Authentication Applications: deal with the authentication functions that have been developed to
support application-level authentication.
Authentication Applications
Kerberos
X.509
Provides authentication of:
users to servers
servers to users
Other possible uses of Kerberos include allowing users to log in to other machines on a local-area
network, authentication for web services, authenticating email clients and servers, and
authenticating the use of devices such as printers.
Problem: in an open distributed environment, workstations cannot be trusted to identify their users correctly to network services.
3 Threats:
Secure:
Reliable:
Transparent:
Scalable:
KERBEROS VERSION 4
Problem:
An opponent can pretend to be another client and obtain unauthorized privileges on a server machine.
Solution:
Servers must be able to confirm the identities of the clients who request service.
Kerberos uses the concept of a ticket as a token that proves the identity of a user. Tickets are digital
documents that store session keys. They are typically issued during a login session and can then be used
instead of passwords for any Kerberized service.
Kerberos Version 4: Dialog 1 (Simple)
Ticket = E(Kv, [IDc || ADc || IDv])
11 7/15/2016 KERBEROS
C = client
AS = authentication server
V = server
IDv = identifier of V
ADc = network address of C
Kv = secret key shared by AS and V
Pc = password of the user on C
Problem:
Solution :
2. The client can use this ticket to request multiple service-granting tickets.
Kerberos Version 4: Dialog 2 (More Secure)
Ticket_tgs = E(Ktgs, [IDc || ADc || IDtgs || TS1 || Lifetime1])
(4) TGS → C: Ticket_v
(5) C → V: IDc || Ticket_v
Ticket_v = E(Kv, [IDc || ADc || IDv || TS2 || Lifetime2])
A ticket-granting ticket (TGT) acts as a global identifier for a user and carries a session key.
Kerberos Servers
To accomplish secure authentication, Kerberos uses a trusted third party known as a key distribution
center (KDC), which is composed of two components, typically integrated into a single server: the
authentication server (AS) and the ticket-granting server (TGS).
The authentication server keeps a database storing the secret keys of the users and services. The
secret key of a user is typically generated by performing a one-way hash of the user-provided
password. Kerberos is designed to be modular, so that it can be used with a number of encryption
algorithms, with AES being the default cryptosystem.
Kerberos aims to centralize authentication for an entire network: rather than storing sensitive
authentication information at each user's machine, this data is maintained only in one presumably
secure location.
The AS provides both the client and the TGS with a secret piece of information (the session key Kc,tgs) in a secure manner.
The client can prove its identity to the TGS by revealing that secret information in a secure manner.
KERBEROS
Ticket_tgs = E(Ktgs, [Kc,tgs || IDc || ADc || IDtgs || TS2 || Lifetime2])
Kerberos: The Version 4 Authentication Dialog (cont.)
(4) TGS → C: E(Kc,tgs, [Kc,v || IDv || TS4 || Ticket_v])
(5) C → V: Ticket_v || Authenticator_c
(6) V → C: E(Kc,v, [TS5 + 1])
Kerberos Overview
Kerberos Realms
a Kerberos server
What happens when users in one realm need access to a service in another realm?
Inter-realm Authentication
The Kerberos server in each realm shares a secret key with the Kerberos server in the other realm.
It requires that:
the Kerberos server in one realm trusts the Kerberos server in the other realm to authenticate its
users;
the second Kerberos server likewise trusts the Kerberos server in the first realm.
Request for Service in another realm: