Date posted: 13-May-2015
Uploaded by: bibek-subedi
Kerberos Authentication Protocol
ASHOK BASNET (066BCT505)
BIBEK SUBEDI (066BCT506)
DINESH SUBEDI (066BCT512)
What is Kerberos
Network authentication protocol
Developed at MIT in the mid 1980s
Available as open source or in supported commercial software
Kerberos vs Firewall
Firewalls make a risky assumption: that attackers are coming from the outside. In reality, attacks frequently come from within.
Kerberos assumes that network connections (rather than servers and workstations) are the weak link in network security.
Why Kerberos
Sending usernames and passwords in the clear jeopardizes the security of the network.
Each time a password is sent in the clear, there is a chance for interception.
Architecture
It consists of the following 3 components
1. Client
2. Authentication Server or Key Distribution Center (KDC)
3. Server
And has 3 main exchanges
1. Authentication Service (AS) Exchange
2. Ticket Granting Service (TGS) Exchange
3. Client Server (CS) Exchange
AS Exchange
Exchange between client and Authentication Server (KDC)
Client sends KRB_AS_REQ msg to KDC specifying credentials it wants
Server replies with msg KRB_AS_REP containing the ticket and session key
The session key is encrypted with client’s secret key
The TGT is encrypted with server’s secret key
The encryption type is DES by default
TGS Exchange
Is used to obtain additional tickets for the servers.
Doesn’t need client’s secret key for encryption
Transparent to the user
TGS must have access to all secret keys
But encrypts the ticket using server’s secret key
Client sends KRB_TGS_REQ to the TGS server
Server replies KRB_TGS_REP to the client with ticket
CS Exchange
Client contacts the real server
Client sends KRB_AP_REQ to the server specifying the service
Server validates client by decrypting ticket with server’s secret key and decrypting authenticator with the session key contained in the ticket
Server optionally replies with KRB_AP_REP
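The three exchanges above (AS, TGS and CS) as one runnable simulation. This is an added example, not code from the slides or from MIT Kerberos: a hypothetical HMAC-SHA256 based authenticated cipher stands in for the DES/AES encryption types Kerberos negotiates, messages are Python dicts instead of ASN.1, there is no pre-authentication, and the realm EXAMPLE.COM, the principals alice, krbtgt and host/files, the password and the 8-hour lifetime are all constructed. It shows the points the slides make: the password never leaves the client (a wrong password simply cannot decrypt KRB_AS_REP), the TGS exchange needs only the TGT session key and not the client's secret key, the server validates KRB_AP_REQ with its own key and the session key inside the ticket, and the "strict time requirements" limitation appears as the server rejecting an authenticator whose timestamp is outside the skew window.

```python
# Toy Kerberos v5-style AS / TGS / AP exchange (added example, not the slides' code).
import hashlib
import hmac
import json
import os
import time

LIFETIME = 8 * 3600   # ticket lifetime in seconds (constructed value)
MAX_SKEW = 300        # authenticator freshness window: the usual 5-minute Kerberos tolerance

def derive_key(name, realm, password):   # string-to-key: long-term key from the password
    return hashlib.pbkdf2_hmac("sha256", password.encode(), f"{name}@{realm}".encode(), 10000)

def _xor_stream(key, nonce, data):   # keystream blocks from HMAC-SHA256(key, nonce || counter)
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)

def encrypt(key, obj):
    """Hypothetical authenticated cipher standing in for DES/AES: nonce || ciphertext || HMAC tag."""
    nonce = os.urandom(16)
    ct = _xor_stream(key, nonce, json.dumps(obj, sort_keys=True).encode())
    return (nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()).hex()

def decrypt(key, hexblob):
    """Verifies the tag first; a wrong key or a tampered message raises ValueError."""
    blob = bytes.fromhex(hexblob)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    return json.loads(_xor_stream(key, nonce, ct).decode())

def check_authenticator(ticket, auth, now):
    """Name binding, ticket lifetime and the strict time requirement the slides list as a limitation."""
    if auth["cname"] != ticket["cname"] or now > ticket["expires"]:
        raise PermissionError("principal mismatch or ticket expired")
    if abs(now - auth["timestamp"]) > MAX_SKEW:
        raise PermissionError("clock skew too large")

class KDC:
    """Authentication Server and TGS in one: it holds every principal's secret key."""
    def __init__(self, realm):
        self.realm, self.keys = realm, {}
    def add_principal(self, name, password):
        self.keys[name] = derive_key(name, self.realm, password)
    def issue(self, cname, sname, reply_key):
        # Ticket is sealed under the service's key; the session key is returned under reply_key.
        session_key = os.urandom(32).hex()
        ticket = {"cname": cname, "sname": sname, "key": session_key, "expires": time.time() + LIFETIME}
        return {"ticket": encrypt(self.keys[sname], ticket),
                "enc_part": encrypt(reply_key, {"key": session_key, "sname": sname})}
    def as_exchange(self, req):   # KRB_AS_REQ -> KRB_AS_REP: reply sealed under the client's key
        return self.issue(req["cname"], "krbtgt", self.keys[req["cname"]])
    def tgs_exchange(self, req):  # KRB_TGS_REQ -> KRB_TGS_REP: client's secret key not needed
        tgt = decrypt(self.keys["krbtgt"], req["tgt"])
        auth = decrypt(bytes.fromhex(tgt["key"]), req["authenticator"])
        check_authenticator(tgt, auth, time.time())
        return self.issue(tgt["cname"], req["sname"], bytes.fromhex(tgt["key"]))

class Client:
    def __init__(self, name, realm, password):
        self.name, self.key = name, derive_key(name, realm, password)   # password never leaves the client
    def authenticator(self, key):   # proves possession of a session key and carries a fresh timestamp
        return encrypt(key, {"cname": self.name, "timestamp": time.time()})
    def login(self, kdc):
        rep = kdc.as_exchange({"cname": self.name})
        self.tgt, self.tgt_key = rep["ticket"], bytes.fromhex(decrypt(self.key, rep["enc_part"])["key"])
    def service_ticket(self, kdc, sname):
        rep = kdc.tgs_exchange({"sname": sname, "tgt": self.tgt, "authenticator": self.authenticator(self.tgt_key)})
        return rep["ticket"], bytes.fromhex(decrypt(self.tgt_key, rep["enc_part"])["key"])

class Server:
    def __init__(self, key):
        self.key = key   # keytab copy of the key the KDC holds for this service
    def ap_exchange(self, req, now):   # KRB_AP_REQ -> KRB_AP_REP
        ticket = decrypt(self.key, req["ticket"])        # own secret key opens the ticket
        sk = bytes.fromhex(ticket["key"])
        auth = decrypt(sk, req["authenticator"])         # session key from the ticket opens the authenticator
        check_authenticator(ticket, auth, now)
        return encrypt(sk, {"timestamp": auth["timestamp"]})   # optional reply: mutual authentication

def run_demo(password="correct horse", server_skew=0):
    """Full flow in constructed realm EXAMPLE.COM; server_skew simulates an unsynchronised server clock."""
    kdc = KDC("EXAMPLE.COM")
    for name, pw in (("krbtgt", os.urandom(16).hex()), ("alice", "correct horse"), ("host/files", os.urandom(16).hex())):
        kdc.add_principal(name, pw)
    files, alice = Server(kdc.keys["host/files"]), Client("alice", "EXAMPLE.COM", password)
    try:
        alice.login(kdc)
        ticket, svc_key = alice.service_ticket(kdc, "host/files")
        ap_rep = files.ap_exchange({"ticket": ticket, "authenticator": alice.authenticator(svc_key)}, time.time() + server_skew)
        decrypt(svc_key, ap_rep)   # client verifies the server knew the session key
        return "authenticated"
    except ValueError:
        return "failed: a reply could not be decrypted (wrong key)"
    except PermissionError as e:
        return f"rejected: {e}"
```

Calling run_demo() walks through login, ticket request and service access and returns "authenticated"; run_demo(password="wrong") fails at the AS step because KRB_AS_REP cannot be opened, and run_demo(server_skew=600) is rejected by the server even with a valid ticket, which is the clock-synchronisation dependency the Limitations slide refers to.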
Implementation
Athena Project at MIT
Microsoft Windows
Limitations
Only provides authentication
Central Authentication server
Cannot migrate existing password hashes into the Kerberos database
Authentication is only as good as the user's password
Assumes relatively secure hosts on an insecure network
Strict time requirements
Complicates virtual hosting