Presentation of Kerberos as per ECE scheme
DeepanshuMidha5140
22 views
28 slides
May 07, 2024
Slide 1 of 28
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
About This Presentation
Kerberos
Slide Content
KERBEROS
KERBEROS
Authentication service designed for use in a
distributed environment.
Developed as part of project Athena at MIT.
Authentication service designed for use in a
distributed environment.
Developed as part of project Athena at MIT.
ATTACKS ON OPEN DISTRIBUTED
ENVIRONMENT
Impersonation
Altering of address of workstation
Entrance into the network
ENVIRONMENT
Impersonation
Altering of address of workstation
Entrance into the network
FUNDAMENTAL REQUIREMENT IN AN
AUTHENTICATION SERVICE
Secure
Reliable
Transparent
Scalable
AUTHENTICATION SERVICE
Secure
Reliable
Transparent
Scalable
TWO VERSIONS OF KERBEROS
Kerberos v4 (developed in 1988) is still in common use
Kerberos v5 (1994) corrects some security deficiencies of
version 4 and has been issued a draft internet standard
(RFC 1510)
Kerberos v4 (developed in 1988) is still in common use
Kerberos v5 (1994) corrects some security deficiencies of
version 4 and has been issued a draft internet standard
(RFC 1510)
KERBEROS 4
It uses DES
An authentication server (AS) is used which
stores the passwords of all users and also shares
a unique secret key with each user.
It uses DES
An authentication server (AS) is used which
stores the passwords of all users and also shares
a unique secret key with each user.
SIMPLE AUTHENTICATION DIALOGUE
1.C →AS: ID
C|| P
C|| ID
V
2.AS→C: Ticket
3.C→V : ID
C || Ticket
Ticket = E(Kv,[ID
C
|| AD
C|| ID
V])
C = Client
AS = authentication server
V = server
ID
C= identifier of user on C
ID
V= identifier of V
P
C= password of user on C
AD
C= network address of C
K
V= secret encryption key shared by AS and V
1.C →AS: ID
C|| P
C|| ID
V
2.AS→C: Ticket
3.C→V : ID
C || Ticket
Ticket = E(Kv,[ID
C
|| AD
C|| ID
V])
C = Client
AS = authentication server
V = server
ID
C= identifier of user on C
ID
V= identifier of V
P
C= password of user on C
AD
C= network address of C
K
V= secret encryption key shared by AS and V
DRAWBACKS
Users password is unprotected.
User has to login every time he request for
service.
These can be removed by using a more secure
scheme. It uses a new server TGS.
Users password is unprotected.
User has to login every time he request for
service.
These can be removed by using a more secure
scheme. It uses a new server TGS.
TICKET GRANTING SERVER
Issues ticket to users authenticated to AS.
Ticket granting ticket is issued by AS.
Each time the user require access to a new
service, the client applies to the TGS, using the
ticket.
Then TGS grants a ticket for a particular service.
Issues ticket to users authenticated to AS.
Ticket granting ticket is issued by AS.
Each time the user require access to a new
service, the client applies to the TGS, using the
ticket.
Then TGS grants a ticket for a particular service.
A MORE SECURE AUTHENTICATION DIALOGUE
Once per service session:
(1) C →AS: ID
C || ID
tgs
(2) AS→C:E(K
C,[Ticket
tgs])
Once per type of service:
(3) C→TGS: ID
C || ID
´V || Ticket
tgs
(4) TGS→C: Ticket
V
Once per service session:
(5) C→V:Ticket
V || ID
´C
Ticket
tgs= E(Ktgs,[ID
C|| AD
C|| ID
tgs || TS
1 ||
Lifetime
1])
Ticket
V= E(Kv, [ID
C|| AD
C|| ID
V || TS
2 ||
Lifetime
2])
Once per service session:
(1) C →AS: ID
C || ID
tgs
(2) AS→C:E(K
C,[Ticket
tgs])
Once per type of service:
(3) C→TGS: ID
C || ID
´V || Ticket
tgs
(4) TGS→C: Ticket
V
Once per service session:
(5) C→V:Ticket
V || ID
´C
Ticket
tgs= E(Ktgs,[ID
C|| AD
C|| ID
tgs || TS
1 ||
Lifetime
1])
Ticket
V= E(Kv, [ID
C|| AD
C|| ID
V || TS
2 ||
Lifetime
2])
THE VERSION 4 AUTHENTICATION
DIALOGUE:
Two additional problems remain in the second scenario:
1. Lifetime associated with the ticket-granting ticket:
Short Lifetime: User is repeatedly asked for password
Long Lifetime: Greater opportunity for replay
2. Requirement for servers to authenticate themselves to
users
DIALOGUE:
Two additional problems remain in the second scenario:
1. Lifetime associated with the ticket-granting ticket:
Short Lifetime: User is repeatedly asked for password
Long Lifetime: Greater opportunity for replay
2. Requirement for servers to authenticate themselves to
users
ELEMENTS OF KERBEROS VERSION 4
PROTOCOL
PROTOCOL
1.Authentication Service Exchange: to obtain ticket-
granting ticket
2.Ticket-Granting Service Exchange: to obtain service-
granting ticket
3.Client/Server Authentication Exchange: to obtain
service
granting ticket
2.Ticket-Granting Service Exchange: to obtain service-
granting ticket
3.Client/Server Authentication Exchange: to obtain
service
AUTHENTICATION SERVICE EXCHANGE
1. C → AS ID
c||ID
tgs||TS
1
Client requests ticket-granting ticket
2. AS → C E(K
c,[K
c,tgs||ID
tgs||TS
2||Lifetime
2||Ticket
tgs])
Ticket
tgs=E(K
tgs, [K
c,tgs||ID
c||AD
c||ID
tgs||TS
2||Lifetime
2])
AS returns ticket-granting ticket
1. C → AS ID
c||ID
tgs||TS
1
Client requests ticket-granting ticket
2. AS → C E(K
c,[K
c,tgs||ID
tgs||TS
2||Lifetime
2||Ticket
tgs])
Ticket
tgs=E(K
tgs, [K
c,tgs||ID
c||AD
c||ID
tgs||TS
2||Lifetime
2])
AS returns ticket-granting ticket
TICKET-GRANTING SERVICE EXCHANGE
3. C → TGS ID
v||Ticket
tgs||Authenticator
c
Authenticator
c=E(K
c,tgs,[ID
c||AD
c||TS
3])
Client requests service-granting ticket
4. TGS → C E(K
c,tgs, [K
c,v||ID
v||TS
4||Ticket
v])
Ticket
v= E(K
v,[K
c,v||ID
c||AD
c||ID
v||TS
4||Lifetime
4])
TGS returns service-granting ticket
3. C → TGS ID
v||Ticket
tgs||Authenticator
c
Authenticator
c=E(K
c,tgs,[ID
c||AD
c||TS
3])
Client requests service-granting ticket
4. TGS → C E(K
c,tgs, [K
c,v||ID
v||TS
4||Ticket
v])
Ticket
v= E(K
v,[K
c,v||ID
c||AD
c||ID
v||TS
4||Lifetime
4])
TGS returns service-granting ticket
CLIENT/SERVER AUTHENTICATION
EXCHANGE
5. C → V Ticket
v||Authenticator
c
Ticket
v=E(K
v,[K
c,v||ID
c||AD
c||ID
v||TS
4||Lifetime
4])
Authenticator
c=E(K
c,v,[ID
c||AD
c||TS
5])
Client requests service
6. V → C E(K
c,v,[TS
5+1])
Optional authentication of server to client
EXCHANGE
5. C → V Ticket
v||Authenticator
c
Ticket
v=E(K
v,[K
c,v||ID
c||AD
c||ID
v||TS
4||Lifetime
4])
Authenticator
c=E(K
c,v,[ID
c||AD
c||TS
5])
Client requests service
6. V → C E(K
c,v,[TS
5+1])
Optional authentication of server to client
KERBEROS REALMS
Requirements of a full-service Kerberos environment:
All users registered with the Kerberos server
All servers registered with the Kerberos server
The two Kerberos servers registered with each other (to support
interrealm authentication)
Requirements of a full-service Kerberos environment:
All users registered with the Kerberos server
All servers registered with the Kerberos server
The two Kerberos servers registered with each other (to support
interrealm authentication)
REQUEST FOR SERVICE IN ANOTHER REALM
1.Request ticket for local TGS
C → AS ID
c||ID
tgs||TS
1
2.Ticket for local TGS
AS → C E(K
c,[K
c,tgs||ID
tgs||TS
2||Lifetime
2||Ticket
tgs])
3.Request ticket for remote TGS
C → TGS ID
tgsrem||Ticket
tgs||Authenticator
c
4.Ticket for remote TGS
TGS → C E(K
c,tgs,[K
c,tgsrem||ID
tgsrem||TS
4||Ticket
tgsrem])
C → AS ID
c||ID
tgs||TS
1
2.Ticket for local TGS
AS → C E(K
c,[K
c,tgs||ID
tgs||TS
2||Lifetime
2||Ticket
tgs])
3.Request ticket for remote TGS
C → TGS ID
tgsrem||Ticket
tgs||Authenticator
c
4.Ticket for remote TGS
TGS → C E(K
c,tgs,[K
c,tgsrem||ID
tgsrem||TS
4||Ticket
tgsrem])
5.Request ticket for remote server
C → TGS
rem ID
vrem||Ticket
tgsrem||Authenticator
c
6.Ticket for remote server
TGS
rem → C E(K
c,tgsrem,[K
c,vrem||ID
vrem||TS
6||Ticket
vrem])
7.Request remote service
C → V
rem Ticket
vrem||Authenticator
c
However, this approach does not scale well to many realms. For N realms,
there must be N(N-1)/2 secure key exchanges between realms
C → TGS
rem ID
vrem||Ticket
tgsrem||Authenticator
c
6.Ticket for remote server
TGS
rem → C E(K
c,tgsrem,[K
c,vrem||ID
vrem||TS
6||Ticket
vrem])
7.Request remote service
C → V
rem Ticket
vrem||Authenticator
c
However, this approach does not scale well to many realms. For N realms,
there must be N(N-1)/2 secure key exchanges between realms
KERBEROS V5
General purpose authentication service
Specified in RFC-4120
Overcome the shortcomings of v4
General purpose authentication service
Specified in RFC-4120
Overcome the shortcomings of v4
SHORTCOMING OF V4
Environmental Shortcomings
-Related to the architecture of network
Technical Shortcomings :
- Deficiencies in the v4 itself
Environmental Shortcomings
-Related to the architecture of network
Technical Shortcomings :
- Deficiencies in the v4 itself
KERBEROS V4 ENVIRONMENTAL
SHORTCOMINGS
Encryption System Dependence
Internet Protocol Dependence
Message by ordering
Ticket Lifetime
Authentication Forwarding
Inter-realm Authentication
SHORTCOMINGS
Encryption System Dependence
Internet Protocol Dependence
Message by ordering
Ticket Lifetime
Authentication Forwarding
Inter-realm Authentication
KERBEROS V4 TECHNICAL
SHORTCOMINGS
Double Encryption
Propagation Cipher Block Chaining Encryption
Session Keys
Password Attacks
SHORTCOMINGS
Double Encryption
Propagation Cipher Block Chaining Encryption
Session Keys
Password Attacks
KERBEROS V5 EXCHANGES
KERBEROS V5 FLAGS
CONCLUSION
Version 5 of Kerberos is a step toward the design
of an authentication system that is widely
applicable.
We believe the framework is flexible enough to
accommodate future requirements like
1.Smart Cards
2.Remote Administration
Version 5 of Kerberos is a step toward the design
of an authentication system that is widely
applicable.
We believe the framework is flexible enough to
accommodate future requirements like
1.Smart Cards
2.Remote Administration
Tags
Categories
GeneralDownload
Download Slideshow Get the original presentation fileQuick Actions
Statistics
- Views 22
- Slides 28
- Age 573 days
Related Slideshows
22
Pray For The Peace Of Jerusalem and You Will Prosper
RodolfoMoralesMarcuc
30 views
26
Don_t_Waste_Your_Life_God.....powerpoint
chalobrido8
32 views
31
VILLASUR_FACTORS_TO_CONSIDER_IN_PLATING_SALAD_10-13.pdf
JaiJai148317
30 views
14
Fertility awareness methods for women in the society
Isaiah47
29 views
35
Chapter 5 Arithmetic Functions Computer Organisation and Architecture
RitikSharma297999
26 views
5
syakira bhasa inggris (1) (1).pptx.......
ourcommunity56
28 views