
Kerberos protocol

2,985 views

Kerberos Authentication

- http://www.ifour-consultancy.com

Published in: Technology

Kerberos protocol

  1. Kerberos Authentication
  2. Kerberos (protocol)
     ◦ Kerberos is a computer network authentication protocol
     ◦ Works on the basis of 'tickets' to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner
     ◦ Aimed primarily at a client–server model, and it provides mutual authentication
     ◦ Protected against eavesdropping and replay attacks
     http://www.ifour-consultancy.com Offshore software development company India
  3. Microsoft Windows, UNIX & Kerberos
     ◦ Windows 2000 and later uses Kerberos as its default authentication method
     ◦ Documentation:
       ◦ RFC 3244 "Microsoft Windows 2000 Kerberos Change Password and Set Password Protocols"
       ◦ RFC 4757 documents Microsoft's use of the RC4 cipher
     ◦ Many UNIX systems include software for Kerberos authentication of users or services
  4. Components
     ◦ Principal
     ◦ Realm
     ◦ KDC
     ◦ AS
     ◦ TGS
     ◦ Client
     ◦ Server
  5. Mechanism
     • Client authenticates itself to the Authentication Server (AS), which forwards the username to a Key Distribution Center (KDC)
     • KDC issues a Ticket Granting Ticket (TGT), which is time stamped
     • KDC encrypts it using the user's password and returns the encrypted result to the user's workstation
     • TGT remains valid until it expires, though it may be transparently renewed by the user's session manager while they are logged in
  6. Mechanism
     When the client needs to communicate with another node:
     • Client sends the TGT to the Ticket Granting Service (TGS)
     • After verifying that the TGT is valid and the user is permitted to access the requested service, the TGS issues a Ticket and session keys, which are returned to the client
     • Client then sends the Ticket to the service server (SS) along with its service request
  7. User Client-based Logon
     ◦ User enters a username and password on the client machine
     ◦ Client transforms the password into the key of a symmetric cipher
     ◦ Either uses the built-in key scheduling or a one-way hash, depending on the cipher suite used
  8. Client Authentication
     ◦ Client sends a clear-text message of the user ID to the AS requesting services on behalf of the user
     ◦ AS generates the secret key by hashing the password of the user found in the database
     ◦ AS checks to see if the client is in its database
  9. Client Authentication
     ◦ If it is, the AS sends back the following two messages to the client:
       ◦ Message A: Client/TGS Session Key encrypted using the secret key of the client/user.
       ◦ Message B: Ticket-Granting-Ticket (which includes the client ID, client network address, ticket validity period, and the Client/TGS Session Key) encrypted using the secret key of the TGS.
  10. Client Service Authorization
     ◦ Client attempts to decrypt message A with the secret key generated from the password entered by the user
     ◦ If the password does not match the password in the AS database, the client's secret key will be different and thus unable to decrypt message A
     ◦ With a valid password and secret key, the client decrypts message A to obtain the Client/TGS Session Key
     ◦ This session key is used for further communications with the TGS
  11. Client Service Authorization
     When requesting services, the client sends the following two messages to the TGS:
     ◦ Message C: Composed of the TGT from message B and the ID of the requested service.
     ◦ Message D: Authenticator (which is composed of the client ID and the timestamp), encrypted using the Client/TGS Session Key.
  12. Client Service Authorization
     ◦ Upon receiving messages C and D, the TGS retrieves message B out of message C
     ◦ Decrypts message B using the TGS secret key
     ◦ This gives it the "Client/TGS Session Key"
  13. Client Service Authorization
     Using this "Client/TGS Session Key", the TGS decrypts message D and sends the following two messages to the client:
     ◦ Message E: Client-to-server ticket (which includes the client ID, client network address, validity period and Client/Server Session Key) encrypted using the service's secret key.
     ◦ Message F: Client/Server Session Key encrypted with the Client/TGS Session Key.
  14. Client Service Request
     Upon receiving messages E and F from the TGS:
     ◦ Client has enough information to authenticate itself to the SS
     ◦ Client connects to the SS and sends the following two messages:
       ◦ Message E from the previous step (the client-to-server ticket, encrypted using the service's secret key).
       ◦ Message G: a new Authenticator, which includes the client ID and timestamp, encrypted using the Client/Server Session Key.
  15. Client Service Request
     ◦ SS decrypts the ticket using its own secret key to retrieve the Client/Server Session Key
     ◦ SS decrypts the Authenticator and sends the following message to the client to confirm its true identity and willingness to serve the client:
       ◦ Message H: the timestamp found in the client's Authenticator plus 1, encrypted using the Client/Server Session Key.
     ◦ Client decrypts the confirmation using the Client/Server Session Key
  16. Client Service Request
     ◦ Client checks whether the timestamp is correctly updated
     ◦ If so, the client can trust the server and can start issuing service requests to the server
     ◦ Server provides the requested services to the client
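The message flow of slides 8 to 16, as an added Python simulation that is not part of the original presentation. It stands in for real Kerberos with assumed pieces: a toy HMAC-based authenticated cipher instead of Kerberos's encryption types, PBKDF2 for the password-to-key step of slide 7, made-up principal and service names, ticket lifetimes, and a 300-second clock-skew limit. It goes slightly beyond the slides by giving every ticket-accepting party (TGS and service) a replay cache and a skew check, which is what makes the "strict time requirements" of slide 19 necessary, and by showing the three failure paths a defender cares about: wrong password (message A cannot be decrypted), a replayed authenticator, and a stale authenticator.

```python
"""Constructed toy simulation of the Kerberos AS, TGS and AP exchanges (messages A to H)."""
import hashlib
import hmac
import json
import os

SKEW = 300          # assumed acceptable clock skew in seconds (slide 19: strict time requirements)
TGT_LIFE = 36000    # assumed TGT lifetime for the demo
TICKET_LIFE = 3600  # assumed service ticket lifetime for the demo


def derive_key(password, salt):
    """Slide 7: the password becomes a symmetric key via a one-way function (PBKDF2 here, an assumption)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000)


def _keystream(key, nonce, length):
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(length // 32 + 1))


def encrypt(key, obj):
    """Toy authenticated encryption (HMAC keystream XOR + HMAC tag); a stand-in, not a production cipher."""
    nonce, pt = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered ciphertext")  # slide 10: a wrong password ends up here
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


def check_authenticator(auth, ticket, now, seen):
    """Checks a ticket-accepting party (TGS or service) applies before trusting an authenticator."""
    if auth["client"] != ticket["client"]:
        raise ValueError("authenticator does not match ticket")
    if now > ticket["expires"]:
        raise ValueError("ticket expired")
    if abs(now - auth["ts"]) > SKEW:
        raise ValueError("clock skew too large")
    if (auth["client"], auth["ts"]) in seen:  # replay cache: each (client, timestamp) is accepted once
        raise ValueError("replayed authenticator")
    seen.add((auth["client"], auth["ts"]))


class KDC:
    """Authentication Server and Ticket Granting Service of one realm (slides 8 to 13)."""
    def __init__(self, realm, users):
        self.realm = realm
        self.db = {u: derive_key(p, f"{u}@{realm}") for u, p in users.items()}  # slide 8: key from password
        self.tgs_key, self.service_keys, self.seen = os.urandom(32), {}, set()

    def register_service(self, spn):
        self.service_keys[spn] = os.urandom(32)
        return self.service_keys[spn]

    def as_exchange(self, client_id, now):
        if client_id not in self.db:
            raise ValueError("unknown principal")
        sk = os.urandom(32).hex()
        tgt = {"client": client_id, "addr": "10.0.0.5", "expires": now + TGT_LIFE, "key": sk}
        return encrypt(self.db[client_id], {"key": sk}), encrypt(self.tgs_key, tgt)  # messages A, B

    def tgs_exchange(self, c, d, now):
        tgt = decrypt(self.tgs_key, c["tgt"])  # slide 12: recover the TGT with the TGS secret key
        tgs_sk = bytes.fromhex(tgt["key"])
        check_authenticator(decrypt(tgs_sk, d), tgt, now, self.seen)
        svc_sk = os.urandom(32).hex()
        ticket = {"client": tgt["client"], "addr": tgt["addr"], "expires": now + TICKET_LIFE, "key": svc_sk}
        return encrypt(self.service_keys[c["service"]], ticket), encrypt(tgs_sk, {"key": svc_sk})  # E, F


class Service:
    """The service server (SS) of slides 14 to 16."""
    def __init__(self, spn, key):
        self.spn, self.key, self.seen = spn, key, set()

    def ap_exchange(self, e, g, now):
        ticket = decrypt(self.key, e)  # slide 15: SS decrypts the ticket with its own secret key
        svc_sk = bytes.fromhex(ticket["key"])
        auth = decrypt(svc_sk, g)
        check_authenticator(auth, ticket, now, self.seen)
        return encrypt(svc_sk, {"ts": auth["ts"] + 1})  # message H: client's timestamp plus 1


def client_login(kdc, service, client_id, password, now):
    key = derive_key(password, f"{client_id}@{kdc.realm}")                      # slide 7
    a, b = kdc.as_exchange(client_id, now)                                       # slides 8-9
    tgs_sk = bytes.fromhex(decrypt(key, a)["key"])                               # slide 10
    c, d = {"tgt": b, "service": service.spn}, encrypt(tgs_sk, {"client": client_id, "ts": now})  # slide 11
    e, f = kdc.tgs_exchange(c, d, now)                                           # slides 12-13
    svc_sk = bytes.fromhex(decrypt(tgs_sk, f)["key"])
    g = encrypt(svc_sk, {"client": client_id, "ts": now})                        # slide 14
    h = service.ap_exchange(e, g, now)                                           # slide 15
    if decrypt(svc_sk, h)["ts"] != now + 1:                                      # slide 16: mutual authentication
        raise ValueError("server failed mutual authentication")
    return e, g, svc_sk


def run_demo(now=1_700_000_000.0):
    """Runs one good login, then the three failure paths; returns the outcome of each."""
    kdc = KDC("EXAMPLE.COM", {"alice": "correct horse battery"})  # constructed realm and user
    svc = Service("host/files.example.com", kdc.register_service("host/files.example.com"))
    e, g, svc_sk = client_login(kdc, svc, "alice", "correct horse battery", now)

    def outcome(fn):
        try:
            fn()
            return "ok"
        except ValueError as err:
            return str(err)

    stale = encrypt(svc_sk, {"client": "alice", "ts": now - 2 * SKEW})
    return {"login": "ok",
            "wrong_password": outcome(lambda: client_login(kdc, svc, "alice", "guess", now + 1)),
            "replayed_authenticator": outcome(lambda: svc.ap_exchange(e, g, now + 2)),
            "stale_authenticator": outcome(lambda: svc.ap_exchange(e, stale, now + 3))}


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name:24s} {result}")
```

Note that the password never travels to the KDC: the AS encrypts message A under a key it derived from its own copy of the password, and a client with the wrong password simply fails the integrity check on A. The same authenticator-checking routine serves both the TGS and the service, which is why a stolen TGT (slide 21) remains usable only until its expiry and, inside that window, only with fresh authenticators.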
  17. Kerberos Authentication Process (Cross Domain)
     ◦ Client in Domain 1 wishes to access a network resource in remote Domain 2
     ◦ The client has already been authenticated to the KDC in Domain 1 and has received a TGT
     ◦ The client presents the TGT to the KDC in Domain 1 and requests a TGS to access the remote resource
  18. Kerberos Authentication Process (Cross Domain)
     ◦ The KDC in Domain 1 cannot provide a TGS for a network resource in Domain 2. Instead, the KDC in Domain 1 responds to the client with a TGT for Domain 2
     ◦ The client presents the new TGT to the KDC in Domain 2
     ◦ The KDC in Domain 2 responds with a TGS for the network resource
     ◦ The client accesses the network resource in Domain 2 using the new TGS
  19. Drawbacks and Limitations
     ◦ Single point of failure
     ◦ Kerberos has strict time requirements
     ◦ Administration protocol is not standardized
     ◦ All authentications are controlled by a centralized KDC
  20. Drawbacks and Limitations
     ◦ Each network service which requires a different host name
     ◦ Requires user accounts, user clients and the services on the server to all have a trusted relationship to the Kerberos token server
     ◦ Required client trust makes creating staged environments difficult
  21. Weakness in Kerberos Protocol
     ◦ Susceptible to offline password cracking
     ◦ Password-cracking tools such as "l0phtcrack" have demonstrated the vulnerability
     ◦ If a TGT is stolen, the attacker can access the network until the session expires
     ◦ Severe effects if the KDC is compromised
  22. Symbiosis students
     ◦ Deepak Aggarwal
     ◦ Rohit Khadke
     ◦ Sonali Solanki
     ◦ Vineela Kanapala
