Kerberos

Authentication protocol Click to edit Master subtitle style

5/4/12

Submitted By

Poonam chauhan

5/4/12

What is Kerberos
Kerberos is a computer network authentication protocol which works on the basis of "tickets" to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner. aimed primarily at a client server model Kerberos uses as its basis the symmetric Needham-Schroeder protocol.

5/4/12

 It

makes use of a trusted third party, termed a key distribution centre (KDC), which consists of two logically separate parts: an Authentication Server (AS) and a Ticket Granting Server (TGS). The KDC maintains a database of secret keys; each entity on the network whether a client or a server shares a secret key known only to itself and to the KDC. For communication purposes the KDC generates a session key which communicating parties use to encrypt their 5/4/12 transmissions.

Working of Kerberos
Kerberos

operates by encrypting data with a symmetric key. When working with the encryption key, the details are actually sent to a key distribution center, or KDC, instead of sending the details directly between each computer.

5/4/12

Continue
The

authentication service, or AS, receives the request by the client and verifies that the client is indeed the computer it claims to be. This is usually just a simple database lookup of the users ID.

5/4/12

Continue
Upon

verification, a timestamp is created.

5/4/12

continue..
The

key is sent back to the client in the form of a ticket-granting ticket, or TGT. This is a simple ticket that is issued by the authentication service.

5/4/12

Continue..

The client submits the ticket-granting ticket to the ticket-granting server, or TGS, to get authenticated.

5/4/12

Continue..

The TGS creates an encrypted key with a timestamp, and grants the client a service ticket.

5/4/12

Continue..
The

client decrypts the ticket, tells the TGS it has done so, and then sends its own encrypted key to the service.

5/4/12

Continue..

The service decrypts the key, and makes sure the timestamp is still valid. If it is, the service contacts the key distribution center to receive a session that is returned to the client

5/4/12

Continue..

The client decrypts the ticket. If the keys are still valid, communication is initiated between client and server.

5/4/12

Challenge response authentication

challenge-response

authentication is a family of protocols in which one party presents a question ("challenge") and another party must provide a valid answer ("response") to be authenticated. Mutual authentication is performed using a challenge-response handshake in both directions; the server ensures that the client knows the secret, and the client also ensures that the server knows the secret, which protects against a rogue server 5/4/12 impersonating the real server.

Continue
1.

The first system creates a challenge code made up of random numbers. 2. This code is sent to the second system, which generates a response to the received code. This response and a challenge code of its own are then sent back to the first system. 3. The first system verifies the response of the second system, and then sends a response to the challenge code it received. 4. When the second system receives the response, it is verified. If all is well, it notifies 5/4/12 the first system that they are indeed

Limitation
First

and foremost is the need of the Kerberos server. we have the issue of clock synchronization.

Next,

5/4/12

Advantages
Protect

against

Man in middle attack Eavesdropping Sniffing

5/4/12

Refernces
http://en.wikipedia.org/wiki/Kerberosprotocol

5/4/12

Thank You

5/4/12