Kerberos Protocol
What is Kerberos?
Kerberos is a network authentication protocol that works on the basis of tickets to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner.
What do the three heads of Kerberos represent?
The protocol is named after the three-headed dog of Greek mythology, and its exchange involves three parties in three steps. The three heads of Kerberos are:
1. The user (the client), who wants to reach a service.
2. The Key Distribution Center (KDC), the security server that holds every principal's secret key and issues tickets.
3. The services (application servers) the user wants to use.
Strictly speaking, Kerberos provides authentication (proving who the client is). Authorization (what the client may then do) is decided by the service; Kerberos only carries the identity, plus, in Windows, the group information in the ticket's PAC that the service uses for its own access decisions.
Kerberos is a standard feature of Windows: it has been the default authentication protocol in Active Directory domains since Windows 2000. Open-source implementations (MIT Kerberos, Heimdal) provide the same protocol on Unix-like systems.
Why Kerberos?
Kerberos is an authentication protocol that is used to verify the identity of a user or host. The authentication is based on tickets used as credentials, allowing communication and proving identity in a secure manner even over a non-secure network.
Characteristics of Kerberos
Secure: Kerberos should be strong enough that a potential opponent does not find it to be the weak link.
Reliable: For all services that rely on Kerberos for access control, lack of availability of the Kerberos service means lack of availability of the supported services. Hence, Kerberos should be highly reliable and should employ a distributed server architecture, with one system able to back up another.
Transparent: Ideally, the user should not be aware that authentication is taking place, beyond the requirement to enter a password.
Scalable: The system should be capable of supporting large numbers of clients and servers. This suggests a modular, distributed architecture.
Kerberos Protocol Terminology
Figure: Block diagram of Kerberos server
Authentication Server (AS): The part of the KDC that handles the initial login. It verifies the client's identity (with pre-authentication, by checking a timestamp encrypted under the client's long-term key) and issues a ticket-granting ticket (TGT) together with a session key.
Client: An entity on the network (a user or a host) that can obtain a ticket from Kerberos. Every client and service is identified by a principal name, for example alice@EXAMPLE.COM or host/web01.example.com@EXAMPLE.COM.
Credentials: A ticket together with the session key that belongs to it; the pair proves a client's identity to one particular service for a limited time. The term is often shortened to "ticket".
Credential cache or ticket file: The local store (a file on Unix-like systems, LSASS memory on Windows) that holds the client's tickets and session keys for the various network services it has authenticated to. Anyone who can read it can act as that user until the tickets expire, so it needs the same protection as a password.
Crypt hash (long-term key): The client's secret key, derived from its password by a one-way string-to-key function (PBKDF2 for the AES encryption types). Only the client and the KDC know it, and it is never sent over the network; it is used once per login to prove knowledge of the password and to unwrap the session key.
Key: Data used when encrypting or decrypting other data. Kerberos uses long-term keys (shared between a principal and the KDC) and short-lived session keys (generated by the KDC for each ticket).
Key Distribution Center (KDC): The trusted service that holds the keys of every principal in a realm and issues Kerberos tickets. It consists of the Authentication Server and the Ticket-Granting Server, which normally run in the same process on the same host.
Realm: An administrative domain that uses Kerberos, composed of one or more KDCs and a potentially large number of clients and services. Realm names are conventionally written in upper case (EXAMPLE.COM).
Ticket-Granting Server (TGS): The part of the KDC that issues service tickets. A client presents its TGT to the TGS and receives a ticket for the desired service, which it then presents to that service to gain access. The TGS usually runs on the same host as the AS.
Ticket-Granting Ticket (TGT): A special ticket, encrypted under the TGS's own key (the krbtgt principal), that lets the client request additional service tickets from the TGS without re-entering its password or repeating the initial authentication with the AS.
Working of Kerberos
Step 1 (Fig 1):
The client sends an authentication request (AS-REQ) naming its principal to the Authentication Server. The AS looks the principal up in the KDC database. With pre-authentication, the default in Kerberos v5, the request also carries the current time encrypted under the client's long-term key, so the AS can verify that the requester actually knows the key before it issues anything.
Step 2:
Upon verification, the AS generates a random session key and assigns the session a lifetime, with a start time and an expiration time. This page uses 8 hours as the example lifetime (Active Directory defaults to 10); once it is up, the session key and the TGT that carries it are useless.
Step 3 (Fig 2):
Figure: Authentication Service issues TGT
The AS replies (AS-REP) with two items: the TGT, which contains the client name, the session key and the expiry time and is encrypted under the TGS's own key, so the client can neither read nor alter it; and a copy of the session key encrypted under the client's long-term key. Only a client that knows the password can recover the session key, which is what proves the login.
Step 4 (Fig 3):
Figure: Client submits TGT to TGS
The client sends a ticket-granting request (TGS-REQ) containing the TGT, the name of the service it wants, and an authenticator: its own name and the current time encrypted with the session key. The TGS decrypts the TGT with its own key, decrypts the authenticator with the session key found inside the TGT, and checks that the names match and that the timestamp is fresh.
Step 5 (Fig 4):
Figure: TGS grants client the service ticket
The TGS generates a new service session key with its own timestamp and expiry, and returns (TGS-REP) a service ticket, encrypted under the service's long-term key, plus the new session key encrypted under the TGT session key.
Step 6:
The client decrypts the TGS reply with the TGT session key and stores the service ticket and the service session key in its credential cache. No acknowledgement is sent back to the TGS.
Step 7 (Fig 5):
Figure: Service server decrypts the key and checks the timestamp
The client sends the service an application request (AP-REQ): the service ticket together with a fresh authenticator encrypted with the service session key. The server decrypts the ticket with its own long-term key, recovers the session key, decrypts the authenticator and checks that the ticket has not expired, that the timestamp lies within the permitted clock skew (5 minutes by default) and that the same authenticator has not been presented before (replay detection).
Step 8 (Fig 6):
If the client asked for mutual authentication, the server answers (AP-REP) with the client's timestamp encrypted under the session key; the client decrypts it and compares the value, which proves that the server knew the service key. If all the keys and timestamps are valid, communication begins between client and server, protected by the shared session key, and the client remains authenticated until the ticket expires.
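The eight steps above, as an added worked example that is not code from the original page: a toy model of the AS, TGS and AP exchanges in Python using only the standard library, with both the client side and the KDC/service side of every message. The realm EXAMPLE.COM, the principals alice and host/web01.example.com, their keys and the password are constructed for the example; encrypt()/decrypt() are a stand-in for a real Kerberos encryption type (AES-CTS with an HMAC, RFC 3962), built from SHA-256 and HMAC so the script runs offline; error names follow RFC 4120.

```python
"""Toy model of the Kerberos v5 AS, TGS and AP exchanges (stdlib only); encrypt()/decrypt() stand in for a real enctype."""
import hashlib, hmac, json, os, time

CLOCK_SKEW = 300            # seconds of clock drift tolerated (RFC 4120 suggests about 5 minutes)
TICKET_LIFETIME = 8 * 3600  # the 8-hour lifetime used on this page (Active Directory defaults to 10h)

def string2key(password: str, principal: str, realm: str) -> bytes:
    """Long-term key derived from the password; salt = realm + principal as in RFC 3962."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), (realm + principal).encode(), 4096, 32)

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(length // 32 + 1))[:length]

def encrypt(key: bytes, obj) -> bytes:
    """Toy encrypt-then-MAC: SHA-256 counter-mode keystream plus an HMAC-SHA256 tag."""
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def decrypt(key: bytes, blob: bytes):
    """Check the tag before unwrapping: a wrong key or a tampered ticket fails here."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    return json.loads(bytes(a ^ b for a, b in zip(ct, keystream(key, nonce, len(ct)))))

def check_authenticator(ticket_body: dict, authenticator: bytes, now: int) -> dict:
    """Shared by TGS and application server: ticket still valid, names match, timestamp fresh."""
    if now > ticket_body["expires"]:
        raise PermissionError("KRB_AP_ERR_TKT_EXPIRED")
    auth = decrypt(bytes.fromhex(ticket_body["session_key"]), authenticator)
    if auth["client"] != ticket_body["client"]:
        raise PermissionError("KRB_AP_ERR_BADMATCH")
    if abs(now - auth["timestamp"]) > CLOCK_SKEW:
        raise PermissionError("KRB_AP_ERR_SKEW")
    return auth

class KDC:
    """Authentication Server (AS) and Ticket-Granting Server (TGS), co-located as usual."""
    def __init__(self, realm: str, keys: dict):
        self.realm, self.keys = realm, keys  # principal -> long-term key, including "krbtgt"

    def as_exchange(self, client: str, pa_enc_timestamp: bytes, now: int):
        # Steps 1-3: pre-authentication proves the client knows its key before any TGT is issued.
        try:
            ts = decrypt(self.keys[client], pa_enc_timestamp)["timestamp"]
        except ValueError:
            raise PermissionError("KDC_ERR_PREAUTH_FAILED") from None
        if abs(now - ts) > CLOCK_SKEW:
            raise PermissionError("KDC_ERR_PREAUTH_FAILED")
        sk, expires = os.urandom(32).hex(), now + TICKET_LIFETIME  # hex so it fits in the JSON body
        tgt = encrypt(self.keys["krbtgt"], {"client": client, "session_key": sk, "expires": expires})
        as_rep = encrypt(self.keys[client], {"session_key": sk, "expires": expires})
        return as_rep, tgt  # the client can read as_rep; only the TGS can read the TGT

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str, now: int):
        # Steps 4-5: the TGS never touches the user's key; it trusts the TGT it minted itself.
        t = decrypt(self.keys["krbtgt"], tgt)
        check_authenticator(t, authenticator, now)
        sk, expires = os.urandom(32).hex(), min(t["expires"], now + TICKET_LIFETIME)
        ticket = encrypt(self.keys[service], {"client": t["client"], "session_key": sk, "expires": expires})
        tgs_rep = encrypt(bytes.fromhex(t["session_key"]), {"service": service, "session_key": sk})
        return tgs_rep, ticket

def ap_exchange(service_key: bytes, ticket: bytes, authenticator: bytes, now: int, replay_cache: set):
    """Steps 7-8 on the service: decrypt the ticket, verify the authenticator, reject replays, reply."""
    t = decrypt(service_key, ticket)
    auth = check_authenticator(t, authenticator, now)
    if (auth["client"], auth["timestamp"]) in replay_cache:
        raise PermissionError("KRB_AP_ERR_REPEAT")
    replay_cache.add((auth["client"], auth["timestamp"]))
    ap_rep = encrypt(bytes.fromhex(t["session_key"]), {"timestamp": auth["timestamp"]})  # AP-REP for mutual auth
    return ap_rep, t["client"]

def kerberos_login(kdc, user, password, service, service_key, replay_cache, now=None) -> str:
    """Client side of all three exchanges; returns the principal name the service authenticated."""
    now = int(time.time()) if now is None else now
    k_user = string2key(password, user, kdc.realm)  # the password itself never leaves the client
    as_rep, tgt = kdc.as_exchange(user, encrypt(k_user, {"timestamp": now}), now)
    tgt_sk = bytes.fromhex(decrypt(k_user, as_rep)["session_key"])
    tgs_rep, ticket = kdc.tgs_exchange(tgt, encrypt(tgt_sk, {"client": user, "timestamp": now}), service, now)
    svc_sk = bytes.fromhex(decrypt(tgt_sk, tgs_rep)["session_key"])
    ap_rep, who = ap_exchange(service_key, ticket, encrypt(svc_sk, {"client": user, "timestamp": now}),
                              now, replay_cache)
    if decrypt(svc_sk, ap_rep)["timestamp"] != now:  # mutual authentication: server knew the service key
        raise PermissionError("KRB_AP_ERR_MUT_FAIL")
    return who

def build_realm():
    """Constructed sample realm (hypothetical names and keys): one user, one service, plus krbtgt."""
    realm = "EXAMPLE.COM"
    keys = {"alice": string2key("correct horse battery", "alice", realm),
            "krbtgt": os.urandom(32), "host/web01.example.com": os.urandom(32)}
    return KDC(realm, keys), keys["host/web01.example.com"]

if __name__ == "__main__":
    kdc, svc_key = build_realm()
    print(kerberos_login(kdc, "alice", "correct horse battery", "host/web01.example.com", svc_key, set()))
```

Three things the model makes visible that the prose cannot: a wrong password fails at the pre-authentication step before any ticket exists, so the KDC never hands out material encrypted under a user's key to an unauthenticated requester; the TGS and the application server never see the user's long-term key, only tickets they (or the KDC) can decrypt with their own keys; and the authenticator checks are what stop a captured AP-REQ from being reused, either later than the clock skew allows or a second time within it (the replay cache).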
Is Kerberos symmetric or asymmetric?
Kerberos is fundamentally a symmetric-key protocol: every ticket and authenticator is encrypted with a shared secret, either a long-term key or a session key, and the KDC is trusted precisely because it holds every principal's key. Asymmetric cryptography enters only as an extension. PKINIT (RFC 4556) lets a client prove its identity to the AS with an X.509 certificate and private key instead of a password-derived key (this is how smart-card logon works in Windows); after that first exchange the protocol continues with symmetric session keys as usual.
Is Kerberos safe?
Kerberos is more secure than simple password-based methods because the password itself is never sent over the network, not even in encrypted form: the client only proves that it knows the key derived from the password, and everything after that uses short-lived encrypted tickets with timestamps, which limit what a captured message is worth to an attacker. Its security does rest on conditions a practitioner should check. The KDC must be trusted and well protected, since it holds every key in the realm. Client and server clocks must be synchronized, otherwise valid requests are rejected or the replay window grows. Pre-authentication must remain enabled, or anyone can obtain material encrypted under a user's key without knowing the password. Long-term keys must be strong, because a ticket encrypted under a key derived from a weak password can be attacked offline by guessing passwords. Finally, tickets and session keys in a credential cache are as valuable as the password for their lifetime, so the cache needs protecting too.