30-05-2012, 04:11 PM
Kerberos The Network Authentication Protocol
pres_kerberos.pdf (Size: 376.24 KB / Downloads: 134)
What is Kerberos?
● Kerberos is a three-headed dog
● Kerberos stands at the gates of the House of Hades and fawns on the dead as they enter but will savagely eat anyone trying to pass back through the gates and return to the land of the living
● Kerberos is also known as Cerberus, when using the Latin spelling
What's with the 3 heads?
● Authentication
– The confirmation that a user who is requesting services is a valid user of the network services requested
● Authorization
– The granting of specific types of service to a user, based on their authentication, what services they are requesting, and the current system state
● Accounting
– The tracking of the consumption of network resources by users
Benefits of Kerberos
● Standards-based strong authentication
● Broad operating-system support
● Provides for single sign-on (SSO) capability
● Passwords never traverse the network
● Password guessing more difficult
● Stolen authentication tickets are hard to reuse
Limitations of Kerberos
● Of the three A's, Kerberos only provides authentication
– Other protocols (such as NIS or LDAP) are still needed for authorization
● Applications must be “Kerberized” to take advantage
– Kerberos provides standard APIs to help with this
– There are also PAM modules for Kerberos authentication
● Cannot migrate existing password hashes into the Kerberos database
● Authentication is only as good as the user's password
● Assumes relatively secure hosts on an insecure network
How is Kerberos organized?
● The Kerberos administrative domain is a “realm”
– Realm names are typically the domain's DNS name in all caps (e.g. “foo.com” becomes “FOO.COM”)
● Authentication is mediated through a central server called the “Key Distribution Center” (KDC)
– Each user and service shares a secret key with the KDC
– The KDC generates and distributes session keys
– Communicating parties prove to each other that they know the session key
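As an added illustration (not part of the presentation), a toy Python model of the organization just described: each principal shares a long-term key only with the KDC, the KDC mints a session key and seals one copy for each party under that party's key, and client and service then prove to each other that they know the session key. The realm FOO.COM follows the slide; the principal names, passwords and the HMAC-based sealing are constructed for the demo and stand in for Kerberos' real encryption.

```python
import hashlib, hmac, json, os
def long_term_key(principal, password):
    # Derived independently by the principal and the KDC; the password never crosses the network.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 10_000)

def _stream(key, nonce, n):
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(n // 32 + 1))[:n]

def seal(key, payload):
    # Toy authenticated encryption (HMAC keystream + HMAC tag) for this demo only; Kerberos uses AES.
    pt, nonce = json.dumps(payload, sort_keys=True).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("not sealed under this key: wrong password or forged ticket")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

def kdc_issue(kdc_keys, client, service):
    # The KDC mints a fresh session key and seals one copy for each party under its long-term key.
    sk = os.urandom(32).hex()
    ticket = seal(kdc_keys[service], {"client": client, "key": sk})  # readable only by the service
    reply = seal(kdc_keys[client], {"service": service, "key": sk})  # readable only by the client
    return ticket, reply

def proof(sk, role, name):
    return hmac.new(sk, f"{role}|{name}".encode(), hashlib.sha256).digest()  # keyed with the session key

def client_request(kdc_keys, client, password, service):
    ticket, reply = kdc_issue(kdc_keys, client, service)
    sk = bytes.fromhex(unseal(long_term_key(client, password), reply)["key"])  # wrong password -> ValueError
    return ticket, proof(sk, "AP_REQ", client), sk

def service_accept(service_key, service, ticket, authenticator):
    t = unseal(service_key, ticket)
    sk = bytes.fromhex(t["key"])
    if not hmac.compare_digest(authenticator, proof(sk, "AP_REQ", t["client"])):
        raise ValueError("authenticator does not match the session key in the ticket")
    return t["client"], proof(sk, "AP_REP", service)  # the service's own proof: mutual authentication

def demo(password="correct horse battery"):
    client, svc = "alice@FOO.COM", "host/www.foo.com@FOO.COM"  # constructed principals in realm FOO.COM
    svc_key = long_term_key(svc, "service-keytab-secret")  # the service's key, also held by the KDC
    kdc_keys = {client: long_term_key(client, "correct horse battery"), svc: svc_key}  # KDC database
    ticket, auth, sk = client_request(kdc_keys, client, password, svc)
    who, ap_rep = service_accept(svc_key, svc, ticket, auth)
    return who, hmac.compare_digest(ap_rep, proof(sk, "AP_REP", svc))
```

Calling `demo()` returns the authenticated client name and `True` for the mutual check; calling it with a wrong password raises `ValueError` at the client before anything reaches the service, which is the slide's point that authentication is only as good as the user's password.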