Kerberos
Kerberos
• Kerberos was a 3-headed dog in Greek mythology
  – Guarded the gates of the dead
  – Decided who might enter
  – Talk about strong security!
Kerberos
• Three parties are present
  – Kerberos server
  – Applicant host
  – Verifier host
[Diagram: Kerberos Server, Applicant, Verifier]
Kerberos
• Kerberos server shares a symmetric key with each host
  – Key shared with the applicant will be called Key AS (Applicant-Server)
  – Key shared with the verifier will be Key VS
[Diagram: Kerberos Server shares Key AS with Applicant and Key VS with Verifier]
Kerberos
• Applicant sends a message to the Kerberos server
  – Logs in and asks for a ticket-granting ticket (TGT)
    • Authenticates the applicant to the server
  – Server sends back the ticket-granting ticket
  – TGT allows the applicant to request connections
[Diagram: Applicant → Kerberos Server: TGT request; Kerberos Server → Applicant: TGT]
Kerberos
• To connect to the verifier
• Applicant asks the Kerberos server for credentials to introduce the applicant to the verifier
• Request includes the ticket-granting ticket
[Diagram: Applicant → Kerberos Server: credentials request]
Kerberos
• Kerberos server sends the credentials
  – Credentials include the session key, Key AV, that the applicant and verifier will use for secure communication
  – Encrypted with Key AS so that interceptors cannot read it
[Diagram: Kerberos Server → Applicant: Credentials = Session Key AV, Service Ticket]
Kerberos
• Kerberos server sends the credentials
  – Credentials also include the Service Ticket, which is encrypted with Key VS; the applicant cannot read or change it
[Diagram: Kerberos Server → Applicant: Credentials = Session Key AV, Service Ticket]
Kerberos
• Applicant sends the Service Ticket plus an Authenticator to the Verifier
  – Service ticket contains the symmetric session key (Key AV)
  – Now both parties have Key AV and so can communicate with confidentiality
[Diagram: Applicant → Verifier: Service Ticket (contains Key AV) + Authenticator]
Kerberos
• Applicant sends the Service Ticket plus an Authenticator to the Verifier
  – Authenticator contains information encrypted with Key AV
    • Guarantees that the service ticket came from the applicant, which alone knows Key AV
    • Service ticket has a time stamp to prevent replay
[Diagram: Applicant → Verifier: Service Ticket (contains Key AV) + Authenticator]
Kerberos
• Subsequent communication between the applicant and verifier uses the symmetric session key (Key AV) for confidentiality
[Diagram: Applicant ↔ Verifier: communication encrypted with Key AV]
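The three-party exchange on the preceding slides, worked through as an added Python example (not from the slides). It stands in an HMAC-based toy cipher for Kerberos's real encryption, generates fresh Key AS and Key VS for the demo, skips the TGT step, and the names kerberos_server_issue, applicant_connect and verifier_accept are assumed.

```python
import hmac, hashlib, json, os

def _stream(key, nonce, n):
    """Keystream from HMAC-SHA256 in counter mode (toy stand-in for Kerberos's cipher)."""
    out = b""
    for i in range(n // 32 + 1):
        out += hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]

def _enc(key, obj):
    """Encrypt-then-MAC a JSON object: nonce || ciphertext || HMAC tag."""
    pt = json.dumps(obj).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def _dec(key, blob):
    """Verify the tag first; a wrong key or any tampering raises before decryption."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("bad MAC: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

# Long-term keys the Kerberos server shares with each host (constructed for the demo).
KEY_AS, KEY_VS = os.urandom(32), os.urandom(32)

def kerberos_server_issue(applicant):
    """Credentials = {Key AV, service ticket} under Key AS; ticket = {applicant, Key AV} under Key VS."""
    key_av = os.urandom(32)
    ticket = _enc(KEY_VS, {"applicant": applicant, "key_av": key_av.hex()})
    return _enc(KEY_AS, {"key_av": key_av.hex(), "ticket": ticket.hex()})

def applicant_connect(creds, now):
    """Open the credentials with Key AS; forward the ticket unread plus {timestamp} under Key AV."""
    c = _dec(KEY_AS, creds)
    key_av = bytes.fromhex(c["key_av"])
    return bytes.fromhex(c["ticket"]), _enc(key_av, {"ts": now}), key_av

def verifier_accept(ticket, auth, now, skew=300.0):
    """Recover Key AV from the ticket with Key VS, then check the authenticator is fresh."""
    key_av = bytes.fromhex(_dec(KEY_VS, ticket)["key_av"])
    ts = _dec(key_av, auth)["ts"]          # only a holder of Key AV could have produced this
    if abs(now - ts) > skew:
        raise ValueError("stale authenticator: possible replay")
    return key_av
```

After verifier_accept returns, both sides hold the same Key AV and can protect the rest of the session with _enc/_dec under it.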
Kerberos
• The Service Ticket can contain more than Key AV
• If the applicant is a client and the verifier is a server, the service ticket may contain
  – Verifier's user name and password
  – List of rights to files and directories on the server
Kerberos
• Is the basis for security in Microsoft Windows 2000
• Only uses symmetric key encryption for reduced processing cost