
CPEG-561

NETWORK SECURITY
FALL 2014

ASSIGNMENT
Submitted by:
Saitheja Kadiyala
(Student ID: 973798)

University of Bridgeport
Bridgeport, CT-06604
USA
10/01/2014

KERBEROS & LDAP


KERBEROS:
Kerberos is an authentication protocol that acts as a trusted third party for key distribution. It was developed at MIT and provides central authentication of the user to the server and of the server to the user. It is a network authentication protocol designed to provide strong authentication, integrity and confidentiality for client/server and multi-tier applications.
WORKING:
Kerberos is the authentication protocol that acts between client and server. Under Kerberos, a client (generally either a user or a service) sends a request for a ticket to the Key Distribution Center (KDC). The KDC creates a ticket-granting ticket (TGT) for the client, encrypts it using the client's password as the key, and sends the encrypted TGT back to the client. The client then attempts to decrypt the TGT using its password. If the client successfully decrypts the TGT (i.e., if the client gave the correct password), it keeps the decrypted TGT, which serves as proof of the client's identity.
The TGT, which expires at a specified time, permits the client to obtain additional tickets, which give permission for specific services. The requesting and granting of these additional tickets is transparent to the user.

There are two versions of Kerberos, version 4 and version 5. Version 4 is still in use even though an updated version exists. Version 5 corrects some of the security deficiencies of version 4 and has been issued as a proposed Internet standard.
Let us see a summary of the Kerberos version 4 message exchange, which shows how the protocol proceeds.

In the first step the client requests access from the authentication server; in return, the authentication server grants access in the form of a Ticket Granting Ticket (TGT). The client then presents the TGT to the Ticket Granting Server (TGS) to ask for a service ticket. Finally, if it is granted access by the TGS, the client gets complete access to the server. That is how Kerberos works.
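The exchange described above, as an added example that is not part of the original assignment: a Python simulation of the AS and TGS steps in which, as in RFC 4120, the TGT is sealed under the ticket-granting service's key and only the accompanying session key is sealed under the client's password-derived key, so a wrong password surfaces as a failed integrity check. The realm, principals, passwords and the encrypt-then-MAC helper are constructed stand-ins for Kerberos' real AES modes and string-to-key function.

```python
import hashlib, hmac, json, os, time

def string_to_key(password, salt):
    # Long-term key from password + salt (realm and principal name); PBKDF2 stands in
    # for the RFC 3962 string-to-key function.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000)

def _xor_stream(key, nonce, data):
    # Toy keystream: SHA-256 in counter mode; NOT a real cipher, only for the simulation.
    ks = b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def seal(key, obj):
    """Toy encrypt-then-MAC (stand-in for Kerberos' AES modes): nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = _xor_stream(key, nonce, json.dumps(obj).encode())
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key, blob):
    """A wrong key fails the integrity check: this is how a bad password is detected."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("integrity check failed: wrong key or tampered ticket")
    return json.loads(_xor_stream(key, nonce, ct))

REALM = "EXAMPLE.COM"                          # constructed realm and principals
PRINCIPAL_KEYS = {"alice": string_to_key("correct horse", REALM + "alice")}
TGS_KEY = os.urandom(32)                       # known only to the KDC
SERVICE_KEYS = {"host/fileserver": os.urandom(32)}  # shared between KDC and each service

def as_exchange(principal, lifetime=600):
    """AS-REQ/AS-REP: TGT sealed under the TGS key; session key sealed under the client key."""
    skey, expires = os.urandom(32).hex(), time.time() + lifetime
    tgt = seal(TGS_KEY, {"client": principal, "skey": skey, "expires": expires})
    return tgt, seal(PRINCIPAL_KEYS[principal], {"skey": skey, "expires": expires})

def client_login(principal, password):
    """Client side: only the correct password unseals the session key paired with the TGT."""
    tgt, enc_part = as_exchange(principal)
    return tgt, unseal(string_to_key(password, REALM + principal), enc_part)["skey"]

def tgs_exchange(tgt, service):
    """TGS-REQ/TGS-REP: the KDC opens the TGT, rejects it if expired, else issues a service ticket."""
    t = unseal(TGS_KEY, tgt)
    if time.time() > t["expires"]:
        raise PermissionError("TGT expired; client must authenticate again")
    return seal(SERVICE_KEYS[service], {"client": t["client"], "skey": os.urandom(32).hex()})
```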
Let us see the summary of Kerberos version 5.

Kerberos is a solution to your network security problems. It provides the tools of authentication and strong cryptography over the network to help you secure your information systems across your entire enterprise. We hope you find Kerberos as useful as it has been to us. At MIT, Kerberos has been invaluable to our Information/Technology architecture.
Advantages of Kerberos:
- Password protection: even if the network is compromised, the password information cannot be extracted from it.
- Client/server authentication: Kerberos acts as an intermediary that authenticates the client to the server and vice versa.
- Durability and reusability: authentications using the Kerberos protocol are durable and reusable. Once a user has authenticated using the protocol, the authentication is reusable for the lifetime of the ticket. In other words, it is possible to remain authenticated through the Kerberos protocol without having to re-enter a user name and password across the network (until the authentication expires).
- Service session key generation: the Kerberos model uses a separate session key for each service session so that the long-term key is not compromised. Even if a session key is compromised, it is not easy to access the server and extract information.
Drawbacks of Kerberos:
- Migrating user passwords from a standard UNIX password database to a Kerberos password database can be tedious, as there is no automated mechanism to perform this task.
- Kerberos has only partial compatibility with the Pluggable Authentication Modules (PAM) system used by most servers running Red Hat Linux.

LDAP (Lightweight Directory Access Protocol):
LDAP is a set of protocols for accessing information directories. It is based on the standards contained within the X.500 standard, but is significantly simpler. LDAP runs over TCP/IP, which is necessary for access over the Internet, whereas the X.500 standard does not support it. LDAP should eventually make it possible for almost any application running on virtually any computer platform to obtain directory information, such as email addresses and public keys.
In other words, LDAP is a lightweight (smaller amount of code) version of the Directory Access Protocol, which is part of X.500 (a standard for directory services in a network). It is an open protocol, and the original application of both X.500 and LDAP was to provide a `white pages' directory service.
WORKING:
Since directories are optimized for read access, the most common LDAP operation is search, which provides a flexible means of accessing information from the directory. The LDAP search operation (also referred to as a query) consists of the following parameters, which carry the semantic information associated with a query:
(i) base: a DN that defines the starting point of the search in the DIT;
(ii) scope, one of {BASE, SINGLE LEVEL, SUBTREE}: specifies how deep within the DIT to search from the base;
(iii) filter: a Boolean combination of predicates using the standard operators AND (&), OR (|) and NOT (!), specifying the search criteria;
(iv) attributes: the set of required attributes from entries matching the filter.

The main benefit of using LDAP is the consolidation of certain types of information within your organization. For example, all of the different lists of users within your organization can be merged into one LDAP directory. This directory can be queried by any LDAP-enabled applications that need this information. The directory can also be used by users who need directory information.
Other LDAP benefits include its ease of implementation (compared to X.500) and its well-defined Application Programming Interface (API), which means that the number of LDAP-enabled applications and LDAP gateways should increase in the future.
On the negative side, if you want to use LDAP, you'll need LDAP-enabled applications or you'll need to use LDAP gateways. As mentioned previously, LDAP will only increase in usage, but at present there isn't a plethora of LDAP-enabled applications available for Linux. Also, while LDAP does support some access control, it does not support as many security features as X.500.
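As an added example (not from the original assignment), a Python evaluator for the four search parameters described under WORKING, run against a constructed mini-DIT: the base DN and scope decide which entries are candidates, the parsed filter decides which of them match, and the attribute list decides what is returned. The filter parser handles the &, | and ! operators and simple equality and presence predicates only, without RFC 4515 escaping.

```python
# Constructed mini-DIT: DN -> attributes. RDN components are comma-separated, most specific first.
DIT = {
    "dc=example,dc=com": {"objectClass": ["domain"], "dc": ["example"]},
    "ou=people,dc=example,dc=com": {"objectClass": ["organizationalUnit"], "ou": ["people"]},
    "uid=alice,ou=people,dc=example,dc=com": {"objectClass": ["person"], "uid": ["alice"], "mail": ["alice@example.com"], "memberOf": ["admins"]},
    "uid=bob,ou=people,dc=example,dc=com": {"objectClass": ["person"], "uid": ["bob"], "mail": ["bob@example.com"]},
    "ou=groups,dc=example,dc=com": {"objectClass": ["organizationalUnit"], "ou": ["groups"]},
}

def _dn_parts(dn):
    return [p.strip().lower() for p in dn.split(",")]

def in_scope(dn, base, scope):
    """Parameters (i) and (ii): is this entry at an allowed depth below the base DN?"""
    d, b = _dn_parts(dn), _dn_parts(base)
    if len(d) < len(b) or d[-len(b):] != b:
        return False
    depth = len(d) - len(b)
    return {"BASE": depth == 0, "SINGLE LEVEL": depth == 1, "SUBTREE": True}[scope]

def parse_filter(s, i=0):
    """Parameter (iii): recursive-descent parse of (&...), (|...), (!...), (attr=value), (attr=*)."""
    if s[i] != "(":
        raise ValueError("filter component must start with '('")
    i += 1
    if s[i] in "&|!":
        op, i, subs = s[i], i + 1, []
        while s[i] == "(":
            node, i = parse_filter(s, i)
            subs.append(node)
        return (op, subs), i + 1          # skip the closing ')'
    end = s.index(")", i)                 # no escape handling: values may not contain ')'
    attr, _, val = s[i:end].partition("=")
    return ("=", attr.strip().lower(), val.strip()), end + 1

def matches(node, attrs):
    op = node[0]
    if op == "&": return all(matches(n, attrs) for n in node[1])
    if op == "|": return any(matches(n, attrs) for n in node[1])
    if op == "!": return not matches(node[1][0], attrs)
    vals = [v.lower() for k, vs in attrs.items() if k.lower() == node[1] for v in vs]
    return bool(vals) if node[2] == "*" else node[2].lower() in vals  # presence vs equality

def ldap_search(base, scope, filter_str, attributes=None):
    """Parameter (iv): return only the requested attributes of the matching entries."""
    node, _ = parse_filter(filter_str)
    wanted = None if attributes is None else {a.lower() for a in attributes}
    return {dn: {k: v for k, v in attrs.items() if wanted is None or k.lower() in wanted}
            for dn, attrs in DIT.items() if in_scope(dn, base, scope) and matches(node, attrs)}
```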
Advantages:
- Multiple independent directories.
- Runs directly over TCP/IP.
- Easier to access when compared to X.500.
Disadvantages:
- Security issues.
- LDAP applications are not available for Linux.
- While LDAP does support some access control, it does not support as many security features as X.500.

CONCLUSION:
Kerberos is one among several authentication protocols that are used as part of security systems. Basically, it is a network authentication protocol designed to provide strong authentication and confidentiality for client/server and multi-tier applications.
LDAP, on the other hand, is a method of organizing details and providing access to them. It is mostly used for user, service and machine details, and is incredibly useful.
Kerberos and LDAP are both popular when considered separately, and when you put them together they provide an even more powerful solution for secure authentication.
