Kerberos

WHY KERBEROS

The Internet is an insecure place. Many of the protocols used in the Internet do not provide any security. Tools to "sniff" passwords off of the network are in common use by systems crackers. Thus applications that send an unencrypted password over the network are extremely vulnerable. Worse yet, other client/server applications rely on the client program to be "honest" about the identity of the user who is using it. Other applications rely on the client to restrict its activities to those which it is allowed to do, with no other enforcement by the server.
Some sites attempt to use firewalls to solve their network security problems. Unfortunately, firewalls assume that "the bad guys" are on the outside, which is often a very bad assumption. Insiders carry out most of the really damaging incidents of computer crime. Firewalls also have a significant disadvantage in that they restrict how your users can use the Internet. Kerberos is necessary because there are people who know how to tap the lines between computers and listen for your password. They do this with programs called "sniffers", and the only way to stop them would be to physically guard every inch of the Internet ... computers, cables and all. This, of course, is impossible. As long as there are physically insecure networks in the world and at Stanford, we'll need something like Kerberos to maintain the integrity and security of our electronic communications. Kerberos was created by MIT as a solution to these network security problems.
WHAT IS KERBEROS?
Kerberos is a network authentication protocol. It is designed to provide strong authentication for client/server applications by using secret-key cryptography. A free implementation of this protocol is available from the Massachusetts Institute of Technology. Kerberos is available in many commercial products as well.
The Kerberos protocol uses strong cryptography so that a client can prove its identity to a server across an insecure network connection. After a client and server have used Kerberos to prove their identity, they can also encrypt all of their communications to assure privacy and data integrity as they go about their business.
Where does the name "Kerberos" come from?
The name Kerberos comes from Greek mythology; it is the three-headed dog that guarded the entrance to Hades.
"Cerberus" is the Latin spelling of the Greek "Kerberos", and according to the OED it is pronounced like "serberus", but that is quite at odds with the Greek, as the initial consonant is a "k". MIT Project Athena chose to use the Greek spelling and pronunciation.
BASIC KERBEROS TERMINOLOGY:
USER:
A human being who wishes to use a computer system.
SERVICE:
A program or set of programs running on a computer which is accessible over the network. The service would like to know with certainty that the workstation to which it is providing the service is really being used by the user who claims to be logged in on the workstation.
PRINCIPAL:
An entity that can both prove its identity and verify the identities of other principals who wish to communicate with it. Each user and each service registered with Kerberos is thus a principal.
K.D.C.
Key Distribution Centre. The Kerberos servers plus the database of principals are regarded as the Key Distribution Centre.
REALM:
The "jurisdiction" of a Kerberos database. The realm includes the KDC plus the set of all principals registered in the database. A realm name is normally a DNS domain or subdomain name, in upper case.
TICKET:
A data structure obtained from Kerberos, which is presented to a service or application to authenticate the ticket holder. A ticket contains information about the client principal plus a session key that was randomly generated by Kerberos, all encrypted in the secret Kerberos key of the server to which it will be presented. The client has its own copy of this session key, which was contained in the credentials that include this ticket. Only the server can decrypt the ticket to receive its copy of the session key. Once this is done, the server and client share a common secret key. That key is used to complete the authentication process and may also be employed by client and server to encrypt their entire session.
CREDENTIALS
The combination of a ticket and its session key. The client sends the ticket to the server in order to distribute the session key, and also sends an authenticator which is encrypted in that session key.
T.G.T
Ticket Granting Ticket. A special ticket issued by the Authentication Service, allowing a principal to authenticate itself to the Ticket Granting Service.
T.G.S
Ticket Granting Service. The component of Kerberos that issues service credentials.
AUTHENTICATOR:
A short-lived packet of information that is generated by a kerberized client each time it connects to a server. The authenticator is encrypted in the session key the client shares with the server and has a short lifetime. It is presented to the server along with the service ticket.
The authenticator is what really proves the client's identity, since an imposter may have stolen the ticket in transit from a prior session, but only the client who possesses the session key can generate a valid authenticator. To prevent an imposter from simply reusing a stolen authenticator, servers should refuse to accept the same authenticator more than once.

KERBEROS CLIENT

In Kerberos, all authentication takes place between clients and servers. So in Kerberos terminology, a "Kerberos client" is any entity that gets a service ticket for a Kerberos service. A client is typically a user, but any principal can be a client.

KERBEROS SERVER:

The term "Kerberos server" generally refers to the key distribution center, or the KDC for short. The KDC implements the Authentication Service and Ticket Granting Service.
APPLICATION SERVER:
The term "application server" generally refers to kerberized programs that clients communicate with using Kerberos tickets for authentication.


How Kerberos Works

Now that we have heard a few of the terms that Kerberos uses, here is a simplified explanation of how a Kerberos authentication system works:
On a "normal" network which uses passwords to authenticate users, when a user requests a network service that requires authentication, the user is prompted to type in their password. Their password is transmitted in plaintext over the network, and access to the network service is granted.
As mentioned previously, the central problem solved by Kerberos is how to use passwords for authentication without sending them over the network. On a kerberized network, the Kerberos database contains principals and their keys (for users, their keys are derived from their passwords). The Kerberos database also contains keys for all of the network services.
When a user on a kerberized network logs in to their workstation, their principal is sent to the Key Distribution Center (KDC) as a request for a Ticket Granting Ticket (TGT). This request can be sent by the login program (so that it is transparent to the user) or can be sent by the kinit program after the user logs in.
The KDC checks for the principal in its database. If the principal is found, the KDC creates a TGT, encrypts it using the user's key, and sends it back to the user.
The login program or kinit decrypts the TGT using the user's key (which it computes from the user's password). The TGT, which is set to expire after a certain period of time, is stored in the user's credentials cache. An expiration time is set so that a compromised TGT can only be used for a certain period of time, usually eight hours (unlike a compromised password, which could be used until changed). The user won't have to re-enter their password until the TGT expires or they log out and log in again.
When the user needs access to a network service, the client uses the TGT to request a ticket for the service from the Ticket Granting Service (TGS), which runs on the KDC. The TGS issues a ticket for the desired service, which is used to authenticate the user.
REQUEST CREDENTIALS:
The client requests credentials from the Authentication Server, which runs on the Kerberos Key Distribution Center (KDC). The credentials will be used to secure tickets for kerberized applications. The tickets are used by these applications to authenticate the client. Tickets may be returned for application servers, but when doing a kinit they are for the Ticket Granting Service. We will describe this procedure. The credentials that are returned are also known as ticket granting tickets and are passed to the Ticket Granting Service running on the KDC to get application tickets. The T.G.T has a limited lifetime. That lifetime defaults to 10 hours.
KERBEROS KDC RESPONSE WITH CREDENTIALS:
Once authentication is successful, the Authentication Server returns a T.G.T to the client. The T.G.T is used by the client to request tickets for application servers without needing to type in a password again.
KERBEROS CLIENT REQUEST FOR TICKET FROM T.G.S
When connecting to an application server, the client encrypts their T.G.T and a request for a ticket for the application server with their secret key. The client then passes that to the T.G.S.
KERBEROS T.G.S GRANTS TICKET
The T.G.S decrypts the request using the client's secret key in the Kerberos database. By doing this it verifies the identity of the client. The T.G.S creates a ticket containing the following information: client name, server name, timestamp, lifetime and session key.
KERBEROS CLIENT ESTABLISHES CONNECTION TO APPLICATION SERVER:
The client decrypts the information it received from the T.G.S and forwards the ticket to the application server to request service. The application server uses its secret key to decrypt the ticket and check the ticket for validity. If the ticket is valid, the principal is checked for authorization to the service that is requested. Note that this authorization is not done by Kerberos; it is handled by the server itself. Kerberos merely provides a method of authenticating the principal, giving the server a higher degree of assurance of the identity of the service requester. The application server then allows the connection to continue, using the session key to encrypt the data stream if the data stream is to be encrypted.
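The exchange the preceding steps describe, as an added example that is not part of the original report: a toy KDC (Authentication Service plus Ticket Granting Service over one principal database), an application server that keeps the replay cache the AUTHENTICATOR entry calls for, and a client that does a kinit and then connects. It follows the standard protocol, so the client proves it holds the TGT's session key with an authenticator rather than sending anything under its long-term key; the principal names, keys and the hashlib/hmac "cipher" are constructed stand-ins, not real Kerberos encryption types.

```python
# Toy model of the exchange above (added example, not the report's code); hashlib/hmac stand in for Kerberos' real ciphers.
import hashlib, hmac, json, os
TICKET_LIFETIME = 8 * 3600      # seconds; the report quotes eight hours
def string_to_key(password):    # toy stand-in for Kerberos string-to-key (the real one is a salted PBKDF)
    return hashlib.sha256(password.encode()).digest()
def keystream(key, nonce, n):   # HMAC-SHA256 in counter mode, enough bytes to cover n
    return b"".join(hmac.new(key, nonce + bytes([i]), "sha256").digest() for i in range(n // 32 + 1))
def seal(key, obj):             # encrypt-then-MAC: only a holder of key can read or forge the blob
    nonce, pt = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()
def unseal(key, blob):          # raises ValueError on a wrong key or a tampered blob
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("wrong key or tampered")
    return json.loads(bytes(a ^ b for a, b in zip(ct, keystream(key, nonce, len(ct)))))

def make_ticket(db, client, server, now):   # db: principal -> long-term key; ticket sealed under the *server's* key
    skey = os.urandom(32)                   # fields are the ones the text lists: client, server, timestamp, lifetime, session key
    return skey, seal(db[server], {"client": client, "server": server, "timestamp": now, "lifetime": TICKET_LIFETIME, "skey": skey.hex()})
def as_exchange(db, client, now):           # AS: a TGT for krbtgt, plus its session key sealed under the user's key
    skey, tgt = make_ticket(db, client, "krbtgt", now)
    return tgt, seal(db[client], {"skey": skey.hex()})
def tgs_exchange(db, tgt, authenticator, server, now):
    t = unseal(db["krbtgt"], tgt)           # only the KDC holds the krbtgt key, so the TGT is opaque to the client
    tgt_key = bytes.fromhex(t["skey"])
    if unseal(tgt_key, authenticator)["client"] != t["client"] or now > t["timestamp"] + t["lifetime"]:
        raise ValueError("bad authenticator or expired TGT")
    skey, tkt = make_ticket(db, t["client"], server, now)
    return tkt, seal(tgt_key, {"skey": skey.hex()})   # service ticket, plus its session key under the TGT session key

class AppServer:
    def __init__(self, name, key):
        self.name, self.key, self.seen = name, key, set()   # seen = replay cache of accepted authenticators
    def accept(self, ticket, authenticator, now):           # ValueError propagates for a forged ticket
        t = unseal(self.key, ticket)
        if now > t["timestamp"] + t["lifetime"]:
            return "rejected: expired ticket"
        if unseal(bytes.fromhex(t["skey"]), authenticator)["client"] != t["client"] or authenticator in self.seen:
            return "rejected: mismatched or replayed authenticator"
        self.seen.add(authenticator)
        return "ok " + t["client"]                          # both sides now share t["skey"] for the session

def login(db, user, password, now):          # kinit: open the AS reply with the password-derived key
    tgt, enc = as_exchange(db, user, now)
    return tgt, bytes.fromhex(unseal(string_to_key(password), enc)["skey"])
def connect(db, server, user, tgt, tgt_key, now):   # TGS request proven with an authenticator, then the AP request
    tkt, enc = tgs_exchange(db, tgt, seal(tgt_key, {"client": user, "time": now}), server.name, now)
    auth = seal(bytes.fromhex(unseal(tgt_key, enc)["skey"]), {"client": user, "time": now})
    return server.accept(tkt, auth, now), tkt, auth
```

A second `connect` with the same TGT succeeds without the password, while re-presenting a captured ticket and authenticator is refused by the replay cache and an old ticket by the lifetime check.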
ADVANTAGES AND DISADVANTAGES

The main advantage of Kerberos is the secure transmission of electronic data over an insecure network. However, every system has its own advantages and disadvantages.

  • The first disadvantage of the Kerberos system is that for an application to use Kerberos, its sources must be modified to make the appropriate calls into the Kerberos libraries. For some applications, this may require too much programming effort. For other applications, changes must be made to the protocol used between network servers and their clients. Again, this may require extensive programming. Furthermore, it may be impossible to make certain closed-source applications work with Kerberos.
  • The second disadvantage of the Kerberos system is that Kerberos assumes that you are using trusted hosts on an untrusted network. Its primary goal is to prevent plaintext passwords from being sent across that network. However, if anyone other than the proper user has physical access to any of the hosts, especially the one that issues tickets used for authentication, the entire Kerberos authentication system is at risk of being compromised.

© 2013 123seminarsonly.com All Rights Reserved.