Transcript and Presenter's Notes

1
Kerberos
  • CS 470
  • Introduction to Applied Cryptography
  • Instructor Ali Aydin Selcuk

2
Kerberos
  • Cryptographic authentication for distributed
    systems
  • Based on symmetric-key authentication with a
    trusted Key Distribution Center (KDC)
  • Requirements
    • Security
    • Reliability
    • Transparency
    • Scalability

3
Kerberos
  • Advantages
    • secure authentication
    • single sign-on
    • secure data flow
  • Applications benefiting from Kerberos
    • telnet, ftp
    • BSD r-tools (rlogin, rsh, rcp)
    • NFS
    • others (pine, eudora, etc.)

4
Kerberos Keys
  • Each principal shares a master key with the KDC
  • K_A: Alice's master key. Used only for the initial
    authentication
  • S_A: Alice's session key. Created after the initial
    authentication and used instead of K_A from then on.
  • K_AB: Alice-Bob session key.
  • Ticket Granting Ticket (TGT)
    • issued to Alice by the KDC after login
    • contains S_A encrypted with K_KDC (the KDC's own
      key), so only the KDC can read it
    • used to obtain the session key K_AB

5
Logging into the Network
  • (doesn't protect against dictionary attacks by an
    eavesdropper: the reply K_A{S_A, TGT} can be tested
    offline against password guesses, since K_A is
    derived from Alice's password)
  • Message flow (reconstructed from the slide's diagram):
    • Alice -> Alice's terminal: Alice, pwd
    • Alice's terminal -> KDC: "Alice needs a TGT"
    • KDC -> Alice's terminal: K_A{S_A, TGT}
6
Logging into the Network (cont'd)
  • The workstation
    • converts Alice's password into a DES key (K_A)
    • when it receives the credentials from the KDC,
      decrypts them using this DES key
    • if they decrypt correctly, authentication is
      successful
    • discards Alice's master key, retains S_A and the TGT
  • The TGT contains all the information the KDC needs
    about Alice's session, hence the KDC can work
    without remembering any volatile data.

7
Accessing a Remote Principal
  • Alice types: rlogin Bob
  • Message flow (reconstructed from the slide's diagram):
    • Alice's workstation -> KDC: Alice, Bob, TGT, S_A{timestamp}
    • KDC -> Alice's workstation: S_A{Bob, K_AB, K_B{Alice, K_AB}}
    • Alice's workstation -> Bob: K_B{Alice, K_AB}, K_AB{timestamp}
    • Bob -> Alice: K_AB{timestamp+1}
  • Afterwards, the traffic between Alice & Bob can be
    • unprotected
    • authenticated
    • encrypted & authenticated
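The login, ticket-granting and service-access exchanges of slides 4 through 7, together with the offline dictionary attack the login slide warns about, as an added Python example that is not part of the original slides. It uses only the standard library: the DES of Kerberos v4 is replaced by a stand-in authenticated cipher built from HMAC-SHA256 (an assumption for illustration; its HMAC tag plays the role of the "decrypts correctly" check), the password-to-key function is SHA-256 (also an assumption; v4 used a DES string-to-key routine), and the names KDC, workstation_login, access_service, server_handle_ap_req, run_session and dictionary_attack are hypothetical.

```python
import hashlib
import hmac
import json
import os
import time
# Stand-in for the DES of Kerberos v4 (assumption, illustration only): HMAC-SHA256 keystream
# in counter mode plus an HMAC tag, so "decrypts correctly" is a testable property.
def _keystream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def encrypt(key, obj):                          # K{obj} in the slides' notation
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("does not decrypt correctly (wrong key or tampered)")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def password_to_key(password):                  # K_A from Alice's password (SHA-256: assumption)
    return hashlib.sha256(password.encode()).digest()
MAX_SKEW = 300                                  # seconds an authenticator timestamp may be off

class KDC:
    def __init__(self):
        self.master_keys = {}                   # principal -> master key shared with the KDC
        self.k_kdc = os.urandom(32)             # K_KDC: only the KDC can open a TGT

    def login(self, name):
        # "Alice needs a TGT": v4 replies before any proof of the password, so an
        # eavesdropper (or anyone) gets K_A{S_A, TGT} to test guesses against offline.
        s_a = os.urandom(32)
        tgt = encrypt(self.k_kdc, {"client": name, "session_key": s_a.hex(),
                                   "expires": time.time() + 8 * 3600})
        return encrypt(self.master_keys[name], {"session_key": s_a.hex(), "tgt": tgt.hex()})

    def get_service_ticket(self, client, server, tgt_hex, authenticator):
        tgt = decrypt(self.k_kdc, bytes.fromhex(tgt_hex))   # the TGT carries all session state
        if tgt["client"] != client or time.time() > tgt["expires"]:
            raise PermissionError("TGT invalid or expired")
        s_a = bytes.fromhex(tgt["session_key"])
        if abs(time.time() - decrypt(s_a, authenticator)["timestamp"]) > MAX_SKEW:
            raise PermissionError("stale authenticator")  # S_A{timestamp} skew/replay check
        k_ab = os.urandom(32)
        ticket = encrypt(self.master_keys[server], {"client": client, "session_key": k_ab.hex()})
        return encrypt(s_a, {"server": server, "session_key": k_ab.hex(), "ticket": ticket.hex()})

def workstation_login(kdc, name, password):
    k_a = password_to_key(password)
    creds = decrypt(k_a, kdc.login(name))       # wrong password -> ValueError, login fails
    del k_a                                      # master key discarded; only S_A and the TGT are kept
    return bytes.fromhex(creds["session_key"]), creds["tgt"]

def access_service(kdc, client, s_a, tgt_hex, server):
    authenticator = encrypt(s_a, {"timestamp": time.time()})
    reply = decrypt(s_a, kdc.get_service_ticket(client, server, tgt_hex, authenticator))
    k_ab, ts = bytes.fromhex(reply["session_key"]), time.time()
    ap_req = (bytes.fromhex(reply["ticket"]), encrypt(k_ab, {"timestamp": ts}))  # K_B{Alice, K_AB}, K_AB{ts}
    return k_ab, ts, ap_req

def server_handle_ap_req(server_key, ap_req):
    ticket, authenticator = ap_req
    t = decrypt(server_key, ticket)              # only Bob can open K_B{Alice, K_AB}
    k_ab = bytes.fromhex(t["session_key"])
    ts = decrypt(k_ab, authenticator)["timestamp"]
    if abs(time.time() - ts) > MAX_SKEW:
        raise PermissionError("stale authenticator")
    return t["client"], k_ab, encrypt(k_ab, {"timestamp": ts + 1})   # AP_REP: K_AB{timestamp+1}

def run_session(password="correct horse battery", server="bob"):
    kdc, k_bob = KDC(), os.urandom(32)
    kdc.master_keys["alice"], kdc.master_keys[server] = password_to_key(password), k_bob
    s_a, tgt = workstation_login(kdc, "alice", password)
    k_ab, ts, ap_req = access_service(kdc, "alice", s_a, tgt, server)
    client, k_ab_bob, ap_rep = server_handle_ap_req(k_bob, ap_req)
    mutual = decrypt(k_ab, ap_rep)["timestamp"] == ts + 1   # Alice now knows Bob holds K_AB
    return client, k_ab == k_ab_bob, mutual

def dictionary_attack(as_reply, candidates):
    # Eavesdropper's view of the login is K_A{S_A, TGT}; a guess that decrypts correctly is the password.
    for pwd in candidates:
        try:
            decrypt(password_to_key(pwd), as_reply)
            return pwd
        except ValueError:
            continue
    return None

if __name__ == "__main__":
    print(run_session())                        # ('alice', True, True)
    kdc = KDC()
    kdc.master_keys["alice"] = password_to_key("secret1")
    print(dictionary_attack(kdc.login("alice"), ["letmein", "secret1", "hunter2"]))  # secret1
```

Two points worth noticing when reading the code against the slides: the KDC keeps no per-session table, because everything it needs comes back inside the TGT it sealed under K_KDC; and the dictionary attack needs nothing but one captured login reply, which is exactly why Kerberos v5 added pre-authentication (proving knowledge of the password before the KDC hands out the encrypted credentials).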
8
Replicated KDCs
  • A single KDC would be
    • a performance bottleneck
    • a single point of failure
  • Have multiple replicas of the KDC, each with a copy
    of the database and the master key
  • Any replica can serve as KDC for authentication
  • Only one KDC (the master copy) handles additions &
    deletions of principals (for consistency); its
    changes are propagated to the replicas

9
Multiple Realms
  • KDC_A & KDC_B must have registered with each other
    (i.e., they share an inter-realm key)
  • Chains longer than two KDCs are not allowed (v4)
  • Message flow (reconstructed from the slide's diagram):
    • Alice -> KDC_A: Alice, KDC_B (request a ticket for KDC_B)
    • KDC_A -> Alice: ticket to KDC_B
    • Alice -> KDC_B: Alice, Bob (presenting the ticket to KDC_B)
    • KDC_B -> Alice: ticket to Bob
    • Alice -> Bob: AP_REQ
10
Kerberos v5
  • Platform-independent encoding (ASN.1)
  • Support for non-IP addresses
  • Encryption algorithms other than DES
  • Delegation of rights
  • Hierarchy of realms
  • Extended ticket lifetime
  • Has public-key extensions (e.g., SESAME, Win2000)