Shumon Huque
ISC Networking & Telecommunications
University of Pennsylvania
March 19th 2003
Target audience:
What is Kerberos?
Developed at M.I.T.
A secret-key based service for providing authentication in open networks
Authentication mediated by a trusted 3rd party on the network:
Kerberos: etymology
The 3-headed dog that guards the entrance to Hades
Originally, the 3 heads represented the 3 As
But one A was work enough!
Eavesdropping/Interception
Cryptographic Authentication
No password or secret is transferred over the network
Users prove their identity to a service by performing a cryptographic operation, usually on a quantity supplied by the server
The crypto operation is based on the user's secret key
Decryption
Examples: RSA
Communicating Parties
Alice and Bob
Baddies:
Mediated Authentication
A trusted third party mediates the authentication process
Called the Key Distribution Center (KDC)
Each user and service shares a secret key with the KDC
KDC generates a session key, and securely distributes it to communicating parties
Communicating parties prove to each other that they know the session key
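The exchange described above, as an added simulation that is not part of the original slides: a KDC mints a session key, wraps it for the client and inside a ticket for the service, and both sides then prove possession of it. The principal names (alice, bob) are assumed, and the SHA-256-keystream-plus-HMAC cipher is a toy stand-in for real Kerberos encryption types, not something to reuse.

```python
# Toy KDC-mediated authentication (added example, not the slides' code).
# The cipher below is an illustrative encrypt-then-MAC stand-in only.
import hashlib, hmac, json, os

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]

def encrypt(key: bytes, obj) -> bytes:
    plaintext = json.dumps(obj).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt(key: bytes, blob: bytes):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("bad tag: wrong key or tampered message")
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))
    return json.loads(pt)

# Long-term keys each principal shares with the KDC (constructed sample values).
KDC_KEYS = {"alice": os.urandom(32), "bob": os.urandom(32)}

def kdc_issue(client: str, service: str) -> bytes:
    """KDC: mint a session key; return it to the client plus a ticket only the service can open."""
    k_session = os.urandom(32)
    ticket = encrypt(KDC_KEYS[service], {"client": client, "key": k_session.hex()})
    return encrypt(KDC_KEYS[client], {"key": k_session.hex(), "ticket": ticket.hex()})

def run_protocol(client: str, service: str, client_key: bytes) -> bool:
    reply = decrypt(client_key, kdc_issue(client, service))   # client opens the KDC reply
    k_session = bytes.fromhex(reply["key"])
    nonce = os.urandom(8).hex()
    authenticator = encrypt(k_session, {"client": client, "nonce": nonce})
    # Service side: open the ticket with its own long-term key, then check the authenticator.
    ticket = decrypt(KDC_KEYS[service], bytes.fromhex(reply["ticket"]))
    k_svc = bytes.fromhex(ticket["key"])
    auth = decrypt(k_svc, authenticator)
    if auth["client"] != ticket["client"]:
        return False
    # Mutual proof: service echoes the nonce under the session key; client verifies it.
    return decrypt(k_session, encrypt(k_svc, {"nonce": auth["nonce"]}))["nonce"] == nonce
```

A client holding the wrong long-term key cannot open the KDC reply, so the run fails at the MAC check rather than leaking anything about the session key.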
Mediated Authentication
Nomenclature:
Mediated Authentication
Mediated Authentication
Kerberos (almost)
Kerberos (roughly)
Needham-Schroeder Protocol
Kerberos (detailed)
Each user and service registers a secret key with the KDC
Everyone trusts the KDC
Kerberos principal
A client of the Kerberos authentication service
A user or a service
Format:
name/instance@REALM
Examples:
peggy@UPENN.EDU
ftp/pobox.upenn.edu@UPENN.EDU
Authenticator
TGS Benefits
Single Sign-on (SSO) capability
Limits exposure of the user's password
Private messages:
Pre-authentication
Kerberos 5 added pre-authentication
Hierarchy/Chain of Realms
Kerberos: summary
Authentication method:
Kerberos caveats
Kerberos server can impersonate anyone
KDC is a single point of failure
References
Kerberos: An Authentication Service for Open Network Systems, http://www.isi.edu/gost/brian/security/kerberos.html
References (cont)
RFC 1510: The Kerberos Network Authentication Service (v5)
draft-ietf-krb-wg-kerberos-clarifications-03.txt
Questions or comments?
Shumon Huque
E-mail: <shuque@isc.upenn.edu>