1 / 24

Illustrating Kerberos Protocol: A Comprehensive Tutorial Approach

Develop a tutorial on teaching complex protocols using Kerberos as the main example. Learn about Kerberos, an authentication protocol for network principals. Discover its origins in Greek mythology and its importance in modern authentication systems. The tutorial addresses the challenges of conceptualizing Kerberos by breaking down the explanation into two passes, using metaphors for better understanding. Pass 1 likens the process to joining a club, while Pass 2 explains the concept using colored envelope metaphors. Dive into the three phases of Kerberos and understand the key exchanges and encryption processes involved. Explore communication between servers, session key generation, and long-term key sharing. Uncover common issues and solutions encountered in each phase for a comprehensive understanding of Kerberos.

ian-valentine
Télécharger la présentation

Illustrating Kerberos Protocol: A Comprehensive Tutorial Approach

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. The design of a tutorial to illustrate the Kerberos protocol Lindy Carter Supervisors : Prof Wentworth John Ebden

  2. Objectives • To design a teaching approach and tutorial to teach complex protocols • Kerberos as the chosen example

  3. Introduction • Authentication protocol used to identify principals on a network using only a single sign-on • Uses authentication based on cryptography and was developed by MIT to replace authentication based on assertion • Chosen by Microsoft to replace NTLM as the method for authentication in Window 2000 • Name come from the 3 headed dog in Greek mythology – Cerberus –who used to guard the gates of Hades

  4. The problem with teaching Kerberos • Not easy to conceptualize • Formal definitions use a “once over” type of approach and are very technical • Important concepts are presented in the same step • Formal definitions use complicated notation

  5. What we have done to solve the problem • We have divided our explanation into 2 passes • The first pass uses a concrete metaphor to explain the 3 message exchanges in the protocol • The second pass is broken down into 3 phases and uses another metaphor to explain the message exchanges, encryption and key sharing • We want start with concrete explanations and move towards more abstract ideas

  6. Pass 1 • Uses a club membership example • The process of joining a club and using its affiliated facilities is similar in Kerberos to authenticating yourself and asking to use a resource.

  7. Pass 2 • Uses a coloured envelope metaphor • We chose the envelope metaphor because it illustrates the 2 level structure of tickets. • The coloured envelopes show encryption key pairs

  8. Pass is divided into 3 phases • Phase 1 describes the 3 message exchanges in a trusted environment • Phase 2 introduces long term key sharing • Phase 3 introduces sessions and session key generation

  9. Pass 1 – Club membership

  10. Authentication Server Ticket Granting Service Resource Server Phase 1 Authentication Server Exchange

  11. Authentication Server Ticket Granting Service Resource Server Phase 1 Ticket Granting Service Exchange

  12. Authentication Server Ticket Granting Service Resource Server Phase 1 Resource Server Exchange

  13. Some Observations • There is no direct communication between the Authentication Server, Ticket Granting Service of the Resource Server • Tickets are reusable

  14. Problems with Phase 1 • Principals that receive tickets do not actually know who sent the ticket. • The access rights in the tickets are in plain text and the user is able to change them

  15. Phase 2 • First problem is easy to solve - each time the user sends a ticket to a principal, he sends his name along with the ticket • Second problem a little more involved…

  16. Phase 2 • The user needs to authenticate himself to the Authentication Server and the Authentication Server needs to pass information securely back to the user • The user and AS need to share a long term key (users password (black key) • The Authentication Server needs to pass information securely to the Ticket Granting Service • AS and TGS need to share a long term key (red key)

  17. Phase 2 • The Ticket Granting Service needs to pass information securely to the Resource Server • TGS and RS need to share a long term key (blue key)

  18. Long term Key Long term key sharing Authentication Server Ticket Granting Service Resource Server

  19. Problems with Phase 2 • Some one listening on the network can intercept the message containing the ticket and the users name. • They will be able to change the name and use the resource

  20. Phase 3 • The user should encrypt his name before he sends it to the TGS or RS (this is called an authenticator) • The user needs a communication channel to communicate with the TGS and RS • Sessions keys are generated via a third party. • A copy of the key is given to the user in his reply message for a ticket. • Another copy is embedded in the ticket that the user is receiving back

  21. Phase 3 • When the TGS or RS receive the ticket and authenticator, it is able to decrypt the ticket and retrieve the session key • TGS or RS is then able to decrypt the authenticator and see who is requesting service.

  22. Key Sharing Authentication Server Ticket Granting Service Resource Server Generates session key Generates session key Long term Key Session Key

  23. Finally… • AS exchange • TGS exchange • RS exchange Authentication Server Ticket Granting Service 1 2 Resource Server 3

  24. Questions

More Related