Uploaded by

Arixson
Kerberos/EAP

Authentication really got started with PPP and the many variations of PPP that
have evolved over the years.

However, PPP was really kind of a reactionary type of authentication designed for
dial-up type connections, remote connections.

And while it worked fine in that way, we really needed something completely
different.

For a wired local area network, so I've got a bunch of computers together and they're
all wired with Ethernet, we have a lot of efficiencies in terms of speed of network
and things like that.

A better, I don't necessarily want to say better, but a different form of
authentication can really take advantage of that.

And that's where Kerberos comes into play.

Kerberos is designed to do authentication for local area networks. It can do
more than that, but that's its claim to fame.

Kerberos works completely differently from any of the concepts that we've seen in
other episodes, so we really need to talk about Kerberos in some detail.

So let's go ahead and get started, in order to appreciate how Kerberos works.

I'm going to put two little blocks up here.

This is going to be a Windows client, so it's running Windows 7, Windows 8,
something like that.

But over here, this computer is running a version of Windows Server, so it's running
Server 2008, Server 2012.

This is not your regular Windows.

This copy of Windows right here is going to set you back a couple of grand, probably,
and it could cost you a lot more.

But in return for that, you have the ability to turn this into what's known as a key
distribution center.

When you set up a Windows server to be a domain controller, it becomes a Kerberos
key distribution center.

The key distribution center consists of two really really important services.

First is the authentication service, and the second is the ticket granting service.

So that's all built into this guy.

So what takes place is, when your computer logs in, he sends over a hash with his
values for username and password.

It's taken a look at by the authentication server, and the authentication server
then in turn sends back a TGT token to the client himself.

That gets him authenticated, but he's not authorized. The TGT is then time stamped by
the client and sent back over to the ticket granting service. The ticket granting
service reads this, stamps it again with a time stamp, which in essence turns it into
something called a token, and the token is then passed back to the client.

This token is good for, well, it depends on how you've got it set up, but eight hours
is a fairly common amount of time.

Any time your computer wants to log into any other computer on the network, as long
as they're all part of the same domain, the same Active Directory, he'll use that
token to access any resource on any other computer.

Kerberos is some powerful stuff.

It's pretty much trivial to set up, but it's wildly popular.

Anybody who uses Windows domains and has domain controllers is using Kerberos by
default.

However Kerberos has a couple of downsides.

The first downside is that, well, you've got to buy a copy of Windows Server.

It's fascinating.

I've gone to a number of universities doing big parallel processing.

They've got gazillions of Linux boxes, but they still buy a copy of Windows Server
just so all their Linux boxes can do a single login.

It's very popular like that.

The other downside to Kerberos is that everything is time stamped, and especially
during that transaction you have an extremely short amount of time where it's
preventing man-in-the-middle attacks, and if you don't get it in the right amount of
time it completely fails.

So you have to have all of your computers set to the same time.

Now that's relatively easy today, with things like the network time protocols and
that type of thing, to set them up.

But a common problem when you have a Windows system and you're trying to log in to
a domain and you're unsuccessful: one of the first things you do is check the time.

Kerberos is great, but Kerberos is really designed for wired networks.
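A toy model of the exchange just described (the authentication service hands out a TGT, the ticket granting service swaps it for a service ticket, and a client whose clock is off gets refused), written as an added example for this page and not taken from the lecture. The HMAC-sealed JSON tickets, the PBKDF2 stand-in for string-to-key, the `alice` and `fileserver` names and the five-minute skew limit are all constructed here.

```python
import hashlib, hmac, json, time

MAX_SKEW = 300               # KDC rejects timestamps more than 5 minutes off (a common default)
TICKET_LIFETIME = 8 * 3600   # the eight-hour ticket lifetime mentioned in the lecture

def derive_key(password: str, salt: str) -> bytes:
    # Stand-in for Kerberos string-to-key: the password itself never crosses the wire.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 50_000)

def seal(key: bytes, payload: dict) -> bytes:
    # Toy ticket sealing: JSON body plus an HMAC tag (stands in for real encryption).
    body = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(key, body, "sha256").digest() + body

def unseal(key: bytes, blob: bytes) -> dict:
    tag, body = blob[:32], blob[32:]
    if not hmac.compare_digest(tag, hmac.new(key, body, "sha256").digest()):
        raise ValueError("ticket integrity check failed (wrong key or tampering)")
    return json.loads(body)

class KDC:
    """Key Distribution Center: Authentication Service (AS) plus Ticket Granting Service (TGS)."""
    def __init__(self, users: dict, krbtgt_key: bytes, service_keys: dict):
        self.users, self.krbtgt_key, self.service_keys = users, krbtgt_key, service_keys
    def as_exchange(self, principal: str, pre_auth: bytes, kdc_clock: float) -> bytes:
        # AS step: the client proves it knows its key by sealing a timestamp with it.
        client_key = derive_key(self.users[principal], principal)
        stamp = unseal(client_key, pre_auth)["timestamp"]
        if abs(kdc_clock - stamp) > MAX_SKEW:
            raise PermissionError("clock skew too great")   # the "go check the time" failure
        tgt = {"principal": principal, "issued": kdc_clock, "expires": kdc_clock + TICKET_LIFETIME}
        return seal(self.krbtgt_key, tgt)   # TGT is opaque to the client; only the KDC reads it
    def tgs_exchange(self, tgt_blob: bytes, service: str, kdc_clock: float) -> bytes:
        # TGS step: a valid, unexpired TGT is swapped for a ticket sealed for one service.
        tgt = unseal(self.krbtgt_key, tgt_blob)
        if kdc_clock > tgt["expires"]:
            raise PermissionError("TGT expired")
        ticket = {"principal": tgt["principal"], "service": service,
                  "issued": kdc_clock, "expires": tgt["expires"]}
        return seal(self.service_keys[service], ticket)   # readable only by that service

def client_login(kdc: KDC, principal: str, password: str, service: str,
                 client_clock: float = None) -> dict:
    # Whole flow: AS-REQ/AS-REP (get TGT), then TGS-REQ/TGS-REP (get service ticket).
    client_clock = time.time() if client_clock is None else client_clock
    pre_auth = seal(derive_key(password, principal), {"timestamp": client_clock})
    tgt = kdc.as_exchange(principal, pre_auth, time.time())
    service_ticket = kdc.tgs_exchange(tgt, service, time.time())
    return unseal(kdc.service_keys[service], service_ticket)   # what the service would see
```

Passing a `client_clock` far from the KDC's clock reproduces the skew failure, and a wrong password fails at the pre-authentication step before any ticket is issued.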

PPP is great, but the challenge with PPP is that it's really set up
primarily for point-to-point protocols.

So what we end up having is this fabulously complicated world where we have all of
these different forms of authentication mechanisms.

So to try to fix this, many, many years ago we came up with something called EAP.
EAP is nothing more than, well, it's an envelope.

What it does is it allows transactional-based authentication mechanisms to be able
to talk to each other and go, hey, I can do these types of authentications. What can
you do?

And it allows a lot of flexibility, where before you would have to go, well, we have
to set it up so it could only do certificates, or it can only do a password, or
whatever it might be.

But with EAP, you now have outrageous flexibility.

The best way to think about EAP is simply to think about it as an envelope.

It's a burst of data that's being sent between some type of requester and some type
of server, and the EAP helps negotiate to determine what you can do.

So the trick here is, when somebody's sending to something else, they have to ask
each other, well, what kind of EAP can you do?

So there's a number of them; let's go through the big ones at least.

EAP-PSK (Pre-Shared Key) basically has a common key that everybody uses to log in.

Another one is protected EAP, which is known as PEAP. With PEAP, it uses a standard
username and password.

There's very simple ones that aren't used very often; for example, there's one called
EAP-MD5, and it simply uses a hash.

Now if you want to get hairy about things, you can even use certificates. For example,
you can do EAP-TLS, which is a single certificate which comes from the server side
of the system and is passed to the individual clients.

You can even do EAP-TTLS, which requires both the individual clients as well as
the authenticating system to each have certificates.

EAP was designed as a methodology of encapsulating any form of authentication that
anybody could possibly want to do.
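The envelope format and the "what kind of EAP can you do" negotiation above, as an added example that is not from the lecture: packets follow the RFC 3748 layout (Code, Identifier, Length, Type, Type-Data), the peer answers a method it cannot do with a Nak listing the methods it can, and the authenticator picks from that list. The `negotiate` function, the peer identity `alice` and the preference lists are constructed for illustration; the Type numbers are the registered ones for each method.

```python
import struct

# EAP codes (RFC 3748) and method Type numbers from the IANA registry
REQUEST, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4
IDENTITY, NAK, MD5_CHALLENGE, TLS, TTLS, PEAP, PSK = 1, 3, 4, 13, 21, 25, 47

def build(code: int, ident: int, eap_type: int = None, data: bytes = b"") -> bytes:
    # One EAP packet: Code(1) Identifier(1) Length(2) [Type(1) Type-Data...]
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

def parse(pkt: bytes) -> dict:
    # Length covers the whole packet; a Request/Response must carry a Type byte.
    if len(pkt) < 4:
        raise ValueError("truncated EAP header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length > len(pkt):
        raise ValueError("EAP length field does not match the packet")
    out = {"code": code, "id": ident}
    if code in (REQUEST, RESPONSE):
        if length < 5:
            raise ValueError("Request/Response without a Type byte")
        out["type"], out["data"] = pkt[4], pkt[5:length]
    return out

def negotiate(server_prefs: list, peer_methods: set):
    # Toy authenticator/peer exchange: the server proposes methods in its order of
    # preference; the peer answers an unwanted proposal with a Nak listing what it
    # can do, and the server picks the first of its preferences the peer offered.
    transcript = []
    def send(pkt):
        transcript.append(parse(pkt))
        return transcript[-1]
    send(build(REQUEST, 1, IDENTITY))                        # "who are you?"
    send(build(RESPONSE, 1, IDENTITY, b"alice"))             # constructed peer identity
    ident, proposal = 2, server_prefs[0]
    while True:
        send(build(REQUEST, ident, proposal))                # "can you do this method?"
        if proposal in peer_methods:
            send(build(RESPONSE, ident, proposal))           # peer starts that method
            return proposal, transcript
        nak = send(build(RESPONSE, ident, NAK, bytes(sorted(peer_methods))))
        acceptable = [m for m in server_prefs if m in set(nak["data"])]
        ident += 1
        if not acceptable:                                   # nothing in common
            send(build(FAILURE, ident))
            return None, transcript
        proposal = acceptable[0]
```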

The idea behind it is that with EAP we really wouldn't have to worry about what
type of authentication methods you used.

We would just have all the ones that we're ready for, and no matter what you needed,
we had it for you.

Well, it didn't really work out that way with EAP, even though it works beautifully.

The only other real challenger that's heavily used is Kerberos, and Microsoft isn't
going to change that.

So it boils down to this.

EAP is out there, but it's pretty much used almost exclusively to connect to
wireless networks.

Kerberos handles authentication and authorization for wired networks.

Kerberos relies heavily on time stamps.

EAP enables flexible authentication.