Network Security and Kerberos
Project Team: Tweety
Member: Arlene S. Yetnikoff

Topics of Discussion
- General Network Security
- Introduction to Kerberos

Network Objectives
- Message received as sent
- Delivery on time
- Message protected as needed
Network Security: Challenges
[Diagram: PREVIOUS - access paths ran only through the application and system software layers. PRESENT - once the network is in the picture, "Access here!" appears at every layer.]
Network Risks
- Integrity
  - completeness
  - accuracy
- Confidentiality
  - authentication
  - authorization
- Availability
- Relevance
- Infrastructure

Authentication
- Something you know
- Something you have
- Something you are

Passwords
- Can be made secure in a stand-alone environment
- Subject to sniffing attacks when used over a network
- Network password solutions often include encryption techniques
Encryption Techniques
- Symmetric - Secret Key: the same key for encryption and decryption. Tends to be fast and is good for data encryption. However, the key management issues associated with secret key can be significant.
  e.g. DES = Data Encryption Standard
- Asymmetric - Public/Private Key: a publicly known key for encryption and a private key for decryption (or vice versa). Tends to be slow and is generally only useful for encrypting small amounts of data (such as passwords, PINs and symmetric keys).
  e.g. RSA = Rivest, Shamir, Adleman
  PGP = Pretty Good Privacy (Phil Zimmermann)
Public Key Encryption
[Diagram: User A encrypts the message with User B's public key; the encrypted message travels to User B, who decrypts it with User B's private key.]
- Only User B can read the message.

Digital Signatures
[Diagram: User A encrypts the message or data with User A's private key, producing a digital signature; User B decrypts it with User A's public key and obtains the confirmed message or data.]
- Anyone can read the message.
- Non-repudiation - can only have come from User A.
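The two diagrams above, worked through in code. This is an added example, not part of the original deck: textbook RSA with constructed toy primes (61, 53 and 101, 113), no padding, and the message digest reduced modulo n so it fits the small modulus. User A and User B each get a key pair; `encrypt`/`decrypt` follow the public-key-encryption slide (sealed with B's public key, opened only by B's private key) and `sign`/`verify` follow the digital-signature slide (produced with A's private key, checkable by anyone with A's public key, and failing for an altered message or a different signer).

```python
import hashlib


def keygen(p: int, q: int, e: int):
    """Textbook RSA key pair from two primes; returns (public, private) as (exponent, modulus) tuples."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse of e (Python 3.8+)
    return (e, n), (d, n)


# Constructed toy parameters for User A and User B (illustration only; real keys are 2048+ bits).
A_PUB, A_PRIV = keygen(61, 53, 17)    # n = 3233
B_PUB, B_PRIV = keygen(101, 113, 3)   # n = 11413


def encrypt(pub: tuple, msg: bytes) -> list:
    """Public Key Encryption slide: seal each byte with the recipient's PUBLIC key."""
    e, n = pub
    return [pow(b, e, n) for b in msg]


def decrypt(priv: tuple, blocks: list) -> bytes:
    """Only the matching PRIVATE key recovers the bytes; any other key yields garbage (or a ValueError)."""
    d, n = priv
    return bytes(pow(c, d, n) for c in blocks)


def sign(priv: tuple, msg: bytes) -> int:
    """Digital Signatures slide: apply the signer's PRIVATE key to a digest of the message (digest mod n: toy)."""
    d, n = priv
    return pow(int.from_bytes(hashlib.sha256(msg).digest(), "big") % n, d, n)


def verify(pub: tuple, msg: bytes, sig: int) -> bool:
    """Anyone holding the signer's PUBLIC key can check the signature against the message they received."""
    e, n = pub
    return pow(sig, e, n) == int.from_bytes(hashlib.sha256(msg).digest(), "big") % n
```

Running `decrypt(B_PRIV, encrypt(B_PUB, msg))` returns the message, while `decrypt(A_PRIV, ...)` does not; `verify(A_PUB, msg, sign(A_PRIV, msg))` is true, and it turns false if the message is changed or B's public key is used instead, which is the non-repudiation property the slide names.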
Kerberos - What Is It?
- Authentication service developed by MIT to allow users and services to authenticate
- Designed for client/server environments
- Uses secret key cryptography - Data Encryption Standard (DES)

Why Is It Needed?
- Authentication across a network to normal services sends clear-text passwords, capable of being discovered in a sniffing attack
- Users are annoyed at having to type passwords in often
- Services were developed, such as rlogin, rsh and IDENT, which used "authentication by assertion"

Kerberos Authentication
- Kerberos Authentication Server issues the user a "ticket"
- User requests a remote service
- Remote service looks at the ticket to verify who the user is

Kerberos - How It Works
- Both user and service must have "keys" registered with the Kerberos Authentication Server
- User's key is derived from a password he chooses

Kerberos Session
- kinit - call to initially set up the ticket; prompts for the password
- telnet - call to the kerberized client
[Diagram: the Client (kinit) sends a request carrying the user login name and IP address to the Key Distribution Center, which holds the Authentication Server and the Ticket Granting Server. Auth info flows back to the Client, and the Client then presents auth info to the Service. Keys shown: Kerberos key, User key, Server session key, TGT key, Service secret key.]
Kerberos - How It Works: Initialization
- User requests a Kerberos "Ticket Granting Ticket" (TGT) by running kinit
- kinit builds a request which has:
  - user login name
  - client machine IP address
  - name of ticket - here it is krbtgt, the Kerberos ticket-granting ticket
- Kerberos looks in its database to see if the user is allowed to request a TGT on this host
- Kerberos sends the user a message which contains two copies of the ticket:
  - One copy is encrypted with Kerberos' secret key
  - One copy is in plain text
  The entire message is encrypted with the user's key
- The kinit client process receives the message and decrypts it based on the password the user typed in
- If the message decrypts correctly, kinit puts the TGT into /tmp/tktuid, where uid is the user's user ID
- kinit uses the session key in the TGT to encrypt an "authenticator" consisting of the principal name, the IP address of the client machine and the current time
Kerberos - How It Works: Service Request
- User requests a service, telnet, for example
- The kerberized telnet client sends a request to the Kerberos server containing the TGT stored in /tmp/tktuid and the authenticator
- Kerberos uses its secret key to decrypt the TGT, extracts the session key from the TGT and decrypts the authenticator
- To validate the user:
  - Kerberos compares the contents of the authenticator to the contents of the TGT
  - Kerberos compares the timestamp in the authenticator to the current time
- Kerberos builds a session key for the telnet session, and makes two copies:
  - one encrypted with the TGT session key
  - one encrypted with telnetd's key
- Session key sent to the user
- The telnet client uses the TGT key to decrypt the session key, and adds the ticket to the Kerberos ticket file
- The telnet client builds an authenticator for the ticket, encrypts it with the session key, and sends the ticket (which was encrypted with telnetd's key) and the authenticator to the telnetd service
- The telnetd service decrypts the ticket with its secret key to get the session key
- The telnetd service uses the session key to decrypt the authenticator
- If the information in the ticket and the authenticator agree, telnetd sends back a message to the user and the session begins
Kerberos Limitations
- Bad passwords are still subject to a dictionary attack
- Kerberos V4 subject to cracker attack (worse than some standard Unix security)
- Kerberos V5 subject to sniffer attack
- Passwords still subject to host security
- Trojan horses in Kerberos client software can divulge passwords
- Security over the Kerberos database containing users' and services' encryption keys must be strictly enforced
- Security over the master Kerberos password must be kept
Other Security Enhancements
- One-time Passwords
  - Device - SecurID
  - List of passwords - SKey
- Public-key Cryptography

Today
- Code available for free from MIT
- Some vendor support:
  - Cygnus
  - OpenVision
  - DEC
  - IBM
- Many universities and some government institutions have implemented Kerberos
- Not too many businesses have implemented it

Benefits of Kerberos
- No clear-text passwords across the Internet
- Users do not need to enter their password multiple times

Future
- Kerberos will use public-key cryptography for the initial TGT request
- Windows 2000 (formerly called NT 5.0) will have a Kerberos implementation
References
- The Moron's Guide to Kerberos, Version 1.2.2
  http://gost.isi.edu/brian/security/kerberos.html
- Kerberos: An Authentication Service for Computer Networks
  http://nii.isi.edu/publications/kerberos-neuman-tso.html
- Kerberos References
  http://sol.usc.edu/~laura/kerb_refs.html
- RFC 1510
  http://www.faqs.org/rfcs/rfc1510.html

kerb.ppt
