1
18kviews
Explain working of Kerberos.
1 Answer
4
743views
  1. Kerberos is an authentication service developed at MIT.
  2. It is a trusted ley server system which provides private-key third-party authentication service (i.e a third entity is responsible for authentication of two-people communication)
  3. Why Kerberos? : Sending username and password over a network medium jeopardizes the security. Every time a password is sent, there is a chance of intrusion. Using firewalls is also not secure, as firewalls think attacks come from outside network; while the internal network itself can be intruded.
  4. Approach: We use the private-key cryptography approach (where both parties use same key..e.g.DES) . We use a third-party who vouches for the identity of both the parties involved in transaction.
  5. Working: The working of Kerberos is explained in the following steps.
  • User logs into the workstation(PC) and requests for a service of host machine. The user instead of sending its username and password sends plaintext request to Authentication Server (AS)for a Ticket that the user can use to talk to Ticket Granting Server (TGS).
  • The AS finds the keys corresponding to the login name and the TGS. The AS creates a ticket which is made up of Ticket $\rightarrow$ {Login Name || TGS Name || Client n/w address || TGS Session key} . The AS encrypts the Ticket using the TGS’s secret-key.

    The AS also at the same time creates a random session-key for the client and the TGS to use. The session-key + Ticket is encrypted with user’s secret-key.

enter image description here

  • The user now decrypts using the user’s private-key (Password) . He now possesses the session key and a ticket which he can use to contact the Ticket Granting Server (TGS) (Note: The client cannot see inside the ticket as its encrypted by TGS’ private-key). The user now composes a message to sent to the TGS for a ticket which comprises of

enter image description here

(The earlier ticket was know as Ticket Granting Ticket which was used to get access to TGS. The new ticket that TGS will issue in step-4 will be a Service-Granting-Ticket which can be used to access a Server/Service)

  • The TGS on receiving the message decrypts the ticket using it’s secret key . Inside will be the TGS session-key. The TGS decrypts the authenticator using the session key. TGS checks user-id password and Server names are correct.
    It then builds a ticket for client and requested server. The ticket is encrypted with server-key. It also creates a session key and encrypts the entire message with the session-key.

  • The User now decrypts the message received from TGS using the TGS session-key. The user now has with him a Session-Key (granting him a certain time-slot duration for accessing the server) and a Ticket (to use the server)

    Using the format used in step-3 , user contacts the Server.

  • Server verifies the Authenticator and the Ticket and then grants access to the server .

enter image description here

Please log in to add an answer.