KERBEROS (A Moron’s Guide) - PowerPoint PPT Presentation

Siva Saravanan Jayaraman


What is Kerberos ??

  • Network Authentication Protocol
  • It provides _strong_ authentication for client-server applications.
  • Uses secret-key cryptography to provide this strong authentication.
  • What is authentication ??
  • Authentication is the verification of the identity of an involved party, and of the integrity of the data that party generates.
  • What is Cryptography ?
  • Cryptography refers to the techniques employed to distort data into seemingly unintelligible gibberish in the view of an intruder who lacks the knowledge (the key) needed to interpret it.
  • The original Kerberos (v4 and early v5) used the Data Encryption Standard (DES) to implement encryption; current v5 implementations use AES (RFC 3962), and the DES enctypes are deprecated (RFC 6649) because a 56-bit key can be brute-forced.
  • Ref – Layman's dictionary of geek words.
Why Kerberos ???
  • Authentication is a key feature in a multi-user system
    • divide up resources w/ capabilities between many users
    • restrict a user's access to resources.
    • typical authentication mechanism – passwords.
  • "Authentication by assertion" requires an honest user !!??!
    • Berkeley's rlogin daemon is a prime example: it trusts the username the client asserts.
  • But regular password authentication is useless in the face of a computer network (as in the Internet)
    • system crackers (hackers) can easily intercept these passwords while on the wire, because protocols like telnet and rlogin send them in the clear.

Ref – CERT Advisory CA-94:01 – Ongoing Network Monitoring Attacks.

Surely "firewalling" is the answer for network security!!
  • Assumes the "bad guys" are on the outside…while the really damaging attacks come from the inside !!
  • Restricts how users use the Internet ….
  • Firewalling is simply a less extreme example of the dictum –
  • "There's nothing more secure than a computer that is not connected to the network – and powered off !!!!"
  • This is simply not acceptable in the real world !!
  • Kerberos grew out of a need to find a solution to these network security problems.
What's with the name though ??
  • From the horse's mouth –
  • "Kerberos is the three-headed dog that guarded the entrance to Hades" – ancient Greek myth.
  • Hades => Underworld (where hackers apparently live).
  • Kerberos is the Greek spelling and Cerberus the Latin one, hence the two names for the same dog.

Kerberos is based on the secret-key distribution model that was originally developed by Needham & Schroeder [1].

- keys are the basis of authentication in Kerberos

- typically a short sequence of bytes (a 56-bit DES key in Kerberos v4; 128- or 256-bit AES keys in current v5).

- used to both encrypt & decrypt

Encryption => plainTxt + Encryption key = cipherTxt

Decryption => cipherTxt + Decryption key = plainTxt

Encryption Key – identical to – Decryption Key (in conventional, i.e. symmetric, crypto).

Kerberos (v4 and v5) uses conventional crypto throughout: every ticket is sealed with a symmetric key shared between the KDC and the server it is issued for. Public-key crypto, where Enc Key != Dec Key, enters only through the optional PKINIT extension to v5 (RFC 4556), which lets a client use a certificate instead of a password for its initial exchange with the KDC.

[1] R. M. Needham and M. D. Schroeder, "Using Encryption for Authentication in Large Networks of Computers," Communications of the ACM, Vol. 21, No. 12, pp. 993–999, December 1978.

An Authentication Analogy from Real Life –
  • What does one need to buy alcohol ??
  • Driving License :
  • Goal : links a physical likeness to a given identity.
  • Params – issuing agency, photo, physical stats (seemingly uncopiable), name, address, birthdate.
  • Also includes restrictions – implicit (drinking age), explicit (corrective lenses).
  • The ID has a lifetime, denoted by the expiration date.
  • Authentication of an identity is contingent on a number of things, for eg –
  • - the card must not have been tampered with.
  • - the verifier must trust the agency that issued the ID
  • - an Indian driving license is not accepted at Notrica's but is accepted at Ralphs !
Kerberos essentially works in the same way !!!
  • Steps :
  • A user requests use of a network service.
  • The service wants assurance that the user is who he says he is.
  • The user presents a ticket that was issued to him by a Kerberos Authentication Server (AS) – think DMV. (In v5 the AS hands out a ticket-granting ticket and a Ticket-Granting Server (TGS) issues the per-service tickets; these slides fold both into the AS.)
  • If the ticket is valid, service is granted.
  • The tickets must be unequivocally linked to the user.
  • The ticket demonstrates that the bearer knows something that only its intended user would know (a passwd ??) – concretely, the session key inside the ticket, which the user can only recover with his password.
  • The ticket must obviously be safeguarded against all attacks: it is encrypted under the server's key, so a user can neither forge one nor alter the one he was given.
Functions of Kerberos :
  • Authentication
  • Integrity – is the assurance that the data received is the same as generated.
  • Confidentiality – is the protection of info from disclosure to those not intended to receive it.
  • Authorization – is the process by which one determines whether a principal is allowed to perform an operation. Authorization is usually done after the principal has been authenticated, or based on authenticated statements by others.
  • Terms :
  • Principal – is the party whose identity is verified.
  • Verifier – is the party who demands assurance of the principal's identity.
  • Ticket – a certificate issued by an AS, encrypted under the key of the server (verifier) it is issued for.
    • Ticket = random session key + name of principal + expiration time + others (e.g. the time of issue and the client's address).
    • The random session key is used for authenticating the principal to the verifier: the principal proves it knows the key by encrypting a fresh timestamp (the "authenticator") under it.
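The exchange the slides describe, as an added example in Python that is not part of the original presentation. It folds AS and TGS into one KDC as the slides do, uses a hash-based toy cipher in place of a real Kerberos enctype, and treats the realm EXAMPLE.COM, the principals alice and host/fileserver, their passwords and the 5-minute skew window as constructed assumptions. The last function also illustrates the weak-password assumption on the next slide: an eavesdropper guessing offline against the captured KDC reply.

```python
"""Toy Kerberos-style ticket exchange (added illustration, not the slides' code).
A ticket = {session key, principal name, expiry, ...} sealed under the server's
key; the client proves it holds the session key with an authenticator.  The
cipher is a hash-based stand-in for a real enctype; realm, names, passwords and
the skew window are constructed assumptions.
"""
import hashlib
import hmac
import json
import os

REALM = "EXAMPLE.COM"   # assumption: constructed realm
MAX_SKEW = 300          # seconds; krb5's default clockskew is also 5 minutes

def string_to_key(password, principal):
    # As in RFC 3962: PBKDF2-HMAC-SHA1, salt = realm + principal, 4096 rounds
    # (the real enctype applies one further key-derivation step, omitted here).
    salt = (REALM + principal).encode()
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt, 4096, 32)

def _keystream(key, nonce, length):
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def seal(key, obj):
    """Encrypt-then-MAC: SHA-256 keystream XOR plaintext, HMAC-SHA256 tag."""
    data = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    body = nonce + bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    return body + hmac.new(key, body, hashlib.sha256).digest()

def unseal(key, blob):
    """Verify the tag first; a wrong key or any tampering fails here."""
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), tag):
        raise ValueError("integrity check failed (wrong key or tampered)")
    nonce, ct = body[:16], body[16:]
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

# Constructed KDC database: long-term keys derived from each principal's password.
KDC_DB = {
    "alice": string_to_key("Winter2024!", "alice"),
    "host/fileserver": string_to_key("Rq7#vD2mX!pL9sWz", "host/fileserver"),
}

def kdc_issue(client, service, now, lifetime=8 * 3600):
    """The 'DMV': ticket sealed under the service key, plus the session key
    sealed under the client's key (AS and TGS folded into one, as on the slides)."""
    session_key = os.urandom(32)
    ticket = seal(KDC_DB[service], {"cname": client, "sname": service,
                                    "key": session_key.hex(),
                                    "authtime": now, "endtime": now + lifetime})
    enc_part = seal(KDC_DB[client], {"key": session_key.hex(), "sname": service,
                                     "endtime": now + lifetime})
    return ticket, enc_part

def client_ap_req(password, client, ticket, enc_part, now):
    """Client recovers the session key with its password and builds an
    authenticator: proof that whoever presents the ticket knows that key now."""
    part = unseal(string_to_key(password, client), enc_part)
    session_key = bytes.fromhex(part["key"])
    return ticket, seal(session_key, {"cname": client, "ctime": now})

def service_verify(service_key, ticket, authenticator, now):
    """Checks a Kerberized service makes on an AP-REQ; returns the principal name.
    (Real servers also keep a replay cache of recently seen authenticators.)"""
    t = unseal(service_key, ticket)                     # issued under our key, untampered
    if not t["authtime"] <= now < t["endtime"]:
        raise ValueError("ticket expired or not yet valid")
    a = unseal(bytes.fromhex(t["key"]), authenticator)  # bearer knows the session key
    if a["cname"] != t["cname"]:
        raise ValueError("authenticator name does not match ticket")
    if abs(a["ctime"] - now) > MAX_SKEW:
        raise ValueError("authenticator outside clock-skew window (replay?)")
    return t["cname"]

def guess_password(client, enc_part, candidates):
    """Why weak passwords matter: the client part of the KDC reply is sealed under
    a key derived only from the password, so an eavesdropper who captured it can
    test candidates offline without ever contacting the KDC again."""
    for pw in candidates:
        try:
            unseal(string_to_key(pw, client), enc_part)
            return pw
        except ValueError:
            continue
    return None

if __name__ == "__main__":
    import time
    now = time.time()
    ticket, enc_part = kdc_issue("alice", "host/fileserver", now)
    tkt, auth = client_ap_req("Winter2024!", "alice", ticket, enc_part, now)
    print("service accepted:", service_verify(KDC_DB["host/fileserver"], tkt, auth, now))
    print("guessed:", guess_password("alice", enc_part, ["password", "alice", "Winter2024!"]))
```

The service never sees the user's password and never contacts the KDC; everything it needs is in the ticket it can open with its own key. The same property is what makes the captured enc_part attractive to an attacker: guessing proceeds offline at the speed of the key-derivation function, which is why the slides insist on non-trivial passwords.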
Assumptions that Kerberos makes :
  • Kerberos assumes that the user won't use _stupid_ passwords like his own user name etc., which can easily be broken by a password cracker like "John the Ripper". In fact no password-based mechanism to date can cope with password guessing: Kerberos v5 pre-authentication (RFC 4120) stops an attacker from simply asking the KDC for material to guess against, but an eavesdropper who captures the exchange can still guess offline, since the reply is encrypted under a key derived only from the password.
  • Kerberos assumes that the workstations or machines are more or less secure, i.e. there is no way for an attacker to intercept communication between a user and a client (user process), or to read the user's cached tickets.
Things to remember :
  • Kerberos, to be useful, MUST be integrated with all important parts of a system.
  • Kerberos only protects the messages of software that has been written or modified to use Kerberos.
  • Kerberos does not itself provide authorization, but it passes along authorization info generated by other services. So Kerberos can be used as a base for building separate authorization services.
Cross Realm Authentication :
  • Mechanism by which principals in one realm can authenticate to principals in another realm.
  • The two realms must share a special "cross-realm" secret (in v5, the key of the principal krbtgt/REMOTE.REALM@LOCAL.REALM, registered in both KDCs).
    • realms usually have a _political_ connection, eg. ISI & USC
    • Transitive cross-realm authentication (in krb5): a ticket can pass through intermediate realms, and the realms it transited are recorded in the ticket so the final server can decide whether to trust that path.
  • Bones :
  • DES-stripped version of Kerberos
  • - because of the stringent US export laws of the time
  • - E-Bones: Bones with the encryption added back by developers outside the US
Applications :
  • Kerberos-aware applications are called Kerberized.
  • Kerberizing is the most difficult part of installing krb.
  • Some krb'zed applications are –
  • Berkeley R-commands, telnet, POP, USC's Win2000 network (!?!) – Windows 2000 and later use Kerberos v5 for domain logon.
  • GSS-API – Generic Security Services API (RFC 2743)
    • - a standard programming interface that is independent of the authentication mechanism, so an application written to it can use Kerberos today and another mechanism tomorrow without code changes.