Netprog: Kerberos 1
KERBEROS
Contents:
Introduction
History
Components
Authentication Process
Strengths
Weaknesses and Solutions
Applications
References
Introduction
It is a secure, single-sign-on, trusted third-party authentication service
Makes the assumption that the connection between a client and a service is insecure
Passwords are encrypted to prevent others from reading them
Clients only have to authenticate once during a pre-defined lifetime
Provides a way to authenticate clients and services to each other through a trusted third party
How did Kerberos get its name?
The name "Kerberos" comes from the mythological three-headed dog that guarded the entrance to Hades.
Hades => Underworld (where hackers apparently live).
History
Developed at MIT as a part of Project Athena in the mid 1980s
Currently, Kerberos is up to Version 5
Version 4 was the first version to be released outside of MIT.
Adopted by several private companies as well as added to several operating systems.
Its creation was inspired by the client-server model
Components
Principals
Realms
Key Distribution Centers (KDCs)
◦ Authentication Service
◦ Ticket Granting Service
Components
Principals: Each entity, such as a client or an application server, is represented as a principal
Realms: Companies and organizations are composed of different departments, each of which may be served by a different realm
Components
Key Distribution Centers (KDCs)
◦ composed of an Authentication Service and a Ticket Granting Server
◦ has a database that houses all principals and their keys for a given realm
◦ at least one KDC per realm
Authentication Process
[Diagram: Susan at Susan's Desktop Computer, the Key Distribution Center (Authentication Service and Ticket Granting Service), and XYZ Service]
Key Distribution Center: think "Kerberos Server"
XYZ Service: represents something requiring Kerberos authentication (web server, ftp server, ssh server, etc…)
Susan (to the Authentication Service): "I'd like to be allowed to get tickets from the Ticket Granting Server, please."
Authentication Service (to Susan): "Okay. I locked this box with your secret password. If you can unlock it, you can use its contents to access my Ticket Granting Service."
[Diagram: Susan's Desktop Computer unlocks the box with her password (myPassword); its contents are the TGT]
TGT
Because Susan was able to open the box (decrypt a message) from the Authentication Service, she is now the owner of a “Ticket-Granting Ticket”.
The Ticket-Granting Ticket (TGT) must be presented to the Ticket Granting Service in order to acquire “service tickets” for use with services requiring Kerberos authentication.
The TGT contains no password information.
Susan (to the Ticket Granting Service, sending "use XYZ" together with a copy of her TGT): "Let me prove I am Susan to XYZ Service. Here's a copy of my TGT!"
Ticket Granting Service (to Susan, handing over a service ticket that reads "Hey XYZ: Susan is Susan. CONFIRMED: TGS"): "You're Susan. Here, take this."
Susan (to XYZ Service, sending a copy of the service ticket "Hey XYZ: Susan is Susan. CONFIRMED: TGS"): "I'm Susan. I'll prove it. Here's a copy of my legit service ticket for XYZ."
XYZ Service: "That's Susan alright. Let me determine if she is authorized to use me."
Authorization checks are performed by the XYZ service…
Just because Susan has authenticated herself does not inherently mean she is authorized to make use of the XYZ service.
One remaining note:
Tickets (your TGT as well as service-specific tickets) have expiration dates configured by your local system administrator(s). An expired ticket is unusable.
Until a ticket’s expiration, it may be used repeatedly.
Susan (to XYZ Service again, sending "use XYZ" together with another copy of the service ticket): "ME AGAIN! I'll prove it. Here's another copy of my legit service ticket for XYZ."
XYZ Service: "That's Susan… again. Let me determine if she is authorized to use me."
Strengths
1. Passwords are never sent across the network unencrypted
2. Clients and application services are mutually authenticated
3. Tickets have a limited lifetime
4. Authentication through the AS only has to happen once
5. Shared secret keys between clients and services are more efficient than public keys
Weaknesses and Solutions
Weakness: If a TGT is stolen, it can be used to access network services.
Solution: Only a problem until the ticket expires in a few hours.
Weakness: Very bad if the Authentication Server is compromised.
Solution: Physical protection for the server.
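To tie the Susan/XYZ walkthrough above to the lifetime point in Weaknesses and Solutions, here is an added Python model of the three exchanges (it is not code from the slides or from any Kerberos implementation). The pbkdf2 key derivation, the JSON ticket layout and the HMAC-based "locked box" are constructed stand-ins for the real string-to-key function, ASN.1 tickets and AES encryption types, and the principal names (susan, krbtgt, xyz) are assumed for the example.

```python
import hashlib, hmac, json, os
def kdf(password, principal):
    # Long-term key from a password (constructed stand-in for Kerberos' real string-to-key function)
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 100_000)

def _stream(key, nonce, n):
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))[:n]

def seal(key, payload):
    # Toy "locked box": keystream XOR plus an HMAC tag, standing in for the real AES encryption types
    data, nonce = json.dumps(payload).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _stream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key, box):
    nonce, ct, tag = box[:16], box[16:-32], box[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("wrong key or tampered box")  # wrong password => box stays locked
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

def verify_ticket(key, ticket, authenticator, now):
    # Open a ticket with the holder's key, reject it if expired, then check the authenticator sent with it
    t = unseal(key, ticket)
    if now > t["exp"]:
        raise ValueError("ticket expired")  # a stolen ticket is only useful until this point
    if unseal(bytes.fromhex(t["key"]), authenticator)["client"] != t["client"]:
        raise ValueError("authenticator does not match ticket")
    return t
class KDC:
    def __init__(self, keys, tgt_life=8 * 3600, tkt_life=3600):
        self.db, self.tgt_life, self.tkt_life = keys, tgt_life, tkt_life  # principal -> long-term key
    def as_exchange(self, client, now):
        # Authentication Service: TGT sealed under the TGS key, session key sealed under the client's own key
        sk, exp = os.urandom(32).hex(), now + self.tgt_life
        tgt = seal(self.db["krbtgt"], {"client": client, "key": sk, "exp": exp})
        return tgt, seal(self.db[client], {"key": sk, "exp": exp})
    def tgs_exchange(self, tgt, authenticator, service, now):
        # Ticket Granting Service: validates the TGT, then issues a service ticket sealed under the service's key
        t, sk2 = verify_ticket(self.db["krbtgt"], tgt, authenticator, now), os.urandom(32).hex()
        ticket = seal(self.db[service], {"client": t["client"], "key": sk2, "exp": now + self.tkt_life})
        return ticket, seal(bytes.fromhex(t["key"]), {"key": sk2})

def login_and_use(kdc, user, password, service, service_key, acl, now):
    tgt, box = kdc.as_exchange(user, now)
    sk = bytes.fromhex(unseal(kdf(password, user), box)["key"])  # the password itself never goes on the wire
    ticket, box2 = kdc.tgs_exchange(tgt, seal(sk, {"client": user, "ts": now}), service, now)
    sk2 = bytes.fromhex(unseal(sk, box2)["key"])
    # XYZ Service: Kerberos settles who the caller is; whether she may use the service is the service's ACL
    return verify_ticket(service_key, ticket, seal(sk2, {"client": user, "ts": now}), now)["client"] in acl
```

The service's own key is passed in separately because, as in a real deployment, the service holds its key locally rather than asking the KDC for it.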
Applications:
Kerberos-aware applications are called Kerberized
Some Kerberized applications are: Berkeley R-commands, Telnet, POP, USC's Win2000 network, FTP
THANK YOU