF
Kerberos Protocol
byNetwax Lab
 
PPT
Kerberos
byPrafull Johri
 
PDF
Kerberos
bySparkbit
 
PPTX
Kerberos survival guide-STL 2015
byJ.D. Wade
 
RTF
Kerberos case study
byMayuri Patil
 
PDF
Windows Service Hardening
byDigital Bond
 
PPTX
The RIPE Experience
byDigital Bond
 
PPTX
Internet Accessible ICS in Japan (English)
byDigital Bond
 
PDF
Accelerating OT - A Case Study
byDigital Bond
 
PPTX
Incubation of ICS Malware (English)
byDigital Bond
 
PDF
S4xJapan Closing Keynote
byDigital Bond
 
PDF
Attacking and Defending Autos Via OBD-II from escar Asia
byDigital Bond
 
PPTX
Vulnerability Inheritance in ICS (English)
byDigital Bond
 
Kerberos explained
byDotan Patrich
 
Kerberos Authentication Protocol
byBibek Subedi
 
Kerberos presentation
byChris Geier
 
Kerberos
bySudeep Shouche
 
Kerberos protocol
byAjit Dadresa
 
An Introduction to Kerberos
byShumon Huque
 
Kerberos
byRahul Pundir
 
Kerberos Protocol
byNetwax Lab
 
Kerberos
byPrafull Johri
 
Kerberos
bySparkbit
 
Kerberos survival guide-STL 2015
byJ.D. Wade
 
Kerberos case study
byMayuri Patil
 
Windows Service Hardening
byDigital Bond
 
The RIPE Experience
byDigital Bond
 
Internet Accessible ICS in Japan (English)
byDigital Bond
 
Accelerating OT - A Case Study
byDigital Bond
 
Incubation of ICS Malware (English)
byDigital Bond
 
S4xJapan Closing Keynote
byDigital Bond
 
Attacking and Defending Autos Via OBD-II from escar Asia
byDigital Bond
 
Vulnerability Inheritance in ICS (English)
byDigital Bond
 

Similar to Kerberos

PPTX
1. Kerberos is an auth protocol llllllllllllllllllllll
byMrVMNair
 
PPT
kerb.ppt
byJdQi
 
PPT
Kerberos (1)
byAna Salas Elizondo
 
PPTX
IS UNIT 3 PPT- PART 2.pptx is very helpful for engineering students of any El...
byAvsAkhilAkhil
 
PPT
Kerberos full with detailed explanation tkerberos.ppt
bymanikandancsesdm
 
PPT
Kerberos
byMohanasundaram Nattudurai
 
PPT
Kerberos
bySou Jana
 
PPTX
Rakesh raj
byDBNCOET
 
PDF
Presentation of Kerberos as per ECE scheme
byDeepanshuMidha5140
 
PDF
Firewalls
byGajendra Saini
 
PPTX
6.Kerberos_in symmetric key distribution.pptx
byMushfiqUlHaque6
 
PDF
IRJET- Secure Kerberos System in Distributed Environment
byIRJET Journal
 
PDF
CRYPTOGRAPHY AND NETWORK SECURITY
byKathirvel Ayyaswamy
 
PPT
Gunaspresentation1
byanchalaguna
 
PDF
Deep Dive In To Kerberos
byIshan A B Ambanwela
 
PDF
Kerberos Process.pdf
byYogeshwaran R
 
PDF
Kerberos Security in Distributed Systems
byIRJET Journal
 
PPTX
kerberos
bySadhana28
 
PDF
Unit 3_Kerberos Protocol_Working_Version.pdf
byKanchanPatil34
 
DOCX
Rakesh
byDBNCOET
 
1. Kerberos is an auth protocol llllllllllllllllllllll
byMrVMNair
 
kerb.ppt
byJdQi
 
Kerberos (1)
byAna Salas Elizondo
 
IS UNIT 3 PPT- PART 2.pptx is very helpful for engineering students of any El...
byAvsAkhilAkhil
 
Kerberos full with detailed explanation tkerberos.ppt
bymanikandancsesdm
 
Kerberos
byMohanasundaram Nattudurai
 
Kerberos
bySou Jana
 
Rakesh raj
byDBNCOET
 
Presentation of Kerberos as per ECE scheme
byDeepanshuMidha5140
 
Firewalls
byGajendra Saini
 
6.Kerberos_in symmetric key distribution.pptx
byMushfiqUlHaque6
 
IRJET- Secure Kerberos System in Distributed Environment
byIRJET Journal
 
CRYPTOGRAPHY AND NETWORK SECURITY
byKathirvel Ayyaswamy
 
Gunaspresentation1
byanchalaguna
 
Deep Dive In To Kerberos
byIshan A B Ambanwela
 
Kerberos Process.pdf
byYogeshwaran R
 
Kerberos Security in Distributed Systems
byIRJET Journal
 
kerberos
bySadhana28
 
Unit 3_Kerberos Protocol_Working_Version.pdf
byKanchanPatil34
 
Rakesh
byDBNCOET
 

Recently uploaded

PDF
Beyond BBB: Practical Alternatives to Posterior Approximation in Bayesian Neu...
byTomasz Kusmierczyk
 
PDF
Digital Marketing Trends in 2026: AI, Data, Content & Future Growth
byConacent Consulting
 
PDF
oracle_apex_tamil_export_an_application.pdf
byUthamaselvan M
 
PDF
Azure Identity, Governance, and Monitoring solutions
byVICTOR MAESTRE RAMIREZ
 
PDF
Benefits of Using the IAC 500 Sensor for Ambient Conditions
byCS Instruments
 
PPTX
Scrape YouTube Video Data for Influencer Analytics.pptx
byWeb Data Crawler
 
PDF
A Brief Introduction About Christopher Elwell Woburn
byChristopher Elwell Woburn
 
PDF
Xemelgo - RFID Industry Predictions for 2026
byRich Rogers
 
PPTX
Why 2026 Could Be a Turning Point for Decentralized Exchanges.pptx
bycalliemorgan193
 
PPTX
Digital transformation success powered by EPM and NexInfo.pptx
byjayasuryanexinfo
 
PDF
splunk-peak-threat-hunting-framework.pdf
bylobster6719
 
PDF
Artificial Intelligence and Barbarism - Conceptual Map
byalfadix
 
PDF
How to Connect HP LaserJet MFP M234dwe to WiFi
byPrinter Tales
 
PPTX
Cybersecurity Basics: Understanding Threats, Protection Methods, and Safe Dig...
byDhruvManiar3
 
PDF
Video Infrastructure_ Streaming Architecture and Delivery Systems.pdf
byTenbyte Limited
 
PDF
Small Business Automation: A Comprehensive Cost and ROI Guide
byAmelia Swank
 
PDF
The map to conquer linear algebra for IT engineer
byakipii ogaoga
 
PPTX
Salesforce Spring 26 Release Key .pptx
byMehediHasan939830
 
PDF
Achieving Interoperability in Healthcare IT: A Strategic Guide
byHart, Inc.
 
PDF
AI Driven & AI Native Development AI native development
byZainKarim7
 
Beyond BBB: Practical Alternatives to Posterior Approximation in Bayesian Neu...
byTomasz Kusmierczyk
 
Digital Marketing Trends in 2026: AI, Data, Content & Future Growth
byConacent Consulting
 
oracle_apex_tamil_export_an_application.pdf
byUthamaselvan M
 
Azure Identity, Governance, and Monitoring solutions
byVICTOR MAESTRE RAMIREZ
 
Benefits of Using the IAC 500 Sensor for Ambient Conditions
byCS Instruments
 
Scrape YouTube Video Data for Influencer Analytics.pptx
byWeb Data Crawler
 
A Brief Introduction About Christopher Elwell Woburn
byChristopher Elwell Woburn
 
Xemelgo - RFID Industry Predictions for 2026
byRich Rogers
 
Why 2026 Could Be a Turning Point for Decentralized Exchanges.pptx
bycalliemorgan193
 
Digital transformation success powered by EPM and NexInfo.pptx
byjayasuryanexinfo
 
splunk-peak-threat-hunting-framework.pdf
bylobster6719
 
Artificial Intelligence and Barbarism - Conceptual Map
byalfadix
 
How to Connect HP LaserJet MFP M234dwe to WiFi
byPrinter Tales
 
Cybersecurity Basics: Understanding Threats, Protection Methods, and Safe Dig...
byDhruvManiar3
 
Video Infrastructure_ Streaming Architecture and Delivery Systems.pdf
byTenbyte Limited
 
Small Business Automation: A Comprehensive Cost and ROI Guide
byAmelia Swank
 
The map to conquer linear algebra for IT engineer
byakipii ogaoga
 
Salesforce Spring 26 Release Key .pptx
byMehediHasan939830
 
Achieving Interoperability in Healthcare IT: A Strategic Guide
byHart, Inc.
 
AI Driven & AI Native Development AI native development
byZainKarim7
 

Kerberos

  • 1.
    KERBEROS PRESENTED BY SUTANU PAUL(CSI13023) MD ARIFUL HOQUE(CSI 13020) MTECH(IT) 1ST SEM TEZPUR UNIVERSITY
  • 2.
    OUTLINE • • • • • • • • • • What is Kerberos? WhyKerberos? Firewall Vs Kerberos Kerberos design How does Kerberos work? Application of Kerberos Comparison between version 4 and 5 Attacks on Kerberos Limitation of Kerberos References
  • 3.
    WHAT IS KERBEROS? •Literal meaning: In Greek mythology,kerberos is a multi-headed dog (usually three) which gaurds the entrance of Hades. • Technically Kerberos is an authentication protocol implemented on Project Athena at MIT • Athena provides an open network computing environment • Each user has complete control of its workstation • But the workstations can not be trusted completely to identify its users to the network services • Kerberos acts as a third party authenticator - Helps the user to prove its identity to the various services and vice versa • Uses symmetrical cryptographic algorithms (private key cryptosystems) –Same key is used for encryption as well as decryption –Uses DES (Data Encryption Standard)
  • 4.
    WHAT IS KERBEROS?…cont. What'swith the 3 heads? ● Authentication – confirms that a user who is requesting services is a valid user of the network ● Authorization – granting of specific types of service to a user, based on their authentication ● Accounting – The tracking of the consumption of network resources by users
  • 5.
    WHY KERBEROS? • Authenticationis a key feature in a multi-user environment. • Sending usernames and passwords over the network is not secure. • Each time a password is sent in the network, there is a chance for interception. Problem: Cannot trust workstation to identify their users correctly in an open distributed environment Solution: – Building elaborate authentication protocols at each server – A centralized authentication server (Kerberos)
  • 6.
    FIREWALL VS KERBEROS •Firewall make a risky assumption that attackers are coming from the outside. In reality attacks frequently come from within. • Kerberos assumes that network connections (rather than servers and workstations) are the weak link in network security.
  • 8.
    HOW DOES KERBEROSWORK? ….cont. • To request a service from a server, the client goes through three phases of authentication • Phase 1 –The client requests a ticket from the Kerberos –Kerberos grants a ticket and a session key –The ticket is used for requesting other tickets for various services –Ticket conveys the identity of the client to the server –The session key is used for conversation between the client and the server
  • 9.
    HOW DOES KERBEROSWORK? ….cont. Phase 2 –The client uses the ticket of the first phase to request a ticket from the ticket granting server (TGS) for a specific service Phase 3 –The client presents the key to the server for the service
  • 10.
    A more detailedlook… AUTHENTICATION SERVER • The client sends a plaintext request to the AS asking for a ticket it can use to talk to the TGS. • Request: -Login name -TGS name • Since this request contains only well-known names, it does not need to be sealed.
  • 11.
    AUTHENTICATION SERVER • TheAS finds the keys corresponding to the login name and the TGS name. • The AS creates a ticket: – Login name – TGS name – Client network address – TGS session key • The AS seals the ticket with the TGS secret key.
  • 12.
    AUTHENTICATION SERVER RESPONSE • TheAS also creates a random session key for the client and the TGS to use. • The session key and the sealed ticket are sealed with the user (login name) secret key. Sealed with TGS key Ticket: TGS session key Sealed with user key login name TGS name net address TGS session key
  • 13.
    ACCESSING THE TGS •The client decrypts the message using the user’s password as the secret key. • The client now has a session key and ticket that can be used to contact the TGS. • The client cannot see inside the ticket, since the client does not know the TGS secret key.
  • 14.
    ACCESSING A SERVER •When a client wants to start using a server (service), the client must first obtain a ticket. • The client composes a request to send to the TGS Sealed with TGS key TGS Ticket Authenticator Server Name Sealed with session key
  • 15.
    TGS RESPONSE • TheTGS decrypts the ticket using it’s secret key. Inside is the TGS session key. • The TGS decrypts the authenticator using the session key. • The TGS check to make sure login names, client addresses and TGS server name are all ok. • TGS makes sure the authenticator is recent.
  • 16.
    TGS RESPONSE Once everythingchecks out - the TGS: • Builds a ticket for the client and requested server. The ticket is sealed with the server key. • Creates a session key • Seals the entire message with the TGS session key and sends it to the client
  • 17.
    CLIENT ACCESSES SERVER •The client now decrypts the TGS response using the TGS session key. • The client now has a session key for use with the new server, and a ticket to use with that server. • The client can contact the new server using the same format used to access the TGS.
  • 19.
    WHY TWO SERVERS? Notethat –First phase is used for user-authentication (using the id and password) –Second and third phase may continue several times with the same TGT granted by the first phase In absence of this additional phase –For each service, the user needs to authenticate itself using its password –Once the intruder gets the first session key, it can continue doing malicious works throughout the session –That’s why life and timestamp are mentioned
  • 20.
    APPLICATIONS OF KERBEROS •Windows servers use Kerberos as the primary authentication protocol. • Telnet/FTP uses Kerberos. • Authentication for web services. • Authenticating email client and servers.
  • 21.
    comparison between version4 and 5 Version 4 • Environmental drawbacks – Encryption system dependence – Internet protocol dependence – Message format – Ticket lifetimes – Authentication forwarding – Inter-realm authentication
  • 22.
    VERSION 4 • Technicaldeficiencies – Double Encryption (Bellovin and Merritt [Bel90]) – PCBC encryption – Authenticators and replay detection – Password attacks – Session keys – Cryptographic checksum – Kerberised
  • 23.
    ATTACKS ON KERBEROS • • • • KDCsecurity Availability Replay attacks Password-guessing attacks
  • 24.
  • 25.
    REFERENCES Books o Computer Networks by Andrew S Tanenbaum, FifthEdition. o Data Communications and Networking by Behrouz A Forouzan, Fourth Edition. Websites owww.mit.edu owww.google.com owww.wikipedia.com
  • 26.
    KERBEROS DESIGN • • • • • • • • Every Userhas a password. Every service has a password. Password are never sent across the network in clear text(or stored in memory) User must identify himself once at the beginning of a workstation session(login session) The only entity that knows all the passwords is the AUTHENTICATION SERVER (AS) Every user shares its private secret key with the AUTHENTICATION SERVER -User X doesn’t know the private key of user Y. Key Distribution: When X wants to communicate with Y, they need to use a secret key between them -AS is responsible for distributing this session key (conversation key) between X and Y Everybody has to trust AS
  • 27.
    HOW DOES KERBEROSWORK? ….cont. • Instead of client (Alice) sending password to application server(Bob): -It Request TICKET From AUTHENTICATION SERVER -the TICKET and encrypted request is sent to application server(Bob). • How To Request Tickets Without Repeatedly Sending Credentials? – TICKET-GRANTING TICKET (TGT)