KERBEROS (A Moron’s Guide) - PowerPoint PPT Presentation

Presentation Transcript
KERBEROS(A Moron’s Guide)


Siva Saravanan Jayaraman


What is Kerberos ??

  • Network Authentication Protocol

  • It provides for _strong_ authentication for client-server applications.

  • Uses secret-key cryptography to provide this strong authentication.

  • What is authentication ??

  • Authentication is the verification of the identity of an involved party and the integrity of the data that the involved party generates.

  • What is Cryptography ?

  • Cryptography refers to the techniques used to turn data into gibberish that is unintelligible to an intruder who does not hold the key needed to interpret it.

  • Kerberos v4 (and the original v5 encryption types) use the Data Encryption Standard (DES); modern v5 deployments use AES.

  • Ref – Layman’s dictionary of geek words.

  • Why Kerberos ???

  • Authentication is a key feature of a multi-user system

    • divide up resources (with capabilities) between many users

    • restrict each user’s access to resources

    • typical authentication mechanism: passwords

  • “Authentication by assertion” requires an honest user !!??!

    • Berkeley’s rlogin daemon is a prime example: with .rhosts it trusts the client’s claim of who the user is.

  • But plain password authentication is useless on a computer network (as in the Internet):

    • system crackers (hackers) can easily intercept these passwords as they cross the wire.

Ref – CERT Advisory CA-94:01, “Ongoing Network Monitoring Attacks”.

  • Surely “firewalling” is the answer to network security!!

  • Assumes the “bad guys” are on the outside... while the really damaging attacks come from the inside !!

  • Restricts how users use the Internet ...

  • Simply a less extreme form of the dictum:

  • “There’s nothing more secure than a computer that is not connected to the network and powered off !!!!”

  • This is simply not acceptable in the real world !!

  • Kerberos grew out a need to find a solution to these network security problems.

  • What’s with the name though ??

  • From the horse’s mouth –

  • “Kerberos is the three-headed dog that guarded the entrance to Hades” – ancient Greek myth.

  • Hades => Underworld (where hackers apparently live).

  • Name conflict: Kerberos (the Greek spelling) vs. Cerberus (the Latin spelling of the same dog).


Kerberos is based on the secret-key distribution model originally developed by Needham & Schroeder [1].

- keys are the basis of authentication in Kerberos

- typically a short sequence of bytes

- used to both encrypt & decrypt

Encryption => plaintext + encryption key = ciphertext

Decryption => ciphertext + decryption key = plaintext

Encryption key is identical to the decryption key (in conventional, i.e. symmetric, crypto). This is what Kerberos uses: every principal shares a secret key with the key distribution centre (KDC).

Kerberos v5 is still symmetric-key. Public-key crypto, where the encryption key is not identical to the decryption key, appears only in the optional PKINIT extension (RFC 4556), and only for the client’s initial exchange with the KDC.

[1] R. M. Needham and M. D. Schroeder, “Using Encryption for Authentication in Large Networks of Computers,” Communications of the ACM, Vol. 21, No. 12, pp. 993-999, December 1978.

  • An Authentication Analogy from Real Life

  • What does one need to buy alcohol ??

  • Driving License :

  • Goal : links a physical likeness to a given identity.

  • Contents – issuing agency, photo, physical stats (seemingly uncopiable), name, address, birthdate.

  • Also includes restrictions – implicit (drinking age), explicit (corrective lenses).

  • The ID has a lifetime, denoted by the expiration date.

  • Authentication of an identity is contingent on a number of things, for example –

  • - the card must not have been tampered with.

  • - the authenticator (the party checking the ID) must accept the agency that issued it.

  • - an Indian driving license is not accepted at Notrica’s but is accepted at Ralphs !

  • Kerberos essentially works in the same way !!!

  • Steps :

  • A user requests use of a network service.

  • The service wants assurance that the user is who he says he is.

  • The user presents a ticket that was issued to him by a Kerberos Authentication Server (AS) – think DMV.

  • If the ticket is valid, service is granted.

  • The ticket must be unequivocally linked to the user.

  • The ticket demonstrates that the bearer knows something that only its intended user would know (a password ??): the bearer must prove possession of the session key that the AS sealed under the user’s password-derived key.

  • The ticket must obviously be safeguarded against all attacks: it is encrypted under the service’s key, so the bearer can neither read nor alter it.

  • Functions of Kerberos :

  • Authentication

  • Integrity – the assurance that the data received is the same as the data generated.

  • Confidentiality – the protection of information from disclosure to those not intended to receive it.

  • Authorization – the process by which one determines whether a principal is allowed to perform an operation. Authorization is usually done after the principal has been authenticated, or based on authenticated statements by others.

  • Terms :

  • Principal – the party whose identity is verified.

  • Verifier – the party who demands assurance of the principal’s identity.

  • Ticket – a certificate issued by an AS, encrypted under the verifier’s (server’s) secret key.

    • Ticket = random session key + name of principal + expiration time + others

    • The random session key is handed to the principal separately (encrypted under the principal’s own key) and is used for authenticating the principal to the verifier: the principal seals a fresh authenticator (name + timestamp) under it.

TO THE BOARD

  • Assumptions that Kerberos makes :

  • Kerberos assumes that the user won’t use _stupid_ passwords like his own user name etc., which can easily be broken by a password cracker like “John the Ripper”. In fact no authentication mechanism to date can cope with password guessing: anything the KDC encrypts under a password-derived key (the AS reply, or pre-authentication data) can be guessed against offline once it has been captured.

  • Kerberos assumes that the workstations or machines are more or less secure, i.e. there is no way for an attacker to intercept communication between a user and a client (the user’s process), or to read the keys and tickets the client holds.
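The ticket flow from the “Steps” and “Terms” slides (the AS issues a ticket sealed under the server’s key, the user proves knowledge of the session key, the verifier checks the ticket and authenticator) together with the password-guessing assumption above, as one added example. This is illustration code written for this page, not code from the presentation or from any Kerberos implementation: the cipher is a toy HMAC-SHA256 construction standing in for the DES/AES enctypes, the realm EXAMPLE.ORG and the principals alice and host/fs are made up, and the JSON ticket layout is a simplification of the real ASN.1 encoding.

```python
import hashlib
import hmac
import json
import os
import time

# Toy symmetric "enctype": HMAC-SHA256 keystream in counter mode, then an
# HMAC tag over nonce+ciphertext (encrypt-then-MAC). A stand-in for the
# DES/AES enctypes real Kerberos uses; it is NOT a production cipher.

def _keystream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def encrypt(key, plaintext):
    nonce = os.urandom(16)
    body = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + body + hmac.new(key, nonce + body, hashlib.sha256).digest()

def decrypt(key, blob):
    """None when the tag does not verify: wrong key, or the blob was altered."""
    if len(blob) < 48:
        return None
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))

def string_to_key(password, principal, realm):
    # The user's long-term key is derived from the password plus a salt of
    # realm+principal, as the Kerberos AES enctypes do (iteration count kept low here).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), (realm + principal).encode(), 1000)

def as_exchange(kdc_db, client, service, now, lifetime=8 * 3600):
    """AS-REQ/AS-REP: the KDC mints a session key and returns the ticket sealed
    under the SERVICE's key plus the same session key sealed under the CLIENT's key."""
    skey = os.urandom(32)
    ticket = {"client": client, "skey": skey.hex(), "expires": now + lifetime}
    sealed_ticket = encrypt(kdc_db[service], json.dumps(ticket).encode())
    for_client = encrypt(kdc_db[client], json.dumps({"skey": skey.hex(), "service": service}).encode())
    return sealed_ticket, for_client

def client_present(password, client, realm, for_client, now):
    """The client unwraps the session key with its password-derived key and proves
    possession of it by sealing a fresh authenticator (name + timestamp) under it."""
    creds = decrypt(string_to_key(password, client, realm), for_client)
    if creds is None:
        raise ValueError("wrong password: cannot unwrap the session key")
    skey = bytes.fromhex(json.loads(creds)["skey"])
    return encrypt(skey, json.dumps({"client": client, "ts": now}).encode())

def service_verify(service_key, sealed_ticket, authenticator, now, seen, skew=300):
    """The verifier's checks, in order: ticket sealed under my key, not expired,
    authenticator sealed under the ticket's session key, names agree, timestamp
    within clock skew, and not replayed. Returns (ok, reason_or_client)."""
    raw = decrypt(service_key, sealed_ticket)
    if raw is None:
        return False, "ticket not sealed under this service's key"
    ticket = json.loads(raw)
    if now > ticket["expires"]:
        return False, "ticket expired"
    raw_auth = decrypt(bytes.fromhex(ticket["skey"]), authenticator)
    if raw_auth is None:
        return False, "authenticator not under the session key (bearer lacks the password)"
    auth = json.loads(raw_auth)
    if auth["client"] != ticket["client"]:
        return False, "authenticator name does not match ticket"
    if abs(now - auth["ts"]) > skew:
        return False, "authenticator timestamp outside allowed clock skew"
    if authenticator in seen:
        return False, "replayed authenticator"
    seen.add(authenticator)
    return True, ticket["client"]

def guess_password(for_client, client, realm, wordlist):
    """Offline guessing against a captured AS-REP: Kerberos itself cannot stop
    this; only a password that is not in the attacker's wordlist can."""
    for candidate in wordlist:
        if decrypt(string_to_key(candidate, client, realm), for_client) is not None:
            return candidate
    return None

def demo(password="correct horse battery", wordlist=("password", "alice", "correct horse battery")):
    realm = "EXAMPLE.ORG"                      # constructed realm and principal names
    kdc_db = {"alice": string_to_key(password, "alice", realm), "host/fs": os.urandom(32)}
    now, seen = int(time.time()), set()
    tkt, for_alice = as_exchange(kdc_db, "alice", "host/fs", now)
    auth = client_present(password, "alice", realm, for_alice, now)
    r = {"fresh": service_verify(kdc_db["host/fs"], tkt, auth, now, seen)[0]}
    r["replay"] = service_verify(kdc_db["host/fs"], tkt, auth, now + 1, seen)[0]
    r["expired"] = service_verify(kdc_db["host/fs"], tkt, auth, now + 9 * 3600, set())[0]
    # An eavesdropper holding the ticket but not the password cannot mint an authenticator.
    forged = encrypt(os.urandom(32), json.dumps({"client": "alice", "ts": now}).encode())
    r["forged_auth"] = service_verify(kdc_db["host/fs"], tkt, forged, now, set())[0]
    r["guessed"] = guess_password(for_alice, "alice", realm, wordlist)
    return r

if __name__ == "__main__":
    print(demo())
```

The service never sees the user’s password: it trusts the ticket because only the KDC holds the service key, and it trusts the bearer because only someone who could unwrap the session key (i.e. knew the password) could have sealed a fresh authenticator under it. The last line of demo shows the flip side of the first assumption: the captured reply for alice falls to a three-word wordlist because the password was in it, and Kerberos has no way to prevent that.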

  • Things to remember :

  • To be useful, Kerberos MUST be integrated with all important parts of a system.

  • Kerberos only protects the messages of software that has been written or modified to use Kerberos.

  • Kerberos does not itself provide authorization, but passes along authorization information generated by other services. So Kerberos can be used as a base for building separate authorization services.

  • Cross-Realm Authentication :

  • The mechanism by which principals in one realm can authenticate to principals in another realm.

  • The two realms must share a special “cross-realm” secret (the key of the cross-realm ticket-granting principal).

    • realms usually have a _political_ connection, e.g. ISI & USC

    • Transitive cross-realm authentication (in krb5): a chain of trusted realms can be traversed, and the realms passed through are recorded in the ticket.

  • Bones :

  • A version of Kerberos with the DES code stripped out.

  • - because of the stringent US export laws on cryptography

  • - E-Bones: Bones with the encryption put back, developed outside the US

  • Applications :

  • Kerberos-aware applications are called Kerberized.

  • Kerberizing is the most difficult part of installing Kerberos.

  • Some Kerberized applications are –

  • Berkeley R-commands, telnet, POP, USC’s Win2000 network (!?!)

  • GSS-API – Generic Security Services API

    • a standard programming interface that is independent of the authentication mechanism: an application written to GSS-API can use Kerberos (or another mechanism) without being Kerberized by hand.