Kerberos%20A%20network%20authentication%20protocol - PowerPoint PPT Presentation

About This Presentation
Title:

Kerberos%20A%20network%20authentication%20protocol

Description:

AFS Apache (with the mod_auth_kerb module) Apache 2 (using libapache-mod ... Any Java based software (since 1.4.2) using JAAS/JGSS can use Kerberos for security ... – PowerPoint PPT presentation

Number of Views:294
Avg rating:3.0/5.0
Slides: 16
Provided by: csGo
Category:

less

Transcript and Presenter's Notes

Title: Kerberos%20A%20network%20authentication%20protocol


1
KerberosA network authentication protocol
  • Nick Parker
  • CS372 Computer Networks

2
Introduction
  • Kerberos
  • Network Authentication Protocol
  • Mutual Network Authentication
  • Project Athena
  • Collaborative effort amongst MIT, Digital, and
    IBM
  • Support interoperability within large scale
    networks
  • Heterogeneous coherence

3
Kerberos in the field
  • AFS Apache (with the mod_auth_kerb module)
  • Apache 2 (using libapache-mod-auth-kerb)
  • Cisco routers and switches running IOS
  • Coda File System
  • Eudora
  • Mac OS X
  • Microsoft Windows (2000 and later) uses as
    default authentication protocol Mulberry, an
    e-mail client developed by Cyrusoft, Inc.
  • NFS (since NFSv3)
  • OpenSSH (with Kerberos v5 or higher)
  • PAM (with the pam_krb5 module)
  • Samba since v3.x
  • SOCKS (since SOCKS5)
  • Netatalk
  • The X Window System implementations
  • Indirectly, any software that allows the use of
    SASL for authentication, such as OpenLDAP,
    Dovecot IMAP4 and POP3 server, Postfix mail
    server
  • The Kerberos software suite also comes with
    kerberos-enabled clients and servers for rsh,
    FTP, and Telnet
  • Any Java based software (since 1.4.2) using
    JAAS/JGSS can use Kerberos for security

4
Problem
  • Network Resources
  • Multiple network resources
  • Heterogeneous resources
  • Identity/Credential management
  • Security risks associated with individual
    authentication
  • Result? Administrative Nightmare

5
Solution
  • Kerberos
  • Ticket based authentication system
  • Protocol - supports variance in local
    implementations
  • Innovation password is a shared secret.
  • Harnesses the speed and security of symmetric
    encryption
  • Caveat
  • Authentication server and Ticket granting server
    need to be trusted by both the client and the
    service

6
Under the Hood
  • User
  • PC, Workstation, PocketPC
  • Authentication Server
  • Issues a Ticket Granting Ticket (TGT)
  • Ticket Granting Server (TGS)
  • Issues tickets for Network Services
  • Network Service/Resource

7
Authentication Server
  • Issues a Ticket Granting Ticket (TGT)
  • User sends their username to server
  • Server responds with TGT encrypted with users
    password
  • User enters password on client if correct the
    TGT is successfully decrypted

8
Ticket Granting Server
  • Logically different from the AS, but may reside
    on the same server
  • User contacts when a network service is desired
  • Service ticket request encrypted with session key
    provided by the AS in the TGT, not users
    password
  • TGS authenticates ticket and issues a ticket for
    the resource as well as the encryption key to use
    with communication with the service

9
Network Service
  • Client sends resource ticket and authenticator to
    the service encrypted with client/service key
  • Service verifies both and issues a return message
    with a modified version of the timestamp the
    client sent in the authenticator encrypted with
    client/service key
  • Client views message if timestamp is modified
    correctly then service is genuine and ready to
    process request.

10
Authentication Walkthrough
  • A user enters a username and password on the
    client.
  • The client performs a one-way hash on the entered
    password, and this becomes the secret key of the
    client.
  • The client sends a clear-text message to the AS
    requesting services on behalf of the user. Sample
    Message "User XYZ would like to request
    services". Note Neither the secret key nor the
    password is sent to the AS.

11
Authentication Walkthrough (cont.)
  • The AS checks to see if the client is in its
    database. If it is, the AS sends back the
    following two messages to the client
  • Message A Client/TGS session key encrypted using
    the secret key of the user.
  • Message B Ticket-Granting Ticket (which includes
    the client ID, client network address, ticket
    validity period, and the client/TGS session key)
    encrypted using the secret key of the TGS.
  • Once the client receives messages A and B, it
    decrypts message A to obtain the client/TGS
    session key. This session key is used for further
    communications with TGS. (Note The client cannot
    decrypt the Message B, as it is encrypted using
    TGS's secret key.) At this point, the client has
    enough information to authenticate itself to the
    TGS.

12
Authentication Walkthrough (cont.)
  • When requesting services, the client sends the
    following two messages to the TGS
  • Message C Composed of the Ticket-Granting Ticket
    from message B and the ID of the requested
    service.
  • Message D Authenticator (which is composed of
    the client ID and the timestamp), encrypted using
    the client/TGS session key.
  • Upon receiving messages C and D, the TGS decrypts
    message D (Authenticator) using the client/TGS
    session key and sends the following two messages
    to the client
  • Message E Client-to-server ticket (which
    includes the client ID, client network address,
    validity period and Client/server session key)
    encrypted using the service's secret key.
  • Message F Client/server session key encrypted
    with the client/TGS session key.

13
Authentication Walkthrough (cont.)
  • Upon receiving messages E and F from TGS, the
    client has enough information to authenticate
    itself to the SS. The client connects to the SS
    and sends the following two messages
  • Message E from the previous step (the
    client-to-server ticket, encrypted using
    service's secret key).
  • Message G a new Authenticator, which includes
    the client ID, timestamp and is encrypted using
    client/server session key.
  • The SS decrypts the ticket using its own secret
    key and sends the following message to the client
    to confirm its true identity and willingness to
    serve the client
  • Message H the timestamp found in client's recent
    Authenticator plus 1, encrypted using the
    client/server session key.
  • The client decrypts the confirmation using the
    client/server session key and checks whether the
    timestamp is correctly updated. If so, then the
    client can trust the server and can start issuing
    service requests to the server. The server
    provides the requested services to the client.

14
Kerberos Operation
15
Questions and Discussion
Write a Comment
User Comments (0)
About PowerShow.com