
KERBEROS

3/30/12

Netprog: Kerberos


Contents:
Introduction
History
Components
Authentication Process
Strengths
Weaknesses and Solutions
Applications
References


Introduction
It is a secure, single-sign-on, trusted third-party authentication service.
Makes the assumption that the connection between a client and a service is insecure.
Passwords are encrypted to prevent others from reading them.
Clients only have to authenticate once during a pre-defined lifetime.
Provides a way to authenticate

How did Kerberos get its name?


The name "Kerberos" comes from the mythological three-headed dog that guarded the entrance to Hades.
Hades => Underworld (where hackers apparently live).

History
Developed at MIT as a part of Project Athena in the mid 1980s.
Currently, Kerberos is up to Version 5.
Version 4 was the first version to be released outside of MIT.
Adopted by several private companies as well as added to several operating systems.
Its creation was inspired by client

Components
Principals
Realms
Key Distribution Centers (KDCs)
Authentication Service
Ticket Granting Service

Components
Principals:
Each entity, such as a client or an application server, is represented as a principal.

Realms:
Companies and organizations are composed of different departments, each of which may be served by its own realm.

Components
Key Distribution Centers (KDCs):
Composed of an Authentication Service and a Ticket Granting Server.
Has a database that houses all principals and their keys for a given realm.
At least one KDC per realm.

Authentication Process
[Figure: Susan at Susan's Desktop Computer, the XYZ Service, and the Kerberos Server, i.e. the Key Distribution Center, which contains the Authentication Service and the Ticket Granting Service]

XYZ Service represents something requiring Kerberos authentication (web server, ftp server, ssh server, etc).

Susan to the Authentication Service: "I'd like to be allowed to get tickets from the Ticket Granting Server, please."

Authentication Service to Susan: "Okay. I locked this box with your secret password. If you can unlock it, you can use its contents to access my Ticket Granting Service."

[Figure: Susan unlocks the box with her password (myPassword) and now holds a TGT on her desktop computer]

TGT
Because Susan was able to open the box (decrypt a message) from the Authentication Service, she is now the owner of a Ticket-Granting Ticket. The Ticket-Granting Ticket (TGT) must be presented to the Ticket Granting Service in order to acquire service tickets for use with services requiring Kerberos authentication. The TGT contains no password information.

Susan to the Ticket Granting Service: "Let me prove I am Susan to XYZ Service. Here's a copy of my TGT!"

Ticket Granting Service to Susan: "You're Susan. Here, take this." (The service ticket reads: "Hey XYZ: Susan is Susan. CONFIRMED: TGS")

Susan to XYZ Service: "I'm Susan. I'll prove it. Here's a copy of my legit service ticket for XYZ."

XYZ Service: "That's Susan alright. Let me determine if she is authorized to use me."

Authorization checks are performed by the XYZ service. Just because Susan has authenticated herself does not inherently mean she is authorized to make use of the XYZ service.

One remaining note: Tickets (your TGT as well as service-specific tickets) have expiration dates configured by your local system administrator(s). An expired ticket is unusable. Until a ticket's expiration, it may be used repeatedly.

Susan to XYZ Service, later: "ME AGAIN! I'll prove it. Here's another copy of my legit service ticket for XYZ."

XYZ Service: "That's Susan again. Let me determine if she is authorized to use me."
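The exchange shown in the slides above, as an added example that is not part of the original deck: a toy model of the KDC components (Authentication Service and Ticket Granting Service over one realm database), a Kerberized service, and the client side of the AS, TGS and AP exchanges. The cryptography is a stand-in built from the Python standard library (PBKDF2 to derive a key from the password, an HMAC-SHA256 keystream for confidentiality and an HMAC tag for integrity); real Kerberos uses its own encryption types. The realm name, the principals "susan" and "bob", the password "myPassword", the service name "xyz/host.example.org", the 8-hour lifetime and the 300-second clock-skew window are all constructed for the example.

```python
"""Toy model of the Kerberos exchange in the slides (added example, not from the deck).
The cryptography is a stand-in from the standard library: PBKDF2 derives a key from the
password, an HMAC-SHA256 keystream gives confidentiality and an HMAC tag gives integrity.
Real Kerberos uses its own encryption types; the message flow is what this shows."""
import hashlib, hmac, json, os

REALM = "EXAMPLE.ORG"   # constructed realm name
CLOCK_SKEW = 300        # constructed: seconds an authenticator timestamp may be off

def key_from_password(password, principal):
    # The client's long-term key is derived locally; the password never goes on the wire.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), (REALM + principal).encode(), 10_000)

def _keystream(key, nonce, length):
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest() for i in range(length // 32 + 1)]
    return b"".join(blocks)[:length]

def seal(key, obj):
    """Encrypt-then-MAC a JSON object: the 'locked box' of the slides."""
    plain, nonce = json.dumps(obj).encode(), os.urandom(16)
    body = bytes(p ^ s for p, s in zip(plain, _keystream(key, nonce, len(plain))))
    return nonce + body + hmac.new(key, nonce + body, "sha256").digest()

def unseal(key, blob):
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, "sha256").digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(b ^ s for b, s in zip(body, _keystream(key, nonce, len(body)))))

def authenticator(session_key, client, now):
    # Fresh per request: proves the sender holds the session key now, so a copied
    # ticket on its own is useless once the skew window has passed.
    return seal(session_key, {"client": client, "time": now})

def check_authenticator(session_key, blob, ticket, now):
    auth = unseal(session_key, blob)
    if auth["client"] != ticket["client"] or abs(now - auth["time"]) > CLOCK_SKEW:
        raise PermissionError("authenticator does not match ticket")
    return auth

class KDC:
    """Authentication Service and Ticket Granting Service over one realm database."""
    def __init__(self):
        self.db = {"krbtgt/" + REALM: os.urandom(32)}   # principal -> long-term key

    def as_exchange(self, client, now, lifetime=8 * 3600):
        """AS-REQ/AS-REP: the TGT is sealed for the TGS and wrapped under the client's
        password-derived key. Only a client that knows the password can open the reply."""
        tgt = {"client": client, "session": os.urandom(32).hex(), "expires": now + lifetime}
        return seal(self.db[client], {"session": tgt["session"], "expires": tgt["expires"],
                                      "tgt": seal(self.db["krbtgt/" + REALM], tgt).hex()})

    def tgs_exchange(self, sealed_tgt, auth_blob, service, now):
        """TGS-REQ/TGS-REP: validate the TGT and issue a ticket for the named service."""
        tgt = unseal(self.db["krbtgt/" + REALM], sealed_tgt)
        if now >= tgt["expires"]:
            raise PermissionError("TGT expired")
        session = bytes.fromhex(tgt["session"])
        check_authenticator(session, auth_blob, tgt, now)
        ticket = {"client": tgt["client"], "session": os.urandom(32).hex(), "expires": tgt["expires"]}
        return seal(session, {"session": ticket["session"], "ticket": seal(self.db[service], ticket).hex()})

class Service:
    """A Kerberized service such as 'XYZ'; it holds its own key, never the user's password."""
    def __init__(self, name, kdc, authorized_users):
        self.name, self.key, self.authorized = name, os.urandom(32), set(authorized_users)
        kdc.db[name] = self.key

    def ap_exchange(self, sealed_ticket, auth_blob, now):
        ticket = unseal(self.key, sealed_ticket)
        if now >= ticket["expires"]:
            raise PermissionError("service ticket expired")
        session = bytes.fromhex(ticket["session"])
        auth = check_authenticator(session, auth_blob, ticket, now)
        if ticket["client"] not in self.authorized:   # authentication is not authorization
            raise PermissionError(f"{ticket['client']} authenticated but not authorized for {self.name}")
        # AP-REP: echo the timestamp under the session key (mutual authentication).
        return seal(session, {"time": auth["time"]})

def login_and_use(kdc, service, user, password, now, use_at=None):
    """Client side of the whole flow; returns the user name the service accepted."""
    use_at = now if use_at is None else use_at
    as_rep = unseal(key_from_password(password, user), kdc.as_exchange(user, now))
    tgt_key, tgt = bytes.fromhex(as_rep["session"]), bytes.fromhex(as_rep["tgt"])
    tgs_rep = unseal(tgt_key, kdc.tgs_exchange(tgt, authenticator(tgt_key, user, use_at), service.name, use_at))
    svc_key, ticket = bytes.fromhex(tgs_rep["session"]), bytes.fromhex(tgs_rep["ticket"])
    ap_rep = unseal(svc_key, service.ap_exchange(ticket, authenticator(svc_key, user, use_at), use_at))
    if ap_rep["time"] != use_at:
        raise PermissionError("service could not prove it holds the session key")
    return user

def demo():
    """Constructed scenario: Susan is authorized for XYZ, Bob is not."""
    kdc = KDC()
    for user, pw in (("susan", "myPassword"), ("bob", "hunter2")):
        kdc.db[user] = key_from_password(pw, user)
    xyz, now = Service("xyz/host.example.org", kdc, ["susan"]), 1_000_000
    results = {"susan": login_and_use(kdc, xyz, "susan", "myPassword", now)}
    for label, args in {"wrong_password": ("susan", "guess", now), "unauthorized": ("bob", "hunter2", now),
                        "expired": ("susan", "myPassword", now, now + 9 * 3600)}.items():
        try:
            results[label] = login_and_use(kdc, xyz, *args)
        except (ValueError, PermissionError) as err:
            results[label] = type(err).__name__
    return results
```

Running `demo()` walks Susan through all three exchanges and then shows the three failure modes the slides discuss: a wrong password cannot open the AS reply (the password itself is never checked by the KDC, so nothing about it crosses the wire), Bob authenticates fine but XYZ refuses him because authorization is the service's own decision, and a TGT presented after its lifetime is rejected by the TGS. The per-request authenticator is what limits the damage from a copied ticket to the clock-skew window, in addition to the ticket lifetime.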

Strengths
1. Passwords are never sent across the network unencrypted.
2. Clients and application services are mutually authenticated.
3. Tickets have a limited lifetime.
4. Authentication through the AS only has to happen once.
5. Shared secret keys between clients and services are more efficient than public keys.

Weaknesses and Solutions

Weakness: If a TGT is stolen, it can be used to access network services.
Solution: Only a problem until the ticket expires, in a few hours.

Weakness: Very bad if the Authentication Server is compromised.
Solution: Physical protection for the server.

Applications:
Kerberos-aware applications are called Kerberized.

Some Kerberized applications are:
Berkeley R-commands
Telnet
POP
USC's Win2000 network
FTP

THANK YOU

