Welcome to
dwivedishashwat@gmail.com
TechGurukul
System Architecture Series:
[Kerberos]
Learning Architecture of and
various components in a technology system
About Kerberos
1. Kerberos is a ticket-based authentication protocol built entirely on symmetric keys. A client
proves its identity to services by presenting tickets issued by a trusted third party, the Key
Distribution Center (KDC), instead of sending its password to each service. The password itself
never crosses the network: what an eavesdropper can capture is material encrypted under a key
derived from the password, which is why strong passwords and pre-authentication still matter.
One of the biggest benefits of Kerberos is single sign-on (SSO): after one login to the realm, the
client obtains tickets for every other Kerberos-enabled service without typing the password again.
2. To help provide a secure environment, Kerberos supports mutual authentication (optional, and
requested by the client). The server proves it is genuine by decrypting the client's ticket with
its own secret key and returning a reply (the AP-REP) under the shared session key; the client then
knows it is talking to the real server, and the server knows which principal the client is. This
defeats server spoofing and man-in-the-middle impersonation. Kerberos is also time sensitive:
tickets carry a start and an end time, authenticators carry timestamps that must fall within the
allowed clock skew, and an expired ticket must be replaced, either by renewing it (if it is
renewable and still within its renew-till limit) or by authenticating again.
Components and terms of Kerberos
1. Client: the user, host or service that wants to reach another service, e.g. a user who wants to access a resource on a Kerberos-enabled server.
2. Server
1. KDC: the Key Distribution Center, which has the following components:
1. Authentication Server (AS): the part of the KDC that answers the client's initial authentication request (AS-REQ), the point at which the not-yet-authenticated user enters the password. In response the AS issues a special ticket, the Ticket Granting Ticket (TGT), made out to the ticket-granting service principal krbtgt/REALM@REALM and encrypted under that principal's key.
2. Ticket Granting Server (TGS): the KDC component that issues service tickets to clients holding a valid TGT, vouching for the client's identity towards the application server that owns the requested resource. The TGS can be thought of as an application server whose service is issuing tickets, which is why the TGT is itself just a ticket for the krbtgt principal.
3. Principal database: the container for the entries associated with users and services. An entry is referred to by its principal and contains:
1. the principal the entry belongs to;
2. the encryption key(s) and the related kvno;
3. the maximum validity duration of a ticket issued to the principal;
4. the maximum time for which a ticket issued to the principal may be renewed (Kerberos 5 only);
5. the attributes or flags governing the behaviour of its tickets (e.g. whether pre-authentication is required);
6. the password expiration date;
7. the expiration date of the principal, after which no tickets will be issued.
3. Realm: an authentication administrative domain. It sets the boundary within which one authentication server has the authority to authenticate users, hosts and services. A user and a service do not have to belong to the same realm to authenticate: if they are in different realms and a trust relationship exists between those realms, authentication can still take place. This characteristic is known as cross-realm authentication (cross-authentication): the client obtains a cross-realm TGT from its own KDC and presents it to the remote realm's TGS.
1. Principal: the name used to refer to an entry in the authentication server database. A principal is
associated with each user, host or service of a given realm, written name@REALM for users and
service/hostname@REALM for services.
2. Ticket: what a client presents to an application server to demonstrate the authenticity of its identity.
Tickets are issued by the KDC and are encrypted with the secret key of the service they are intended for.
Since that key is shared only between the KDC and the server providing the service, the client that
requested the ticket can neither read it nor change its contents; it carries the ticket opaquely and keeps
only the session key, which the KDC hands to it separately, encrypted under the client's own key.
3. Encryption: Kerberos must encrypt and decrypt the messages (tickets and authenticators) passing between
the participants. It is important to note that Kerberos uses only symmetric-key encryption (the same key
encrypts and decrypts); there are no certificates or public keys in the base protocol.
1. Kerberos 4 supports only single DES (56-bit keys).
2. Kerberos 5 negotiates an encryption type per key: single DES (now deprecated, RFC 6649), triple DES,
RC4-HMAC (historically used by Active Directory, also deprecated) and AES with 128- or 256-bit keys
(RFC 3962, with SHA-2 variants in RFC 8009). In a new deployment AES should be the only type left enabled.
4. Salt: a string concatenated with the cleartext password before the string2key function is applied to
obtain the key. By default Kerberos 5 uses the realm name followed by the principal's name components as
the salt, so two users with the same password in different realms (or different users in the same realm)
end up with different keys: Kuser = string2key(Puser, "REALM.COM" + "user"). RC4-HMAC is the exception:
it derives the key from the password alone, with no salt.
5. Key version number (kvno): when a user changes a password or an administrator updates the secret key of
an application server, the change is recorded by advancing a counter. The current value of that counter,
identifying the key version, is the Key Version Number (kvno). Every ticket names the kvno of the key it
was encrypted under, so a server can keep the previous key in its keytab until the tickets issued under it
have expired.
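The salt and kvno rules above, as an added Python example that is not part of the original deck: default_salt builds the RFC 4120 default salt from a principal name, pbkdf2_stage runs the PBKDF2-HMAC-SHA1 step of the RFC 3962 AES string-to-key function (the final AES-based DK step is left out because the standard library has no AES), rfc3962_vector reproduces the iteration-count-1 test vector from Appendix B of RFC 3962, and Keytab shows why a service host keeps the previous kvno after a key rotation. The Keytab class, its password-derived service keys (real service keys are usually random) and the principal names are illustrative assumptions.

```python
# Added example, not code from the deck: RFC 4120 default salt, the PBKDF2 stage of the AES
# string-to-key function (RFC 3962), and a keytab that keeps old key versions. Names are illustrative.
import hashlib


def default_salt(principal: str) -> str:
    """RFC 4120 default salt: the realm, then the principal's name components, with no separators."""
    name, realm = principal.rsplit("@", 1)
    return realm + "".join(name.split("/"))


def pbkdf2_stage(password: str, salt: str, iterations: int, keybytes: int) -> bytes:
    """First step of aes*-cts-hmac-sha1-96 string-to-key: PBKDF2-HMAC-SHA1(password, salt).
    The enctype then applies DK(tkey, "kerberos") with AES; that step needs an AES library and is omitted."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt.encode("utf-8"), iterations, keybytes)


def rfc3962_vector() -> str:
    """RFC 3962 Appendix B, iteration count 1: passphrase 'password', salt 'ATHENA.MIT.EDUraeburn'."""
    return pbkdf2_stage("password", default_salt("raeburn@ATHENA.MIT.EDU"), 1, 16).hex()


class Keytab:
    """A host's keytab: one entry per (principal, kvno). Rotating a key advances the kvno; the previous
    entry is kept so that tickets the KDC issued under it still decrypt until they expire."""

    def __init__(self):
        self.entries = {}

    def rotate(self, principal: str, password: str, iterations: int = 4096) -> int:
        # Service keys are normally random (kadmin -randkey); a password is used here only to reuse string2key.
        kvno = max((k for p, k in self.entries if p == principal), default=0) + 1
        self.entries[(principal, kvno)] = pbkdf2_stage(password, default_salt(principal), iterations, 32)
        return kvno

    def key_for(self, principal: str, kvno: int) -> bytes:
        if (principal, kvno) not in self.entries:
            raise LookupError("KRB_AP_ERR_BADKEYVER: no key with that kvno")  # the error a real server reports
        return self.entries[(principal, kvno)]
```

Two things to notice when running it: the same password gives different keys for u@A.COM and u@B.COM purely because of the salt, so an attacker cracking a captured exchange must know the salt (which is why RC4-HMAC, saltless, was the weaker choice); and after a second rotate() the keytab still answers key_for(principal, 1), which is what keeps already-issued tickets working during a key rollover.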
Learning about Kerberos Architecture and Components
[Diagram: the client, the KDC (Authentication Server, Ticket Granting Server and the principal database holding user ids and service ids with their secret keys) and the server/application/service the client needs to reach (HDFS/NFS/SSH), connected by the six numbered message steps listed below.]
Steps Flow
1. Ticket request from the client (AS-REQ: "I am this principal, give me a TGT", plus pre-authentication data encrypted under the client's key where the KDC requires it)
2. Ticket sent from the KDC (AS-REP: the TGT, encrypted under the krbtgt key, plus the TGT session key encrypted under the client's key)
3. Service ticket request from the client (TGS-REQ: the TGT plus an authenticator encrypted under the TGT session key, naming the service wanted)
4. Service ticket sent from the KDC (TGS-REP: the service ticket, encrypted under the service's key, plus the service session key encrypted under the TGT session key)
5. Ticket presented to the application server (AP-REQ: the service ticket plus a fresh authenticator under the service session key)
6. Application server opens the access channel (AP-REP: the authenticator's timestamp returned under the session key when mutual authentication was requested; the session key then protects the application traffic)
Steps Flow
1. Shashwat to AuthServer (KDC): Hi, I'm Shashwat. Could I have a ticket-granting ticket? Here is the
current time encrypted with my password key, to show I know it.
2. AuthServer to Shashwat: Here is your "ticket-granting ticket." It is sealed with the krbtgt key, so you
cannot open it; the session key that goes with it is encrypted with your password key, so if you aren't
Shashwat it's useless to you. If you are Shashwat, decrypt the session key and come back with it.
3. Shashwat to TGS: Here is my TGT, and an authenticator (my name and the time) encrypted with the session
key you gave me, so you know the TGT is mine. Give me a "service ticket" so I can talk to server
Application_Server_OR_Service.
4. TGS to Shashwat: You have it! The service ticket is encrypted with Application_Server_OR_Service's
secret key, and the new session key for it is encrypted with our TGT session key. This ticket will be
accepted by Application_Server_OR_Service until it expires (eight hours in this example).
5. Shashwat to Application_Server_OR_Service: The KDC gave me this ticket, encrypted with your secret key,
and here is an authenticator under the session key inside it. Please validate me, and prove you are the
server I think you are.
6. Application_Server_OR_Service to Shashwat: Hello, Shashwat! I decrypted the ticket with my key, checked
your authenticator against it, and here is its timestamp back under our session key. I trust the KDC,
and it trusts you, so your access is granted.
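The six-step flow described in both lists above, as an added Python example that is not part of the original deck: a toy KDC (AS and TGS), a service and a client, using a stand-in cipher (HMAC-SHA256 keystream plus tag, not a real Kerberos enctype) so that it runs on the standard library alone. The realm EXAMPLE.COM, the user shashwat, the service hdfs/namenode.example.com, the eight-hour lifetime and the five-minute skew are assumptions. It shows what the dialogue glosses over: the client never sees the krbtgt key or the service key, only session keys; a wrong password fails at pre-authentication before any ticket is issued; a replayed AP-REQ and an expired ticket are both rejected; and the AP-REP is what makes the authentication mutual.

```python
# Toy end-to-end Kerberos exchange (AS, TGS, AP) on symmetric keys only. Added example, not the deck's code;
# the cipher, realm, principal names and the 8-hour ticket lifetime are illustrative assumptions.
import hashlib, hmac, json, os
SKEW = 300  # seconds of clock skew tolerated for authenticators (5 minutes, the usual default)

def _xor(key, nonce, data):  # toy HMAC-SHA256 keystream; with the tag below it stands in for a real enctype
    ks = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest() for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def encrypt(key, obj):
    nonce = os.urandom(16)
    ct = _xor(key, nonce, json.dumps(obj).encode())
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("decrypt failed: wrong key or tampered message")
    return json.loads(_xor(key, nonce, ct))

def string2key(password, salt):  # salt = realm + name (RFC 4120 default); real AES enctypes add a DK step
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 4096)

def check_authenticator(ticket, authenticator, now, replay_cache):
    """Shared by the TGS and application servers: ticket lifetime, authenticator freshness, name match, replay."""
    auth = decrypt(bytes.fromhex(ticket["skey"]), authenticator)
    checks = {"ticket expired or not yet valid": not ticket["start"] <= now <= ticket["end"],
              "authenticator name does not match ticket": auth["client"] != ticket["client"],
              "authenticator outside clock skew": abs(auth["ts"] - now) > SKEW,
              "authenticator replayed": authenticator in replay_cache}
    if any(checks.values()):
        raise ValueError(next(message for message, failed in checks.items() if failed))
    replay_cache.add(authenticator)  # real servers cache (client, ctime, cusec, hash) for the skew window
    return auth

class KDC:  # principal database plus the AS and TGS services of one realm
    def __init__(self, realm, now):
        self.realm, self.now, self.db, self.replay_cache, self.tgs_name = realm, now, {}, set(), f"krbtgt/{realm}@{realm}"
        self.db[self.tgs_name] = os.urandom(32)  # whoever holds this key can forge any TGT
    def add_user(self, name, password):
        self.db[f"{name}@{self.realm}"] = string2key(password, self.realm + name)
    def _ticket(self, client, service, skey, life):  # sealed with the service's key: opaque to the client
        return encrypt(self.db[service], {"client": client, "skey": skey.hex(),
                                          "start": (start := self.now()), "end": start + life})
    def as_exchange(self, client, preauth, life=8 * 3600):
        """AS-REQ -> AS-REP. preauth is the time encrypted under the client's key, so a wrong password fails here."""
        if abs(decrypt(self.db[client], preauth)["ts"] - self.now()) > SKEW:
            raise ValueError("pre-authentication timestamp outside clock skew")
        return {"tgt": self._ticket(client, self.tgs_name, (skey := os.urandom(32)), life),
                "enc_part": encrypt(self.db[client], {"skey": skey.hex()})}
    def tgs_exchange(self, tgt, authenticator, service):
        """TGS-REQ -> TGS-REP. The client never learns the krbtgt key or the service key."""
        t = decrypt(self.db[self.tgs_name], tgt)
        check_authenticator(t, authenticator, self.now(), self.replay_cache)
        return {"ticket": self._ticket(t["client"], service, (skey := os.urandom(32)), 8 * 3600),
                "enc_part": encrypt(bytes.fromhex(t["skey"]), {"skey": skey.hex()})}

class Service:  # application server: holds only its own key (keytab entry shared with the KDC) and a replay cache
    def __init__(self, kdc, name):
        self.name, self.now, self.replay_cache = f"{name}@{kdc.realm}", kdc.now, set()
        kdc.db[self.name] = self.key = os.urandom(32)
    def ap_exchange(self, ticket, authenticator):
        """AP-REQ -> AP-REP. Echoing the authenticator's timestamp under the session key proves this server
        could open the ticket, i.e. that it holds the service key: the mutual authentication step."""
        t = decrypt(self.key, ticket)
        auth = check_authenticator(t, authenticator, self.now(), self.replay_cache)
        return encrypt(bytes.fromhex(t["skey"]), {"ts": auth["ts"]})

def client_session(kdc, user, password, service, now):
    """Client side of steps 1-6; returns the AP-REQ and session key so replay and expiry can be shown."""
    me, key = f"{user}@{kdc.realm}", string2key(password, kdc.realm + user)
    as_rep = kdc.as_exchange(me, encrypt(key, {"ts": now()}))                                 # steps 1-2
    tgt_skey = bytes.fromhex(decrypt(key, as_rep["enc_part"])["skey"])                        # only the right key opens this
    tgs_rep = kdc.tgs_exchange(as_rep["tgt"], encrypt(tgt_skey, {"client": me, "ts": now()}), service.name)  # 3-4
    svc_skey = bytes.fromhex(decrypt(tgt_skey, tgs_rep["enc_part"])["skey"])
    ap_req = (tgs_rep["ticket"], encrypt(svc_skey, {"client": me, "ts": (ts := now())}))
    if decrypt(svc_skey, service.ap_exchange(*ap_req))["ts"] != ts:                            # steps 5-6
        raise ValueError("server failed mutual authentication")
    return {"client": me, "ap_req": ap_req, "svc_skey": svc_skey}

def demo():  # happy path, then the three failures the protocol must reject: wrong password, replay, expiry
    clock = [1_700_000_000.0]  # controllable clock so ticket expiry can be demonstrated
    now = lambda: clock[0]
    kdc = KDC("EXAMPLE.COM", now)
    kdc.add_user("shashwat", "correct horse battery staple")
    hdfs = Service(kdc, "hdfs/namenode.example.com")
    sess = client_session(kdc, "shashwat", "correct horse battery staple", hdfs, now)
    def expired():  # nine hours later the 8-hour ticket is dead, even with a freshly made authenticator
        clock[0] += 9 * 3600
        hdfs.ap_exchange(sess["ap_req"][0], encrypt(sess["svc_skey"], {"client": sess["client"], "ts": now()}))
    out = {"login": sess["client"]}
    for label, attempt in (("wrong_password", lambda: client_session(kdc, "shashwat", "guess", hdfs, now)),
                           ("replay", lambda: hdfs.ap_exchange(*sess["ap_req"])), ("expired", expired)):
        try:
            attempt()
        except ValueError as e:
            out[label] = str(e)
    return out
```

demo() returns the authenticated principal for the happy path and the error each check raised for the three failures. Real implementations add what this toy leaves out: ASN.1 message encoding, cusec and nonce fields in authenticators, renewable and forwardable ticket flags, and cross-realm TGTs for the trust relationships described under Realm.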
Thanks For Watching
—-TechGurukul—-