Kerberos

Kerberos is a network authentication protocol that uses tickets to securely verify identities over insecure networks. The protocol involves an Authentication Server (AS) and a Ticket Granting Server (TGS) to manage ticket exchanges, but has issues such as the need for multiple tickets for different services and potential security vulnerabilities. Solutions include ensuring that the ticket user is authenticated and that servers also authenticate themselves to users.
KERBEROS

KERBEROS V 4.0
• Kerberos is a network authentication protocol that works on the basis of tickets to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner.
Using an Authentication Server (AS)
1. C → AS : IDc || Pc || IDv
2. AS → C : Ticket
3. C → V : IDc || Ticket
Ticket = E(Kv, [IDc || ADc || IDv])
Here C is the client, V the server the user wants to use, Pc the user's password, ADc the network address of C, and Kv a secret key shared by the AS and V. Because the ticket is encrypted under Kv, only V can read it, and the address ADc stops a ticket captured on the wire from being presented from another machine.
Problems
1. Under this scheme, a user needs a new ticket for every different service. If a user wants to access a print server, a mail server, a file server and so on, the first access to each of them requires a new ticket, and therefore a new password entry.
2. Under this scheme, the password is transmitted without encryption. An eavesdropper could capture the password and then use any service accessible to the victim.
Using a Ticket Granting Server (TGS)
Once per user logon session:
1. C → AS : IDc || IDtgs
2. AS → C : E(Kc, [Tickettgs])
Once per type of service:
3. C → TGS : IDc || IDv || Tickettgs
4. TGS → C : Ticketv
Once per service session:
5. C → V : IDc || Ticketv
Kc is a key derived from the user's password, so the password itself no longer crosses the network. The ticket-granting ticket Tickettgs is reused for every service request during the logon session, and the service-granting ticket Ticketv is reused for every session with V.
Problems
1. If the ticket lifetime is too short, the user is repeatedly asked for the password.
2. If the lifetime is long, there is a greater opportunity for replay attacks.
3. If a service-granting ticket is captured and the opponent uses it before it expires, the opponent has access to the corresponding service.
SOLUTION
• Something is needed to prove that the person using a ticket is the same person to whom the ticket was issued.
• Servers must also authenticate themselves to the users.
Summary of Kerberos version 4 Message Exchanges
Authentication service exchange to obtain ticket-granting ticket
1. C → AS : IDc || IDtgs || TS1
• The client sends a message to the AS requesting access to the TGS. The timestamp TS1 lets the AS verify that the client's clock is synchronised with its own.
2. AS → C : E(Kc, [Kc,tgs || IDtgs || TS2 || Lifetime2 || Tickettgs])
• The AS responds with a message, encrypted with a key derived from the user's password (Kc), that contains the ticket.
• The encrypted message also contains a copy of the session key Kc,tgs, where the subscripts indicate that this is a session key for C and the TGS.
• Because this session key is inside the message encrypted with Kc, only the user's client can read it.
• The same session key is included in the ticket, which can be read only by the TGS.
• Thus the session key has been securely delivered to both C and the TGS.
Tickettgs = E(Ktgs, [Kc,tgs || IDc || ADc || IDtgs || Lifetime2 || TS2])
Ticket-granting service exchange to obtain service-granting ticket
3. C → TGS : IDv || Tickettgs || Authenticatorc
• C transmits an authenticator, which includes the ID and address of C's user and a timestamp.
• Unlike the ticket, which is reusable, the authenticator is intended for use only once and has a very short lifetime.
• The TGS can decrypt the ticket with the key that it shares with the AS.
• This ticket indicates that user C has been provided with the session key Kc,tgs. In effect, the ticket says, "Anyone who uses Kc,tgs must be C."
• Because the authenticator is encrypted under Kc,tgs and carries a fresh timestamp, only the client that received Kc,tgs in message (2) can produce it, and a captured authenticator is of little use to an opponent.
Authenticatorc = E(Kc,tgs, [IDc || ADc || TS3])
4. TGS → C : E(Kc,tgs, [Kc,v || IDv || Ticketv || TS4])
• The reply from the TGS in message (4) follows the form of message (2).
• The message is encrypted with the session key shared by the TGS and C and includes a session key to be shared between C and the server V, the ID of V, and the timestamp of the ticket.
• The ticket itself includes the same session key. C now has a reusable service-granting ticket for V.
Ticketv = E(Kv, [Kc,v || IDc || ADc || IDv || Lifetime4 || TS4])
Client/server authentication exchange to obtain service
5. C → V : Ticketv || Authenticatorc
• C now has a reusable service-granting ticket for V.
• When C presents this ticket, as shown in message (5), it also sends an authenticator. The server can decrypt the ticket, recover the session key Kc,v, and decrypt the authenticator.
• V checks that the name and address in the authenticator match those in the ticket and that the timestamp is recent, so that a stolen ticket cannot be used from another machine or replayed later.
6. V → C : E(Kc,v, [TS5 + 1])
• (For mutual authentication.) V returns the timestamp from the authenticator, incremented by one and encrypted with the session key Kc,v. Only a server holding Kv could have recovered Kc,v from the ticket, and the increment shows that V read the authenticator rather than replaying an earlier reply, so C is assured that it is talking to the genuine V.
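The six-message exchange summarised above, together with the captured-ticket problem and the "Solution" slide earlier in the notes, as an added Python simulation. This is example code written for this page, not code from the lecture notes or from any Kerberos implementation. It runs the client, the AS/TGS and an application server V in one process, then tries the two attacks the authenticator is meant to stop: replaying a captured Ticketv plus authenticator, and presenting Ticketv with an authenticator forged without Kc,v. Everything not on the slides is an assumption: the cipher behind E/D is a SHAKE-256 keystream with an HMAC tag standing in for DES, Kc is a plain SHA-256 hash of the password rather than v4's string-to-key routine, LIFETIME, SKEW and ADDR are made-up values, and the principals alice and fileserver and the names KDC, Server, check, client_session, rejected and demo are invented for the example.

```python
"""Simulation of Kerberos v4 messages (1)-(6): client C, AS+TGS (KDC), application server V."""
import hashlib, hmac, json, os

LIFETIME = 8 * 3600   # assumed ticket lifetime in seconds (Lifetime2 / Lifetime4)
SKEW = 5 * 60         # assumed clock-skew window for authenticator timestamps
ADDR = "10.0.0.5"     # assumed client network address ADc

# Kerberos v4 used DES; E/D use a SHAKE-256 keystream plus an HMAC tag as a
# dependency-free stand-in, so decrypting under the wrong key is detected.
def E(key, fields):
    """E(K, [f1 || f2 || ...]): encrypt a list of fields under key K."""
    pt, nonce = json.dumps(fields).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, hashlib.shake_256(key + nonce).digest(len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def D(key, blob):
    """Inverse of E; raises ValueError if the key is wrong or the blob was altered."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("decryption failed")
    return json.loads(bytes(a ^ b for a, b in zip(ct, hashlib.shake_256(key + nonce).digest(len(ct)))))

def kc(password):   # Kc: key derived from the user's password (plain hash here; v4 had its own scheme)
    return hashlib.sha256(password.encode()).digest()

def authenticator(k_sess, idc, adc, ts):
    """Authenticator_c = E(Ksess, [IDc || ADc || TS]); built fresh for every request."""
    return E(k_sess, [idc, adc, ts])

def check(seen, ticket_key, ticket, auth, now, src_addr):
    """Ticket + authenticator checks done by the TGS and by every application server V."""
    k_sess, idc, adc, _idv, ts, lifetime = D(ticket_key, ticket)
    if now > ts + lifetime:
        raise PermissionError("ticket expired")
    k_sess = bytes.fromhex(k_sess)
    a_idc, a_adc, a_ts = D(k_sess, auth)   # only the ticket's rightful holder knows k_sess
    if (a_idc, a_adc) != (idc, adc) or src_addr != adc:
        raise PermissionError("authenticator does not match ticket")
    if abs(now - a_ts) > SKEW or (idc, a_ts) in seen:   # seen = replay cache of (IDc, TS)
        raise PermissionError("stale or replayed authenticator")
    seen.add((idc, a_ts))
    return k_sess, idc, adc, a_ts

class KDC:   # Authentication Server (AS) and Ticket Granting Server (TGS) sharing one key table
    def __init__(self):
        self.users, self.servers, self.seen = {}, {"tgs": os.urandom(32)}, set()  # IDc->Kc, IDv->Kv
    # (1) C -> AS : IDc || IDtgs || TS1
    # (2) AS -> C : E(Kc, [Kc,tgs || IDtgs || TS2 || Lifetime2 || Tickettgs])
    def as_exchange(self, idc, idtgs, ts1, src_addr):
        k_c_tgs = os.urandom(32).hex()
        ticket_tgs = E(self.servers[idtgs], [k_c_tgs, idc, src_addr, idtgs, ts1, LIFETIME])
        return E(self.users[idc], [k_c_tgs, idtgs, ts1, LIFETIME, ticket_tgs.hex()])
    # (3) C -> TGS : IDv || Tickettgs || Authenticator_c
    # (4) TGS -> C : E(Kc,tgs, [Kc,v || IDv || Ticketv || TS4])
    def tgs_exchange(self, idv, ticket_tgs, auth, now, src_addr):
        k_c_tgs, idc, adc, _ = check(self.seen, self.servers["tgs"], ticket_tgs, auth, now, src_addr)
        k_c_v = os.urandom(32).hex()
        ticket_v = E(self.servers[idv], [k_c_v, idc, adc, idv, now, LIFETIME])
        return E(k_c_tgs, [k_c_v, idv, ticket_v.hex(), now])

class Server:   # application server V holding its long-term key Kv
    def __init__(self, idv, kv):
        self.idv, self.kv, self.seen = idv, kv, set()
    # (5) C -> V : Ticketv || Authenticator_c      (6) V -> C : E(Kc,v, [TS5 + 1])
    def app_exchange(self, ticket_v, auth, now, src_addr):
        k_c_v, _, _, ts5 = check(self.seen, self.kv, ticket_v, auth, now, src_addr)
        return E(k_c_v, [ts5 + 1])   # proves V knew Kv and could read the authenticator

def client_session(kdc, server, idc, password, now):
    """Run (1)-(6) as C; return (mutual auth ok, Ticketv, the authenticator sent in (5))."""
    k_c_tgs, _, _, _, ticket_tgs = D(kc(password), kdc.as_exchange(idc, "tgs", now, ADDR))  # once per logon
    k_c_tgs, ticket_tgs = bytes.fromhex(k_c_tgs), bytes.fromhex(ticket_tgs)
    auth3 = authenticator(k_c_tgs, idc, ADDR, now)                                           # once per service
    k_c_v, _, ticket_v, _ = D(k_c_tgs, kdc.tgs_exchange(server.idv, ticket_tgs, auth3, now, ADDR))
    k_c_v, ticket_v = bytes.fromhex(k_c_v), bytes.fromhex(ticket_v)
    auth5 = authenticator(k_c_v, idc, ADDR, now + 1)                                         # once per session
    (echo,) = D(k_c_v, server.app_exchange(ticket_v, auth5, now + 1, ADDR))
    return echo == now + 2, ticket_v, auth5

def rejected(call, exc):   # True if the verifier refused the request by raising exc
    try:
        call()
    except exc:
        return True
    return False

def demo(now=1_700_000_000):
    """Honest session, then the two attacks the 'Solution' slide is meant to stop."""
    kdc = KDC()
    kdc.users["alice"] = kc("correct horse battery staple")   # constructed sample principal
    kv = kdc.servers["fileserver"] = os.urandom(32)
    server = Server("fileserver", kv)
    ok, ticket_v, auth5 = client_session(kdc, server, "alice", "correct horse battery staple", now)
    forged = authenticator(os.urandom(32), "alice", ADDR, now + 3)   # eavesdropper has Ticketv but not Kc,v
    return {
        "mutual_auth": ok,
        "replay_rejected": rejected(lambda: server.app_exchange(ticket_v, auth5, now + 2, ADDR), PermissionError),
        "forged_auth_rejected": rejected(lambda: server.app_exchange(ticket_v, forged, now + 3, ADDR), ValueError),
    }
```

Calling demo() returns all three flags as True. Each verifier keeps a small replay cache of (IDc, TS) pairs, which is what makes the second presentation of the same authenticator fail, while the forged authenticator fails earlier, at decryption, because the eavesdropper never obtained Kc,v. A real server bounds that cache by the clock-skew window so it cannot grow without limit, and it compares ADc against the actual source address of the connection, which the simulation passes in as src_addr.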