Kerberos: An Authentication Service for Open Network Systems
Proceedings of the Winter 1988 Usenix Conference
Jennifer G. Steiner, Clifford Neuman, and Jeffrey I. Schiller
Massachusetts Institute of Technology / University of Washington
3rd May, 2004. Presented by Sookhyun Yang.
Contents
• Motivation
• What is Kerberos?
• Kerberos Software Component
• Kerberos Name
• How Does Kerberos Authentication Work?
• Kerberos Database
• Conclusion
Motivation
• How is access controlled in a network of users who require services from many separate computers?
• Requirements for authentication in an open network:
  • Secure
  • Reliable
  • Scalable
  • Transparent
Diagram: a closed environment (one server, one client) versus an open network (users user1, user2, user3 … log in to clients and request services from many servers, and each server must somehow identify the user); with Kerberos, a controlled client and a controlled server are mediated by an authentication server.
What is Kerberos?
• A trusted third-party authentication service
• Based on the Needham and Schroeder key distribution algorithm
• Ticket = {server, client, address, timestamp, lifetime, Ks,c}Ks
Diagram: the Kerberos database stores, per name, a private key and an expiry date; a user's private key is the (encrypted) password fixed at registration; the Kerberos client program obtains a session key from Kerberos and presents tickets to the service servers on the user's behalf.
Kerberos Software Component
• Kerberos application library
• Encryption library (DES)
• Database library (DB management)
• Administrative server (KDBM server)
• Authentication server (Kerberos server)
• Database administration programs
• Database propagation software
• End-user programs
• Applications
Kerberos Name
• Form: primary_name.instance@realm
  • primary_name: the name of the user or the service
  • instance: usually the name of the machine on which the server runs
  • realm: the name of the administrative entity that maintains authentication data in the domain
• Example: rlogin.priam@ATHENA.MIT.EDU
How Does Kerberos Authentication Work?
• 1. Request for TGS ticket (user/client to the authentication server)
• 2. Ticket for TGS (with session key)
• 3. Request for rlogin ticket (to the ticket granting service)
• 4. Ticket for rlogin (with session key)
• 5. Request for service (to the server)
• 6. Reply, encrypted
Diagram: the authentication server hosts both the authentication service and the ticket granting service; the client side is labelled login session setup, server session setup and DoOperation, and the servers shown are rlogin, ftp, telnet and http.
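The six steps above, as an added example that is not part of the deck or of the 1988 paper: a Python model of the exchange in which the authentication server and the ticket granting service issue tickets of the form {server, client, address, timestamp, lifetime, Ks,c}Ks, and a server checks a presented ticket and authenticator before sending its encrypted reply. The principal names, keys, address and the toy seal()/unseal() routine standing in for the DES library are all constructed here.

```python
import hashlib, hmac, json, time

# Toy "seal" standing in for the DES library: SHA-256 keystream XOR plus an HMAC tag. Offline demo only, not a real cipher.
def _xor(key, data):
    ks = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def seal(key, obj):
    ct = _xor(key, json.dumps(obj, sort_keys=True).encode())
    return hmac.new(key, ct, "sha256").digest() + ct

def unseal(key, blob):
    tag, ct = blob[:32], blob[32:]
    if not hmac.compare_digest(tag, hmac.new(key, ct, "sha256").digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(_xor(key, ct))

TGS = "tgs@ATHENA.MIT.EDU"    # constructed principal names and private keys: the Kerberos database
KDC_DB = {"user1@ATHENA.MIT.EDU": b"k-user1", TGS: b"k-tgs",
          "rlogin.priam@ATHENA.MIT.EDU": b"k-rlogin"}

def grant(client, server, addr, client_key, now, life=300):
    # Ticket = {server, client, address, timestamp, lifetime, Ks,c}Ks; the reply carrying it is sealed under client_key.
    skey = hashlib.sha256(f"{client}|{server}|{now}".encode()).digest()
    ticket = seal(KDC_DB[server], {"server": server, "client": client, "address": addr,
                                   "timestamp": now, "lifetime": life, "skey": skey.hex()})
    return seal(client_key, {"skey": skey.hex(), "ticket": ticket.hex()})

def verify(server, ticket, authenticator, addr, now):
    t = unseal(KDC_DB[server], ticket)          # only the named server holds Ks, so only it can open the ticket
    skey = bytes.fromhex(t["skey"])
    a = unseal(skey, authenticator)             # authenticator proves the presenter knows Ks,c
    if t["server"] != server or a["client"] != t["client"] or t["address"] != addr:
        raise ValueError("ticket/authenticator mismatch")
    if not t["timestamp"] <= now < t["timestamp"] + t["lifetime"] or abs(a["timestamp"] - now) > 300:
        raise ValueError("expired ticket or stale authenticator")
    return skey, a

def login_and_use(client, user_key, service, addr="10.0.0.5", now=None):
    now = now or int(time.time())
    auth = lambda k: seal(k, {"client": client, "timestamp": now})
    r = unseal(user_key, grant(client, TGS, addr, KDC_DB[client], now))      # 1-2: TGS ticket from the AS
    k_tgs, tgt = bytes.fromhex(r["skey"]), bytes.fromhex(r["ticket"])
    k_chk, _ = verify(TGS, tgt, auth(k_tgs), addr, now)                       # 3: TGS checks TGT + authenticator
    r = unseal(k_tgs, grant(client, service, addr, k_chk, now))               # 4: rlogin ticket, sealed under Ks,tgs
    k_svc, tkt = bytes.fromhex(r["skey"]), bytes.fromhex(r["ticket"])
    k_srv, a = verify(service, tkt, auth(k_svc), addr, now)                   # 5: rlogin server checks the ticket
    reply = unseal(k_svc, seal(k_srv, {"timestamp": a["timestamp"] + 1}))    # 6: encrypted reply (mutual auth)
    return reply["timestamp"] == now + 1
```

A wrong user key fails at step 2 (the client cannot open the AS reply), and a ticket presented after its lifetime fails at the server's check, which is where the deck's "Reply Encrypted" step depends on the earlier ones.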
Kerberos Database
• Master-slave structure
  • Master machine: read/write operations on the DB; holds the definitive copies
  • Slave machine: read-only access to the DB; copies from the master machine
  • Authentication requests: served by a slave or the master machine
  • Administration requests: master machine only
• Database replication
  • Each Kerberos realm has a master Kerberos machine
  • Checksum on the propagated copies
Diagram: one master Kerberos machine propagating to slave machines, each serving a group of workstations (WS).
Conclusion
• The Kerberos system is:
  • Secure
  • Reliable
  • Scalable
  • Transparent
• But it has many limitations and weaknesses