Kerberos: An Authentication Service for Open Network Systems J. G. Steiner, C. Neuman, J. I. Schiller
What is Kerberos?
• Trusted third-party authentication service
• Requirements:
  • Secure (private-key encryption)
  • Transparent (tickets)
  • Scalable (replication)
  • Reliable
Kerberos Authentication Protocols (diagram: Client, Kerberos Server, TGS)
Transparency
• Tickets are reusable (authenticators are not)
• Ticket format: {s, c, addr, timestamp, life, K_s,c} K_s (sealed with the server's key K_s)
• The ticket-granting ticket is obtained at login (8-hour lease); kinit for a new TGT
• Library calls:
  • krb_mk_req, krb_rd_req, krb_mk_prv, krb_rd_prv
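Added example, not from the paper or the slides: a Python simulation of the check behind krb_rd_req, showing why the same ticket can be presented many times while each authenticator is accepted only once. The cipher (SHA-256 keystream XOR with an appended tag, standing in for the DES of the original protocol), the lifetime expressed in seconds, the 300 s clock skew and the replay cache are all assumptions of this example.

```python
import hashlib, json

def _keystream(key: bytes, n: int) -> bytes:
    # Toy stand-in for DES: SHA-256 counter keystream (assumption of this example).
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def seal(key: bytes, fields: dict) -> bytes:
    # Encrypt a field set under `key`; an 8-byte integrity tag is appended first.
    data = json.dumps(fields, sort_keys=True).encode()
    plain = data + hashlib.sha256(key + data).digest()[:8]
    return bytes(a ^ b for a, b in zip(plain, _keystream(key, len(plain))))

def unseal(key: bytes, blob: bytes) -> dict:
    plain = bytes(a ^ b for a, b in zip(blob, _keystream(key, len(blob))))
    data, tag = plain[:-8], plain[-8:]
    if hashlib.sha256(key + data).digest()[:8] != tag:
        raise ValueError("wrong key or corrupted message")
    return json.loads(data)

def make_ticket(k_s, s, c, addr, life, k_sc, now):
    # Ticket from the slide: {s, c, addr, timestamp, life, K_s,c} K_s (life in seconds here).
    return seal(k_s, {"s": s, "c": c, "addr": addr, "ts": now, "life": life, "k_sc": k_sc.hex()})

def make_authenticator(k_sc, c, addr, now):
    # Authenticator: {c, addr, timestamp} K_s,c, built fresh for every request.
    return seal(k_sc, {"c": c, "addr": addr, "ts": now})

class Server:
    SKEW = 300  # tolerated clock difference in seconds (assumed)
    def __init__(self, k_s: bytes):
        self.k_s = k_s
        self.seen = set()  # replay cache of authenticators already accepted
    def rd_req(self, ticket, auth, src_addr, now) -> str:
        t = unseal(self.k_s, ticket)  # only the server key opens the ticket
        if now > t["ts"] + t["life"]:
            return "ticket expired"
        a = unseal(bytes.fromhex(t["k_sc"]), auth)  # only K_s,c opens the authenticator
        if a["c"] != t["c"] or a["addr"] != t["addr"] or src_addr != t["addr"]:
            return "name/address mismatch"
        if abs(now - a["ts"]) > self.SKEW:
            return "authenticator stale"
        if (a["c"], a["addr"], a["ts"]) in self.seen:
            return "authenticator replayed"
        self.seen.add((a["c"], a["addr"], a["ts"]))
        return "ok"
```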
Scalability & Reliability
• Slave (read-only) authentication databases
• Master Kerberos DB used for (write) administration requests
• Entire DB is propagated every hour
• Common transactions can take place with replicated (slave) servers
Open Issues & Questions
• Ticket lifetime? (short-term playback)
• Integrity of workstation programs?
• Scalability between realms?
• Centralized authentication with private-key encryption: advantages/disadvantages over public-key?