Kerberos Authentication
Kerberos (protocol) 
◦ Kerberos is a computer network authentication protocol
◦ Works on the basis of 'tickets' that allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner
◦ Aimed primarily at a client–server model, and it provides mutual authentication
◦ Protected against eavesdropping and replay attacks
http://www.ifour-consultancy.com Offshore software development company India
Microsoft Windows, UNIX & Kerberos 
◦ Windows 2000 and later uses Kerberos as its default authentication method
◦ Documentation:
  ◦ RFC 3244 "Microsoft Windows 2000 Kerberos Change Password and Set Password Protocols"
  ◦ RFC 4757 documents Microsoft's use of the RC4 cipher
◦ UNIX and UNIX-like operating systems include software for Kerberos authentication of users or services
Components 
◦ Principal
◦ Realm
◦ KDC (Key Distribution Center), made up of the AS (Authentication Server) and the TGS (Ticket Granting Service)
◦ Client
◦ Server
Mechanism 
• Client authenticates itself to the Authentication Server (AS), which forwards the username to a Key Distribution Center (KDC)
• KDC issues a Ticket Granting Ticket (TGT), which is time stamped
• KDC encrypts the TGT using the user's password and returns the encrypted result to the user's workstation
• TGT remains valid until it expires, though it may be transparently renewed by the user's session manager while the user is logged in
Mechanism 
When the client needs to communicate with another node:
• Client sends the TGT to the Ticket Granting Service (TGS)
• After verifying that the TGT is valid and the user is permitted to access the requested service, the TGS issues a Ticket and session keys, which are returned to the client
• Client then sends the Ticket to the service server (SS) along with its service request
User Client-based Logon 
◦ User enters a username and password on the client machine
◦ Client transforms the password into the key of a symmetric cipher
◦ It either uses the built-in key scheduling or a one-way hash, depending on the cipher suite used
Client Authentication 
◦ Client sends a clear-text message of the user ID to the AS, requesting services on behalf of the user
◦ AS generates the secret key by hashing the password of the user found in the database
◦ AS checks to see if the client is in its database
Client Authentication 
◦ If it is, the AS sends back the following two messages to the client:
  ◦ Message A: Client/TGS Session Key encrypted using the secret key of the client/user.
  ◦ Message B: Ticket-Granting-Ticket (which includes the client ID, client network address, ticket validity period, and the client/TGS session key) encrypted using the secret key of the TGS.
Client Service Authorization 
◦ Client attempts to decrypt message A with the secret key generated from the password entered by the user
◦ If the password does not match the password in the AS database, the client's secret key will be different and thus unable to decrypt message A
◦ With a valid password and secret key, the client decrypts message A to obtain the Client/TGS Session Key
◦ Session key is used for further communications with the TGS
Client Service Authorization 
When requesting services, the client sends the following two messages to the TGS:
◦ Message C: Composed of the TGT from message B and the ID of the requested service.
◦ Message D: Authenticator (which is composed of the client ID and the timestamp), encrypted using the Client/TGS Session Key.
Client Service Authorization 
◦ Upon receiving messages C and D, the TGS retrieves message B out of message C
◦ Decrypts message B using the TGS secret key
◦ This gives it the "client/TGS session key"
Client Service Authorization 
Using this "client/TGS session key", the TGS decrypts message D and sends the following two messages to the client:
◦ Message E: Client-to-server ticket (which includes the client ID, client network address, validity period and Client/Server Session Key) encrypted using the service's secret key.
◦ Message F: Client/Server Session Key encrypted with the Client/TGS Session Key.
Client Service Request 
Upon receiving messages E and F from the TGS:
◦ Client has enough information to authenticate itself to the SS
◦ Client connects to the SS and sends the following two messages:
  ◦ Message E from the previous step (the client-to-server ticket, encrypted using the service's secret key).
  ◦ Message G: a new Authenticator, which includes the client ID and timestamp and is encrypted using the Client/Server Session Key.
Client Service Request 
◦ SS decrypts the ticket using its own secret key to retrieve the Client/Server Session Key
◦ SS decrypts the Authenticator and sends the following message to the client to confirm its true identity and willingness to serve the client:
  ◦ Message H: the timestamp found in the client's Authenticator plus 1, encrypted using the Client/Server Session Key.
◦ Client decrypts the confirmation using the Client/Server Session Key
Client Service Request 
◦ Client checks whether the timestamp is correctly updated
◦ If so, the client can trust the server and can start issuing service requests to the server
◦ Server provides the requested services to the client
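The full exchange from Client Authentication through Client Service Request, as an added example that is not part of the original slides: a stdlib-only Python model in which the AS/TGS and the service server each hold their own secret key, the client verifies the timestamp-plus-1 reply (message H), and a wrong password or a replayed authenticator is rejected. The cipher (a SHAKE-256 keystream with an HMAC tag), the realm EXAMPLE.TEST, the principal names and the 300-second skew limit are all constructed for this example.

```python
# Added example (not from the slides): a stdlib-only model of messages A to H
# as described above. The cipher is a toy (SHAKE-256 keystream + HMAC tag); names are invented.
import hashlib, hmac, json, os, time

MAX_SKEW, LIFETIME = 300, 8 * 3600   # seconds: clock-skew limit, ticket validity period

def derive_key(password: str, salt: str) -> bytes:
    # User Client-based Logon: the password becomes a symmetric key via a one-way hash.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000)

def encrypt(key: bytes, obj: dict) -> bytes:
    # Toy authenticated encryption: nonce || plaintext XOR keystream || HMAC tag.
    nonce, pt = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, hashlib.shake_256(key + nonce).digest(len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def decrypt(key: bytes, blob: bytes) -> dict:
    # A wrong key (for the client: a wrong password) fails the tag check and raises.
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, hashlib.shake_256(key + nonce).digest(len(ct)))))

def check_authenticator(auth: dict, ticket: dict, seen: set) -> None:
    # TGS and SS both do this: the authenticator must match a valid ticket, be fresh, and be new.
    fresh = abs(time.time() - auth["timestamp"]) <= MAX_SKEW
    if auth["client"] != ticket["client"] or ticket["expires"] < time.time() or not fresh:
        raise PermissionError("authenticator does not match a fresh, valid ticket")
    if (auth["client"], auth["timestamp"]) in seen:
        raise PermissionError("replayed authenticator")
    seen.add((auth["client"], auth["timestamp"]))

class KDC:   # Authentication Server (AS) and Ticket Granting Service (TGS) of one realm
    def __init__(self, realm: str):
        self.realm, self.seen, self.db = realm, set(), {"krbtgt": os.urandom(32)}

    def as_exchange(self, client_id: str, addr: str):
        # Client Authentication: message A (session key under the user's key) and B (the TGT).
        sk = os.urandom(32).hex()
        tgt = {"client": client_id, "addr": addr, "expires": time.time() + LIFETIME, "key": sk}
        return encrypt(self.db[client_id], {"key": sk}), encrypt(self.db["krbtgt"], tgt)

    def tgs_exchange(self, msg_c: dict, msg_d: bytes):
        # Client Service Authorization: open the TGT inside C, check D, return E and F.
        tgt = decrypt(self.db["krbtgt"], msg_c["tgt"])
        tgs_session = bytes.fromhex(tgt["key"])
        check_authenticator(decrypt(tgs_session, msg_d), tgt, self.seen)
        sk = os.urandom(32).hex()
        ticket = {"client": tgt["client"], "addr": tgt["addr"], "expires": time.time() + LIFETIME, "key": sk}
        return encrypt(self.db[msg_c["service"]], ticket), encrypt(tgs_session, {"key": sk})

class Service:   # the service server (SS)
    def __init__(self, name: str, key: bytes):
        self.name, self.key, self.seen = name, key, set()

    def ap_exchange(self, msg_e: bytes, msg_g: bytes) -> bytes:
        # Client Service Request: open E with the service's own key, check G, answer with H.
        ticket = decrypt(self.key, msg_e)
        session = bytes.fromhex(ticket["key"])
        auth = decrypt(session, msg_g)
        check_authenticator(auth, ticket, self.seen)
        return encrypt(session, {"timestamp": auth["timestamp"] + 1})

def client_login(kdc: KDC, svc: Service, user: str, password: str, addr="10.0.0.5") -> dict:
    # Client side of the whole exchange; E and G are returned so a replay can be shown.
    key = derive_key(password, kdc.realm + user)
    msg_a, msg_b = kdc.as_exchange(user, addr)
    tgs_session = bytes.fromhex(decrypt(key, msg_a)["key"])      # a bad password fails here
    msg_d = encrypt(tgs_session, {"client": user, "timestamp": time.time()})
    msg_e, msg_f = kdc.tgs_exchange({"tgt": msg_b, "service": svc.name}, msg_d)
    svc_session = bytes.fromhex(decrypt(tgs_session, msg_f)["key"])
    ts = time.time()
    msg_g = encrypt(svc_session, {"client": user, "timestamp": ts})
    msg_h = svc.ap_exchange(msg_e, msg_g)
    if decrypt(svc_session, msg_h)["timestamp"] != ts + 1:       # mutual authentication check
        raise PermissionError("server did not prove it holds the session key")
    return {"ok": True, "ticket": msg_e, "authenticator": msg_g}

def run_scenarios() -> dict:
    # Constructed realm with one user and one service; returns the outcome of each case.
    kdc = KDC("EXAMPLE.TEST")
    kdc.db["alice"] = derive_key("correct horse", kdc.realm + "alice")
    fs = Service("fileserver", kdc.db.setdefault("fileserver", os.urandom(32)))
    good = client_login(kdc, fs, "alice", "correct horse")
    out = {"login": good["ok"]}
    try:
        client_login(kdc, fs, "alice", "wrong password")
    except ValueError as err:
        out["wrong_password"] = str(err)
    try:   # an eavesdropper re-sending the captured E and G to the service
        fs.ap_exchange(good["ticket"], good["authenticator"])
    except PermissionError as err:
        out["replay"] = str(err)
    return out
```

Note that only the service and the TGS ever see a long-term key other than their own session keys, which is why a stolen ticket (the weakness listed later on this page) is usable only until its validity period ends.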
Kerberos Authentication Process (Cross Domain)
◦ Client in Domain 1 wishes to access a network resource in remote Domain 2
◦ The client has already been authenticated to the KDC in Domain 1 and has received a TGT
◦ The client presents the TGT to the KDC in Domain 1 and requests a service ticket to access the remote resource
Kerberos Authentication Process (Cross Domain)
◦ The KDC in Domain 1 cannot provide a service ticket for a network resource in Domain 2. Instead, the KDC in Domain 1 responds to the client with a TGT for Domain 2
◦ The client presents the new TGT to the KDC in Domain 2
◦ The KDC in Domain 2 responds with a service ticket for the network resource
◦ The client accesses the network resource in Domain 2 using the new service ticket
Drawbacks and Limitations 
◦ Single point of failure
◦ Kerberos has strict time requirements
◦ Administration protocol is not standardized
◦ All authentications are controlled by a centralized KDC
Drawbacks and Limitations 
◦ Each network service which requires a different host name
◦ Requires user accounts, user clients and the services on the server to all have a trusted relationship to the Kerberos token server
◦ Required client trust makes creating staged environments difficult
Weakness in Kerberos Protocol 
◦ Susceptible to offline password cracks
◦ Password-cracking tools such as "l0phtcrack" are able to demonstrate the vulnerability
◦ If a TGT is stolen, the attacker can access the network until the session expires
◦ Severe effects if the KDC is compromised
Symbiosis students 
◦ Deepak Aggarwal 
◦ Rohit Khadke 
◦ Sonali Solanki 
◦ Vineela Kanapala 