2. Kerberos
• Developed at M.I.T. in 1980.
• Greek Mythology: 3 headed dog.
• 3 “heads” — a client, a server, and a trusted third party that
mediates between the other two.
• A secret key based service for providing authentication in
open networks.
• Authentication mediated by a trusted 3rd party on the
network:
– Key Distribution Center (KDC)
• Kerberos Version 5
3. Firewall vs. Kerberos
• Firewall
– Assumes that "the bad guys" are on the outside.
– But the real threat is from insiders.
• Kerberos
– Assumes that network connections are the weak link in
network security.
– Strong authentication compared to firewalls.
5. Cryptographic Authentication
• No password over the Network.
• User identification is done by a cryptographic
operation based on:
– Quantity supplied by the server
– user’s secret key
6. Encryption and Decryption
• Encryption
– At the source
– Data → Cipher text (Encryption)
• Decryption
– At the destination
– Cipher text → Data (Decryption)
8. Asymmetric Key Cryptography
• Public key cryptography
• A pair of related keys is used:
– Public and Private keys.
• Data encrypted with one can only be
decrypted with the other
• Usually, a user publishes his public key widely
– Others use it to encrypt data intended for the user
– User decrypts using the private key (known only to
him)
• Algorithm: RSA
9. Key Distribution Center (KDC)
• Implemented as a domain service
• Active Directory for database
• Global Catalog for directing referrals to KDCs
in other domains.
• Uses certificates to encrypt communication
between client and KDC.
10. Key Distribution Center (KDC)
Types of Keys Used
• Long-Term Symmetric Keys: User, System, Service, and Inter-realm Keys
• Long-Term Asymmetric Keys: Public Key
• Short-Term Symmetric Keys: Session Keys
14. Common Issues
• Infrastructure Required:
– Active Directory
– TCP/IP Network Connectivity
– Domain Name System
– Time Service
– Operating System
15. Common Issues
• Console logon, Network logon, access to
network resources, or remote access
• How to identify whether an issue is related to
Kerberos?
– Event log: System, Security
– Source: Kerberos, KDC, LsaSrv, or Netlogon
16. Common Issues
1) Time Synchronization (Clock Skew)
– 0x25: KRB_AP_ERR_SKEW: Clock Skew too great
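An added example (not from the slides) of the triage the last two slides describe: filter constructed event-log records down to the System/Security logs and the Kerberos, KDC, LsaSrv and Netlogon sources, pull out the Kerberos error code, and for 0x25 compute the client/KDC clock skew. The record layout, message text and the 5-minute tolerance are assumptions; the tolerance is the usual default and is policy-configurable.

```python
import re
from datetime import datetime, timedelta

# Logs and sources the slides name as the place to look for Kerberos issues.
KERBEROS_LOGS = {"System", "Security"}
KERBEROS_SOURCES = {"Kerberos", "KDC", "LsaSrv", "Netlogon"}
# Error codes handled here; 0x25 is the clock-skew error from the slides.
KRB_ERROR_NAMES = {0x25: "KRB_AP_ERR_SKEW: Clock skew too great"}
# Assumption: 5 minutes is the maximum tolerable clock skew (default, policy-configurable).
MAX_CLOCK_SKEW = timedelta(minutes=5)
ERROR_CODE_RE = re.compile(r"error code[: ]+0x([0-9a-f]+)", re.IGNORECASE)

def is_kerberos_related(event):
    """True when the record comes from a log and source the slides point at."""
    return event["log"] in KERBEROS_LOGS and event["source"] in KERBEROS_SOURCES

def kerberos_error_code(message):
    """Extract the hex Kerberos error code from a message, or None if absent."""
    m = ERROR_CODE_RE.search(message)
    return int(m.group(1), 16) if m else None

def clock_skew(client_time, kdc_time):
    """Absolute difference between the client's clock and the KDC's clock."""
    return abs(client_time - kdc_time)

def triage(events):
    """Return (index, finding) pairs for every Kerberos-related record."""
    findings = []
    for i, ev in enumerate(events):
        if not is_kerberos_related(ev):
            continue  # wrong log or source: not a Kerberos problem per the slides
        code = kerberos_error_code(ev["message"])
        if code == 0x25:
            skew = clock_skew(ev["client_time"], ev["kdc_time"])
            verdict = "exceeds" if skew > MAX_CLOCK_SKEW else "within"
            findings.append((i, f"{KRB_ERROR_NAMES[code]} (skew {skew}, {verdict} tolerance)"))
        elif code is not None:
            findings.append((i, f"Kerberos error code 0x{code:x}"))
        else:
            findings.append((i, "Kerberos-related event, no error code"))
    return findings

# Constructed sample records (hypothetical message text, not real log output).
SAMPLE_EVENTS = [
    {"log": "System", "source": "Kerberos", "client_time": datetime(2024, 1, 1, 12, 9),
     "kdc_time": datetime(2024, 1, 1, 12, 0),
     "message": "The Kerberos client received a KRB_AP_ERR_SKEW error code: 0x25 from the KDC"},
    {"log": "Application", "source": "MSSQL", "client_time": None, "kdc_time": None,
     "message": "Login failed, error code: 0x25"},  # same code, unrelated source: ignored
    {"log": "Security", "source": "Netlogon", "client_time": None, "kdc_time": None,
     "message": "Session setup to the domain controller failed"},
]
```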