Kerberos

Authentication Protocol

Authentication Application
Authentication Protocol
 Users wish to access services on servers.
 An authentication protocol is used to convince each party of the other's identity and to exchange session keys.
 Require the user to prove his identity for each service invoked.
 Require that servers prove their identity to clients.
 Provide security in a distributed architecture consisting of dedicated user workstations (clients) and distributed or centralised servers.
 Authentication may be one-way or mutual.
Security Concerns
 Key concerns are:
1. Confidentiality: encrypt identification and session-key information so an eavesdropper learns nothing useful.
2. Timeliness: prevent replay attacks, by using timestamps or sequence numbers so a captured message cannot be resent later.

Kerberos

In Greek mythology, a many-headed dog, the guardian of the entrance to Hades.
What is Kerberos?
 Developed as part of Project Athena at MIT
 Open source, hence freely available
 Provides centralised, private-key (symmetric-key), trusted-third-party authentication in a distributed network
 Provides single sign-on capability
 Passwords (i.e. the user's secret key) are never sent across the network
 Key revocation can be achieved by disabling a user at the KDC
How does Kerberos work?
 Uses an Authentication Server (AS)
  Knows every user's password (stored in its DB as a key derived from the password)
  Shares a unique secret key with every user
  Sends the user an encrypted ticket-granting ticket (TGT)
  The TGT contains a lifetime and a timestamp
How does Kerberos work?
 Uses a Ticket Granting Server (TGS)
  Issues tickets to users already authenticated by the AS
  The TGT is encrypted with a key known only to the AS and the TGS, so the client cannot read or alter it
  Returns a service-granting ticket
  The service-granting ticket also contains a timestamp and lifetime
Kerberos Dialog
 Message Exchanges
 Simplified approach:
  1. Client asks the authentication server for a ticket
  2. AS grants the ticket
  3. Client sends the ticket to the server
 Full approach (three exchanges):
  1. AS exchange, to obtain a ticket-granting ticket
  2. TGS exchange, to obtain a service-granting ticket
  3. Client/server authentication exchange, to obtain the service
[Figure sequence: the user "Gurukul" at a desktop computer; a Key Distribution Center containing the Authentication Service and the Ticket Granting Service; a server offering the "XYZ Service". Think "Kerberos server" and "service server"; don't let yourself get mired in terminology.]
 1. User to Authentication Service (the desktop sends only the UID; UID and password are typed locally): "I'd like to be allowed to get tickets from the Ticket Granting Server, please."
 2. Authentication Service to user: "Okay. I locked this box with your secret password. If you can unlock it, you can use its contents to access my Ticket Granting Service."
 3. The user unlocks the box with "My Password" and now holds a TGT.
 Because Gurukul was able to open the box (decrypt a message) from the Authentication Service, he/she is now the owner of a Ticket-Granting Ticket (TGT).
 The TGT must be presented to the Ticket Granting Service in order to acquire "service tickets" for use with services requiring Kerberos authentication.
 The TGT contains no password information.
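The AS exchange from the figure, worked through as an added example (this is not code from the original slides or from any Kerberos implementation): the KDC stores only a key derived from the password, the reply is the "locked box" that only the right password opens, and the TGT inside it is opaque to the client and carries no password. A toy encrypt-then-MAC scheme built from HMAC-SHA256 stands in for a Kerberos encryption type, PBKDF2 stands in for string-to-key, and the realm, UID, password and address are constructed sample values.

```python
"""Toy model of the Kerberos AS exchange in the figure above.
Added example, not from the slides. HMAC-SHA256 keystream + tag stands
in for a Kerberos encryption type; PBKDF2 stands in for string-to-key;
realm, UID, password and address are constructed."""
import hashlib
import hmac
import json
import os
import time

REALM = "ATHENA.MIT.EDU"   # assumed realm; V5 salts the user key with realm + principal
TAG_LEN = 32


def string_to_key(uid: str, password: str) -> bytes:
    """Derive the user's long-term key Kc; the KDC stores this, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), (REALM + uid).encode(), 10_000)


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out = b""
    for counter in range((n + 31) // 32):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """nonce || (plaintext XOR keystream) || HMAC tag over both."""
    nonce = os.urandom(16)
    body = nonce + bytes(p ^ s for p, s in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return body + hmac.new(key, body, hashlib.sha256).digest()


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Check the tag first: a wrong key fails here, i.e. the box stays locked."""
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), tag):
        raise ValueError("wrong key: box stays locked")
    nonce, ct = body[:16], body[16:]
    return bytes(c ^ s for c, s in zip(ct, _keystream(key, nonce, len(ct))))


class KDC:
    """Authentication Service and Ticket Granting Service sharing one database."""

    def __init__(self):
        self.users = {}                 # uid -> long-term key Kc
        self.tgs_key = os.urandom(32)   # known only to the KDC; the client never sees it

    def register(self, uid: str, password: str) -> None:
        self.users[uid] = string_to_key(uid, password)

    def as_exchange(self, uid: str, addr: str, lifetime: int = 8 * 3600) -> bytes:
        """AS_REQ carries just the UID. The reply is E(Kc, [session key || TGT])
        with TGT = E(Ktgs, [uid, addr, session key, timestamp, lifetime])."""
        k_c_tgs = os.urandom(32)
        now = int(time.time())
        tgt = encrypt(self.tgs_key, json.dumps({
            "uid": uid, "addr": addr, "key": k_c_tgs.hex(),
            "ts": now, "lifetime": lifetime}).encode())
        reply = {"key": k_c_tgs.hex(), "tgt": tgt.hex()}
        return encrypt(self.users[uid], json.dumps(reply).encode())

    def tgs_open_tgt(self, tgt_hex: str) -> dict:
        """What the TGS sees when the client later presents the TGT."""
        return json.loads(decrypt(self.tgs_key, bytes.fromhex(tgt_hex)))


def client_open_reply(uid: str, password: str, blob: bytes) -> dict:
    """The workstation derives Kc from the typed password and unlocks the box."""
    return json.loads(decrypt(string_to_key(uid, password), blob))


def password_opens_reply(uid: str, password: str, blob: bytes) -> bool:
    try:
        client_open_reply(uid, password, blob)
        return True
    except ValueError:
        return False


def demo() -> dict:
    kdc = KDC()
    kdc.register("gurukul", "correct horse battery")          # constructed credentials
    blob = kdc.as_exchange("gurukul", "10.0.0.7")
    creds = client_open_reply("gurukul", "correct horse battery", blob)
    return {
        "session_key": creds["key"],
        "tgt_contents": kdc.tgs_open_tgt(creds["tgt"]),       # only the TGS can do this
        "wrong_password_works": password_opens_reply("gurukul", "guess", blob),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The client never sends the password and never needs `tgs_key`: it only has to derive Kc locally, and what it gets back is a session key plus a blob it cannot read. The TGS recovers the same session key from inside the TGT, which is how the two sides later share a secret without the AS having to be involved again.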


Kerberos Realms
 A Kerberos environment consists of:
  a Kerberos server
  a number of clients, all registered with the server
  application servers, sharing keys with the server
 A Kerberos realm
  is the set of managed nodes that share the same Kerberos database
 Multiple realms are used:
  to improve performance
  to avoid a single AS and TGS being a single point of failure
Multiple Kerberi
 The Kerberos server in each realm shares a secret key with the server of the other realm
 There must be trust between the servers, i.e. each server is registered with the other
 Does not scale well: every pair of realms that must interoperate needs its own shared key
Kerberos Version 4
[Figure: the simple authentication dialogue between client C, authentication server AS and server V]
 (1) C -> AS: IDc || Pc || IDv
 (2) AS -> C: Ticket
 (3) C -> V: IDc || Ticket
 Ticket = E(Kv, [IDc || ADc || IDv])
 Pc = password of client C (note that in this simple dialogue it travels in the clear; the full dialogue removes it)
 Kv = secret key shared between the AS and server V
 IDc = user ID of client C; ADc = network address of C; IDv = ID of server V
Kerberos Version 4
 Weaknesses of the simple dialogue
  Big load on the AS (remedy: provide secondary ticket-granting servers)
  Repeated password entry (remedy: give the password to the AS seldom, and obtain tickets from the TGS when needed, based on the AS authentication)
Version 4 Authentication Dialogue
 Problems:
  Lifetime associated with the ticket-granting ticket
   If too short: the user is repeatedly asked for the password
   If too long: greater opportunity for replay
  The threat is that an opponent will steal the ticket and use it before it expires

Henric Johnson
Strategies and Countermoves
 What opponents of version 4 can do
  Wait for long-lived ticket-granting tickets and then reuse them
  Capture service-granting tickets and then use the remaining lifetime
 Anti-theft of ticket-granting tickets
  The AS provides both the client and the TGS with a secret, securely
  Done by sending a session key: to the client encrypted under the client's key, to the TGS sealed inside the ticket; the client proves it holds the key with an authenticator, which a thief holding only the ticket cannot produce
 This procedure also makes service-granting tickets reusable
Kerberos Organization
 Called a realm, it includes:
  a Kerberos server, which holds:
   the UID and hashed password for each user
   a shared secret key with each user
  the Kerberos server includes both the AS and the TGS
 Inter-realm issues
  Kerberos servers in each realm are registered with each other (share a secret key)
  The TGS in the server's realm issues tickets to clients from the other realm (i.e. a remote TGS, RTGS)
Kerberos Version 5
 Fixes version 4's environmental shortcomings
 New elements in the AS exchange: Realm, Options, Times, Nonce
 Client/server authentication exchange: subkey, sequence number
 Kerberos ticket flags
Difference Between Version 4 & 5
Point of Discussion | Version 4 | Version 5
Encryption algorithm used | DES only | Any algorithm, tagged with an encryption type (DES and its variants, IDEA, etc.)
Network address identifiers | IP address only | Any address type, tagged with type and length
Message byte ordering | Fixed by a tag set by the sender | ASN.1/BER encoding, byte order unambiguous
Ticket lifetime | Small (8-bit field in 5-minute units, at most about 21 hours) | Explicit start and end times; renewable
Authentication forwarding | Not supported; credentials usable only by the issuing client | Forwardable to any server in the realm
Inter-realm authentication (scaling) | Pairwise (peer-to-peer), one key per pair of realms | Transitive cross-realm, multiple realms
Replay cache support | No | Yes
Postdatable ticket | Not available | Available
Forwardable ticket | Single ticket, same machine, same IP | Current credentials can be used to obtain a ticket valid on another machine
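The checks a Kerberized server runs on a presented ticket and authenticator, as an added example (not from the slides): the "Replay cache support" row of the table above and the earlier "Strategies and Countermoves" slide are about exactly this. The Version 5 replay cache is modelled as a set of (client, timestamp) pairs, explicit start/end times model V5 tickets, the 300-second clock skew is the usual Kerberos default, and all tickets, times and addresses are constructed. The decryption of the authenticator under the session key is assumed to have already succeeded.

```python
"""Server-side acceptance of ticket + authenticator. Added example, not
from the slides; V5 replay cache modelled as a set of (client, ts) pairs,
300 s skew is the usual default, all data constructed."""
from dataclasses import dataclass, field

MAX_SKEW = 300   # seconds of clock skew tolerated between client and server


@dataclass(frozen=True)
class Ticket:
    client: str
    addr: str      # client network address bound into the ticket
    start: int     # V5: explicit start time (V4 had only an 8-bit lifetime)
    end: int


@dataclass(frozen=True)
class Authenticator:
    client: str
    ts: int        # client's clock when it built the authenticator


@dataclass
class ReplayCache:
    seen: set = field(default_factory=set)

    def first_use(self, auth: Authenticator, now: int) -> bool:
        """True if this authenticator has not been seen inside the skew window."""
        # entries older than the skew window can no longer pass the skew check, so drop them
        self.seen = {(c, t) for (c, t) in self.seen if now - t <= MAX_SKEW}
        if (auth.client, auth.ts) in self.seen:
            return False
        self.seen.add((auth.client, auth.ts))
        return True


def accept(ticket: Ticket, auth: Authenticator, src_addr: str, now: int,
           cache: "ReplayCache | None" = None) -> str:
    """Return "accept" or "reject: <reason>". With cache=None the server
    behaves like Version 4, which has no replay cache."""
    if not ticket.start <= now <= ticket.end:
        return "reject: ticket not valid at this time"
    if src_addr != ticket.addr:
        return "reject: request address does not match ticket"
    if auth.client != ticket.client:
        return "reject: authenticator and ticket name different clients"
    if abs(now - auth.ts) > MAX_SKEW:
        return "reject: authenticator timestamp outside clock skew"
    if cache is not None and not cache.first_use(auth, now):
        return "reject: authenticator already seen (replay)"
    return "accept"


def demo() -> dict:
    t0 = 1_700_000_000                                   # constructed clock
    ticket = Ticket("gurukul", "10.0.0.7", start=t0, end=t0 + 8 * 3600)
    auth = Authenticator("gurukul", ts=t0 + 10)
    cache = ReplayCache()
    return {
        "legitimate": accept(ticket, auth, "10.0.0.7", t0 + 12, cache),
        # an eavesdropper replays the captured pair seconds later
        "replay_v5": accept(ticket, auth, "10.0.0.7", t0 + 40, cache),
        "replay_v4": accept(ticket, auth, "10.0.0.7", t0 + 40, None),
        # the same capture replayed after the skew window fails even without a cache
        "replay_late": accept(ticket, auth, "10.0.0.7", t0 + 900, None),
        # replay from another host trips the address bound into the ticket
        "replay_other_host": accept(ticket, auth, "10.0.0.99", t0 + 40, None),
        # a stolen ticket is worthless after its end time, whatever the authenticator says
        "expired": accept(ticket, Authenticator("gurukul", t0 + 9 * 3600),
                          "10.0.0.7", t0 + 9 * 3600, None),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:20s} {result}")
```

The `replay_v4` case is the cost of the "No" in the replay-cache row: inside the skew window a captured ticket and authenticator replayed from the same address is indistinguishable from the original request. The cache closes that window; the address binding and the ticket times bound what a thief can do outside it.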
Attacks on Kerberos
 Threats exist:
  Modification attack: the network address of a workstation is spoofed.
  Replay attack: eavesdrop on a communication and resend the captured messages.
  Password-guessing attack: a user pretends to be another user by guessing that user's password.
  Inter-session chosen-plaintext attack: as described in the V5 draft.

Created by Mr. Sumit Patel


Kerberos Mechanism Used By
 Microsoft Passport Technology
 Windows (from Windows 2000 onward; Windows NT 4 used NTLM)
Version 5 – Continued
 Avoids double encryption (V4 encrypted the ticket a second time inside the reply to the client)
 Avoids PCBC mode (vulnerable to a cipher-block exchange attack); uses standard CBC
 Session and sub-session keys (a subkey negotiated per connection)
 Pre-authentication makes password attacks more difficult (but not impossible)
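Why pre-authentication helps, and why only "more difficult", as an added example that is not from the slides: an AS that answers any request hands key-dependent material to anyone who knows a UID, which is an offline password-guessing oracle; requiring proof of the key first means the attacker must instead capture a real user's exchange. PBKDF2 stands in for Kerberos string-to-key, the AS reply is modelled as an HMAC tag over a random body (anything a guesser can test a candidate key against), the proof is an HMAC of the client's timestamp rather than the encrypted timestamp real Kerberos uses, and the realm, users, passwords and word list are constructed.

```python
"""Pre-authentication versus offline guessing. Added example, not from the
slides. PBKDF2 stands in for string-to-key; the AS reply is modelled as an
HMAC tag over random bytes; the proof is an HMAC of a timestamp; all
names, passwords and the word list are constructed."""
import hashlib
import hmac
import os

REALM = "ATHENA.MIT.EDU"   # assumed realm name
MAX_SKEW = 300             # seconds


def string_to_key(uid: str, password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), (REALM + uid).encode(), 10_000)


def proof(key: bytes, ts: int) -> bytes:
    """Client's pre-authentication data: proof of possession of Kc over a fresh timestamp."""
    return hmac.new(key, str(ts).encode(), hashlib.sha256).digest()


class AuthServer:
    def __init__(self, require_preauth: bool):
        self.require_preauth = require_preauth
        self.keys = {}

    def register(self, uid: str, password: str) -> None:
        self.keys[uid] = string_to_key(uid, password)

    def as_request(self, uid: str, now: int, preauth=None):
        """Return (body, tag): material that only the right Kc verifies.
        Raises PermissionError when pre-authentication is required and absent or wrong."""
        key = self.keys[uid]
        if self.require_preauth:
            if preauth is None:
                raise PermissionError("pre-authentication required")
            ts, p = preauth
            if abs(now - ts) > MAX_SKEW or not hmac.compare_digest(p, proof(key, ts)):
                raise PermissionError("pre-authentication failed")
        body = os.urandom(32)           # stands in for the encrypted session key + TGT
        return body, hmac.new(key, body, hashlib.sha256).digest()


def guess_from_reply(uid: str, reply, wordlist) -> "str | None":
    """Offline: derive a key per candidate and see whether it verifies the AS reply."""
    body, tag = reply
    for pw in wordlist:
        if hmac.compare_digest(hmac.new(string_to_key(uid, pw), body, hashlib.sha256).digest(), tag):
            return pw
    return None


def guess_from_preauth(uid: str, ts: int, p: bytes, wordlist) -> "str | None":
    """Offline: the same test run against captured pre-authentication data."""
    for pw in wordlist:
        if hmac.compare_digest(proof(string_to_key(uid, pw), ts), p):
            return pw
    return None


def demo() -> dict:
    wordlist = ["123456", "password", "summer2009", "letmein"]   # constructed
    now = 1_700_000_000
    out = {}

    # Version 4 style: no pre-authentication, anyone can ask for gurukul's reply
    v4 = AuthServer(require_preauth=False)
    v4.register("gurukul", "summer2009")
    out["v4_cracked"] = guess_from_reply("gurukul", v4.as_request("gurukul", now), wordlist)

    # Version 5 with pre-authentication
    v5 = AuthServer(require_preauth=True)
    v5.register("gurukul", "summer2009")
    try:
        v5.as_request("gurukul", now)
        out["v5_without_proof"] = "reply issued"
    except PermissionError as e:
        out["v5_without_proof"] = str(e)
    try:
        v5.as_request("gurukul", now, (now, proof(string_to_key("gurukul", "letmein"), now)))
        out["v5_wrong_proof"] = "reply issued"
    except PermissionError as e:
        out["v5_wrong_proof"] = str(e)

    # the real user authenticates; an eavesdropper captures the pre-auth data
    ts, p = now, proof(string_to_key("gurukul", "summer2009"), now)
    v5.as_request("gurukul", now, (ts, p))
    out["v5_sniffed_preauth_cracked"] = guess_from_preauth("gurukul", ts, p, wordlist)
    return out


if __name__ == "__main__":
    print(demo())
```

Pre-authentication changes the attacker's cost from "send one request per victim" to "be on the wire when the victim logs in"; captured pre-authentication data (and the reply that follows it) is still crackable offline, which is what "not impossible" means. The only real fix for the offline part is a password strong enough that the word list never contains it.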
