This document explores the advancements in Kerberos authentication, emphasizing the shift from Kerberos 4 to Kerberos 5. Kerberos builds on the Needham-Schroeder authentication scheme, published from Xerox PARC in 1978. The overview outlines key components like the Ticket Granting Ticket (TGT), session keys, and the role of the Key Distribution Center (KDC). Essential features, such as encryption of the protocol messages and pre-authentication, are also discussed, highlighting how Kerberos has evolved to prevent threats like replay attacks and offline brute-force attempts against user keys.
Kerberos Part 2 CNS 4650 Fall 2004 Rev. 2
PARC Once Again • Once again XEROX PARC helped develop the basis for widespread technology • Needham-Schroeder • Paper published in 1978 • “Using Encryption for Authentication in Large Networks of Computers”
Needham-Schroeder • Describes an authentication scheme • Contains an authentication server • Clients contact the authentication server for permission to access a network service • Encryption with shared keys secures the exchanged data
Kerberos 4 • Very similar to Needham-Schroeder • Synchronized network time (timestamps) replaces the nonce round trips, decreasing network traffic • Ticket Granting Ticket (TGT)
Kerberos 4 in a Nutshell • Client contacts the KDC to get a Ticket Granting Ticket (TGT) so that it may access services later • Think of this as “logging in” • The KDC returns a TGT inside a reply that only the client’s key can decrypt; the client uses the TGT for all future requests
Kerberos 4 in a Nutshell • Client receives the TGT and caches it locally • When the client needs to access a service (for example SMB), it sends the TGT to the KDC to request a Service Ticket • The KDC validates the TGT and creates a session key for the client and the service to use for encryption • The KDC encrypts the session key for the service with the service’s key (the Service Ticket) and sends it to the client, together with a copy of the session key the client can read
Kerberos 4 in a Nutshell • The client then sends the Service Ticket (the session key encrypted with the service’s key) to the service, along with an authenticator encrypted under that session key • The service decrypts the ticket with its own key, checks the authenticator, and then begins the session
Kerberos 4 AS_REQ • Initial request from client to server • Client principle - jdoe@REALM.ORG • Client timestamp - 7:00am 9/9/2004 • TGS principle - server@REALM.ORG • Requested lifetime - 8 hours
Kerberos 4 AS_REP • Server reply for a AS_REQ • Session key - randomly generated number • TGS (KDC) principle - server@REALM.ORG • Ticket lifetime - 8 hours • Ticket Granting Ticket (TGT) - encrypted with TGS (KDC) key • Entire structure encrypted with user’s key
Kerberos 4 TGT • Fourth component of a AS_REP • Session key - randomly generated number (matches users) • user principle - jdoe@REALM.ORG • Ticket lifetime - 8 hours • KDC timestamp - 7:00am 9/9/2004 • Client IP Address • This structure is encrypted with the TGS key
Kerberos 4 TGS Request • Client requesting to use service (SMB) • Service principle - smb.smbserver@REALM.ORG • TGT - encrypted data structure that authenticates client • Authenticator - data structure encrypted with session key from authentication server. This prevents replay attacks • Requested lifetime - usually 8 hours
Kerberos 4 TGS Reply • Authentication Server (KDC) reply to client service request • Session key - session key to be used with the service • Service principle - smb.smbserver@REALM.ORG • Ticket lifetime - usually 8 hours • Service Ticket - data structure encrypted with service’s key • This structure is encrypted with session key from Authentication Server (received in AS_REP)
Kerberos 4 Service Ticket • This ticket is sent by the client to the service being requested • Session key - session key to be used with the client • User principle - jdoe@REALM.ORG • Ticket lifetime - usually 8 hours • KDC timestamp - 7:00am 9/9/2004 • This structure is encrypted with service key
Kerberos 5 • Same functionality as version 4 • Implementation is vastly different from version 4 • Switched to ASN.1 to describe the protocol messages • Flexible encryption model (not tied to a single cipher as version 4 was)
Pre-Authentication • Goal: prevent offline brute-force attacks on the user’s key • Kerberos 4 handed an AS_REP (and the TGT inside it) to anyone who named a user, so an attacker could collect replies for any user and guess passwords offline • Kerberos 5: client must prove its identity before receiving a TGT • Client encrypts the current timestamp with its key and sends it to the KDC, which decrypts it and checks that the time is within the allowed clock skew • Caveat: an attacker who captures that encrypted timestamp on the network still has material to guess the password offline; pre-authentication stops strangers from requesting such material for arbitrary users, it does not protect against a sniffer
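The following is an added example, not code from the slides: a stdlib-only simulation of the Kerberos 4 style exchange described in the “Kerberos 4 in a Nutshell” and message-structure slides (AS_REQ/AS_REP with the TGT, TGS request/reply with an authenticator, and the service ticket presented to the service), with the Kerberos 5 encrypted-timestamp pre-authentication from this slide switchable on and off. The cipher is a constructed stand-in (a SHA-256 keystream plus an HMAC tag), not Kerberos’ DES; the principal names come from the slides, while the password “hunter2”, the addresses, the five-minute skew and the replay cache keyed on (client, timestamp) are assumptions made for the demo. It shows what the slide describes: without pre-authentication the KDC answers anyone, and the captured reply can be cracked offline; with it, a wrong key is refused before any TGT leaves the KDC; and a replayed TGS request is rejected because its authenticator has already been seen.

```python
import hashlib, hmac, json, secrets, time

SKEW = 300            # assumed clock-skew tolerance in seconds (real KDCs default to a few minutes)
LIFETIME = 8 * 3600   # the 8-hour ticket lifetime used on the slides

def derive_key(password):      # stand-in for Kerberos' string-to-key: the user's key comes from the password
    return hashlib.sha256(password.encode()).digest()
def _keystream(key, nonce, n):
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))

def encrypt(key, obj):         # constructed toy cipher (SHA-256 keystream + HMAC tag), not Kerberos' DES
    pt, nonce = json.dumps(obj, sort_keys=True).encode(), secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return (nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()).hex()

def decrypt(key, blob):        # a wrong key raises ValueError; that is what "the KDC validates" means here
    raw = bytes.fromhex(blob)
    nonce, ct, tag = raw[:16], raw[16:-32], raw[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def rejected(fn, *args):       # True when a check refuses the message by raising ValueError
    try:
        fn(*args)
        return False
    except ValueError:
        return True

def verify_authenticator(session_key, authenticator, ticket, seen):   # run by the TGS and by the service
    now = time.time()
    if now > ticket["kdc_time"] + ticket["lifetime"]:
        raise ValueError("ticket expired")
    auth = decrypt(session_key, authenticator)        # only the real ticket holder knows this key
    if auth["client"] != ticket["client"] or abs(auth["timestamp"] - now) > SKEW:
        raise ValueError("authenticator mismatch or stale")
    if (auth["client"], auth["timestamp"]) in seen:   # same authenticator presented twice within SKEW
        raise ValueError("replayed authenticator")
    seen.add((auth["client"], auth["timestamp"]))

class KDC:                     # Authentication Server and Ticket Granting Server in one, as on the slides
    def __init__(self, keys, tgs, require_preauth):
        self.keys, self.tgs, self.require_preauth, self.seen = keys, tgs, require_preauth, set()

    def as_exchange(self, req):                       # AS_REQ -> AS_REP
        client, now = req["client"], time.time()
        if self.require_preauth:                      # Kerberos 5 style encrypted-timestamp pre-auth
            if "preauth" not in req:
                raise ValueError("pre-authentication required")
            if abs(decrypt(self.keys[client], req["preauth"])["timestamp"] - now) > SKEW:
                raise ValueError("pre-auth timestamp outside skew")
        session, life = secrets.token_hex(32), min(req["lifetime"], LIFETIME)
        tgt = encrypt(self.keys[self.tgs], {"session": session, "client": client, "lifetime": life,
                                             "kdc_time": now, "addr": req["addr"]})  # TGT under the TGS key
        return encrypt(self.keys[client], {"session": session, "tgs": self.tgs, "lifetime": life, "tgt": tgt})

    def tgs_exchange(self, req):                      # TGS_REQ -> TGS_REP
        tgt = decrypt(self.keys[self.tgs], req["tgt"])
        tgs_session = bytes.fromhex(tgt["session"])
        verify_authenticator(tgs_session, req["authenticator"], tgt, self.seen)
        svc_session, life = secrets.token_hex(32), min(req["lifetime"], tgt["lifetime"])
        ticket = encrypt(self.keys[req["service"]], {"session": svc_session, "client": tgt["client"],
                                                     "lifetime": life, "kdc_time": time.time()})
        return encrypt(tgs_session, {"session": svc_session, "service": req["service"], "lifetime": life, "ticket": ticket})

def make_authenticator(session_key, client):
    return encrypt(session_key, {"client": client, "timestamp": time.time()})
def login(kdc, client, password, preauth=True):       # the AS exchange, i.e. "logging in"
    key = derive_key(password)
    req = {"client": client, "tgs": kdc.tgs, "timestamp": time.time(), "lifetime": LIFETIME, "addr": "10.0.0.5"}
    if preauth:
        req["preauth"] = encrypt(key, {"timestamp": time.time()})
    return decrypt(key, kdc.as_exchange(req))         # -> {session, tgs, lifetime, tgt}

def get_service_ticket(kdc, creds, client, service):  # TGS exchange; the request is returned for the replay test
    sk = bytes.fromhex(creds["session"])
    req = {"service": service, "tgt": creds["tgt"], "lifetime": LIFETIME, "authenticator": make_authenticator(sk, client)}
    return req, decrypt(sk, kdc.tgs_exchange(req))    # -> {session, service, lifetime, ticket}

def service_accept(service_key, ap_req, seen):        # the service opens the ticket with its own key
    ticket = decrypt(service_key, ap_req["ticket"])
    verify_authenticator(bytes.fromhex(ticket["session"]), ap_req["authenticator"], ticket, seen)
    return ticket["client"]

def demo():                    # constructed principals mirroring the slides; returns each check's outcome
    keys = {"jdoe@REALM.ORG": derive_key("hunter2"), "server@REALM.ORG": secrets.token_bytes(32),
            "smb.smbserver@REALM.ORG": secrets.token_bytes(32)}
    out, jdoe, tgs = {}, "jdoe@REALM.ORG", "server@REALM.ORG"
    kdc4 = KDC(keys, tgs, require_preauth=False)      # Kerberos 4: AS_REP handed to anyone who names a user...
    rep = kdc4.as_exchange({"client": jdoe, "tgs": tgs, "timestamp": time.time(), "lifetime": LIFETIME, "addr": "10.0.0.9"})
    out["guessed_offline"] = next((pw for pw in ["password", "letmein", "hunter2"] if not rejected(decrypt, derive_key(pw), rep)), None)
    kdc5 = KDC(keys, tgs, require_preauth=True)       # Kerberos 5: prove identity before any TGT leaves the KDC
    out["preauth_refused"] = rejected(login, kdc5, jdoe, "letmein")
    creds = login(kdc5, jdoe, "hunter2")              # AS exchange, then TGS exchange, then AP_REQ to the service
    tgs_req, svc = get_service_ticket(kdc5, creds, jdoe, "smb.smbserver@REALM.ORG")
    ap_req = {"ticket": svc["ticket"], "authenticator": make_authenticator(bytes.fromhex(svc["session"]), jdoe)}
    out["service_sees"] = service_accept(keys["smb.smbserver@REALM.ORG"], ap_req, set())
    out["replay_rejected"] = rejected(kdc5.tgs_exchange, tgs_req)   # a captured TGS_REQ replayed verbatim
    return out
```

Running demo() returns guessed_offline = "hunter2" for the Kerberos 4 KDC, preauth_refused = True and replay_rejected = True for the Kerberos 5 KDC, and service_sees = "jdoe@REALM.ORG" once the full exchange completes. The offline guess works only because the toy cipher lets a wrong key be recognised; Kerberos 4 replies were recognisable in the same way through their fixed structure, which is why handing them out freely was the problem. Note that the captured pre-auth blob would be just as crackable by the same loop, which is the caveat stated on the slide.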