Kerberos: An Authentication Service for Computer Networks
Feven Bekure
28 November 2014

Overview
● History
● Security Services
● What is Kerberos
● Needham and Schroeder
● How Kerberos works
● Summary

History of Kerberos
● Kerberos was developed in the mid-'80s as part of MIT's Project Athena.
● B. Clifford Neuman and Theodore Ts'o (1994).
● Kerberos was named after Cerberus, the three-headed dog of Greek mythology, because of its three components: client, server and KDC.

Security Services
● Authentication
● Integrity
● Confidentiality
● Authorization

What is Kerberos
● Kerberos is a network authentication protocol.
● It provides integrity and confidentiality for data sent between the client and server.
● To overcome its limitations it should be combined with other techniques.
● The user is responsible for choosing a strong password.

Needham and Schroeder authentication protocol
● The Needham-Schroeder protocol defines three participants in the protocol exchange: a client machine, a server that the client wishes to access, and the authentication server (the same as in Kerberos).
[Diagram: client, AS_req, AS_rep, AP_req]

Needham and Schroeder authentication protocol
1. AS_req containing:
● client's identity, application server identity and a nonce (random value)
2. AS_rep to client:
● application name, nonce, a message encrypted with the application server key (containing the application session key and the client identity)
● session key: enables secure communication between the client and the application server
  - a random key generated by the authentication server
  - never reused

Needham and Schroeder authentication protocol
3. AP_req, client sends:
● application session key and the client's principal (encrypted with the application server key)

Changes to the Needham and Schroeder authentication protocol by Kerberos
● In Kerberos the TGT allows users to sign on once and then authenticate to multiple application servers.
● Use of timestamps to reduce the number of messages needed for basic authentication.

Kerberos
[Diagram: Kerberos exchange]

Kerberos authentication protocol
1. AS_req contains:
● client identity, client's local time, TGS principal name
● The KDC receives the AS_req and verifies that the requesting principal exists and that the client's timestamp is close to the KDC's local time (usually within 5 minutes).
2. AS_rep
● The AS generates a random session key; this session key will be shared between the client and the TGS.
● The client will receive: a session key (encrypted with the user's long-term key) and a TGT (encrypted with the TGS's key).

Kerberos authentication protocol
● The client then attempts to decrypt the message with the user's long-term key (password).
● The client cannot read the TGT since it is encrypted with the TGS key, so the client stores the encrypted contents in its credential cache.
3. TGS_req (client to TGS)
● TGS request, a copy of the TGT acquired earlier, and an authenticator (consisting of a timestamp, encrypted with the session key acquired from the AS exchange)
● The authenticator proves that the client has knowledge of the shared session key established during the AS exchange.

Kerberos authentication protocol
4. TGS_rep
● user session key, service principal name, ticket lifetime, service ticket; encrypted with the session key
● service ticket (client and server session key, client and server principals, lifetime and timestamp) encrypted with the key shared by the AS and the server
5. AP_req
● client principal name, service ticket, authenticator (client principal and client timestamp)
6. AP_rep
● timestamp encrypted with the session key

References
● http://www.techopedia.com/definition/3996/kerberos
● http://web.cs.wpi.edu/~cs564/f12/papers/lowe95.pdf
● Kerberos: The Definitive Guide by Jason Garman
● http://gost.isi.edu/publications/kerberos-neuman-tso.html
● http://en.wikipedia.org/wiki/Needham%E2%80%93Schroeder_protocol
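The six-message AS/TGS/AP exchange described in the slides, as an added simulation that is not part of the deck: a KDC, a client and a service with constructed keys, the 5-minute timestamp check on every request and authenticator, a TGT the client cannot read, and the AP_rep that gives mutual authentication. `seal`/`unseal` are a toy stand-in for Kerberos encryption (SHA-256 keystream plus HMAC, not a real Kerberos enctype), and `KDC`, `login` and `REALM_KEYS` are names this example introduces.

```python
import hashlib, hmac, json, os, time
SKEW = 300  # the usual Kerberos clock-skew tolerance: five minutes
def seal(key, obj):  # toy stand-in for Kerberos encryption: SHA-256 keystream XOR, then an HMAC tag
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ks = b"".join(hashlib.sha256(key + nonce + bytes([i])).digest() for i in range(len(pt) // 32 + 1))
    ct = bytes(a ^ b for a, b in zip(pt, ks))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    ks = b"".join(hashlib.sha256(key + nonce + bytes([i])).digest() for i in range(len(ct) // 32 + 1))
    return json.loads(bytes(a ^ b for a, b in zip(ct, ks)))

def verify(key, ticket, authenticator):  # ticket check shared by the TGS and the application server
    t = unseal(key, ticket)
    a = unseal(bytes.fromhex(t["key"]), authenticator)  # proves the client knows the session key
    if a["client"] != t["client"] or abs(a["ts"] - time.time()) > SKEW:
        raise PermissionError("authenticator rejected: wrong client or stale timestamp")
    return t, a, bytes.fromhex(t["key"])

class KDC:
    def __init__(self, keys):  # long-term keys of users, services and "krbtgt" (the TGS itself)
        self.keys = keys
    def as_exchange(self, client, ts):  # AS_req -> AS_rep
        if client not in self.keys or abs(ts - time.time()) > SKEW:
            raise PermissionError("unknown principal or clock skew too large")
        sk = os.urandom(32).hex()  # random session key, never reused
        tgt = seal(self.keys["krbtgt"], {"client": client, "key": sk})  # opaque to the client
        return seal(self.keys[client], {"tgs_key": sk}), tgt
    def tgs_exchange(self, tgt, authenticator, service):  # TGS_req -> TGS_rep
        t, _, tgs_key = verify(self.keys["krbtgt"], tgt, authenticator)
        svc = os.urandom(32).hex()
        ticket = seal(self.keys[service], {"client": t["client"], "key": svc})
        return seal(tgs_key, {"svc_key": svc}), ticket

def ap_exchange(service_key, ticket, authenticator):  # AP_req -> AP_rep, run by the service
    _, a, svc_key = verify(service_key, ticket, authenticator)
    return seal(svc_key, {"ts": a["ts"]})  # mutual authentication: the server proves it has the key

def login(kdc, user, user_key, service, service_key):  # client side of all three exchanges
    as_rep, tgt = kdc.as_exchange(user, time.time())
    tgs_key = bytes.fromhex(unseal(user_key, as_rep)["tgs_key"])  # fails on a wrong password key
    tgs_rep, ticket = kdc.tgs_exchange(tgt, seal(tgs_key, {"client": user, "ts": time.time()}), service)
    svc_key, ts = bytes.fromhex(unseal(tgs_key, tgs_rep)["svc_key"]), time.time()
    ap_rep = ap_exchange(service_key, ticket, seal(svc_key, {"client": user, "ts": ts}))
    return unseal(svc_key, ap_rep)["ts"] == ts  # True only if the service echoed our timestamp
REALM_KEYS = {"alice": hashlib.sha256(b"alice-password").digest(),  # constructed sample realm
              "krbtgt": os.urandom(32), "http/web01": os.urandom(32)}  # TGS and service keys
```

Running `login(KDC(REALM_KEYS), "alice", REALM_KEYS["alice"], "http/web01", REALM_KEYS["http/web01"])` returns True; a wrong user key fails at the AS_rep decryption and a request with a stale timestamp is refused by the KDC.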