Kerberos
Presented By: Pratima Vijayakumar, Rafi Qureshi, Vinay Gaonkar
CS 616, Course Instructor: Dr. Charles Tappert

Introduction:
Kerberos History
Kerberos Environment
Kerberos Architecture
Kerberos Protocols
Kerberos Version 5
Kerberos Advantages
Kerberos Weaknesses and Solutions
Kerberos (KRB) consists of:
AS – Authentication Server
TGS – Ticket Granting Server
DB – Database of entity keys
Separation between two actions:
Authentication – "logging into the network"
Communication – "holding a session between two parties"
their passwords, and they don’t have keys
requested the session, and it does not bother the destination
Acquiring Network Credentials:
1.) User A starts working at workstation WS by entering the name "A" and password PWA. WS computes key KA from PWA and then erases PWA from its memory, so only the derived key is ever held.
2.) Workstation WS contacts the Authentication Server (AS) and requests "Network Credentials" for A+WS. WS sends the following data in the clear – < A, WS, RealmA, TGS, Times, Nonce1 > – to the AS (where Times gives the requested validity interval and Nonce1 is a random value that binds the reply to this request).
3.) The AS replies to A+WS with the following two items: < RealmA, A, TKTTGS > AND < KA,TGS, Times, Nonce1, RealmTGS, TGS > sealed by key KA (where TKTTGS = < KA,TGS, RealmA, A, WS, Times > sealed by key KTGS, which only the TGS can open). WS now tries to open the sealed item using the computed key KA; if the password was mistyped, KA is wrong and the item cannot be opened. Note that the AS has not yet verified anything about the requester: anyone can ask for this reply and try passwords against the sealed item offline, which is why Kerberos Version 5 added pre-authentication.
Establishing Connection with Server:
4.) Workstation WS contacts the Ticket Granting Server (TGS) and requests a ticket for B as follows: < B, Times, Nonce2, TKTTGS, Auth1 > (where Auth1 = < A, WS, RealmA, Timestamp1 > sealed by key KA,TGS). The authenticator Auth1 proves that the sender holds KA,TGS, and its timestamp must fall within the allowed clock skew.
5.) The TGS opens TKTTGS with its own key KTGS, recovers KA,TGS, checks Auth1 with it, and replies to A+WS with the following two items: < RealmA, A, TKTB > AND < KA,B, Times, Nonce2, RealmB, B > sealed by KA,TGS (where TKTB = < KA,B, RealmA, A, WS, Times > sealed by KB). WS opens the sealed item using key KA,TGS.
6.) Workstation WS requests a session from B by sending < TKTB, Auth2 > (where Auth2 = < A, WS, RealmA, Timestamp2, Subkey, Seq# > sealed by key KA,B). The fields Subkey and Seq# are optional.
7.) Server B opens ticket TKTB with key KB, recovers KA,B, checks Auth2 with it, and replies to A+WS with the authenticator Auth3 = < Timestamp2, Subkey, Seq# > sealed by key KA,B. Because only the holder of KB could have recovered KA,B and echoed Timestamp2, this step authenticates B to A (mutual authentication).
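The seven steps above run end to end as one exchange, written here as an added example rather than code from the original slides: a toy KDC playing AS and TGS over one key database, a server B, and the workstation side, with every "sealed by key K" done by a small encrypt-then-MAC helper that stands in for a real Kerberos enctype. The principal names, the realm EXAMPLE.ORG, the PBKDF2 parameters, the lifetimes and the skew window are assumptions of the example.

```python
import hashlib, hmac, json, secrets, time

SKEW = 300  # seconds of clock skew a KDC or server tolerates on an authenticator timestamp (assumed)

def string_to_key(password, realm, principal):
    """Step 1: long-term key KA from PWA. AES enctypes really use PBKDF2 salted with realm+principal;
    the hash and iteration count here are assumptions for the illustration."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), (realm + principal).encode(), 4096, 32)

def _keystream(key, nonce, n):
    blocks = (n + 31) // 32
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest() for i in range(blocks))[:n]

def seal(key, obj):
    """'Sealed by key K' from the slides: toy encrypt-then-MAC over JSON (HMAC-SHA256 keystream + HMAC tag).
    Illustrative only; real deployments use an enctype such as aes256-cts-hmac-sha1-96."""
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def check_authenticator(auth, ticket, now):
    """Whoever presents a ticket must prove it holds the session key inside it: names match, timestamp is fresh."""
    if (auth["A"], auth["realm"]) != (ticket["A"], ticket["realm"]):
        raise ValueError("authenticator principal does not match ticket")
    if abs(now - auth["ts"]) > SKEW:
        raise ValueError("authenticator timestamp outside clock-skew window")
    if not ticket["times"][0] <= now <= ticket["times"][1]:
        raise ValueError("ticket expired or not yet valid")

class KDC:
    """AS and TGS sharing one database of long-term keys (the slides' AS + TGS + DB)."""
    def __init__(self, realm, db):
        self.realm, self.db = realm, db

    def _issue(self, service, client, ws, times):
        k = secrets.token_bytes(32)   # fresh session key carried inside the ticket
        return k, seal(self.db[service], {"key": k.hex(), "realm": self.realm, "A": client, "WS": ws, "times": times})

    def as_exchange(self, req):
        """Steps 2-3. Nothing proves the requester is A; only the holder of KA can open the reply."""
        k_a_tgs, tkt_tgs = self._issue("TGS", req["A"], req["WS"], req["times"])
        enc = seal(self.db[req["A"]], {"key": k_a_tgs.hex(), "times": req["times"], "nonce": req["nonce"], "realm": self.realm, "TGS": "TGS"})
        return {"realm": self.realm, "A": req["A"], "tkt": tkt_tgs}, enc

    def tgs_exchange(self, req, now):
        """Steps 4-5. Open TKT_TGS with KTGS, then check Auth1 under the KA,TGS found inside it."""
        tkt = unseal(self.db["TGS"], req["tkt_tgs"])
        k_a_tgs = bytes.fromhex(tkt["key"])
        check_authenticator(unseal(k_a_tgs, req["auth1"]), tkt, now)
        k_a_b, tkt_b = self._issue(req["B"], tkt["A"], tkt["WS"], req["times"])
        enc = seal(k_a_tgs, {"key": k_a_b.hex(), "times": req["times"], "nonce": req["nonce"], "realm": self.realm, "B": req["B"]})
        return {"realm": self.realm, "A": tkt["A"], "tkt": tkt_b}, enc

class Server:
    def __init__(self, realm, key):
        self.realm, self.key, self.seen = realm, key, set()

    def accept(self, tkt_b, auth2, now):
        """Steps 6-7. Open TKT_B with KB, verify Auth2 under KA,B, reject replays, echo Timestamp2 to prove B holds KB."""
        tkt = unseal(self.key, tkt_b)
        k_a_b = bytes.fromhex(tkt["key"])
        auth = unseal(k_a_b, auth2)
        check_authenticator(auth, tkt, now)
        if (auth["A"], auth["ts"]) in self.seen:   # replay cache covering the skew window
            raise ValueError("replayed authenticator")
        self.seen.add((auth["A"], auth["ts"]))
        return seal(k_a_b, {"ts": auth["ts"], "subkey": auth.get("subkey"), "seq": auth.get("seq")})

def login_and_connect(real_password, typed_password, realm="EXAMPLE.ORG"):
    """Workstation side of steps 1-7. True on mutual authentication with B, False if any check fails.
    Names, realm and validity times are constructed for the example."""
    now = int(time.time())
    db = {"A": string_to_key(real_password, realm, "A"), "TGS": secrets.token_bytes(32), "B": secrets.token_bytes(32)}
    kdc, server_b = KDC(realm, db), Server(realm, db["B"])
    times = [now - 60, now + 8 * 3600]
    try:
        ka = string_to_key(typed_password, realm, "A")            # step 1: keep KA, forget PWA
        n1 = secrets.token_hex(8)
        clear1, enc1 = kdc.as_exchange({"A": "A", "WS": "WS", "realm": realm, "TGS": "TGS", "times": times, "nonce": n1})
        creds = unseal(ka, enc1)                                   # step 3: fails here if the password was wrong
        if creds["nonce"] != n1:
            return False                                           # reply is not bound to our request
        k_a_tgs = bytes.fromhex(creds["key"])
        n2 = secrets.token_hex(8)
        auth1 = seal(k_a_tgs, {"A": "A", "WS": "WS", "realm": realm, "ts": now})
        clear2, enc2 = kdc.tgs_exchange({"B": "B", "times": times, "nonce": n2, "tkt_tgs": clear1["tkt"], "auth1": auth1}, now)
        sess = unseal(k_a_tgs, enc2)                               # step 5
        if sess["nonce"] != n2:
            return False
        k_a_b = bytes.fromhex(sess["key"])
        auth2 = seal(k_a_b, {"A": "A", "WS": "WS", "realm": realm, "ts": now, "subkey": secrets.token_hex(8), "seq": 1})
        auth3 = unseal(k_a_b, server_b.accept(clear2["tkt"], auth2, now))
        return auth3["ts"] == now                                  # step 7: B echoed Timestamp2 under KA,B
    except ValueError:
        return False
```

Two things worth noticing when running it: a wrong password is not reported by the AS at all, it only shows up when the workstation cannot open the step 3 reply, which is exactly why the sealed AS reply is attackable offline unless pre-authentication is required; and server B keeps a replay cache keyed on (client, timestamp), since within the skew window a captured < TKTB, Auth2 > would otherwise be accepted a second time.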
Ticket flags (Kerberos Version 5):
INITIAL – Indicates that a ticket was issued by the AS and not by a TGS.
PRE-AUTHENT – Indicates that the user was pre-authenticated by some means before a TGS ticket was issued.
HW-AUTHENT – Indicates that the user was authenticated with a hardware token before a TGS ticket was issued.
RENEWABLE – Tells the TGS that this ticket can be used to obtain a replacement ticket that expires at a later date.
INVALID – Indicates that this ticket is invalid and must be validated by the TGS before use.
MAY-POSTDATE – Tells the TGS that a post-dated ticket may be issued based on this ticket.
POSTDATED – Indicates that this ticket has been postdated.
PROXIABLE – Tells the TGS that a new service-granting ticket with a different network address may be issued based on this ticket.
FORWARDABLE – Tells the TGS that a new ticket-granting ticket with a different network address may be issued based on this ticket-granting ticket.
FORWARDED – Indicates that this ticket has either been forwarded or was issued based on authentication involving a forwarded ticket.
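How a TGS acts on these flags, as an added example that is not part of the original slides: the bit positions are those of the RFC 4120 TicketFlags bit string (bit 0 is the most significant bit of the 32-bit word that klist prints), `decode` names the flags set in such a word, and `derive` is a policy function that decides whether a renewal, forwarding, proxying, postdating or validation request may be honoured from a presented ticket-granting ticket. The ticket-lifetime constant and the dict layout of a ticket are assumptions of the example, not a real KDC's data structures.

```python
from enum import IntFlag

LIFETIME = 10 * 3600  # assumed maximum life of a ticket issued by the TGS, in seconds

class TicketFlags(IntFlag):
    """RFC 4120 TicketFlags: bit n of the bit string is mask 1 << (31 - n) in the 32-bit word."""
    FORWARDABLE = 1 << (31 - 1)
    FORWARDED = 1 << (31 - 2)
    PROXIABLE = 1 << (31 - 3)
    PROXY = 1 << (31 - 4)
    MAY_POSTDATE = 1 << (31 - 5)
    POSTDATED = 1 << (31 - 6)
    INVALID = 1 << (31 - 7)
    RENEWABLE = 1 << (31 - 8)
    INITIAL = 1 << (31 - 9)
    PRE_AUTHENT = 1 << (31 - 10)
    HW_AUTHENT = 1 << (31 - 11)

def decode(flags):
    """Names of the flags set in a flags word, e.g. 0x40e00000 -> forwardable renewable initial pre_authent."""
    return [name.lower() for name, mask in TicketFlags.__members__.items() if flags & mask]

def derive(tgt, request, now, start=None):
    """What the TGS may issue from a presented ticket-granting ticket.
    tgt = {"flags": int, "start": t, "end": t, "renew_till": t}; request is one of
    renew, validate, forward, proxy, postdate, service. Raises PermissionError when the flags forbid it."""
    f, F = tgt["flags"], TicketFlags
    if f & F.INVALID and request != "validate":
        raise PermissionError("INVALID ticket: must be validated by the TGS before use")
    if request == "validate":
        if not f & F.INVALID:
            raise PermissionError("ticket is not marked INVALID, nothing to validate")
        if now < tgt["start"]:
            raise PermissionError("postdated ticket is not yet valid")
        return {**tgt, "flags": int(f & ~int(F.INVALID))}
    # everything below is a new ticket issued by the TGS, so INITIAL no longer applies
    out = int(f & ~int(F.INITIAL))
    if request == "renew":
        if not f & F.RENEWABLE:
            raise PermissionError("ticket is not RENEWABLE")
        if now > tgt["renew_till"]:
            raise PermissionError("renew-till has passed")
        return {**tgt, "flags": out, "start": now, "end": min(now + LIFETIME, tgt["renew_till"])}
    if request == "forward":
        if not f & F.FORWARDABLE:
            raise PermissionError("ticket is not FORWARDABLE")
        # new TGT for another network address; tickets derived from it will all carry FORWARDED
        return {**tgt, "flags": int(out | F.FORWARDED)}
    if request == "proxy":
        if not f & F.PROXIABLE:
            raise PermissionError("ticket is not PROXIABLE")
        return {**tgt, "flags": int(out | F.PROXY)}   # service ticket for another network address
    if request == "postdate":
        if not f & F.MAY_POSTDATE:
            raise PermissionError("ticket is not MAY-POSTDATE")
        # a postdated ticket is issued INVALID and must come back for validation once start has passed
        return {**tgt, "flags": int(out | F.POSTDATED | F.INVALID), "start": start, "end": start + LIFETIME}
    if request == "service":
        return {**tgt, "flags": out, "start": now, "end": min(now + LIFETIME, tgt["end"])}
    raise ValueError(f"unknown request {request!r}")

def allowed(tgt, request, now, start=None):
    """True if the TGS would honour the request, False if the flags or times forbid it."""
    try:
        derive(tgt, request, now, start)
        return True
    except PermissionError:
        return False
```

The INVALID check comes first on purpose: a postdated ticket must be brought back to the TGS and validated before it can be used for anything, and a renewal or service request on an INVALID ticket is refused even when RENEWABLE is set.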