KERBEROS
CONTENTS • Introduction • What is Kerberos? • Where does the name Kerberos come from? • Why Kerberos? • What does Kerberos do? • Kerberos software components • How Kerberos works? • Kerberos names • Kerberos database • Kerberos from the outside looking in • Kerberos issue and open problems • Effectiveness of Kerberos • Kerberos status • How widespread is deployment? • Advantages and Disadvantages • Commercial support for Kerberos • MIT Kerberos team • Conclusion • References
INTRODUCTION • A NETWORK AUTHENTICATION PROTOCOL
WHAT IS KERBEROS? • KERBEROS IS A TRUSTED THIRD-PARTY AUTHENTICATION SERVICE BASED ON THE MODEL PRESENTED BY NEEDHAM AND SCHROEDER.
Where does the name “Kerberos” come from? The name Kerberos comes from Greek mythology; it is the three-headed dog that guarded the entrance to Hades. “CERBERUS” is the Latin spelling of the Greek “Kerberos”, and according to the OED is pronounced like “Serberus”, but that is quite at odds with the Greek, as the initial consonant is a “k”. MIT Project Athena chose to use the Greek spelling and pronunciation.
WHY KERBEROS? • SECURE THE DATA • RELIABLE SERVICE • TRANSPARENCY • SCALABILITY
WHAT DOES KERBEROS DO? • Kerberos keeps a database of its clients and their private keys. • Kerberos provides three distinct levels of protection. • Kerberos provides safe messages.
KERBEROS SOFTWARE COMPONENTS • KERBEROS APPLICATION LIBRARY • ENCRYPTION LIBRARY • DATABASE LIBRARY • DATABASE ADMINISTRATION PROGRAMS • ADMINISTRATION SERVER • AUTHENTICATION SERVER • DB PROPAGATION SOFTWARE • USER PROGRAMS
HOW KERBEROS WORKS • Requesting a Kerberos Service • Getting the Initial Kerberos Ticket • Getting Kerberos Server Tickets
Flow of Authentication Information: Logging on to the workstation [Figure: Workstation and Authentication Server. Labels: Password entry; User name; TGT, TGS; steps 1 to 3.]
Session key requested • TICKET • User name • NT address • Service name • Time stamp • Session key [Figure: Workstation, Ticket Granting Server and Application Server. Labels: TGS; Session key; TGT; Ticket, 2 copies of session key; steps 4 and 5.]
Verifying the request [Figure: Workstation and Application Server. Labels: Session key; Ticket; Random number; steps 6 to 8.]
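A minimal simulation of steps 4 to 8 of the flow above, added here as an illustration; it is not taken from the slides or from MIT Kerberos. The function names, the SHA-256/HMAC sealing routine that stands in for the encryption library, and the order of the messages in steps 6 to 8 are assumptions.

```python
import hashlib, hmac, json, os

def _stream(key, nonce, n):
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, obj):
    # Toy encrypt-then-MAC stand-in for the encryption library (assumption).
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or modified message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

def tgs_issue(server_key, tgs_session_key, user, addr, service, now, life=300):
    # Steps 4-5: ticket sealed for the application server, plus the second
    # copy of the session key sealed for the workstation.
    sk = os.urandom(16)
    ticket = {"user": user, "addr": addr, "service": service,
              "ts": now, "life": life, "session_key": sk.hex()}
    return seal(server_key, ticket), seal(tgs_session_key, {"session_key": sk.hex()})

def server_accept(server_key, ticket, peer_addr, service, now):
    # Steps 6-7: open the ticket, check its fields, answer with a random number.
    t = unseal(server_key, ticket)
    if (t["service"], t["addr"]) != (service, peer_addr):
        raise ValueError("ticket issued for another service or address")
    if not t["ts"] <= now <= t["ts"] + t["life"]:
        raise ValueError("ticket outside its lifetime")
    return bytes.fromhex(t["session_key"]), os.urandom(8).hex()

def client_answer(tgs_session_key, sealed_copy, challenge):
    # Step 8: only a holder of the session key can seal the random number.
    sk = bytes.fromhex(unseal(tgs_session_key, sealed_copy)["session_key"])
    return seal(sk, {"rn": challenge})

def server_verify(session_key, challenge, answer):
    return unseal(session_key, answer)["rn"] == challenge

if __name__ == "__main__":  # constructed sample values
    ks, kc = os.urandom(16), os.urandom(16)
    tkt, copy = tgs_issue(ks, kc, "alice", "10.0.0.5", "rlogin", now=1000)
    sk, rn = server_accept(ks, tkt, "10.0.0.5", "rlogin", now=1100)
    print(server_verify(sk, rn, client_answer(kc, copy, rn)))
```

The application server never contacts the ticket granting server: everything it checks (service name, address, time stamp, lifetime) comes out of the ticket it opens with its own key, which is why the choice of ticket lifetime matters.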
KERBEROS NAMES • Key referral between Domains • Key referral between Trusted Domains
KERBEROS DATABASE • The KDBM Server • The kadmin and kpasswd Programs • Kerberos Database Replication
Kerberos from the Outside Looking In • Kerberos User's Eye View • Kerberos From the Programmer's Viewpoint • The Kerberos Administrator's Job
Kerberos Issues and open Problems • How to decide the correct lifetime for a ticket? • How to allow proxies? • How to guarantee workstation integrity?
KERBEROS STATUS A prototype version of Kerberos went into production in September of 1986. Since January of 1987, Kerberos has been Project Athena's sole means of authenticating its 5,000 users, 650 workstations, and 65 servers. In addition, Kerberos is now being used in place of .rhosts files for controlling access in several of Athena's timesharing systems.
COMMERCIAL SUPPORT FOR KERBEROS • CyberSafe Corporation • Email: info@cybersafe.com • InterSoft International, Inc. • Email: support@securenetterm.com • Email: sales@securenetterm.com
THE MIT KERBEROS TEAM • MIT Team Members • Jeff Schiller ('79) • Ted Ts'o ('90) • Tom Yu ('96) • Ken Raeburn ('88) • Paul Hill • Marshall Vale • Miroslav Jurisic • Alexis Ellwood • Danilo Almeida