2. CONTENTS
INTRODUCTION
History
Motivation
WHAT IS KERBEROS?
TERMINOLOGY
WORKING
KERBEROS ENVIRONMENT
KERBEROS DATABASE
KERBEROS ADMINISTRATOR
ADVANTAGES & DISADVANTAGES
PUBLIC KEY CRYPTOGRAPHY
CONCLUSION
REFERENCES
3. INTRODUCTION
History
Developed at MIT during Project Athena, which started in 1983 with UNIX timesharing computers.
Motivation
It must be secure.
It must be reliable.
It should be transparent.
It should be scalable.
4. What is Kerberos?
In an open network computing environment, a workstation cannot be trusted to identify its users correctly.
Trusted third-party authentication service.
Monstrous three-headed guard dog of Hades.
Authentication protocol for trusted hosts on untrusted networks.
Provides reliable authentication over open and insecure networks.
Uses secret-key cryptography with the symmetric Needham-Schroeder protocol.
5. TERMINOLOGY
Realm:
Indicates an authentication administrative domain.
Principal:
The name used to refer to the entries in the AS database.
Ticket:
Issued by the AS and encrypted using the secret key of the service.
Encryption:
Encryption type:
DES, RC4-HMAC, AES128 & AES256 algorithms.
Encryption key
Salt
Key Version Number (kvno)
6. Key Distribution Center (KDC):
Database:
Contains information about Users & Services.
Authentication Server (AS):
Replies to the initial authentication request from the client and issues the TGT.
Ticket Granting Server (TGS):
Distributes Service tickets to client.
Session Key:
A secret shared between a user and a service for which the client has a work session open on a server.
Replay Cache
Credential Cache:
Used to store password & related session key.
7. Working of Kerberos
Step 1: (Fig 1)
The AS receives the request from the client and verifies the client.
Fig. 1 Authentication service verifies the user ID
8. Step 2:
Upon verification, a timestamp is created with the current time in a user session that has an expiration date.
The timestamp ensures that once the 8 hours are up, the encryption key is useless.
Step 3: (Fig 2)
The key is sent back to the client in the form of a TGT.
Fig. 2 Authentication service issues TGT.
9. Step 4: (Fig 3)
The client submits the TGT to the TGS to get authenticated.
Fig. 3 Client submits TGT to TGS.
10. Step 5: (Fig. 4)
The TGS creates an encrypted key with a timestamp and grants the client a service ticket.
Step 6:
The client decrypts the ticket & sends an ACK to the TGS.
Fig. 4 TGS grants client the service ticket.
11. Step 7:
The client then sends its own encrypted key to the service server.
The service decrypts the key and checks whether the timestamp is still valid.
If it is, the service contacts the KDC to receive a session that is returned to the client.
Fig. 5 Service server decrypts key & checks timestamp
12. Step 8: (Fig. 6)
The client decrypts the ticket.
If the keys are still valid, communication is initiated between client and server.
Now the client is authenticated until the session expires.
Fig. 6 For valid keys communication is initiated.
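The eight steps above, as an added example that is not part of the original slides: a stand-alone Python model of the AS, TGS and service exchanges with the 8-hour ticket lifetime and the timestamp checks. The realm, principals, passwords and the toy cipher (SHA-256 keystream plus HMAC, standing in for the DES/RC4/AES encryption types listed under Terminology) are constructed assumptions; the password-plus-salt key derivation reflects the Encryption key and Salt terms on slide 5.

```python
import hashlib, hmac, json, os

LIFETIME, SKEW = 8 * 3600, 5 * 60   # 8-hour ticket lifetime (from the slides); allowed clock skew

def string_to_key(password, salt):   # password + salt -> long-term key (PBKDF2 stands in for an enctype)
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000)

def _keystream(key, nonce, n):       # SHA-256 counter-mode keystream for the toy cipher below
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))

def seal(key, obj):                  # toy encrypt-then-MAC; stands in for the Kerberos AES enctypes
    nonce, pt = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key, blob):               # wrong key or tampering -> ValueError, before anything is decrypted
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("rejected: bad key or tampered")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def as_exchange(db, client, now):    # steps 1-3: AS mints a session key, returns client's copy + TGT
    sk, end = os.urandom(32).hex(), now + LIFETIME
    return seal(db[client], {"key": sk, "end": end}), seal(db["krbtgt"], {"client": client, "key": sk, "end": end})

def tgs_exchange(db, tgt_blob, auth_blob, service, now):   # steps 4-5: TGT + authenticator -> service ticket
    tgt = unseal(db["krbtgt"], tgt_blob)
    auth = unseal(bytes.fromhex(tgt["key"]), auth_blob)
    if now > tgt["end"] or auth["client"] != tgt["client"] or abs(now - auth["ts"]) > SKEW:
        raise ValueError("TGT expired or authenticator rejected")
    ssk, end = os.urandom(32).hex(), tgt["end"]
    return (seal(bytes.fromhex(tgt["key"]), {"key": ssk, "end": end}),
            seal(db[service], {"client": tgt["client"], "key": ssk, "end": end}))

def service_accept(service_key, ticket_blob, auth_blob, now):   # steps 7-8: service checks ticket + timestamp
    t = unseal(service_key, ticket_blob)
    auth = unseal(bytes.fromhex(t["key"]), auth_blob)
    if now > t["end"] or auth["client"] != t["client"] or abs(now - auth["ts"]) > SKEW:
        raise ValueError("service ticket rejected")
    return t["client"]

def run(now, delay=0):               # full walk-through against a constructed KDC database
    db = {p: string_to_key(pw, "EXAMPLE.ORG" + p) for p, pw in      # realm and principals are constructed
          {"alice": "hunter2", "krbtgt": "kdc-secret", "host/fs": "svc-secret"}.items()}
    client_part, tgt = as_exchange(db, "alice", now)
    sk = bytes.fromhex(unseal(string_to_key("hunter2", "EXAMPLE.ORGalice"), client_part)["key"])
    svc_part, ticket = tgs_exchange(db, tgt, seal(sk, {"client": "alice", "ts": now}), "host/fs", now)
    ssk, later = bytes.fromhex(unseal(sk, svc_part)["key"]), now + delay
    return service_accept(db["host/fs"], ticket, seal(ssk, {"client": "alice", "ts": later}), later)
```

`run(now)` returns the authenticated principal, while `run(now, delay=LIFETIME + 1)` raises because the service ticket has expired; a real KDC additionally keeps the replay cache mentioned on slide 6 so a captured authenticator cannot be presented twice within the skew window.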
13. Kerberos Environment
First, a Kerberos infrastructure contains at least one Kerberos server.
The KDC holds a complete database of user and service keys.
Second, Kerberos-enabled clients and services, called kerberized clients and services.
1. Typical Infrastructure (Fig. 7)
2. Kerberized Services
Fig. 7 A possible Kerberos environment
14. Kerberos Database
Kerberos operations require both read-only and write access, which is done through the Kerberos database.
From the figure, operations requiring read-only access to the Kerberos database are performed by the AS (KDBM), which can run on both master and slave machines.
Fig. 8 Authentication Requests.
15. From the figure we may say that changes may only be made to the master Kerberos database, while slave copies are read-only.
Therefore, the KDBM server may only run on the master Kerberos machine.
Fig. Administration Requests.
16. Kerberos Administrator
It manages and controls all the operations & functions of Kerberos.
Runs a program to initialize the database.
Registers essential principals in the database.
The Kerberos administration server and the AS must be started up properly.
For a new Kerberos application, a few steps are needed to get it working:
It must be registered in the database.
It must be assigned a private key.
The administrator must also ensure that the Kerberos machines are physically secure and must maintain backups of the master database.
17. Advantages:
Passwords are never sent across the network unencrypted.
Clients and application services are mutually authenticated.
Tickets have a limited lifetime.
Authentication through the AS only has to happen once.
Sharing secret keys is more efficient than public-keys.
Disadvantages
Kerberos only provides authentication for clients and services.
Vulnerable to users making poor password choices.
Client machines and service (server) machines have to be designed with Kerberos authentication in mind.
18. PUBLIC KEY CRYPTOGRAPHY
In public key cryptography two different but mathematically related keys are used.
The public key may be freely distributed, while its paired private key must remain secret.
The public key is typically used for encryption, while the private or secret key is used for decryption.
It gives a new direction to Kerberos, as it eases key distribution a lot.
The KDC doesn’t need to save client keys in its database.
To obtain a TGT, the client has to present its public key.
A trusted certification authority (CA) has to sign every valid public key.
19. CONCLUSION
Researched and developed for over 8 years.
Kerberos doesn’t fail to deliver services.
Examples: Cisco, Microsoft, Apple, and many others.
As authentication is critical for the security of computer systems, traditional authentication methods are not suitable for use in computer networks.
The Kerberos authentication system is well suited for authentication of users in such environments.