Kerberos Authentication Protocol

  1. Kerberos Authentication Protocol
       • ASHOK BASNET (066BCT505)
       • BIBEK SUBEDI (066BCT506)
       • DINESH SUBEDI (066BCT512)
  2. What is Kerberos
       • Network authentication protocol
       • Developed at MIT in the mid 1980s
       • Available as open source or in supported commercial software
  3. Kerberos vs Firewall
       • Firewalls make a risky assumption: that attackers are coming from the outside. In reality, attacks frequently come from within.
       • Kerberos assumes that network connections (rather than servers and workstations) are the weak link in network security.
  4. Why Kerberos
       • Sending usernames and passwords in the clear jeopardizes the security of the network.
       • Each time a password is sent in the clear, there is a chance for interception.
  5. Architecture
     It consists of the following 3 components:
       1. Client
       2. Authentication Server or Key Distribution Server (KDC)
       3. Server
     And has 3 main exchanges:
       1. Authentication Service (AS) Exchange
       2. Ticket Granting Service (TGS) Exchange
       3. Client Server (CS) Exchange
  6. AS Exchange
       • Exchange between client and Authentication Server (KDC)
       • Client sends a KRB_AS_REQ message to the KDC specifying the credentials it wants
       • Server replies with a KRB_AS_REP message containing the ticket and session key
       • The session key is encrypted with the client's secret key
       • The TGT is encrypted with the server's secret key
       • The encryption type is DES by default
  7. TGS Exchange
       • Is used to obtain additional tickets for the servers
       • Doesn't need the client's secret key for encryption
       • Transparent to the user
       • TGS must have access to all secret keys
       • But encrypts the ticket using the server's secret key
       • Client sends KRB_TGS_REQ to the TGS server
       • Server replies with KRB_TGS_REP to the client, containing the ticket
  8. CS Exchange
       • Client contacts the real server
       • Client sends KRB_AP_REQ to the server specifying the service
       • Server validates the client by decrypting the ticket with the server's secret key and decrypting the authenticator with the session key contained in the ticket
       • Server optionally replies with KRB_AP_REP
  9. Implementation
       • Athena Project at MIT
       • Microsoft Windows
  10. Limitations
       • Only provides authentication
       • Central Authentication server
       • Cannot migrate existing password hashes into the Kerberos database
       • Authentication is only as good as the user's password
       • Assumes relatively secure hosts on an insecure network
       • Strict time requirements
       • Complicates virtual hosting
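
The three exchanges on slides 6 to 8, and the "strict time requirements" limitation, traced as an added Python example that is not part of the original slides. It assumes a toy cipher (SHAKE-256 keystream plus HMAC) in place of a real Kerberos encryption type, JSON instead of the real wire format, constructed principals `alice`, `krbtgt` and `fileserver`, and a 300-second skew limit.

```python
import hashlib, hmac, json, os, time

MAX_SKEW = 300  # assumed clock-skew tolerance, in seconds

def _xor(key, nonce, data):
    ks = hashlib.shake_256(b"enc" + key + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, ks))

def seal(key, obj):  # toy authenticated cipher, a stand-in for a real Kerberos enctype
    key, nonce = bytes.fromhex(key), os.urandom(16)
    ct = _xor(key, nonce, json.dumps(obj).encode())
    return nonce + hmac.new(key, nonce + ct, hashlib.sha256).digest() + ct

def unseal(key, blob):
    key, nonce, tag, ct = bytes.fromhex(key), blob[:16], blob[16:48], blob[48:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(_xor(key, nonce, ct))

def as_exchange(db, client):
    # KRB_AS_REP: session key under the client's key, TGT under the TGS key
    sk = os.urandom(16).hex()
    return seal(db[client], {"key": sk}), seal(db["krbtgt"], {"client": client, "key": sk})

def authenticator(session_key, client, ts=None):
    return seal(session_key, {"client": client, "ts": time.time() if ts is None else ts})

def validate(secret_key, ticket, auth):
    # Ticket opens with the long-term key, authenticator with the session key inside it
    t = unseal(secret_key, ticket)
    a = unseal(t["key"], auth)
    if a["client"] != t["client"]:
        raise ValueError("authenticator does not match ticket")
    if abs(time.time() - a["ts"]) > MAX_SKEW:
        raise ValueError("clock skew too great")
    return t

def tgs_exchange(db, tgt, auth, service):
    # KRB_TGS_REP: built from the TGT alone, the client's secret key is never used
    t = validate(db["krbtgt"], tgt, auth)
    sk = os.urandom(16).hex()
    return seal(t["key"], {"key": sk}), seal(db[service], {"client": t["client"], "key": sk})

def demo():
    db = {p: os.urandom(16).hex() for p in ("alice", "krbtgt", "fileserver")}  # constructed
    enc_k1, tgt = as_exchange(db, "alice")
    k1 = unseal(db["alice"], enc_k1)["key"]
    enc_k2, ticket = tgs_exchange(db, tgt, authenticator(k1, "alice"), "fileserver")
    k2 = unseal(k1, enc_k2)["key"]
    return validate(db["fileserver"], ticket, authenticator(k2, "alice"))["client"]
```

The client never decrypts the TGT or the service ticket; it only forwards them, which is why the same `validate` step serves both the TGS and the application server.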