Gunaspresentation1
-
Upload
anchalaguna -
Category
Technology
-
view
289 -
download
0
Transcript of Gunaspresentation1
By
A.GUNA SEKHAR
Context 1 Introduction
2 Aims3 Definition of components and terms 3.1 Realm 3.2 Principal 3.3 Ticket 3.4 Encryption 3.5 Key Distribution Center (KDC)4 Kerberos Operation 5 How does Kerberos Work 5.1 TGT (Ticket Granting Ticket)
5.2 TGS (Ticket Granting Service) 5.3 AS (Application Server) 6. Applications 7. Weakness and Solutions
Introduction
• Network authentication protocol• Developed at MIT in the mid 1980s• Available as open source or in
supported commercial software• Kerberos means dogs in Greek
Mythology• This is standard for authentication
Why Kerberos
• Sending usernames and passwords in the clear security problem may raise
• Each time a password is sent in the clear, there is a chance for interception.
• Server stores the password• Client stores the password and name
Aims of Kerberos
• Password must never travel over network• Password never stored in the client in any
format. It will discarded Immediately• Password never stored in server in an
unencrypted format• User id and password may enter only once per
session • When a user changes its password, it is
changed for all services at the same time
Firewall vs. Kerberos?
• Firewalls make a risky assumption: that attackers are coming from the outside. In reality, attacks frequently come from within.
• Kerberos assumes that network connections (rather than servers and work stations) are the weak link in network security.
Terminology we have to know before knowing working of Kerberos
Realm
• It indicates Authentication Administrative Domain
• It is used to provide trust relation ship Between client and server and domain and sub domain
• a user/service belongs to a realm if and only if he/it shares a secret (password/key) with the authentication server of that realm.
Principal
• The name is used to give entries in the authentication server data base
• Principle in Kerberos V will be like this component1/component2/.../componentN@REALM
• The instance is optional and is normally used to better qualify the type of user.
Tickets
• Tickets are issued by the authentication server
• these are encrypted using the secret key of the service they are intended for
• this key is a secret shared only between the authentication server and the server providing the service, not even the client which requested the ticket can know it or change its contents
Ticket
• The requesting user's principal(username);
• The principal of the service it is intended;• The IP address of the client machine from
which the ticket can be used.• The date and time (in timestamp format)
when the tickets validity commences;• The ticket's maximum lifetime• The session key
Encryption
• Kerberos needs to encrypt and decrypt the messages (tickets and authenticators) passing between the various participants in the authentication
• Kerberos uses only symmetrical key encryption
Key Distribution Center (KDC)
• The authentication server in a Kerberos environment, based on its ticket distribution function for access to the services, is called Key Distribution Center
• KDC Contains the following :Database
Authentication ServerTime granting server
Kerberos Operation
How does Kerberos work?: Ticket Granting Tickets
How does Kerberos Work?: The Ticket Granting Service
How does Kerberos work?: The Application Server
Applications
• Authentication• Authorization• Confidentiality• Within networks and small sets of networks
Weaknesses and Solutions
If TGT stolen, can be used to access network services.
Only a problem until ticket expires in a few hours.
Subject to dictionary attack.
Timestamps require hacker to guess in 5 minutes.
Very bad if Authentication Server compromised.
Physical protection for the server.
Questions?
THANK YOU