SlideShare una empresa de Scribd logo

Kerberos

Descargar como PPTX, PDF
Sutanu Paul
Sutanu Paul
Tecnología
1 de 27
KERBEROS PRESENTED BY SUTANU PAUL(CSI 13023) MD ARIFUL HOQUE(CSI 13020) MTECH(IT) 1ST SEM TEZPUR UNIVERSITY
OUTLINE • • • • • • • • • • What is Kerberos? Why Kerberos? Firewall Vs Kerberos Kerberos design How does Kerberos work? Application of Kerberos Comparison between version 4 and 5 Attacks on Kerberos Limitation of Kerberos References
WHAT IS KERBEROS? • Literal meaning: In Greek mythology,kerberos is a multi-headed dog (usually three) which gaurds the entrance of Hades. • Technically Kerberos is an authentication protocol implemented on Project Athena at MIT • Athena provides an open network computing environment • Each user has complete control of its workstation • But the workstations can not be trusted completely to identify its users to the network services • Kerberos acts as a third party authenticator - Helps the user to prove its identity to the various services and vice versa • Uses symmetrical cryptographic algorithms (private key cryptosystems) –Same key is used for encryption as well as decryption –Uses DES (Data Encryption Standard)
WHAT IS KERBEROS?…cont. What's with the 3 heads? ● Authentication – confirms that a user who is requesting services is a valid user of the network ● Authorization – granting of specific types of service to a user, based on their authentication ● Accounting – The tracking of the consumption of network resources by users
WHY KERBEROS? • Authentication is a key feature in a multi-user environment. • Sending usernames and passwords over the network is not secure. • Each time a password is sent in the network, there is a chance for interception. Problem: Cannot trust workstation to identify their users correctly in an open distributed environment Solution: – Building elaborate authentication protocols at each server – A centralized authentication server (Kerberos)
FIREWALL VS KERBEROS • Firewall make a risky assumption that attackers are coming from the outside. In reality attacks frequently come from within. • Kerberos assumes that network connections (rather than servers and workstations) are the weak link in network security.
HOW DOES KERBEROS WORK? ….cont. • To request a service from a server, the client goes through three phases of authentication • Phase 1 –The client requests a ticket from the Kerberos –Kerberos grants a ticket and a session key –The ticket is used for requesting other tickets for various services –Ticket conveys the identity of the client to the server –The session key is used for conversation between the client and the server
HOW DOES KERBEROS WORK? ….cont. Phase 2 –The client uses the ticket of the first phase to request a ticket from the ticket granting server (TGS) for a specific service Phase 3 –The client presents the key to the server for the service
A more detailed look… AUTHENTICATION SERVER • The client sends a plaintext request to the AS asking for a ticket it can use to talk to the TGS. • Request: -Login name -TGS name • Since this request contains only well-known names, it does not need to be sealed.
AUTHENTICATION SERVER • The AS finds the keys corresponding to the login name and the TGS name. • The AS creates a ticket: – Login name – TGS name – Client network address – TGS session key • The AS seals the ticket with the TGS secret key.
AUTHENTICATION SERVER RESPONSE • The AS also creates a random session key for the client and the TGS to use. • The session key and the sealed ticket are sealed with the user (login name) secret key. Sealed with TGS key Ticket: TGS session key Sealed with user key login name TGS name net address TGS session key
ACCESSING THE TGS • The client decrypts the message using the user’s password as the secret key. • The client now has a session key and ticket that can be used to contact the TGS. • The client cannot see inside the ticket, since the client does not know the TGS secret key.
ACCESSING A SERVER • When a client wants to start using a server (service), the client must first obtain a ticket. • The client composes a request to send to the TGS Sealed with TGS key TGS Ticket Authenticator Server Name Sealed with session key
TGS RESPONSE • The TGS decrypts the ticket using it’s secret key. Inside is the TGS session key. • The TGS decrypts the authenticator using the session key. • The TGS check to make sure login names, client addresses and TGS server name are all ok. • TGS makes sure the authenticator is recent.
TGS RESPONSE Once everything checks out - the TGS: • Builds a ticket for the client and requested server. The ticket is sealed with the server key. • Creates a session key • Seals the entire message with the TGS session key and sends it to the client
CLIENT ACCESSES SERVER • The client now decrypts the TGS response using the TGS session key. • The client now has a session key for use with the new server, and a ticket to use with that server. • The client can contact the new server using the same format used to access the TGS.
WHY TWO SERVERS? Note that –First phase is used for user-authentication (using the id and password) –Second and third phase may continue several times with the same TGT granted by the first phase In absence of this additional phase –For each service, the user needs to authenticate itself using its password –Once the intruder gets the first session key, it can continue doing malicious works throughout the session –That’s why life and timestamp are mentioned
APPLICATIONS OF KERBEROS • Windows servers use Kerberos as the primary authentication protocol. • Telnet/FTP uses Kerberos. • Authentication for web services. • Authenticating email client and servers.
comparison between version 4 and 5 Version 4 • Environmental drawbacks – Encryption system dependence – Internet protocol dependence – Message format – Ticket lifetimes – Authentication forwarding – Inter-realm authentication
VERSION 4 • Technical deficiencies – Double Encryption (Bellovin and Merritt [Bel90]) – PCBC encryption – Authenticators and replay detection – Password attacks – Session keys – Cryptographic checksum – Kerberised
ATTACKS ON KERBEROS • • • • KDC security Availability Replay attacks Password-guessing attacks
Limitations of Kerberos
REFERENCES Books o Computer Networks by Andrew S Tanenbaum, Fifth Edition. o Data Communications and Networking by Behrouz A Forouzan, Fourth Edition. Websites owww.mit.edu owww.google.com owww.wikipedia.com
KERBEROS DESIGN • • • • • • • • Every User has a password. Every service has a password. Password are never sent across the network in clear text(or stored in memory) User must identify himself once at the beginning of a workstation session(login session) The only entity that knows all the passwords is the AUTHENTICATION SERVER (AS) Every user shares its private secret key with the AUTHENTICATION SERVER -User X doesn’t know the private key of user Y. Key Distribution: When X wants to communicate with Y, they need to use a secret key between them -AS is responsible for distributing this session key (conversation key) between X and Y Everybody has to trust AS
HOW DOES KERBEROS WORK? ….cont. • Instead of client (Alice) sending password to application server(Bob): -It Request TICKET From AUTHENTICATION SERVER -the TICKET and encrypted request is sent to application server(Bob). • How To Request Tickets Without Repeatedly Sending Credentials? – TICKET-GRANTING TICKET (TGT)

Recomendados

Kerberos
KerberosKerberos
Kerberos
Sparkbit
 
X.509 Certificates
X.509 CertificatesX.509 Certificates
X.509 Certificates
Sou Jana
 
IP Security
IP SecurityIP Security
IP Security
Keshab Nath
 
Key management
Key managementKey management
Key management
Sujata Regoti
 
Pgp pretty good privacy
Pgp pretty good privacyPgp pretty good privacy
Pgp pretty good privacy
Pawan Arya
 
Message Authentication Code & HMAC
Message Authentication Code & HMACMessage Authentication Code & HMAC
Message Authentication Code & HMAC
Krishna Gehlot
 
Kerberos ppt
Kerberos pptKerberos ppt
Kerberos ppt
OECLIB Odisha Electronics Control Library
 
MAC-Message Authentication Codes
MAC-Message Authentication CodesMAC-Message Authentication Codes
MAC-Message Authentication Codes
DarshanPatil82
 

Recomendados

Kerberos
KerberosKerberos
Kerberos
Sparkbit
 
X.509 Certificates
X.509 CertificatesX.509 Certificates
X.509 Certificates
Sou Jana
 
IP Security
IP SecurityIP Security
IP Security
Keshab Nath
 
Key management
Key managementKey management
Key management
Sujata Regoti
 
Pgp pretty good privacy
Pgp pretty good privacyPgp pretty good privacy
Pgp pretty good privacy
Pawan Arya
 
Message Authentication Code & HMAC
Message Authentication Code & HMACMessage Authentication Code & HMAC
Message Authentication Code & HMAC
Krishna Gehlot
 
Kerberos ppt
Kerberos pptKerberos ppt
Kerberos ppt
OECLIB Odisha Electronics Control Library
 
MAC-Message Authentication Codes
MAC-Message Authentication CodesMAC-Message Authentication Codes
MAC-Message Authentication Codes
DarshanPatil82
 
Kerberos Authentication Protocol
Kerberos Authentication ProtocolKerberos Authentication Protocol
Kerberos Authentication Protocol
Bibek Subedi
 
Kerberos
KerberosKerberos
Kerberos
Sudeep Shouche
 
Transport Layer Security (TLS)
Transport Layer Security (TLS)Transport Layer Security (TLS)
Transport Layer Security (TLS)
Arun Shukla
 
Kerberos
KerberosKerberos
Kerberos
Rahul Pundir
 
kerberos
kerberoskerberos
kerberos
sameer farooq
 
Kerberos
KerberosKerberos
Kerberos
RafatSamreen
 
Message authentication
Message authenticationMessage authentication
Message authentication
CAS
 
Classical encryption techniques
Classical encryption techniquesClassical encryption techniques
Classical encryption techniques
Dr.Florence Dayana
 
Symmetric and asymmetric key
Symmetric and asymmetric keySymmetric and asymmetric key
Symmetric and asymmetric key
Triad Square InfoSec
 
Block Cipher and its Design Principles
Block Cipher and its Design PrinciplesBlock Cipher and its Design Principles
Block Cipher and its Design Principles
SHUBHA CHATURVEDI
 
Authentication Protocols
Authentication ProtocolsAuthentication Protocols
Authentication Protocols
Trinity Dwarka
 
Email security
Email securityEmail security
Email security
Indrajit Sreemany
 
SHA- Secure hashing algorithm
SHA- Secure hashing algorithmSHA- Secure hashing algorithm
SHA- Secure hashing algorithm
Ruchi Maurya
 
IP Security
IP SecurityIP Security
IP Security
Dr.Florence Dayana
 
Hash Function
Hash FunctionHash Function
Hash Function
Siddharth Srivastava
 
Double DES & Triple DES
Double DES & Triple DESDouble DES & Triple DES
Double DES & Triple DES
Hemant Sharma
 
Kerberos : An Authentication Application
Kerberos : An Authentication ApplicationKerberos : An Authentication Application
Kerberos : An Authentication Application
Vidulatiwari
 
SSL & TLS Architecture short
SSL & TLS Architecture shortSSL & TLS Architecture short
SSL & TLS Architecture short
Avirot Mitamura
 
block ciphers
block ciphersblock ciphers
block ciphers
Asad Ali
 
Kerberos protocol
Kerberos protocolKerberos protocol
Kerberos protocol
Ajit Dadresa
 
Kerberos explained
Kerberos explainedKerberos explained
Kerberos explained
Dotan Patrich
 
Kerberos presentation
Kerberos presentationKerberos presentation
Kerberos presentation
Chris Geier
 

Más contenido relacionado

La actualidad más candente

Kerberos Authentication Protocol
Kerberos Authentication ProtocolKerberos Authentication Protocol
Kerberos Authentication Protocol
Bibek Subedi
 
SHA- Secure hashing algorithm
SHA- Secure hashing algorithmSHA- Secure hashing algorithm
SHA- Secure hashing algorithm
Ruchi Maurya
 

La actualidad más candente (20)

Kerberos Authentication Protocol
Kerberos Authentication ProtocolKerberos Authentication Protocol
Kerberos Authentication Protocol
 
Kerberos
KerberosKerberos
Kerberos
 
Transport Layer Security (TLS)
Transport Layer Security (TLS)Transport Layer Security (TLS)
Transport Layer Security (TLS)
 
Kerberos
KerberosKerberos
Kerberos
 
kerberos
kerberoskerberos
kerberos
 
Kerberos
KerberosKerberos
Kerberos
 
Message authentication
Message authenticationMessage authentication
Message authentication
 
Classical encryption techniques
Classical encryption techniquesClassical encryption techniques
Classical encryption techniques
 
Symmetric and asymmetric key
Symmetric and asymmetric keySymmetric and asymmetric key
Symmetric and asymmetric key
 
Block Cipher and its Design Principles
Block Cipher and its Design PrinciplesBlock Cipher and its Design Principles
Block Cipher and its Design Principles
 
Authentication Protocols
Authentication ProtocolsAuthentication Protocols
Authentication Protocols
 
Email security
Email securityEmail security
Email security
 
SHA- Secure hashing algorithm
SHA- Secure hashing algorithmSHA- Secure hashing algorithm
SHA- Secure hashing algorithm
 
IP Security
IP SecurityIP Security
IP Security
 
Hash Function
Hash FunctionHash Function
Hash Function
 
Double DES & Triple DES
Double DES & Triple DESDouble DES & Triple DES
Double DES & Triple DES
 
Kerberos : An Authentication Application
Kerberos : An Authentication ApplicationKerberos : An Authentication Application
Kerberos : An Authentication Application
 
SSL & TLS Architecture short
SSL & TLS Architecture shortSSL & TLS Architecture short
SSL & TLS Architecture short
 
block ciphers
block ciphersblock ciphers
block ciphers
 
Kerberos protocol
Kerberos protocolKerberos protocol
Kerberos protocol
 

Destacado

Kerberos presentation
Kerberos presentationKerberos presentation
Kerberos presentation
Chris Geier
 

Destacado (20)

Kerberos explained
Kerberos explainedKerberos explained
Kerberos explained
 
Kerberos presentation
Kerberos presentationKerberos presentation
Kerberos presentation
 
An Introduction to Kerberos
An Introduction to KerberosAn Introduction to Kerberos
An Introduction to Kerberos
 
Kerberos Protocol
Kerberos ProtocolKerberos Protocol
Kerberos Protocol
 
Kerberos
KerberosKerberos
Kerberos
 
Kerberos survival guide-STL 2015
Kerberos survival guide-STL 2015Kerberos survival guide-STL 2015
Kerberos survival guide-STL 2015
 
Kerberos case study
Kerberos case studyKerberos case study
Kerberos case study
 
Windows Service Hardening
Windows Service HardeningWindows Service Hardening
Windows Service Hardening
 
The RIPE Experience
The RIPE ExperienceThe RIPE Experience
The RIPE Experience
 
Internet Accessible ICS in Japan (English)
Internet Accessible ICS in Japan (English)Internet Accessible ICS in Japan (English)
Internet Accessible ICS in Japan (English)
 
Accelerating OT - A Case Study
Accelerating OT - A Case StudyAccelerating OT - A Case Study
Accelerating OT - A Case Study
 
Incubation of ICS Malware (English)
Incubation of ICS Malware (English)Incubation of ICS Malware (English)
Incubation of ICS Malware (English)
 
S4xJapan Closing Keynote
S4xJapan Closing KeynoteS4xJapan Closing Keynote
S4xJapan Closing Keynote
 
Attacking and Defending Autos Via OBD-II from escar Asia
Attacking and Defending Autos Via OBD-II from escar AsiaAttacking and Defending Autos Via OBD-II from escar Asia
Attacking and Defending Autos Via OBD-II from escar Asia
 
Vulnerability Inheritance in ICS (English)
Vulnerability Inheritance in ICS (English)Vulnerability Inheritance in ICS (English)
Vulnerability Inheritance in ICS (English)
 
Dynamic Zoning Based On Situational Activity in ICS (Japanese)
Dynamic Zoning Based On Situational Activity in ICS (Japanese)Dynamic Zoning Based On Situational Activity in ICS (Japanese)
Dynamic Zoning Based On Situational Activity in ICS (Japanese)
 
Remote Control Automobiles at ESCAR US 2015
Remote Control Automobiles at ESCAR US 2015Remote Control Automobiles at ESCAR US 2015
Remote Control Automobiles at ESCAR US 2015
 
RSA Conference 2017 session: What System Stores on the Disk Without Telling You
RSA Conference 2017 session: What System Stores on the Disk Without Telling YouRSA Conference 2017 session: What System Stores on the Disk Without Telling You
RSA Conference 2017 session: What System Stores on the Disk Without Telling You
 
RSA Conference 2017 session: Hacker’s Perspective on Your Windows Infrastruct...
RSA Conference 2017 session: Hacker’s Perspective on Your Windows Infrastruct...RSA Conference 2017 session: Hacker’s Perspective on Your Windows Infrastruct...
RSA Conference 2017 session: Hacker’s Perspective on Your Windows Infrastruct...
 
The Stuxnet Worm creation process
The Stuxnet Worm creation processThe Stuxnet Worm creation process
The Stuxnet Worm creation process
 

Similar a Kerberos

Gunaspresentation1
Gunaspresentation1Gunaspresentation1
Gunaspresentation1
anchalaguna
 
BAIT1103 Chapter 3
BAIT1103 Chapter 3BAIT1103 Chapter 3
BAIT1103 Chapter 3
limsh
 
Kerberos survival guide
Kerberos survival guideKerberos survival guide
Kerberos survival guide
J.D. Wade
 
Kerberos Architecture.pptx
Kerberos Architecture.pptxKerberos Architecture.pptx
Kerberos Architecture.pptx
Shashwat Shriparv
 
Kerberos Survival Guide - St. Louis Day of .Net
Kerberos Survival Guide - St. Louis Day of .NetKerberos Survival Guide - St. Louis Day of .Net
Kerberos Survival Guide - St. Louis Day of .Net
J.D. Wade
 

Similar a Kerberos (20)

CRYPTOGRAPHY AND NETWORK SECURITY
CRYPTOGRAPHY AND NETWORK SECURITYCRYPTOGRAPHY AND NETWORK SECURITY
CRYPTOGRAPHY AND NETWORK SECURITY
 
Gunaspresentation1
Gunaspresentation1Gunaspresentation1
Gunaspresentation1
 
CS6701 CRYPTOGRAPHY AND NETWORK SECURITY
CS6701 CRYPTOGRAPHY AND NETWORK SECURITYCS6701 CRYPTOGRAPHY AND NETWORK SECURITY
CS6701 CRYPTOGRAPHY AND NETWORK SECURITY
 
6. Kerberos.ppt
6. Kerberos.ppt6. Kerberos.ppt
6. Kerberos.ppt
 
kerb.ppt
kerb.pptkerb.ppt
kerb.ppt
 
BAIT1103 Chapter 3
BAIT1103 Chapter 3BAIT1103 Chapter 3
BAIT1103 Chapter 3
 
CT UNIT 5 Session 3.ppt User authentication and kerberos protocol
CT UNIT 5 Session 3.ppt User authentication and kerberos protocolCT UNIT 5 Session 3.ppt User authentication and kerberos protocol
CT UNIT 5 Session 3.ppt User authentication and kerberos protocol
 
kerberos
kerberoskerberos
kerberos
 
Kerberos
KerberosKerberos
Kerberos
 
Kerberos survival guide
Kerberos survival guideKerberos survival guide
Kerberos survival guide
 
Elliptic curve cryptography
Elliptic curve cryptographyElliptic curve cryptography
Elliptic curve cryptography
 
Kerberos Architecture.pptx
Kerberos Architecture.pptxKerberos Architecture.pptx
Kerberos Architecture.pptx
 
Lecture 9 key distribution and user authentication
Lecture 9 key distribution and user authentication Lecture 9 key distribution and user authentication
Lecture 9 key distribution and user authentication
 
Kerberos realms & multiple kerberi
Kerberos realms & multiple kerberiKerberos realms & multiple kerberi
Kerberos realms & multiple kerberi
 
1165839977.pptx
1165839977.pptx1165839977.pptx
1165839977.pptx
 
authentication.ppt
authentication.pptauthentication.ppt
authentication.ppt
 
Kerberos Architecture.pptx
Kerberos Architecture.pptxKerberos Architecture.pptx
Kerberos Architecture.pptx
 
Rakesh raj
Rakesh rajRakesh raj
Rakesh raj
 
Kerberos Survival Guide - St. Louis Day of .Net
Kerberos Survival Guide - St. Louis Day of .NetKerberos Survival Guide - St. Louis Day of .Net
Kerberos Survival Guide - St. Louis Day of .Net
 
CRYPTOGRAPHY AND NETWORK SECURITY- Transport-level Security
CRYPTOGRAPHY AND NETWORK SECURITY- Transport-level SecurityCRYPTOGRAPHY AND NETWORK SECURITY- Transport-level Security
CRYPTOGRAPHY AND NETWORK SECURITY- Transport-level Security
 

Último

08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
Delhi Call girls
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
Earley Information Science
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
UK Journal
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
Principled Technologies
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
Enterprise Knowledge
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
Delhi Call girls
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
Safe Software
 

Último (20)

GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Evaluating the top large language models.pdf
Evaluating the top large language models.pdfEvaluating the top large language models.pdf
Evaluating the top large language models.pdf
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 

Kerberos

  • 1. KERBEROS PRESENTED BY SUTANU PAUL(CSI 13023) MD ARIFUL HOQUE(CSI 13020) MTECH(IT) 1ST SEM TEZPUR UNIVERSITY
  • 2. OUTLINE • • • • • • • • • • What is Kerberos? Why Kerberos? Firewall Vs Kerberos Kerberos design How does Kerberos work? Application of Kerberos Comparison between version 4 and 5 Attacks on Kerberos Limitation of Kerberos References
  • 3. WHAT IS KERBEROS? • Literal meaning: In Greek mythology,kerberos is a multi-headed dog (usually three) which gaurds the entrance of Hades. • Technically Kerberos is an authentication protocol implemented on Project Athena at MIT • Athena provides an open network computing environment • Each user has complete control of its workstation • But the workstations can not be trusted completely to identify its users to the network services • Kerberos acts as a third party authenticator - Helps the user to prove its identity to the various services and vice versa • Uses symmetrical cryptographic algorithms (private key cryptosystems) –Same key is used for encryption as well as decryption –Uses DES (Data Encryption Standard)
  • 4. WHAT IS KERBEROS?…cont. What's with the 3 heads? ● Authentication – confirms that a user who is requesting services is a valid user of the network ● Authorization – granting of specific types of service to a user, based on their authentication ● Accounting – The tracking of the consumption of network resources by users
  • 5. WHY KERBEROS? • Authentication is a key feature in a multi-user environment. • Sending usernames and passwords over the network is not secure. • Each time a password is sent in the network, there is a chance for interception. Problem: Cannot trust workstation to identify their users correctly in an open distributed environment Solution: – Building elaborate authentication protocols at each server – A centralized authentication server (Kerberos)
  • 6. FIREWALL VS KERBEROS • Firewall make a risky assumption that attackers are coming from the outside. In reality attacks frequently come from within. • Kerberos assumes that network connections (rather than servers and workstations) are the weak link in network security.
  • 7.
  • 8. HOW DOES KERBEROS WORK? ….cont. • To request a service from a server, the client goes through three phases of authentication • Phase 1 –The client requests a ticket from the Kerberos –Kerberos grants a ticket and a session key –The ticket is used for requesting other tickets for various services –Ticket conveys the identity of the client to the server –The session key is used for conversation between the client and the server
  • 9. HOW DOES KERBEROS WORK? ….cont. Phase 2 –The client uses the ticket of the first phase to request a ticket from the ticket granting server (TGS) for a specific service Phase 3 –The client presents the key to the server for the service
  • 10. A more detailed look… AUTHENTICATION SERVER • The client sends a plaintext request to the AS asking for a ticket it can use to talk to the TGS. • Request: -Login name -TGS name • Since this request contains only well-known names, it does not need to be sealed.
  • 11. AUTHENTICATION SERVER • The AS finds the keys corresponding to the login name and the TGS name. • The AS creates a ticket: – Login name – TGS name – Client network address – TGS session key • The AS seals the ticket with the TGS secret key.
  • 12. AUTHENTICATION SERVER RESPONSE • The AS also creates a random session key for the client and the TGS to use. • The session key and the sealed ticket are sealed with the user (login name) secret key. Sealed with TGS key Ticket: TGS session key Sealed with user key login name TGS name net address TGS session key
  • 13. ACCESSING THE TGS • The client decrypts the message using the user’s password as the secret key. • The client now has a session key and ticket that can be used to contact the TGS. • The client cannot see inside the ticket, since the client does not know the TGS secret key.
  • 14. ACCESSING A SERVER • When a client wants to start using a server (service), the client must first obtain a ticket. • The client composes a request to send to the TGS Sealed with TGS key TGS Ticket Authenticator Server Name Sealed with session key
  • 15. TGS RESPONSE • The TGS decrypts the ticket using it’s secret key. Inside is the TGS session key. • The TGS decrypts the authenticator using the session key. • The TGS check to make sure login names, client addresses and TGS server name are all ok. • TGS makes sure the authenticator is recent.
  • 16. TGS RESPONSE Once everything checks out - the TGS: • Builds a ticket for the client and requested server. The ticket is sealed with the server key. • Creates a session key • Seals the entire message with the TGS session key and sends it to the client
  • 17. CLIENT ACCESSES SERVER • The client now decrypts the TGS response using the TGS session key. • The client now has a session key for use with the new server, and a ticket to use with that server. • The client can contact the new server using the same format used to access the TGS.
  • 18.
  • 19. WHY TWO SERVERS? Note that –First phase is used for user-authentication (using the id and password) –Second and third phase may continue several times with the same TGT granted by the first phase In absence of this additional phase –For each service, the user needs to authenticate itself using its password –Once the intruder gets the first session key, it can continue doing malicious works throughout the session –That’s why life and timestamp are mentioned
  • 20. APPLICATIONS OF KERBEROS • Windows servers use Kerberos as the primary authentication protocol. • Telnet/FTP uses Kerberos. • Authentication for web services. • Authenticating email client and servers.
  • 21. comparison between version 4 and 5 Version 4 • Environmental drawbacks – Encryption system dependence – Internet protocol dependence – Message format – Ticket lifetimes – Authentication forwarding – Inter-realm authentication
  • 22. VERSION 4 • Technical deficiencies – Double Encryption (Bellovin and Merritt [Bel90]) – PCBC encryption – Authenticators and replay detection – Password attacks – Session keys – Cryptographic checksum – Kerberised
  • 23. ATTACKS ON KERBEROS • • • • KDC security Availability Replay attacks Password-guessing attacks
  • 25. REFERENCES Books o Computer Networks by Andrew S Tanenbaum, Fifth Edition. o Data Communications and Networking by Behrouz A Forouzan, Fourth Edition. Websites owww.mit.edu owww.google.com owww.wikipedia.com
  • 26. KERBEROS DESIGN • • • • • • • • Every User has a password. Every service has a password. Password are never sent across the network in clear text(or stored in memory) User must identify himself once at the beginning of a workstation session(login session) The only entity that knows all the passwords is the AUTHENTICATION SERVER (AS) Every user shares its private secret key with the AUTHENTICATION SERVER -User X doesn’t know the private key of user Y. Key Distribution: When X wants to communicate with Y, they need to use a secret key between them -AS is responsible for distributing this session key (conversation key) between X and Y Everybody has to trust AS
  • 27. HOW DOES KERBEROS WORK? ….cont. • Instead of client (Alice) sending password to application server(Bob): -It Request TICKET From AUTHENTICATION SERVER -the TICKET and encrypted request is sent to application server(Bob). • How To Request Tickets Without Repeatedly Sending Credentials? – TICKET-GRANTING TICKET (TGT)