Kerberos for Distributed System Security - Omal Perera
Download as PPTX, PDF2 likes499 views
The document provides an overview of the Kerberos authentication protocol, detailing its history, components, advantages, and disadvantages. Developed at MIT, Kerberos utilizes a trusted third party for secure authentication while avoiding password transmission over networks. Key features include a Key Distribution Center (KDC) for managing tickets and a strong emphasis on security despite certain vulnerabilities and reliance on a central server.
Kerberos for Distributed System Security - Omal Perera
- 1. KERBEROS 1 O m a l P e r e r a o m a l p e r e r a . g i t h u b . i o Undergraduate, BSc. (Special) Information Systems. CCNA (640-802)
- 2. Content ● Introduction ● History ● Why Kerberos ● Authenticating using Kerberos ● Kerberos components ● Application of Kerberos ● Advantages ● Disadvantages ● Firewall vs Kerberos? ● References 2
- 3. Introduction ● A protocol for authentication ● Developed at MIT in the mid 1980’s ● Uses tickets to authenticate ● Avoids saving passwords locally ● Avoids sending passwords over the internet ● Involves a trusted third party ● Built on symmetric-key cryptography 3
- 4. History ● Initially developed to protect network services provided by Project Athena ● Protocol is based on Needham-Schroeder symmetric key protocol ● Versions 1-3 occurred only internally at MIT ● Version 4 was designed by Steve Miller and Clifford Neuman in late 1980s ● Version 5 was designed by Neuman and Kohl in 1993 4
- 5. Why Kerberos? ● Kerberos is mature ● Kerberos meets the requirements of modern distributed systems ● Kerberos is architecturally sound ● Kerberos is already in place 5
- 6. Authenticating using Kerberos Fig 1 - Steps to authenticate 6
- 9. Key Distribution Center (KDC) ● One Kerberos server one region ● Distribution Center contains the ○ Authentication Service ○ the Ticket-Granting Service ○ master database for Kerberos ● Services are implemented as a single daemon 9 Authentication Service ● handles user authentication / verifying that principals are correctly identified ● Consists Servers in the KDC + security clients ● security server accesses the registry database to perform queries then updates and to validate user logins
- 10. Ticket-Granting Service ● Once authenticated, a principal will be granted a TGT and a ticket session key ● Your credentials = ticket + its associated key ● credentials are stored in a credentials cache, a file in a directory in the principle 10 The Kerberos Database ● Database contains all of the ○ realm’s Kerberos principals their passwords ○ other administrative information about each principal ● The master KDC contains the primary copy of the database, which it propagates at regular intervals to the slave KDCs
- 12. Kerberos Utility Programs ● OpenVMS provides different user interface programs ○ original UNIX style ○ DCL version ○ X Windows version 12 Kerberos Registry ● Kerberos registry can be manipulated in several ways ● It is initially created via the KRB$CONFIGURE ● Other tools ● Kadmin - kinit - Klist ● Kdestroy - Kpasswd -kdb5_util - Dumps or loads the Kerberos database for save and restore
- 13. Applications of Kerberos ● Microsoft Windows ● Email, FTP, network file systems, other applications have been kerberized ● Local authentication ● Authentication for network protocols ● Secure windows systems 13
- 14. Advantages ● Passwords are never sent across the network unencrypted ● Client and application services mutually authenticated ● Tickets have a limited lifetime ● Authentication through Authentication Service has to happen only once ● Sharing secret keys is more efficient than public keys 14
- 15. Disadvantages ● Single point of failure. it requires continuous availability of a central server ● Only provides authentication for clients and services ● Vulnerable to users making poor password choices ● Has strict time requirements 15
- 16. Firewall vs Kerberos? ● Firewalls ○ Assumes that the bad guys are from outside ○ But real threats are from insiders ● Kerberos ○ assumes that network connections are the weak link in network security ○ Strong authentication compared to firewalls 16
- 17. References ● http://h41379.www4.hpe.com/doc/83final/ba554_90008/ch01s03.html ● https://docs.oracle.com/cd/E18752_01/html/816-4557/intro-27.html ● https://people.eecs.berkeley.edu/~fox/summaries/glomop/kerb_limit.html ● http://searchsecurity.techtarget.com/news/1308058/Kerberos-Authentication-with-some-drawbacks ● https://www.ibm.com/support/knowledgecenter/SSPREK_9.0.3/com.ibm.isam.doc/wrp_config/reference/ref_s pnego_authe_lim.html ● https://www.slideshare.net/dotanp/kerberos-explained ● http://web.mit.edu/sipb/doc/working/guide/guide/node20.html ● https://www.kerberos.org/about/FAQ.html ● http://computing.help.inf.ed.ac.uk/why-do-we-need-kerberos 17
- 18. Copyrights ○ All the images, figures are credited to its original authors. ○ Presentation is for educational use. ○ Cover page image – https://www.freepik.com/ 18
- 19. 19
Editor's Notes
- #3: {{#Omal Perera, #omalperera, #kerberos, #distributedSystems, #security, #CCNA}}
- #4: {{#Omal Perera, #omalperera, #kerberos, #distributedSystems, #security, #CCNA}}
- #5: {{#Omal Perera, #omalperera, #kerberos, #distributedSystems, #security, #CCNA}}
- #6: {{#Omal Perera, #omalperera, #kerberos, #distributedSystems, #security, #CCNA}}
- #7: {{#Omal Perera, #omalperera, #kerberos, #distributedSystems, #security, #CCNA}}
- #8: {{#Omal Perera, #omalperera, #kerberos, #distributedSystems, #security, #CCNA}}
- #9: {{#Omal Perera, #omalperera, #kerberos, #distributedSystems, #security, #CCNA}}
- #10: {{#Omal Perera, #omalperera, #kerberos, #distributedSystems, #security, #CCNA}}
- #11: {{#Omal Perera, #omalperera, #kerberos, #distributedSystems, #security, #CCNA}}
- #12: {{#Omal Perera, #omalperera, #kerberos, #distributedSystems, #security, #CCNA}}
- #13: {{#Omal Perera, #omalperera, #kerberos, #distributedSystems, #security, #CCNA}}
- #14: Local Autentication - login using su in OpenBSD Autentication Local Network - Remote login - Remote shell Secure Windows Systems -SSP security support Provider – API system used in windows {{#Omal Perera, #omalperera, #kerberos, #distributedSystems, #security, #CCNA}}
- #15: {{#Omal Perera, #omalperera, #kerberos, #distributedSystems, #security, #CCNA}}
- #16: {{#Omal Perera, #omalperera, #kerberos, #distributedSystems, #security, #CCNA}}
- #17: {{#Omal Perera, #omalperera, #kerberos, #distributedSystems, #security, #CCNA}}
- #18: {{#Omal Perera, #omalperera, #kerberos, #distributedSystems, #security, #CCNA}}
- #19: {{#Omal Perera, #omalperera, #kerberos, #distributedSystems, #security, #CCNA}}
- #20: {{#Omal Perera, #omalperera, #kerberos, #distributedSystems, #security, #CCNA}}