Title: Kerberos
Slide 1: Kerberos
Authenticating Over an Insecure Network
Slide 2: Initial request
[Diagram: the Authentication Server returns two items. To the user: the Session key and the Service name, encrypted with the User key (only the real user can decode it). For the user to pass on to the service: the Session key and the User name, encrypted with the Service key.]
Slide 3
[Diagram: User Agent; Kerberos Server holding the User and Server DB (private keys) and containing the Ticket Granting Server and the Authentication Server; Application Server.]
User asks: the user requests a ticket to interact with the Application Server.
Slide 4
The user agent contacts the Authentication Server to begin the process of authenticating the user as being who he says he is.
Slide 5
[Diagram now also shows the Session Key.]
The Authentication Server looks up the user's private key, creates a session key for talking to the TGS, encrypts it with the user's private key and returns it. If the requester is not the real user, the reply cannot be decrypted and is useless.
Slide 6
[Diagram now also shows the user password (key).]
The user agent prompts the user for the password (key) and uses it to decrypt the session key; anyone who is not the real user cannot read it. The user takes the ticket for accessing the TGS from the previous step and encrypts the Application Server request information using the Session Key.
Slide 7
The user agent sends the request to the TGS, encrypted using the Session Key.
Slide 8
The TGS creates a User/Server session key and encrypts it using the Session Key. It also issues a Permission Ticket for User/Server interaction, encrypted using the Application Server's key.
Slide 9
The user agent decrypts the User/Server session key using the Session Key. The User/Server session key is then used for the request, which is sent together with the User/Server Ticket to the Application Server.
Slide 10
The Application Server uses its own key to decrypt and authenticate the request and to verify that the User/Server Ticket is valid. It then begins communicating using the User/Server session key.
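The exchanges on slides 4 to 10, plus the time-stamp check from the conclusions, as an added worked example that is not part of the original slides. It is a self-contained Python model: the "encryption" is a stdlib-only stand-in (HMAC-SHA256 keystream plus an HMAC tag) so the flow runs offline, the password-to-key step is a plain hash, and the user name alice, the service names tgs and appserver, and the 300-second ticket lifetime are all constructed assumptions.

```python
import hashlib
import hmac
import json
import os

NONCE_LEN, TAG_LEN = 16, 32

def _xor_keystream(key, nonce, data):
    # HMAC-SHA256 in counter mode as a keystream; a toy stand-in for a real cipher.
    stream, counter = bytearray(), 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def encrypt(key, obj):
    # Encrypt-then-MAC, so a receiver with the wrong key gets an error, not garbage.
    nonce = os.urandom(NONCE_LEN)
    ct = _xor_keystream(key, nonce, json.dumps(obj).encode())
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt(key, blob):
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(_xor_keystream(key, nonce, ct))

def key_from_password(password):
    # Toy password-to-key mapping (assumption; real Kerberos uses string2key with a salt).
    return hashlib.sha256(password.encode()).digest()

def check_ticket(ticket_body, authenticator, now):
    # Time-stamp check from the conclusions: an old ticket is useless even if decoded.
    if now > ticket_body["expires"]:
        raise ValueError("ticket expired")
    auth = decrypt(bytes.fromhex(ticket_body["session_key"]), authenticator)
    if auth["user"] != ticket_body["user"] or abs(now - auth["timestamp"]) > 300:
        raise ValueError("authenticator does not match ticket")

class KDC:
    """Authentication Server and Ticket Granting Server sharing one key DB."""
    def __init__(self, user_keys, service_keys, lifetime=300):
        self.user_keys, self.service_keys, self.lifetime = user_keys, service_keys, lifetime

    def _issue(self, user, service, now):
        # One session key: given to the user directly and to the service inside the ticket.
        skey, expires = os.urandom(32).hex(), now + self.lifetime
        to_user = {"session_key": skey, "service": service, "expires": expires}
        ticket = encrypt(self.service_keys[service],
                         {"session_key": skey, "user": user, "expires": expires})
        return to_user, ticket

    def authentication_server(self, user, now):
        to_user, tgt = self._issue(user, "tgs", now)
        return encrypt(self.user_keys[user], to_user), tgt  # only the real user can open this

    def ticket_granting_server(self, tgt, authenticator, service, now):
        tgt_body = decrypt(self.service_keys["tgs"], tgt)
        check_ticket(tgt_body, authenticator, now)
        to_user, ticket = self._issue(tgt_body["user"], service, now)
        return encrypt(bytes.fromhex(tgt_body["session_key"]), to_user), ticket

class AppServer:
    def __init__(self, key):
        self.key = key

    def accept(self, ticket, authenticator, now):
        body = decrypt(self.key, ticket)  # own key decrypts, and so authenticates, the ticket
        check_ticket(body, authenticator, now)
        return body["user"]  # from here on both sides share body["session_key"]

def client_flow(user, password, kdc, now):
    # Slides 4 to 9: AS exchange, then TGS exchange; returns service ticket and US key.
    user_key = key_from_password(password)
    enc_reply, tgt = kdc.authentication_server(user, now)
    as_reply = decrypt(user_key, enc_reply)  # a wrong password fails here (slide 6)
    tgs_key = bytes.fromhex(as_reply["session_key"])
    auth = encrypt(tgs_key, {"user": user, "timestamp": now})
    enc_reply2, service_ticket = kdc.ticket_granting_server(tgt, auth, "appserver", now)
    us_key = bytes.fromhex(decrypt(tgs_key, enc_reply2)["session_key"])
    return service_ticket, us_key

def use_service(app, user, service_ticket, us_key, now):
    # Slides 9 and 10: present the ticket plus an authenticator sealed with the US key.
    return app.accept(service_ticket, encrypt(us_key, {"user": user, "timestamp": now}), now)

def demo(password="correct horse", delay=0):
    # Constructed scenario: user alice, a TGS and one app server in the KDC's DB.
    now = 1_700_000_000
    service_keys = {"tgs": os.urandom(32), "appserver": os.urandom(32)}
    kdc = KDC({"alice": key_from_password("correct horse")}, service_keys)
    app = AppServer(service_keys["appserver"])
    try:
        ticket, us_key = client_flow("alice", password, kdc, now)
        return use_service(app, "alice", ticket, us_key, now + delay)
    except ValueError as err:
        return f"rejected: {err}"
```

`demo()` walks the whole flow and returns the authenticated user name; `demo(password="wrong")` fails at the very first decryption, which is the "if not the real user, cannot read" step, and `demo(delay=3600)` shows the time-stamp rule: a ticket presented after its lifetime is rejected even though it decrypts correctly. The design mirrors the slides in that no key ever crosses the network in the clear: every session key travels either under the user's key or inside a ticket sealed with the service's key.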
Slide 11: Conclusions
- No unencrypted messages across the net
- Not able to spoof either client OR server
- Time stamps on the session keys so that even if eventually decoded, they could not be used
- Point of failure is the DB where the Kerberos server is stored