8/12/2019 Kerberos Authentication for Information Security
KERBEROS AUTHENTICATION
CONTENTS
Authentication
What Is Kerberos?
Components
Cross-realm Authentication Architecture
Kerberos Authentication Benefits
Why Kerberos?
Drawbacks Of Kerberos
Conclusion
References
AUTHENTICATION
Authentication is the verification of the identity of a party who generated some data, and of the integrity of the data.
A principal is the party whose identity is verified.
The verifier is the party who demands assurance of the principal's identity.
AUTHENTICATION
Issues with:
Password-based authentication
Authentication by assertion
WHAT IS KERBEROS?
Distributed authentication service
Allows a process (a client) running on behalf of a principal (a user) to prove its identity to a verifier
Without sending data across the network
WHAT IS KERBEROS?
Provides integrity and confidentiality for data
Developed in the mid-'80s as part of MIT's Project Athena
V4 still runs at many sites
V5 is considered to be standard Kerberos
COMPONENTS
Principals
Realms
Key Distribution Centers (KDCs)
Authentication Service
Ticket Granting Server
Tickets
ARCHITECTURE
CROSS-REALM AUTHENTICATION
KERBEROS AUTHENTICATION BENEFITS
Interoperability
Kerberos V5 protocol provides interoperability with other networks
Efficient authentication to servers
Server can directly authenticate the clients by examining credentials presented without going to the domain controller
Comparison to NT LAN Manager
More secure
More flexible
More efficient
KERBEROS AUTHENTICATION BENEFITS
Mutual authentication
Provides a centralized authentication server to authenticate users to servers and servers to users.
Delegated authentication
The Kerberos V5 protocol includes a proxy mechanism that enables a service to impersonate its client when connecting to other services. No equivalent is available with NTLM.
WHY KERBEROS?
Divide up resource capabilities between many users
Restrict users' access to resources
Typical authentication mechanism: passwords
Authenticate user identity
When a user wants to gain access to a server, the server needs to verify the user's identity. Because access to resources is based on identity and associated permissions, the server must be sure the user really has the identity it claims.
WHY KERBEROS?
Securely package the user's name
The user's name, that is, the User Principal Name (UPN), and the user's credentials are packaged in a data structure called a ticket.
Securely deliver user credentials
After the ticket is encrypted, messages are used to transport user credentials along the network.
DRAWBACKS OF KERBEROS
Single point of failure
Strict time requirements
No standardisation
All authentications are controlled by a centralized KDC
DRAWBACKS OF KERBEROS
Unique Kerberos keys
Kerberos assumes that each user is trusted but is using an untrusted host on an untrusted network
Unencrypted passwords transferred to a non-kerberized service are at risk
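The ticket packaging described under WHY KERBEROS?, the server-side credential check from the benefits slide, and the strict time requirement listed under the drawbacks, as an added Python sketch that is not part of the original slides. The HMAC keystream sealing is a toy stand-in for a real Kerberos encryption type, and the function names, the 300-second skew limit and the sample principal are assumptions.

```python
import hashlib, hmac, json, os

MAX_SKEW = 300  # seconds of clock difference tolerated (assumed value)

def _keystream(key, nonce, n):
    # Toy HMAC-SHA256 counter keystream; stand-in for a real Kerberos enctype.
    blocks = (hmac.new(key, b"enc" + nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, obj):
    """Encrypt-then-MAC a JSON object under a shared key."""
    nonce, pt = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("integrity check failed")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def kdc_issue_ticket(service_key, upn, now, lifetime=600):
    """KDC side: the ticket is sealed under the service's key, so the client cannot read or alter it."""
    session_key = os.urandom(32)
    ticket = seal(service_key, {"upn": upn, "skey": session_key.hex(), "exp": now + lifetime})
    return ticket, session_key  # a real KDC returns session_key sealed under the client's key

def client_authenticator(session_key, upn, now):
    """Client side: prove possession of the session key with a fresh timestamp."""
    return seal(session_key, {"upn": upn, "ts": now})

def service_verify(service_key, ticket, authenticator, now):
    """Service side: validate with its own key only; no call to the KDC is made."""
    t = unseal(service_key, ticket)
    if now > t["exp"]:
        raise ValueError("ticket expired")
    a = unseal(bytes.fromhex(t["skey"]), authenticator)
    if a["upn"] != t["upn"]:
        raise ValueError("authenticator does not match ticket")
    if abs(now - a["ts"]) > MAX_SKEW:
        raise ValueError("clock skew too great")
    return t["upn"]

if __name__ == "__main__":
    key = os.urandom(32)  # constructed long-term service key
    tkt, sk = kdc_issue_ticket(key, "alice@EXAMPLE.COM", now=1000)
    print(service_verify(key, tkt, client_authenticator(sk, "alice@EXAMPLE.COM", 1005), now=1010))
```

A real service also keeps a replay cache of recently seen authenticators, which this sketch omits.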
CONCLUSION
Traditional authentication methods are not suitable for use in computer networks where attackers monitor network traffic to intercept passwords.
The use of strong authentication methods that do not disclose passwords is imperative. The Kerberos authentication system is well suited for authentication of users in such environments.
REFERENCES
Kerberos: An Authentication Service for Open Network Systems
Steiner, Neuman, Schiller, 1988, Winter USENIX
http://en.wikipedia.org/wiki/Kerberos_(protocol)
http://www.ifour-consultancy.com