Kerberos

CSCI 415 Computer and Network Security, Dr. Nazli Hardy. Adapted from Computer Security: Principles and Practice, Stallings and Lawrie Brown.

Slide 1: Lecture Outline, Internet Authentication Applications
- Kerberos (remote log-in)
- X.509 Directory Authentication Services
- S/MIME (Friday)
- PGP (Friday)
- Computer and Network Forensics (next week)

Slide 2: Internet Authentication Applications
- Some approaches organizations use to secure remote log-in to networked servers and hosts:
  - biometric facilities
  - systems that generate one-time passwords
- Problem with the above: they require specialized, expensive equipment (e.g., the DES gold card used by banks).
- Another solution is authentication software tied to a secure authentication server; this is the approach taken by Kerberos (MIT).
- Available both in the public domain and in commercially supported versions.
- Kerberos is widely used and very popular: the de facto standard for remote authentication.

Slide 3: Overall Scheme of Kerberos
- Third-party authentication service.
- Clients and servers both trust a Kerberos server to mediate their mutual authentication.
- [Figure: user at client, Kerberos server, remote server.]

Slide 4: Kerberos Overview
- Authentication Server (AS): the user initially negotiates with the AS to identify itself; the AS provides a non-corruptible authentication credential, the ticket-granting ticket (TGT).
- Ticket-Granting Server (TGS): the user subsequently requests access to other services from the TGS on the basis of its TGT.

Slide 5: How to send verification securely
- The user at the client should not have to send the password to the AS over the network.
- Kerberos should not have to send a plaintext message to the server to validate the client over the network.
- Some form of encryption should be used; in fact, DES is used.
- The AS shares a unique secret key with each server; these keys must be exchanged beforehand, physically or by some other secure manner.

Slide 6: User and Client interaction with AS
- [Figure only: message flow between the user, the client and the AS.]

Slide 7: Ticket-Granting Ticket (TGT)
This ticket contains:
- an indication that the AS has accepted this client and its user
- the user's ID
- the server's ID (for a TGT, the TGS)
- a timestamp
- a TTL (lifetime)
- a copy of the same session key sent in the outer message to the client
The entire ticket is encrypted using a secret DES key shared by the AS and the server (here the TGS), so the client, which does not hold that key, can neither read nor usefully alter it. (Caveat: encryption alone does not detect every modification; real Kerberos pairs the encryption with an integrity check, and the TGS should also verify the timestamp and TTL before honouring a ticket.)

Slide 8: Ticket-Granting Server (TGS)
- Recall that the AS served the client the secret session key (SK_session), encrypted under a key derived from the user's password; the same session key is also buried in the TGT.
- Recall that the TGT is encrypted with a secret DES key shared by the AS and the server (the TGS).

Slide 9: Server
- The TGT is thus decrypted by the server using the secret DES key it shares with the AS.
- When the TGT is decrypted, it reveals the session key.
- Remember, the client also has access to the session key (it recovered it from the outer message using its password-derived key), so client and server now share a key that never travelled over the network in the clear; the client proves it holds that key by sending an authenticator encrypted under it.
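The AS exchange (slides 5 to 7: session key sealed under the user's password-derived key, TGT sealed under the AS/TGS key) and the TGS exchange (slides 8 and 9: the TGS opens the TGT, recovers the session key and checks the client) as one worked example. This is added code, not from the lecture or from any Kerberos implementation. It assumes a toy encrypt-then-MAC cipher built from SHA-256 and HMAC in place of DES (illustration only, not for real use), made-up principals alice, krbtgt and mail, keys pre-shared out of band as slide 5 requires, and it adds the authenticator, TTL and clock-skew checks that real Kerberos performs but the slides only imply.

```python
"""Simplified Kerberos AS and TGS exchanges. Toy cipher (SHA-256 keystream + HMAC) stands in for DES."""
import hashlib
import hmac
import json
import os
import time

NONCE_LEN, TAG_LEN = 16, 32


def derive_key(password: str, realm: str = "EXAMPLE.EDU") -> bytes:
    """User's long-term key, derived from the password; the password itself never crosses the network."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), realm.encode(), 50_000)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:length]


def seal(key: bytes, fields: dict) -> bytes:
    """Encrypt-then-MAC a ticket or message; only a holder of `key` can open or alter it."""
    pt = json.dumps(fields, sort_keys=True).encode()
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()


def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, "sha256").digest(), tag):
        raise ValueError("wrong key or tampered ticket")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


class AuthServer:
    """AS: knows every user's long-term key and the key it shares with the TGS (pre-shared, constructed)."""

    def __init__(self, user_keys: dict, tgs_key: bytes, ttl: int = 8 * 3600):
        self.user_keys, self.tgs_key, self.ttl = user_keys, tgs_key, ttl

    def request(self, user_id: str, now: float):
        """AS reply: session key sealed under the user's key, plus the TGT sealed under the AS/TGS key."""
        session_key = os.urandom(32)
        tgt = seal(self.tgs_key, {"client": user_id, "server": "krbtgt", "ts": now,
                                  "ttl": self.ttl, "skey": session_key.hex()})
        outer = seal(self.user_keys[user_id], {"skey": session_key.hex(), "server": "krbtgt",
                                               "ts": now, "ttl": self.ttl})
        return outer, tgt


def client_session_key(password: str, outer: bytes) -> bytes:
    """Client side: only the right password opens the outer message; a wrong one fails the MAC check."""
    return bytes.fromhex(unseal(derive_key(password), outer)["skey"])


def authenticator(user_id: str, session_key: bytes, now: float) -> bytes:
    """Proves to the TGS that the client really holds the session key buried in the TGT."""
    return seal(session_key, {"client": user_id, "ts": now})


class TicketGrantingServer:
    """TGS: opens TGTs with the AS/TGS key and issues service tickets under each server's own key."""

    def __init__(self, tgs_key: bytes, server_keys: dict, max_skew: int = 300):
        self.tgs_key, self.server_keys, self.max_skew = tgs_key, server_keys, max_skew

    def request(self, tgt: bytes, auth: bytes, service_id: str, now: float):
        t = unseal(self.tgs_key, tgt)                      # decrypting the TGT reveals the session key
        if now > t["ts"] + t["ttl"]:
            raise ValueError("TGT expired")
        session_key = bytes.fromhex(t["skey"])
        a = unseal(session_key, auth)                      # client must know the same session key
        if a["client"] != t["client"] or abs(now - a["ts"]) > self.max_skew:
            raise ValueError("authenticator does not match TGT or is stale")
        service_key = os.urandom(32)
        ticket = seal(self.server_keys[service_id], {"client": t["client"], "server": service_id,
                                                     "ts": now, "ttl": t["ttl"], "skey": service_key.hex()})
        return seal(session_key, {"skey": service_key.hex(), "server": service_id}), ticket


def run_exchange(password: str = "correct horse", attempt: str = None, tamper_tgt: bool = False) -> bool:
    """Full login of 'alice' to service 'mail' (constructed principals); False wherever Kerberos refuses."""
    tgs_key, mail_key = os.urandom(32), os.urandom(32)    # shared out of band with the AS/TGS
    AS = AuthServer({"alice": derive_key(password)}, tgs_key)
    TGS = TicketGrantingServer(tgs_key, {"mail": mail_key})
    now = time.time()
    outer, tgt = AS.request("alice", now)
    try:
        skey = client_session_key(attempt if attempt is not None else password, outer)
        if tamper_tgt:                                    # flip one ciphertext byte of the TGT
            tgt = tgt[:20] + bytes([tgt[20] ^ 1]) + tgt[21:]
        reply, ticket = TGS.request(tgt, authenticator("alice", skey, now), "mail", now)
        # the mail server opens its ticket with its own key; the client opens the reply with the session key
        return (unseal(mail_key, ticket)["client"] == "alice"
                and unseal(skey, reply)["skey"] == unseal(mail_key, ticket)["skey"])
    except ValueError:
        return False
```

run_exchange() succeeds; run_exchange(attempt="wrong password") and run_exchange(tamper_tgt=True) both return False, and both fail at the same place: the MAC check in unseal. A wrong password produces the wrong key for the outer message, and a modified TGT no longer verifies under the AS/TGS key, which is what the slides mean by the password never leaving the client and the ticket being tamper-resistant.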