
kerberos

5,168 views

Published in: Engineering

  1. "KERBEROS" by Sameer Farooq, Reg_No: 11501907, M.Tech (CSE), Dept. of Computer Science & Engineering, Lovely Professional University, Phagwara, Jalandhar-144401
  2. CONTENTS
     • WHAT IS KERBEROS?
     • HISTORY
     • TERMINOLOGY
     • WORKING
     • KERBEROS ENVIRONMENT
     • KERBEROS DATABASE
     • KERBEROS ADMINISTRATOR
     • ADVANTAGES & DISADVANTAGES
     • PUBLIC KEY CRYPTOGRAPHY
     • CONCLUSION
     • REFERENCES
  3. What is Kerberos?
     • Network authentication protocol.
     • Developed at MIT in the mid 1980s.
     • Uses a trusted third-party authentication scheme.
     • Assumes that hosts are not trustworthy.
     • Requires that each client (each request for service) prove its identity.
     • Does not require the user to enter a password every time a service is requested!
  4. History
     • Steve Miller and Clifford Neuman designed the primary Kerberos version in 1983.
     • Versions 1–3 existed only internally at MIT as part of Project Athena.
     • Windows 2000 was Microsoft's first system to implement the Kerberos security standard.
     • Version 5, designed by John Kohl and Clifford Neuman, appeared in 1993.
  5. Recent updates include:
     • Encryption and checksum specifications.
     • Clarification of the protocol with a more detailed and clearer explanation of intended use.
     • A new edition of the GSS-API (Generic Security Service Application Program Interface) specification.
  6. Why Kerberos?
     • Sending usernames and passwords in the clear jeopardizes the security of the network.
     • Each time a password is sent in the clear, there is a chance for interception.
     Kerberos provides:
     • strong security on a physically insecure network.
     • a centralized authentication server which authenticates
       • users to servers.
       • servers to users.
  7. Firewall vs. Kerberos?
     • Firewalls make a risky assumption: that attackers are coming from the outside. In reality, attacks frequently come from within.
     • A firewall assumes the "bad guys" are on the outside, while the really damaging ones can be inside!
     • Firewalls restrict use of the Internet.
     • Kerberos assumes that network connections (rather than servers and workstations) are the weak link in network security.
  8. TERMINOLOGY
     • Realm: indicates an authentication administrative domain.
     • Principal: the name used to refer to the entries in the AS.
     • Ticket: issued by the AS and encrypted using the secret key of the service.
     • Encryption:
       • Encryption type: DES, RC4-HMAC, AES128 and AES256 algorithms.
       • Encryption key.
       • Key Version Number (kvno).
  9. Key Distribution Center (KDC):
     • Database: contains information about users and services.
     • Authentication Server (AS): replies to the initial authentication request from the client and issues the TGT.
     • Ticket Granting Server (TGS): distributes service tickets to clients.
     • Session key: a secret between a user and a service for which the client has a work session open on a server.
     • Replay cache.
     • Credential cache: used to store the password and related session key.
  10. Working of Kerberos (Fig. 1: Authentication service verifies the user ID)
     Step 1 (Fig. 1): The AS receives the request from the client and verifies the client's identity.
  11. Fig. 2: Authentication service issues TGT.
     Step 2:
     • Upon verification, a timestamp is created with the current time in a user session, with an expiration date.
     • The timestamp ensures that when 8 hours are up, the encryption key is useless.
     Step 3 (Fig. 2): The key is sent back to the client in the form of a TGT.
  12. Fig. 3: Client submits TGT to TGS.
     Step 4 (Fig. 3): The client submits the TGT to the TGS to get authenticated.
  13. Fig. 4: TGS grants client the service ticket.
     Step 5 (Fig. 4):
     • The TGS creates an encrypted key with a timestamp and grants the client a service ticket.
     Step 6:
     • The client decrypts the ticket and sends an ACK to the TGS.
  14. Fig. 5: Service server decrypts key and checks timestamp.
     Step 7:
     • The client then sends its own encrypted key to the service server.
     • The service decrypts the key and checks whether the timestamp is still valid.
     • If it is, the service contacts the KDC to receive a session that is returned to the client.
  15. Fig. 6: For valid keys, communication is initiated.
     Step 8 (Fig. 6):
     • The client decrypts the ticket. If the keys are still valid, communication is initiated between client and server.
     • Now the client is authenticated until the session expires.
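The eight steps above (AS exchange issuing a TGT, TGS exchange issuing a service ticket, the service checking the ticket's lifetime and its replay cache) as a runnable simulation; this is an added example, not the deck's or MIT Kerberos' code. It assumes a toy SHA-256-keystream/HMAC cipher in place of real enctypes, JSON messages, one in-process KDC acting as both AS and TGS, the 8-hour lifetime the deck mentions, and constructed principal names and keys.

```python
import hashlib, hmac, json, os
LIFETIME = 8 * 3600  # ticket lifetime in seconds (the deck's 8 hours)

def seal(key, obj):  # toy authenticated encryption: SHA-256 keystream + HMAC tag, stands in for an AES enctype
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ks = b"".join(hashlib.sha256(key + nonce + bytes([i])).digest() for i in range(len(pt) // 32 + 1))
    ct = bytes(a ^ b for a, b in zip(pt, ks))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")  # a wrong password or forged ticket ends here
    ks = b"".join(hashlib.sha256(key + nonce + bytes([i])).digest() for i in range(len(ct) // 32 + 1))
    return json.loads(bytes(a ^ b for a, b in zip(ct, ks)))

def string_to_key(password):  # stand-in for the Kerberos string-to-key derivation (assumption)
    return hashlib.sha256(password.encode()).digest()

class KDC:
    """AS and TGS sharing one principal database: name -> long-term key (constructed sample)."""
    def __init__(self, db): self.db = db
    def as_exchange(self, client, now):  # steps 1-3: session key + TGT (sealed under the TGS key) for the client
        sk = os.urandom(32).hex()
        tgt = seal(self.db["krbtgt"], {"c": client, "sk": sk, "exp": now + LIFETIME})
        return seal(self.db[client], {"sk": sk, "tgt": tgt.hex()})
    def tgs_exchange(self, tgt, authenticator, service, now):  # steps 4-5: TGT + authenticator -> service ticket
        t = unseal(self.db["krbtgt"], tgt)
        a = unseal(bytes.fromhex(t["sk"]), authenticator)
        if a["c"] != t["c"] or now > t["exp"]:
            raise ValueError("TGT expired or client mismatch")
        ssk = os.urandom(32).hex()
        ticket = seal(self.db[service], {"c": t["c"], "sk": ssk, "exp": now + LIFETIME})
        return seal(bytes.fromhex(t["sk"]), {"sk": ssk, "ticket": ticket.hex()})

def client_get_service_ticket(kdc, name, password, service, now):
    rep = unseal(string_to_key(password), kdc.as_exchange(name, now))  # the password itself never leaves the client
    sk = bytes.fromhex(rep["sk"])
    rep2 = unseal(sk, kdc.tgs_exchange(bytes.fromhex(rep["tgt"]), seal(sk, {"c": name, "ts": now}), service, now))
    ssk = bytes.fromhex(rep2["sk"])
    return bytes.fromhex(rep2["ticket"]), seal(ssk, {"c": name, "ts": now})

def service_accept(service_key, ticket, authenticator, replay_cache, now):
    """Steps 7-8: decrypt the ticket, check its lifetime and reject a replayed authenticator."""
    t = unseal(service_key, ticket)
    a = unseal(bytes.fromhex(t["sk"]), authenticator)
    if a["c"] != t["c"] or now > t["exp"] or (a["c"], a["ts"]) in replay_cache:
        raise ValueError("ticket expired, client mismatch, or replayed authenticator")
    replay_cache.add((a["c"], a["ts"]))
    return t["c"]  # the authenticated client principal
```

A wrong password, a replayed authenticator and an expired ticket all surface as a ValueError in unseal or service_accept, which is where a real service would log the failure.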
  16. Kerberos Environment (Fig. 7: A possible Kerberos environment)
     1. Typical Infrastructure (Fig. 7)
     • First, a Kerberos infrastructure contains at least one Kerberos server.
     • The KDC holds a complete database of user and service keys.
     2. Kerberized Services
     • Second, Kerberos-enabled clients and services, called kerberized clients and services.
  17. Kerberos Database (Fig. 8: Authentication Requests)
     • Kerberos operations require both read-only and write access to the Kerberos database.
     • From the figure, operations requiring read-only access to the Kerberos database are performed by the AS (KDBM), which can run on both master and slave machines.
  18. Fig. Administration Requests.
     • From the figure we may say that changes may only be made to the master Kerberos database, where slave copies are read-only.
     • Therefore, the KDBM server may only run on the master Kerberos machine.
  19. Kerberos Administrator
     • Manages and controls all the operations and functions of Kerberos.
     • Runs a program to initialize the database.
     • Registers essential principals in the database.
     • The Kerberos administration server and AS must be started up properly.
     • For a new Kerberos application, a few steps must be taken to get it working:
       • It must be registered in the database.
       • It must be assigned a private key.
     • The administrator must also ensure that Kerberos machines are physically secure and must be able to maintain backups of the master database.
  20. Advantages:
     • Passwords are never sent across the network unencrypted.
     • Clients and application services are mutually authenticated.
     • Tickets have a limited lifetime.
     • Authentication through the AS only has to happen once.
     • Sharing secret keys is more efficient than public keys.
     Disadvantages:
     • Kerberos only provides authentication for clients and services.
     • Vulnerable to users making poor password choices.
     • Client machines and service (server) machines have to be designed with Kerberos authentication in mind.
  21. PUBLIC KEY CRYPTOGRAPHY
     • In public key cryptography two different but mathematically related keys are used.
     • The public key may be freely distributed, while its paired private key must remain secret.
     • The public key is typically used for encryption, while the private or secret key is used for decryption.
     • It gives a new direction to Kerberos as it eases key distribution a lot.
     • The KDC doesn't need to save client keys in its database.
     • To obtain a TGT, the client has to present its public key.
     • A trusted certification authority (CA) has to sign every valid public key.
  22. CONCLUSION
     • Researched and developed for over 8 years.
     • Kerberos doesn't fail to deliver services, e.g. at Cisco, Microsoft, Apple, and many others.
     • As authentication is critical for the security of computer systems, traditional authentication methods are not suitable for use in computer networks.
     • The Kerberos authentication system is well suited for authentication of users in such environments.
  23. REFERENCES
     • Computer Networking by James Kurose and Keith Ross.
     • Kerberos: A Network Authentication System by Brian Tung.
     • Introduction to Kerberos technology.
     • http://web.mit.edu/Kerberos/
     • http://searchsecurity.techtarget.com/sDefinition/
     • http://www.google.co.in/
