Introduction of Kerberos

  • View
    102

  • Download
    1

Embed Size (px)

DESCRIPTION

Introduction of Kerberos. What is Kerberos?. Kerberos is a network authentication protocol. It is designed to provide strong authentication for client/server applications by using secret-key cryptography. Why needs Kerberos?. The Internet is an insecure place. - PowerPoint PPT Presentation

Transcript

  • Introduction of Kerberos

  • What is Kerberos?Kerberos is a network authentication protocol. It is designed to provide strong authentication for client/server applications by using secret-key cryptography.

  • Why needs Kerberos?The Internet is an insecure place. Many Internet protocols ~ no security. malicious hackers ~ "sniff" passwords ApplicationSending unencrypted passwords ~ extremely vulnerable. Client/server ~ the client program to be "honest" Client/server ~ the client to restrict its activities to those which it is allowed to do

  • Firewall~ security problems?A very bad assumption that "the bad guys" are on the outside ~Most of the really damaging incidents of computer crime are carried out by insiders.A significant disadvantage~ Restrict how your users can use the Internet. In many places, these restrictions are simply unrealistic and unacceptable.

  • Who ~ Kerberos?1988,MIT, as a solution to these network security problems. The Kerberos protocol uses strong cryptography so that a client can prove its identity to a server (and vice versa) across an insecure network connection.After this, they can also encrypt all of their communications to assure privacy and data integrity as they go about their business.

  • The Whole Authentication

  • Simplified Principle

  • Two Concepts

    Long-term Key/Master KeyLong-termKeyHashHash code, Master KeyHash AlgorithmMaster KeyMaster KeyShort-term Key/Session Key

  • Where KeyShort-termKey Session KeySServer-Client Kerberos Distribution Center (KDC) Account Database ~ Master Key

  • KDC SServer-ClientSession Ticket

  • ~ Authenticator Key,ClientAuthenticator Authenticator = ClientInfo + Timestamp

    Session Ticket =ServerMaster Key (ClientInfo + Session Key )

  • Some AdvantagesWhy Timestamp

    Mutual Authentication ()

  • Authentication

  • How Key?KerberosTicketServerMaster Key TicketTicketClientServerKDC

  • TGTTGTTicket Granting TicketKDCClientTicketKerberosTicket DistributionClientKDC TicketTicketKerberosTGTTicket Granting TicketTGTKDC

  • How TGTLogon Session Key

  • Why TGT?ClientSession KeySKDC-ClientTGTClientSKDC-ClientKDCServerTicketClientMaster KeyClientMaster KeyLong-term KeySKDC-ClientShort-term KeyKerberos

  • TGT Ticket

  • The Whole Authentication3ClientKDCTGTTicket Granting TicketClientTGTDKCServerTicketClientServerTicket

  • The Whole AuthenticationKerberos AuthenticationKerberos3Sub-Protocol33sub-protocolAuthentication Service ExchangeTicket GrantingService ExchangeClient/Server Exchange

  • The Whole Authentication

  • User2User Sub-protocol

  • Kerberos Advantages1Performance2Mutual Authentication3DelegationImpersonationDelegationImpersonationServerLogonAccountDelegationServerlogonAccountContextNTLMImpersonationKerberosMutualTransitiveDelegation4Interoperability