3/30/12
Netprog: Kerberos
Contents:
- Introduction
- History
- Components
- Authentication Process
- Strengths
- Weaknesses and Solutions
- Applications
- References
Introduction
- Kerberos is a secure, single-sign-on, trusted third-party authentication service.
- It makes the assumption that the connection between a client and a service is insecure.
- Passwords are encrypted to prevent others from reading them.
- Clients only have to authenticate once during a pre-defined lifetime.
- Provides a way to authenticate.
History
- Developed at MIT, with Version 4 being the first version to be released outside of MIT.
- Currently adopted by several private companies as well as added to several operating systems.
- Its creation was inspired by client
Components
- Principals
- Realms
- Key Distribution Center (KDC)
Components: Principals and Realms
Companies and organizations are composed of different departments, each with a different service, named a realm.
Components: Key Distribution Center (KDC)
- Composed of an Authentication Service and a Ticket Granting Server.
- Has a database that houses all principals and their keys for a given realm.
- There is at least one KDC per realm.
Authentication Process

The following slides walk through one example. The participants are Susan (at Susan's desktop computer), the Key Distribution Center with its Authentication Service and Ticket Granting Service, and the XYZ Service, which represents something requiring Kerberos authentication (web server, ftp server, ssh server, etc).

Susan to the Authentication Service: "I'd like to be allowed to get tickets from the Ticket Granting Server, please."

Authentication Service to Susan: "Okay. I locked this box with your secret password. If you can unlock it, you can use its contents to access my Ticket Granting Service."

Susan unlocks the box with her password (myPassword).

TGT: Because Susan was able to open the box (decrypt a message) from the Authentication Service, she is now the owner of a Ticket-Granting Ticket. The Ticket-Granting Ticket (TGT) must be presented to the Ticket Granting Service in order to acquire service tickets for use with services requiring Kerberos authentication. The TGT contains no password information.

Susan to the Ticket Granting Service: presents the TGT and asks to use XYZ. The Ticket Granting Service issues her a service ticket for XYZ.

Susan to the XYZ Service: "I'm Susan. I'll prove it. Here's a copy of my legit service ticket for XYZ." The ticket reads: "Hey XYZ: Susan is Susan. CONFIRMED: TGS."

Authorization checks are performed by the XYZ Service. Just because Susan has authenticated herself does not inherently mean she is authorized to make use of the XYZ Service.

One remaining note: Tickets (your TGT as well as service-specific tickets) have expiration dates configured by your local system administrator(s). An expired ticket is unusable. Until a ticket's expiration, it may be used repeatedly.

Later, within the ticket's lifetime, Susan to the XYZ Service: "ME AGAIN! I'll prove it. Here's another copy of my legit service ticket for XYZ." The ticket again reads: "Hey XYZ: Susan is Susan. CONFIRMED: TGS."
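The exchange above (the password-locked box, the TGT, the service ticket, the separate authorization check at XYZ, and ticket reuse until expiration) as a runnable toy simulation. This is an added example, not code from the slides or from any Kerberos implementation: the cipher is a constructed SHA-256/HMAC stand-in for the real Kerberos encryption types, the principal names, keys, clock value and LIFETIME are made up, and the message formats are simplified (no realm names, no mutual-authentication reply from the service).

```python
"""Toy walk-through of the Kerberos ticket flow from the slides: Susan, the
Authentication Service (AS), Ticket Granting Service (TGS) and XYZ service.
Added example only; cipher, names, keys and lifetime are all constructed."""
import hashlib
import hmac
import json
import os

LIFETIME = 3600  # constructed ticket lifetime in seconds (set by admins in practice)

def derive_key(password, principal):
    # KDC stores a key derived from the password; the password never crosses the wire
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 10_000)

def keystream(key, nonce, length):
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(length // 32 + 1))[:length]

def seal(key, obj):
    # Toy authenticated encryption: the "box locked with a key" from the slides
    nonce, pt = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key, blob):
    # Raises ValueError when the key is wrong: the box does not open
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, keystream(key, nonce, len(ct)))))

class KDC:
    # One KDC per realm: AS and TGS share a database of principals and their keys
    def __init__(self):
        self.db = {"krbtgt": os.urandom(32)}  # the TGS's own long-term key
    def as_exchange(self, client, now):
        # AS reply: session key sealed under the client's key, plus a TGT sealed
        # under the TGS key. The TGT carries no password information.
        session, expires = os.urandom(32).hex(), now + LIFETIME
        tgt = seal(self.db["krbtgt"], {"client": client, "session": session, "expires": expires})
        return seal(self.db[client], {"session": session, "expires": expires}), tgt
    def tgs_exchange(self, tgt, authenticator, service, now):
        # Present the TGT plus proof of the session key; get a ticket for `service`
        t = unseal(self.db["krbtgt"], tgt)
        if now > t["expires"]:
            raise ValueError("TGT expired")
        if unseal(bytes.fromhex(t["session"]), authenticator)["client"] != t["client"]:
            raise ValueError("authenticator does not match TGT")
        svc_session = os.urandom(32).hex()
        ticket = seal(self.db[service], {"client": t["client"], "session": svc_session,
                                         "expires": now + LIFETIME})
        return seal(bytes.fromhex(t["session"]), {"session": svc_session}), ticket

class Service:
    # XYZ: checks the ticket with its own key, then makes its own authorization decision
    def __init__(self, name, kdc):
        self.name, self.key, self.acl = name, kdc.db[name], set()
    def handle(self, ticket, authenticator, now):
        t = unseal(self.key, ticket)  # only XYZ and the KDC hold this key
        if now > t["expires"]:
            return "rejected: ticket expired"
        if unseal(bytes.fromhex(t["session"]), authenticator)["client"] != t["client"]:
            return "rejected: authenticator mismatch"
        if t["client"] not in self.acl:  # authenticated is not the same as authorized
            return f"authenticated as {t['client']} but not authorized"
        return f"welcome {t['client']}"

def client_login(kdc, name, password, now):
    reply, tgt = kdc.as_exchange(name, now)
    creds = unseal(derive_key(password, name), reply)  # wrong password -> ValueError
    return {"name": name, "tgt": tgt, "session": creds["session"]}

def client_use_service(kdc, creds, service, now):
    sk = bytes.fromhex(creds["session"])
    try:
        reply, ticket = kdc.tgs_exchange(
            creds["tgt"], seal(sk, {"client": creds["name"], "t": now}), service.name, now)
    except ValueError as e:
        return f"rejected by TGS: {e}"
    svc_key = bytes.fromhex(unseal(sk, reply)["session"])
    return service.handle(ticket, seal(svc_key, {"client": creds["name"], "t": now}), now)

def demo():
    kdc = KDC()
    kdc.db["susan"] = derive_key("myPassword", "susan")  # password from the slides
    kdc.db["xyz"] = os.urandom(32)  # a service's key is random, not a password
    xyz, now, out = Service("xyz", kdc), 1_700_000_000, {}  # constructed clock value
    try:
        client_login(kdc, "susan", "wrongPassword", now)
        out["wrong_password"] = "box opened"
    except ValueError:
        out["wrong_password"] = "box did not open"
    creds = client_login(kdc, "susan", "myPassword", now)
    out["before_acl"] = client_use_service(kdc, creds, xyz, now)
    xyz.acl.add("susan")
    out["after_acl"] = client_use_service(kdc, creds, xyz, now)
    out["again"] = client_use_service(kdc, creds, xyz, now + 60)  # reuse within lifetime
    out["expired"] = client_use_service(kdc, creds, xyz, now + 2 * LIFETIME)
    return out
```

Calling demo() runs the whole story: the wrong password cannot open the AS reply, the correct one yields a TGT, the first visit to XYZ is authenticated but not authorized until XYZ's own ACL allows it, a second visit within the lifetime succeeds, and a request after expiry is refused by the TGS. Note what never appears on the "wire": the password itself (only a key derived from it is used), and inside the TGT, no password information at all.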
Strengths
1. Passwords are never sent across the network unencrypted.
2. Clients and application services are mutually authenticated.
3. Tickets have a limited lifetime.
4. Authentication through the AS only has to happen once.
5. Shared secret keys between clients and services are more efficient than public keys.
Applications:
Kerberos-aware applications are called "Kerberized".
Some Kerberized applications are: Berkeley R-commands, Telnet, POP, USC's Win2000 network, FTP.
THANK YOU