
Introduction of Kerberos


Presentation Transcript


  1. Introduction of Kerberos

  2. What is Kerberos?
  • Kerberos is a network authentication protocol.
  • It is designed to provide strong authentication for client/server applications by using secret-key cryptography.

  3. Why is Kerberos needed?
  • The Internet is an insecure place.
  • Many Internet protocols ~ no security.
  • Malicious hackers ~ "sniff" passwords
  • Application
  • Sending unencrypted passwords ~ extremely vulnerable.
  • Client/server ~ relies on the client program to be "honest"
  • Client/server ~ relies on the client to restrict its activities to those which it is allowed to do

  4. Firewall ~ security problems?
  • A very bad assumption that "the bad guys" are on the outside ~ most of the really damaging incidents of computer crime are carried out by insiders.
  • A significant disadvantage ~ restricts how your users can use the Internet.
  • In many places, these restrictions are simply unrealistic and unacceptable.

  5. Who ~ Kerberos?
  • 1988, MIT, as a solution to these network security problems.
  • The Kerberos protocol uses strong cryptography so that a client can prove its identity to a server (and vice versa) across an insecure network connection.
  • After this, they can also encrypt all of their communications to assure privacy and data integrity as they go about their business.

  6. The Whole Authentication

  7. Simplified Principle

  8. Two Concepts
  • Long-term Key/Master Key:
  • Usage rule: data encrypted with the Long-term Key should not be transmitted over the network.
  • But the password is the credential that proves identity, so the user's real identity must be proven with information derived from the password. Normally the password is hashed to obtain a hash code, which is called the Master Key.
  • Since the hash algorithm is irreversible and at the same time guarantees a one-to-one correspondence between password and Master Key, the password stays confidential while the Master Key has the same power as the password itself for proving your identity.
  • Short-term Key/Session Key:

  9. Where ~ Key?
  • Short-term Key
  • Session Key S(Server-Client)
  • Kerberos Distribution Center (KDC)
  • The Account Database of all accounts ~ Master Keys

  10. KDC → S(Server-Client) Session Ticket

  11. ↑ ~ Authenticator
  • A key known to both parties is enough to authenticate the other side, but in a network environment this simple approach has security holes, so the Client must provide additional proof. We call this proof the Authenticator.
  • Authenticator = ClientInfo + Timestamp
  • Session Ticket = (ClientInfo + Session Key) encrypted with the Server's Master Key

  12. Some Advantages
  • Why Timestamp?
  • Mutual Authentication (two-way authentication)

  13. Authentication

  14. How ~ Key?
  • Kerberos is in fact a Ticket-based authentication scheme
  • A very strong anti-forgery mark: the Ticket is encrypted with the Server's Master Key
  • And that Ticket must be obtained from a legitimate Ticket-issuing authority
  • The KDC, trusted by both Client and Server

  15. TGT
  • TGT: Ticket Granting Ticket
  • The preceding slides described in broad terms how the KDC distributes Tickets to the Client; the real Ticket Distribution in Kerberos is somewhat more complex.
  • Before the Client obtains a Ticket from the KDC, it must first obtain a warrant for that Ticket, called in Kerberos the TGT (Ticket Granting Ticket). The TGT is likewise issued by the KDC.

  16. How ~ TGT and Logon Session Key

  17. Why TGT?
  • The Client decrypts the Session Key S(KDC-Client) and caches it together with the TGT.
  • From then on the Client can use S(KDC-Client) to request from the KDC the Ticket for each Server it wants to access, without needing its own Master Key any more.
  • Compared with the Client's Master Key, a Long-term Key, S(KDC-Client) is a Short-term Key, so security is better assured; this is the whole point of the extra step in Kerberos.

  18. TGT → Ticket

  19. The Whole Authentication
  • Broadly, it consists of the following 3 sub-processes:
  • The Client requests a TGT (Ticket Granting Ticket) from the KDC.
  • Using the TGT it has obtained, the Client requests from the KDC a Ticket for accessing the Server.
  • Finally, the Client presents the Ticket to the Server so that the Server can authenticate it.

  20. The Whole Authentication
  • The description above still differs slightly from the real Kerberos Authentication.
  • The whole Kerberos authentication completes the 3 sub-processes listed above through 3 Sub-Protocols. These 3 sub-protocols are:
  • Authentication Service Exchange
  • Ticket Granting Service Exchange
  • Client/Server Exchange
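The three sub-protocols just listed, together with the Master Key, Session Key and Authenticator from slides 8 to 12 and the TGT step from slides 15 to 17, as an added worked example that is not part of the presentation: a single-file Python simulation of a KDC, an application server and a client running the Authentication Service, Ticket Granting Service and Client/Server exchanges end to end. The cipher is a constructed hash-based encrypt-then-MAC stand-in for Kerberos' real encryption types, the account names and passwords are constructed sample values, and the ticket lifetimes and 300-second clock skew are assumed parameters rather than anything the slides state; the class and function names are this example's own.

```python
import hashlib, hmac, json, os, time

MAX_SKEW = 300  # seconds; assumed clock-skew window for authenticator timestamps

def master_key(principal, password):
    # Long-term key: hash of the password, salted with the principal name; it never crosses the wire
    return hashlib.sha256((principal + ":" + password).encode()).digest()

def _keystream(key, nonce, length):
    blocks = range((length + 31) // 32)
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in blocks)[:length]

def encrypt(key, obj):
    # Constructed encrypt-then-MAC toy standing in for Kerberos' real encryption types; not for production.
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def authenticator(session_key, client, ts=None):
    # Authenticator = ClientInfo + Timestamp, sealed with the session key carried inside the ticket
    return encrypt(session_key, {"client": client, "ts": time.time() if ts is None else ts})

def check_authenticator(ticket, auth, replay_cache):
    # Identical checks at the KDC (for a TGT) and at the application server (for a service ticket)
    now = time.time()
    if now > ticket["exp"] or auth["client"] != ticket["client"] or abs(now - auth["ts"]) > MAX_SKEW:
        raise PermissionError("expired ticket, client mismatch or stale timestamp")
    if (auth["client"], auth["ts"]) in replay_cache:  # same (client, timestamp) presented before
        raise PermissionError("replayed authenticator")
    replay_cache.add((auth["client"], auth["ts"]))

class KDC:
    def __init__(self, accounts):
        self.db = {p: master_key(p, pw) for p, pw in accounts.items()}  # account database: master keys
        self.krbtgt_key = os.urandom(32)  # KDC's own long-term key, used to seal TGTs
        self.replay_cache = set()

    def as_exchange(self, client):
        # Authentication Service Exchange: logon session key S(KDC-Client) plus the TGT
        skey = os.urandom(32).hex()
        tgt = encrypt(self.krbtgt_key, {"client": client, "skey": skey, "exp": time.time() + 8 * 3600})
        return encrypt(self.db[client], {"skey": skey}), tgt

    def tgs_exchange(self, tgt, auth, server):
        # Ticket Granting Service Exchange: TGT + authenticator buys a ticket for `server`
        body = decrypt(self.krbtgt_key, tgt)
        s_kdc_client = bytes.fromhex(body["skey"])
        check_authenticator(body, decrypt(s_kdc_client, auth), self.replay_cache)
        skey = os.urandom(32).hex()
        ticket = encrypt(self.db[server], {"client": body["client"], "skey": skey, "exp": time.time() + 3600})
        return encrypt(s_kdc_client, {"skey": skey}), ticket

class AppServer:
    def __init__(self, principal, password):
        self.name, self.key, self.replay_cache = principal, master_key(principal, password), set()

    def ap_exchange(self, ticket, auth):
        # Client/Server Exchange: open the ticket with own master key, verify the authenticator,
        # then echo the client's timestamp under the session key (mutual authentication)
        body = decrypt(self.key, ticket)
        s_server_client = bytes.fromhex(body["skey"])
        auth_body = decrypt(s_server_client, auth)
        check_authenticator(body, auth_body, self.replay_cache)
        return body["client"], encrypt(s_server_client, {"ts": auth_body["ts"]})

def client_flow(kdc, server, client, password):
    # Client side of all three exchanges; the password is used once, to open the AS reply.
    # Returns (name the server accepted, mutual auth succeeded, service ticket, S(Server-Client)).
    enc, tgt = kdc.as_exchange(client)
    s_kdc_client = bytes.fromhex(decrypt(master_key(client, password), enc)["skey"])
    enc, ticket = kdc.tgs_exchange(tgt, authenticator(s_kdc_client, client), server.name)
    s_server_client = bytes.fromhex(decrypt(s_kdc_client, enc)["skey"])
    ts = time.time()
    accepted, ap_rep = server.ap_exchange(ticket, authenticator(s_server_client, client, ts))
    return accepted, decrypt(s_server_client, ap_rep)["ts"] == ts, ticket, s_server_client

ACCOUNTS = {"alice": "correct horse", "host/files": "service-secret"}  # constructed sample realm

def demo():
    kdc, files = KDC(ACCOUNTS), AppServer("host/files", ACCOUNTS["host/files"])
    accepted, mutual_ok, _, _ = client_flow(kdc, files, "alice", "correct horse")
    return accepted, mutual_ok

def replay_is_rejected():
    kdc, files = KDC(ACCOUNTS), AppServer("host/files", ACCOUNTS["host/files"])
    _, _, ticket, skey = client_flow(kdc, files, "alice", "correct horse")
    auth = authenticator(skey, "alice", time.time() + 1)  # fresh, distinct timestamp
    files.ap_exchange(ticket, auth)  # first presentation is accepted
    try:
        files.ap_exchange(ticket, auth)  # the same authenticator again hits the replay cache
        return False
    except PermissionError:
        return True
```

Each exchange hands back something encrypted under a key the recipient must already hold: the AS reply under the client's Master Key (the only point at which the password is used, and it never leaves the client), the TGT under a key only the KDC knows, and the service ticket under the server's Master Key, which is the "anti-forgery mark" of slide 14. `check_authenticator` is the answer to slide 12's "Why Timestamp?": the freshness window plus the replay cache is what stops a captured authenticator from being presented again, and the timestamp echoed in the server's reply is what gives the client mutual authentication.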

  21. The Whole Authentication

  22. User2User Sub-protocol

  23. Kerberos Advantages
  • 1. Higher Performance
  • 2. Mutual Authentication
  • 3. Support for Delegation
  • Impersonation and Delegation are two important features in a distributed environment. Impersonation allows a Server to perform certain operations locally using the logged-on Account; Delegation requires the Server to carry the logged-on Account into another Context to perform the corresponding operations. NTLM supports only Impersonation, while Kerberos supports Delegation through a mutual, transitive trust model.
  • 4. Interoperability
