Kerberos

In ancient Greek myth, Kerberos was a three-headed dog that guarded the entrance to the underworld. {Hackers}

What is Kerberos?
Kerberos is a network authentication protocol designed to provide strong authentication for client/server applications using secret-key cryptography. It was developed at MIT in the mid-1980s and is available as open source or in supported commercial software.

Why Kerberos?
Sending usernames and passwords in the clear jeopardizes the security of the network: each time a password is sent in the clear, there is a chance of interception. Dictum: there is nothing more secure than a computer that is not connected to the network and powered off!

Firewall vs. Kerberos?

Firewalls make a risky assumption: that attackers are coming from the outside. In reality, attacks frequently come from within. Kerberos assumes that network connections (rather than servers and workstations) are the weak link in network security.

Design Requirements
Consists of the following three components:
- Client
- Authentication Server or KDC
- Server
And has three main exchanges:
- Authentication Server (AS) Exchange
- Ticket Granting Service (TGS) Exchange
- Client/Server (CS) Exchange

How does Kerberos work?

The user requests use of a network service. The service wants assurance that the user is who he says he is. The user presents a ticket that was issued to it by a Kerberos Authentication Server (AS). If the ticket is valid, service is granted. The tickets must be unequivocally linked to the user.

How does Kerberos work?: Ticket Granting Tickets

Functions of Kerberos
- Authentication
- Authorization
- Confidentiality
- Integrity

Terms Used in Kerberos

- Principal: the party whose identity is verified.
- Verifier: the party who demands assurance of the principal's identity.
- Ticket: a certificate issued by an AS, encrypted using the server's key.

Ticket = Random Session Key + Name of Principal + Expiration Time + others

The random session key is used for authenticating the principal to the verifier.

Assumptions
Kerberos assumes that the user won't use passwords like his own user name, etc. Though any password is subject to a dictionary attack, the timestamp requires the attacker to complete a guess within 5 minutes.
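The three exchanges from the "Design Requirements" slide, the ticket layout (random session key + principal name + expiration, sealed under the server's key) and the 5-minute authenticator window are easier to see in running code. The following is an added example written for this page, not code from the slides or from any Kerberos implementation. Everything in it is constructed: the realm EXAMPLE.COM, the principals alice, krbtgt/EXAMPLE.COM and host/fileserver, the password, the SHA-256/HMAC toy cipher that stands in for the real Kerberos encryption types, and the PBKDF2 stand-in for string2key. The replay cache is also an addition, reflecting that a real verifier keeps one alongside the timestamp check.

```python
"""Toy Kerberos: AS, TGS and client/server exchanges with tickets and authenticators."""
import hashlib
import hmac
import json
import os
import time

REALM = "EXAMPLE.COM"   # constructed realm; "krbtgt/REALM" is the conventional name of the TGS principal
MAX_SKEW = 5 * 60       # 5-minute authenticator window from the slides
REPLAY_CACHE = set()    # verifier-side memory of authenticators already accepted (toy, in-process)

def _keystream(key, nonce, n):
    out = b""
    for ctr in range(n // 32 + 1):
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
    return out[:n]

def encrypt(key, obj):
    """Toy encrypt-then-MAC (SHA-256 keystream + HMAC); stands in for Kerberos's real enctypes."""
    pt = json.dumps(obj).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed (wrong key or tampered message)")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def string_to_key(password, principal):
    """Stand-in for Kerberos string2key: derive the client's long-term key from its password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), (REALM + principal).encode(), 10000)

# KDC key database (constructed): one client, the TGS itself, and one application server
KEYS = {
    "alice": string_to_key("correct horse", "alice"),
    "krbtgt/" + REALM: os.urandom(32),
    "host/fileserver": os.urandom(32),
}

def make_ticket(server, client, session_key, lifetime, now):
    """Ticket = random session key + principal name + expiration, sealed with the server's key."""
    return encrypt(KEYS[server], {"key": session_key.hex(), "cname": client, "expires": now + lifetime})

def check_authenticator(server, ticket_blob, auth_blob, now):
    """Verifier side: open the ticket with its own key, then the authenticator with the session key."""
    ticket = decrypt(KEYS[server], ticket_blob)
    if now > ticket["expires"]:
        raise ValueError("ticket expired")
    session_key = bytes.fromhex(ticket["key"])
    auth = decrypt(session_key, auth_blob)          # only the ticket's rightful owner knows this key
    if auth["cname"] != ticket["cname"]:
        raise ValueError("authenticator name does not match ticket")
    if abs(now - auth["ts"]) > MAX_SKEW:
        raise ValueError("authenticator timestamp outside the 5-minute window")
    if (server, auth["cname"], auth["ts"]) in REPLAY_CACHE:
        raise ValueError("authenticator replayed")
    REPLAY_CACHE.add((server, auth["cname"], auth["ts"]))
    return ticket["cname"], session_key

def as_exchange(client, now):
    """AS exchange: the KDC issues a TGT; the reply is sealed under the client's password-derived key."""
    sk, tgs = os.urandom(32), "krbtgt/" + REALM
    enc_part = encrypt(KEYS[client], {"key": sk.hex(), "sname": tgs, "expires": now + 8 * 3600})
    return enc_part, make_ticket(tgs, client, sk, 8 * 3600, now)

def tgs_exchange(tgt, authenticator, service, now):
    """TGS exchange: validate TGT + authenticator, then issue a ticket for the requested service."""
    client, tgs_sk = check_authenticator("krbtgt/" + REALM, tgt, authenticator, now)
    sk = os.urandom(32)
    enc_part = encrypt(tgs_sk, {"key": sk.hex(), "sname": service, "expires": now + 3600})
    return enc_part, make_ticket(service, client, sk, 3600, now)

def cs_exchange(service, ticket, authenticator, now):
    """Client/Server exchange: the service validates and answers with a mutual-authentication reply."""
    _, sk = check_authenticator(service, ticket, authenticator, now)
    return encrypt(sk, {"ts": now})   # only a holder of the service key could have produced this

def try_access(service, ticket, authenticator, now):
    """Return True if the service would admit this ticket + authenticator at time `now`."""
    try:
        cs_exchange(service, ticket, authenticator, now)
        return True
    except ValueError:
        return False

def login(client, password, service, now):
    """Client side of all three exchanges; raises ValueError if the password is wrong."""
    client_key = string_to_key(password, client)
    enc_part, tgt = as_exchange(client, now)
    tgs_sk = bytes.fromhex(decrypt(client_key, enc_part)["key"])   # a wrong password fails here
    enc_part2, st = tgs_exchange(tgt, encrypt(tgs_sk, {"cname": client, "ts": now}), service, now)
    svc_sk = bytes.fromhex(decrypt(tgs_sk, enc_part2)["key"])
    auth = encrypt(svc_sk, {"cname": client, "ts": now})
    reply = decrypt(svc_sk, cs_exchange(service, st, auth, now))
    return {"mutual_auth": reply["ts"] == now, "ticket": st, "authenticator": auth, "service_key": svc_sk}

if __name__ == "__main__":
    print(login("alice", "correct horse", "host/fileserver", int(time.time()))["mutual_auth"])
```

Two points worth noticing when running it. First, the AS reply is sealed under a key derived from the user's password and, as in the original protocol, is handed out without pre-authentication; that is exactly why the "Assumptions" slide worries about guessable passwords, and why later Kerberos versions added pre-authentication. Second, the authenticator's timestamp limits how long a captured ticket plus authenticator stays usable, but a verifier also needs the replay cache: within the 5-minute window the timestamp alone would admit the same authenticator twice.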

Thank You!!!