2. Context
1 Introduction
2 Aims
3 Definition of components and terms
3.1 Realm
3.2 Principal
3.3 Ticket
3.4 Encryption
3.5 Key Distribution Center (KDC)
4 Kerberos Operation
5 How does Kerberos Work
5.1 TGT (Ticket Granting Ticket)
5.2 TGS (Ticket Granting Service)
5.3 AP (Application Server)
6 Applications
7 Weaknesses and Solutions
3. Introduction
• Network authentication protocol
• Developed at MIT in the mid-1980s
• Available as open source or in supported commercial software
• Kerberos is the Greek name of the three-headed dog (Cerberus) that guards the entrance to the underworld in Greek mythology
• This is standard for
4. Why Kerberos
• Sending user names and passwords in the clear over the network is a security problem
• Each time a password is sent in the clear, there is a chance of interception
• With plain password login, the server stores the password
• The client also has to keep the password and user name, to resend them for every service
5. Aims of Kerberos
• The password must never travel over the network
• The password is never stored on the client in any form; it is discarded immediately after use
• The password is never stored on the server in unencrypted form
• The user ID and password need to be entered only once per session (single sign-on)
• When a user changes the password, it is changed for all services at the same time
6. Firewall vs. Kerberos?
• Firewalls make a risky assumption: that attackers are coming from the outside. In reality, attacks frequently come from within.
• Kerberos assumes that network connections (rather than servers and workstations) are the weak link in network security
8. Realm
• A realm is an authentication administrative domain
• It is used to establish a trust relationship between client and server, and between a domain and its sub-domains
• A user/service belongs to a realm if and only if he/it shares a secret (password/key) with the authentication server of that realm
9. Principal
• The principal is the name given to entries in the authentication server database
• A principal in Kerberos V5 has the form component1/component2/.../componentN@REALM
• The instance (second component) is optional and is normally used to better qualify the principal: for a user it typically names a role, for a service it names the host that runs it
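As an added illustration (not code from the deck or from MIT krb5), here is a small parser and formatter for the principal syntax above. The escaping rules follow the krb5 string form as I know it (a backslash protects '/', '@' or '\' inside a component), and the principal names used are made up.

```python
"""Parse and format Kerberos V5 principal names. Added illustration, not krb5
code; it follows the krb5 string conventions as I understand them: components
separated by '/', realm after '@', and a backslash escaping '/', '@' or '\\'
(plus \\n, \\t, \\0) inside a component."""
from dataclasses import dataclass

_UNESCAPE = {"n": "\n", "t": "\t", "0": "\0"}  # other escaped chars stand for themselves


def _escape(s):
    return "".join("\\" + c if c in "/@\\" else c for c in s)


@dataclass(frozen=True)
class Principal:
    components: tuple
    realm: str

    @property
    def primary(self):
        return self.components[0]

    @property
    def instance(self):
        """Second component; optional, qualifies the primary (role or host name)."""
        return self.components[1] if len(self.components) > 1 else None

    def __str__(self):
        return "/".join(_escape(c) for c in self.components) + "@" + _escape(self.realm)


def parse_principal(text, default_realm=""):
    """Split 'c1/c2/.../cN@REALM' into components and realm, honouring escapes.
    A name without '@' gets default_realm; an empty component or realm is rejected."""
    components, cur, in_realm, i = [], [], False, 0
    while i < len(text):
        ch = text[i]
        if ch == "\\":
            i += 1
            if i == len(text):
                raise ValueError("trailing backslash")
            cur.append(_UNESCAPE.get(text[i], text[i]))
        elif ch == "/" and not in_realm:
            components.append("".join(cur))
            cur = []
        elif ch == "@":
            if in_realm:
                raise ValueError("unescaped '@' inside realm")
            components.append("".join(cur))
            cur, in_realm = [], True
        else:
            cur.append(ch)
        i += 1
    if in_realm:
        realm = "".join(cur)
    else:
        components.append("".join(cur))
        realm = default_realm
    if not realm:
        raise ValueError(f"no realm in {text!r} and no default realm")
    if any(c == "" for c in components):
        raise ValueError(f"empty component in {text!r}")
    return Principal(tuple(components), realm)
```

Naive splitting on '/' and '@' gets `host/web\/01@EXAMPLE.COM` wrong (three components instead of two) and silently accepts a name with no realm; both cases matter when a principal string is used as a lookup key into the KDC database or an access-control list.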
10. Tickets
• Tickets are issued by the authentication server
• They are encrypted using the secret key of the service they are intended for
• This key is a secret shared only between the authentication server and the server providing the service; not even the client which requested the ticket can know it or change the ticket's contents
11. Ticket
A ticket contains:
• The requesting user's principal (user name)
• The principal of the service it is intended for
• The IP address of the client machine from which the ticket can be used
• The date and time (in timestamp format) when the
12. Encryption
• Kerberos needs to encrypt and decrypt the messages (tickets and authenticators) passing between the various participants in the authentication
• Kerberos uses only symmetric-key encryption; public-key cryptography appears only in extensions such as PKINIT, for the initial authentication
13. Key Distribution Center (KDC)
• The authentication server in a Kerberos environment, based on its ticket distribution function for access to the services, is called the Key Distribution Center
• The KDC contains the following:
Database (principals and their secret keys)
Authentication Server (AS)
Ticket Granting Server (TGS)
18. Applications
• Authentication (the protocol's primary purpose)
• Authorization (Kerberos establishes the identity; the authorization decision itself is left to the service)
• Confidentiality (the session key carried in the ticket can protect application traffic)
• Within networks and small sets of networks (realms that trust each other)
19. Weaknesses and Solutions
• Weakness: if a TGT is stolen, it can be used to access network services.
  Solution: only a problem until the ticket expires, in a few hours (and a ticket bound to the client's IP address cannot be used from elsewhere).
• Weakness: subject to dictionary attack, because material encrypted under a key derived from the user's password can be guessed against offline.
  Solution: pre-authentication. The client must first send a timestamp encrypted with its key, which the KDC accepts only within the clock skew (typically 5 minutes), so the KDC no longer hands password-encrypted replies to anonymous requesters; a captured pre-authentication value can still be guessed offline, so strong passwords remain necessary.
• Weakness: very bad if the Authentication Server is compromised, since it holds every principal's key.
  Solution: physical protection for the server.
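To tie the Tickets, Encryption, KDC and Weaknesses slides together, here is an added toy implementation (my illustration, not MIT Kerberos code) of the AS, TGS and application-server steps. It assumes a stand-in symmetric cipher (a SHA-256 keystream with an HMAC tag, chosen only so the script needs nothing beyond the Python standard library; a real KDC uses AES enctypes), invented message field names, a constructed KDC database with one user and one service, and the 5-minute clock skew and "few hours" ticket lifetime quoted on the slides.

```python
"""Toy Kerberos exchange (AS -> TGS -> application server). Added illustration,
not MIT Kerberos code: the cipher is a stand-in (SHA-256 keystream + HMAC tag)
so it runs on the standard library, and the message field names are invented."""
import hashlib
import hmac
import json
import os

REALM = "EXAMPLE.COM"
SKEW = 300              # authenticator accepted within 5 minutes of server clock
TICKET_LIFE = 8 * 3600  # tickets expire "in a few hours"

def string_to_key(password, salt):
    """Long-term key derived from the password (real Kerberos: RFC 3962 PBKDF2)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000)

def _keystream(key, nonce, n):
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def encrypt(key, obj):
    """Symmetric authenticated encryption: nonce || ciphertext || HMAC tag."""
    nonce, pt = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def decrypt(key, blob):
    """Rejects anything not sealed under this exact key."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("wrong key or tampered ciphertext")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

# KDC database (constructed sample data): principal -> secret shared with the KDC.
TGS = f"krbtgt/{REALM}@{REALM}"
KDC_DB = {
    f"alice@{REALM}": string_to_key("correct horse", REALM + "alice"),  # salt: realm + name
    TGS: os.urandom(32),
    f"host/fs.example.com@{REALM}": os.urandom(32),
}

def issue_ticket(client, service, addr, session_key, now):
    """Sealed under the service's key: the client can neither read nor alter it."""
    body = {"client": client, "service": service, "addr": addr,
            "start": now, "end": now + TICKET_LIFE, "key": session_key.hex()}
    return encrypt(KDC_DB[service], body)

def as_exchange(client, addr, now):
    """AS-REP: TGT plus its session key sealed under the client's long-term key.
    Without pre-authentication the KDC hands this to any requester."""
    sk = os.urandom(32)
    return issue_ticket(client, TGS, addr, sk, now), encrypt(KDC_DB[client], {"key": sk.hex()})

def client_login(client, password, addr, now):
    """Client side: the password never leaves the host and is dropped as soon as
    the key derived from it has unsealed the session key."""
    tgt, enc_part = as_exchange(client, addr, now)
    key = string_to_key(password, REALM + client.split("@")[0])
    return tgt, bytes.fromhex(decrypt(key, enc_part)["key"])

def make_authenticator(session_key, client, now):
    """Fresh proof of session-key possession; the timestamp bounds replay."""
    return encrypt(session_key, {"client": client, "ts": now})

def verify_ticket(service_key, ticket, authenticator, addr, now):
    """Checks a TGS or application server makes before trusting the client."""
    t = decrypt(service_key, ticket)
    if not t["start"] <= now < t["end"]:
        raise PermissionError("ticket expired")
    if t["addr"] != addr:
        raise PermissionError("ticket presented from a different address")
    sk = bytes.fromhex(t["key"])
    a = decrypt(sk, authenticator)
    if a["client"] != t["client"]:
        raise PermissionError("authenticator does not match ticket")
    if abs(a["ts"] - now) > SKEW:
        raise PermissionError("authenticator outside clock skew")
    return t["client"], sk

def tgs_exchange(tgt, authenticator, service, addr, now):
    """TGS-REP: service ticket plus its session key sealed under the TGT session
    key, so the password is never needed again during the session."""
    client, tgt_sk = verify_ticket(KDC_DB[TGS], tgt, authenticator, addr, now)
    svc_sk = os.urandom(32)
    return issue_ticket(client, service, addr, svc_sk, now), encrypt(tgt_sk, {"key": svc_sk.hex()})

def outcome(fn, *args):
    """Run one protocol step; return 'ok' or the reason it was rejected."""
    try:
        fn(*args)
        return "ok"
    except (PermissionError, ValueError) as err:
        return str(err)

def dictionary_attack(enc_part, salt, wordlist):
    """Offline guessing against a captured AS-REP encrypted part, the weakness
    that pre-authentication and strong passwords exist to blunt."""
    return next((g for g in wordlist
                 if outcome(decrypt, string_to_key(g, salt), enc_part) == "ok"), None)
```

Running the normal path (`client_login`, then `tgs_exchange`, then `verify_ticket` at the service) shows the aims from slide 5 in code: the password is used once, on the client, and only derived keys and sealed tickets cross the wire. Running the failure paths maps onto slide 19: a replayed authenticator is refused once it is more than SKEW seconds old, a stolen ticket is refused from another address and after TICKET_LIFE, and `dictionary_attack` recovers a weak password from nothing more than an AS-REP that the toy KDC issued without pre-authentication.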