Kerberos Authentication for Information Security

Date post: 03-Jun-2018
Upload: ifour-consultancy
  • 8/12/2019 Kerberos Authentication for Information Security

    KERBEROS AUTHENTICATION

    CONTENTS

    Authentication

    What Is Kerberos?

    Components

    Cross-realm Authentication Architecture

    Kerberos Authentication Benefits

    Why Kerberos?

    Drawbacks Of Kerberos

    Conclusion

    References

    AUTHENTICATION

    Authentication is the verification of the identity of a party who generated some data, and of the integrity of the data.

    A principal is the party whose identity is verified.

    The verifier is the party who demands assurance of the principal's identity.

    AUTHENTICATION

    Issues with:

    Password-based authentication

    Authentication by assertion

    WHAT IS KERBEROS?

    Distributed authentication service

    Allows a process (a client) running on behalf of a principal (a user) to prove its identity to a verifier

    Without sending data across the network

    WHAT IS KERBEROS?

    Provides integrity and confidentiality for data

    Developed in the mid-'80s as part of MIT's Project Athena

    V4 still runs at many sites

    V5 is considered to be standard Kerberos

    COMPONENTS

    Principals

    Realms

    Key Distribution Centers (KDCs)

    Authentication Service

    Ticket Granting Server

    Tickets

    ARCHITECTURE

    CROSS-REALM AUTHENTICATION

    KERBEROS AUTHENTICATION BENEFITS

    Interoperability

    Kerberos V5 protocol provides interoperability with other networks

    Efficient authentication to servers

    Server can directly authenticate the clients by examining credentials presented without going to the domain controller

    Comparison to NT LAN Manager

    More secure

    More flexible

    More efficient

    KERBEROS AUTHENTICATION BENEFITS

    Mutual authentication

    Provides a centralized authentication server to authenticate users to servers and servers to users.

    Delegated authentication

    The Kerberos V5 protocol includes a proxy mechanism that enables a service to impersonate its client when connecting to other services. No equivalent is available with NTLM.

    WHY KERBEROS?

    Divide up resource capabilities between many users

    Restrict users' access to resources

    Typical authentication mechanism: passwords

    When a user wants to gain access to a server, the server needs to verify the user's identity. Because access to resources is based on identity and associated permissions, the server must be sure the user really has the identity it claims.

    Authenticate user identity

    WHY KERBEROS?

    The user's name (that is, the User Principal Name, UPN) and the user's credentials are packaged in a data structure called a ticket.

    Securely package the user's name

    After the ticket is encrypted, messages are used to transport user credentials along the network.

    Securely deliver user credentials

    DRAWBACKS OF KERBEROS

    Single point of failure

    Strict time requirements

    No standardisation

    All authentications are controlled by a centralized KDC

    DRAWBACKS OF KERBEROS

    Unique Kerberos keys

    Kerberos assumes that each user is trusted but is using an untrusted host on an untrusted network

    Unencrypted passwords transferred to a non-kerberized service are at risk
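
The ticket packaging from the "Why Kerberos?" slides and the "strict time requirements" drawback, as an added example that is not part of the original slides: a simplified exchange in which the password never crosses the network and the service rejects stale authenticators. Assumptions: the AS and TGS are collapsed into one KDC step, the cipher is a toy stand-in for a real Kerberos encryption type, the principal name is used as the key-derivation salt, and all function names and the 300-second skew limit are hypothetical.

```python
import hashlib, hmac, json, os

MAX_SKEW = 300  # seconds of clock difference tolerated (assumed value)

def kdf(password, salt):
    # Long-term key derived from the password; the password itself is never sent.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000)

def _mac(key, label, data):
    return hmac.new(key, label + data, hashlib.sha256).digest()

def _xor(key, nonce, data):
    # Toy keystream cipher, a stand-in for a real Kerberos encryption type.
    ks = b"".join(_mac(key, b"enc", nonce + bytes([i])) for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def seal(key, obj):
    nonce = os.urandom(16)
    ct = _xor(key, nonce, json.dumps(obj).encode())
    return nonce + ct + _mac(key, b"mac", nonce + ct)

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _mac(key, b"mac", nonce + ct)):
        raise ValueError("wrong key or tampered message")
    return json.loads(_xor(key, nonce, ct))

def kdc_issue(user, user_key, service_key, now):
    # KDC (AS and TGS collapsed into one step): new session key, one copy
    # for the user, one inside a ticket that only the service can open.
    session = os.urandom(16).hex()
    ticket = seal(service_key, {"client": user, "session": session, "expires": now + 3600})
    return seal(user_key, {"session": session}), ticket

def client_request(user, password, reply, ticket, now):
    # Client recovers the session key locally, then builds an authenticator.
    session = bytes.fromhex(unseal(kdf(password, user), reply)["session"])
    return ticket, seal(session, {"client": user, "ts": now})

def service_verify(service_key, ticket, auth, now):
    t = unseal(service_key, ticket)
    a = unseal(bytes.fromhex(t["session"]), auth)
    if a["client"] != t["client"] or now > t["expires"]:
        raise ValueError("client mismatch or ticket expired")
    if abs(now - a["ts"]) > MAX_SKEW:
        raise ValueError("clock skew too great")
    return t["client"]
```

The service never contacts the KDC during verification; it relies only on its own key, the ticket, and its clock, which is why unsynchronized clocks break authentication.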

    CONCLUSION

    Traditional authentication methods are not suitable for use in computer networks where attackers monitor network traffic to intercept passwords.

    The use of strong authentication methods that do not disclose passwords is imperative. The Kerberos authentication system is well suited for authentication of users in such environments.

    REFERENCES

    Kerberos: An Authentication Service for Open Network Systems

    Steiner, Neuman, Schiller, 1988, Winter USENIX

    http://en.wikipedia.org/wiki/Kerberos_(protocol)

    http://www.ifour-consultancy.com
