Netprog: Kerberos 1
Kerberos
• Part of project Athena (MIT).
• Trusted 3rd party authentication scheme.
• Assumes that hosts are not trustworthy.
• Requires that each client (each request for service) prove its identity.
• Does not require user to enter password every time a service is requested!

Netprog: Kerberos 2
Kerberos Design
• User must identify itself once at the beginning of a workstation session (login session).
• Passwords are never sent across the network in cleartext (or stored in memory).

Netprog: Kerberos 3
Kerberos Design (cont.)
• Every user has a password.
• Every service has a password.
• The only entity that knows all the passwords is the Authentication Server.

Netprog: Kerberos 4
Kerberos Key Distribution Service
[Diagram: Workstations, Authentication Server, Ticket Granting Server, Kerberos Database, Servers]

Netprog: Kerberos 5
Secret Key Cryptography
• The encryption used by current Kerberos implementations is DES, although Kerberos V5 has hooks so that other algorithms can be used.
[Diagram: plaintext + key → encryption → ciphertext; ciphertext + key → decryption → plaintext]

Netprog: Kerberos 6
Tickets
• Each request for a service requires a ticket.
• A ticket provides a single client with access to a single server.

Netprog: Kerberos 7
Tickets (cont.)
• Tickets are dispensed by the “Ticket Granting Server” (TGS), which has knowledge of all the encryption keys.
• Tickets are meaningless to clients; they simply use them to gain access to servers.

Netprog: Kerberos 8
Tickets (cont.)
• The TGS seals (encrypts) each ticket with the secret encryption key of the server.
• Sealed tickets can be sent safely over a network - only the server can make sense out of it.
• Each ticket has a limited lifetime (a few hours).

Netprog: Kerberos 9
Ticket Contents
• Client name (user login name)
• Server name
• Client Host network address
• Session Key for Client/Server
• Ticket lifetime
• Creation timestamp

Netprog: Kerberos 10
Session Key
• Random number that is specific to a session.
• Session Key is used to seal client requests to server.
• Session Key can be used to seal responses (application specific usage).

Netprog: Kerberos 11
Authenticators
• Authenticators prove a client’s identity.
• Includes:
  – Client user name.
  – Client network address.
  – Timestamp.
• Authenticators are sealed with a session key.

Netprog: Kerberos 12
Bootstrap
• Each time a client wants to contact a server, it must first ask the 3rd party (TGS) for a ticket and session key.
• In order to request a ticket from the TGS, the client must already have a TG ticket and a session key for communicating with the TGS!

Netprog: Kerberos 13
Authentication Server
• The client sends a plaintext request to the AS asking for a ticket it can use to talk to the TGS.
• REQUEST:
  – login name
  – TGS name
Since this request contains only well-known names, it does not need to be sealed.

Netprog: Kerberos 14
Authentication Server
• The AS finds the keys corresponding to the login name and the TGS name.
• The AS creates a ticket:
  – login name
  – TGS name
  – client network address
  – TGS session key
• The AS seals the ticket with the TGS secret key.

Netprog: Kerberos 15
Authentication Server Response
• The AS also creates a random session
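The ticket, session key and authenticator machinery of slides 8 through 14 modelled in Python, as an added example that is not part of the original slides: the AS seals a ticket (slide 9 contents) with the server's secret key, the client seals an authenticator under the session key, and the server unseals both and checks address, lifetime and freshness. The `seal`/`unseal` helper is a constructed stand-in for the DES sealing the slides mention, and the keys, names, addresses and 5-minute clock skew are constructed values.

```python
import hashlib, hmac, json, os

def _keystream(key, nonce, n):
    out = b""
    for ctr in range((n + 31) // 32):
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
    return out[:n]

def seal(key, obj):
    """Toy stand-in for the DES sealing the slides describe: keyed keystream
    XOR plus an HMAC tag, so only the key holder can read or accept the blob."""
    data = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    body = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    return nonce + body + hmac.new(key, nonce + body, "sha256").digest()

def unseal(key, blob):
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, "sha256").digest()):
        raise ValueError("not sealed with this key")
    return json.loads(bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body)))))

# Constructed keys: the AS is the only party holding all of them (slide 3).
KEYS = {"alice": b"alice-key", "krbtgt": b"tgs-secret-key", "fileserver": b"fs-secret-key"}

def issue_ticket(client, server, client_addr, now, lifetime=8 * 3600):
    """AS/TGS builds the ticket of slide 9 and seals it with the server's
    secret key (slides 8, 14); returns the sealed ticket plus session key."""
    session_key = os.urandom(16).hex()
    ticket = {"client": client, "server": server, "addr": client_addr,
              "session_key": session_key, "lifetime": lifetime, "created": now}
    return seal(KEYS[server], ticket), session_key

def make_authenticator(client, client_addr, session_key, now):
    """Client proves identity (slide 11): name, address, timestamp under the session key."""
    return seal(bytes.fromhex(session_key),
                {"client": client, "addr": client_addr, "timestamp": now})

def server_accepts(server, sealed_ticket, authenticator, peer_addr, now, skew=300):
    """Server side: unseal with its own key, check lifetime, then check the
    authenticator matches the ticket and the peer and is fresh (skew is assumed)."""
    try:
        t = unseal(KEYS[server], sealed_ticket)
        a = unseal(bytes.fromhex(t["session_key"]), authenticator)
    except ValueError:
        return False
    if not t["created"] <= now <= t["created"] + t["lifetime"]:
        return False
    return (a["client"] == t["client"] and a["addr"] == t["addr"] == peer_addr
            and abs(a["timestamp"] - now) <= skew)
```

Calling `issue_ticket("alice", "krbtgt", addr, now)` models the AS exchange of slides 13 and 14; the same function with a service name models the TGS handing out a service ticket.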
ODU CS 772 - Kerberos