Kerberos System

Oct 31, 2013

Kumar Madugula

What is Kerberos?

A secure network authentication protocol.

Uses a trusted Key Distribution Center (KDC).

Developed at MIT in the 1980s.



What does it do?

Authenticates the client.

Distributes a shared session key between the client and application server programs.

The user enters the password only once; there is no need to re-enter it whenever the user opens an application.



Terminology



Principal


Authentication Server (AS)


Ticket Granting Server (TGS)


Application Server



Ticket Granting Ticket (TGT)


Ticket


Session Key



Terminology

[Diagram: Client, Authentication Server, Ticket Granting Server and Application Server, with the labels TGT and Ticket on the exchanges between them]

Working

Client steps

Obtains a Ticket Granting Ticket from the Authentication Server.

Obtains a ticket for the required application server from the Ticket Granting Server.

Communicates with the application server.

Client and Authentication Server (AS) interaction

The client sends its user name and a request for a ticket to access the TGS.

Client -> Authentication Server: Name, TGS, nonce

Client and Authentication Server interaction

The authentication server looks up the client in its database.

It generates a session key (K_CT) for use between the client and the TGS.

The AS encrypts K_CT using the client’s secret key (K_user).

The authentication server also uses the TGS’s secret key to create and send the user a ticket-granting ticket (TGT).

Authentication Server -> Client: SK1, TGT

SK1 = {K_CT, nonce} K_user

TGT = {user, TGS, t1, t2, K_CT} K_TGS

Client and Ticket Granting Server interaction

The client uses its password to decrypt SK1 and obtain the session key, then uses that key to create an authenticator containing the user’s name, IP address and a time stamp.

The client sends this authenticator, along with the TGT, to the TGS, requesting access to the application server (S).

Client -> Ticket Granting Server: AUTH1, TGT, Server, nonce

TGT = {user, TGS, t1, t2, K_CT} K_TGS

AUTH1 = {user, ipaddress, timestamp} K_CT
Client and Ticket Granting Server interaction

The TGS decrypts the TGT, then uses the K_CT inside the TGT to decrypt the authenticator. It verifies the information in the authenticator (AUTH1).

The TGS then creates a new session key (K_CS) for the client and application server to use, and encrypts it using K_CT. It also creates a new ticket encrypted with the target server’s secret key (K_Server).

Ticket Granting Server -> Client: SK2, TK

SK2 = {K_CS, nonce} K_CT

TK = {user, server, t1, t2, K_CS} K_Server

Client and Server interaction

The client decrypts SK2 to get K_CS.

It creates a new authenticator encrypted with K_CS and sends it with the ticket to the application server.

Client -> Application Server: AUTH2, TK, request, nonce

AUTH2 = {user, ipaddress, timestamp} K_CS

TK = {user, server, t1, t2, K_CS} K_Server

The application server decrypts and checks the ticket, then decrypts the authenticator and verifies the user.

From now on, the client and server use K_CS as a shared secret key to communicate.
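The three exchanges above, as an added example in Python (not part of the original slides): an in-process simulation with the AS and TGS in one KDC object, a small application server, and a client that runs the whole login. The cipher (seal/unseal: a SHA-256 counter keystream plus an HMAC tag) and the password-to-key function are stand-ins chosen so the script needs no third-party library; they are not Kerberos' real encryption types or string-to-key function. Principal names, passwords and the IP address are constructed. The routine worth studying is check_ticket: the TGS and the application server run the same checks, and it rejects a ticket for another service, an expired ticket, an authenticator whose name differs from the ticket's, a stale timestamp, and a replayed authenticator, which is what the t1/t2 and timestamp fields in the slides are for.

```python
import hashlib, hmac, json, os, time

def _keystream(key, iv, n):
    blocks = (hashlib.sha256(key + iv + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, obj):
    """Toy authenticated encryption (stand-in for real Kerberos enctypes): JSON, XOR keystream, HMAC tag."""
    pt, iv = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, iv, len(pt))))
    return iv + ct + hmac.new(key, iv + ct, hashlib.sha256).digest()

def unseal(key, blob):
    """Inverse of seal(); raises ValueError on a wrong key or a modified message."""
    iv, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, iv + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, iv, len(ct)))))

def user_key(password):
    return hashlib.sha256(b"toy-string2key|" + password.encode()).digest()  # K_user, toy string-to-key

def check_ticket(service_key, ticket, authenticator, service, now, replay_cache, skew=300):
    """The checks both the TGS (service='TGS') and an application server perform; returns (user, session key)."""
    t = unseal(service_key, ticket)                       # only the right K_TGS / K_Server opens it
    if t["service"] != service or not t["t1"] <= now <= t["t2"]:
        raise ValueError("ticket is for another service, expired or not yet valid")
    a = unseal(bytes.fromhex(t["key"]), authenticator)   # the session key comes out of the ticket
    if a["user"] != t["user"]:
        raise ValueError("authenticator name does not match the ticket")
    if abs(now - a["timestamp"]) > skew:
        raise ValueError("authenticator timestamp outside the allowed clock skew")
    if (a["user"], a["timestamp"]) in replay_cache:
        raise ValueError("authenticator already seen: replay")
    replay_cache.add((a["user"], a["timestamp"]))
    return t["user"], bytes.fromhex(t["key"])

class KDC:
    def __init__(self, clock=time.time):   # Authentication Server and Ticket Granting Server in one object
        self.clock, self.users, self.replay_cache = clock, {}, set()
        self.service_keys = {"TGS": os.urandom(32)}      # K_TGS

    def add_user(self, name, password):
        self.users[name] = user_key(password)            # the AS stores K_user, never the password

    def add_service(self, name):                         # K_Server, shared with that server
        return self.service_keys.setdefault(name, os.urandom(32))

    def as_exchange(self, user, nonce, lifetime=8 * 3600):
        """Client -> AS: name, TGS, nonce.   AS -> Client: SK1, TGT."""
        k_ct, t1 = os.urandom(32).hex(), self.clock()
        sk1 = seal(self.users[user], {"key": k_ct, "nonce": nonce})
        tgt = seal(self.service_keys["TGS"], {"user": user, "service": "TGS", "t1": t1, "t2": t1 + lifetime, "key": k_ct})
        return sk1, tgt

    def tgs_exchange(self, auth1, tgt, server, nonce, lifetime=3600):
        """Client -> TGS: AUTH1, TGT, server, nonce.   TGS -> Client: SK2, TK."""
        now = self.clock()
        user, k_ct = check_ticket(self.service_keys["TGS"], tgt, auth1, "TGS", now, self.replay_cache)
        k_cs = os.urandom(32).hex()
        sk2 = seal(k_ct, {"key": k_cs, "nonce": nonce})
        tk = seal(self.service_keys[server], {"user": user, "service": server, "t1": now, "t2": now + lifetime, "key": k_cs})
        return sk2, tk

class AppServer:
    def __init__(self, name, key, clock=time.time):
        self.name, self.key, self.clock, self.replay_cache = name, key, clock, set()

    def accept(self, auth2, tk):
        """Client -> Server: AUTH2, TK.   Returns (user, K_CS) once both check out."""
        return check_ticket(self.key, tk, auth2, self.name, self.clock(), self.replay_cache)

def make_authenticator(key, user, now):
    return seal(key, {"user": user, "ipaddress": "192.0.2.10", "timestamp": now})  # constructed address

def open_reply(key, reply, nonce):
    """Decrypts SK1 / SK2 and checks the nonce so the reply answers the request we sent."""
    r = unseal(key, reply)
    if r["nonce"] != nonce:
        raise ValueError("reply does not match the request we sent")
    return bytes.fromhex(r["key"])

def client_login(kdc, app, user, password, clock=time.time):
    """Client side of all three exchanges; returns (user seen by the app server, client K_CS, server K_CS)."""
    nonce1, nonce2 = os.urandom(8).hex(), os.urandom(8).hex()
    sk1, tgt = kdc.as_exchange(user, nonce1)
    k_ct = open_reply(user_key(password), sk1, nonce1)   # only the right password opens SK1
    sk2, tk = kdc.tgs_exchange(make_authenticator(k_ct, user, clock()), tgt, app.name, nonce2)
    k_cs = open_reply(k_ct, sk2, nonce2)
    who, server_k_cs = app.accept(make_authenticator(k_cs, user, clock()), tk)
    return who, k_cs, server_k_cs

def rejects(fn, *args):
    """True when a protocol step refuses its input with ValueError."""
    try:
        fn(*args)
        return False
    except ValueError:
        return True
```

Note that the password never leaves the client: the AS only ever sends SK1, and a wrong password simply fails to open it. The replay cache is keyed on (user, timestamp), which is why the application server and the TGS each keep their own; the clock parameters exist so that ticket expiry can be exercised without waiting.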

Advantages and Weaknesses

Users’ passwords are never sent across the network, either encrypted or in plain text.

A user need only authenticate to the Kerberos system once.

Kerberos v5 can use any private-key encryption algorithm.

Windows 2000 uses a modified version of Kerberos which uses public key certificates instead of shared secret keys for initial authentication.

Disadvantages

Requires trusting the trusted parties (the AS and TGS).

Kerberos was designed for use with single-user client systems.

All existing software must be Kerberos-compatible.

Vulnerable to brute-force attacks against the TGS or AS.
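A defender's counterpart to the last point, as an added example that is not part of the original slides: a sliding-window detector over KDC logs that flags a source address hammering the AS or TGS with failed requests, either many failures for one principal or failures spread across many principals (the many-accounts variant of a brute-force attack). The log format, addresses, principal names and thresholds are constructed for the example; a real KDC's log needs its own parser, but the windowing logic is the same.

```python
import re
from collections import defaultdict, deque

# Constructed sample log in a hypothetical KDC format (not any real KDC's syntax):
#   <epoch seconds> <exchange> client=<principal> src=<ip> result=<OK|FAILED>
SAMPLE_LOG = """\
1000 AS_REQ client=alice src=192.0.2.10 result=OK
1002 AS_REQ client=bob src=192.0.2.11 result=FAILED
1005 AS_REQ client=bob src=192.0.2.11 result=OK
1010 AS_REQ client=bob src=198.51.100.7 result=FAILED
1011 AS_REQ client=bob src=198.51.100.7 result=FAILED
1012 AS_REQ client=bob src=198.51.100.7 result=FAILED
1013 AS_REQ client=bob src=198.51.100.7 result=FAILED
1014 AS_REQ client=bob src=198.51.100.7 result=FAILED
1015 AS_REQ client=bob src=198.51.100.7 result=FAILED
1020 TGS_REQ client=carol src=203.0.113.9 result=FAILED
1021 TGS_REQ client=dave src=203.0.113.9 result=FAILED
1022 TGS_REQ client=erin src=203.0.113.9 result=FAILED
1100 AS_REQ client=frank src=192.0.2.20 result=FAILED
1200 AS_REQ client=frank src=192.0.2.20 result=FAILED
1300 AS_REQ client=frank src=192.0.2.20 result=FAILED
1400 AS_REQ client=frank src=192.0.2.20 result=FAILED
1500 AS_REQ client=frank src=192.0.2.20 result=FAILED
"""

LINE = re.compile(r"^(\d+) (AS_REQ|TGS_REQ) client=(\S+) src=(\S+) result=(OK|FAILED)$")

def parse(text):
    """Yields (ts, exchange, client, src, ok) for each well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            ts, exchange, client, src, result = m.groups()
            yield int(ts), exchange, client, src, result == "OK"

def detect(events, window=60, fail_threshold=5, spray_threshold=3):
    """Sliding-window detector over AS/TGS failures, keyed by source address.
    Returns alerts as (ts, kind, src): 'guessing' when one source reaches fail_threshold
    failures inside the window, 'spraying' when it fails against spray_threshold distinct
    principals inside the window. Each (kind, src) pair is reported once."""
    recent = defaultdict(deque)   # src -> deque of (ts, client) for failures still inside the window
    fired, alerts = set(), []
    for ts, _exchange, client, src, ok in sorted(events):
        if ok:
            continue                                   # successes are not counted against a source
        q = recent[src]
        q.append((ts, client))
        while q and ts - q[0][0] > window:             # drop failures older than the window
            q.popleft()
        checks = (("guessing", len(q) >= fail_threshold),
                  ("spraying", len({c for _, c in q}) >= spray_threshold))
        for kind, hit in checks:
            if hit and (kind, src) not in fired:
                fired.add((kind, src))
                alerts.append((ts, kind, src))
    return alerts

def run_sample():
    """Runs the detector over the constructed log; the slow failures from 192.0.2.20 stay below threshold."""
    return detect(parse(SAMPLE_LOG))
```

The window matters as much as the thresholds: the five failures from 192.0.2.20 are real failures but are spread 100 seconds apart, so no window of 60 seconds ever holds more than one and no alert fires, while the six rapid failures for bob and the three different principals from one source both trip an alert at the event that crosses the line.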