Deep dive into Kerberos
This presentation was first presented at Virtusa on 14th August 2014.
Deep Dive into - Kerberos
Ishan A B Ambanwela
Contents
1. What is Kerberos
2. Design Objectives
3. Cons
4. Common Terms Explained
5. Kerberos Work Flow
6. Kerberos in Practice
What is Kerberos
● Computer network authentication protocol
● Developed at MIT in the mid 1980s as part of Project Athena
● Named after Cerberus, the three-headed guard dog of Hades
● Current version 5 was first standardized in 1993 (RFC 1510) and revised in 2005 (RFC 4120); the MIT reference implementation is released under the MIT license
Design Objectives
● Allows a client and a server to authenticate each other over a non-secure network
● Based on tickets
● Designed for the client-server model
● Interoperability between implementations
● Trust no one: mutual authentication of client and server
● Protected against eavesdropping (passwords are never sent over the network) and replay attacks (every authenticator carries a fresh timestamp)
Cons
● Single point of failure: if the KDC is unreachable nobody can obtain tickets (mitigated by replica KDCs)
● Strict time requirements: clocks of client, KDC and servers must agree within a small skew (5 minutes by default)
● Symmetric cryptography: every principal shares a long-term key with the KDC, so a compromised KDC can impersonate anyone
● Unique Kerberos keys: each host and service principal needs its own key
● Complications in virtual hosting and clusters, because a service principal name is bound to a host name
● Requires user accounts: every user must exist as a principal in the KDC
● Strict separation of domains (realms): cross-realm access needs explicit trust relationships
● Administration protocol is not standardized (kadmin, Active Directory tooling and others differ)
Some Common Terms
● KDC - Key Distribution Center
● AS - Authentication Service
● AD - Active Directory
● Key - parameter which determines the functional output of a cryptographic algorithm
● Ticket - piece of information which carries the identity of a user
● Session - semi-permanent interactive information interchange
Kerberos - Terms
● TGT – Ticket Granting Ticket
  – Used to prove the user's own identity to the Ticket Granting Server
● ST – Service Ticket
  – Allows a user to use a service
  – Used to securely pass the identity of the user to whom the ticket is issued from the KDC to the application server
● Authenticator
  – Proves that the user presenting the ticket is the user to whom the ticket was issued
  – Proof that the user knows the session key (only that user could have encrypted it)
  – Prevents replay attacks: it carries a timestamp, and a server rejects authenticators that are too old or that it has already seen
Kerberos – Work flow

Parties: the Client, the Key Distribution Center (KDC) consisting of the Authentication Server (AS) and the Ticket Granting Server (TGS), and the Resource Server (RS).
Keys: Client Secret Key (CSK, a one-way hash of the user's password, held by the client and the KDC), TGS Secret Key (TGSSK), RS Secret Key (RSSK), Session Key (SK, shared by client and TGS) and Client/Server Session Key (CSSK, shared by client and RS). {X}K denotes X encrypted with key K; NA is the client's network address.

1. Client → AS: Username (clear text)
   The user enters username and password; the client derives CSK from the password with a one-way hash. The password itself never leaves the client.
2. AS → Client:
   A. {Session Key (SK)}CSK
   B. TGT = {Username, NA, Validity Period, SK}TGSSK
   The client decrypts A with CSK and obtains SK. B is opaque to the client; it can only be read by the TGS.
3. Client → TGS: B (the TGT), Service ID (clear text), and
   C. Authenticator = {Username, Timestamp}SK
   The TGS decrypts B with TGSSK to recover SK, then decrypts C with SK and checks that the username matches the ticket and the timestamp is fresh.
4. TGS → Client:
   D. Client/Server Ticket = {Username, NA, Validity Period, Client/Server Session Key (CSSK)}RSSK
   E. {Timestamp+1, CSSK}SK
   The client decrypts E with SK and obtains CSSK. D is opaque to the client; it can only be read by the RS.
5. Client → RS: D (the service ticket), and
   F. Authenticator = {Username, Timestamp'}CSSK
   The RS decrypts D with RSSK to recover CSSK, then decrypts F with CSSK and checks username and timestamp. (The original slide labels F with SK; it must be CSSK, because the RS never holds SK and can only recover CSSK from D.)
6. RS → Client:
   G. {Timestamp'+1, Resource}CSSK
   The client checks Timestamp'+1: only a server holding RSSK could have read D, obtained CSSK and produced G, which gives mutual authentication.
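The exchange above run end to end, as an added example written for this page (it is not code from the slides, nor from MIT Kerberos or any other implementation). It assumes a toy HMAC-SHA256-based seal()/unseal() cipher in place of real Kerberos encryption types, JSON messages whose fields follow the slide's labels, an 8-hour ticket lifetime, a 5-minute clock-skew window, and the made-up user "alice" and service "fileserver"; the KDC and ResourceServer classes and the login() helper are likewise invented here.

```python
# Added example, not part of the slides: toy run of exchanges A..G above.
# Field names, the 8-hour lifetime, the 5-minute skew and the HMAC-based
# seal()/unseal() cipher are assumptions; real Kerberos uses ASN.1 and RFC 3961 enctypes.
import hashlib
import hmac
import json
import os

SKEW = 300           # assumed tolerated clock skew in seconds (5 minutes is the common default)
LIFETIME = 8 * 3600  # assumed ticket validity period in seconds

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]

def seal(key: bytes, msg: dict) -> bytes:
    """{msg}_key: toy encrypt-then-MAC built from HMAC-SHA256 (illustration only)."""
    plaintext = json.dumps(msg, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> dict:
    """Inverse of seal(); raises ValueError on a wrong key or a modified blob."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()):
        raise ValueError("bad MAC: wrong key or tampered message")
    return json.loads(bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct)))))

def client_secret_key(password: str) -> bytes:
    return hashlib.sha256(password.encode()).digest()  # CSK = one-way hash (Kerberos proper salts it)

def authenticator(user: str, key: bytes, now: int, usec: int) -> bytes:
    return seal(key, {"user": user, "ts": now, "usec": usec})  # C or F: {Username, Timestamp}_key

def check_authenticator(auth: dict, ticket: dict, now: int, replay_cache: set) -> None:
    if auth["user"] != ticket["user"]:
        raise PermissionError("authenticator name does not match the ticket")
    if now > ticket["valid_until"]:
        raise PermissionError("ticket expired")
    if abs(now - auth["ts"]) > SKEW:
        raise PermissionError("timestamp outside the allowed clock skew")
    seen_key = (auth["user"], auth["ts"], auth["usec"])
    if seen_key in replay_cache:            # identical authenticator presented again: replay
        raise PermissionError("replayed authenticator")
    replay_cache.add(seen_key)

class KDC:
    """Authentication Server (as_exchange) plus Ticket Granting Server (tgs_exchange)."""
    def __init__(self, tgs_key: bytes, service_keys: dict):
        self.users, self.tgs_key, self.service_keys, self.seen = {}, tgs_key, service_keys, set()
    def register(self, user: str, password: str) -> None:
        self.users[user] = client_secret_key(password)
    def as_exchange(self, user: str, addr: str, now: int):
        """A = {SK}_CSK, B = TGT = {Username, NA, Validity, SK}_TGSSK. The AS checks no password."""
        sk = os.urandom(32)
        a = seal(self.users[user], {"sk": sk.hex()})
        b = seal(self.tgs_key, {"user": user, "na": addr, "valid_until": now + LIFETIME, "sk": sk.hex()})
        return a, b
    def tgs_exchange(self, b: bytes, c: bytes, service: str, now: int):
        """Decrypt B with TGSSK, C with the SK inside B, then issue D and E."""
        tgt = unseal(self.tgs_key, b)
        sk = bytes.fromhex(tgt["sk"])
        auth = unseal(sk, c)
        check_authenticator(auth, tgt, now, self.seen)
        cssk = os.urandom(32)
        d = seal(self.service_keys[service],
                 {"user": tgt["user"], "na": tgt["na"], "valid_until": now + LIFETIME, "cssk": cssk.hex()})
        e = seal(sk, {"ts_plus_1": auth["ts"] + 1, "cssk": cssk.hex()})
        return d, e

class ResourceServer:
    def __init__(self, key: bytes):
        self.key, self.seen = key, set()
    def ap_exchange(self, d: bytes, f: bytes, now: int) -> bytes:
        """Decrypt D with RSSK, F with the CSSK inside D, then answer with G."""
        ticket = unseal(self.key, d)
        cssk = bytes.fromhex(ticket["cssk"])
        auth = unseal(cssk, f)
        check_authenticator(auth, ticket, now, self.seen)
        return seal(cssk, {"ts_plus_1": auth["ts"] + 1, "resource": "hello " + ticket["user"]})

def login(kdc: KDC, rs: ResourceServer, user: str, password: str, addr: str, now: int,
          usec: int = 0, service: str = "fileserver") -> str:
    """Client side of steps 1-6; returns the resource from G or raises."""
    a, b = kdc.as_exchange(user, addr, now)
    sk = bytes.fromhex(unseal(client_secret_key(password), a)["sk"])   # wrong password fails here
    d, e = kdc.tgs_exchange(b, authenticator(user, sk, now, usec), service, now)
    reply = unseal(sk, e)
    if reply["ts_plus_1"] != now + 1:
        raise PermissionError("TGS did not prove knowledge of SK")
    cssk = bytes.fromhex(reply["cssk"])
    g = unseal(cssk, rs.ap_exchange(d, authenticator(user, cssk, now, usec), now))
    if g["ts_plus_1"] != now + 1:
        raise PermissionError("server did not prove knowledge of RSSK (mutual authentication)")
    return g["resource"]
```

Points worth noticing when running it: the AS never verifies the password (a wrong one only fails to decrypt A on the client, which is why real deployments add pre-authentication); the same check_authenticator() serves the TGS and the RS and rejects replays and stale timestamps; and the RS can decrypt F only because it recovers CSSK from D, which is why F is encrypted under CSSK rather than SK.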
Kerberos in Practice
Java example: requesting a Kerberos ticket from the client
Kerberos in Practice: background knowledge
● JAAS - Java Authentication and Authorization Service
  – LoginModule (javax.security.auth.spi.LoginModule)
    ● Classes implementing this interface contain the actual authentication code
    ● One implementation per authentication mechanism (for Kerberos, com.sun.security.auth.module.Krb5LoginModule)
  – LoginContext (javax.security.auth.login.LoginContext)
    ● Starts the authentication process and, on success, populates a Subject
  – Subject (javax.security.auth.Subject)
    ● A single user, entity or system
  – Principal (java.security.Principal)
    ● Encapsulates a name or identity of a Subject
  – Credentials
    ● Public and private credentials held by a Subject (for Kerberos, the TGT as a javax.security.auth.kerberos.KerberosTicket)
Browser Based Kerberos Ticket Validation
Kerberos in Practice: background knowledge
● GSSAPI – Generic Security Service Application Program Interface
  – IETF standard (RFC 2743); Kerberos is one of its mechanisms (RFC 4121)
● SPNEGO – Simple and Protected GSSAPI Negotiation Mechanism
  – A pseudo mechanism (RFC 4178) used by client-server software to negotiate the choice of security technology
  – Browsers use it through the HTTP "Negotiate" authentication scheme (RFC 4559)
Browser Based Kerberos Authentication Example: Sample Requests and Responses
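What the browser exchange looks like on the wire, as an added example written for this page rather than taken from the slides: the server's 401 challenge, and a parser for the base64 Negotiate token that tells whether the browser actually sent Kerberos or fell back to NTLM. The functions challenge(), classify_authorization(), to_header() and the build_*() sample constructors are inventions for this page, and the sample tokens are constructed (they carry no real AP-REQ); the OIDs and the DER layout of the GSS-API InitialContextToken and SPNEGO NegTokenInit follow RFC 2743 and RFC 4178.

```python
# Added example, not part of the slides: HTTP Negotiate (RFC 4559) on the wire and
# a parser for the GSS-API token inside the Authorization header. All tokens here
# are constructed samples; a real mechToken (the AP-REQ) is omitted for brevity.
import base64

SPNEGO_OID = "1.3.6.1.5.5.2"           # RFC 4178
KRB5_OID = "1.2.840.113554.1.2.2"      # Kerberos V5 GSS-API mechanism (RFC 4121)
NTLM_OID = "1.3.6.1.4.1.311.2.2.10"    # Microsoft NTLMSSP mechanism as listed inside SPNEGO
MECH_NAMES = {KRB5_OID: "kerberos", NTLM_OID: "ntlm"}

def challenge() -> dict:
    return {"status": 401, "headers": {"WWW-Authenticate": "Negotiate"}}  # step 1: bare challenge

def der(tag: int, body: bytes) -> bytes:
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def tlv(buf: bytes, pos: int = 0):
    """Returns (tag, value, position after the element); handles short and long lengths."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, start = first, pos + 2
    else:
        n = first & 0x7F
        length, start = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), pos + 2 + n
    return tag, buf[start:start + length], start + length

def oid_bytes(dotted: str) -> bytes:
    arcs = [int(x) for x in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:                       # base-128, high bit set on all but the last byte
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return bytes(out)

def decode_oid(raw: bytes) -> str:
    arcs, val = [raw[0] // 40, raw[0] % 40], 0   # first byte packs the first two arcs
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def gss_mechanism(token: bytes):
    """InitialContextToken ::= [APPLICATION 0] { thisMech OID, innerContextToken }."""
    tag, inner, _ = tlv(token)
    if tag != 0x60:
        raise ValueError("not a GSS-API InitialContextToken")
    _, oid, after = tlv(inner)
    return decode_oid(oid), inner[after:]

def spnego_mech_types(body: bytes) -> list:
    """NegTokenInit ::= [0] SEQUENCE { mechTypes [0] SEQUENCE OF OID, ... }; returns the OIDs."""
    _, neg_init, _ = tlv(body)        # [0] negTokenInit
    _, seq, _ = tlv(neg_init)         # SEQUENCE
    _, mech_types, _ = tlv(seq)       # [0] mechTypes
    _, oids, _ = tlv(mech_types)      # SEQUENCE OF OID
    result, pos = [], 0
    while pos < len(oids):
        _, value, pos = tlv(oids, pos)
        result.append(decode_oid(value))
    return result

def classify_authorization(header: str) -> str:
    """Step 2: inspect the Authorization header the browser sends back."""
    scheme, _, b64 = header.partition(" ")
    if scheme != "Negotiate":
        return "not-negotiate"
    token = base64.b64decode(b64)
    if token.startswith(b"NTLMSSP\x00"):      # browsers without a ticket often send raw NTLM
        return "raw-ntlm"
    mech, body = gss_mechanism(token)
    if mech == KRB5_OID:
        return "kerberos"
    if mech == SPNEGO_OID:                     # first listed mech is what the optimistic mechToken holds
        return "spnego:" + ",".join(MECH_NAMES.get(m, m) for m in spnego_mech_types(body))
    return "unknown:" + mech

def to_header(token: bytes) -> str:
    return "Negotiate " + base64.b64encode(token).decode()

def build_spnego_request(mechs: list) -> str:
    """Constructed sample: NegTokenInit listing the given mechTypes (no mechToken)."""
    mech_list = der(0x30, b"".join(der(0x06, oid_bytes(m)) for m in mechs))
    neg_init = der(0xA0, der(0x30, der(0xA0, mech_list)))
    return to_header(der(0x60, der(0x06, oid_bytes(SPNEGO_OID)) + neg_init))

def build_raw_ntlm_request() -> str:
    """Constructed sample: start of an NTLM Type 1 message, unwrapped."""
    return to_header(b"NTLMSSP\x00\x01\x00\x00\x00")
```

A deployment that only checks for the Negotiate scheme will silently accept NTLM whenever the browser has no ticket (wrong SPN, clock skew, host not in the intranet zone); inspecting the first mechType, as classify_authorization() does, is how to notice and reject that fallback.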
Special Thanks
● Praboda Disanayaka– For Providing Kerberos Work flow Slide
● Vicknesh Subramaniyam– For Providing Sample HTTP Requests/Responses
Q&A
Discussion
Thank you and Good Luck :-)