Kerberos Authentication Protocol Simulation - PowerPoint PPT Presentation

Provided by: naveenbabu
Transcript and Presenter's Notes

1
Kerberos Authentication Protocol Simulation
  • Course: CpE 597 B
  • Advisor: Prof. Khaled Elleithy
  • Student: Nagendra Mallampati

2
Abstract
  • Windows 2000 implements Kerberos version 5 with
    extensions for public-key authentication. The
    Kerberos client is implemented as a security
    provider through the Security Service Provider
    Interface. Initial authentication is integrated
    with the Winlogon single sign-on architecture. The
    Kerberos Distribution Center (KDC) is integrated
    with other Windows 2000 security services running
    on the domain controller and uses the domain's
    Active Directory as its security account database.

3
Goals of the Project
  • To simulate the Kerberos Authentication Protocol
    using GSS-API.
  • To show the different types of Security attacks
    in a GUI.

4
Figure used for Simulation

5
Scenario in the figure
  • User logs on to the workstation and requests
    service on the host.
  • AS verifies the user's access right in the
    database and creates a TGT and session key. Results
    are encrypted using a key derived from the user's
    password.
  • Workstation prompts the user for the password,
    decrypts, and sends the ticket and authenticator to
    the TGS.

6
Scenario contd
  • TGS decrypts the ticket and authenticator, verifies
    the request and creates a ticket for the requested
    server.
  • Workstation sends the ticket and authenticator
    to the server.
  • Server verifies that the ticket and authenticator
    match, then grants access to the service.
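
The exchange in slides 5 and 6, as an added Python sketch that is not part of the original presentation or the student's GSS-API simulation. The principal, password, keys and the `seal`/`unseal` toy cipher (SHAKE-256 keystream plus HMAC) are constructed stand-ins, not Kerberos's real encryption types or message formats.

```python
import hashlib, hmac, json, os, time
def seal(key, obj):
    """Toy authenticated encryption (SHAKE-256 keystream + HMAC); stand-in only."""
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, hashlib.shake_256(key + nonce).digest(len(pt))))
    return nonce + hmac.new(key, nonce + ct, "sha256").digest() + ct

def unseal(key, blob):
    nonce, tag, ct = blob[:16], blob[16:48], blob[48:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("wrong key or modified message")
    ks = hashlib.shake_256(key + nonce).digest(len(ct))
    return json.loads(bytes(a ^ b for a, b in zip(ct, ks)))

def pw_key(user, password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), user.encode(), 100_000)

USERS = {"alice": pw_key("alice", "correct horse")}   # constructed account database
TGS_KEY, SERVER_KEY = os.urandom(32), os.urandom(32)  # long-term keys held by the KDC

def as_exchange(user):
    """AS: create TGT and session key; the reply is sealed under the password key."""
    sk = os.urandom(32).hex()
    tgt = seal(TGS_KEY, {"user": user, "sk": sk, "exp": time.time() + 600})
    return seal(USERS[user], {"sk": sk}), tgt

def authenticator(sk_hex, user):
    return seal(bytes.fromhex(sk_hex), {"user": user, "ts": time.time()})

def check(key, ticket, auth, skew=300):
    """Used by TGS and server: the ticket and authenticator must match."""
    t = unseal(key, ticket)
    a = unseal(bytes.fromhex(t["sk"]), auth)
    if a["user"] != t["user"] or abs(time.time() - a["ts"]) > skew or time.time() > t["exp"]:
        raise ValueError("ticket/authenticator mismatch")
    return t

def tgs_exchange(tgt, auth):
    t = check(TGS_KEY, tgt, auth)
    sk2 = os.urandom(32).hex()
    ticket = seal(SERVER_KEY, {"user": t["user"], "sk": sk2, "exp": time.time() + 600})
    return seal(bytes.fromhex(t["sk"]), {"sk": sk2}), ticket

def login(user, password):  # workstation side; returns the user the server accepted
    reply, tgt = as_exchange(user)                    # only the user name is sent
    sk = unseal(pw_key(user, password), reply)["sk"]  # fails on a wrong password
    reply2, ticket = tgs_exchange(tgt, authenticator(sk, user))
    sk2 = unseal(bytes.fromhex(sk), reply2)["sk"]
    return check(SERVER_KEY, ticket, authenticator(sk2, user))["user"]
```

The password never crosses the simulated network; a captured TGT is useless without the session key needed to build a matching authenticator.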

7
What is Kerberos?
  • Network Authentication Protocol.
  • Developed at MIT in the mid 1980s.
  • Available as open source or in supported
    commercial software.

8
How did Kerberos get its name?
  • The name "Kerberos" comes from a mythological
    three-headed dog that guarded the entrance to
    Hades. Invented by MIT, this form of security has
    been evolving in the Unix world for over a decade
    and is now becoming a standard.

9
Why Kerberos?
  • Sending usernames and passwords in the clear
    jeopardizes the security of the network.
  • Each time a password is sent in the clear, there
    is a chance of a security attack.

10
Types of Security Attacks
  • Interception: an attack on confidentiality.
  • Interruption: an attack on availability.
  • Modification: an attack on integrity.
  • Fabrication: an attack on authenticity.

11
Firewall Vs Kerberos ?
  • Firewalls make a risky assumption that attackers
    come from outside. In reality, attacks frequently
    come from within.
  • Kerberos assumes that network connections (rather
    than servers and workstations) are the weak link
    in network security.

12
Design Requirements
  • Interactions between hosts and clients should be
    encrypted.
  • Must be convenient for users.
  • Protect against intercepted credentials.

13
How does Kerberos work?
  • Instead of the client sending a password to the
    application server:
    - Request a ticket from the authentication
      server.
    - Ticket and encrypted request are sent to
      the application server.
  • How to request tickets without repeatedly sending
    credentials?
    - Ticket Granting Ticket (TGT).

14
Terms used in Kerberos
  • REALM: It could be termed a "group".
    Machines will belong to this group. It has
    become almost standard procedure to make the
    realm the same as your domain name.
  • KDC: the Kerberos Distribution Center. This is
    the machine that controls access.
  • KEYTAB: a file that contains encrypted
    information allowing users/machines to
    authenticate themselves.

15
Limitations of Kerberos
  • Scalability.
  • Doesn't explicitly protect against Trojan
    attacks.
  • Is mainly intended for single-user workstations.
  • KDC can be a single point of failure.

16
Benefits of Kerberos Authentication
  • More efficient authentication to servers
  • Mutual authentication
  • Delegated authentication
  • Simplified trust management
  • Interoperability

17
Applications of Kerberos
  • The Kerberos V5 applications are versions
    of existing UNIX network programs with the
    Kerberos features added:
  • telnet
  • rlogin
  • FTP
  • rsh
  • rcp
  • ksu

18
GSS-API
  • Provides a way for applications to protect data
    that is sent to peer applications.
  • Enables application control over security
    aspects.
  • More portable with regard to network security.

19
Functions of GSS-API
  • Creates a security context in which data can be
    passed between applications.
  • Applies one or more types of protection, known as
    security services, to the data to be transmitted.

20
Screenshots of the Project
  • Without Kerberos (Security Attacks)
  • With Kerberos.

31
Conclusions
It can be concluded that Kerberos,
when integrated with other parts of the system,
can be made more useful. By implementing
Kerberos in Windows 2000, the authentication
process was extended. Kerberos is made the default
authorization service for Windows 2000, as it
ensures trustworthy and more secure
authorization.

32
References
Books:
  • Network Security Essentials, William Stallings.
Websites:
  • http://java.sun.com/j2se/1.4.1/docs/
  • http://www.ietf.org/rfc/rfc2853.txt
  • http://www.windowsitlibrary.com/Content/617/06/3.html5
  • http://mit.edu/kerberos/www/
  • http://www.labmice.net/Security/kerberos.htm
  • http://portal.acm.org/dl.cfm