baruch
KERBEROS
CONTENTS
Introduction
What is Kerberos?
Where does the name Kerberos come from?
Why Kerberos?
What does Kerberos do?
Kerberos software components
How does Kerberos work?
Kerberos names
Kerberos database
Kerberos from the outside looking in
Kerberos issues and open problems
Effectiveness of Kerberos
Kerberos status
How widespread is deployment?
Advantages and Disadvantages
Commercial support for Kerberos
MIT Kerberos team
Conclusion
References
A NETWORK AUTHENTICATION PROTOCOL
KERBEROS IS A TRUSTED THIRD-PARTY AUTHENTICATION SERVICE BASED ON THE MODEL PRESENTED BY NEEDHAM AND SCHROEDER.
Where does the name “Kerberos” come from?
The name Kerberos comes from Greek mythology; it is the three-headed dog that guarded the entrance to Hades.
“CERBERUS” is the Latin spelling of the Greek “Kerberos”, and according to the OED is pronounced like “Serberus”, but that is quite at odds with the Greek, as the initial consonant is a “k”. MIT Project Athena chose to use the Greek spelling and pronunciation.
SECURE THE DATA
RELIABLE SERVICE
TRANSPARENCY
SCALABILITY
Kerberos keeps a database of its clients and their private keys.
Kerberos provides three distinct levels of protection.
Kerberos provides safe messages.
KERBEROS APPLICATION LIBRARY
ENCRYPTION LIBRARY
DATABASE LIBRARY
DATABASE ADMINISTRATION PROGRAMS
ADMINISTRATION SERVER
AUTHENTICATION SERVER
DB PROPAGATION SOFTWARE
USER PROGRAMS
Requesting a Kerberos Service
Getting the Initial Kerberos Ticket
Getting Kerberos Server Tickets
TGT, TGS
Logging on to the workstation
[Figure: logging on to the workstation. Labels: (1) User name; (2) Password entry; (3) Authentication Server; Workstation.]
Flow of Authentication Information
TICKET
• User name
• NT address
• Service name
• Time stamp
• Session key
[Figure: flow of authentication information. Labels: TGT; Ticket, 2 copies of session key; Session key requested; steps 4 and 5; Ticket Granting Server; Application Server; Workstation; Session key; TGS session key.]
Verifying the request
[Figure: verifying the request. Labels: Application Server; Workstation; Ticket (6); Random number (7); Random number (8); Session key.]
Key referral between Domains
Key referral between Trusted Domains
The KDBM Server
The kadmin and kpasswd Programs
Kerberos Database Replication
Kerberos User's Eye View
Kerberos From the Programmer's Viewpoint
The Kerberos Administrator's Job
How to decide the correct lifetime for a ticket?
How to allow proxies?
How to guarantee workstation integrity?
A prototype version of Kerberos went into production in September of 1986. Since January of 1987, Kerberos has been Project Athena's sole means of authenticating its 5,000 users, 650 workstations, and 65 servers. In addition, Kerberos is now being used in place of .rhosts files for controlling access in several of Athena's timesharing systems.
CyberSafe Corporation
InterSoft International, Inc.
MIT Team Members
Jeff Schiller ('79)
Ted Ts'o ('90)
Tom Yu ('96)
Ken Raeburn ('88)
Paul Hill
Marshall Vale
Miroslav Jurisic
Alexis Ellwood
Danilo Almeida