2. CONTENTS
1. ABSTRACT
2. INTRODUCTION
3. HISTORY
4. WHY Kerberos?
5. FIREWALL VS KERBEROS
6. TERMINOLOGY
7. WORKING
8. APPLICATION
10. COMPARISON OF Kerberos VERSION 4 AND VERSION 5
11. ADVANTAGES AND DISADVANTAGES
11. CONCLUSION
12. REFERENCES
3. ABSTRACT
◦ When using authentication based on cryptography, an attacker listening to the network gains no information that would enable it to falsely claim another's identity. Kerberos is the most commonly used example of this type of authentication technology. The authors concentrate on authentication for real-time, interactive services that are offered on computer networks. They use the term real-time loosely to mean that a client process is waiting for a response to a query or command so that it can display the results to the user, or otherwise continue performing its intended function. This class of services includes remote login, file system reads and writes, and information retrieval for applications like Mosaic.
4. INTRODUCTION
◦ Literal meaning: in Greek mythology, Kerberos is a multi-headed dog (usually three) which guards the entrance of Hades.
◦ Technically, Kerberos is an authentication protocol implemented for Project Athena at MIT.
◦ Each user has complete control of his or her workstation.
◦ But workstations cannot be trusted to identify their users correctly to the network services.
◦ Kerberos acts as a third-party authenticator: it helps the user prove its identity to the various services, and vice versa.
◦ Uses symmetric cryptographic algorithms (private-key cryptosystems): the same key is used for encryption and decryption. Uses DES (Data Encryption Standard).
5. THE THREE HEADS
● Authentication: confirms that a user who is requesting services is a valid user of the network.
● Authorization: granting of specific types of service to a user, based on their authentication.
● Accounting: the tracking of the consumption of network resources by users.
6. HISTORY
Massachusetts Institute of Technology (MIT) developed Kerberos to protect network services provided by Project Athena. The protocol is based on the earlier Needham–Schroeder symmetric key protocol. Several versions of the protocol exist; versions 1–3 occurred only internally at MIT.
Kerberos version 4 was primarily designed by Steve Miller and Clifford Neuman. Published in the late 1980s, version 4 was also targeted at Project Athena.
Neuman and John Kohl published version 5 in 1993 with the intention of overcoming existing limitations and security problems. Version 5 appeared as RFC 1510, which was then made obsolete by RFC 4120 in 2005.
7. WHY Kerberos?
◦ Authentication is a key feature in a multi-user environment.
◦ Sending usernames and passwords over the network is not secure.
◦ Each time a password is sent over the network, there is a chance of interception.
◦ Problem: workstations cannot be trusted to identify their users correctly in an open distributed environment.
◦ Solution: either build elaborate authentication protocols into each server, or use a centralized authentication server (Kerberos) which authenticates users to servers and servers to users.
8. FIREWALL VS KERBEROS
◦ Firewalls make the risky assumption that attackers come from the outside. In reality, attacks frequently come from within: firewalls assume the "bad guys" are outside while the really damaging activity is happening inside. They also restrict how users can use the internet.
◦ Kerberos assumes that network connections (rather than servers and workstations) are the weak link in network security.
9. TERMINOLOGY
USER: A human being who wishes to use a computer system.
SERVICE: A program or set of programs running on a computer which is accessible over the network. The service would like to know with certainty that the workstation to which it is providing the service is really being used by the user who claims to be logged in on that workstation.
PRINCIPAL: An entity that can both prove its identity and verify the identities of other principals that wish to communicate with it. Each user and each service registered with Kerberos is thus a principal.
TICKET: A data structure obtained from Kerberos, which is presented to a service or application to authenticate the ticket holder.
K.D.C. (Key Distribution Centre): The Kerberos servers plus the database of principals are together regarded as the Key Distribution Centre.
The KDC consists of:
Ticket Granting Service (TGS): A server that issues tickets for a desired service, which are in turn given to users for access to the service. The TGS usually runs on the same host as the KDC.
Authentication Server (AS): Replies to initial authentication requests from users.
Ticket Granting Ticket (TGT): A special ticket that allows the client to obtain additional tickets without applying for them from the KDC.
Database: Contains information about users and services.
SESSION KEY: The client has its own copy of this session key, which was contained in the credentials that include the ticket. Only the server can decrypt the ticket to receive its copy of the session key. Once this is done, the server and client share a common secret key. That key is used to complete the authentication process and may also be employed by client and server to encrypt their entire session.
CREDENTIALS: The combination of a ticket and its session key. The client sends the ticket to the server in order to distribute the session key, and also sends an authenticator which is encrypted in that session key.
13. PROTOCOL
The user sends a plaintext request to the AS asking for a ticket it can use to talk to the TGS. The request carries the login name and the TGS name. Since this request contains only well-known names, it does not need to be sealed.
The AS finds the keys corresponding to the login name and the TGS name.
The AS creates a ticket and seals it with the TGS secret key, which is known only to the AS and the TGS:
Ticket (sealed with the TGS secret key):
– Login name
– TGS name
– User's IP address
– TGS session key
• The AS also creates a random TGS session key for the user and the TGS to use.
• The session key and the sealed ticket are sealed with the user's (login name) secret key.
Reply (sealed with the user's secret key):
– TGS session key
– TG Ticket (sealed with the TGS secret key): login name, TGS name, user's IP address, TGS session key
The user decrypts the above message using the user's password as the user's secret key.
The user now has a TGS session key and a TG ticket that can be used to contact the TGS.
The user cannot see inside the TG ticket, since the user does not know the TGS secret key.
When a user wants to start using a server (service), the user must first obtain a ticket for it, the SGT (Service Granting Ticket).
The user composes a request to send to the TGS:
Message:
– TG Ticket (sealed with the TGS secret key)
– Authenticator (sealed with the TGS session key)
The TGS decrypts the TG Ticket using its TGS secret key. Inside is the TGS session key.
The TGS decrypts the authenticator using the TGS session key.
The authenticator contains:
– Login name
– User's IP address
– Timestamp
The lifetime of the authenticator is short, and it is only used once.
After decrypting both the TG Ticket and the authenticator, the TGS compares the login name and user's IP address from the authenticator with those in the TG Ticket.
If the values match, this assures the TGS that the user is the real owner of the ticket.
The TGS responds to the user with a message encrypted using the TGS session key, which is known to the user and the TGS.
The message contains:
– SGT (Service Granting Ticket), sealed with the server key: ID of service, timestamp of key, TGS session key
– TGS session key
The user gets the SGT for the server after decrypting the message using the TGS session key.
The user can use it each time the same service is wanted.
The user sends the SGT along with an authenticator to the server for the service:
Request:
– Authenticator (sealed with the TGS session key)
– SGT (sealed with the server key)
The server decrypts the SGT using the server key, which is known to the TGS and the server.
The server gets the TGS session key from the SGT and then decrypts the authenticator.
For mutual authentication, the server checks both the timestamp present in the SGT and the one in the authenticator.
The server increments the timestamp by 1, then sends a message to the user encrypted with the user session key:
Reply:
– Message (timestamp + 1), sealed with the user session key
The user decrypts the message using the user session key and reads it.
The user can use the server for a limited time.
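The three exchanges described above (AS, TGS, server), written out as a runnable Python simulation. This is an added example, not code from the slides or from MIT Kerberos: sealing is a constructed HMAC-SHA256 encrypt-then-MAC instead of DES so that only the standard library is needed; the principal names (alice, krbtgt, fileserver), keys, IP address and clock values are made-up sample data; and the MAX_SKEW window and replay cache are assumptions that implement the slides' rule that an authenticator is short-lived and used only once. It goes one step beyond the slides' diagram in that the TGS generates a fresh client/server session key for the SGT (what the slides call the user session key), as standard Kerberos does.

```python
"""Toy Kerberos-style AS / TGS / server exchanges (constructed illustration).

Sealing is an HMAC-SHA256 keystream with encrypt-then-MAC rather than DES, so
only the standard library is needed. Principal names, keys, the IP address and
the clock values are made-up sample data.
"""
import hashlib
import hmac
import json
import secrets

MAX_SKEW = 300      # assumed: seconds of clock skew a verifier tolerates
REPLAY_CACHES = {}  # verifier name -> authenticators already accepted


def _keystream(key, nonce, length):
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]


def seal(key, obj):
    """Encrypt a JSON-serialisable dict under a symmetric key, then MAC it; returns hex."""
    plain = json.dumps(obj, sort_keys=True).encode()
    nonce = secrets.token_bytes(16)
    body = nonce + bytes(p ^ s for p, s in zip(plain, _keystream(key, nonce, len(plain))))
    return (body + hmac.new(key, body, hashlib.sha256).digest()).hex()


def unseal(key, blob_hex):
    """Verify the MAC and decrypt; the wrong key raises ValueError."""
    blob = bytes.fromhex(blob_hex)
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    nonce, ct = body[:16], body[16:]
    return json.loads(bytes(c ^ s for c, s in zip(ct, _keystream(key, nonce, len(ct)))))


def password_key(password):
    """Toy string-to-key: the slides use the user's password as the user's secret key."""
    return hashlib.sha256(password.encode()).digest()


def check_authenticator(verifier, ticket, auth, now):
    """Checks a TGS or server performs on a decrypted ticket/authenticator pair."""
    if auth["login"] != ticket["login"] or auth["ip"] != ticket["ip"]:
        raise PermissionError("authenticator does not match ticket")
    if abs(now - auth["timestamp"]) > MAX_SKEW:      # unsynchronised client clock
        raise PermissionError("client clock out of sync with verifier")
    seen = REPLAY_CACHES.setdefault(verifier, set())
    if (auth["login"], auth["timestamp"]) in seen:   # authenticators are single-use
        raise PermissionError("authenticator replayed")
    seen.add((auth["login"], auth["timestamp"]))


def as_exchange(db, login_name, tgs_name, ip):
    """AS: plaintext (login name, TGS name) -> {TGS session key, TGT} under the user key."""
    tgs_session_key = secrets.token_bytes(32)
    tgt = seal(db[tgs_name], {"login": login_name, "tgs": tgs_name, "ip": ip,
                              "session_key": tgs_session_key.hex()})
    return seal(db[login_name], {"session_key": tgs_session_key.hex(), "tgt": tgt})


def tgs_exchange(db, tgs_name, tgt, authenticator, service, now):
    """TGS: open the TGT with its own key, check the authenticator, issue an SGT."""
    ticket = unseal(db[tgs_name], tgt)
    tgs_session_key = bytes.fromhex(ticket["session_key"])
    check_authenticator(tgs_name, ticket, unseal(tgs_session_key, authenticator), now)
    svc_session_key = secrets.token_bytes(32)  # fresh client/server session key
    sgt = seal(db[service], {"login": ticket["login"], "ip": ticket["ip"],
                             "service": service, "issued": now,
                             "session_key": svc_session_key.hex()})
    return seal(tgs_session_key, {"sgt": sgt, "session_key": svc_session_key.hex()})


def ap_exchange(db, service, sgt, authenticator, now):
    """Server: open the SGT with its own key, check the authenticator, reply timestamp+1."""
    ticket = unseal(db[service], sgt)
    svc_session_key = bytes.fromhex(ticket["session_key"])
    auth = unseal(svc_session_key, authenticator)
    check_authenticator(service, ticket, auth, now)
    return seal(svc_session_key, {"timestamp": auth["timestamp"] + 1})


def login(db, user, password, service, ip, client_clock, verifier_clock):
    """Client side of all three exchanges; True once the server proves itself too."""
    reply = unseal(password_key(password), as_exchange(db, user, "krbtgt", ip))
    tgs_session_key = bytes.fromhex(reply["session_key"])
    auth = {"login": user, "ip": ip, "timestamp": client_clock}
    reply = unseal(tgs_session_key, tgs_exchange(
        db, "krbtgt", reply["tgt"], seal(tgs_session_key, auth), service, verifier_clock))
    svc_session_key = bytes.fromhex(reply["session_key"])
    reply = unseal(svc_session_key, ap_exchange(
        db, service, reply["sgt"], seal(svc_session_key, auth), verifier_clock))
    return reply["timestamp"] == client_clock + 1  # server held the session key


# constructed KDC database: principal name -> secret key
DB = {"alice": password_key("correct horse"),
      "krbtgt": secrets.token_bytes(32),
      "fileserver": secrets.token_bytes(32)}

if __name__ == "__main__":
    print(login(DB, "alice", "correct horse", "fileserver", "10.0.0.5", 1000, 1000))
```

Running the script prints True. Repeating the same login call with an unchanged client clock is rejected by the TGS as a replayed authenticator, a wrong password leaves the AS reply undecryptable (the client never learns the TGS session key), and a client clock more than MAX_SKEW seconds away from the verifier's fails the skew check, which is the clock-synchronisation failure the slides list under disadvantages.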
20. APPLICATION
◦ Windows servers use Kerberos as the primary authentication protocol.
◦ Telnet/FTP use Kerberos.
◦ Authentication for web services.
◦ Authenticating email clients and servers.
21. COMPARISON
Kerberos VERSION 4
◦ Kerberos version 4 was released in the 1980s, well before version 5.
◦ Kerberos version 4 uses DES encryption.
◦ In Kerberos version 4, the ticket lifetime has to be specified in units of 5 minutes.
◦ It provides ticket support.
Kerberos VERSION 5
◦ Kerberos version 5 was published in 1993, 13 years after the release of Kerberos version 4.
◦ In Kerberos version 5, the ciphertext is tagged with an encryption type identifier and therefore any type of encryption can be used.
◦ In Kerberos version 5, a ticket can specify explicit start and finish times, allowing arbitrary lifetimes.
◦ It provides ticket support with extra facilities for forwarding, renewing and postdating tickets.
22. ADVANTAGES and DISADVANTAGES
◦ ADVANTAGES:
Kerberos is suitable for authentication and confidentiality services within a network environment.
Once a user logs in to the system, all the related Kerberos ticket operations happen automatically.
The Kerberos protocol uses a unique ticketing system in order to provide faster authentication.
◦ DISADVANTAGES:
The Kerberos system is dependent on a centralized server. If the server is down, no one can log in.
If an attacker gains access to the KDC, the entire Kerberos authentication system is at risk.
If the user's clock is not synchronized with the Kerberos server's clock, authentication will fail.
23. CONCLUSION
Researched and developed for over 8 years.
Kerberos doesn't fail to deliver services; examples of adopters are Cisco, Microsoft, Apple, and many others.
As authentication is critical for the security of computer systems, and traditional authentication methods are not suitable for use in computer networks, the Kerberos authentication system is well suited for authentication of users in such environments.
24. REFERENCES
◦ Computer Networking by James Kurose and Keith Ross.
◦ Kerberos: Network Authentication System by Brian Tung.
◦ Introduction to Kerberos technology
◦ Websites :
www.mit.edu
www.google.com
www.wikipedia.com